Provably secure and efficient authentication techniques for the global mobility network


The Journal of Systems and Software 84 (2011) 1717–1725

Contents lists available at ScienceDirect

The Journal of Systems and Software journal homepage: www.elsevier.com/locate/jss

Provably secure and efficient authentication techniques for the global mobility network

Tian-Fu Lee (a), Tzonelih Hwang (b, ∗)

(a) Department of Medical Informatics, Tzu Chi University, Hualien 970, Taiwan, ROC
(b) Department of Computer Science and Information Engineering, National Cheng Kung University, No. 1, Ta-Hsueh Road, Tainan 701, Taiwan, ROC

Article info

Article history: Received 6 May 2010; Received in revised form 4 March 2011; Accepted 3 May 2011; Available online 20 May 2011

Keywords: Wireless communication; Mobile communication systems; Network communication; Personal communication networks; Computer network security

Abstract

Recently, several authentication techniques have been developed for the global mobility network (GLOMONET), which provides mobile users with global roaming services. Owing to hardware limitations, the mobile user cannot support heavy encryption and decryption. This investigation adjusts the entity in the roaming scenario that selects the session key to be used to different types of authentication schemes in GLOMONET and presents two provably secure and efficient authentication protocols for roaming services. One protocol is based on synchronized clocks, while the other uses random numbers. Compared to related approaches, the proposed authentication protocols not only reduce the number of transmissions, but also diminish the computational cost involved in encryption and decryption. Thus, they are more suitable for GLOMONET. © 2011 Elsevier Inc. All rights reserved.

1. Introduction

Numerous authentication approaches have been proposed recently for the global mobility network (GLOMONET), which provides personal communication users with a global roaming service. The roaming service comprises setup and provision phases (Suzuki and Nakada, 1997; Buttyan et al., 2000). The former is concerned with setting up the roaming-service environment according to the visited network, the home network, and the roaming user. An authentication key belonging to the visited network and the roaming user is also established during this phase. Meanwhile, the latter phase is concerned with providing the roaming user with roaming services within the visited network using the authentication key. To provide higher security, many recent authentication protocols have used public-key systems or exponential computations. For example, Long et al. (2004) presented a localized authentication protocol for inter-network roaming across wireless LANs. Lee and Yeh (2005) proposed an authentication protocol which provided the property of delegation and was suitable for use in portable communication systems. In the same year, Lee et al. (2005) provided a solution of authentication techniques for GLOMONET and presented a secure authentication protocol for roaming services. Jiang et al. (2006) built on the self-certified scheme (Saeednia, 1997, 2003; Wu et al., 1998) and presented an authentication protocol with identity anonymity. Although the approaches in Long et al. (2004), Lee and Yeh (2005), Lee et al. (2005) and Jiang et al. (2006) provided more security properties, using exponential computations increased clients' overheads. In addition, owing to hardware limitations, it is difficult for the mobile user to support heavy encryption and decryption in the roaming environment. Therefore, protocols that use only symmetric encryption and decryption seem more suitable for the roaming environment.

In network authentication protocols, each step must guarantee the freshness of messages to prevent replay attacks. Generally, two types of mechanism are used for this purpose. One such mechanism is based on synchronized clocks (clock-based) (Denning and Sacco, 1981; Gong, 1992), while the other uses random numbers or nonces (nonce-based) (Needham and Schroeder, 1978; Gong, 1995). Although clock-based authentication protocols require fewer messages in communication than nonce-based authentication protocols, constructing synchronized clocks in a network environment is complicated (Denning and Sacco, 1981; Mills, 1994, 1998). In 1997, Suzuki and Nakada (1997) developed a nonce-based authentication technique in GLOMONET, which was suitable for the distributed security management of global communication. However, Buttyan et al. (2000) stated that the scheme of Suzuki and Nakada had several security weaknesses and proposed a modified nonce-based scheme as an alternative. Subsequently, Hwang and Chang (2003) designed a clock-based authentication protocol

∗ Corresponding author. Tel.: +886 6 2757575x62524; fax: +886 6 2747076. E-mail addresses: [email protected], [email protected] (T. Hwang). 0164-1212/$ – see front matter © 2011 Elsevier Inc. All rights reserved. doi:10.1016/j.jss.2011.05.006


using the self-encryption mechanism for roaming service. In 2006, Jiang et al. (2006) also improved the protocol of Hwang and Chang and presented a clock-based authentication protocol with identity anonymity in order to protect the privacy of the mobile user's location information during communication. Apparently, the protocols of Hwang and Chang and Jiang et al. reduced the number of transmissions during the authentication phase and simplified the mobile equipment in GLOMONET. However, maintaining clock synchronization between the visited network and the home network makes their clock-based protocols complicated.

In the roaming environment, any one of the three participants, the roaming user, the visited network and the home network, may generate (or select) the authentication key. In the authentication protocols of Buttyan et al. and Hwang and Chang, the authentication keys are selected by the visited network. However, which entity selects the authentication key in a network authentication protocol influences the number of messages in communication. This work adjusts the entity that selects the authentication key (i.e. the selector of the authentication key) to different types of authentication schemes in GLOMONET so that the authentication key generation and key confirmation processes are executed at early stages. Using this technique, two provably secure and efficient authentication protocols for roaming services, which use only symmetric encryption and decryption, are proposed. One of these schemes is a nonce-based authentication protocol, while the other is a clock-based authentication protocol. Both the number of transmissions and the computational cost of the proposed nonce-based authentication protocol are lower than those of the nonce-based authentication protocol of Buttyan et al. Furthermore, comparing the proposed clock-based protocol with that of Hwang and Chang reveals that the proposed protocol not only reduces the number of transmissions during the authentication phase, but also reduces the computational cost involved in encryption and decryption.

The remainder of this paper is organized as follows. Section 2 reviews the concepts of the nonce-based authentication protocol of Buttyan et al. and the clock-based authentication protocol


Table 1 Notation of roaming service authentication protocols.

Kuh: The long-term secret key belonging to a user Ui and its home network H
Kvh: The long-term secret key shared between a visited network V and the home network of a user
Kauth: The authentication key belonging to a roaming user Ui and a visited network
f(M): A secret one-way function applied to M
EK(M): Encryption of M using a symmetric encryption scheme with a cryptographically strong shared key K
r0, r1, r2, r3: Random numbers selected by Ui, V or H
M1||M2: Message M1 concatenated with message M2

of Hwang and Chang for roaming services. Section 3 then introduces the proposed nonce-based and clock-based authentication protocols for roaming services. Subsequently, Section 4 analyzes the security of the proposed protocols. Section 4 also compares the proposed protocols with other related approaches. Finally, Section 5 draws conclusions.

2. Previous works

This section briefly reviews the nonce-based authentication protocol of Buttyan et al. and the clock-based authentication protocol of Hwang and Chang for roaming services. Assume that Ui denotes a roaming user, V represents the visited network and H is the home network. Table 1 lists the notation used throughout this investigation.

2.1. The nonce-based authentication protocol of Buttyan et al.

In 2000, Buttyan et al. (2000) demonstrated that the scheme of Suzuki and Nakada (1997) was unable to resist several attacks, and thus proposed a modified nonce-based authentication protocol for roaming service as an alternative. Fig. 1 illustrates the authentication protocol of Buttyan et al., which works as follows:

Fig. 1. The nonce-based authentication protocol of Buttyan et al. Message flow recovered from the figure (Ui holds Kuh, V holds Kvh, H holds Kuh and Kvh):
(1) Ui → V: Request, r0 (Ui generates r0)
(2) V → H: r1 (V generates r1)
(3) H → V: EKvh(r1), r2 (H generates r2; V checks r1)
(4) V → H: EKvh(r2||Ui||Kauth||r0) (H checks r2)
(5) H → V: EKuh(V||Kauth||r0)
(6) V → Ui: r3, EKuh(V||Kauth||r0) (V generates r3; Ui checks r0)
(7) Ui → V: EKauth(r3) (V checks r3)
(8) V → Ui: EKauth(EKauth(r3)) (Ui checks EKauth(r3))

Fig. 2. The clock-based authentication protocol of Hwang and Chang. Message flow recovered from the figure (Ui holds Kuh, V holds Kvh, H holds Kuh and Kvh):
(1) Ui → V: Ui, H, EKuh(Kuh||r0) (Ui generates r0)
(2) V → H: EKuh(Kuh||r0), EKvh(Ui||r1||t) (V generates r1; H checks t and Kuh = f(Ui))
(3) H → V: EKvh(r1), C = EKuh(r0||r1||V) (V checks r1, sets Kauth = r1)
(4) V → Ui: C (Ui checks r0, sets Kauth = r1)
(5) Ui → V: EKauth(r1) (V checks Kauth)

Step 1: Ui generates and sends a random number r0 to V.
Step 2: V generates and sends a random number r1 to H.
Step 3: H generates a random number r2 and sends EKvh(r1), r2 to V.
Step 4: If V successfully verifies r1 by decrypting EKvh(r1) using Kvh, then V selects an authentication key Kauth and sends EKvh(r2||Ui||Kauth||r0) to H. Otherwise, V rejects Ui's request.
Step 5: If H successfully verifies r2 by decrypting EKvh(r2||Ui||Kauth||r0) using Kvh, then H computes and sends EKuh(V||Kauth||r0) to V.
Step 6: V generates another random number r3, and then sends r3 and forwards EKuh(V||Kauth||r0) to Ui.
Step 7: If Ui successfully verifies r0 by decrypting EKuh(V||Kauth||r0) using Kuh, then Ui computes and sends EKauth(r3) to V.
Step 8: If V successfully verifies r3 by decrypting EKauth(r3) using Kauth, then V computes and sends EKauth(EKauth(r3)) to Ui.
Step 9: Finally, Ui decrypts EKauth(EKauth(r3)) using Kauth, checks EKauth(r3) and confirms V's knowledge of the authentication key Kauth.

Therefore, the authentication protocol of Buttyan et al. belongs to the nonce-based type and adopts the visited network as the entity that selects the authentication key. Eight transmissions are required.

2.2. The clock-based authentication protocol of Hwang and Chang

In 2003, Hwang and Chang (2003) proposed an efficient clock-based authentication protocol using the self-encryption mechanism for roaming services. Fig. 2 illustrates the authentication protocol of Hwang and Chang, which is described as follows:

Step 1: Ui generates a random number r0 and encrypts (Kuh||r0) using Kuh = f(Ui). Ui then sends its request and EKuh(Kuh||r0) to V.
Step 2: V generates a random number r1, sends EKvh(Ui||r1||t) and forwards EKuh(Kuh||r0) to H, where t denotes the timestamp.
Step 3: H authenticates V by decrypting EKvh(Ui||r1||t) using Kvh and checking the timestamp t. Additionally, H authenticates Ui by decrypting EKuh(Kuh||r0) using Kuh = f(Ui). If successful, H then sends EKvh(r1) and C = EKuh(r0||r1||V) to V.
Step 4: If V successfully verifies r1 by decrypting EKvh(r1) using Kvh, then V sets r1 as the authentication key Kauth and passes C to Ui. Otherwise, V rejects Ui's request.
Step 5: If Ui successfully verifies r0 by decrypting C using Kuh, then Ui sets r1 as the authentication key Kauth, confirms H's knowledge of the authentication key and sends EKauth(r1) to V.
Step 6: Finally, V authenticates Ui by checking Kauth and confirms Ui's knowledge of the authentication key.

Therefore, the authentication protocol of Hwang and Chang needs to maintain clock synchronization and adopts the visited network as the entity that selects the authentication key. Five transmissions are required.

3. Proposed authentication protocols for roaming services

This section adjusts the entity that selects the authentication key in authentication schemes and presents two secure and efficient roaming service authentication protocols. One is a clock-based authentication protocol, while the other is a nonce-based authentication protocol. Two issues are central to the problem of network authentication protocols, namely, authentication and message freshness (Stallings, 1999). Authentication enables participants to verify the identities of one another and protects against impersonation attacks; meanwhile, message freshness ensures that communicated messages are fresh and also prevents replay attacks. Additionally, in the roaming environment, any one of the three participants, roaming user Ui, visited network V and home network H, can generate the authentication key. Consequently, we modify the entity that selects the authentication key such that the proposed nonce-based and clock-based authentication schemes execute the authentication key generation and key confirmation processes in early steps and reduce the number of transmissions.

3.1. Proposed nonce-based authentication protocol

Nonce-based authentication protocols for roaming service require challenge/response interactive authentication (Suzuki and Nakada, 1997; Stallings, 1999). After receiving the nonces from Ui and V, H generates and sends out the authentication key

Fig. 3. Proposed nonce-based authentication protocol for roaming services. Message flow recovered from the figure (Ui holds Kuh, V holds Kvh, H holds Kuh and Kvh):
(1) Ui → V: Ui, H, EKuh(Ui||r0) (Ui generates r0)
(2) V → H: EKvh(Ui||r1), EKuh(Ui||r0) (V generates r1; H checks Ui and generates r2)
(3) H → V: EKuh(r0||r2||V), EKvh(r1||r2) (V checks r1, sets Kauth = r2)
(4) V → Ui: EKuh(r0||r2||V), μv = EKauth(Kauth||r1) (Ui checks r0 and V, sets Kauth = r2, verifies μv)
(5) Ui → V: μu = r1 (V checks μu)

Kauth. Then, on receiving Kauth from H, Ui and V are able to verify its authentication and message freshness. That is, Ui and V issue their authenticated messages in Steps 1 and 2, respectively. In Step 3, H authenticates V and Ui, then issues Kauth, which is randomly selected by H. Finally, V and Ui authenticate H and obtain Kauth in Steps 3 and 4, respectively. Fig. 3 illustrates the proposed nonce-based authentication protocol. The detailed descriptions are given as follows.

3.1.1. The nonce-based protocol (NBP)

Step 1. Ui → V : Ui, H, EKuh(Ui||r0)
The roaming user Ui generates a random number r0 and encrypts (Ui||r0) using Kuh. Ui then sends its request and EKuh(Ui||r0) to the visited network V.

Step 2. V → H : EKuh(Ui||r0), EKvh(Ui||r1)
On receiving Ui's request, V generates a random number r1, sends EKvh(Ui||r1) and forwards EKuh(Ui||r0) to the home network H of Ui.

Step 3. H → V : EKvh(r1||r2), EKuh(r0||r2||V)
The home network H decrypts EKvh(Ui||r1) and EKuh(Ui||r0), and authenticates V and Ui by checking Ui. If successful, H then generates a random number r2 and sends EKvh(r1||r2), EKuh(r0||r2||V) to V.

Step 4. V → Ui : EKuh(r0||r2||V)
V decrypts EKvh(r1||r2) using Kvh and authenticates H by checking r1. If successful, V sets r2 as the authentication key Kauth and forwards EKuh(r0||r2||V) to Ui. Otherwise, V rejects the request of Ui.

Step 5. Finally, if Ui successfully verifies r0 by decrypting EKuh(r0||r2||V) with Kuh, then Ui authenticates H and sets r2 as the authentication key Kauth.

Fig. 4. Proposed clock-based authentication protocol for roaming services. Message flow recovered from the figure (Ui holds Kuh, V holds Kvh, H holds Kuh and Kvh):
(1) Ui → V: Ui, H, EKuh(r0||tu||V) (Ui generates r0)
(2) V → H: EKvh(Ui||tv), EKuh(r0||tu||V) (H checks Ui, V, tv and tu)
(3) H → V: EKvh(r0||tu||tv) (V checks tv, sets Kauth = r0)
(4) V → Ui: μv = EKauth(tu) (Ui verifies μv)

3.1.2. The nonce-based protocol with explicit mutual authentication (NBP-MA)

The proposed NBP protocol realizes mutual authentication by encrypting the later communications with the session key. That is, the NBP protocol does not provide mutual authentication while the protocol itself is executing. The NBP-MA protocol is transformed from the NBP protocol by adding key confirmation messages (or authenticators) μu and μv. Fig. 3 also depicts the proposed NBP-MA protocol, which works as follows. First, Steps 1–4 are identical to the NBP protocol. In Step 4, V also computes and sends out its authenticator μv = EKauth(Kauth||r1) to Ui. In Step 5, Ui decrypts and verifies μv using Kauth, and then sends its authenticator μu = r1 to V. Finally, V confirms Ui's knowledge of the authentication key by verifying μu. Hence, the home network selects the authentication key in the nonce-based authentication protocol proposed here. Five transmissions are required, fewer than the nonce-based authentication protocol of Buttyan et al. requires.

3.2. Proposed clock-based authentication protocol

In the roaming environment, when roaming user Ui visits network V, Ui receives the messages broadcast by V. Consequently, the messages from V are permitted to contain validating timestamps. Additionally, numerous solutions for clock synchronization in wired and wireless local area networks have been presented in Mills (1994, 1998) and Mock et al. (2000). Consequently, clock synchronization between Ui and V is reasonable. Hence, the proposed clock-based protocol assumes that synchronized clocks are maintained between Ui and V, as well as between V and Ui's home network H. In clock-based roaming service authentication protocols, participants can easily provide authentication and message freshness, since each participant can easily establish message freshness using timestamps. Thus, in the proposed clock-based authentication protocol, the roaming user selects and sends out the authentication key Kauth. V and H can easily verify Kauth and make sure of its freshness. In Step 1 of the proposed clock-based authentication protocol, Ui generates a random number r0 as Kauth. From the messages involving Kauth that V passes on in Step 2, H can authenticate V and Ui and validate Kauth in Step 3. H then delivers Kauth to V, and thus V and Ui have the same authentication key Kauth. Fig. 4 illustrates the proposed clock-based authentication protocol. The detailed descriptions are presented below.

3.2.1. The clock-based protocol (TBP)

Step 1. Ui generates a random number r0 as Kauth and encrypts (r0||tu||V) using Kuh, where tu denotes the timestamp. Ui then sends its request and EKuh(r0||tu||V) to V.
Step 2. On receiving the request of Ui, V sends EKvh(Ui||tv) and forwards EKuh(r0||tu||V) to Ui's home network H, where tv is the timestamp.
Step 3. H decrypts EKvh(Ui||tv) and EKuh(r0||tu||V), and authenticates V and Ui by checking Ui, tv and tu, respectively. If successful, H then sends EKvh(r0||tu||tv) to V.
Step 4. Finally, V decrypts EKvh(r0||tu||tv) using Kvh. If V successfully validates tv, then V sets r0 as the authentication key Kauth.

3.2.2. The clock-based protocol with explicit mutual authentication (TBP-MA)

Similar to the previous subsection, the TBP protocol does not provide mutual authentication while the protocol itself is executing, and the TBP-MA protocol can be transformed from the TBP protocol by adding the authenticator μv. Fig. 4 also depicts the proposed TBP-MA protocol, which works as follows.

First, Steps 1–4 are identical to the TBP protocol. In Step 4, V also computes and sends out its authenticator μv = EKauth(tu) to Ui. Finally, Ui decrypts μv using Kauth, authenticates H and V by checking tu, and confirms V's knowledge of Kauth. Therefore, the proposed clock-based authentication protocol adopts the roaming user as the entity that selects the authentication key. Four transmissions are required, fewer than the clock-based authentication protocol of Hwang and Chang requires.

4. Security and performance analyses

This section provides the security proofs of the proposed authentication protocols and compares their performance with that of other related authentication protocols.

4.1. Security proofs of proposed authentication protocols

4.1.1. Communication model

Protocol participants: The protocol participants are a roaming user U, a visited network V and U's home network H. U and V try to authenticate each other and establish an authentication key Kauth via H in P. A participant may be involved in numerous instances, called oracles, of distinct concurrent executions of P. The instance i of participant U is expressed as Π_U^i.

Long-lived keys: The long-term secret key Kuh is shared between U and H, and the long-term secret key Kvh is shared between V and H. The long-lived keys Kuh and Kvh are defined as the symmetric keys of U and V, respectively.

Oracle queries: Oracle queries model the capabilities of the adversary A and are described below.
- Send(Π_U^i, M): This query models the adversary A, who fully controls all communications in protocol P. A sends a message M to oracle Π_U^i; then Π_U^i computes what P tells it to, and sends back the response message. A can initiate the execution of P by sending the query Send(Π_U^i, "start") to a user oracle Π_U^i.
- SymEnc({E, D}, k, {M, C}): This query gives adversary A access to the encryption oracle SymEnc defined in the previous section. On receiving an encryption query SymEnc(E, k, M) from A, SymEnc checks whether a record (k, M, C) has already been queried and recorded in the table that records all previous SymEnc queries. If so, SymEnc returns the corresponding ciphertext C to A; otherwise it generates and returns a random C, and adds (k, M, C) to the table. Similarly, on receiving a decryption query SymEnc(D, k, C) from A, SymEnc checks whether a record (k, M, C) has been queried and recorded in the table. If so, SymEnc returns the corresponding plaintext M to A; otherwise it generates and returns a random M, and adds (k, M, C) to the table.
- A second SymEnc oracle with the same interface ({E, D}, k, {M, C}) behaves like the previous SymEnc query, but is used for generating the authenticators μu or μv.
- Reveal(Π_U^i): This query models known-key attacks, i.e. compromising one authentication key must not reveal other authentication keys. The Reveal query is only available to adversary A if oracle Π_U^i has accepted.
- Test(Π_U^i): This query measures the semantic security of the authentication key Kauth, which specifies the indistinguishability of the real authentication key from a random string. During the execution of protocol P, adversary A can send queries to the oracle, as described above. A can ask a single Test query at some time. Upon receiving this query, Π_U^i flips an unbiased coin c. It returns the real authentication key Kauth to A if c = 1; otherwise, it returns a random string to A. Notably, this query is available only when Π_U^i is Fresh, a term defined in the following section.
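The NBP-MA and TBP-MA message flows of Sections 3.1 and 3.2, simulated end to end in one process, as an added example written for this page (it is not code from the paper). Each party's checks (r0, r1, Ui, V, tu, tv, and the authenticators μv and μu) are performed where the protocol places them, and H rejects a stale timestamp in TBP-MA. The cipher E_K(M) is a toy encrypt-then-MAC construction built from HMAC-SHA256 that stands in for the CCA-secure symmetric scheme the paper assumes; the function names, the `users`/`nets` key tables held by H, the freshness `window` and the hex encoding of nonces are all assumptions of this example.

```python
import hashlib
import hmac
import os
import time

TAG = 16  # bytes of the HMAC tag appended to every ciphertext


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy keystream (example only)."""
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]


def E(key: bytes, msg: bytes) -> bytes:
    """Toy E_K(M): random nonce, keystream XOR, HMAC tag (encrypt-then-MAC). Not for production."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _stream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG]


def D(key: bytes, blob: bytes) -> str:
    """Inverse of E; a wrong key or a modified ciphertext fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-TAG], blob[-TAG:]
    want = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG]
    if not hmac.compare_digest(tag, want):
        raise ValueError("decryption failed: bad key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))).decode()


def cat(*parts: str) -> bytes:
    """M1||M2||...: nonces are hex and names are ASCII, so '|' is an unambiguous separator."""
    return "|".join(parts).encode()


def rnd() -> str:
    return os.urandom(16).hex()  # a 128-bit random number r, as hex


def nbp_ma(users: dict, nets: dict, U="Ui", V="V"):
    """One NBP-MA run (H selects Kauth = r2). users/nets are H's tables of Kuh/Kvh.
    Returns (Kauth at Ui, Kauth at V, whether V accepted mu_u)."""
    Kuh, Kvh = users[U], nets[V]
    r0 = rnd()                                    # Step 1. Ui -> V : Ui, H, E_Kuh(Ui||r0)
    m1 = E(Kuh, cat(U, r0))
    r1 = rnd()                                    # Step 2. V -> H : E_Kuh(Ui||r0), E_Kvh(Ui||r1)
    m2 = E(Kvh, cat(U, r1))
    u_v, r1_h = D(nets[V], m2).split("|")         # Step 3. H opens both, checks the same Ui, picks r2
    u_u, r0_h = D(users[u_v], m1).split("|")      # KeyError here means Ui is unknown to H
    if u_u != u_v:
        raise ValueError("H: identity in V's message differs from Ui's own message")
    r2 = rnd()
    m3_v, m3_u = E(Kvh, cat(r1_h, r2)), E(Kuh, cat(r0_h, r2, V))
    r1_back, Kauth_v = D(Kvh, m3_v).split("|")    # Step 4. V checks r1, sets Kauth = r2, adds mu_v
    if r1_back != r1:
        raise ValueError("V: r1 mismatch, H's reply is not fresh")
    mu_v = E(bytes.fromhex(Kauth_v), cat(Kauth_v, r1))
    r0_back, Kauth_u, v_name = D(Kuh, m3_u).split("|")  # Step 5. Ui checks r0 and V, verifies mu_v
    if r0_back != r0 or v_name != V:
        raise ValueError("Ui: r0 or V mismatch, reply is not fresh or not for this visit")
    k_mu, r1_mu = D(bytes.fromhex(Kauth_u), mu_v).split("|")
    if k_mu != Kauth_u:
        raise ValueError("Ui: mu_v does not confirm Kauth")
    mu_u = r1_mu                                  # Ui -> V : mu_u = r1; V compares with its own r1
    return Kauth_u, Kauth_v, mu_u == r1


def tbp_ma(users: dict, nets: dict, clock, window=30, tu=None, U="Ui", V="V"):
    """One TBP-MA run (Ui selects Kauth = r0). H accepts tu/tv only within `window` seconds
    of its clock; pass an old `tu` to replay a stale request. Returns (Kauth at Ui, Kauth at V)."""
    Kuh, Kvh = users[U], nets[V]
    r0, tu = rnd(), (clock() if tu is None else tu)  # Step 1. Ui -> V : Ui, H, E_Kuh(r0||tu||V)
    m1 = E(Kuh, cat(r0, str(tu), V))
    tv = clock()                                  # Step 2. V -> H : E_Kvh(Ui||tv), E_Kuh(r0||tu||V)
    m2 = E(Kvh, cat(U, str(tv)))
    u_v, tv_h = D(nets[V], m2).split("|")         # Step 3. H checks Ui, V, tv and tu
    r0_h, tu_h, v_h = D(users[u_v], m1).split("|")
    now = clock()
    if v_h != V:
        raise ValueError("H: request was issued for a different visited network")
    if abs(now - int(tv_h)) > window or abs(now - int(tu_h)) > window:
        raise ValueError("H: stale timestamp (replayed message or clock skew)")
    m3 = E(Kvh, cat(r0_h, tu_h, tv_h))            # H -> V : E_Kvh(r0||tu||tv)
    Kauth_v, tu_v, tv_back = D(Kvh, m3).split("|")  # Step 4. V checks tv, sets Kauth = r0
    if tv_back != str(tv):
        raise ValueError("V: tv mismatch, H's reply is not fresh")
    mu_v = E(bytes.fromhex(Kauth_v), tu_v.encode())  # V -> Ui : mu_v = E_Kauth(tu)
    if D(bytes.fromhex(r0), mu_v) != str(tu):     # Ui checks tu under its own Kauth = r0
        raise ValueError("Ui: mu_v does not confirm tu")
    return r0, Kauth_v


if __name__ == "__main__":
    keys_u, keys_v = {"Ui": os.urandom(32)}, {"V": os.urandom(32)}
    print("NBP-MA:", nbp_ma(keys_u, keys_v))
    print("TBP-MA:", tbp_ma(keys_u, keys_v, lambda: int(time.time())))
```

Each run returns the key as seen by both endpoints, so a caller can confirm that Ui and V agree; in TBP-MA the `clock` argument is injected so the same code can be driven with a fixed clock and with a deliberately old `tu` to see H reject the replayed request.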

4.1.2. Security definitions

Partnering: Two user oracles Π_U^i and Π_V^j are partnered if
- oracles Π_U^i and Π_V^j directly exchange message flows, and
- only oracles Π_U^i and Π_V^j have the same authentication key Kauth.

Freshness: An oracle Π_U^i is Fresh in P if the following conditions are satisfied.
- Π_U^i (or Π_V^j) has accepted an authentication key Kauth, and
- Π_U^i (or Π_V^j) and its partner have not been sent a Reveal query.

AKE security: In this security definition, the adversary is allowed to ask as many Test queries as it wants. If a Test query is asked to a client instance that has not accepted, then the invalid symbol ⊥ is returned. If a Test query is asked to an instance of an honest participant whose intended partner is dishonest, or to an instance of a dishonest participant, then the real authentication key is returned. Otherwise, the Test query decides, via an unbiased coin c, whether to return the real authentication key or a random string. The adversary aims to correctly guess the value of the hidden bit c used by the Test oracle. Let E denote the event that the adversary wins this game. The ake-advantage of an adversary A in violating the indistinguishability of the protocol P is denoted Adv^{ake}_P(A) and defined as

$$\mathrm{Adv}^{ake}_P(A) = \left|\,2 \cdot \Pr[E] - 1\,\right|.$$

The protocol P is AKE-secure if Adv^{ake}_P(A) is negligible.

Mutual authentication (MA) security: In executing protocol P, the adversary A violates mutual authentication if A can fake the authenticator μu or μh. The probability of this event is denoted by Adv^{ma}_P(A). The protocol P is MA-secure if Adv^{ma}_P(A) is negligible.

4.1.3. Security proof

The symmetric-key encryption scheme used in our proposed protocols is Chosen Ciphertext Secure (Shoup, 2005). The Difference Lemma (Shoup, 2005) is used within our sequence of games. Chosen Ciphertext Security and the Difference Lemma are described as follows.

Chosen Ciphertext Secure symmetric-key encryption: For a symmetric-key encryption scheme, the CCA-advantage of the adversary A is the probability that A breaks indistinguishability under Chosen Ciphertext Attacks, and is denoted by Adv^{sk}(A). The symmetric-key encryption scheme SE is Chosen Ciphertext Secure if Adv^{sk}(A) is negligible (Shoup, 2005).

Lemma 1 (Difference Lemma). Let A, B and F be events defined in some probability distribution, and suppose that A ∧ ¬F ⇔ B ∧ ¬F. Then

$$\left|\Pr[A] - \Pr[B]\right| \le \Pr[F].$$

AKE security for the NBP protocol: The following theorem shows that the proposed NBP protocol has AKE security if the used long-term secret keys are secure.

Theorem 2. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret key. Then, the probability that an adversary breaks the AKE security of the NBP protocol:

$$\mathrm{Adv}^{ake}_{nbp}(t', q_{se}, q_{uh}, q_{vh}) \le \frac{q_{uh}^2 + q_{vh}^2}{2^{l-1}} + 4 \cdot \mathrm{Adv}^{sk}(t, q_{se}, q_{uh}, q_{vh}),$$

where q_se denotes the number of Send queries; q_uh and q_vh denote the numbers of SymEnc queries involving U and H, and involving V and H, respectively; l is a security parameter; t' = t + 8(q_uh + q_vh)τ; and τ is the time to compute a symmetric en/decryption.

Table 2 Comparisons of other related protocols and the proposed protocols.

Item | The protocol of Buttyan et al. | The protocol of Hwang and Chang | Proposed nonce-based protocol | Proposed clock-based protocol
Type | Nonce-based | Clock-based | Nonce-based | Clock-based
Kauth selector | V | V | H | Ui
Transmission, Ui ↔ V | 4 | 3 | 3 | 2
Transmission, V ↔ H | 4 | 2 | 2 | 2
Transmission, total | 8 | 5 | 5 | 4
Encryption, Ui | 1 (Step 7) | 2 (Steps 1, 5) | 1 (Step 1) | 1 (Step 1)
Encryption, V | 3 (Steps 4, 6, 8) | 1 (Step 2) | 2 (Steps 2, 4) | 2 (Steps 2, 4)
Encryption, H | 2 (Steps 3, 5) | 2 (Step 3) | 2 (Step 3) | 1 (Step 3)
Encryption, total | 6 | 5 | 5 | 4
Decryption, Ui | 2 (Steps 7, 9) | 1 (Step 5) | 2 (Step 5) | 1 (Step 4)
Decryption, V | 2 (Steps 4, 8) | 2 (Steps 4, 6) | 1 (Step 4) | 1 (Step 4)
Decryption, H | 1 (Step 5) | 2 (Step 3) | 2 (Step 3) | 2 (Step 3)
Decryption, total | 5 | 5 | 5 | 4
Used variables | 5 (r0, r1, r2, r3, Kauth) | 3 (r0, r1, t) | 3 (r0, r1, r2) | 3 (r0, tu, tv)
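The SymEnc oracle of Section 4.1.1 written out as a lazily sampled table, together with the collision event that the q²/2^{l−1} terms of Theorem 2 charge to the adversary, as an added example for this page (not the paper's code). Per key the simulator keeps the (M, C) pairs already answered; an encryption or decryption query on a recorded value returns the recorded partner, and an unrecorded one is answered with a fresh random value. The class name `SymEncOracle`, the `collision_bound` helper and the choice to re-draw and count a colliding fresh value are assumptions of this example.

```python
import os
from collections import defaultdict


class SymEncOracle:
    """Simulator of the SymEnc({E, D}, k, {M, C}) oracle from Section 4.1.1 (example only).
    Per key k it keeps a table of (M, C) pairs. Encryption of a recorded (k, M) returns the
    recorded C, otherwise a fresh random C is drawn and recorded; decryption of a recorded
    (k, C) returns the recorded M, otherwise a fresh random M is drawn and recorded. A fresh
    value colliding with one already recorded under the same key would make the table
    non-injective; the simulator re-draws and counts that event, which is the bad event the
    q^2 / 2^(l-1) terms in Theorems 2 and 5 account for."""

    def __init__(self, l_bits: int = 128):
        self.nbytes = l_bits // 8          # l: bit length of a random ciphertext / plaintext
        self.enc = defaultdict(dict)       # k -> {M: C}
        self.dec = defaultdict(dict)       # k -> {C: M}
        self.queries = 0
        self.collisions = 0

    def _fresh(self, taken: dict) -> bytes:
        while True:
            v = os.urandom(self.nbytes)
            if v not in taken:
                return v
            self.collisions += 1           # the event F of the Difference Lemma

    def query(self, op: str, k: bytes, x: bytes) -> bytes:
        self.queries += 1
        if op == "E":                      # SymEnc(E, k, M) -> C
            if x not in self.enc[k]:
                c = self._fresh(self.dec[k])
                self.enc[k][x], self.dec[k][c] = c, x
            return self.enc[k][x]
        if op == "D":                      # SymEnc(D, k, C) -> M
            if x not in self.dec[k]:
                m = self._fresh(self.enc[k])
                self.dec[k][x], self.enc[k][m] = m, x
            return self.dec[k][x]
        raise ValueError("op must be 'E' or 'D'")


def collision_bound(q: int, l_bits: int) -> float:
    """q^2 / 2^(l-1): the term Theorems 2 and 5 use for q SymEnc queries on l-bit values."""
    return q * q / 2 ** (l_bits - 1)


if __name__ == "__main__":
    o = SymEncOracle()
    c = o.query("E", b"Kuh", b"Ui|r0")
    print(o.query("D", b"Kuh", c) == b"Ui|r0", o.queries, o.collisions,
          collision_bound(o.queries, 128))
```

The simulator answers consistently in both directions (E then D, and D then E), which is exactly the property the game-hopping proof relies on until the collision event occurs; `collision_bound` gives the probability mass the proof assigns to that event for a given number of queries and value length.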


AKE security for the NBP-MA protocol: The following theorem shows that the proposed NBP-MA protocol has AKE security if the used long-term secret key is secure and the NBP protocol has AKE security.

Theorem 3. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret key. Then, the probability that an adversary breaks the AKE security of the NBP-MA protocol:

$$\mathrm{Adv}^{ake}_{nbp\text{-}ma}(t', q_{se}, q_{uh}, q_{vh}, q_{uv}) \le 2\,\mathrm{Adv}^{ake}_{nbp}(t, q_{se}, q_{uv}, q_{vh}) + 2\,\mathrm{Adv}^{sk}(t, q_{se}, q_{uv}) + \frac{q_{uv}^2}{2^{l-1}},$$

where t' ≤ t + (q_se + q_uh + q_vh) · t_relay + 2 · τ; the remaining parameters are defined as in Theorem 2; q_uv denotes the number of SymEnc queries involving U and V; and t_relay is the time to relay a query.

MA security for the NBP-MA protocol: The following theorem shows that the proposed NBP-MA protocol has MA security if the used long-term secret key is secure and the NBP protocol has AKE security.

Theorem 4. Let Adv^{ake}_{nbp} denote the advantage that an adversary breaks the AKE security of the NBP protocol. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret keys. Let Adv^{ma}_{nbp-ma} denote the advantage in violating the explicit mutual authentication of the NBP-MA protocol. Then, we have

$$\mathrm{Adv}^{ma}_{nbp\text{-}ma}(t', q_{se}, q_{uh}, q_{vh}, q_{uv}) \le 2\,\mathrm{Adv}^{ake}_{nbp}(t, q_{se}, q_{uv}, q_{vh}) + 2\,\mathrm{Adv}^{sk}(t, q_{se}, q_{uv}) + \frac{q_{uv}^2 + 1}{2^{l-1}},$$

where t' ≤ t + (q_se + q_uh + q_vh) · t_relay + 2 · τ, and the parameters are defined as in Theorems 2 and 3. The proofs of Theorems 2–4 are presented in Appendix A.

AKE security for the TBP protocol: The following theorem shows that the proposed TBP protocol has AKE security if the used long-term secret keys are secure.

Theorem 5. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret key. Then, the probability that an adversary breaks the AKE security of the TBP protocol:

$$\mathrm{Adv}^{ake}_{tbp}(t', q_{se}, q_{uh}, q_{vh}) \le \frac{q_{uh}^2 + q_{vh}^2}{2^{l-1}} + 4 \cdot \mathrm{Adv}^{sk}(t, q_{se}, q_{uh}, q_{vh}),$$

where q_se denotes the number of Send queries; q_uh and q_vh denote the numbers of SymEnc queries involving U and H, and involving V and H, respectively; t' = t + 6(q_uh + q_vh)τ; and τ is the time to compute a symmetric en/decryption.

AKE security for the TBP-MA protocol: The following theorem shows that the proposed TBP-MA protocol has AKE security if the used long-term secret key is secure and the TBP protocol has AKE security.

Theorem 6. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret key. Then, the probability that an adversary breaks the AKE security of the TBP-MA protocol:

$$\mathrm{Adv}^{ake}_{tbp\text{-}ma}(t', q_{se}, q_{uh}, q_{vh}, q_{uv}) \le 2\,\mathrm{Adv}^{ake}_{tbp}(t, q_{se}, q_{uv}, q_{vh}) + 2\,\mathrm{Adv}^{sk}(t, q_{se}, q_{uv}) + \frac{q_{uv}^2}{2^{l-1}},$$

where t' ≤ t + (q_se + q_uh + q_vh) · t_relay + 2 · τ; the remaining parameters are defined as in Theorem 2; q_uv denotes the number of SymEnc queries involving U and V; and t_relay is the time to relay a query.

MA security for the TBP-MA protocol: The following theorem shows that the proposed TBP-MA protocol has MA security if the used long-term secret key is secure and the TBP protocol has AKE security.

Theorem 7. Let Adv^{ake}_{tbp} denote the advantage that an adversary breaks the AKE security of the TBP protocol. Let Adv^{sk} denote the advantage that an adversary breaks the long-term secret keys. Let Adv^{ma}_{tbp-ma} denote the advantage in violating the explicit mutual authentication of the TBP-MA protocol. Then, we have

$$\mathrm{Adv}^{ma}_{tbp\text{-}ma}(t', q_{se}, q_{uh}, q_{vh}, q_{uv}) \le 2\,\mathrm{Adv}^{ake}_{tbp}(t, q_{se}, q_{uv}, q_{vh}) + 2\,\mathrm{Adv}^{sk}(t, q_{se}, q_{uv}) + \frac{q_{uv}^2 + 1}{2^{l-1}},$$

where t' ≤ t + (q_se + q_uh + q_vh) · t_relay + 2 · τ, and the parameters are defined as in Theorems 5 and 6.

The proposed clock-based authentication protocol is similar to the proposed nonce-based authentication protocol. The security proof of the proposed clock-based protocol can be obtained using similar arguments, and thus is not presented here.

4.2. Performance analyses and comparisons

Table 2 lists the performance comparison of the authentication protocol of Buttyan et al. (2000), the authentication protocol of Hwang and Chang (2003) and the protocols proposed here. In 2006, Jiang et al. (2006) presented an anonymous protocol based on the protocol of Hwang and Chang. The protocol proposed by Jiang et al. only adds a pseudonym identity PID = h(N H) ⊕ Ui ⊕ H, where N is a nonce, for a mobile user to protect the actual identity Ui without increasing the computational complexity. Thus, the computation loads of the protocol in Jiang et al. (2006) are almost the same as those of the protocol of Hwang and Chang, and are therefore not presented here.

The first comparison item is the type to which each scheme belongs. The authentication protocol of Buttyan et al. and the proposed nonce-based authentication protocol belong to the nonce-based type, and the authentication protocol of Hwang and Chang and the proposed clock-based authentication protocol belong to the clock-based type. The second item is which participant is adjusted as the entity that selects the authentication key Kauth. By adopting the first participant that provides authentication and message freshness as the generator of the authentication key, the selectors of the authentication key in the proposed nonce-based and clock-based authentication protocols differ from those of other related protocols. The numbers of encryption processes, decryption processes and transmissions are also compared. The proposed nonce-based protocol requires five transmissions, five encryption processes and five decryption processes. The proposed protocol is thus more efficient than the nonce-based authentication protocol of Buttyan et al. Furthermore, the proposed clock-based authentication protocol involves fewer transmissions and less computational cost in encryption and decryption than the clock-based authentication protocol of Hwang and Chang. The proposed protocol is thus more efficient than other related authentication protocols in encryption and decryption. The final item lists the number of variables used in each authentication protocol. The protocols presented here use fewer variables than the protocol of Buttyan et al. The numbers of variables used in the proposed protocols equal the number of variables used in the protocol of Hwang and Chang. That is, the variables used in the proposed protocols are not redundant.

5. Conclusions

This study proposes both nonce-based and clock-based authentication protocols for roaming services. These protocols adjust the

1724

T.-F. Lee, T. Hwang / The Journal of Systems and Software 84 (2011) 1717–1725

entity that selects the used authentication key for authentication schemes. From the performance comparisons in Table 2, the numbers of transmissions clearly are not only reduced, but the computational cost associated with encryption and decryption also are reduced in the proposed nonce-based and clock-based authentication protocols. Additionally, the proposed protocols provide the properties of mutual authentication and authentication key security; and impersonating and replay attacks are unsuccessful against the proposed protocols. Appendix A. A.1. Proof of Theorem 2 The proof consists of a sequence of games starting at the game defines the probability of the event Ei that the adversary wins this game, i.e. c = c. The first game is the real attack against the NBP protocol and the terminal game Gake 2 concludes that the adversary has a negligible advantage to break the AKE security of the NBP protocol. Assume that the challenger A1 attempts to breaks the long-term secret keys, and the adversary Aake is constructed to break the authentication key security. The following game models that Aake tries to distinguish the real authentication key from the random string. The challenger A1 sets up the used parameters, starts simulating the protocol NBP and answers the oracle queries made by Aake , which are relayed to the protocol NBP. The challenger A1 flips an unbiased coin c ∈ {0, 1}. It returns the real authentication key Kauth to Aake if c = 1; otherwise, it returns a random string to Aake . The adversary Aake outputs its guess bit c and wins if c = c. Game Gake 0 : This game corresponds to the real attack. By definition, we have ake Gake 0 . Each game Gi

(Aake ) = |2Pr[E0 ] − 1|. Advake nbp

(A.1)

Game Gake 1 : This game simulates all oracles as in previous game except for replacing the long-term secret keys, Kuh and Kvh , with two random numbers. Thus, by Lemma 1, we have |Pr[E1 ] − Pr[E2 ]| ≤ 2 · Advsk (A1 ).

This game simulates all oracles as in previous game Game except for using a table list 1 to simulate SymEnc queries involving U and H, and using a table list and 2 to simulate SymEnc queries ake involving U and H. Then, games Gake 1 and G2 are indistinguishable except collisions of 1 -table and 2 -table in Gake 2 . Thus, according to the birthday paradox and Lemma 1, we have q2uh + q2vh 2l

,

(A.3)

where Aake makes quh SymEnc queries involving U and H, and qvh SymEnc queries involving V and H. It is straightforward that Pr[E2 ] =

1 . 2

(A.4)

Combining Eq. (A.1), Eqs. (A.2)–(A.4), we have Advake (Aake ) nbp



q2uh + q2vh 2l−1

Advake − (Aake ) = |2Pr[E0 ] − 1|. nbp-ma

(A.5)

Game Gake 1 : This game simulates all oracles as in previous game except for replacing the long-term secret key, Kauth , in the symmetric en/decryption scheme, which used as input to the symmetric en/decryption scheme in the last two flows of NBP-MA, with a random number. Thus, by Lemma 1, we have |Pr[E0 ] − Pr[E1 ]| ≤ Advsk (A2 ).

(A.6)

ake Game Gake in Theorem 2, this game simulates 2 : Similar to G1 all oracles as in previous game except for using a table list 3 to simulate SymEnc queries involving U and V. Then, games Gma 1 ma and Gma 2 are undistinguishable except collisions of 3 in G2 . Thus, according to the birthday paradox and Lemma 1, we have

|Pr[E1 ] − Pr[E2 ]| ≤

q2uv 2l

,

(A.7)

where Ama makes quv SymEnc queries involving U and V. Game Gma 3 : This game simulates all oracles as in previous game except for replacing the authentication key Kauth with a random number. Then, we can use Ama to build an adversary A2 against the AKE security of NBP. First, A2 sets up the parameters, starts simulating the NBP-MA protocol and answers the oracle queries made by Ama as follows:

(A.2)

Gake 2 :

|Pr[E0 ] − Pr[E1 ]| ≤

real attack against the NBP-MA protocol and the terminal game Gake 3 concludes that the adversary has a negligible advantage to break AKE security of the NBP-MA protocol. Assume that the challenger A2 attempts to break AKE security of the NBP protocol, and the adversary Aake is constructed to break AKE security of the NBPMA protocol. The challenger A2 flips an unbiased coin c ∈ {0, 1}. It returns the real authentication key Kauth to Ama if c = 1; otherwise, it returns a random string to Ama . The adversary Ama outputs its guess bit c and wins if c = c. The following game models that Aake tries to distinguish the real authentication key from the random string. Game Gake 0 : This game corresponds to the real attack. By definition, we have

+ 4 · Advsk (A1 ).

Then the proof is concluded.  A.2. Proof of Theorem 3

- When Ama make Send or SymEnc queries, A2 answers what the NBP protocol says to. - When Ama makes SymEnc queries, A2 answers corresponding authenticators to Ama by making the same queries to the oracle SymEnc . - When Ama makes Test queries, A2 answers these queries using the bit c that it has previously selected and the authentication keys that has computed. Accordingly, the probability that A2 outputs 1 when its Test oracle returns the real authentication keys is equivalent to the probability that Aake correctly guesses the hidden bit c in game Gma 2 . Similarly, the probability that A2 outputs 1 when its Test oracle returns the random strings is equivalent to the probability that Ama correctly guesses the hidden bit c in game Gma 3 . Thus, by Lemma 1, we have |Pr[E2 ] − Pr[E3 ]| ≤ Advake (A2 ). nbp

(A.8)

At this time, no information on the hidden bit c is leaked to the adversary. It is straightforward that Pr[E3 ] =

1 . 2

(A.9)

Combining Eq. (A.5), Eqs. (A.6)–(A.9), we have The proof also consists of a sequence of games starting at the ake game Gake defines the probability of the event Ei 0 . Each game Gi that the adversary wins this game, i.e. c = c. The first game is the

(Ama ) ≤ 2Advake (A2 ) + 2Advsk (A2 ) + Advake nbp−ma nbp

q2uv 2l−1

.

T.-F. Lee, T. Hwang / The Journal of Systems and Software 84 (2011) 1717–1725

Assume that trelay is the time of relay a query and  is the time of generating a random number. Then, A2 has at most timecomplexity t and t  ≤ t + (qse + quh + qvh ) · trelay + 2 · .

(A3 ). |Pr[E2 ] − Pr[E3 ]| ≤ Advake nbp

(A.13)

At this time, no information on the authenticator is leaked to the adversary. It is straightforward that Pr[E3 ] =

Then the proof is concluded. 

1725

1 2l

.

(A.14)

Combining Eq. (A.10), Eqs. (A.11)–(A.14), we have A.3. Proof of Theorem 4 The proof also consists of a sequence of games starting at the game Gma 0 . The first game is the real attack against the NBP-MA protocol and the terminal game Gma 3 concludes that the adversary has a negligible advantage to break MA security of the NBP-MA protocol. The challenger A3 attempts to break MA security for the NBP protocol and the adversary Ama is constructed to break MA security for the NBP-MA protocol. The adversary Ama wins this game if he successfully fakes the authenticator  u or  h . Game Gma 0 : This game corresponds to the real attack. By definition, we have Advma (Ama ) = 2Pr[E0 ]. nbp-ma

(A.10)

Game Gma 1 : This game simulates all oracles as in previous game except for replacing the long-term secret key, Kauth , in the symmetric en/decryption scheme, which used as input to the symmetric en/decryption scheme in the last two flows of NBP-MA, with a random number. Thus, by Lemma 1, we have |Pr[E0 ] − Pr[E1 ]| ≤ Advsk (A3 ). Gma 2 :

(A.11)

Gake 1

Game Similar to in Theorem 2, this game simulates all oracles as in previous game except for using a table list 3 to simulate SymEnc queries involving U and V. Then, games Gma 1 and ma Gma 2 are undistinguishable except collisions of 3 -table in G2 . Thus, according to the birthday paradox and Lemma 1, we have |Pr[E1 ] − Pr[E2 ]| ≤

q2uv 2l

,

(A.12)

where Ama makes quv SymEnc queries involving U and V. Game Gma 3 : This game simulates all oracles as in previous game except for replacing the authentication key Kauth with a random number. Then, we can use Ama to build an adversary A3 against the AKE security of NBP. First, A3 sets up the parameters, starts simulating the NBP-MA protocol and answers the oracle queries made by Ama as follows. - When Ama make Send or SymEnc queries, A3 answers what the NBP protocol says to. - When Ama makes SymEnc queries, A3 answers corresponding authenticators to Ama by making the same queries to the oracle SymEnc . - When Ama makes Test queries, A3 answers these queries using the bit c that it has previously selected and the authentication keys that have computed. - Accordingly, the probability that A3 outputs 1 when the authenticator is obtained by the real authentication key is equivalent to the probability that Ama correctly guesses the hidden bit c in game Gma 2 . Similarly, the probability that A3 outputs 1 when the authenticator obtained by a random string is equivalent to the probability that Ama correctly guesses the hidden bit c in game Gma 3 . Thus, by Lemma 1, we have

Advma (Ama ) ≤ 2Advake (A3 ) + 2Advsk (A3 ) + nbp-ma nbp

q2uv + 1 2l−1

.

Then the proof is concluded. □

References

Buttyan, L., Gbaguidi, C., Staaman, S., Wilhelm, U., 2000. Extensions to an authentication technique proposed for the global mobility network. IEEE Trans. Commun. 48, 373–376.
Denning, D.E., Sacco, G.M., 1981. Timestamps in key distribution protocols. Commun. ACM 24 (8), 533–536.
Gong, L., 1992. A security risk of depending on synchronized clocks. ACM Oper. Syst. Rev. 26 (1), 49–53.
Gong, L., 1995. Efficient network authentication protocols: lower bounds and implementations. Distrib. Comput. 9 (3), 131–145.
Hwang, K.-F., Chang, C.-C., 2003. A self-encryption mechanism for authentication of roaming and teleconference services. IEEE Trans. Wireless Commun. 2, 400–407.
Jiang, X., Lin, C., Shen, X., Shi, M., 2006. Mutual authentication and key exchange protocols for roaming services in wireless mobile networks. IEEE Trans. Wireless Commun. 5 (9), 2569–2577.
Lee, T.-F., Chang, C.-C., Hwang, T., 2005. Private authentication techniques for the global mobility network. Wireless Pers. Commun. 35 (4), 329–336.
Lee, W.-B., Yeh, C.-K., 2005. A new delegation-based authentication protocol for use in portable communication systems. IEEE Trans. Wireless Commun. 4 (1), 57–64.
Long, M., Wu, C.-H., Irwin, J.D., 2004. Localised authentication for inter-network roaming across wireless LANs. IEE Proc. Commun. 151 (5), 496–500.
Mills, D.L., 1994. Precision synchronization of computer network clocks. ACM Comput. Commun. Rev. 24 (1), 28–43.
Mills, D.L., 1998. Adaptive hybrid clock discipline algorithm for the network time protocol. IEEE/ACM Trans. Netw. 6, 505–514.
Mock, M., Frings, R., Nett, E., Trikaliotis, S., 2000. Clock synchronization for wireless local area networks. In: Proc. of the 12th Euromicro Conference on Real Time Systems, pp. 183–189.
Needham, R.M., Schroeder, M.D., 1978. Using encryption for authentication in large networks of computers. Commun. ACM 21 (12), 993–999.
Saeednia, S., 1997. Identity-based and self-certified key exchange protocols. In: Proc. Second Australian Conf. on Info. Security and Privacy, pp. 303–313.
Saeednia, S., 2003. A note on Girault's self-certified key exchange protocols. Inform. Process. Lett. 86 (6), 323–327.
Shoup, V., 2005. Sequences of games: a tool for taming complexity in security proofs. Available from: http://www.shoup.net.
Stallings, W., 1999. Cryptography and Network Security: Principles and Practice, second edition. Prentice Hall, Upper Saddle River, NJ.
Suzuki, S., Nakada, K., 1997. An authentication technique based on distributed security management for the global mobility network. IEEE J. Select. Areas Commun. 15, 1608–1617.
Wu, T.-C., Chang, Y.-S., Lin, T.-Y., 1998. Improvement of Saeednia's self-certified model. Electron. Lett. 34 (1), 1094–1095.

Tian-Fu Lee was born in Tainan, Taiwan, ROC, in 1969. He received his BS degree in applied mathematics from National Chung Hsing University, Taiwan, in 1992, his MS degree in Computer Science and Information Engineering from National Chung Cheng University, Taiwan, in 1998, and his PhD degree from the Department of Computer Science and Information Engineering, National Cheng Kung University, Taiwan, in 2008. He works as an assistant professor in the Department of Medical Informatics, Tzu Chi University. His research interests include cryptography, network security, medical information security, wireless networks, and algorithmic graph theory.

Tzonelih Hwang was born in Tainan, in March 1958. He received his undergraduate degree from National Cheng Kung University, Tainan, Taiwan, in 1980, and the MS and PhD degrees in computer science from the University of Southwestern Louisiana, USA, in 1988. He is presently a professor in the Department of Computer Science and Information Engineering, National Cheng Kung University. His research interests include quantum cryptography, cryptology, network security, and coding theory.
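Added example, not part of the paper: a Python sketch of the table-list simulation of SymEnc queries used in the collision games of Appendix A, checking empirically that the collision probability stays under the birthday term q²/2^l of (A.3), (A.7) and (A.12), plus a function that evaluates the TBP-MA bound stated just before Section 4.2. The toy parameters (l = 8 bits, the key label b"K") are constructed for illustration and are far too small for real use.

```python
import random
from fractions import Fraction

# Lazy-sampling simulator for a SymEnc oracle, in the style of the games in
# Appendix A that replace SymEnc by a table list: each new (key, message) query
# receives a fresh l-bit random string, which is recorded in the table. The
# simulation is perfect unless two distinct queries receive the same output,
# which is exactly the birthday-paradox event bounded by q^2 / 2^l.
class TableSymEnc:
    def __init__(self, l, seed=None):
        self.l = l
        self.rng = random.Random(seed)  # simulation only, not key material
        self.table = {}                  # (key, msg) -> l-bit output
        self.collided = False            # set once two outputs coincide

    def query(self, key, msg):
        q = (key, msg)
        if q not in self.table:
            out = self.rng.getrandbits(self.l)
            if out in self.table.values():
                self.collided = True
            self.table[q] = out
        return self.table[q]            # repeated queries answer consistently

def collision_bound(q, l):
    """Birthday term q^2 / 2^l appearing in (A.3), (A.7) and (A.12)."""
    return Fraction(q * q, 2 ** l)

def estimate_collision_rate(q, l, trials=2000, seed=0):
    """Fraction of simulated games in which q distinct queries collided."""
    hits = 0
    for t in range(trials):
        sim = TableSymEnc(l, seed=seed + t)
        for i in range(q):
            sim.query(b"K", i)          # q distinct queries under one key
        hits += sim.collided
    return hits / trials

def tbp_ma_bound(adv_ake, adv_sk, q_uv, l):
    """Right-hand side of the TBP-MA bound: 2Adv^ake + 2Adv^sk + (q_uv^2+1)/2^(l-1)."""
    return 2 * adv_ake + 2 * adv_sk + Fraction(q_uv * q_uv + 1, 2 ** (l - 1))

if __name__ == "__main__":
    q, l = 8, 8
    print("empirical collision rate:", estimate_collision_rate(q, l))
    print("bound q^2 / 2^l        :", float(collision_bound(q, l)))
    print("TBP-MA bound (Adv = 0) :", float(tbp_ma_bound(0, 0, q, l)))
```

The empirical rate for q = 8, l = 8 lands near 0.10 while the bound is 0.25, illustrating that q²/2^l is a safe but loose estimate of the collision event.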