Loose Security Protocol Algorithm Design and Performance Analysis Method

(1)

2016 International Congress on Computation Algorithms in Engineering (ICCAE 2016) ISBN: 978-1-60595-386-1

1 INTRODUCTION

The network security problem is becoming serious; therefore, to design a high-performance security pro-tocol is particularly important for the authentication and encryption of the network communication process. To analyze the performance of the designed security protocol algorithm to improve the algorithm perfor-mance is an important step in the design of security protocol algorithm. In the conventional algorithm performance analysis, the algorithm analysis methods are the time analysis method, Cycle analysis method, MIPS analysis method, multiplication and addition analysis method and so on. However, viewing from these algorithms analysis methods, it only needs to conduct the coarse-grained analysis toward the pro-cessing time, the number of executed clock cycles and the number of multiplication and addition executed in the algorithm in a single machine. In addition to the processing performance in a single machine, the algo-rithm used in the network also has processing perfor-mance in the network and network nodes. Therefore, the traditional algorithm performance analysis meth-ods are not fully applicable to the performance analy-sis of the network protocol algorithm.

2 OVERVIEW OF AUTHENTICATION AND

ENCRYPTION

Communication between application entities shall go through the identity authentication, so as to effectively prevent counterfeiting [1]. The identity authentication is completed by AS of a third party, and both parties of communication shall register their true identity information in AS and obtain a pair of secret keys distributed by AS, of which a public key is used for encryption, and a private key is used for digital signa-ture and decryption. The certified identity information is stored in AS authentication database. The data con-tent transmitted by both parties of communication must go through a certain transformation, so as to effectively prevent information leakage. Under the foundation framework of a public key, the sender adopts the public key of the receiver to encrypt the transfer data. The receiver adopts the private key to decrypt. Due to the confidentiality of the private key, only the real receiver can use it to decrypt, so as to ensure the information confidentiality. In the sin-gle-key system, both parties of communication use the same secrete key for encryption and decryption [2].

Loose Security Protocol Algorithm Design

and Performance Analysis Method

Kaifen Liu1 & Muhd Amirul Najhan bin Shamsudin2

1

Chongqing Creation Vocational College, Chongqing, China

2

National Defence University, Kuala Lumpur, Malaysia

ABSTRACT: For the network security problem, this paper proposes a kind of loose security protocol algorithm. The protocol includes two parts: authentication and encryption, which are respectively used for authentication and encryption for the network applications. This paper also adopts OPNET to customize the application model-ing method in order to analyze the network performance of the protocol algorithm. The simulation shows that, after analysis and optimization of the algorithm performance through customizing the application model by using OPNET in the design of the loose security protocol algorithm, the algorithm performance has a significant im-provement.

(2)

3 AUTHENTICATION AND ENCRYPTION DE-SCRIPTION ALGORITHM DESIGN 3.1 Algorithm description

[image:2.516.82.224.195.308.2]

To achieve secure communications between A and B, first, there is a need to verify valid identification of A and B, which is the basis of secure communications; second, the communications between A and B distrib-ute the session key; finally, the encryption transmis-sion is achieved in the communication channel of A and B. The workflow of authentication and encryption algorithm is shown in Figure 1:

Figure 1. Workflow of authentication and encryption algorithm.

In Figure 1, AS is a third party with credibility, who is responsible for the authentication in both parties of communication, the distribution of session keys and other functions. AS must strictly follow certain work-flow. Client A and Client B achieve secure communi-cations through the following eight steps:

1. A→AS: {IDA, IDB}

Before communications between A and B, A sends the authentication request of the identity of A (IDA) and the identity of B (IDB) to AS.

2. AS→A: {ESKAS(IDB, PKB)}

After received the authentication request of the identity of A, AS sends the identity information of B (IDB, PKB) to A and signs. The identity information of B includes the public key (PKB) of IDB and B. The purpose of AS signature is to ensure that the authenti-cation information is really from AS.

3. A→B: {EPKB (NA, IDA)}

A manifests its identity to B. For anti-replay, A generates a random number (NA). NA and IDA are encrypted by the public key of B. The information can be only used by B.

4. B→AS: {IDA, IDB, EPKAS(NA)}

After receiving the information of A, B sends the authentication request of the identity of A and B to AS, and sends NA encrypted by the public key of AS to AS.

5. AS→B:{ESKAS (IDA,PKA), EPKB (ESKAS (NA, Ks, IDB, IDA))}

AS returns the identity information of A (IDA, PKA) to B, and signs to ensure that the information is really from AS. AS generates the session key (Ks) of the communications between A and B, and then signs (NA, Ks, IDB, IDA) to encrypt by using the public key of B, so as to ensure that (NA, Ks, IDB, IDA) is really from AS, and only B can use this information.

6. B→A: {EPKA (ESKAS (NA, Ks, IDB, IDA), NB)} (NA, Ks, IDB, IDA) and the generated random num-ber (NB), are signed by AS. B encrypts them by the public key of A and then sends them to A.

7. A→B: {EKs (NB)}

A decrypts the signature data of AS and checks whether NA is counterfeit. At the same time, it obtains the session key (Ks) of B. The random number gener-ated by B is encrypted by the session password (Ks) and then sent to B, and finally it establishes a session connection with B.

8. A→B: {EKs (M)}, B→A:{EKs (M`)} Thereafter, the communications between A and B use the session key (Ks) to encrypt plaintext data transmission.

3.2 Description algorithm design

3.2.1 Timing sequence design

According to the algorithm description, the execution sequence at each stage and the directivity of data flow must be strictly specified. The workflow of commu-nications between A, AS and B is shown in Table 1, and it is executed by the sequences 1-8.

Table 1. Execution sequence at each stage and direction of data flow.

Timing sequence Stage Source Goal

1 A→AS:{IDA, IDB} A AS

2 AS→A:{ESKAS (IDB, PKB)} AS A

3 A→B:{EPKB (NA, IDA)} A B

4 B→AS:{IDA, IDB, EPKAS (NA)} B AS

5 AS→B:{ESKAS (IDA, PKA), EPKB (ESKAS (NA, Ks, IDB, IDA))} AS B

6 B→A:{EPKA (ESKAS (NA, Ks, IDB, IDA), NB)} B A

7 A→B:{EKs (NB)} A B

8 A→B:{EKs (M)} A B

[image:2.516.56.469.537.669.2]

(3)

3.2.2 Data flow design

For interaction at each stage, there is a need to deter-mine the request count, response count, request pro-cessing time, response propro-cessing time and other pa-rameters, and also determine the request and response packet size. The processing time of authentication and encryption algorithm is mainly the time required by the asymmetric encryption, decryption, signature and verification. According to the improvement of expo-nential module algorithm by Montgomery algorithm, 1024-bit key is used to encrypt the data of 1000B, and the operation time is within 200ms; the operation time of decryption is within 50ms [3]. The data flow design of description algorithm is shown in Table 2.

3.2.3 Description algorithm analysis

As can be seen from Table 2, there are two processes to describe the algorithm: The authentication process is comprised of the timing sequences 1-7, and the encryption process is comprised of the timing se-quence 8.

In the authentication process, in addition to the timing sequence 1, other six timing sequences shall go through encryption, signature and decryption and so on. Therefore, it will produce the corresponding time in the processor, which is specified by the initializa-tion time in Table 2.

In the timing sequence 8, the session key obtained

by A from AS through the authentication process en-crypts and transmits the plaintext M. The encryption process is completed by using the symmetric encryp-tion mechanism, so the initializaencryp-tion time is much smaller, which is 0.1s specified by the description algorithm; the number of request is 1, the number of every request is 10,000, and the size of every packet is 1kbytes, with a total of 10,000kbytes. The method of “a single request and multiple packets” is used to complete the encryption process.

In the timing sequence 9, the session key obtained by B from AS through the authentication process en-crypts and transmits the plaintext M. The initialization time is 0.1s specified by the description algorithm, the number of request is 1, the number of every request is 20,000, and the size of every packet is 1kbytes, with a total of 20,000kbytes. The method of “a single request and multiple packets” is used to complete the encryp-tion process.

4 DESCRIPTION ALGORITHM PERFORMANCE

ANALYSIS

[image:3.516.58.461.67.355.2]

OPNET network simulation software is used for the description algorithm performance analysis, so as to obtain the description algorithm performance parame-ters [4]. OPNET supports the custom multiport busi-ness modeling.

Table 2. Data flow design of description algorithm.

Timing sequence

Stage Request Response

1 A→AS:{IDA, IDB} Request count=1 _{Request size=1kbytes}

2 AS→A:{ESKAS (IDB, PKB)}

Processing time =0.2s Response count=1 Response size=1kbytes

3 A→B:{EPKB (NA, IDA)}

Initialization time=0.2s Request count=1 Request size =1kbytes

4 B→AS:{IDA, IDB, EPKAS (NA)}

5 AS→B:{E_(N SKAS (IDA, PKA), EPKB (ESKAS A, Ks, IDB, IDA))}

Processing time=0.25s Response count=1 Response size=2kbytes

6 B→A:{EPK_N A (ESKAS (NA, Ks, IDB, IDA), B)}

7 A→B:{EKs (NB)}

8

A→B:{EKs (M)}

Initialization time=0.1s Request count =1 Packets per request=10000 Request size =1kbytes

B→A:{EKs (M`)}

Initialization time=0.1s Request count=1

(4)

4.1 Simulation network model

Figure 2. Simulation network model.

In order to analyze the description algorithm perfor-mance in the Internet, the network model is estab-lished as shown in Figure 1. In Figure 1, as a third party of the public trust, AS is a node of PPP_server

and distributes the session key for the encryption of communications between A and B, so as to achieve authentication of A and B. A and B are nodes of PPP_client. The Internet is a cloud node of IP. The packet loss rate is set as 0%, and the packet delay is set as 0.1s. DS1 (1.544Mbps) link is used to connect with AS, A, B and the Internet node.

4.2 Custom service

4.2.1 Custom authentication service

OPNET provides the definition of custom service through Task config. Task config defines two tasks-xieshang and jiami, which are respectively cor-responding to authentication and encryption.

The main configuration parameters of the custom service in the authentication process are shown in Table 3.

Table 3. Manual configuration table.

Phase

Name Source Destination REQ/RESP Pattern End Phase When

A->AS Originating _Source AS REQ->RESP->REQ->RESP.... (Serial) Final Response Arrives at _Source

A->B Originating

Source B REQ->REQ->....RESP->.... (Concurrent)

Final Request Arrives at Destination

B->AS B AS REQ->RESP->REQ->RESP.... (Serial) Final Response Arrives at Source

B->A B A REQ->RESP->REQ->RESP.... (Serial) Final Response Arrives at Source

Table 4. Data flow setting at each stage of authentication.

Phase Name Source->Dest Traffic Dest->Source Traffic

A->AS

Initialization Time (seconds):constant (0) Request Count: constant (1)

Interrequest Time (seconds):exponential (1.0) Request Packet Size (bytes):constant (1024) Packets Per Request: constant (1)

Request Processing Time (seconds):constant (0.2) Response Packet Size (bytes):constant (1024) Packets Per Response: constant (1)

Interpacket Time (seconds):exponential (1.0)

A->B

Initialization Time (seconds):constant (0.2) Request Count: constant (1)

No Response

B->AS

Initialization Time (seconds):constant (0.2) Request Count: constant (1)

B->A

Initialization Time (seconds):constant (0) Request Count: constant (1)

[image:4.516.51.467.67.476.2]

Table 5. Manual configuration table.

Phase

Name Source Destination REQ/RESP Pattern End Phase When

A->B Originating

Source B

REQ->REQ->....RESP->.... (Con-current)

Final Request Arrives at Destination

B->A B Originating Source

REQ->REQ->....RESP->.... (Con-current)

(5)

The data flow parameters at each stage of authenti-cation are shown in Table 4.

4.2.2 Custom encryption service

The main configuration parameters of the custom service in the encryption process are shown in Table 5.

The data flow parameters at each stage of authenti-cation are shown in Table 6.

4.3 Custom application

4.3.1 Task table configuration

Task Ordering: Serial (Ordered) Transport Protocol: TCP Transport Port: Default Type of Service: Best Effort (0)

Connection Policy: Refresh After Application RSVP Parameters: None

ACE Task Interdependency: Final Response Arrival at Client

4.3.2 Task description configuration

Task Name Task Weight xieshang 10 jiamijiami 10

4.4 User profile configuration

The configuration of user behavior and profile behav-ior attributes is shown in Table 7.

4.5 Simulation run

4.5.1 Configuration of simulation running parame-ters and collected statistics

The simulation running duration is set as 1 hour, the speed seed number is set as 128, and the value per statistic is set as 100.

[image:5.516.54.465.68.175.2]

Simulation statistics are collected: the application response time, the task response time and the phase response time.

Table 6. Data flow setting at each stage of authentication.

A->B

Initialization Time (seconds):constant (0.1 Request Count: constant (1)

No Response

B->A

No Response

Table 7. Configuration of application behavior and profile behavior attributes.

Application behavior attribute Profile behavior attribute

Number of Rows:1 Operation Mode: Serial(ordered)

Name: cust Start Time: End of Simulation

Start Time Offset: uniform(5,10) Inter-repetition Time: constant(300)

Duration: End of Profile Number of Repetitions: constant(1)

Inter-repetition Time: exponential(300) Repetition Pa0074tern: concurrent

Number of Repetitions: constant(1)

[image:5.516.61.463.73.459.2]

Repetition Pattern: Serial

Table 8. Parameter adjustment in the encryption process.

A->B

Interrequest Time (seconds):exponential (1.0) Request Packet Size (bytes):constant (10000) Packets Per Request:constant (1)

No Response

B->A

Initialization Time (seconds):constant (0.1 Request Count:constant (1)

Interrequest Time (seconds):exponential (1.0) Request Packet Size (bytes):constant (10000) Packets Per Request:constant (1)

(6)

4.5.2 Simulation analysis

[image:6.516.61.245.157.343.2]

After the simulation run, the application response time is 9.20483600807s, which is a total time for the com-pletion of authentication, encryption and transmission as shown in Figure 3, of which the time used by xie-shang in the authentication process is 4.74190264585s as shown in Figure 4, and the time used by jiami in the encryption process is 4.46293336222s as shown in Figure 5.

[image:6.516.270.457.245.451.2]

Figure 3. Average value of application response time.

Figure 4. Average value of task response time in authentication (xieshang).

The application response time is relatively long, which has a greater delay for the end user. In the en-tire process, the time used by the authentication pro-cess is related to the network delay and propro-cessing time of the related devices. In the specific network environment, the time used by the authentication (xieshang) process is basically constant. To reduce the

application response time, there is only a need to re-duce the encryption time. Through the description algorithm analysis, the size of the request packet is 1bytes, namely, Request Packet Size (bytes): constant (1), while the number of packets per request is 10,000, namely, Packets Per Request: constant (10000). In the design process of description algorithm, the data at the application layer is divided into a plurality of packets with 1bytes. Each packet is to be encrypted, thus in-creasing the encryption time, namely, generating a confused syndrome at the sending end [5]. To reduce the total time used by the application, it is necessary to control over the data packet size in the encryption process, so that the data packet is as large as possible, close to or equal to MSS size. The description algo-rithm is adjusted as shown in Table 8, namely, Re-quest Packet Size (bytes): constant (10000), Packets Per Request: constant (1).

Figure 5. Average value of task response time in encryption (jiami).

After the parameter adjustment based on Table 8, under the circumstance of other constant parameters, the application response time is 5.62325099979s after the simulation run as shown in Figure 6, of which the time used by xieshang in the authentication process is 4.74190264585s as shown in Figure 7, and the total time used by jiami in the encryption process is 0.881348353946s as shown in Figure 8.

[image:6.516.61.245.366.564.2]

(7)

[image:7.516.272.455.54.235.2]

increased. After encryption of big data, the encryption packets are grouped according to the size of MSS. Such an encryption process is only executed once, thereby reducing the processing time of encryption.

Figure 6. Average value of application response time after parameter adjustment.

[image:7.516.60.247.102.296.2]

Figure 7. Average value of task response time of authentica-tion (xieshang) after parameter adjustment.

Figure 8. Average value of task response time of encryption (jiami) after parameter adjustment.

5 CONCLUSION

In the design process of network security algorithm, OPNET is adopted to carry out the simulation analysis of key performance of the algorithm, and the simula-tion results can be used to analyze the algorithm per-formance and optimize the algorithm through algo-rithm adjustment, so as to obtain an algoalgo-rithm with higher performance.

REFERENCES

[1] Fang Yong, & Liu Jiayong. 2007. Introduction to Infor-mation System Security. Beijing: Electronic Industry Press, pp: 110-125.

[2] Yan Shaoge. 2008. Research of essential technologies on distributed key management. Zhengzhou: Electronic Technology Department of PLA Information Engineer-ing University.

[3] Wang Lingfang, & Mu Jingqin translation. 2014. Prac-tical guide of computer network simulation OPNET. Beijing: Mechanical Industry Press, pp: 133-164. [4] Xie Xiren translation. 2007. TCP/IP protocol suite.

Bei-jing: Tsinghua University Press, pp: 258-259.

[5] Wang Lingfang, & Feng Yufen translation. 2013. Prin-ciple and application of network performance analysis. Beijing: Mechanical Industry Press, pp: 105-118. [6] Li Aolei, & Li Zhizhu. 2013. Simulation and application

[image:7.516.57.250.332.523.2]