An Improved Certificate less Authenticated Key Agreement Protocol

N/A
N/A
Protected

Academic year: 2020

Share "An Improved Certificate less Authenticated Key Agreement Protocol"

Copied!
8
0
0

Loading.... (view fulltext now)

Full text

(1)

2017 2nd International Conference on Computer Science and Technology (CST 2017) ISBN: 978-1-60595-461-5

An Improved Certificate-less Authenticated Key Agreement Protocol

Jie LING 1 and Zi-jian YU 1,a,*

1 Faculty of Computer Science and Technology, Guangdong University of Technology, Guangzhou 510006, China

a 850302505@qq.com

* Corresponding author

Keywords: DLP, CDHP, Authenticated, Certificate-Less, Key agreement

Abstract. Through an analysis of an existing certificate-less authenticated key agreement protocol that suffers from key-compromise impersonation and invalid authentication, this paper proposes an efficient protocol based on the Discrete Logarithm Problem and Computational Diffie-Hellman Problem assumptions that removes these weaknesses and reduces overhead. During the conversation, each of the two entities holds three secret values, namely the partial private key issued by the Key Generation Center (KGC), the long-term private key generated by the entity itself, and the temporary private key generated by the entity for each conversation. The theoretical analysis shows that the scheme provides mutual authentication, forward security and resistance to key compromise impersonation, prevents MITM attacks, and keeps the session key secure as long as one of a communicating party's secret values remains undisclosed.

Introduction

After Al-Riyami and Paterson [1] proposed Certificate-less Public Key Cryptography (CL-PKC), several researchers proposed certificate-less authenticated key agreement protocols. Most of these protocols rely on bilinear pairing operations, so their computational cost is high. Wenhao Liu et al. [2] proposed a certificate-less two-party key agreement scheme without bilinear pairing and claimed that the scheme remains secure when a temporary key leaks. However, analysis shows that if a user's temporary key leaks, the user's master key expression ( + ) used during the key agreement can be computed. In literature [2], user Alice calculates = /( + + ℎ) and sends it to user Bob as the authentication parameter. Once Alice's temporary private key leaks, the attacker can use the formula

+ = − ℎ

to compute Alice's authentication private key ( + ), since s and h are public parameters. The attacker can then compute the session key and pretend to be Alice, communicating with any other entity and mounting impersonation attacks. Literature [3,4] proposed a protocol that avoids the security threat of temporary key leakage, but this protocol does not actually provide valid authentication between the two parties of the key agreement. In literature [4], user Bob calculates ℎ = ( , , , ) and authenticates A by the equation ℎ = ℎ . However, all the parameters ( , , , ) are provided by user A, so the verification equation ℎ = ℎ is meaningless: an attacker can use the real to disguise itself as any user i for authentication and key agreement.

Literature [5] proposed a key agreement protocol with improved efficiency, but the security threat of impersonation attacks caused by temporary private key leakage remains.


protocol which can effectively solve the security threat, but implementing a 512-bit bilinear pairing operation takes about 20 ms, a 1024-bit prime-modulus exponentiation only needs 8.8 ms, and a pairing operation costs about 21 times as much as an elliptic curve point multiplication [7].

To repair the vulnerability to leakage of the user's long-term private key and to provide effective identity authentication, this paper presents an improved certificate-less authentication protocol without bilinear pairing computation, based on the DLP and CDH assumptions. During the communication there are three secret values: the partial private key generated by KGC, the long-term private key generated by the user itself, and the temporary private key generated by the user at random. The scheme transmits no expression related to any private key during the conversation and, according to the theoretical analysis, keeps the session key secure as long as one of a communicating party's secret values remains undisclosed.

Protocol Design

Assumptions and Preliminaries

Discrete Logarithm Problem Assumption. Let G be an additive cyclic group of order q on an elliptic curve and P a generator of G. Given P, ∈ G, for an unknown ∈ ∗, compute a. The advantage of a probabilistic polynomial-time (PPT) algorithm A in solving the DLP is:

( ) = ( , ) = | ∈ ∗

The DLP assumption states that for any PPT algorithm A, ( ) is negligible.

Computational Diffie-Hellman Problem Assumption. Let G be an additive cyclic group of order q on an elliptic curve and P a generator of G. Given , ∈ , for unknown , ∈ ∗, compute abP. The advantage of a PPT algorithm A in solving the CDH problem is:

( ) = ( , ) = | , ∈ ∗

The CDH assumption states that for any PPT algorithm A, ( ) is negligible.

Setup Phase

This protocol has three stages: system setup, user key generation, and identity authentication with key agreement. In the conversation, each party holds three secret values: the partial private key generated by KGC, the long-term private key generated by the user itself, and the temporary private key generated by the user at random.

The notation used below is defined in Table 1:

Table 1. Notation.

Notation   Meaning
×          ECC point multiplication
→          output
{}k        k-bit data string
||         concatenation
=          ECC point multiplication, where P is a generator
           ciphertext generated by B
           plaintext decrypted from
()         function encrypting with key K


Given the security parameter ∈ , KGC produces two large primes p and q with q | p−1. P is a generator of G, an additive cyclic group of order q on the elliptic curve. KGC randomly selects the master key ∈ ∗ and computes the system public key = .

Define two hash functions: : {0,1}∗ × → , : {0,1} → {0,1}

KGC publishes the public parameters { , , , , , } and keeps the master key x secret.

User Key Generation

For any legal user i with unique identity , KGC randomly selects ∈ ∗, computes = and = + ( , ), and returns to user i as the partial private key and as the partial public key. User i checks that the partial private key is valid by verifying that the equation + ( , ) = holds.

User i randomly selects ∈ ∗ as its long-term private key, computes = P as the long-term public key, and places it in the public directory. The user's main private key is =< , > and the main public key is =< , >.
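An added example (not the paper's own code) of the user key generation phase just described: KGC issues a partial private key bound to the user's identity, and the user verifies it against KGC's public key before choosing its own long-term key. The page describes the group as an elliptic-curve group of order q with q | p−1; this example assumes instead the order-q subgroup of Z_p^* written multiplicatively (g^a in place of aP), toy-sized constructed primes, SHA-256 as H1, and the partial key formula d = r + x·H1(ID, R), which is an assumption consistent with the verification equation the page gives.

```python
import hashlib
import secrets

# Constructed toy parameters (far too small for real use), with q | p - 1.
P = 2039                       # prime p
Q = 1019                       # prime q dividing p - 1
G = pow(2, (P - 1) // Q, P)    # generator of the order-q subgroup of Z_p^*
assert G != 1


def h1(identity: str, R: int) -> int:
    """H1: {0,1}* x G -> Z_q^* (binds the partial public key to the identity)."""
    digest = hashlib.sha256(f"{identity}|{R}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1     # value in [1, q-1]


class KGC:
    """Key Generation Center: holds master key x, publishes P_pub = g^x mod p."""

    def __init__(self, master_key: int = 0):
        self.x = master_key or (secrets.randbelow(Q - 1) + 1)
        self.pub = pow(G, self.x, P)

    def extract(self, identity: str) -> tuple:
        """Return (partial private key d_i, partial public key R_i) for a user."""
        r = secrets.randbelow(Q - 1) + 1
        R = pow(G, r, P)                                 # R_i = r_i * P
        d = (r + self.x * h1(identity, R)) % Q           # d_i = r_i + x*H1(ID_i, R_i)
        return d, R


def verify_partial_key(identity: str, d: int, R: int, kgc_pub: int) -> bool:
    """User-side check from the paper: d_i*P == R_i + H1(ID_i, R_i)*P_pub,
    written multiplicatively as g^d == R * P_pub^{H1(ID, R)} (mod p)."""
    return pow(G, d, P) == (R * pow(kgc_pub, h1(identity, R), P)) % P


def user_keygen(identity: str, d: int, R: int, kgc_pub: int) -> dict:
    """Build the user's main key pair after validating KGC's partial key.
    A partial key that fails the check (tampered in transit, or issued by a
    party that does not hold the master key) is rejected instead of used."""
    if not verify_partial_key(identity, d, R, kgc_pub):
        raise ValueError("partial private key failed verification")
    s = secrets.randbelow(Q - 1) + 1     # long-term private key chosen by the user
    S = pow(G, s, P)                     # long-term public key, placed in the directory
    return {"id": identity, "private": (d, s), "public": (R, S)}


if __name__ == "__main__":
    kgc = KGC()
    d, R = kgc.extract("alice")
    keys = user_keygen("alice", d, R, kgc.pub)
    print("alice main public key <R, S>:", keys["public"])
```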

Identity Authentication and Key Agreement

Assume the two parties are Alice and Bob, with Alice as the initiator and Bob as the responder. The flow chart is shown in Figure 1. Alice randomly selects ∈ , computes = , and sends the message ( || ) to Bob, initiating the authentication and key agreement request.

After receiving Alice's message, Bob computes ℎ = ( , ), randomly selects ∈ ∗, and computes = . He then computes the key:

= ( + ℎ ) +   (1)

Using he encrypts the message ( || ) to by symmetric encryption and sends the message ( || ) to Alice.

After receiving Bob's message, Alice computes ℎ = ( , ) and decrypts to = ( || ′) using the key:

= + ( + ℎ )   (2)

If = , Bob is trusted and passes the authentication. Alice then accepts Bob's temporary public key , encrypts with the public key to by asymmetric encryption, sends to Bob, and computes:

= ( + ℎ ) + =   (3)

= + =   (4)

After receiving , Bob decrypts it to using the temporary private key b and verifies that the equation = holds. If it does, Alice is trusted and the two parties have completed mutual authentication. Bob accepts and computes:

= ( + ℎ ) + =   (5)

= + =   (6)

Finally, the session key is determined:

= ( | | | | )   (7)

Figure 1. Authentication key agreement flow chart.

Security Attribute Definition and Security Analysis

An authenticated key agreement protocol must satisfy two requirements: the authentication of all participants is valid, and every session key is secret.

Protocol Validity Analysis

By the commutative law in a cyclic group [8]: let P be a generator of order q of the additive group G on the elliptic curve and , ∈ ∗; then abP = baP. In this protocol the parameters , , , , , ∈ ∗ and P is a generator of order q of the additive cyclic group G on the elliptic curve, so:

= + ( + ℎ ) = + ( + ℎ )
= ( + ℎ ) + = =   (8)

= ( + ℎ ) + = ( + ℎ ) + = + ( + ℎ )
= =   (9)

= + = + = + = =   (10)

By equations (8), (9) and (10), Alice and Bob negotiate the same session key through this protocol.

Security Attribute Definition


(1) Perfect Forward Security: Even if the long-term keys of all protocol participants leak, an attacker cannot obtain a previous session key.

(2) Master Key Forward Security: Even if the system master key leaks, the attacker cannot obtain a previous session key.

(3) Key Compromise Impersonation: If participant A's long-term key leaks, the attacker can only impersonate A in conversations; it cannot impersonate other parties to A.

(4) Known Session Key Security: If a session key between protocol participants is compromised, the attacker who obtained it cannot derive past or future session keys from it.

(5) Unknown Key Share: Participant Alice shares a session key with Bob only after she has authenticated Bob.

(6) Key Control: Neither party can force the session key to a value it chose in advance.

(7) Known Temporary Key Security: If a participant's temporary key leaks, an attacker cannot obtain the participant's private key or the session key.

Security Analysis

This scheme is based on the discrete logarithm problem and the computational Diffie-Hellman problem assumptions. Before the security analysis, two types of attackers are defined for certificate-less authenticated key agreement protocols.

The first type of attacker, E1, is an active attacker who does not know the system master key but can replace the long-term public key of any user with a public key of its choice and query KGC for partial private keys. The second type of attacker, E2, is equivalent to a malicious KGC: it knows the system master key but cannot replace the long-term public keys of users.

(1) Perfect Forward Security: If the attacker obtains a user's long-term key, it corresponds to the first type of attacker E1 defined above. The session key = ( | | | | ), where , contain , , , and a, b are the temporary keys generated at random by users A and B during the key agreement. If attacker E1 wants to recover the session key K, it must compute abP from aP and bP, which is equivalent to solving the CDH problem. Hence this protocol satisfies Perfect Forward Security.

(2) Master Key Forward Security: If the attacker obtains the system master key, it corresponds to the second type of attacker E2 defined above. Since each user's long-term private key is generated by the user itself and never disclosed, for attacker E2 to recover the session key , is again equivalent to solving the CDH problem. Hence this protocol satisfies Master Key Forward Security.

(3) Key Compromise Impersonation: Assume Alice's long-term key leaks, so that the attacker can query KGC for Alice's partial private key and replace Alice's long-term public key; it then corresponds to the first type of attacker E1 defined above. If the attacker wants to obtain the system master key or another user's private key, it must compute a from aP, which is equivalent to solving the DLP. Hence this protocol satisfies Key Compromise Impersonation Security.

(4) Known Session Key Security: Assume a session key leaks. Since both parties generate a fresh random temporary key for every key agreement, all session keys are different and the attacker cannot derive past or future session keys from the obtained one. Hence this protocol satisfies Known Session Key Security.


and sign the message without knowing the key, so it will not be authenticated, and the legal user will refuse to proceed to the key agreement phase with the attacker. Therefore, this protocol satisfies Unknown Key Share Security.

(6) Key Control: The session key contains the randomly generated temporary keys, so it is uniformly distributed over the session key space and no participant can control the final session key. Therefore, the protocol satisfies Key Control Security.

(7) Known Temporary Key Security: This protocol uses implicit authentication, and the user transmits no expression related to its private key during the authentication phase, so an attacker holding a temporary key cannot compute any private key from the authentication phase. Therefore, this protocol satisfies Known Temporary Key Security.

Security and Efficiency Comparison

The abbreviations used are: PFS: Perfect Forward Security; MKFS: Master Key Forward Security; KCI: Key Compromise Impersonation; MA: Mutual Authentication; D-MITM: Defense against Man-in-the-Middle Attack; KTKS: Known Temporary Key Security.

Table 2. Security Comparison.

Literature       PFS  MKFS  KCI  MA  D-MITM  KTKS
Literature [2]   √    √     ×    √   √       ×
Literature [4]   √    √     ×    ×   ×       √
Literature [5]   √    √     ×    √   √       ×
Literature [6]   √    √     √    √   √       √
This protocol    √    √     √    √   √       √

In Table 2, "√" means that the protocol satisfies the property and "×" means that it does not.

According to the comparison, the protocols in literature [2,7] are exposed to user key leakage and KCI attacks caused by a leaked temporary key: once an attacker steals any user's temporary private key, it can compute that user's private key from the related expression and mount KCI attacks. Literature [7] improved the Kerberos network authentication protocol using a pairing-free certificate-less authenticated key agreement protocol; since the authentication server (AS) can easily compute a user's temporary private key and then the user's private key, a malicious AS is a serious security threat. In literature [5], since there is no valid identity authentication of the participants, an active attacker can exploit this weakness to mount KCI and MITM attacks.

Table 3. Efficiency comparison.

Literature      Bilinear pairing  Point addition  Point multiplication  Encryption or decryption  Hash  Communication time
Literature [2]  0/0               8/10            7/10                  2/2                       3/3   2
Literature [5]  0/0               5/6             12/12                 1/1                       4/3   6
Literature [6]  1/1               0/0             6/6                   2/2                       2/2   4
This scheme     0/0               4/4             8/8                   2/2                       2/2   3

Entries in the N/M format give the number of operations N performed by the initiator Alice and the number of operations M performed by the responder Bob.

Conclusion

By analyzing the certificate-less authenticated key agreement protocol of Wenhao LIU et al. and related schemes, this paper showed that those schemes lack either security against temporary key leakage or valid authentication, and proposed an improved scheme that reduces overhead, provides forward security and key compromise impersonation security, prevents MITM attacks, and keeps the session key secure as long as one of a communicating party's secret values remains undisclosed.

Acknowledgments

This work is supported by the science and technology project of Guangdong Province (No.2015B010128014, 2015B090906015, 2014B090908010) and science and technology the project of Guangzhou (No.201604010077, 201604010048).

References

[1] Al-Riyami, S. S., Paterson, K. G. Certificateless public key cryptography [C]//LNCS 2894: ASIACRYPT 2003. Berlin: Springer-Verlag, 2003: 452-473.

[2] Wen-hao LIU, Chun-xiang XU. Certificate-less two-party key agreement scheme without bilinear pairing [J]. Application Research of Computers, 2010, 27(11): 4287-4289+4292. In Chinese.

[3] Yang TANG, Youqu CHANG, Qian XU. Certificateless implicit authentication and key agreement without bilinear pairing [J]. Computer Engineering and Applications, 2012, 48(15): 83-87. In Chinese.

[4] Jin PAN, Xiao-qiong LIU, Guo-peng LI. Certificateless-based two-party authenticated key agreement protocol [J]. Application Research of Computers, 2012, 29(06): 2240-2242+2267. In Chinese.

[5] Qian LIU, Yu ZHANG, Andong FAN. Improvement of Kerberos protocol for certificate-less implicit authentication [J]. Journal of Sichuan University of Science & Engineering (Natural Science Edition), 2014, 27(02): 59-63. In Chinese.

[8] Jie LIN, ZanFu Xie. Introduction to Information Security [M]. Guangzhou: South China University of Technology Press, 2005.08: 64-67. In Chinese.

[9] Manjun ZHANG. Study on Theory and Applications of Certificateless Public Key Cryptosystem [D]. Xi'an, China: Xidian University, 2013.04: 43-44. In Chinese.
