Authentication Scheme with User Anonymity Based on Three Party Structure for Wireless Environments Ryoichi Isawa1 and Masakatu Morii1 1

Kobe University, 1-1 Rokkodai-cho, Nada-ku, Kobe-shi, 657-8501 Japan [email protected], [email protected]

Abstract. Kang et al. proposed an anonymous authentication scheme based on three party structure. In the scheme, there are mobile users, foreign agents, and one home agent in each domain. Because foreign agents send all mobile users’ requests to the home agent, the scheme requires high authentication costs of home agent. He et al. proposed an anonymous authentication scheme based on two party structure. In the scheme, mobile users and foreign agents can authenticate each other without the home agent. They adopt a group signature in order to achieve two party structure. However, in exchange for reducing the authentication costs of home agent, computational costs of mobile user become higher because they has to use a group signature. In this paper, we first review Kang et al.’s scheme to specify requirements for improving it. We then propose a new authentication scheme based on three party structure. The proposed scheme overcomes various disadvantages of Kang et al.’s scheme, and mobile users computationally faster than those of He et al.’s scheme. Keywords: authentication, privacy, revocation, key establishment, wireless communications

1

Introduction

Anonymous authentication schemes on wireless environments are being widely investigated. An adversary can easier intercept users’ identities on a wireless network than a wired network. If an adversary intercepts a user’s identity on the Internet, she/he can guess which access point the user connects, and she/he can also guess the user’s location from the access point. We must protect user anonymity in order to solve such a problem. In 2004, Zhu et al. proposed a new authentication scheme with user anonymity[7]. They adopt a three party structure, that is, there are mobile users, foreign agents, and one home agent in each domain. A mobile user has a smart card that has a one-way hash function and secret data for authentication. When the user requests a foreign agent to authenticate her/himself, her/his own smart card first calculates the login messages using only a hash function. Then, the user’s mobile device encrypts a part of the login messages and sends them to the foreign agent. Having receiving them, the foreign agent requests the home agent to authenticate

2

Ryoichi Isawa, Masakatu Morii

the user. Here, the foreign agent and the home agent authenticate each other using Public Key Infrastructure (PKI). The home agent authenticates the user, and it creates a session key which is used between the user and the foreign agent after this authentication session. Then, the home agent sends an authentication result and the session key to the foreign agent. Having receiving them, the foreign agent sends them to the user. The user also authenticate the foreign agent using the received messages. Zhu et al. make four assumptions: 1) smart cards and mobile users do not use public key cryptosystems because the computational costs of public key cryptosystem are expensive, 2) Mobile users use tamper-resistant smart cards which protect secret data from anyone including their owners, 3) the home agent has only one secret key which is used for all users’ authentications, and 4) the home agent and a foreign agent can authenticate each other using Public Key Infrastructure (PKI). Zhu et al.’s scheme is efficient and simple authentication mean. However, Lee, Hwang, and Liao showed that Zhu et al.’s scheme has several security weaknesses, and they proposed a new authentication scheme[4]. Unfortunately, Wu et al. showed that Lee, Hwang, and Liao’s scheme fails to protect user anonymity, and they improved their scheme[6]. Little by little, the schemes based on Zhu et al.’s scheme had been improved. In 2011, Lee and Kwon[5], Cui et al.[1], and Kang et al.[3] proposed new anonymous authentication schemes based on Zhu et al.’s scheme, independently. Lee and Kwon assumed that the home agent have a distinct value for each user. Cui et al.’s scheme encrypts the secret data in a user’s smart card using a public key cryptosystem. Because the home agent has to decrypt login messages using a public key cryptosystem for each user, the computational costs of home agent is expensive. Lee and Kwon’s and Cui et al.’s scheme violate the advantages of Zhu et al.’s scheme. In this study, we focus on Kang et al.’s scheme. On the other hand, He et al. indicated that two major disadvantages of three party structure: the authentication costs of home agent are expensive[2], for example, foreign agents send all requests of mobile users to the home agent, and mobile user has to store different secret values for each domain because each home agent manages different foreign agents and each home agent does not share secret data. In order to prevent such problems, they proposed a new authentication scheme based on two party structure. In their scheme, a mobile user and a foreign agent authenticate each other without the home agent, while protecting user anonymity. They adopt Verifier-Local Revocation Group Signature with Backward Unlinkability based on a group signature scheme. Furthermore, their scheme satisfies the six requirements for anonymous authentication: 1) Server authentication: a mobile user has to authenticate a foreign server in order to prevent an adversary’s impersonation of the server like phishing. 2) Subscription validation: a foreign server has to authenticate a mobile user, but the server must not learn the user’s identity. 3) Provision of user revocation: a foreign server can revoke a mobile user even if the user is not expired, for example, when the user takes an illegal action. 4) Key establishment: a mobile user and a foreign server share a session key after they authenticate each other. The session key is only known to them. Moreover, the home agent must not learn the session key.

Authentication Protocol Based on Three Party Structure

3

5) User anonymity: besides a mobile user and its home agent, no one including a foreign agent can tell the user’s identity. 6) User untraceability: besides a mobile user and its home agent, no one including a foreign agent can link any previous or future communication data transmitted between the user and the home agent. If the user sends communication data containing a fixed or predetermined value, the foreign agent can trace the user using such values. In addition, He et al. indicated that Wu et al.’s scheme[6] does not satisfy the third requirement and the forth requirement. In contrast, He et al.’s scheme satisfies the above requirements, but the computational costs of mobile user is expensive because of using a group signature.

In this paper, we proposed a new anonymous authentication scheme based on three party structure. We adopt three party structure in order that the computational costs of mobile user can become inexpensive. The proposed scheme is based on Kang et al.’s scheme, and it overcomes several disadvantages of Kang et al.’s scheme. Because Kang et al. does not consider the third and the forth requirements, Kang et al.’s scheme does not achieve them similar to Wu et al.’s scheme. Furthermore, the home agent does not have a revocation list of mobile users, and a mobile user and a foreign agent use an original session key created by the home agent. In the proposed scheme, the home agent have a revocation list of mobile users, and the foreign agent modifies a session key created by the home agent. In order to reduce the computational costs of home agent, we give several home agents to one domain. Then, all of the home agents share the secret value in order that mobile users can seamlessly request any foreign agents. Here, because a home agent has one secret value for all users’ authentications, the home agents can easier share the same secret value. In addition, Kang et al.’s scheme has one more weakness as follows. In Kang et al.’s scheme, mobile users use tamper-resistant smart cards, and all mobile users share a same secret value. They protect their own identities with the secret value on communication channels. There is a potential threat that a mobile user obtains the secret value from her/his own smart card. Suppose that an adversary registered at the home agent as a valid user. If the adversary obtains the secret value from her/his own smart card, she/he can obtain other users’ identities from their login messages using the secret value. We can tell that the schemes without using tamper-resistant smart card are more secure. In order to adopting non-tamper-resistant smart card, we give a distinct secret value to each mobile user in the proposed scheme.

The remainder of this paper is organized as follows. In Section 2, we review Kang et al.’s scheme and specify the requirements for improving their scheme. In Section 3, we propose a new anonymous authentication scheme based on three party structure. In Section 4, we verify if the proposed scheme satisfy the requirements given in Section 2. Finally, in Section 5, we conclude the paper.

4

Ryoichi Isawa, Masakatu Morii Table 1. List of symbols used in this paper MU FA HA AD IDA h(·) h(x) (x)k Ek (x) SA , P A X⇒Y: Z X→Y: Z || ⊕

2

a mobile user a foreign agent the home agent an adversary an identity of A a one-way hash function the hash value of the input data x An encrypted message x using a symmetric key k An encrypted message x using an asymmetric key k A’s secret key and A’s public key respectively X sends Z to Y through a secure channel X sends Z to Y through an insecure channel a concatenation XOR operation

Review of Kang et al.’s Scheme

Table 1 lists the symbols used in this paper. Under the assumption that MU uses a non-tamper-resistant smart card, we show that Kang et al.’s scheme[3] cannot protect MU’s identity IDM U . 2.1

Protocol

Kang et al.’s scheme consists of three phases: the initial phase, the first phase, and the second phase. The weakness of Kang et al.’s scheme is in the first phase. Initial Phase 1. MU inputs IDM U . 2. MU⇒HA: IDM U . 3. HA calculates the following data. P WM U = h(N ||IDM U ) r1 = h(N ||IDHA ) r2 = h(N ||IDM U ) ⊕ IDHA ⊕ IDM U Where N is a secret value kept by HA. 4. HA makes MU’s smart card containing IDHA , r1 , r2 , and h(·). 5. HA⇒MU: P WM U , MU’s smart card. Now, HA has IDHA and N . MU has P WM U and the smart card.

Authentication Protocol Based on Three Party Structure

5

First Phase MU requests FA to authenticate each other through HA and to share a secret key with FA as follows. 1. MU inputs P WM U . 2. MU’s smart card takes a current time-stamp TM U and calculates the following data. n = h(TM U ||r1 ) ⊕ r2 ⊕ P WM U = h(TM U ||r1 ) ⊕ IDHA ⊕ IDM U L = h(TM U ⊕ P WM U ) 3. MU chooses two random numbers x0 and x. MU then calculates (h(IDM U )|| x0 ||x)L . 4. MU→FA: n, (h(IDM U )||x0 ||x)L , IDHA , TM U . 5. FA checks the validity of TM U . If it is valid, FA chooses a random number b, and she/he creates a certificate CertF A and a corresponding signature ESF A (h(b||n|| h((IDM U )||x0 ||x)L ||TM U ||CertF A )). Then, FA takes TF A . 6. FA→HA: b, n, (h(IDM U )||x0 ||x)L , TM U , ESF A (h(b||n|| h((IDM U )||x0 ||x)L || TM U ||CertF A )), CertF A , TF A . 7. HA checks the validity of CertF A and TF A . If they are valid, HA calculates the following data. IDM U = h(TM U ||h(N ||IDHA )) ⊕ n ⊕ IDHA L = h(TM U ⊕ h(N ||IDM U )) 8. HA decrypts (h(IDM U )||x0 ||x)L using L to obtain h(IDM U ), x0 , and x. HA then calculates h(IDM U ) of the obtained IDM U and compares it with the decrypted h(IDM U ). If it is valid, HA authenticates MU. 9. HA calculates W = EPF A (h(h(N ||IDM U ))||x0 ||x) and generates a random number c. HA then creates a certificate CertHA and a corresponding signature ESHA (h(b||c||W ||CertHA )). Next, HA takes THA . 10. HA→FA: b, c, W , ESHA (h(b||c||W ||CertHA )), CertHA , THA . 11. FA checks the validity of CertHA and THA . If they are valid, FA creates a temporary certificate T CertM U which includes a time-stamp and other information. FA then decrypts W using the secret key SF A in order to obtain h(h(N ||IDM U )), x0 , and x. Next, FA stores T CertM U , h(P WM U ), x0 , and x. 12. FA calculates the following the data. k = h(h(h(N ||IDM U ))||x||x0 ) = h(h(P WM U )||x||x0 ) (T CertM U ||h(x0 ||x))k 13. FA→MU: (T CertM U ||h(x0 ||x))k 14. MU calculates k and obtains T CertM U . MU then calculates h(x0 ||x) and compares it with the decrypted h(x0 ||x). If they match, MU authenticates FA.

6

Ryoichi Isawa, Masakatu Morii

Second Phase 1. MU calculates the ith session key as follows. ki = h(h(h(N ||IDM U ))||x||xi−1 ), i = 1, . . . , n 2. MU→FA: T CertM U , (xi ||T CertM U ||OtherInf ormation)ki 3. FA decrypts (xi ||T CertM U ||OtherInf ormation)ki using ki . Then, FA stores (T CertM U , h(P WM U ), xi ) for the next session. 2.2

Weakness

Suppose that AD is a MU, which knows P WAD and has a smart card containing IDHA , r1 , and r2 . Under our assumption, AD knows r1 in her/his own smart card. Because all MUs share r1 , AD can obtain other MU’s identity IDM U as follows. AD intercepts MU’s login messages TM U and n at step 4 in the first phase. AD can obtain IDM U from n⊕h(TM U ||r1 )⊕IDHA . Therefore, Kang et al.’s scheme fails to protect MU’s identity. 2.3

Requirements given by He et al.

We verify if Kang et al.’s scheme satisfies the following requirements given by He et al.[2]. Server authentication: The scheme satisfies this requirement because MU authenticates FA at step 14 in the first phase. Subscription validation: The scheme satisfies this requirement because HA authenticates MU at step 8, and HA sends a session key to FA instead of an authentication result at 10 in the first phase. Provision of user revocation: The scheme does not satisfy this requirement because HA does not have a revocation list of MU. Key establishment: The scheme does not satisfy this requirement because FA and MU use an original session key created by HA. User anonymity: Under the assumption that MU use a non-tamper-resistant smart card, the scheme does not satisfy this requirement. User untraceability: MU changes the login messages using TM U in every authentication session. However, under our assumption, the scheme does not satisfy this requirement because the scheme does not satisfy “User Anonymity”.

3 3.1

Proposed scheme Main Concept

Kang et al.’s scheme does not satisfy the third–sixth requirements. Then, three party structure schemes have two major disadvantages provided in [2]: the authentication costs of home agent are expensive, and mobile user has to store different secret values for each domain. We proposed a new authentication scheme

Authentication Protocol Based on Three Party Structure

7

in order to overcome those problems. In order to satisfy the requirements, we give the remedies: we give a revocation list of mobile users to HA for “Provision of user revocation”, FA modify a session key created by HA for “Key establishment”, we give a distinct secret value h(N ||MM U ) to each MU for “User anonymity”, and MU changes all login messages in every authentication session for “User untraceability”. Furthermore, in order to overcome the major disadvantages, we propose a model in which several home agent in one domain. 3.2

Protocol

The proposed scheme consists of three phases: the initial phase, the first phase, and the second phase. We omit the second phase because the second phase is the same as Kang et al.’s scheme. Initial Phase HA has IDHA and N . 1. MU inputs IDM U . 2. MU⇒HA: IDM U . 3. HA generates a random number MM U . HA then calculates the following data. P WM U = h(N ||IDM U ) r1 = h(N ||IDHA ) r2 = h(N ||IDM U ) ⊕ IDHA ⊕ IDM U h(N ||MM U ) N ⊕ MM U 4. HA makes MU’s smart card containing IDHA , r1 , r2 , h(·), h(N ||MM U ), and N ⊕ MM U . 5. HA⇒MU: P WM U , MU’s smart card. Now, HA has IDHA and N . Because MU knows secret data in her/his smart card under our assumption, MU has IDM U , P WM U , IDHA , r1 , r2 , h(N ||MM U ), and N ⊕ MM U . First Phase 1. MU inputs P WM U . 2. MU’s smart card takes a current time-stamp TM U and calculates the following data. α = N ⊕ MM U β = h(TM U ||h(N ||MM U )) ⊕ r2 ⊕ P WM U = h(TM U ||h(N ||MM U )) ⊕ IDHA ⊕ IDM U L = h(TM U ⊕ P WM U )

8

Ryoichi Isawa, Masakatu Morii

3. MU chooses three random numbers x0 , x, and y. MU then calculates γ= (h(IDM U )||x0 ||x)L . 4. MU→FA: α, β, γ, y, IDHA , TM U . 5. FA checks the validity of TM U . If it is valid, FA generates a random number b, and then she/he FA creates a certificate CertF A and a corresponding signature ESF A (h(b||α||β||γ||TM U ||CertF A )). Then, FA takes TF A . 6. FA→HA: b, α, β, γ, TM U , ESF A (h(b||α||β||γ||TM U || CertF A )), CertF A , TF A . 7. HA checks the validity of CertF A and TF A . If they are valid, HA obtains MM U and IDM U as follows. MM U = α ⊕ N IDM U = β ⊕ h(TM U ||h(N ||MM U )) ⊕ IDHA 8. HA calculates P WM U = h(N ||IDM U ) and L = h(TM U ⊕ P WM U ). HA then decrypts γ using L in order to obtain h(IDM U ), x0 , and x. 9. HA verifies IDM U as follows. HA calculates h(IDM U ) of the obtained IDM U and compares it with the decrypted h(IDM U ). If they do not match, HA terminates this authentication session. 10. HA verifies if MU is banned at the current time using a revocation list RL, where RL gives a list of MUs who are banned. HA constantly updates RL using information reported by FAs or others. ˜ M U and calculates N ⊕ M ˜ MU . 11. HA randomly selects a new M ˜ M U )L . HA 12. HA calculates W = EPF A (h(h(N ||IDM U ))||x0 ||x) and (N ⊕ M then generates a random number c, and she/he creates a certificate CertHA ˜ M U )L ||CertHA )). and a corresponding signature ESHA (h(b||c||W ||(N ⊕ M Next, HA takes THA . ˜ M U )L , ES (h(b||c||W ||(N ⊕ M ˜ M U )L ||CertHA )), 13. HA→FA: b, c, W , (N ⊕ M HA CertHA , THA . 14. FA checks THA and CertHA . If they are valid, FA creates a temporary certificate T CertM U which includes a time-stamp and other information. FA then decrypts W using the secret key SF A in order to obtain h(h(N ||IDM U )), x0 , and x. Next, FA stores T CertM U , h(P WM U ), x0 , and x. 15. FA calculates the following the data. k = h(h(h(N ||IDM U ))||x||x0 ||y) = h(h(P WM U )||x||x0 ||y) ˜ M U )L )k (T CertM U ||h(x0 ||x)||(N ⊕ M ˜ M U )L )k 16. FA→MU: (T CertM U ||h(x0 ||x)||(N ⊕ M 17. MU calculates k and obtains T CertM U . MU then calculates h(x0 ||x) and compares it with the decrypted h(x0 ||x). If they match, MU authenticates ˜ M U )L using L in order to obtain N ⊕ M ˜ MU , FA. Next, MU decrypts (N ⊕ M ˜ and she/he replace N ⊕ MM U with N ⊕ MM U . 3.3

System Model

Each HA manages several FAs in each domain. If each HA has distinct secret data, MU has each secret data for each domain. In the proposed scheme, because

Authentication Protocol Based on Three Party Structure

9

Domain 1

FA1 ,FA2 ,. . .,FAm1

HA1 ,· · ·,HAn1

2

FA1 ,FA2 ,. . .,FAm2

HA1 ,· · ·,HAn2 share N

l

FA1 ,FA2 ,. . .,FAml

HA1 ,· · ·,HAnl

l: the number of domains mi : the number of FAs in Domain i ni : the number of HAs in Domain i

Fig. 1. System model of the proposed scheme

each HA has only one secret value N , the cost of sharing N among HAs is inexpensive. We give a system model in which each HA share N in Figure 1. In the system model, MU can seamlessly request FAs in each domain. Then, HAs in one domain can co-operate in order to reduce the authentication costs of each HA.

4

Consideration

We verify if the proposed scheme satisfy the requirements. Server authentication: In the proposed scheme, MU authenticates FA using h(x0 ||x) at step 17 in the first phase. If AD does not obtain x and x0 , we can conclude that AD cannot impersonate a foreign agent. At step 3, MU encrypts x and x0 using L. At step 4, MU sends them to a foreign agent, where L is created with P WM U = h(N ||IDM U ). Because N is a secret value kept by HA, AD cannot obtain it and cannot create P WM U and L. Therefore, the proposed scheme satisfies this requirement. Subscription validation: In the proposed scheme, HA verifies if MU is valid by comparing the decrypted h(IDM U ) with the calculated h(IDM U ) at step 9. At step 8, HA calculates P WM U and L. At step 7, HA obtains MM U and IDM U . If MM U is not valid at step 8, an invalid IDM U is calculated by HA. Because MM U is protected with N at step 4, AD cannot obtain MM U . Therefore, the proposed scheme satisfies this requirement. Provision of user revocation: Because HA verifies if MU is banned using RL at step 10, the proposed scheme satisfy this requirement. Because HA manages FAs, this requirement is easy for the proposed scheme to satisfy. Key establishment: MU sends a random number y at step 4, and FA does not send it to HA. Then, FA calculates a session key k using y. Under the assumption that HA does not intercept y at step 4, HA does not obtain k. The

10

Ryoichi Isawa, Masakatu Morii

proposed scheme satisfies this requirement. However, under the assumption that HA intercept y, the proposed scheme cannot satisfy this requirement. In the latter, MU and FA have to use a secure channel. This is our future work. User anonymity: In the proposed scheme, each MU has a different h(N ||MM U ). The login messages of MU are α, β, γ, IDHA , and TM U . Only β contains IDM U protected with h(TM U ||h(N ||MM U )), and α contains MM U protected with N , where N is a secret value kept by HA. Because AD can obtain TM U but cannot obtain N and MM U , AD cannot also calculate h(TM U ||h(N ||MM U )). Therefore, the proposed scheme satisfies this requirement. User untraceability: MU changes the login messages using TM U in every authentication session, and HA randomly selects a new N ⊕ MM U and MU stores it in every authentication session. Therefore, the proposed scheme satisfy this requirement. Note that MU has to use a rewritable smart card or mobile device because of updating N ⊕ MM U . The authentication costs of HA: In the proposed scheme, because HA authenticates MU using only N , HA in each domain can easier share N . If we supply several HAs such as the system model given in Section 3.3, we can reduce the authentication costs of HA. However, even if we give the system model, each HA has to manages several FAs. We should reduce the costs of each HA a lot. This is our future work.

5

Conclusion

In He et al.’s scheme based on two party structure, mobile users require high computational costs because of using a group signature. In order to reduce the costs of mobile users, we propose a new anonymous authentication scheme based on three party structure. We first review Kang et al.’s scheme in order to specific the requirements for improving it. The proposed scheme satisfies most requirements. In exchange for the authentication costs of HA, mobile users are computationally faster because they can calculate login messages using one-way hash functions and symmetric encryption functions. However, we should reduce the authentication costs of HA a lot. This is our major future work.

References 1. Cui, X., Qin, X.: An enhanced user authentication scheme for wireless communications. IEICE Trans. Inf. & Syst. E94-D(1), 155–157 (Jan 2011) 2. He, D., Bu, J., Chan, S., Chen, C., Yin, M.: Privacy-preserving universal authentication protocol for wireless communications. IEICE Trans. Wireless Commun. 10(2), 431–436 (Feb 2011) 3. Kang, M., Rhee, H.S., Choi, J.Y.: Improved user authentication scheme with user anonymity for wireless communications. IEICE Trans. Fundamentals E94-A(2), 860–864 (Feb 2011)

Authentication Protocol Based on Three Party Structure

11

4. Lee, C.C., Hwang, M.S., Liao, I.E.: Security enhancement on a new authentication scheme with anonymity for wireless environments. IEEE Trans. Ind. Electron. 53(5), 1683–1687 (Oct 2006) 5. Lee, J., Kwon, T.: Secure authentication scheme with improved anonymity for wireless environments. IEICE Trans. Commun. E94-B(2), 554–557 (Feb 2011) 6. Wu, C.C., Lee, W.B., Tsaur, W.J.: A secure authentication scheme with anonymity for wireless communications. IEEE Commun. Lett. 12(10), 722–723 (Oct 2008) 7. Zhu, J., Ma, J.: A new authentication scheme with anonymity for wireless environment. IEEE Trans. Consum. Electron. 50(1), 231–235 (Jun 2004)