Robust Anonymous Authentication Scheme without Verification Table for Roaming Service in Global Mobility Networks Kuo-Yang Wu1 , Kuo-Yu Tsai2 , and Tzong-Chen Wu1,2 1

Department of Information Management, National Taiwan University of Science and Technology, Taipei 106, Taiwan 2 Taiwan Information Security Center, National Taiwan University of Science and Technology, Taipei 106, Taiwan

Abstract. In 2008, Wu et al. proposed an authentication scheme with anonymity for roaming environment, in which an unintended party cannot obtain any identity information about a mobile user. However, Mun et al. showed that there are some weaknesses inherent in Wu et al.’s scheme. They also proposed an enhanced authentication scheme with anonymity for roaming service in global mobility networks. In this paper, we demonstrate some attacks on Mun et al.’s scheme. We propose a robust anonymous authentication scheme without any verification table for roaming service in global mobility networks and prove the security of the proposed scheme. Key words: Anonymous Authentication, Roaming Service, Global Mobility Network

1

Introduction

With the rapid development of wireless networks, a mobile user can access various internet services and resources by using his/her mobile device anytime and anywhere. Since the mobile user transmits his/her messages over radio waves in wireless networks, it is easy to intercept the transmitted messages. That gives rise to some security issues in wireless networks, such as unauthorized access and privacy leakage. User authentication is one of the essential solutions to prevent unauthorized access to services and resources. In addition, providing user anonymity in wireless networks is one of the ways to protect the privacy for mobile users. A global mobility network (GLOMONET for short) provides the global roaming service that mobile users can access the services provided by the home agent via a foreign agent. In 2004, Zhu and Ma [9] proposed an authentication scheme providing user anonymity in GLOMONET, in which anyone, except a home agent, cannot obtain any mobile user’s real identity. Lee et al. [2] pointed out

2

Kuo-Yang Wu, Kuo-Yu Tsai and Tzong-Chen Wu

that there are some weaknesses in Zhu and Ma’s scheme and further proposed an improved scheme in 2006. However, Wu et al. [6] demonstrated that Lee et al.’s scheme [2] cannot satisfy the properties of user anonymity and backward secrecy. Wu et al. [6] also proposed an improved scheme to satisfy the mentioned properties. Later, Xu and Feng [7] and Zeng et al. [8] pointed out that Wu et al.’s scheme [6] still cannot achieve user anonymity, respectively. Xu and Feng [7] presented a simple improved scheme to resist the shown attacks. In 2011, Li et al. [3] pointed out that Xu and Feng’s improved scheme cannot provide the property of unlinkability, and they also presented an improvement. [7]. Mun et al. [5] showed some weaknesses inherent in Wu et al.’s scheme in the same year. Mun et al. [5] proposed an enhanced anonymous authentication scheme based on elliptic curve cryptography and claimed that their proposed scheme can overcome the shown weakness and provide mutual authentication and resistance to man-in-the-middle attacks. In this paper, we demonstrate some attacks on Mun et al.’s scheme [5] and propose a robust anonymous authentication scheme without any verification table for roaming service in GLOMONET.

2

Review of Mun et al.’s Scheme

We first give a brief review of Mun et al.’s scheme [5] in Section 2.1. Then, some weaknesses are shown in Section 2.2. 2.1

Brief Review

For simplicity, we define the following symbols for system setup in advance: IDx an entity X’s identity. P Wx an entity X’s password. Nx a nonce (random number) generated by an entity X. h() a one-way hash function that accepts as input an arbitrary-length message and outputs a fixed-length message. fk () a function that accepts as input an arbitrary-length message and a secret key and outputs a fixed-length message authentication code. SK a session key shared between two communicating entities. E an elliptic curve [1, 4] over a finite field Fp defined by y 2 = x3 + ax + b, where a, b ∈ Fp , and p is a prime number. Q a point of prime order on E. Mun et al.’s scheme consists of three phases: registration phase, authentication and session key establishment phase, and session key update phase. In the registration phase, a mobile user (MU for short) has to register with a home agent (HA for short) via a secure channel. Thereafter, MU and a foreign agent (FA for short) can perform mutual authentication and establish a session key with the aid of HA in the authentication and session key establishment phase. In the session key update phase, MU and FA can cooperate to update the shared session key at the ith session.

Robust Anonymous Authentication Scheme without Verification Table

3

Registration Phase: As a new mobile user MU wants to register with HA, he/she has to choose his/her identity and sends it to HA. Then, HA computes a password and an authentication token for MU. In this phase, MU and HA cooperate to perform the following tasks via a secure channel. 1. MU sends his/her chosen identity IDMU and nonce NMU to HA. 2. Upon receiving the registration messages from MU, HA computes a password P WMU and an authentication token rMU , where P WMU = h(NMU kNHA ) and rMU = h(IDMU kP WMU ) ⊕ IDHA . 3. HA sends {P WMU , rMU , NHA , IDHA , h()} to MU and stores the tuple {IDMU , NMU , NHA , rMU } in the verification table. Authentication and Session Key Establishment Phase: Where MU roams in a foreign network, he/she and FA have to perform mutual authentication and session key establishment with the aid of HA, as follows. 1. MU sends {IDHA , NHA , rMU } to FA. 2. After FA receives the transmitted messages from MU, FA stores them in the verification table for further communications. 3. FA generates a nonce NF A and sends {rMU , IDF A , NF A } to HA. 4. Upon receiving {rMU , IDF A , NF A } from FA, HA performs the following tasks. (a) Compute MU’s password P WMU according to the verification table, where P WMU = h(NMU kNHA ). ′ (b) Compute rMU = h(IDMU kP WMU ) ⊕ IDHA . ′ (c) Verify whether rMU = rMU . If the equality holds, MU is a legal mobile user; otherwise, HA rejects the request and terminates the processes. (d) Compute the response messages {PHA , SHA } and send them to FA, where PHA = h(P WMU kNF A )

and SHA = h(IDF A kNF A ) ⊕ rMU ⊕ PHA . 5. On receiving {PHA , SHA }, FA performs the following tasks. ′ (a) Compute SHA = h(IDF A kNF A ) ⊕ rMU ⊕ PHA in accordance with the verification table. ′ (b) Verify whether SHA = SHA . If the equality holds, FA can assure that the messages is sent by HA; otherwise, FA rejects the messages and stops performing the next step. (c) Select a random number a and compute the corresponding point a1 Q on E. (d) Compute PF A = (SHA kIDF A kNF A ).

4

Kuo-Yang Wu, Kuo-Yu Tsai and Tzong-Chen Wu

(e) Send {SF A , a1 Q, PF A } to MU. 6. Upon receiving {SF A , a1 Q, PF A } from FA, MU performs the following tasks to authenticate HA and FA. ′ (a) Compute SHA = h(IDF A kNF A ) ⊕ rMU ⊕ h(P WMU kNF A ). ′ (b) Verify whether SHA = SF A . If the equality holds, MU simultaneously authenticates HA and FA; otherwise, MU rejects the response messages and terminates the processes. (c) Choose a random number b1 and compute b1 Q. (d) Compute the session key SK according the received a1 Q and his/her chosen number b1 , where SK = h(b1 a1 Q). (e) Compute a message authentication code fSK (NF A kb1 Q). (f) Send {b1 Q, fSK (NF A kb1 Q)} to FA. 7. After FA receives {b1 Q, fSK (NF A kb1 Q)} from MU, FA performs the following tasks. (a) Compute the session key SK = h(a1 b1 Q) in accordance with the received b1 Q and his/her chosen number a1 . ′ (b) Compute the message authentication code fSK (NF A kb1 Q) for verifying the session key. ′ (c) If fSK (NF A kb1 Q) = fSK (NF A kb1 Q), FA can confirm that MU is a legal mobile user, and the session key SK shared between MU and FA is valid; otherwise, FA rejects the session key. Session Key Update Phase: In the ith session, MU and FA cooperate to update the session key. 1. MU chooses a new random number bi and computes bi Q. Then, MU sends bi Q to FA. 2. Upon receiving the message from MU, FA performs the following tasks. (a) Choose a new random number ai . (b) Compute ai Q. (c) Generate the new session key SK ′ = h(ai bi Q). (d) Compute the message authentication code fSK ′ (ai bi Qkai−1 bi−1 Q). (e) Send ai Q and fSK ′ (ai bi Qkai−1 bi−1 Q) to MU. 3. On receiving the response message from FA, MU performs the tasks as follows. (a) Compute the new session key SK ′ = h(bi ai Q) in accordance with the received ai Q and his/her chosen bi . ′ (b) Compute the message authentication code fSK ′ (ai bi Qk ai−1 bi−1 Q). If ′ ′ fSK (a b Qk a b Q), MU accepts the new (a b Qk a b Q) = f ′ i i i−1 i−1 i i i−1 i−1 SK session key; otherwise, he/she rejects it.

Robust Anonymous Authentication Scheme without Verification Table

2.2

5

Weaknesses

Mun et al. [5] claimed that their proposed scheme can achieve user anonymity, perfect forward secrecy, mutual authentication, replay-attack resistance, and prevention of password disclose for legitimate users. However, we find that there are replay and man-in-middle attacks inherent in Mun et al.’s scheme. Replay Attack: Suppose that an adversary has an intercepted message {IDHA , NHA , rMU } sent by a legal mobile user MU. The adversary can successfully impersonates or deceives the legal MU in another foreign network FA′ by directly sending {IDHA , NHA , rMU }, as follows. 1. The adversary directly sends {IDHA , NHA , rMU } to FA′ . 2. Upon receiving the transmitted messages from the adversary, FA′ stores them in the verification table for further communications. 3. FA′ generates a nonce NF A′ and sends {rMU , IDF A′ , NF A′ } to HA. 4. On receiving {rMU , IDF A′ , NF A′ } from FA′ , HA performs the following tasks. (a) Compute MU’s password P WMU according to the verification table, where P WMU = h(NMU kNHA ). ′ (b) Compute rMU = h(IDMU kP WMU ) ⊕ IDHA . ′ (c) Verify whether rMU = rMU . If the equality holds, the adversary is a legal mobile user; otherwise, HA rejects the request and terminates the processes. (d) Compute the response messages {PHA , SHA } and send them to FA′ , where PHA = h(P WMU kNF A′ )

and SHA = h(IDF A′ kNF A′ ) ⊕ rMU ⊕ PHA . 5. On receiving {PHA , SHA }, FA′ performs the following tasks. ′ (a) Compute SHA = h(IDF A′ kNF A′ ) ⊕ rMU ⊕ PHA in accordance with the verification table. ′ (b) Verify whether SHA = SHA . If the equality holds, FA′ can assure that the messages is sent by HA; otherwise, FA′ rejects the messages and stops to perform the next step. (c) Select a random number a and compute the corresponding point a1 Q on E. (d) Compute PF A′ = (SHA kIDF A′ kNF A′ ). (e) Send {SF A′ , a1 Q, PF A′ } to the adversary. 6. After the adversary receives {SF A , a1 Q, PF A } from FA′ , the adversary performs the following tasks. (a) Select a random number b1 and compute b1 Q. (b) Compute the session key SK according the received a1 Q and his/her chosen number b1 , where SK = h(b1 a1 Q).

6

Kuo-Yang Wu, Kuo-Yu Tsai and Tzong-Chen Wu

(c) Compute a message authentication code fSK (NF A kb1 Q). (d) Send {b1 Q, fSK (NF A kb1 Q)} to FA′ . 7. Upon receiving {b1 Q, fSK (NF A kb1 Q)} from the adversary, FA′ performs the following tasks. (a) Compute the session key SK = h(a1 b1 Q) in accordance with the received b1 Q and his/her chosen number a1 . ′ (b) Compute and verify the message authentication code fSK (NF A kb1 Q). According to the above, FA′ regards the adversary as a legal mobile user, and the adversary can successfully establish a session key with FA′ . Man-in-the-Middle Attack: Assume that an adversary intercepts all transmitted messages between MU and FA from the step 6 to the step 7 in the authentication and session key establishment phase. 6. The adversary intercepts the messages {SF A , a1 Q, PF A } sent by FA. (a) Select a random number a′1 and compute a′1 Q. (b) Send {SF A , a′1 Q, PF A } to MU. (c) Upon receiving {SF A , a′1 Q, PF A }, MU performs the following tasks. i. Select a random number b1 and compute b1 Q. ii. Compute the session key SK ′ according the received a′1 Q and his/her chosen number b1 , where SK ′ = h(b1 a′1 Q). iii. Compute a message authentication code fSK (NF A kb1 Q). iv. Send {b1 Q, fSK (NF A kb1 Q)} to FA. v. The adversary intercepts {b1 Q, fSK (NF A kb1 Q)} sent by MU and further, computes the session key SK ′ = h(b1 a′1 Q) shared with MU. (d) After intercepting {b1 Q, fSK (NF A kb1 Q)} sent by MU, the adversary performs the follow tasks. i. Select a random number b′1 and compute b′1 Q. ii. Compute the session key SK ′′ shared between FA and the adversary, where SK ′ = h(b′1 a1 Q). iii. Compute a message authentication code fSK (NF A kb′1 Q). iv. Send {b′1 Q, fSK ′ (NF A kb′1 Q)} to FA. 7. Upon receiving {b′1 Q, fSK (NF A kb′1 Q)} from the adversary, FA performs the following tasks. (a) Compute the session key SK ′′ = h(a1 b′1 Q) in accordance with the received b′1 Q and his/her chosen number a1 . ′ ′ (b) Compute and verify the message authentication code fSK ′′ (NF A kb1 Q). According to the above, the adversary can successfully mount a man-in-themiddle attack that the adversary can establish session keys with FA and MU, respectively.

Robust Anonymous Authentication Scheme without Verification Table

3

7

The Proposed Scheme

The proposed scheme includes the system setup phase, the registration phase, the authentication and session key establishment phase, and the session key update phase. There are also three roles in the proposed scheme: a mobile user (MU for short), a home agent (HA for short), and a foreign agent (FA for short). System Setup Phase: HA generates systems parameters, his/her long term secret key, and a shared secret key SKHA between himself/herself and FA. K a long term secret key for HA. SKxy a session key shared between two communicating entities X and Y. E an elliptic curve [1, 4] over a finite field Fp defined by y 2 = x3 + ax + b, where a, b ∈ Fp , and p is a prime number. G an additive group of prime order q, where G is a subgroup for the group of points on E. Q a point of prime order on E. h1 () a one-way hash function defined as h1 : {0, 1}∗ → {0, 1}k , where k is a security parameter. h2 () a one-way hash function defined as h2 : G → {0, 1}k . fk () a function that accepts as input an arbitrary-length message and a secret key and outputs a fixed-length message authentication code. Registration Phase: When a new MU wants to register with HA, he/she has to choose his/her identity and sends it to HA. Then, HA computes a password and an authentication token for MU. In this phase, MU and HA cooperate to perform the following tasks via a secure channel. 1. MU sends his/her chosen identity IDMU to HA. 2. After receiving the registration messages, HA computes a password P WMU and an authentication token TMU for MU, where TMU = h1 (IDHA kKkr), P WMU = h1 (IDMU kKkr), and CMU = TMU ⊕ P WMU . Note that r is a random number chosen by HA. 3. HA sends {P WMU , CMU , r, IDHA , h1 (), h2 ()} to MU. Authentication and Session Key Establishment Phase: Where MU roams in a foreign network, he/she first inputs his identity and password to generate login messages. Then, MU and FA perform mutual authentication and session key establishment with the aid of HA, as follows. 1. MU inputs his identity and password and performs the following tasks. (a) Compute TMU = CMU ⊕ P WMU . (b) Generate a nonce NMU . (c) Select a random number b1 and compute b1 Q.

8

2.

3.

4.

5.

Kuo-Yang Wu, Kuo-Yu Tsai and Tzong-Chen Wu

(d) Compute a message authentication code M ACMU = fTM U (IDF A k NMU k rk h2 (b1 Q)). (e) Send {IDF A , NMU , r, b1 Q, M ACMU } to FA. After FA receives the transmitted messages, FA performs the following tasks. (a) Generate a nonce NF A . (b) Select a random number a1 and compute a1 Q. (c) Compute an authentication code for the received messages M ACF A , where M ACF A = fSKHA (IDF A kNF A kNMU kh2 (a1 Q)kM ACMU ). (d) FA sends {IDF A , NMU , NF A , r, b1 Q, a1 Q, M ACMU , M ACF A } to HA. Upon receiving {rMU , IDF A , NF A }, HA performs the following tasks. (a) Compute M ACF′ A = fSKHA (IDF A kNF A kNMU kh2 (a1 Q)kM ACMU ). If M ACF′ A = M ACF A , HA authenticates FA; otherwise, he/she rejects the received messages and terminates the processes. ′ (b) Compute TMU = h1 (IDHA kKkr) with his/her long secret key K. ′ ′ ′ (c) Compute M ACMU = fTM (IDF A kNMU krkh2 (b1 Q)). If M ACMU = U M ACMU , HA authenticates MU and accepts the login messages; otherwise, he/she rejects MU’s login request and terminates the processes. (d) Generate a nonce NHA . (e) Compute two message authentication codes M AC1HA = fSKHA (IDF A k ′ NMU k NHA k NF A k h2 (b1 Q)) and M AC2HA = fTM (IDF A k NMU k U NHA k NF A k h2 (a1 Q)). (f) Send {IDF A , NMU , NF A , NHA , a1 Q, b1 Q, M AC1HA , M AC2HA } to FA. On receiving {IDF A , NMU , NF A , NHA , a1 Q, b1 Q, M AC1HA , M AC2HA }, FA performs the following tasks. (a) Compute M AC1′HA = fSKHA (IDF A k NMU k NHA k NF A k h2 (b1 Q)). If M AC1′HA = M AC1HA , FA compute a session key SKF M = h2 (a1 b1 Q) and a message authentication code fSKF M (IDF A k NMU k NF A ); otherwise, he/she rejects the messages and terminates the processes. (b) Send {IDF A , NMU , NF A , NHA , M AC2HA , fSKF M (IDF A k NMU k NF A )} to MU. Upon receiving {IDF A , NMU , NF A , NHA , M AC2HA , fSKF M (IDF A k NMU k NF A )} from FA, MU performs the following tasks to authenticate HA and FA. ′ (a) Compute M AC2′HA = fTM (IDF A k NMU k NHA k NF A k h2 (a1 Q)). If U M AC2′HA = M AC2HA , MU authenticates HA and FA; otherwise, he/she rejects the messages and terminates the processes. (b) Compute the session key SKMF = h2 (b1 a1 Q) and fSKF M (IDF A k NMU k NF A )}. If the message authentication code is correct, MU confirms that FA obtains the same session key; otherwise, he/she rejects the session key.

Session Key Update Phase: In the ith session, MU and FA cooperate to update the session key. 1. MU chooses a new random number bi and computes bi Q. Then, MU sends bi Q to FA. 2. Upon receiving the message from MU, FA performs the following tasks.

Robust Anonymous Authentication Scheme without Verification Table

9

(a) Choose a new random number ai . (b) Compute ai Q. (c) Generate the new session key SK ′ = h2 (ai bi Q). (d) Compute the message authentication code fSK ′ (h2 (ai bi Q)kh2 (ai−1 bi−1 Q)). (e) Send ai Q and fSK ′ (ai bi Qkai−1 bi−1 Q) to MU. 3. On receiving the response message from FA, MU performs the tasks as follows. (a) Compute the new session key SK ′ = h2 (bi ai Q) in accordance with the received ai Q and his/her chosen bi . ′ (b) Compute the message authentication code fSK ′ (ai bi Qk ai−1 bi−1 Q). If ′ fSK ′ (h2 (ai bi Q)k h2 (ai−1 bi−1 Q)) = fSK ′ (h2 (ai bi Q)k h2 (ai−1 bi−1 Q)), MU accepts the new session key; otherwise, he/she rejects it.

4

Security Analysis

Based on the intractability of solving the elliptic curve computational DiffieHellman problem (ECCDHP) and reversing the one-way hash function (OWHF), we first analyze the security of the proposed scheme in this section. Anonymity: Suppose that an adversary intercepts a mobile user MU’s password P WMU . However, the adversary cannot obtain the identity for MU due to the intractability of reversing the OWHF. Forward Secrecy: Consider the scenario that an adversary attempts to derive the previous session keys after the adversary obtains HA’s long term secret key K and MU’s password P WMU . However, he/she fails to derive the session keys due to intractability of solving the ECCDHP. Mutual Authentication: We consider the following cases. 1. Mutual Authentication between HA and MU: For authenticating MU, HA verifies the message authentication code M ACMU . In the other hand, MU authenticates HA by verifying the message authentication code M AC2HA . 2. Mutual Authentication between HA and FA: HA authenticates FA by verifying the message authentication code M ACF A . By verifying the message code M AC1HA , FA confirms the identity of HA. 3. Mutual Authentication between MU and FA: For authenticating FA, MU verifies the message authentication code M AC2HA . It implies that FA has been authenticated by HA. In the other hand, FA authenticates MU by verifying the authentication code M AC1HA . It also implies that MU has passed HA’s authentication. Replay-attack Reliance: Assume that an adversary attempts to replay the intercepted messages. However, the adversary cannot successfully mount such attacks because the proposed scheme adopt the nonce mechanism. Man-in-the-middle-attack Reliance: Consider the scenario that an adversary attempts to intercept all transmitted messages between MU and FA. However, the adversary cannot successfully mount such attacks because the proposed scheme provide mutual authentication between MU and FA with the help of HA.

10

5

Kuo-Yang Wu, Kuo-Yu Tsai and Tzong-Chen Wu

Conclusions

We demonstrate that there are some potential attacks in inherent in Mu et al.’s scheme and propose a robust anonymous authentication scheme for roaming service in global mobility networks, in which HA and FA do not maintain any table. The security of the proposed scheme is proven to be secure. Acknowledgments. This work is supported partially by National Science Council under the Grant 98-2221-E-011-073-MY3 and 99-2218-E-011-011, and Taiwan Information Security Center (TWISC), NSC 100-2219-E-011-002.

References 1. Koblitz, N.: Elliptic Curve Cryptosystems. Mathematics of Computation 48(177), 203V-209 (1987) 2. Lee, C.C., Hwang, M.S., Liao, I.E.: Security Enhancement on a New Authentication Scheme with Anonymity for Wireless Environments. IEEE Trans. Ind. Electron. 53(5), 1683V-1687 (2006) 3. Li, K. Xiu, A. He, F., Lee, D.H.: Anonymous Authentication with Unlinkability for Wireless Environments. IEICE Electronics Express 8(8), 536-541 (2011) 4. Miller, V.: Use of Elliptic Curves in Cryptography. In: Williams, H.C. (ed.) Advances in Cryptology X CRYPTO 85. LNCS, vol. 218, pp. 417V-426. Springer, Heidelberg (1985) 5. Mun H., Han, K, Lee, Y.S., Yeun, C.Y., Choi, H.H.: Enhanced Secure Anonymous Authentication Scheme for Roaming Service in Global Mobility Networks. Mathematical and Computer Modelling (2011), doi: 10.1016/j.mcm.2011.04.036 6. Wu, CC, Lee WB, Tsaur, WJ.: A Secure Authentication Scheme with Anonymity for Wireless Communications. IEEE Commun Lett 12(10), 722V3 (2008) 7. Xu, J., Feng, D.: Security Flaws in Authentication Protocols with Anonymity for Wireless Environments, ETRI J. 31(4), 460V462 (2009) 8. Zeng, P., Cao, Z., Choo, K.K.R., Wang, S.: On the Anonymity of Some Authentication Schemes for Wireless Communications, IEEE Commun. Lett. 13(3), 170V-171 (2009) 9. Zhu, J., Ma J.: A New Authentication Scheme with Anonymity for Wireless Environments. IEEE Trans Consumer Elect 50(1), 231-V5 (2004)