an individual and group authentication model

An Individual and Group Authentication Model for Wireless Network Services Huy Hoang Ngo, Xianping Wu, Phu Dung Le, Bala Srinivasan

An Individual and Group Authentication Model for Wireless Network Services

Huy Hoang Ngo*Corresponding author

Faculty of Information Technology, Monash University, Melbourne, Australia , Xianping Wu, Phu Dung Le, Bala Srinivasan

{huy.hoang.ngo, xianping.wu, phu.dung.le, bala.srinivasan}@infotech.monash.edu.au doi: 10.4156/jcit.vol5.issue1.10

Abstract

Authentication is the most important component to

protect information system from unauthorized access. Because mobile devices have resource limitations, current existing authentication methods experience security, efficiency, flexibility and scalability problems in wireless network services. Although many access control methods utilize both individuals and groups while validating authorization, there has been up to date no authentication mechanism supporting both group and individual. To overcome the existing problems, an authentication model for large scale wireless network is proposed in this paper. It provides secure, efficient, flexible and scalable authentication for wireless network users and services. To exhibit the security and efficiency characteristics, a realization of the authentication model using dynamic key cryptography and group key management for individual and group of users and services is also proposed. Its analysis demonstrates the advantages in security, efficiency, flexibility and scalability of both individual and group authentication to existing authentication methods.

Keywords

Dynamic key cryptography, group key management,

authentication, wireless network services.

1. Introduction

With the new trends of cloud computing and wireless networks, services have become the core of the current software architectures. In the Software as a Service software distribution model [1], services allow users to access business functionality from wired and wireless networks without installation. Instead of investing for regularly upgrading hardware, users can utilize thin client such as mobile devices to access services from anywhere and at anytime. With this ability, services can provide flexibility and convenience for wireless network users. However, they also bring about security challenges, in particular

authentication system to protect unauthorized access for services.

Existing authentication methods have become more and more vulnerable in wireless networks. Due to the characteristics of broadcasting signals into the air, communications in wireless networks are susceptible to eavesdropping and intercepting attacks. Therefore, replay attack and cryptanalysis attack risks on existing authentication methods such as OpenID [2], Kerberos [3] are higher. Although there are proposed authentication methods for wireless networks in [4-8], flexibly achieving secure, efficient and scalable authentication for different requirements in wireless networks are not their major concerns. Efficient authentication methods in [4, 5, 7, 8] are not secure enough for sensitive services. In contrast, authentications using asymmetric cryptography in [6] consumes a lot of computational resource, which is not suitable for low profile mobile devices. Furthermore, large scale dynamic users and services in wireless network can cause scalability problem for these methods.

In large scale dynamic system, access control system such as RBAC [9] and PRBAC [10] utilizes groups of users and services to achieve scalability. While users and services are dynamic, user groups and service groups are assumed to be more stable. Grouping users and services into user groups and services can help to deal with scalability. Meanwhile, some services also require individual identities authentication for auditing. However, none of existing authentication mechanisms can support both individual and group authentication. Furthermore, the authentication model should also be flexible to adapt different requirements of problems and device profiles in wireless networks. There is no existing authentication method to provide secure, efficient, flexible and scalable authentication for individual and group wireless network users and services.

In this paper, a model providing secure, efficient, flexible and scalable authentication for wireless network services is proposed. In the authentication model, users and services are grouped into user groups and service groups respectively. Based on a set of

82

Journal of Convergence Information Technology Volume 5, Number 1, February 2010

relationship among users, services, user groups and service groups, the authentication model provide individual and group authentication for users and services. A realization is proposed to validate the authentication model. An analysis and a discussion show that the implementation can achieve security, efficiency, flexibility and scalability in authentication for both individual and group wireless network users and services.

The rest of paper is organized as follows. Next section reviews related works. Section 3 describes the authentication model. A realization of the authentication is proposed in section 4. Section 5 analyses and discusses properties of the authentication realization and model. Section 6 ends the paper with conclusion and proposes further research.

2. Background

In this section, two techniques used to realize the authentication model are described. The first technique is the dynamic key cryptographic generation and the second is a hybrid key management in wireless networks. The dynamic key cryptography can help the authentication protocols of the authentication realization prevent cryptanalysis attacks and replay attacks. Mean while the group authentication keys are used to controlled and distributed by the group key management among group members.

2.1 Notations

At first, notations using in this paper are described.

Table 1. Notations Notations Descriptions

DK1… DK dynamic keys n EK, IK initial keys used to generate dynamic key

TK1… TK temporary keys m SK seed key h(.) a one-way hash function ⊕ exclusive-OR

Nu, Nu’, Ns,

Ns

nonces (random generated number) ’

A → B: X A sends a uni-cast message X to B {X}K message X is encrypted by key K

KP Q←→ K is a shared cryptography key to secure communications between P and Q

P believes X P may acts as X is true

P received X P received a message containing X, P can read and repeat X

P said X P at some time sent a message containing X P controls X P has jurisdiction over X

fresh(X) X has not been sent before the current protocol run

⟨X⟩ P cannot read or recognize X (P does not have the key k to decrypt {X}k *P

2.1 Dynamic Key Generation Technique

Dynamic keys are one-time symmetric cryptographic keys. In dynamic key cryptography, each message is encrypted by only one dynamic key. Cryptographic keys are not reusable in dynamic key cryptography. Therefore, it minimizes cryptanalysis attack risks. The idea of dynamic key is similar to one-time pad [11]. However, instead of having key exchange before the encryption, dynamic key cryptography has off-line key generation scheme to generate sequence of dynamic keys at involved parties. A dynamic key sequence is a collection of dynamic key {DK1…DKn}. Each dynamic key in the sequence is used to encrypt a message. One dynamic key DKi is computed from the previous key DKi-1 and other materials using the dynamic key generation techniques so that compromising the previous key DKi-1 does not make the current dynamic key DKi

In [12], a dynamic key generation technique is proposed. The analysis shows that dynamic key sequence created by the scheme can prevent replay attacks in authentication. The dynamic key generation scheme is divided into the following four steps as in Fig.1.

vulnerable.

Alice Bob

EK, IK

{TK1, TK2, ..., TKm}EK

SK = IK + TK1 + TK2 + ... + TKm

TKmTK2TK1 ...SK TKmTK2TK1 ...SK

...DK3DK2 DK4DK1 DKn ...DK3DK2 DK4DK1 DKn

TKmTK2TK1 ...

TKmTK2TK1 ...

DKi=f(SK, ..., ..., ...) DKi=f(SK, ..., ..., ...)

SK = IK + TK1 + TK2 + ... + TKm

Figure 1. The dynamic key generation technique

Step 1: Alice and Bob exchange two keys EK and IK via a secure channel. Step 2: Alice randomly generates m initial temporary keys TK1,...,TKm

and sends the message to Bob, encrypted by EK.

)...(,},...,{: 11 EKTKTKhEKTKTKBA mm ⊕⊕⊕→

(1)

The result of the hash function h(TK1⊕...⊕TKm

⊕EK) is the digital signature to authenticate the source of the message. It is used to verify that Alice is the one who sends this message.

83


Step 3: Both Alice and Bob compute a seed key SK from the initial key IK and the temporary keys TK1,...,TKm

mTKTKIKSK +++= ...1

using bit-wise additional operation. (2)

Step 4: Generate sequence of dynamic keys. The first dynamic key DK1 is generated from the seed key SK and the temporary keys TK1,...,TKm

)...( 1211 mmm TKTKTKTKSKhDK ⊕⊕⊕⊕⊕= −−

by using hash function h(.):

(3)

With n is the number of dynamic keys a sequence, assume n > m, the other dynamic keys are generated by using hash function h() with the replaced parameters as follows.

)...( 1122 DKTKTKTKSKhDK mm ⊕⊕⊕⊕⊕= − )...( 2133 DKDKTKTKSKhDK m ⊕⊕⊕⊕⊕=

… )...( 123 −−−− ⊕⊕⊕⊕⊕= nnnmnn DKDKDKDKSKhDK

(3’)

The result is a dynamic key sequence {DK1,...DKn

} used to secure communications in authentication.

2.2 Hybrid Group Key Management

Hybrid group key management [13] is an efficient group key management for wireless networks. Group key management is a mechanism to secure group communications via multicast by symmetric keys. The hybrid group key management is a distributed group key management designed on the structure of wireless cellular networks. Its architecture is separated into two-level structure: the fundamental wireless network level and logic structure level.

In the fundamental wireless network level, the whole wireless network is separated into smaller local wireless cells. Each wireless cell is managed by a key server named CKS integrating with the based station of the wireless cell. The CKS locally handles group key operations for members in its wireless cell. There is a central key server named GKS on the top level to manage messages of CKSs. The structure is illustrated in Fig.2.

Figure 2. The network structure of the group key

management

The logic structure level is also divided into two clusters: leader cluster and member cluster. Based on these two clusters, rekeying operations in group key management occurs independently in each layer. It localizes effects of rekeying for member joins and member leaves. The logic structure is illustrated in Fig.3.

K18

K14 K58

K12 K34 K56 K78

u4u3u2u1

u1

u5 u6

u7 u8 u9 u10

u32

u33 u34

u35 u36 u37 u38

……..

Level 1Leader Cluster

Level 2Member Cluster

Cluster Leader Cluster Leader

Member Cluster 1 Member Cluster 4 Figure 3. The logical structure of the proposed group

key management

3. The Proposed Authentication Model

There are n users, m services, x user groups and y service groups in the model. These users are grouped into the user groups while the services are grouped into the service groups. Notations for users, services, user groups and service groups are specified as follows:

• n users written as u1,…, un

• m service written as s,

1,…, sm

• x user groups denoted as UG,

1,…, UG• y service groups denoted as SG

x 1,…, SGy

In the proposed model, a user group represents for a set of users sharing a set of privileges. User group concept has been introduced in operating systems [14] and RBAC authorization control [9]. User groups are usually derived from existing groups of users in reality such as groups of friends, employees of a company, students of a class, or members of a family. Users are also grouped by their roles in a system. Usually a role is directly referred to a privilege in the system. By joining into a group, users share permissions with other members in the same user group. In the model, a user group has its own privilege via a represented role. The privilege stands for permissions to access different services in the system. In other words, users are grouped by their authorities. A user group, denoted as UG, of k members, u

.

i1, …,uik

, is specified as follows:

84


1{ ,..., }, ,0i ikUG u u k k n= ∈ < ≤ (4) Service group is a new concept introduced in the

proposed model. Similar to users, services are also grouped into service groups. A service group, denoted as SG, of l services si 1, …, sil

1{ ,..., }, ,0i ilSG s s l l m= ∈ < ≤

, is written as follows: (5)

Services in a group share the same security requirements. By being a member of a service group, a service agrees to grant permissions to members of authorized user groups to access. Therefore services are grouped by security requirements. It is possible that a service be a member of multiple service groups. Although these service groups have different security requirements, the service adapts the security requirement from the using service group in an authentication. The security requirement for a service having multiple service group memberships is the minimal security requirements from these service groups.

In reality, services are often grouped by existing application packages. In a simple example, a multimedia company provides multiple paid TV channels as services. Although they are classified into their categories such as music, movie, news, fashion, cartoon, adult, etc., the TV channel services are grouped by pre-paid packages. Each package is considered as a service group. When a user subscribes a package, he/she is able to access to channels in the package. Instead of controlling authorization and authentication for individual channels, the company manages its services via service groups.

The main idea of the proposed authentication model is to provide authentication for user groups and service groups. Unlike traditional authentication model working with individual users and services, the proposed authentication model connects users to user groups, services to service groups. Instead of using individual identities, users and services authenticate their group identities. Therefore, authentications are considered to be performed between user groups and service groups. Hence, the individual authentication problem becomes group authentication problem. The overview of the proposed authentication model is illustrated in Fig. 4.

User

Group of Users

Service

Group of Services

Authentication Model

Authentication

Figure 4. The conceptual authentication model

To provide authentication for users and services,

the proposed model uses a building block named authentication verification. The authentication verification is an extension of the authentication block in [15]. It performs the authentication by validating claimed identities in authentication requests. An authentication request is simply a service access request created by a user and sent to a service in the system. There are three main components in the authentication verification: a collection of relationships, a group manager and an authentication controller. The tasks of the authentication controller and the group manager rely on the collection of relationships. To perform authentication, these components realize the relationships for their tasks. In other words, the collection of relationships between entities and identities is the fundamental component to uphold the group manager and the authentication controller in the model. The structure of the authentication verification is illustrated in Fig.5.

Authentication Verification

Group Manager

Relationships

Authentication Controller

Figure 5. The structure of authentication verification

3.1 The collection of relationship

The collection includes relationships between authentication entities and authentication identities in the authentication model. The authentication relationship between a user U and his/her individual identity is called user authentication relationship or UGA. Similarly, the authentication relationship

85


between a service S and its individual identity is called service group authentication or SGA. Between user U and user group UG, there is a user group assignment denoted as UA. Correspondingly, the relationship between entity service S and identity service group SG named as service group assignment or SA. Between two identities UG and SG, there is a group authentication relationship GA. The collection of relationships between entities and identities is illustrated in Fig.6.

U

UG

UA

SG

S

GA

SA

UGA SGA

Figure 6. The relationships between entities in the

model

Based on the collection of relationships, other components in the authentication verification process are built. The group manager is built from UA, UGA, SA and SGA relationships. Meanwhile, the authentication controller is built from GA relationship. Fig.7 illustrates the entities, components and relationships between entities and components in the model.

U

UA

S

SA

UGA SGA

GAUG SG

Group Manager

Authentication Controller

Group Manager

Figure 7. The relationships between entities, elements

and components summary

3.2 The Group Manager

The group manager is built from two relationships: user group assignment (UA) and service group assignment (SA). These relationships are involved by two different types of entities: user and service. Therefore, the group manager is divided into two sub-group manager components: user group manager and service group manager. The user group manager is a key management service to manage memberships of

user groups. Beside UA, it also controls UGA relationship. The service group manager is a key management service to manage memberships of service groups. It handles both SA and SGA relationship.

3.3 The Authentication Controller

The authentication controller is the core component to verify authentication request from users and services in the model. Similar to single sign on authentication approaches, the authentication controller employs a special service, named as authentication service, to handle authentication process. Authentication Service (AS) is a specific service that is used to verify claimed identity of entities in requests. The authentication service AS is a trusted third party verifying request authentication from users and services in the model. The trusts are represented by sharing authentication keys between users and AS or between other services and AS.

In the proposed model, authentication identities verified by AS are group identities instead of individual identities. These claimed identities are either user groups or server groups. The authentication of a user group identity from a user is to identify whether user is a legit member of user group UG. The evidences of user group identities and service group identities are represented by shared group keys obtaining from the group manager. These group keys are used as authentication keys for user groups and service groups.

AS employs authentication protocols to verify authentication requests. Authentication protocols are cryptography protocols to communicate among entities and AS in authentications so that users and services can prove their claimed identities. By encrypting/decrypting challenges and authentication materials in messages of the protocols with authentication keys, users and services can create the trust on their group membership with AS. 3.4 The Authentication Architecture

The proposed authentication architecture is divided

into two layers which are Key Management and Authentication. These two layers are derived from the group manager and the authentication controller in the proposed model. The group manager creates a transparent layer to provide operations related to group memberships and group authentication keys for users and services. The authentication controller builds a layer called authentication layer staying on top of the

86


control group authentication operations. This layer supports the authentication protocols in order to perform authentication. Fig.8 illustrates the two layers authentication architecture.

Figure 8. The authentication architecture.

In the architecture, each user u, a service s or the

authentication service AS is integrated with two modules which are a key management module and an authentication module. The key management module updates group keys from the the group manager via the key management layer. The authentication modules use the group key obtained from the key management module to authenticate with authentication services via authentication layer.

4. An Authentication Realization of the Authentication Model

The hybrid group key management and the dynamic key cryptography are used to fulfill the group manager and the authentication controller in the model. These mechanisms are the key components to enhance the efficiency and security for the group manager and the authentication controller in the model in wireless network services. The realization is used to demonstrate the advantages of the proposed authentication model over the previous authentication methods in wireless networks. However, it is neither the only realization of the authentication model nor the compulsory mechanisms to use for any realization for this model.

4.1 The Realization for the Group Manager

The realization of the group manager controls users groups and service groups to support for group authentication. It requires a mechanism to manage two different types of groups efficiently. Beside the group membership change operations, there are also two extra operations to support operations in authentication controller. To realize the group manager of the authentication model, the hybrid group key management in wireless networks is utilized to achieve

security and efficiency for managing membership change of user groups and service groups.

Beside three basic rekey operations in hybrid group key management (user join, user leave and user handoff), there are two extra rekey operations. The first rekey operation is periodical rekey. This rekey operation is independent from membership change. It is used to refresh authentication keys periodically. It is used to reduce cryptanalysis attack risks on authentication keys. The other rekey operation is post-authentication rekey. After an authentication, authentication keys of involved entities are updated. This feature can help to reduce both cryptanalysis attacks and replay attacks. These rekey operations enhanced the security for the distribution and of authentication keys among members of user groups and service groups.

4.2 The Realization for the Authentication Controller

In the authentication controller, the authentication service verifies the authentication requests. To verify authentication requests, the authentication controller uses authentication protocols to validate claimed identities in authentication requests. Similar to other entities, the authentication service also uses authentication library to verify authentication. To verify identities of user groups and service groups, authentication service is a member of all user groups and service groups by default so that it knows all the group keys of all user groups and service groups for authentication.

There are two authentication protocols: one is for group, the other for individual.

4.2.1 The Group Authentication Protocol

The group authentication protocol using dynamic keys is proposed to verify identities for users and services via authentication service. In the first step of the authentication protocol, a service s receives a direct access request from a user u. In the request, u claims that he/she is a member of a user group UG. Firstly, s verifies whether UG is allowed to access itself using authorization control integrating with s. After confirming that member of UG can access s via the permission with SG while s is a member of SG, s forwards the request to AS to ask for authentication. Finally, the main purpose of AS is to verify authentication of the user group identity UG of user u and service group identity SG of service s.

87


The authentication protocol consists of six following steps. Step 1: u sends the request to s claiming that he is a member of UG. Beside the claimed user group identity, the message contains a nonce Nu and a hash value of the nonce exclusive-or with the key group of UG, (h(Nu⊕KUGStep 2: After receiving the request, s validates authorization of the request then sends a message to AS. The message contains information of the request in request and also claimed service group identity SG of s. Besides, s also sends another message to AS as a request AS by a nonce N

)).

s encrypted by its group key KSGStep 3: By receiving the message from s, AS generates two key EK and IK as material keys for s and u to generate dynamic keys. It produces a message having two parts and sends to s. The first part is the material to generate dynamic keys for u. It contains two keys EK and IK and the nonce N

.

u encrypted with user group key KUG. The second part includes EK, IK and Ns encrypted by KSG

Step 4: s decrypts its message from AS to extract EK and IK. It forwards the first part of the message, the key material for u, receiving from AS to u. The message sent to u also contains three temporary keys TK

which are sent to as the material for s to generate dynamic keys.

1, TK2 and TK3 as in step 2 to create dynamic keys. It also includes another nonce Ns

’

Step 5: u extracts EK, IK and N

to challenge u to encrypt it.

u from the first part of the message. The extracted value of Nu is compare with the original value of nonce Nu when it created. When the value is matched, u can trust two keys EK and IK created by AS. It uses EK to decrypt the second part of the message to extract temporary keys TK1, TK2, TK3 and the nonce Ns

’. u uses the initial key IK and temporary keys TK1, TK2, TK3 to create SK then DK1 as in step 3 and 4 to create a sequence of dynamic keys. Finally, u creates a new nonce Nu

’ and combines a message with Nu

’ and Ns’ + 1 encrypted by DK1

Step 6: s also computes dynamic keys DK

to response to the challenge of s.

1 then DK2 from EK, IK, TK1, TK2, and TK3. Then it uses DK1 to extract the message from u in step 5, validates Ns

’ to authenticate u. After the validation process is completed, s responses to u the value Nu

’-1 encrypted by DK2 as the confirmation of authentication and its willing to serve u. By receiving this message and validating Nu

’, u can trust the validity of s which complete the mutual authentication. After this step, u and s continue the session and use next dynamic keys

DKi, i ≥3) in the sequence as cryptographic key to secure the communication. In the end of phase 6, s notices AS to invoke post-authentication rekey to update KUG

The six steps protocol is formalized by six following messages.

.

'1 2 3

' '1

'2

1. : , , ( )2 . : , , ( ), , , ( )3 . :{ , , } ,{ , , }

4. :{ , , } ,{ , , , }

5. :{ 1, }

6. :{ 1}

u u UG

u u UG s SG

u UG s SG

u UG s

s u

u

u s UG N h N Ks AS UG N h N K SG N h Ns KAS s EK IK N K EK IK N K

s u EK IK N K TK TK TK N EK

u s N N DK

s u N DK

→ ⊕

→ ⊕ ⊕

→

→

→ +

→ −

The message flow of the group authentication

protocol is described in Fig. 9.

Figure 9. The group authentication protocol

The result of the authentication protocol is a secure

channel established between u and s. The secure channel uses a sequence of dynamic keys as cryptographic keys for securing communications. During steps 5 and 6, both u and s start to share a sequence of dynamic keys DK1, DK2

, etc... They use these dynamic keys to secure the communications between them.

4.2.2 The Individual Authentication Protocol In the original idea of the authentication model,

users utilize their user group identities to authenticate and access services. It accelerates authorization and the identity look-up in the authentication. Services and authentication service does not need to store memberships of all the users. Therefore, authorization verification process does not have to look up user memberships and its performance can be optimized. In the authentication model, services recognize access

88


requests from members of user groups. The identity to be verified is group identity. However, some service requires individual identity authentication for audit tracing as well.

In the situation of services requiring individual identity authentication for audit tracing, the individual authentication protocol is proposed to authenticate both individual identity and group identity. This extension made the authentication to be similar to two-factor authentication from user group identity and user individual identity.

The individual authentication is somewhat different from the group authentication protocols. In message 1 and 2, the individual identity u is inserted. The individual dynamic keys u

iDK are also used for authentication in this protocol. Therefore, the signature in message 1 is signed by both KUG

uiDK and . In

message 3 and 4, the key exchange message { , , }u UGEK IK N K is broken down into two parts:

1{ } uiEK DK + and { , }u UGIK N K . The first part is

encrypted by individual dynamic key of u while the second part is encrypted by authentication key of his/her user group UG. The rest of the individual authentication protocol is the same as the group authentication protocol. The six messages in the individual authentication protocol are formalized as follows:

1'

1 1 2 3' '

1'

2

1. : , , , ( )

2 . : , , , ( ), , , ( )

3. :{ } ,{ , } ,{ , , }

4. :{ } ,{ , } ,{ , , , }

5. :{ 1, }

6. :{ 1}

uu u UG i

uu u UG i s SGui u UG s SG

ui u UG s

s u

u

u s u UG N h N K DK

s AS u UG N h N K DK SG N h Ns K

AS s EK DK IK N K EK IK N K

s u EK DK IK N K TK TK TK N EK

u s N N DK

s u N DK

+

+

→ ⊕ ⊕

→ ⊕ ⊕ ⊕

→

→

→ +

→ −

5. Analysis and Discussion

5.1 Security Analysis

The security analysis is performed from each

component to the whole authentication realization. Because the security of the group manager is described in [13], we do not repeat the analysis of the group key management. The security analysis expresses that the group manager can distribute authentication keys securely to members of user groups and services group. The protocol authentication protocols are formally analyzed by SVO logic [16]. The following analysis is

performed to verify the security of the authentication controller. Before analyzing the authentication controller, the freshness of the dynamic keys is verified so that they can be used to secure authentication protocols. 5.1.1 The Freshness of Dynamic Keys

In this analysis, dynamic keys are investigated to

find out whether they are good keys for cryptography and authentication. The belief in the goodness of cryptographic keys are mentioned in [17] as a base to construct logic to verify authentication protocols. Beside the goodness, freshness of authentication keys are also mentioned as the authentication key has not been used before the current run of the authentication. The following theorem is used to explain the goodness and the freshness of dynamic keys from its dynamic key generation input. Dynamic Key Theorem. If an entity P believes that two keys EK and IK are produced and sent by AS and it also believes in either the freshness of either initial keys EK, IK or temporary keys TK1, TK2 and TK3, the produced dynamic keys DK1,…,DKn

are believed to be good and fresh keys to communicate with other entities in an authentication.

Proof: All entities in an authentication are assumed to believe that AS has a jurisdiction in EK and IK. In other words, they believe that AS generates good keys EK and IK. Therefore, it is deduced that P believes in the goodness of EK and IK. P believes AS controls EK, IK ∧ P believes AS says EK, IK → P believes EK, IK

Because it is infeasible to guess dynamic keys and the collision freedom condition for the strong hash function f(.), the goodness of the first dynamic key DK1

derived from equation (3) based on EK and IK can be deduced:

P believes EK, IK → P believes DK

1

When the entity P believes in DK1, he/she also believes in the next dynamic key DK2 derived from equation (3’). Therefore, the other dynamic keys in the sequence, DK3, DK4, …, DKn are also believed by P. The freshness of the first dynamic key DK1 in the sequence is also deduced from the freshness of one of the initial keys EK, IK, TK1, TK2 and TK3. Because

89


DK1 is computed by the collision free one-way hash function f(.) with input parameters being TK1, TK2, TK3 and SK, the freshness of either TK1, TK2, TK3 or SK, can warrantee the freshness of DK1. However, SK is computed by IK, TK1, TK2 and TK3 in equation (2). Therefore, SK is fresh if one of four keys IK, TK1, TK2 or TK3 is fresh. Therefore the first dynamic key DK1

Similar to the work out of the goodness for other dynamic keys in the sequence, other dynamic keys DK

is fresh.

2, DK3,…, DKn are also fresh when one of the initial keys IK, TK1, TK2 or TK3

is fresh. �

Based on the dynamic key theorem, two following corollaries are given to prove the security of two authentication protocols with dynamic keys. Corollary 1. Dynamic Key First Generator Corollary P believes AS says (EK, IK) ∧ P believes fresh(TK1, TK2, TK3) ∧ P says (TK1, TK2, TK3

iDKP Q←→) → P believes ∧ P believes fresh (DKi

),∀i>0.

This corollary explains that after receiving EK and IK from AS, P can create TK1, TK2 and TK3 and exchange with Q to generate dynamic keys DKi to secure communication. P can believe in the goodness and the freshness of dynamic keys DKi

in communicating with Q.

Corollary 2. Dynamic Key Second Generator Corollary Q believes AS says (EK, IK) ∧ Q believes fresh(EK, IK) ∧ Q believes P says (TK1, TK2, TK3

iDKP Q←→) → Q believes ∧ Q believes fresh (DKi

This corollary explains that after receiving and verifying the freshness of EK and IK from AS, Q can use TK

),∀i>0.

1 and TK2 receiving from P to generate dynamic keys DKi

Both the two above corollaries are deduced from the dynamic key theorem. Based on these corollaries, the security of the authentication protocols is verified.

to communicate with P. Q can believe in the goodness and the freshness of dynamic keys in communicating with P.

5.1.2 Security Analysis of the Group Authentication Protocol

The proposed authentication protocol is analyzed

by SVO logic [16] to find out whether it achieves authentication goals. Analysis in SVO uses twenty one axioms to interpret goals in cryptographic protocols.

The authentication protocol has a set of six goals for authentication: ping authentication, entity authentication, secret dynamic key establishment, dynamic key freshness, mutual understanding of dynamic keys and dynamic key confirmation. These six goals are specified as follows: G1. u believes s say X G2. u believes (s say F(X,Nu

’), fresh(Nu’

G3. u believes ))

iDKu s←→ G4. u believes fresh(DKi

G5. u believes s says ()

iDKu s←→ )

G6. u believes ( iDKu s←→ ∧ s says {Nu’}DKi

)

Initial Assumptions P1. u believes UGKu AS←→

P2. s believes SGKs AS←→ P3. u believes AS control Ku s←→ P4. s believes AS control Ku s←→ P5. u believes AS control fresh(EK, IK) P6. s believes AS control fresh(EK, IK) P7. u believes fresh(NuP8. u believes fresh(N

) u

’

P9. s believes fresh(N)

sP10. s believes fresh(N

) s’

P11. s believes fresh(TK) 1

P12. s believes fresh(TK)

2P13. s believes fresh(TK

) 3

)

P1 to P2 note that both u and s are assumed to believe in their group authentication keys. P3 and P4 note that they also believe in two key EK and IK generating by AS. P5 and P6 note that they believe in the freshness of the keys generated by AS. P7, P8, P9 and P10 note that they believe nonces generated by themselves. P11, P12, P13 note that s believes in the freshness of temporary TK1 and TK2

created by itself.

Received Message Assumptions

P14. s received (UG, Nu, h(Nu ⊕ KUG

P15. AS received (UG,N))

u,h(Nu ⊕ KUG), SG,Ns, h(Ns ⊕ KSGP16. s received ({EK, IK, N

)) u}KUG,{EK, IK, Ns}KSG

P17. u received ({EK, IK, N)

u}KUG, {TK1, TK2, TK3, Ns

’

P18. s received { N}EK)

s’+1, Nu

’}DKP19. u received { N

1

u’-1 }DK

2

P14 to P19 are derived from message 1 to message 6 in the group authentication protocols. After receiving

90


the messages, the comprehensions of the messages are expressed as follows:

Comprehension Assumptions P20. s believe s received (UG, Nu, h(Nu ⊕ KUG

P21. AS believes AS received (UG, N))

u, h(Nu ⊕ KUG), SG,Ns, h(Ns ⊕ KSGP22. s believes s received ({EK, IK, N

)) u}KUG,{EK, IK,

Ns}KSGP23. u believes u received ({EK, IK, N

) u}KUG, {TK1, TK2,

TK3, Ns’

P24. s believes s received { N}EK)

s’+1, Nu

’}DKP25. u believes u received { N

1

u’-1 }DK

2

The comprehensions from P22 to P25 are interpreted as follows:

Interpretation Assumptions P26. s believe s received (⟨{EK, IK, Nu}KUG⟩*s,{⟨EK, IK⟩*s, Ns}KSG) → s believes s received (⟨{EK, IK, Nu}KUG⟩*s, Ns,

⟨IK⟩*s*sEKu s←→, , fresh(EK,IK))

P27. u believes u received ({⟨EK, IK⟩*s, Nu}KUG, ⟨{TK1, TK2, TK3, Ns

’}EK⟩*u) → u believes u received (Nu, ⟨IK⟩*u

*uEKu s←→

,

,fresh(EK, IK), ⟨{ TK1, TK2, TK3 Ns’}EK⟩*u

P28. s believes s received { N))

s’+1, ⟨Nu

’⟩*s }DK1→ s believes

s received (Ns’, ⟨Nu

’⟩*s1 *sDKu s←→, )

P29. u believes u received { Nu’-1 }DK2→ u believes u

received (Nu’ 2 *uDKu s←→, )

Derivation for u

i. u believes EK, IK by Jurisdiction and Nonce-Verification Axioms, P27, P7 and P3. ii. u believes fresh(EK,IK) by Freshness Axiom, P27, P3 and P5. iii. u believes s says TK1,TK2 and TK3

iv. u believes

by Source Association Axiom, Saying Axiom, Belief Axiom and P27.

iDKu s←→ ∧ fresh(DKi

v. u believes s says (N

) by Dynamic Key Second Generator Corollary, (i), (ii) and (iii).

u’ 2DKu s←→, ∧ fresh(Nu

’

From the analysis above, we can derive authentication goals for u from the analysis above. For u, G1 is derived in (iii), G2 in (v), G3 and G4 in (iv) in G5, G6 in (v). Similar to this, we do the derivation for s.

)) by Saying Axiom, Source Association Axiom, Belief Axiom, P8, P29, and iv.

Derivation for s

i. s believes EK, IK by Jurisdiction and Nonce-Verification Axioms, P26, P9 and P4. ii. s says TK1, TK2, TK3

iii. s believes by Saying Axiom and P23.

iDKu s←→ ∧ fresh(DKi

iv. s believes u says (N

) by Dynamic Key First Generator Corollary, (i), (ii) and P11, P12 and P13.

s’ 1DKu s←→, ∧ fresh(Ns

’

Similar to the derivation for u, we can derive conclusion that the authentication for s meets its goals with the above analysis. For s, G1 and G2 are derived in (iv), G3 and G4 in (iii) in G5, G6 in (iv).

)) by Saying Axiom, Source Association Axiom, Belief Axiom, P10, P25, and iii.

In summary, the authentication protocol meets six goals for both user and service. Based on the derivation for u and s, the six basic goals of authentication protocols in SVO are achieved. 5.1.3 Security Analysis of the Individual Authentication Protocol

Similar to the security analysis of the group authentication protocol, besides the original assumption from the group authentication, the individual authentication protocol has two extra assumptions expressing that both u and AS believe in the individual key DKi

u

of u.

P30. u believes uiDKs AS←→

P31. AS believes uiDKs AS←→

Similar to the group authentication protocol

analysis, the receiving of six messages of the individual authentication protocol is formalized as following

Received Message Assumptions

P32. s received (u,UG, Nu, h(Nu ⊕ KUGuiDK ⊕ ))

P33. AS received (u, UG, Nu, h(Nu ⊕ KUGuiDK ⊕ ), SG, Ns,

h(Ns ⊕ KSG

P34. s received ({EK}))

1uiDK + , {IK, Nu}KUG,{EK, IK,

Ns}KSG

P35. u received ({EK})

uiDK , {IK, Nu}KUG, {TK1, TK2, TK3,

Ns’

P36. s received { N}EK)

s’+1, Nu

’}DKP37. u received { N

1

u’-1 }DK

2

Comprehension Assumptions

91


P38. s believe s received (u, UG, Nu, h(Nu ⊕ KUGuiDK ⊕ )

P39. AS believes AS received (u, UG, Nu, h(Nu ⊕ KUG uiDK⊕ ), SG,Ns, h(Ns ⊕ KSG

P40. s believes s received ({EK}⊕

)) uiDK , {IK, Nu}KUG,{EK,

IK, Ns}KSG

P41. u believes u received ({EK}⊕

) uiDK , {IK, Nu}KUG,

{TK1, TK2, TK3, Ns’

P42. s believes s received { N}EK)

s’+1, Nu

’}DKP43. u believes u received { N

1

u’-1 }DK

2

As we see, P42 is similar to P24; P43 to P25. The comprehensions of P40 to P41 are interpreted by P44 and P45 as follows:

Interpretation Assumptions P44. s believe s received ({EK}DKu

i+1, {IK, Nu}KUG, ,{EK, IK, Ns}KSG)) → s believes s received (⟨{EK} DKu

i+1, {IK}

KUG, Nu⟩*s*uEKu s←→, ,fresh(EK, IK)).

P44. u believe u received ({EK}DKui+1, {IK, Nu}KUG, ⟨{TK1,

TK2, TK3, Ns’}EK⟩*u)) → u believes u received (⟨EK, IK⟩*s,

Nu*uEKu s←→, ,fresh(EK,IK), ⟨{ TK1, TK2, TK3 Ns

’}EK⟩*u

).

The rest of the derivation is similar to the derivation of the group authentication protocol.

5.2 Performance Analysis

Because the key management layer is transparent to the authentication layer, the cost in an authentication does not involve the cost of group management. Thus, it is based on the cost of the authentication protocol in the authentication controller. The computational cost for u, s and AS in an authentication are summarized in Table 2 and Table 3. This cost includes cost to generate dynamic keys, encrypt and decrypt messages in the protocol. The results in Table 2 and Table 3 show that the computational cost of individual authentication protocol performance is slightly higher than that of the group authentication protocol.

Table 2. Computational cost for the group authentication protocol.

Computational Cost Key Generation

u 3 hashings, 3 decryptions (8 keys), 1 encryption (2 key)

and 9 exclusive ORs 2 nonces

s 3 hashings, 2 decryptions (5 keys), 2 encryptions (5

2 nonces and 3 keys

keys) and 9 exclusive ORs

AS 2 hashing, 2 exclusive-ORs and 2 encryptions (6 keys) 2 keys

Table 3. Computational cost for the individual

authentication protocol. Computational Cost Key Generation

u 5 hashings, 3 decryptions (8 keys), 1 encryption (2 key)

and 16 exclusive ORs 2 nonces

s 3 hashings, 2 decryptions (5

keys), 2 encryptions (5 keys) and 9 exclusive ORs

2 nonces and 3 keys

AS 2 hashing, 9 exclusive-ORs and 3 encryptions (6 keys) 2 keys

The communication cost of the group and

individual authentication protocol are quite simple. The user u sends 2 messages. The service s sends 3 messages. And the authentication service AS sends 1 message. The communication cost is summarized in Table. 4.

Table 4. Communicational Cost

Group Authentication Individual Authentication

u 2 message (5 values) 2 messages (6 values)

s 3 message (14 values) 3 messages (15 values)

AS 1 message (6 values) 1 message (6 values) 5.3 Discussion 5.3.1 Traditional Security Risks

In this part, the authentication realization is examined under three traditional security risks for authentication: replay attacks, phishing attacks and cryptanalysis attacks. Because a dynamic key can be used once, a cryptographic message can only be decrypted and validated once. Therefore, authentication service can detect replay messages. Without the ability to generate the encrypted messages from correct synchronized dynamic keys, adversary cannot mount successfully replay attacks on cryptographic protocols using dynamic keys. Similarly, from a compromised dynamic key, it is infeasible to compute next dynamic keys for authentication. Therefore, the authentication protocol can reduce risks of phishing attacks and cryptanalysis attacks. 5.3.2 Scalability

92


The authentication model can achieve scalability to

adapt to rapid changes of the system. In wireless networks, users and services are very dynamic. Users and services may join and leave system very frequently. When the number of users and services change rapidly in the large scale system, the impact to management cost for authentication may become a considerable problem.

By grouping users and services into user groups and service groups, the authentication model can achieve scalability. Instead of dealing with each individual member of groups, the authentication is performed on group members. While the users and services are very dynamic in wireless networks, the user group and service group are more stable. Management Cost from rapid changes can be reduced with the proposed model. 5.3.2 Flexibility

The two layer architecture of the authentication model offers a great range of realizations for components in two different layers. Because of the separation and transparency between the two layers, each of them can be independently realized and implemented. A realization for the authentication controller in authentication layer does not restraint the realization for the group manager in key group layer and vice versa. Both the group manager and the authentication controller have many possible realizations and implementations.

The authentication model can be applied for not only wireless networks but also wired networks. With a great range of available realizations for both two components in two layers, realizations of model are able to offer different level of security and efficiency. There are efficient realizations that are suitable for large scaled wireless network users and services operating on limited resource devices. There are also strong secure realizations that can be used to protect sensitive services and users in wired networks. 5.3 Comparison

In order to validate the security and efficiency, the proposed authentication realization with two authentication protocol are compared to two existing authentication protocols: Kerberos and OpenId.

Table 4 shows the security comparison of the proposed authentication realization with Kerberos and OpenID via replay attacks, cryptanalysis attacks and phishing attacks.

Table 4. Security Comparison

Replay Cryptanalysis Phishing Kerberos Possible Possible Secure OpenID Secure Possible Possible

Proposed Model Secure Secure Secure

The comparison shows that only proposed

authentication is secure under replay attacks, cryptanalysis attacks and phishing attacks. By using dynamic keys, the proposed authentication realization is able to provide secure authentication for both individual and group of users.

Table 5. Performance Comparison

Asymmetric Encryptions

Symmetric Encryptions Messages

Kerberos 0 14 6 OpenID 6 62 6

Proposed Model 0 16 6

The comparison in the table 5 shows the efficiency of the proposed authentication realization in compare to other authentication methods. Although the proposed authentication realization is not the most efficient authentication method, the differences from the most efficient authentication method, Kerberos, are two symmetric encryptions. It shows that the proposed authentication realization can achieve high level of security without scarifying its performance. 6. Conclusion

In this paper, we have addressed the security,

efficiency, scalability and flexibility issues in authentication for wireless network services. There has been no existing authentication method that can achieve security, efficiency, scalability and flexibility. A new authentication model for wireless network services has then been proposed to tackle the problems. The authentication is made real by an authentication realization using dynamic key cryptography and hybrid group key management. The group and individual authentication are performed via two different authentication protocols. We have demonstrated and proved that the authentication realization can achieve security, efficiency, flexibility and scalability characteristics.

This research has opened up avenues for further works to secure wireless network services to prevent unauthorized access. In future work, the authentication

93


is aimed to integrate with a new access control model to achieve security and efficiency in protecting illegitimate access services. 7. References [1]. K. Bennett, P. Layzel, D. Budgen, P. Brereton, L.

Macaulay, and M. Munro, “Service-Based Software: The Future for Flexible Software,” Proceeding of the Seventh Asia-Pacific Software Engineering Conference, 2000, pp. 214-221.

[2]. H.-K. Oh, and S.-H. Jin, “The Security Limitations of SSO in OpenID,” Proceeding of the 10th International Conference on Advanced Communication Technology, ICACT 2008, 2008, pp. 1608-1611.

[3]. B.C. Neuman, and T. Ts'o, “Kerberos: An Authentication Service for Computer Networks,” IEEE Communications, vol. 32, no. 9, 1994, pp. 33-38.

[4]. A.A. Pirzada, and C. McDonald, “Kerberos Assisted Authentication in Mobile Ad-hoc Networks,” Proceedings of the 27th Australasian Computer Science Conference, 2000, pp. 41-46.

[5]. H.-Y. Chien, and J.-K. Jan, “A hybrid authentication protocol for large mobile network,” Journal of Systems and Software, vol. 67, no. 2, 2003, pp. 123-130.

[6]. Q. Tang, and C.J. Mitchell, “Cryptanalysis of a hybrid authentication protocol for large mobile networks,” Journal of Systems and Software, vol. 79, no. 4, 2006, pp. 496-501.

[7]. L.A. Martucci, T.C.M.B. Carvalho, and W.V. Ruggiero, “A Lightweight Distributed Group Authentication Mechanism,” Proceeding of the Fourth International Network Conference INC2004, 2004, pp. 393-400.

[8]. A. Zwierko, and Z. Kotulski, “A new protocol for group authentication providing partial anonymity,” Proceeding of the Next Generation Internet Networks, 2005, pp. 356-363.

[9]. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman, “Role-Based Access Control Models,” IEEE Computer, vol. 29, no. 2, 1996, pp. 38-47.

[10]. H.H. Ngo, a.X. Wu, P.D. Le, and C. Wilson, “Package-Role Based Authorization Control Model for Wireless Network Services,” Proceeding of the International Conference on Availability, Reliability and Security, ARES 2009, 2009, pp. 475-480.

[11]. C. Shannon, “Communication Theory of Secrecy Systems,” Bell System Technical Journal, vol. 28, no. 4, 1949, pp. 656–715.

[12]. H.H. Ngo, X. Wu, P.D. Le, and B. Srinivasan, “Dynamic Key Cryptography and Applications,” International Journal of Network Security, vol. 10, no. 3, 2010, pp. 161-174.

[13]. Y. Wang, P.D. Le, and B. Srinivasan, “Hybrid Group Key Management Scheme For Secure Wireless Multicast,” Proceeding of the 6th IEEE/ACIS International Conference on Computer and Information Science, 2007, pp. 346-351.

[14]. E.S. Raymond, The Art of UNIX Programming, Addison-Wesley Professional, 2003.

[15]. M. Bugliesi, R. Focardi, M. Maffei, and F. Tudone, “Principles for Entity Authentication,” Proceeding of the 5th International Conference Perspectives of System Informatics, Lecture Notes in Computer Science, Springer Berlin / Heidelberg, 2000, pp. 294-307.

[16]. P. Syverson, and I. Cervesato, “The logic of authentication protocols,” Processing of Foundations of Security Analysis and Design, 2001, pp. 63-136.

[17]. M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Transactions on Computer Systems, vol. 8, no. 1, 1990, pp. 18-36.

94

an individual and group authentication model

Documents