
5.1.4 Key revocation phase

When a certified key pair is found to be compromised, the KDC can revoke it with a certificate revocation list (CRL). The KDC publishes a CRL containing the serial numbers of all the certificates for the revoked key pair. Anyone who wants to verify a self-certificate should check the CRL first. Once the certificates of the compromised key are revoked, the compromised key can no longer be used to gain access to sensor data. More details on certificate revocation and certificate update can be found in [47].

5.2 Security analysis

In this section, we show that our protocol can resist several notorious attacks. In addition, we provide a comparative study with other user authentication protocols.

5.2.1 Petri net model

The Petri net model is illustrated in Figure 5.3. We also construct an attack scenario in Figure 5.4. The definitions of the places and transitions used in this model are listed in Table 5.2 and Table 5.3, respectively. The model is simulated with the Platform Independent Petri net Editor 2 (PIPE2) [1]. The simulation shows that the net for the protocol is bounded, a property that allows it to be realized in hardware [52].

Figure 5.3: A Petri net model of the proposed self-certificate-based user authentication protocol.

5.2.2 Security properties

The security of the proposed protocol is based on the difficulty of the elliptic-curve discrete logarithm problem (ECDLP), which is believed to be unsolvable in polynomial time. Let G1 be a group of the prime order q and P be an arbitrary generator of G1. We view G1 as an additive group.

Now we show that the proposed protocol can resist replay attacks, forgery attacks, and node-capture attacks, and that it provides mutual authentication.

Figure 5.4: A Petri net model of the proposed self-certificate-based user authentication protocol under an attack scenario.

Theorem 1. The proposed protocol can resist a replay attack.

Proof. Assume an adversary A eavesdrops on the messages {CIi, Qi, Ri, Self-Certi} and {v} sent by Ui and replays them to log in to the system in a later session.

Upon receiving the replayed message, sensor node j first verifies Qi and Self-Certi, and then chooses a random nonce mj. Next, j computes MACKj,i(mj) and sends {CIj, Qj, Rj, Self-Certj, MACKj,i(mj)} back to A. After receiving the message, A has to compute v = m'1 || · · · || m'n and broadcast {v} back to the WSNs. However, A cannot just replay the message {v} directly, since the random nonce mj embedded in MACKj,i(mj) is different from the mj of this session. As shown in Figure 5.3, computing mj is defined in transition T10, which has two input places, P25 and P29. Place P25 is the value of MACKj,i(mj) and place P29 is the value of Ki,j.

In Figure 5.4, when the adversary replays Ui's login message (P34), the firing sequence is T14 → T2 → T3 → T4 → T5 → T6 → T15 → T16. However, there is a deadlock at transition T13, since the random nonce mj embedded in MACKj,i(mj) is different from the mj of this session. Having no knowledge of Ki,j, the adversary cannot correctly respond to the challenge mj and therefore cannot launch a replay attack. □

Table 5.2: Definitions of places

Place  Definition                     Place  Definition
P11    Success verification message   P27    Success verification message
P12    Sj                             P28    Si
P13    Kj,i                           P29    Ki,j
P14    mj                             P30    m'j
P15    MACKj,i(mj)                    P31    v = m'1 || · · · || m'n
P16    CIj                            P32    Packet {v}
P17    Qj                             P33    Success verification message

Theorem 2. The proposed protocol can resist a forgery attack.

Proof. Assume an attacker A impersonates user i by submitting {CIi, Qi, Ri, Self-Certi} obtained in a previous session. Upon receiving the message, sensor node j first performs the authentication operations. Then j sends {CIj, Qj, Rj, Self-Certj, MACKj,i(mj)} back to A. However, A cannot decrypt MACKj,i(mj) since he does not have user i's private key, which is needed for computing the pair-wise key Ki,j. As shown in Figure 5.3, computing the pair-wise key Ki,j is

value of Si. If A could compute Ui's private key somehow, he would have broken the elliptic-curve discrete logarithm problem (ECDLP) as defined in Definition 3.

The discrete logarithm problem can be reduced to the problem of computing the private key Si from the public key Qi = Si · P. In addition, even if the adversary obtains multiple pair-wise keys Ki,j, it is intractable to compute Si due to the hardness of the ECDLP. Thus, we claim that computing the private key from the public key and the pair-wise key is at least as difficult as the elliptic-curve discrete logarithm problem. As a result, our protocol is secure against forgery attacks. □

Table 5.3: Definitions of transitions

Trans.  Definition                          Trans.  Definition
T1      Transmit {CIi, Qi, Ri, Self-Certi}  T7      Split the packet
                                            T8      Verify Qj and Self-Certj

Theorem 3. The proposed protocol can resist a node-capture attack.

Proof. It is assumed that t < n/2, i.e. the majority of sensors are honest. Due to the voting stage in the login-and-authentication phase, if a sensor node can collect at least (n − t) yes votes, it believes the user is legitimate. Hence, our protocol can tolerate up to t captured nodes. □

Theorem 4. The proposed protocol can provide mutual authentication.

Proof. The security of the pair-wise key is based on the difficulty of the ECDLP, which is believed to be unsolvable in polynomial time. Using equation (5.6), the pair-wise key between Ui and sensor node j is established as follows:

Ki,j = Si · Qj = Si · Sj · P = Qi · Sj = Kj,i    (5.11)

As shown in Figure 5.3, computing a pair-wise key is defined in transition T4 and transition T9. Therefore, Ui and sensor node j can use the pair-wise key Ki,j in subsequent communications. □
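Equation (5.11) and the challenge-response of Theorems 1 and 2, worked through in an added example that is not code from the dissertation. It uses a toy curve over F_23 with constructed, insecure parameters, derives the symmetric key by hashing the shared point, and models MACKj,i(mj) as encrypt-then-MAC of the nonce so that only a holder of the pair-wise key can recover m'j; these choices, and n = 1 so that v = m'j, are assumptions of this example.

```python
import hashlib
import hmac
import os

# Toy curve y^2 = x^3 + A*x + B over F_P with constructed, insecure parameters;
# it only illustrates the algebra of eq. (5.11), not a deployable curve.
P_MOD, A, B = 23, 1, 1
GEN = (0, 1)  # a curve point standing in for the generator P of G1

def inv(x):
    return pow(x % P_MOD, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    acc = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def keypair(s):
    """Private scalar S and public point Q = S * P (the page's notation)."""
    return s, mul(s, GEN)

def pairwise_key(s_self, q_other):
    """K_{i,j} = S_i * Q_j; the peer computes K_{j,i} = S_j * Q_i, and both
    are the same point (eq. 5.11). Hashing it to 32 bytes is an assumption."""
    pt = mul(s_self, q_other)
    return hashlib.sha256(f"{pt[0]},{pt[1]}".encode()).digest()

def wrap_nonce(key, m):
    """Sensor side: the page's MAC_{K_{j,i}}(m_j), modelled here as
    encrypt-then-MAC of the nonce so that only a holder of K can decrypt."""
    ks = hmac.new(key, b"keystream", hashlib.sha256).digest()[: len(m)]
    c = bytes(a ^ b for a, b in zip(m, ks))
    return c + hmac.new(key, c, hashlib.sha256).digest()

def unwrap_nonce(key, token):
    """User side: recover m'_j, or None when the tag does not verify."""
    c, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, c, hashlib.sha256).digest()):
        return None
    ks = hmac.new(key, b"keystream", hashlib.sha256).digest()[: len(c)]
    return bytes(a ^ b for a, b in zip(c, ks))

def login_session(s_user, q_user, s_node, q_node, replayed_v=None):
    """One login with a single sensor (n = 1, so v = m'_j). The node issues a
    fresh nonce and the user answers with v. With replayed_v, an adversary
    submits {v} captured in an earlier session instead (Theorem 1)."""
    m_j = os.urandom(16)
    token = wrap_nonce(pairwise_key(s_node, q_user), m_j)        # under K_{j,i}
    m_prime = unwrap_nonce(pairwise_key(s_user, q_node), token)  # under K_{i,j}
    v = replayed_v if replayed_v is not None else m_prime
    return v == m_j, v  # the node's verdict and the {v} that was broadcast
```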

5.2.3 Functionality

We summarize the functionality of our proposed protocol in this subsection.

The crucial requirements for a user authentication protocol are listed below:

C1. (t, n)-threshold authentication: A protocol can deal with authenticated queries involving multiple sensor nodes and still works well even if the adversary captures t nodes out of n nodes in the WSNs.

C2. Mutual authentication: A user and a sensor node can authenticate each other.

C3. Key agreement: After successful authentication, a user and a sensor node mutually agree upon pair-wise keys.

C4. User-controlled key change: A user can change his key pair without interaction with a key distribution center.

C5. Key revokability: An issued key pair can be revoked, say, when it is found compromised.

We summarize the functionality of related authentication protocols in Table 5.4.

Table 5.4: Comparison of user authentication protocols for WSNs

Protocol                          C1   C2   C3   C4   C5
Our proposed protocol             Yes  Yes  Yes  Yes  Yes
Benenson et al.'s protocol [9]    No   No   No   No   No
Benenson et al.'s protocol [8]    Yes  No   No   No   No
Banerjee et al.'s protocol [6]    Yes  No   No   No   No
Wang et al.'s protocol [60]       Yes  No   Yes  No   No
Jiang et al.'s protocol [24]      Yes  Yes  Yes  No   No
Wong et al.'s protocol [63]       No   No   No   No   No
Tseng et al.'s protocol [58]      No   No   No   No   No
Yu et al.'s protocol [67]         No   No   No   No   No

C1: (t, n)-threshold authentication; C2: mutual authentication; C3: key agreement; C4: user-controlled key change; C5: key revokability.

5.3 Efficiency analysis

Now we examine the performance of our proposed protocol. We use the computational and communication overhead as the metrics to evaluate the performance of the proposed protocol. Due to the similarity of network scenarios, we compare our proposed protocol with Jiang et al.'s protocol [24]; the comparison is presented in Table 5.5 and Table 5.6. We only compare the computational overhead in two phases (pre-deployment and login-and-authentication) since Jiang et al.'s protocol does not include the user-controlled key change and key revocation phases. As illustrated in Table 5.5, the computational overhead of Jiang et al.'s protocol and of our protocol in the pre-deployment phase is very similar. The only difference is that each entity needs to generate a self-certificate in our protocol.

As shown in Table 5.6, one certificate verification is required for each sensor node during the login-and-authentication phase in our protocol. If a user generates a new key, it takes one more hash operation and two more point multiplications for each sensor node in order to verify the new key. Hence, compared with Jiang et al.'s protocol, our protocol provides various functionalities at the cost of one certificate verification for each sensor node.

Table 5.5: Performance comparison in the pre-deployment phase

                            Jiang et al.'s protocol    Our protocol
Computational type          KDC     Each entity        KDC     Each entity
Random number generation    3       0                  3       0
Hash operation              1       0                  1       0
Point multiplication        3       0                  3       0
Certificate generation      -       -                  0       1

Certificate generation: Jiang et al.'s protocol [24] provides no certificate generation.

The communication overhead is measured in terms of the following three aspects: the overhead incurred by broadcasting the messages from a user to sensors within his transmission range, the overhead incurred by delivering a response from a sensor to a user, and the overhead incurred by transmitting yes votes between sensors. In our analysis, we assume a key length of 160 bits in the ECC cryptosystem. As stated in Section 5.1.2, the user broadcasts {CIi, Qi, Ri, Self-Certi} in step 1 and {v} in step 5. The length of the certificate information CIi is 184 bytes, as shown in Figure 5.5. Qi and Ri each cost 40 bytes. Assume the Self-Certi is constructed with the elliptic-curve digital signature algorithm (ECDSA) [3, 4]; the length of the Self-Certi is then 40 bytes. Thus, the communication overhead incurred by broadcasting the messages from a user to sensors is (304 + |v|) bytes.

As stated in Section 5.1.2, when a sensor transmits {CIj, Qj, Rj, Self-Certj, MACKj,i(mj)} to a user in step 3, as shown in Figure 5.6, it will cost each sensor 324 bytes. Upon correctly verifying the user, the sensor broadcasts a yes vote to other nodes, which costs (n − 1) × |yes vote| bytes. Note that the sensor nodes could use the pair-wise keys to encrypt the votes and related information to avoid the bogus-vote problem. The total communication overhead is listed in Table 5.7.

Table 5.6: Performance comparison in the login-and-authentication phase

                              Jiang et al.'s protocol    Our protocol
Computational type            Each node  Each user       Each node   Each user
Random number generation      1          0               1           0
Hash operation                1          n               1 (2)**     n
Symmetric encryption          1          0               1 (n)***    0
Symmetric decryption          0          n               0 (n)***    n
Point multiplication          2          2n              2 (4)**     2n
Certificate verification****  -          -               1           n

n: Assume there are n sensors in the communication range of the user.

(2)**: If a changed key is used, it takes one more hash operation and two more point multiplications for each sensor node.

(n)***: To deal with the bogus-vote problem, the sensor nodes could use the pair-wise keys to encrypt and decrypt the votes and related information.

Certificate verification****: Jiang et al.'s protocol [24] does not include certificate verification.

Figure 5.5: Broadcasting message format from a user to sensors in the login-and-authentication phase.

Fields:   CIi (carries CertNo)   Qi         Ri         Self-Certi
Lengths:  184 bytes              40 bytes   40 bytes   40 bytes

Figure 5.6: Transmitting message format from a sensor to a user in the login-and-authentication phase.

Fields:   CIj (carries CertNo)   Qj         Rj         Self-Certj
Lengths:  184 bytes              40 bytes   40 bytes   40 bytes

Table 5.7: Communication overhead in the login-and-authentication phase

                         Each user           Each sensor
Communication overhead   (304 + |v|) bytes   (324 + (n − 1)** × |yes vote|) bytes

|v|: |v| denotes the length of the challenge response sent from a user to sensors.

(n − 1)**: Assume there are (n − 1) sensors in the communication range of the sensor.
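The fixed-length layouts of Figures 5.5 and 5.6 and the overhead formulas of Table 5.7, as an added example rather than the dissertation's own code: a packer and parser that reject malformed lengths (struct would otherwise pad or truncate silently), plus the two overhead formulas. The 20-byte size of the MAC field is inferred from the 324-byte total and is an assumption of this example.

```python
import struct

# Field lengths from Figures 5.5 and 5.6 (160-bit ECC: a point costs 40 bytes).
CI_LEN, POINT_LEN, CERT_LEN = 184, 40, 40
# The sensor reply totals 324 bytes, so MAC_{K_{j,i}}(m_j) occupies the
# remaining 20 bytes (inferred from the text; an assumption of this example).
MAC_LEN = 324 - (CI_LEN + 2 * POINT_LEN + CERT_LEN)

USER_FMT = struct.Struct(f">{CI_LEN}s{POINT_LEN}s{POINT_LEN}s{CERT_LEN}s")
NODE_FMT = struct.Struct(
    f">{CI_LEN}s{POINT_LEN}s{POINT_LEN}s{CERT_LEN}s{MAC_LEN}s")

def pack_user_msg(ci, q, r, cert):
    """Step-1 broadcast {CI_i, Q_i, R_i, Self-Cert_i}. Each field must have
    exactly its Figure 5.5 length; struct's 's' would otherwise pad/truncate."""
    for field, want in ((ci, CI_LEN), (q, POINT_LEN), (r, POINT_LEN), (cert, CERT_LEN)):
        if len(field) != want:
            raise ValueError(f"field of {len(field)} bytes, expected {want}")
    return USER_FMT.pack(ci, q, r, cert)

def parse_node_msg(buf):
    """Step-3 reply {CI_j, Q_j, R_j, Self-Cert_j, MAC_{K_{j,i}}(m_j)}.
    Anything that is not exactly 324 bytes is dropped (returns None)."""
    if len(buf) != NODE_FMT.size:
        return None
    ci, q, r, cert, mac = NODE_FMT.unpack(buf)
    return {"ci": ci, "q": q, "r": r, "cert": cert, "mac": mac}

def user_overhead(v_len):
    """Table 5.7, user column: (304 + |v|) bytes."""
    return USER_FMT.size + v_len

def sensor_overhead(n, yes_vote_len):
    """Table 5.7, sensor column: 324 + (n - 1) * |yes vote| bytes, where
    n - 1 other sensors in range each receive the yes vote."""
    return NODE_FMT.size + (n - 1) * yes_vote_len
```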

Chapter 6

Conclusion and future works

In this dissertation, we introduced recent developments in the field of wireless security and investigated several user authentication protocols in wireless networks. A detailed explanation of security frameworks and security requirements for authentication was given. We designed several user authentication protocols for wireless networks, including two kinds of password-based user authentication protocols, a biometrics-based user authentication protocol, and a self-certificate-based user authentication protocol.

For password-based user authentication, we proposed two password-based user authentication protocols, namely protocol-I and protocol-II. Protocol-I is a password-based user authentication protocol using LU decomposition and protocol-II is a password-based user authentication protocol for WSNs. For biometrics-based user authentication, we proposed a biometrics-based remote user authentication protocol using smart cards. We also extended the protocol to a multi-party biometrics-based remote user authentication protocol by incorporating a secret sharing component. For self-certificate-based user authentication, we proposed a self-certificate-based user authentication protocol for WSNs, which still works well even if the adversary captures t nodes out of n nodes in the WSNs. Moreover, the security of these proposed protocols was modelled and analyzed with Petri nets.

There are still various uncovered security issues in wireless networks. For example, in vehicular ad hoc networks (VANETs), security is very challenging due to the scale of the network, the speed of the vehicles, their geographic positions, and the very sporadic connectivity between them, especially when it comes to constructing secure inter-vehicle communications (IVC) and roadside-to-vehicle communications (RVC). These issues might be interesting for possible future work.

Bibliography

[1] Platform Independent Petri net Editor 2 (PIPE2), available: http://pipe2.sourceforge.net/index.html.

[2] Government Smart Card Handbook, U. S. General Services Administrator, 2004.

[3] Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA), American National Standards Institute ANSI X9.62, 2005.

[4] Digital Signature Standard (DSS), National Institute of Standards and Technology FIPS PUB 186-3, 2009.

[5] J. Armington, P. Ho, P. Koznek, and R. Martinez. Biometric authentication in infrastructure security. In Proceedings of International Conference on Infrastructure Security (InfraSec 2002), 2002.

[6] S. Banerjee and D. Mukhopadhyay. Symmetric key based authenticated querying in wireless sensor networks. In Proceedings of the First International Conference on Integrated Internet Ad Hoc and Sensor Networks, 2006.

[7] Z. Benenson, F. C. Gärtner, and D. Kesdogan. User authentication in sensor networks (extended abstract). In Proceedings of Informatik 2004 (Workshop on Sensor Networks), 2004.

[8] Z. Benenson, F. C. Gärtner, and D. Kesdogan. An algorithmic framework for robust access control in wireless sensor networks. In Proceedings of the European Workshop on Wireless Sensor Networks (EWSN 2005), 2005.

[9] Z. Benenson, N. Gedicke, and O. Raivio. Realizing robust user authentication in sensor networks. In Workshop on Real-World Wireless Sensor Networks (REALWSN 2005), 2005.

[10] C. C. Chang and I. C. Lin. Remarks on fingerprint-based remote user authentication scheme using smart cards. ACM SIGOPS Operating Systems Review, 38(4):91–96, 2004.

[11] Y. F. Chang, C. C. Chang, and Y. W. Su. A secure improvement on the user-friendly remote authentication scheme with no time concurrency mechanism. In Proceedings of the IEEE International Conference on Advanced Information Networking and Applications (AINA 2006), volume 2, 2006.

[12] H. Y. Chien and C. C. Chen. A remote authentication scheme preserving user anonymity. In Proceedings of the IEEE International Conference on Advanced Information Networking and Applications (AINA 2005), 2005.

[13] H. Y. Chien, J. K. Jan, and Y. M. Tseng. An efficient and practical solution to remote authentication: smart card. Computers and Security, 21(4):372–375, 2002.

[14] S. J. Choi and H. Y. Youn. A novel data encryption and distribution approach for high security and availability using LU decomposition. In Proceedings of the International Conference on Computational Science and Its Applications (ICCSA 2004), 2004.

[15] M. L. Das, A. Saxena, and V. P. Gulati. A dynamic ID-based remote user authentication scheme. IEEE Transactions on Consumer Electronics, 50(2):629–631, 2004.

[16] Y. Dodis, R. Ostrovsky, L. Reyzin, and A. Smith. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In Proceedings of Advances in Cryptology - Eurocrypt 2004, 2004.

[17] C. I. Fan and Y. H. Lin. Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Transactions on Information Forensics and Security, 4(4):933–945, 2009.

[18] Y. H. Gil, D. S. Moon, S. B. Pan, and Y. W. Chung. Fingerprint verification system involving smart card. In Proceedings of International Conference on Information Security and Cryptology (ICISC 2002), 2002.

[19] H. I. Hsiao and D. J. DeWitt. A performance study of three high availability data replication strategies. In Proceedings of the First International Conference on Parallel and Distributed Information Systems (ICPDIS), 1991.

[20] B. T. Hsieh, H. T. Yeh, and H. M. Sun. Cryptanalysis of a fingerprint-based remote user authentication scheme using smart cards. In Proceedings of the IEEE International Carnahan Conference on Security Technology, 2003.

[21] C. L. Hsu. Security of Chien et al.'s remote user authentication scheme using smart cards. Computer Standards and Interfaces, 26(3):167–169, 2004.

[22] C. L. Hsu. A user friendly remote authentication scheme with smart cards against impersonation attacks. Applied Mathematics and Computation, 170(1):135–143, 2005.

[23] L. Hu, Y. Yang, and X. Niu. Improved remote user authentication scheme preserving user anonymity. In Proceedings of the IEEE International Conference on Communication Networks and Services Research (CNSR 2007), 2007.

[24] C. Jiang, B. Li, and H. Xu. An efficient scheme for user authentication in wireless sensor networks. In Proceedings of the IEEE International Conference on Advanced Information Networking and Applications Workshops (AINAW 2007), 2007.

[25] W. S. Juang. Efficient password authenticated key agreement using smart cards. Computers and Security, 23(2):167–173, 2004.

[26] M. K. Khan and J. Zhang. Improving the security of a flexible biometrics remote user authentication scheme. Computer Standards and Interfaces, 29(1):82–85, 2007.

[27] M. K. Khan, J. Zhang, and X. Wang. Chaotic hash-based fingerprint biometric remote user authentication scheme on mobile devices. Chaos, Solitons and Fractals, 35(3):519–524, 2008.

[28] H. S. Kim, S. W. Lee, and K. Y. Yoo. ID-based password authentication scheme using smart cards and fingerprints. ACM SIGOPS Operating Systems Review, 37(4):32–41, 2003.

[29] K. W. Kim, J. C. Jeon, and K. Y. Yoo. Efficient and secure password authentication schemes for low-power devices. In Proceedings of International Conference on Mobile Ad-hoc and Sensor Networks (MSN 2005), 2005.

[30] N. Koblitz, A. Menezes, and S. Vanstone. The state of elliptic curve cryptography. Designs, Codes and Cryptography, 19(2-3):173–193, 2000.

[31] W. C. Ku, S. T. Chang, H. H. Chen, and M. J. Tsaur. Weakness and simple improvement of a password authentication scheme based on geometric approach. In Proceedings of the IEEE Conference on Local Computer Networks (LCN 2005), 2005.

[32] W. C. Ku, H. M. Chuang, and M. J. Tsaur. Vulnerabilities of Wu-Chieu's improved password authentication scheme using smart cards. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, E88-A(11):3241–3243, 2005.

[33] L. Lamport. Password authentication with insecure communication. Communications of the ACM, 24(11):770–772, 1981.

[34] K. Lauter. The advantages of elliptic curve cryptography for wireless security. IEEE Wireless Communications, 11(1):62–67, 2004.

[35] B. Lee and K. Kim. Self-certificate: PKI using self-certified key. In Proceedings of the Conference on Information Security and Cryptology (CISC 2000), 2000.

[36] J. K. Lee, S. R. Ryu, and K. Y. Yoo. Fingerprint-based remote user authentication scheme using smart cards. Electronics Letters, 38(12):554–555, 2002.

[37] S. W. Lee, H. S. Kim, and K. Y. Yoo. Efficient password authenticated key agreement using smart cards. Computer Standards and Interfaces, 27(2):181–183, 2005.

[38] Y. Lee, J. Nam, S. Kim, and D. Won. Two efficient and secure authentication schemes using smart cards. In Proceedings of International Conference on Computational Science and its Applications (ICCSA 2006), 2006.

[39] H. T. Liaw, J. F. Lin, and W. C. Wu. An efficient and complete remote user authentication scheme using smart card. Mathematical and Computer Modelling, 44(1-2):223–228, 2006.

[40] C. H. Lin and Y. Y. Lai. A flexible biometrics remote user authentication scheme. Computer Standards and Interfaces, 27(1):19–23, 2004.

[41] D. D. E. Long. A technique for managing mirrored disks. In Proceedings of the IEEE International Conference on Performance, Computing, and Communications, 2001.

[42] D. J. Malan, M. Welsh, and M. D. Smith. A public-key infrastructure for key distribution in TinyOS based on elliptic curve cryptography. In Proceedings of the IEEE International Conference on Sensor and Ad Hoc Communications and Networks (SECON 2004), 2004.

[43] A. J. Menezes, P. C. Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC Press, Boca Raton, Florida, 1997.

[44] J. Menon, J. Riegel, and J. Wyllie. Algorithms for software and low-cost hardware RAIDs. In Proceedings of the 40th IEEE Computer Society International Conference (COMPCON), 1995.

[45] C. J. Mitchell and Q. Tang. Security of the Lin-Lai smart card based user authentication scheme. Technical report, Royal Holloway, University of London, 2005.

[46] T. Murata. Petri nets: Properties, analysis and applications. Proceedings of the IEEE, 77(4):541–580, 1989.

[47] M. Naor and K. Nissim. Certificate revocation and certificate update. IEEE Journal on Selected Areas in Communications, 18(4):561–570, 2000.

[48] A. K. Pathan and C. S. Hong. An efficient bilateral remote user authentication scheme with smart cards. In Proceedings of the 33rd Korea Information Science Society Fall Conference, 2006.

[49] A. K. Pathan, C. S. Hong, and T. Suda. A novel and efficient bilateral remote user authentication scheme using smart cards. In Proceedings of the IEEE International Conference on Consumer Electronics (ICCE 2007), 2007.

[50] A. Perrig, R. Szewczyk, V. Wen, D. Culler, and J. D. Tygar. SPINS: Security protocols for sensor networks. In Proceedings of International Conference on Mobile Computing and Networking (Mobicom), 2001.

[51] H. Petersen and P. Horster. Self-certified keys - concepts and applications. In Proceedings of the 3rd Conference on Communications and Multimedia Security, 1997.

[52] J. L. Peterson. Petri net theory and the modeling of systems. Prentice-Hall, Englewood Cliffs, New Jersey, 1981.

[53] C. A. Petri. Kommunikation mit automaten. PhD thesis, University of Bonn, 1962.

[54] L. Rila and C. J. Mitchell. Security protocols for biometrics-based cardholder authentication in smartcards. In Proceedings of Applied Cryptography and Network Security (ACNS 2003), 2003.

[55] B. Schneier. Applied cryptography. John Wiley & Sons Inc. Publication, New York, 1996.

[56] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.

[57] H. M. Sun. An efficient remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, 46(4):958–961, 2000.

[58] H. R. Tseng, R. H. Jan, and W. Yang. An improved dynamic user authentication scheme for wireless sensor networks. In Proceedings of the IEEE Global Communications Conference (GLOBECOM 2007), 2007.

[59] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain. Biometric cryptosystems: Issues and challenges. Proceedings of the IEEE, 92(6):948–960, 2004.
