
Chapter 1 Introduction

1.3 Synopsis

The remainder of this thesis is organized as follows. Chapter 2 briefly introduces background technologies and related work. Chapter 3 presents the proposed mechanism, including the system architecture and message flows. We analyze the security and signaling overhead of the proposed mechanism in chapter 4. Finally, we conclude the thesis and introduce our future work in chapter 5.

Chapter 2

Background and Related Work

This chapter presents some popular AKA mechanisms for the fabulous 3G networks. After a brief introduction to the basic system architecture, both the pros and cons are analyzed and discussed as the related work.

2.1 UMTS AKA

[Figure: message sequence among MS, SN and HN. 2. ID Response; 3. Auth. Data Request; HN generates authentication vectors AV(1...n); 4. Auth. Data Response (AV); SN stores AV and selects AV(i); 5. User Auth. Request (RAND(i)||AUTN(i)); MS verifies AUTN(i) and computes RES(i); 6. User Auth. Response (RES(i)); SN compares RES(i) and XRES(i); 7. Auth. result; MS computes CK(i) and IK(i), SN selects CK(i) and IK(i).]

Figure 2-1 An overview of UMTS AKA mechanism

The AKA procedure is applied in widely divergent forms in many kinds of networks because of its convenience and simple principle. Take UMTS AKA [14] for example. Figure 2-1 shows the overview of the UMTS AKA protocol. The entire UMTS AKA mechanism can be divided into two procedures: I. Authentication Data Distribution and II. User Authentication and Key Agreement. The first procedure is for HN to distribute the requested authentication data to the proper SN, which provides Internet access for the roaming MS. The second procedure is to establish a new pair of reliable session keys between MS and SN. This process is illustrated in the 7 major steps below:

1: ID Request: When MS issues an access request, the Serving Network (SN) initiates the authentication procedure by sending a request to MS asking for MS’s identity.

2: ID Response: The International Mobile Subscriber Identity (IMSI) of MS is sent from MS to SN so that SN can identify MS and forward the authentication request to the HN of MS.

[Figure: HN generates SQN and RAND, then computes
AUTN = SQN ⊕ AK || AMF || MAC
AV = RAND || XRES || CK || IK || AUTN]

Figure 2-2 Operation in HN in UMTS AKA

3: Authentication Data Request: The purpose of this step is for SN to request Authentication Vectors (AV(i…n)) from the Home Network (HN). The ordered list of n authentication vectors based on the sequence number (SQN) may be pre-computed or computed on demand and sent from HN to SN. The operation of generating each attribute in AV is shown in Figure 2-2. A cipher key K for MS and a random number RAND are the common parameters used as input, in addition to the Authentication Management Field (AMF) and the Sequence Number (SQN), to generate AV(i) comprising MAC (Message Authentication Code), XRES (eXpected Response), CK, IK, AK (Anonymity Key) and AUTN (Network Authentication Token).

4: Authentication Data Response: After generating the AV for the specific MS, HN sends it to SN so that SN is authorized to authenticate MS with the temporary authentication data.

5: User Auth. Request: After generating the AV for the specific MS, HN sends it to SN so that SN is authorized to authenticate MS with the temporary authentication data. Upon receiving the message from HN, SN selects the next unused Authentication Vector from the ordered array and then sends both the RAND(i) and AUTN(i) of the i-th selected vector to MS so that MS can verify the correctness of SQN and compute the corresponding response RES(i).

[Figure: MS applies f1, f2, f3 and f4, verifies MAC = XMAC, and verifies that SQN is in the correct range.]

Figure 2-3 Operation in MS in UMTS AKA mechanism

6: User Auth. Response: MS first verifies the correctness of SQN by computing an XMAC and comparing it with the MAC in AUTN(i). If the SQN is correct, MS then computes the corresponding response RES(i) and sends it back to SN in the response message. The operation in MS is illustrated in Figure 2-3.

7: Auth. Result: Once RES(i) is sent to SN and verified as correct, SN chooses the corresponding CK/IK as the session key for the following connection. While waiting for the authentication result, MS computes the CK/IK in advance, for use until a new authentication procedure is requested or the connection is closed.
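The HN and MS operations of Figures 2-2 and 2-3, as an added example that is not part of the thesis: HMAC-SHA256 stands in for the operator functions f1 to f5 (f5 is the 3GPP name for the function that produces AK), and the field sizes, AMF value, acceptance window and all function names are assumptions. It shows the MS accepting a fresh vector, then rejecting the same RAND||AUTN sent again and an AUTN with a modified MAC.

```python
import hashlib, hmac, os

AMF = b"\x80\x00"  # constructed 16-bit Authentication Management Field

def prf(label, k, data, n):
    """Stand-in for f1..f5 (assumption): HMAC-SHA256 truncated to n bytes."""
    return hmac.new(k, label + data, hashlib.sha256).digest()[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hn_generate_av(k, sqn):
    """HN (Figure 2-2): AV = RAND || XRES || CK || IK || AUTN."""
    rand, sqn_b = os.urandom(16), sqn.to_bytes(6, "big")
    mac = prf(b"f1", k, sqn_b + rand + AMF, 8)
    ak = prf(b"f5", k, rand, 6)  # anonymity key conceals SQN in transit
    return {"RAND": rand, "XRES": prf(b"f2", k, rand, 8),
            "CK": prf(b"f3", k, rand, 16), "IK": prf(b"f4", k, rand, 16),
            "AUTN": xor(sqn_b, ak) + AMF + mac}  # SQN xor AK || AMF || MAC

def ms_respond(k, sqn_ms, rand, autn, window=32):
    """MS (Figure 2-3): check MAC = XMAC and the SQN range, then compute RES."""
    ak = prf(b"f5", k, rand, 6)
    sqn_b, amf, mac = xor(autn[:6], ak), autn[6:8], autn[8:]
    if not hmac.compare_digest(mac, prf(b"f1", k, sqn_b + rand + amf, 8)):
        raise ValueError("MAC != XMAC")
    sqn = int.from_bytes(sqn_b, "big")
    if not sqn_ms < sqn <= sqn_ms + window:  # window size is an assumption
        raise ValueError("SQN out of range")
    return prf(b"f2", k, rand, 8), prf(b"f3", k, rand, 16), prf(b"f4", k, rand, 16), sqn

def attempt(k, sqn_ms, rand, autn):
    """Return 'accepted' or the reason the MS rejected the challenge."""
    try:
        ms_respond(k, sqn_ms, rand, autn)
        return "accepted"
    except ValueError as e:
        return str(e)

def demo():
    k = os.urandom(16)  # long-term key shared by MS and HN
    avs = [hn_generate_av(k, sqn) for sqn in (1, 2, 3)]  # steps 3-4
    av = avs[0]  # step 5: SN selects the next unused vector
    res, ck, ik, sqn_ms = ms_respond(k, 0, av["RAND"], av["AUTN"])  # step 6
    tampered = av["AUTN"][:-1] + bytes([av["AUTN"][-1] ^ 1])
    return {
        "res_ok": hmac.compare_digest(res, av["XRES"]),  # step 7 at SN
        "keys_match": (ck, ik) == (av["CK"], av["IK"]),
        "replayed": attempt(k, sqn_ms, av["RAND"], av["AUTN"]),
        "tampered": attempt(k, 0, av["RAND"], tampered),
        "next": attempt(k, sqn_ms, avs[1]["RAND"], avs[1]["AUTN"]),
    }

if __name__ == "__main__":
    print(demo())
```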

2.2 UMTS X-AKA

To reduce the traffic between SN and HN, Chung-Ming Huang and Jian-Wei Li proposed another AKA protocol called UMTS X-AKA [4]. Figure 1-1 illustrates the detailed steps of X-AKA. The concept of UMTS X-AKA is to realize local authentication by means of a transient key TK generated by HN and stored in SN. UMTS X-AKA can be decomposed into two major procedures: (1) Registration & Distribution of Authentication Vectors, and (2) Authentication & Key Agreement (for the j-th round).

[Figure: message sequence among MS, SN and HN. (1) Registration & ...: generate RANDS & AUTHS; verify AUTHS; generate RAND & TK & authentication info AUTHH; store TK & AUTHH; compute CK(RANDS) & IK(RANDS).]

Figure 2-4 An overview of UMTS X-AKA mechanism

The UMTS AKA provides mutual authentication and assures the freshness of the agreed session key. Compared with GSM AKA, the UMTS AKA is proven to be relatively secure [12] against not only the replay attack caused by limited authentication data but also the false base station attack caused by unidirectional authentication. However, the UMTS AKA has three known flaws: (1) bandwidth consumption between HN and SN, (2) storage space in SN for spare authentication vectors, and (3) sequence number synchronization. (1) and (2) are solved in UMTS X-AKA. However, synchronization still costs extra messages in UMTS X-AKA.

However, most of the conventional AKA mechanisms are designed for a single Mobile Station. When multiple MSs communicate and move as a group in a wireless network, the current AKA mechanisms suffer from the same issue: SN has to send multiple Authentication Data Request messages for the different MSs to the same HN and receive the response messages with Authentication Data, since the MSs in the same group belong to the same HN. Based on the group concept, we propose a sharing group authentication key-based Authentication and Key Agreement mechanism to reduce the signaling overhead between SN and HN. With this group authentication procedure, not only is the bandwidth between SN and HN saved but key pre-distribution is also achieved for group members.

the next chapter.

Chapter 3

Group Authentication Key-based AKA

The aforementioned authentication and key agreement protocols are widely implemented; however, the complexity and costs are relatively high when bursts of authentication messages arrive for group communications. In this paper, we propose an adaptive authentication protocol based on a group authentication key to lessen the complexity and latency caused by group authentication. The idea of grouping mobile stations is based on clustering: people living in the same community, working in the same company, studying on the same campus, or even casually being on the same bus tend to move from one place to another together. When a group of mobile users migrates simultaneously, the first member who hands off may provide not only a personal identity but also sometimes a group identity to the serving network. In our approach, however, the mobile station provides only its individual identity. The serving network may first check whether this MS belongs to any active group of which some member has already finished its authentication procedure, making the group authentication data available in the database of the serving network for the remaining members of the same group. Assume that MS1 is the first member who performs the authentication procedure at handoff; SN may obtain authentication data for both the MS and its group from their home network. Instead of generating and distributing individual authentication data for each mobile station, our scheme produces authentication data for groups of users so that mobile stations in the same group share the same batch of authentication data, including the group transient authentication key and the information in the group list. By reducing redundant messages, such as the Authentication Data Requests sent on behalf of different MSs in the same group to the same home network, the system may avoid significant latency and a bottleneck between the serving network and the home network.

The proposed protocol can be divided into three main procedures: 1. Setup Procedure, 2. Authentication Data Distribution, 3. Mutual Authentication and Key Agreement. We describe the details of each step starting from section 3.2.

3.1 Architecture

The basic architecture is shown in Figure 3-1, where Figure 3-1(a) shows how the traditional AKA protocols work with a roaming MS group and Figure 3-1(b) shows the proposed GK-AKA.

The HN represents the Authentication Server (AS) or the Authentication Center (AuC), which controls and manages all the authentication data for MS. The SN represents the authenticator in various wireless networks, such as an Access Point in an 802.11 network or the Serving Network in a cellular network. Without loss of generality, the roaming group is called G1 with group identity IDM1. The roaming MSs are numbered in sequence: MSM1-1 is the first member who performs the authentication procedure, and the following members sending authentication requests are MSM1-2, MSM1-3, and MSM1-4.

Figure 3-1 System Architecture for roaming MS group: (a) the traditional AKA; (b) the proposed GK-AKA

3.2 Setup Procedure

Unlike conventional AKA protocols, which generate different authentication data for each individual MS, our proposed mechanism provides group authentication data for a set of mobile stations. Thus, before the AKA mechanism starts, the HN generates the group authentication data and distributes the necessary part to the mobile stations in the same group. Group authentication data includes 1) Group Information and 2) Message Authentication Code (MAC) Algorithms. The Group Information consists of the Group Authentication Key (GAK), shared by HN and the group members, and the Index Table, stored only in HN and shown in Table I. After this step, HN holds the GAK and the Index Table, while each MS holds the GAK, the Group ID, its individual member ID and Initial Value, and is unaware of other MSs’ personal information.

3.2.1 Group Authentication Key (GAK)

[Figure: a single GAK shared by HN and the group members MSM1-1, MSM1-2, MSM1-3 and MSM1-4.]

Figure 3-2 Group Authentication Key

In most networks, a Group Key is introduced for encryption. Each member in the trust group owns an individual key for end-to-end communication and shares a common group key for group communications. Here we define an entirely different group key called the Group Authentication Key (GAK), which is still shared by all members in the same group, as shown in Figure 3-2, but is used not for encryption but for authentication.

One MS can belong to more than one group and hold multiple GAKs as shown in Figure 3-3.

[Figure: two groups served by HN. G1 shares GAK M1 among MS M1-1, MS M1-2, MS M1-3 and MS M1-4; G2 shares GAK M2 among MS M2-1, MS M2-2 and MS M2-3.]

Figure 3-3 One MS belongs to multiple MS groups

The GAK, as well as the individual authentication key for each MS, may be pre-defined or computed on demand. The generation and distribution of GAK as members join or leave are managed by the Authentication Center (AuC) in the users’ home network; the details are not discussed in this paper and can be found in [10].

3.2.2 Index Table

Table I. Index Table

The major attributes comprise Group Identity (GID), Group Authentication Key (GAK), Member Identities (MS ID), Initial Value (IVi) for each member, and other information.

In this proposed protocol, the initial value IVi has so many digits that each value is unique and distinct from the others, and no member can spy on others’ initial values. Because the value space is practically unlimited, the initial values of members can also be different and unique from group to group. Besides distinguishing members from one another, the initial value IVi also behaves as the sequence number does in UMTS AKA, where SQN is responsible for the synchronization between MS and SN in the User Authentication Procedure.

3.2.3 Message Authentication Code (MAC) Algorithms

Cryptographic MAC algorithms produce short pieces of information used to authenticate a message. The inputs of a MAC algorithm consist of a secret key and some information, and the outputs it generates are usually not reversible. The MAC algorithms used in the proposed approach are:

f0: generating MAC for HN to authenticate MS.

f1: generating MAC for MS to authenticate SN.

f2: generating MAC for SN to authenticate MS.

f3: key generation.

3.3 Authentication Data Distribution Procedure

The idea of the proposed protocol relies on the premise that members in the same group tend to migrate together and that the latency arising from the handoff procedure is proportional to the number of drifters. For n mobile stations, conventionally, SN has to send n Authentication Data Request messages separately. We now reduce the redundant messages sent to the same destination on behalf of different members in the same trust group by providing group authentication data, the Group Transient Key (GTK), as a substitute for the original GAK, so that the primitive authentication key is not revealed and the computed transient key can be periodically updated based on the random numbers provided by SN and MS to ensure the freshness of the authentication material.

[Figure: message sequence among MSM1-1, SN and HN; MSM1-1 and HN hold the pre-shared key KM1-1 and GAK. 1. ID req.; MSM1-1 generates AUTHM1; 2. ID res.(AUTHM1); 3. Auth. Data req.(AUTHM1); HN verifies AUTHM1 and generates AUTHH; 4. Auth. Data res.(AUTHH); SN stores AUTHH.]

Figure 3-4 Distribution of Authentication Data in the proposed AKA mechanism

Let the first member who performs the authentication procedure be MSM1-1. Figure 3-4 illustrates the operation of GAK. The detailed steps are as follows:

1. ID Req.: SN tries to get MSM1-1’s identity.

2. ID Res.(AUTHM1): Upon receiving the ID Req. message, MSM1-1 generates

AUTHM1 = (IDM1||IDM1-1||RNM1-1||MACM1-1)

where IDM1 is the GID, IDM1-1 the MID, RNM1-1 a random number, and MACM1-1 = f0(KM1-1, RNM1-1), which lets HN authenticate MS before distributing group authentication data to SN. The detailed operation is presented in Figure 3-5.

[Figure: f0 takes KM1-1 and RNM1-1 and outputs MACM1-1, which is placed in AUTHM1 = (IDM1||IDM1-1||RNM1-1||MACM1-1).]

Figure 3-5 Generation of MACM1-1 in MS in the proposed GAK-AKA mechanism

3. Auth. Data Req.(AUTHM1): Since MSM1-1 is the first MS in the group, SN has no data with which to authenticate MSM1-1. SN then forwards the message to HN and requests data to authenticate the roaming group G1 to which MSM1-1 belongs.

4. Auth. Data Res.(AUTHH): HN first verifies the MACM1-1 in AUTHM1 with KM1-1, the pre-shared key of MSM1-1. If MSM1-1 is confirmed legitimate, HN retrieves the corresponding GAK of MS group G1 to generate a Group Transient Key (GTK)

GTKM1 = f3(RNM1-1||RNH||AMF||GAK).

The group authentication data sent to SN is AUTHH = (RNH||AMF||RNM1-1||GTKM1), where RNH is the random number generated by HN, AMF the Authentication Management Field, RNM1-1 the random number used as one of the inputs of GTKM1, and GTKM1 the transient key itself. The Index Table for G1 is also sent to SN in this step. Figure 3-6 illustrates the operation in HN when HN receives the authentication request of MSM1-1 from SN.

[Figure: HN generates RNH. f0 takes KM1-1 and the contents of AUTHM1 and the result is compared with MACM1-1 (MS Authentication, Yes/No). f3 takes AMF, RNH, GAK and RNM1-1 and outputs GTKM1. The output is AUTHH = RNH || AMF || RNM1-1 || GTKM1.]

Figure 3-6 The Operation in HN when SN sends the authenticate request of MSM1-1

3.4 Mutual Authentication and Key Agreement Procedure

This procedure focuses on the mutual authentication between MS and SN, and is designed to generate the session key between MS and SN so that a secure channel is established between MS and SN. Figure 3-7 presents the message flows.

[Figure: message sequence among MSM1-1, SN and HN; MSM1-1 and HN hold the pre-shared key KM1-1 and GAK, and SN holds GTKM1. SN generates AUTHSM1-1; 5. Auth. req.(AUTHSM1-1); MSM1-1 verifies AUTHSM1-1 and computes MACM1 and MK; 6. Auth. res.(MACM1); SN verifies MACM1 and computes MK; 7. Auth. Result (Success/Fail).]

Figure 3-7 Mutual Authentication and Key Agreement in the proposed mechanism

5. Auth. Req.(AUTHSM1-1): After obtaining the group authentication data AUTHH for MS group G1, SN initiates the i-th run of the mutual authentication procedure between SN and MSM1-1 by generating AUTHSM1-1 = (AMF||RNH||RNM1-1||MACS||RNSM1-1), where the first three parameters are necessary for the mobile station to generate GTKM1, MACS = f1(GTKM1||RNM1-1||IVM1-1+i), and RNSM1-1 is a random number generated by SN and used to challenge MSM1-1 later. While waiting for the response from MSM1-1, SN can compute in advance the Master Key MK = f3(GTKM1||RNM1-1||RNSM1-1) for the subsequent sessions between MSM1-1 and SN. The detailed operations are shown in Figure 3-8.

[Figure: AUTHSM1-1 = AMF || RNH || RNM1-1 || MACS || RNSM1-1]

Figure 3-8 The operation in SN while authenticating MSM1-1

[Figure: MS Initialization (f0), then Authenticate SN and HN (f3).]

Figure 3-9 The operation in MSM1-1 in Mutual Authentication and Key Agreement procedure

6. Auth. Res.(MACM1): First of all, MSM1-1 computes GTKM1 from the first three arguments in AUTHSM1-1 and the GAK stored in each mobile station in the same group. MSM1-1 then authenticates SN by computing the corresponding MACS and comparing it with the received one. After successfully authenticating SN, besides generating the Master Key MK between SN and MSM1-1, MSM1-1 also generates the response message MACM1 = f2(GTKM1||RNSM1-1||IVM1-1+i). Figure 3-9 shows the detailed computation in MSM1-1.

7. Auth. Result (Success/Fail): SN authenticates MSM1-1 by verifying whether MSM1-1 generated the correct response, as in Figure 3-8. The message sent to MSM1-1 indicates the result of the mutual authentication procedure.

After the full authentication process, the MK generated separately after step 5 in both MSM1-1 and SN can be used as the material for various keys.

When the second member MSM1-2 in the roaming MS group requests authentication, SN initiates the mutual authentication procedure with the existing GTKM1, so that the original steps 3 and 4 are skipped and the signals between SN and HN are eliminated. The procedure of authenticating MSM1-2 is shown in Figure 3-10. However, the random numbers used to compute the challenge messages, such as RNM1-2 for MACS and RNSM1-2 for MACM1, are entirely different from those used in the authentication of MSM1-1. Figure 3-11 illustrates the operation of the MAC algorithms in SN when authenticating MSM1-2 and Figure 3-12 presents the operation in MSM1-2.

[Figure: message sequence among MSM1-2, SN and HN; MSM1-2 and HN hold the pre-shared key KM1-2 and GAK. MSM1-2 generates AUTHM1.]

Figure 3-10 Authentication and Key Agreement for MSM1-2

[Figure: AUTHSM1-2 = AMF || RNH || RNM1-1 || MACS || RNSM1-2]

Figure 3-11 The operation in SN while SN authenticating MSM1-2

[Figure: MS Initialization: f0 with KM1-2 and RNM1-2 yields MACM1-2 for AUTHM1 = (IDM1||IDM1-2||RNM1-2||MACM1-2). Authenticate HN and SN: from AUTHSM1-2 (AMF, RNH, RNM1-1, MACS, RNSM1-2), GAK, IVM1-2 and i, f3 yields GTKM1, f1 checks MACS (Yes/No), f2 yields MACM1, and f3 yields MK.]

Figure 3-12 The operation in MS while SN authenticating MSM1-2
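The GK-AKA message flow of sections 3.3 and 3.4 as a runnable simulation (an added example, not the thesis's code): HMAC-SHA256 stands in for f0 to f3, the class and method names are hypothetical, and the SN is assumed to receive only member IDs and initial values from the Index Table. It goes slightly beyond the figures by also checking that a group member who can derive GTKM1 but lacks another member's IV cannot produce that member's MACM1.

```python
import hashlib, hmac, os

AMF = b"\x80\x00"  # constructed value

def f(n, key, *parts):
    """Stand-in for f0..f3 (assumption): HMAC-SHA256, tagged with n."""
    msg = bytes([n]) + b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

def ctr(iv, i):
    return (iv + i).to_bytes(16, "big")  # the IV + i input of MACS and MACM1

class MS:
    def __init__(self, gid, mid, k, gak, iv):
        self.gid, self.mid, self.k, self.gak, self.iv = gid, mid, k, gak, iv
    def id_res(self):  # step 2: AUTHM1 = (GID || MID || RN || MAC)
        self.rn = os.urandom(16)
        return self.gid, self.mid, self.rn, f(0, self.k, self.rn)
    def auth_res(self, auths, i):  # step 6
        amf, rn_h, rn_first, mac_s, rn_s = auths
        gtk = f(3, self.gak, rn_first, rn_h, amf)
        if not hmac.compare_digest(mac_s, f(1, gtk, self.rn, ctr(self.iv, i))):
            raise PermissionError("MACS mismatch: SN not authenticated")
        self.mk = f(3, gtk, self.rn, rn_s)
        return f(2, gtk, rn_s, ctr(self.iv, i))

class HN:
    def __init__(self, gak, table):  # table: MID -> (K, IV)
        self.gak, self.table = gak, table
    def auth_data(self, auth_m):  # steps 3-4
        _, mid, rn_m, mac = auth_m
        if not hmac.compare_digest(mac, f(0, self.table[mid][0], rn_m)):
            raise PermissionError("MAC mismatch: MS not authenticated")
        rn_h = os.urandom(16)
        ivs = {m: iv for m, (_, iv) in self.table.items()}  # assumption: IVs only
        return (rn_h, AMF, rn_m, f(3, self.gak, rn_m, rn_h, AMF)), ivs

class SN:
    def __init__(self, hn):
        self.hn, self.groups, self.pending, self.hn_requests = hn, {}, {}, 0
    def auth_req(self, auth_m, i):  # step 5
        gid, mid, rn_m, _ = auth_m
        if gid not in self.groups:  # only the first member costs an HN round trip
            self.hn_requests += 1
            self.groups[gid] = self.hn.auth_data(auth_m)
        (rn_h, amf, rn_first, gtk), ivs = self.groups[gid]
        rn_s, c = os.urandom(16), ctr(ivs[mid], i)
        self.pending[mid] = (f(2, gtk, rn_s, c), f(3, gtk, rn_m, rn_s))
        return amf, rn_h, rn_first, f(1, gtk, rn_m, c), rn_s
    def auth_result(self, mid, mac_m):  # step 7: MK on success, None on failure
        xmac, mk = self.pending.pop(mid)
        return mk if hmac.compare_digest(mac_m, xmac) else None

def demo():
    gak, k1, k2 = os.urandom(32), os.urandom(16), os.urandom(16)
    iv1, iv2 = (int.from_bytes(os.urandom(15), "big") for _ in range(2))
    ms1, ms2 = MS("M1", "M1-1", k1, gak, iv1), MS("M1", "M1-2", k2, gak, iv2)
    sn = SN(HN(gak, {"M1-1": (k1, iv1), "M1-2": (k2, iv2)}))
    ok = [sn.auth_result(m.mid, m.auth_res(sn.auth_req(m.id_res(), 1), 1)) == m.mk
          for m in (ms1, ms2)]
    # M1-1 answers a challenge meant for M1-2: it can derive GTK but lacks IVM1-2.
    amf, rn_h, rn_first, _, rn_s = sn.auth_req(ms2.id_res(), 2)
    forged = f(2, f(3, gak, rn_first, rn_h, amf), rn_s, ctr(iv1, 2))
    return ok, sn.hn_requests, sn.auth_result("M1-2", forged)
```

`demo()` returns the per-member agreement on MK, the number of SN-to-HN requests for the whole group, and the SN's verdict on the response computed with the wrong IV.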

Chapter 4

Security Considerations

In this section, we discuss some performance analysis and efficiency evaluations of the aforementioned protocols in related work and of our proposed GAK protocol based on the shared group authentication key. Here we consider (1) the storage cost in SN and (2) the signals transferred between SN and HN.

4.1 Security Analysis

First of all, our proposed protocol satisfies the following concepts of secure wireless network user authentication:

1. Mutual Authentication: In this GAK protocol, mutual authentication of MS and HN is done by producing the same GTK, and mutual authentication of MS and SN is done by generating and comparing the challenge messages RESS and RESM. In particular, even though all members share the same GTK, when one adversarial member, MS1 for example, tries to impersonate another member, MS2 for example, by eavesdropping and collecting the traffic between MS2 and SN, MS1 fails to generate the correct RESM, which must be calculated from GTK, RNS2, and, most important of all, the initial value j2 of MS2. In other words, the SN can easily distinguish one member from another even though all members have the same GTK and even if some of them intercept other members’ challenge messages.

2. Replay Attack Resistance: When an attacker attempts to intercept an authentication packet and later transmit it to the expected destination, the receipt of
