
A New Anonymous Channel Protocol in Wireless Communications

Min-Shiang Hwang, Cheng-Chi Lee, and Ji-Zhe Lee

Abstract: In this paper, the authors shall propose a new anonymous channel protocol for wireless communications. Compared with Juang et al.’s protocol and Jan et al.’s protocol, our protocol is more efficient. In addition, our protocol saves the trouble of employing public key cryptography in the anonymous channel ticket authentication phase, just as Jan et al.’s protocol does.

Keywords: Anonymous channel, Authentication, Security, Wireless communications

1. Introduction

Wireless mobile communication is gaining popularity in recent years. People can roam freely and use the mobile service almost everywhere. Thanks to the wireless telecommunication infrastructure, we can enjoy mobile services through portable devices such as cellular phones, PDAs, laptops, etc. Mobile service systems are oftentimes called Personal Communication Systems (PCS’s). These modern digital cellular systems include AMPS, GSM [4, 5], IS-54 (TDMA), and IS-95 (CDMA) for voice communication as well as CDPD [3] and GPRS [6] for other forms of data communication.

Current protocols for location management are based on a two-level data hierarchy such that the two types of databases, the home location register (HLR) and the visitor location register (VLR), are involved in tracking an MS. Under such a design the radio scope from the HLR to its MS is called the home network, while the visit network is just the opposite. To integrate all those above, all the protocols we mention in this paper are under the mobile communication system architecture of a GSM-style system.

Received February 24, 2003. Revised August 17, 2003.

Min-Shiang Hwang, Department of Management Information System, National Chung Hsing University, 250 Kuo Kuang Road, 402 Taichung, Taiwan, R.O.C. Fax: 886-4-23742337.

Cheng-Chi Lee, Department of Computer and Information Science, National Chiao-Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, R.O.C.

Ji-Zhe Lee, Department of Information Management, Chaoyang University of Technology, 168 Gifeng E. Rd., Wufeng, Taichung County, Taiwan 413, R.O.C.

Correspondence to: Min-Shiang Hwang. E-mail: mshwang@nchu.edu.tw

This research was partially supported by the National Science Council, Taiwan, R.O.C., under contract no.: NSC91-2213-E-324-003.

Through a valid authentication protocol, mobile users can obtain services from wireless communication networks. Much research has been invested in the privacy and authentication of wireless communications [1, 2, 7–14]. In 1999, Juang et al. proposed an anonymous channel protocol where the mobile station could request services privately under the visit network [11]. This is the so-called unlinkability. However, in their scheme, the visit network alone cannot verify the requester; it requires the assistance of the home network. So, the mobile station must ask the home network to certify the identity and sign an anonymous channel ticket blindly. Then the mobile station and the visit network can authenticate each other via the signed blind ticket.

However, Jan et al. pointed out that Juang et al.’s protocol is traceable and inefficient [10]. According to Jan et al.’s attack, the location anonymity (unlinkability) requirement can be broken because the blind ticket is used time after time, and so the anonymous PA (Pseudo Account) is also used time and again. So, the home network gets to know the PA roaming path [10]. Besides, Jan et al. also claimed that their protocol is more efficient than Juang et al.’s protocol in the anonymous channel ticket authentication phase. They could reduce the communication cost by 2m each time in the authentication phase, where m is the number of bits in the anonymous message [10].

Observing Jan et al.’s protocol, we find that the efficiency of their protocol shows only in the ticket authentication phase. The contribution of Jan et al.’s protocol is reducing the cost in the ticket authentication phase, which is a high frequency phase. However, the need for data renewal is also large when the ticket is replaced, and furthermore there is no real pattern to this ticket indicating whether time or deadline is used. As a result, the computation cost is still more than that of Juang et al.’s protocol in the ticket-issuing phase. In this article, we shall propose a new protocol which is better than Jan et al.’s protocol. Our protocol is more efficient than both Juang et al.’s protocol and Jan et al.’s protocol.

The rest of this paper is organized as follows. First, our new protocol will be illustrated in Section 2. Then, in Section 3, we shall analyze the security and show the features of our protocol; we shall also compare our protocol with the other two protocols. Finally, the conclusion will be in the fourth section.

2. The proposed protocol

There are two phases in our proposed protocol for wireless communications: the Anonymous Channel Ticket Issuing Phase and the Anonymous Channel Ticket Authentication Phase. The main task of the first phase is that the mobile station (MS) must request the anonymous channel ticket from the home location register (HLR) through the visitor location register (VLR). After receiving the ticket, the MS can use mobile services, such as mobile calls, provided by the VLR. If the MS continues using mobile services from the VLR, it must enter the second phase of our protocol. The second phase is mainly about checking the validity of the anonymous channel ticket. We will describe the details of our protocol in the following subsections. Before the description of our protocol starts, we first show some system symbols in the following table.

1434-8411/04/58/03-218 $ 30.00/0

Table 1. System symbols of the proposed scheme.

| Symbol | Meaning |
| --- | --- |
| $\delta$ | the ticket information signed by HLR |
| $VT$ | the valid time of the anonymous channel ticket |
| $Tkt(m)$ | the anonymous channel ticket to be used $m$ times |
| $K_{h,v}$ | the shared key between HLR and VLR |
| $K_{h,i}$ | the shared key between HLR and MS ($ID_i$) |
| $TN_h$ | the authentication token which HLR issues to MS |
| $HD$ | the identity of HLR |
| $VD$ | the identity of VLR |
| $p_h$ | the public key of HLR |
| $s_h$ | the secret key of HLR |
| $\{m\}_{p_h}$ | the message $m$ encrypted by a public key cryptosystem using public key $p_h$ |
| $(m)_k$ | the message $m$ encrypted by a secure cryptosystem using symmetric key $k$ |

2.1 Anonymous channel ticket issuing phase

In our new protocol, three entities are involved: the MS, the VLR, and the HLR. The steps of this phase are as follows. The statement A ⇒ B: {messages} means that the left-hand side entity sends messages to the right-hand side entity.

1. MS ⇒ VLR: $\{HD, TN_h, T, (ID_i, T)_{K_{h,i}}\}$

   MS sends VLR the messages $HD$, the token $TN_h$ issued by HLR, the time stamp $T$, and $(ID_i, T)$, which is encrypted by the shared key $K_{h,i}$.

2. VLR ⇒ HLR: $\{VD, TN_h, T, (ID_i, T)_{K_{h,i}}\}$

   VLR passes the received message to HLR, and she/he replaces the $HD$ with the $VD$. HLR receives the message from VLR and then verifies the identity of MS. HLR finds the shared key of this MS by searching $TN_h$, and HLR takes this key to decrypt $(ID_i, T)_{K_{h,i}}$. Therefore, HLR can check the identity of the MS, and then HLR calculates the anonymous channel ticket $\delta = \{(ID_i, T)_{K_{h,i}} \,\|\, VT\}_{s_h}$ and $Tkt(m) = (\delta, m)_{K_{h,v}}$, where $\|$ stands for concatenation.

3. HLR ⇒ VLR: $\{TN_h, (\delta, n)_{K_{h,v}}, (TN_h, Tkt(m), m, n)_{K_{h,i}}\}$

   HLR encrypts $\delta$ and the seed $n$ by using the key $K_{h,v}$. Then, HLR encrypts the new token $TN_h$, $Tkt(m)$, $m$, and $n$ by using the key $K_{h,i}$. Next, HLR transmits them to VLR. VLR can decrypt the value $(\delta, n)_{K_{h,v}}$ by using the key $K_{h,v}$ and record these parameters $\delta$ and $n$.

4. VLR ⇒ MS: $\{TN_h, r, (TN_h, Tkt(m), m, n)_{K_{h,i}}\}$

   Upon receiving the messages from HLR, VLR generates a random value $r$ and passes the messages $\{TN_h, r, (TN_h, Tkt(m), m, n)_{K_{h,i}}\}$ to MS. VLR records $r$ and the token $TN_h$ of MS.

In this phase, HLR mainly verifies MS’s identity and produces the anonymous channel ticket for MS. VLR also receives the proof values from HLR and uses them to negotiate with MS in the ticket authentication phase.

2.2 Anonymous channel ticket authentication phase

In this phase, MS encrypts the anonymous channel ticket by using the session key computed from $r$ and $n$. He/She sends the encrypted ticket to VLR. Next, VLR can decrypt and verify the validity of the ticket. After that, MS can use the anonymous service through the authentication of VLR.

1. MS ⇒ VLR: $\{TN_h, (Tkt(m))_{f(r \oplus n)}\}$

   MS sends the token $TN_h$ and the anonymous channel ticket $Tkt(m)$ encrypted by the session key $f(r \oplus n)$ to VLR, where $f(\cdot)$ is a one-way hash function. Based on the token $TN_h$, VLR can find the recorded information $(r, n, \delta)$ of this MS. VLR can compute the session key $f(r \oplus n)$ and decrypt the anonymous channel ticket $Tkt(m)$. And then VLR can verify the validity of the anonymous channel ticket. Next VLR derives the using time $m$ from $Tkt(m) = \{\delta, m\}_{K_{h,v}}$ and computes the next ticket $Tkt(m-1) = \{\delta, (m-1)\}_{K_{h,v}}$.

2. VLR ⇒ MS: $\{TN_h, (Tkt(m-1))_{f((r-1) \oplus n)}\}$

   VLR encrypts the next anonymous channel ticket $Tkt(m-1)$ by using the next session key $f((r-1) \oplus n)$, and VLR sends it to MS. After receiving the message from VLR, MS decrypts the next ticket by using the session key $f((r-1) \oplus n)$. Once the ticket of the using time $m$ is exhausted, MS would request the new anonymous ticket from HLR. In our protocol, we assume that the random value $r$ is bigger than the ticket of the using time $m$. Therefore, the session key sequences are sufficient. According to the decreasing of the random value $r$, we can obtain the $(r+1)$ sequences of session keys:

$$f(r \oplus n),\ f((r-1) \oplus n),\ f((r-2) \oplus n),\ \ldots,\ f(n)$$

In this phase, MS mainly presents the ticket to request the anonymous channel service from VLR. VLR deducts the using times from the ticket until none remain. In that situation, MS shall refresh the ticket by asking HLR.
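The ticket authentication phase of Section 2.2, simulated in Python as an added example that is not part of the original paper. It assumes the issuing phase has already run; SHA-256 for f, a SHA-256 keystream with an HMAC tag as a stand-in for the unspecified symmetric cryptosystem, the names `VLR.record`, `MS.accept`, `run_demo` and `TN-demo`, the constructed keys, and the treatment of Tkt(0) as exhausted are all assumptions of this sketch.

```python
import hashlib, hmac, json, secrets

def f(x: int) -> bytes:
    """One-way hash f(.) of the paper, instantiated here with SHA-256."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def _pad(key: bytes, nonce: bytes, size: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(size // 32 + 1))
    return b"".join(blocks)[:size]

def enc(key: bytes, pt: bytes) -> bytes:
    """Stand-in for (m)_k: SHA-256 keystream plus HMAC tag, not a vetted cipher."""
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(pt, _pad(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong session key or modified message")
    return bytes(a ^ b for a, b in zip(ct, _pad(key, nonce, len(ct))))

def ticket(k_hv: bytes, delta: bytes, m: int) -> bytes:
    """Tkt(m): (delta, m) encrypted under K_{h,v}; MS cannot build or alter it."""
    return enc(k_hv, json.dumps({"delta": delta.hex(), "m": m}).encode())

class VLR:
    def __init__(self, k_hv: bytes):
        self.k_hv, self.records = k_hv, {}
    def record(self, tn_h, delta, n, r):
        # State kept at the end of the issuing phase, indexed by TN_h.
        self.records[tn_h] = {"delta": delta, "n": n, "r": r}
    def authenticate(self, tn_h, blob) -> bytes:
        rec = self.records[tn_h]
        tkt = dec(f(rec["r"] ^ rec["n"]), blob)        # step 1: key f(r XOR n)
        body = json.loads(dec(self.k_hv, tkt))
        if body["delta"] != rec["delta"].hex() or body["m"] < 1:
            raise ValueError("ticket invalid or exhausted")
        rec["r"] -= 1                                   # advance the key sequence
        nxt = ticket(self.k_hv, rec["delta"], body["m"] - 1)
        return enc(f(rec["r"] ^ rec["n"]), nxt)         # step 2: Tkt(m-1)

class MS:
    def __init__(self, tn_h, tkt, n, r):
        self.tn_h, self.tkt, self.n, self.r = tn_h, tkt, n, r
    def request(self):
        return self.tn_h, enc(f(self.r ^ self.n), self.tkt)
    def accept(self, blob):
        self.r -= 1
        self.tkt = dec(f(self.r ^ self.n), blob)

def run_demo(m: int = 3):
    # Constructed values standing in for the output of the issuing phase.
    k_hv, delta = secrets.token_bytes(32), secrets.token_bytes(32)
    n, r = secrets.randbits(64), m + 1 + secrets.randbits(32)  # paper: r > m
    vlr = VLR(k_hv)
    vlr.record("TN-demo", delta, n, r)
    ms = MS("TN-demo", ticket(k_hv, delta, m), n, r)
    sent = [ms.request()[1]]
    for _ in range(m):
        ms.accept(vlr.authenticate(ms.tn_h, sent[-1]))
        sent.append(ms.request()[1])
    # sent[0] replays the first request; sent[-1] carries the used-up Tkt(0).
    outcome = {}
    for name, msg in (("replay", sent[0]), ("exhausted", sent[-1])):
        try:
            vlr.authenticate(ms.tn_h, msg)
            outcome[name] = "accepted"
        except ValueError as err:
            outcome[name] = str(err)
    return len(sent) - 1, outcome
```

`run_demo()` returns the number of accepted uses and the VLR's verdict on a replayed first request and on the exhausted ticket; the replay fails because the VLR has already moved on to a later key in the sequence.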

3. Analysis and comparison

In the first subsection below we will evaluate our protocol in terms of its security and features. Then, in the second subsection, we shall compare the performance of our protocol with those of two other protocols: Juang et al.’s protocol and Jan et al.’s protocol. The comparison will have two parts: the communication cost part and the computation cost part. The communication cost part is mainly to compare the traffic transmission time of the three protocols, and the computation cost part is to compare the total computation time of the three protocols in each phase.

3.1 Security and feature analysis

Our protocol satisfies all the security demands that Jan et al.’s protocol does. Our analysis is as follows.

1. The MS can get the correct anonymous channel ticket from the home network: The ticket is encrypted by the key $K_{h,i}$ shared between MS and HLR, so the VLR or the others cannot derive the ticket. Only the MS who has the valid secret shared key can decrypt the message and obtain the ticket.

2. The visit network can authenticate the MS and support the anonymous channel service: Based on the anonymous channel ticket and the seed $n$, VLR can authenticate the MS. Then the MS can send messages to the VLR privately because the message is encrypted by the sequences of session keys under the visit network.

3. The proposed protocol can support the anonymous channel service and the nameless location service: In our protocol, no identity information of the MS is revealed. Therefore, the unlinkability requirement is achieved in our protocol.

4. There are sequences of session keys between the MS and the visit network: According to the seed $n$ and the random value $r$, the MS and the VLR can communicate with each other privately by using the un-fixed session key.

5. Real ticket patterns of our anonymous channel ticket: In our protocol, the anonymous channel ticket issued by the HLR has the real ticket patterns of an actual application. The patterns are like the using time $m$ of the ticket, the expiring period, and the using site.

In the above analysis, we mainly focus on the anonymity feature, because this feature, including unlinkability, is the chief point of the anonymous channel protocol. We also consider the other security methods, such as symmetric cryptography and the use of un-fixed session keys. Last, our ticket form also satisfies the real ticket patterns.

3.2 Cost comparisons

In this subsection, we shall compare our protocol with the other two protocols as to the communication cost and the computation cost. First, the communication cost comparison is in Table 2. Since the communication cost is the same in the anonymous channel ticket-issuing phase, we focus only on the anonymous channel ticket authentication phase. The symbol c stands for the count of the transmission time.

In Table 2, the communication costs of Juang et al.’s and Jan et al.’s protocols are 5c and 3c, respectively. The illustration is given in Ref. [10]. However, the cost of our protocol is just 2c because we reduce one step in the ticket authentication phase. In Jan et al.’s protocol [10], three steps are spent on ticket authentication, but our protocol needs only two steps to obtain the same effect. We see that Juang et al.’s protocol has the higher communication cost in the ticket authentication phase because their protocol needs the help of HLR in this phase. Without the requirement of the support of HLR, the communication cost of Jan et al.’s protocol is lower. As for our protocol, we take one transmission less than Jan et al.’s protocol. Therefore, we have the lowest communication cost. Next, we shall show the comparison of computation cost in Tables 3 and 4, which are for the ticket issuing phase and the ticket authentication phase, respectively. The notations used in the tables are defined as follows:

• $T_h$: the time for computing a hash function.

• $T_{inv}$: the time for finding the inverse.

• $T_{mul}$: the time for modular multiplication.

• $T_{exp}$: the time for modular exponentiation.

• $T_{pub}$: the time for enciphering/deciphering with an asymmetric cryptosystem.

• $T_{sym}$: the time for enciphering/deciphering with a symmetric cryptosystem.

• $T_{add}$: the time for modular addition.

Table 2. Comparisons with the communication cost in the ticket authentication phase.

| Protocols | Communication costs |
| --- | --- |
| Juang et al.’s protocol [11] | 5c |
| Jan et al.’s protocol [10] | 3c |
| Our protocol | 2c |

Table 3. Comparisons with the computation cost in the ticket issuing phase.

| Protocols | Computation costs |
| --- | --- |
| Juang et al.’s protocol [11] | $1T_{pub} + 2T_{sym} + 2T_{exp} + 1T_{inv} + 1T_h + 2T_{mul}$ |
| Jan et al.’s protocol [10] | $1T_{pub} + 3T_{sym} + 6T_{exp} + 2T_h + 5T_{mul} + 2T_{add}$ |
| Our protocol | $1T_{pub} + 4T_{sym}$ |

Table 4. Comparisons with the computation costs in the ticket authentication phase.

| Protocols | Computation costs |
| --- | --- |
| Juang et al.’s protocol [11] | $1T_{pub} + 2T_{sym} + 1T_{exp} + 2T_h + 2T_{mul}$ |
| Jan et al.’s protocol [10] | $3T_{exp} + 3T_h + 9T_{mul} + 3T_{add}$ |
| Our protocol | $3T_{sym} + 2T_h$ |

In Table 3, we survey the computation costs of Juang et al.’s protocol first [11]. In their ticket issuing phase, we can find these equations: $\Psi = \beta^{e_h}(Tkt) \bmod n_h$, $Cert_i = (T_1, \gamma)_{f(Key_i)}$, and $\{ID_i, \Psi, Cert_i, T_1\}_{e_r}$. The computation costs of these equations are $T_{pub} + T_{sym} + 2T_{exp} + T_h + T_{mul}$, and because HLR sends VLR $(\Gamma, N_2)_{K_{vh}}$, the cost is one additional $T_{sym}$. MS receives the blind ticket $\Gamma$ and checks it by $\beta^{-1}\Gamma \bmod n_h$; the costs are thus $T_{inv} + T_{mul}$. From the above statements, we conclude that the total computation costs of Juang et al.’s protocol are $T_{pub} + 2T_{sym} + 2T_{exp} + T_{inv} + T_h + 2T_{mul}$.

In Jan et al.’s protocol [10], the computation cost of $\{ID_i, A, B, T, T_{expire}, Cert_i\}_{e_h}$ is $T_{pub} + T_{sym}$. HLR sends VLR $(d_M, T_{expire}, D_M)_{K_{h,v}}$ and $(C, T_{expire}, E_M)_{K_{h,i}}$; the cost is $T_{sym} + 3T_{exp} + T_h + 4T_{mul} + 2T_{add}$. Next, VLR makes $NEWID = f_2(d_M)$ and sends MS $(C, T_{expire}, E_M)_{K_{h,i}}$; then MS receives the values from VLR and checks them by $g^{E_M} = y_h^{A \cdot K_{h,i}} \cdot C^C \bmod P$. Therefore, the total computation costs are $T_{pub} + 3T_{sym} + 6T_{exp} + 2T_h + 5T_{mul} + 2T_{add}$.

As for the computation cost of our protocol, there is one $T_{sym}$ in $(ID_i, T)_{K_{h,i}}$. Next, HLR computes $\delta = \{(ID_i, T)_{K_{h,i}} \,\|\, VT\}_{s_h}$ and $Tkt(m) = (\delta, m)_{K_{h,v}}$ to VLR. The costs are $T_{pub} + T_{sym}$. Last, VLR receives $(\delta, n)_{K_{h,v}}$ and $(TN_h, Tkt(m), m, n)_{K_{h,i}}$ from HLR. The costs are $2T_{sym}$. The total computation costs are thus $T_{pub} + 4T_{sym}$.

We can see that the computation cost of Jan et al.’s protocol is still higher than that of Juang et al.’s protocol in the ticket issuing phase because Jan et al.’s protocol needs $6T_{exp}$ while Juang et al.’s protocol takes only $2T_{exp}$. Since $T_{exp}$ is the longest of all the time units defined above, we come to the conclusion that Jan et al.’s protocol consumes the most time in the ticket issuing phase. Our protocol, in contrast, needs the shortest computation time.

In Table 4, we also view the computation costs of Juang et al.’s protocol first [11]. MS makes $\{K_{sh}, r_i\}_{e_r}$ to VLR, and VLR passes it to HLR. Then HLR computes the session key $K_i$ by $h(K_{sh} \cdot r_i)$ and sends VLR $(K_i, r_i, PA, lifetime, N_4)_{K_{vh}}$. Next, VLR sends MS $(I_i, r_i)_{K_i}$. Therefore, we obtain that the computation costs are $T_{pub} + 2T_{sym} + T_h$. Furthermore, HLR makes $K_{sh} = (Tkt)^{d_h}$ and VLR produces $(K_{sh})^{h(K_{sh})}$, both for ticket renewal. The costs are thus $T_{exp} + T_h + 2T_{mul}$. We can judge that the total computation costs are $T_{pub} + 2T_{sym} + T_{exp} + 2T_h + 2T_{mul}$.

In Jan et al.’s protocol [10], the computation costs of $NEWID$, $J$, $L$ are $3T_{exp} + 3T_h + 9T_{mul} + 3T_{add}$. As regards our protocol, we have the computation costs $3T_{sym} + 2T_h$, since MS sends VLR $(Tkt(m))_{f(r \oplus n)}$, VLR computes $Tkt(m-1) = \{\delta, (m-1)\}_{K_{h,v}}$, and VLR transmits $(Tkt(m-1))_{f((r-1) \oplus n)}$ to MS.

The computation cost of Jan et al.’s protocol is lower than that of Juang et al.’s protocol because the former needs no assistance of HLR and no public key cryptosystem. Although we use symmetric key encryption in our ticket authentication phase, our computation cost is still lower than that of Jan et al.’s scheme. We have the best efficiency because the time unit $T_{sym}$ stands for a cost lower than $T_{exp}$. Altogether, our protocol is the most efficient of the three.

4. Conclusion

In this paper, we have proposed a new anonymous channel protocol for wireless communications. Compared with two well received protocols, our protocol is quite efficient. In addition, the session key between MS and VLR is variable in our anonymous channel ticket authentication phase.

Acknowledgement. The authors wish to thank many anonymous referees for their suggestions to improve this paper. Part of this research was supported by the National Science Council, Taiwan, R.O.C., under contract no. NSC91-2213-E-324-003.

References

[1] Aziz, A., Diffie, W.: Privacy and authentication for wireless local area networks. IEEE Personal Communications 1(1) (1994) 24–31.

[2] Beller, M.J., Chang, L.F., Yacobi, Y.: Privacy and authentication on a portable communications system. IEEE Journal on Selected Areas in Communications 11 (Aug. 1993) 821–829.

[3] CDPD Forum. Cellular digital packet data (CDPD) system specification. Tech. Rep. Release 1.1, CDPD Forum, Jan. 1995.

[4] ETSI. Recommendation GSM 02.09: Security related network functions. Tech. Rep., European Telecommunications Standards Institute, ETSI, June 1993.

[5] ETSI. Recommendation GSM 03.20: Security related network functions. Tech. Rep., European Telecommunications Standards Institute, ETSI, June 1993.

[6] Granbohm, H., Wiklund, J.: GPRS – general packet radio service. Ericsson Review 76(2) (1999) 82–88.

[7] Hwang, Min-Shiang, Lee, Chii-Hwa: Authenticated key-exchange in a mobile radio network. European Transactions on Telecommunications 8(3) (1997) 265–269.

[8] Hwang, Min-Shiang, Lee, Chii-Hwa: Secure access schemes in mobile database systems. European Transactions on Telecommunications 12(4) (2001) 303–310.

[9] Hwang, Min-Shiang, Yang, Wei-Pang: Conference key distribution protocols for digital mobile communication systems. IEEE Journal on Selected Areas in Communications 13(2) (1995) 416–420.

[10] Jan, Jinn Ke, Lin, Whe Dar: An efficient anonymous channel protocol in wireless communications. IEICE Transactions on Communication E84-B (March 2001) 484–491.

[11] Juang, W.S., Lei, C.L., Chang, C.Y.: Anonymous channel and authentication in wireless communication. Computer Communications 22 (1999) 1502–1511.

[12] Lee, Chii-Hwa, Hwang, Min-Shiang, Yang, Wei-Pang: Enhanced privacy and authentication for the global system of mobile communications. Wireless Networks 5 (July 1999) 231–243.

[13] Lin, H., Harn, L.: Authentication protocols for personal communication system. ACM SIGCOMM’95 (Aug. 1995) 256–261.

[14] Molva, R., Samfat, D., Tsudik, G.: Authentication of mobile users. IEEE Network 8(2) (1994) 26–34.

Min-Shiang Hwang was born on August 27, 1960 in Tainan, Taiwan, Republic of China (ROC). He received the B.S. in Electronic Engineering from National Taipei Institute of Technology, Taipei, Taiwan, ROC, in 1980; the M.S. in Industrial Engineering from National Tsing Hua University, Taiwan, in 1988; and the Ph.D. in Computer and Information Science from National Chiao Tung University, Taiwan, in 1995. He also studied Applied Mathematics at National Cheng Kung University, Taiwan, from 1984–1986. Dr. Hwang passed the National Higher Examination in field “Electronic Engineer” in 1988. He also passed the National Telecommunication Special Examination in field “Information Engineering”, qualified as advanced technician the first class in 1990. From 1988 to 1991, he was the leader of the Computer Center at Telecommunication Laboratories (TL), Ministry of Transportation and Communications, ROC. He was also a chairman of the Department of Information Management, Chaoyang University of Technology (CYUT), Taiwan, during 1999–2002. He was a professor and chairman of the Graduate Institute of Networking and Communications, CYUT, during 2002–2003. He obtained the 1997, 1998, 1999, 2000, and 2001 Distinguished Research Awards of the National Science Council of the Republic of China. He is currently a professor of the department of Management Information Systems, National Chung Hsing University, Taiwan, ROC. He is a member of IEEE, ACM, and Chinese Information Security Association. His current research interests include electronic commerce, database and data security, cryptography, image compression, and mobile computing. Dr. Hwang had published 80 articles on the above research fields in international journals.

Cheng-Chi Lee received the B.S. and M.S. in Information Management from Chaoyang University of Technology (CYUT), Taichung, Taiwan, Republic of China, in 1999 and in 2001. He is currently pursuing his Ph.D. in Computer and Information Science from National Chiao Tung University, Taiwan, Republic of China. His current research interests include information security, cryptography, and mobile communications.

Ji-Zhe Lee received M.S. in Information Management from Chaoyang University of Technology (CYUT), Taichung, Taiwan, Republic of China, in 2003. His current research interests include information security, cryptography, and mobile communications.
