
IEEE COMMUNICATIONS LETTERS, VOL. 1, NO. 3, MAY 1997 87

An Authentication Protocol Without Trusted Third Party

Shiuh-Pyng Shieh, Member, IEEE, Wen-Her Yang, and Hun-Min Sun

Abstract— A secure authentication protocol which supports both the privacy of messages and the authenticity of communicating parties is proposed. The trusted third party (key information center) is not needed once the secure network system is set up. Mutual authentication and key distribution can be achieved with two messages merely between the two parties involved.

Index Terms—Authentication protocol, ID-based scheme.

I. INTRODUCTION

THE first ID-based scheme, proposed by Shamir [3], supports only digital signatures rather than message encryption. Tsujii proposed another ID-based cryptosystem based on the discrete logarithm problem [4], which suffers from the conspiracy problem and requires a high overhead of exponential computations. Okamoto and Tanaka extended Shamir's idea and combined digital signature and key distribution in a simple ID-based scheme [2] which supports message encryption and withstands the conspiracy problem. However, in that scheme user identifications may be forged, user secret information may be disclosed, and a high overhead of exponential computations is still needed.

In this letter, we propose a new authentication protocol in which the key information center is needed only when the secure network system is being set up or when new users request to register. Not only does our protocol need fewer exponential computations, but it also resolves the security problems that appeared in the Okamoto and Tanaka scheme.

II. SECURE AUTHENTICATION PROTOCOL

Both the ID-based scheme and a symmetric cryptographic technique are used in the new secure authentication protocol. The ID-based scheme is used for system setup and authentication, while symmetric cryptography is used for subsequent message encryption to obtain better communication performance. There are two phases in the new authentication protocol. The initial phase is completed at the key information center to set up the system, and the authentication phase is executed between the two communicating parties to achieve mutual authentication and exchange the common session key.

Manuscript received November 20, 1996. The associate editor coordinating the review of this letter and approving it for publication was Dr. C. Dooligeris. The authors are with the Department of Computer Science and Information Engineering, College of Electrical Engineering and Computer Science, National Chiao-Tung University, Hsinchu, Taiwan 30010; (email: [email protected]).

Publisher Item Identifier S 1089-7798(97)04328-7.

A. Initial Phase

The information center is responsible neither for mutual authentication nor for the generation of common keys. The role of this center is simply to generate public and secret information for newly registered users. When the secure network system is being set up, the key information center executes the following steps.

1) Choose two large prime numbers and , and let .

2) Obtain the center's secret information from the following computation, where is only known by the center.

(1)

3) Find an integer which is a primitive element in both and , where is the center's public information.

4) Let ID denote the identity of user who requests to register to this secure network. ID could be composed of name, address, , and so on.

5) Choose a one-way function to compute the extended identity of as follows

ID (2)

where denotes the bit length of .

6) After computing , calculate the user secret information as

(3)

From the relations above, the following equation would be obtained.

(4)

7) Send back to user over a secure channel, such as a certified and sealed mail. Upon receipt of the information, user must keep secret and store the public information .

Once the secure network system is set up, the key information center is not needed except when new users join. The center's secret information must be stored secretly for subsequent use. However, the integers and will no longer be used and should be discarded secretly. When a new user requests to join, he sends the center his ID. Upon receipt of the user ID, the center repeats steps 5–7.


B. Authentication Phase

The new authentication protocol only needs two messages to complete the mutual authentication. Upon receipt of the first message from user , user verifies the message contents. If the verification succeeds, he believes that the message is sent by user . Thus user authenticates user . Similarly, user authenticates user with the second message. The execution steps for mutual authentication and key exchange for a session are listed as follows.

1) If user wishes to communicate with user , he generates a random number and calculates the following two integers:

(5)
(6)

where time is the time at which he calculated the two integers.

2) User sends these two integers and together with ID and to user .

3) Upon receipt of the message, user compares with the present local time. If the difference between and the present local time is shorter than the valid period, the message received is considered valid. According to different network environments, the length of the valid period can be adjusted. (In order to avoid valid messages being rejected in a network where clocks are not at least loosely synchronized, the step for comparing and the present local time should be skipped.) Then, user calculates ID and checks whether the following equation holds:

(7)

4) If the equation holds, user believes the message is sent by user and keeps for generation of the common key later. Then, he generates a random number and calculates the following two integers:

(8)
(9)

5) User sends these two integers and along with ID , and to user .

6) Upon receipt of the message, user checks whether is identical to the one he sent. ( herein can be considered as a nonce of user , which is used only once.) If yes, he calculates ID and checks if the following equation holds:

(10)

7) If it is true, user calculates the session key as follows:

(11)

8) In the same way, user calculates the session key as follows:

(12)

9) Users and use as the common key of this session to encrypt the communicating messages.

III. COMPUTATION OVERHEAD

In the Okamoto and Tanaka scheme, each party needs five exponential computations to complete mutual authentication and exchange a common key for each session (one for , one for , two for the equation check, and one for the common key calculation).

Our protocol reduces the number of exponential computations for each communication session from five to two. In the authentication phase, we can first compute , then calculate and as follows:

(13)
(14)

No exponential computation but only multiplication is needed in these two equations. The verification of the sender's identity [see (7)] can also be accomplished without exponential computation in the same way. Therefore, our protocol needs only two exponential computations (one for , and one for the common key ).

IV. SECURITY ANALYSIS

Our protocol provides message encryption and the authenticity of communicating parties to guarantee the privacy and security of network communication. It does not have the conspiracy problem existing in Tsujii's scheme because its security relies on the difficulty of the discrete logarithm problem. If a forger wants to masquerade as user to communicate with others, he must find two integers and satisfying the following equation:

(15)

The use of low public exponents in this equation does not lower the difficulty of cracking . Although the forger can get a pair of integers that makes the equation hold, the pair is unattainable because computing the pair from is a discrete logarithm problem.

Our protocol can also protect users from Hastad's attack. Hastad proposed an attack on using RSA with low exponents in a public key network [1]. To illustrate this attack, suppose that a message is broadcast to three parties in which the public exponents are , and in which the moduli are , , and . The encrypted messages are

Using the Chinese remainder theorem, one can find . However, because . Therefore, is not affected by being reduced modulo , and the message can be recovered by taking the cube root of . This attack will not succeed in our protocol, because the same modulus is used for all parties.
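The broadcast attack described above, worked through on constructed toy RSA moduli as an added illustration (this is not code from the letter): with public exponent 3 and three pairwise coprime moduli, the Chinese remainder theorem combines the three ciphertexts into m^3 modulo the product, and because m^3 is smaller than that product the plaintext is an exact integer cube root. The recovery function refuses moduli that are not pairwise coprime, which is exactly the situation the letter relies on when every party shares one modulus: the three ciphertexts are then identical and there is nothing to combine.

```python
# Added example (not from the letter): Hastad's low-exponent broadcast attack on
# toy RSA moduli, and the pairwise-coprime precondition that a shared modulus breaks.
from math import gcd

E = 3  # the low public exponent the letter discusses


def crt(residues, moduli):
    """Chinese remainder theorem: x = residues[i] mod moduli[i] for pairwise coprime moduli."""
    big_n = 1
    for n in moduli:
        big_n *= n
    x = 0
    for c, n in zip(residues, moduli):
        n_i = big_n // n
        x += c * n_i * pow(n_i, -1, n)  # pow(..., -1, n) is the modular inverse
    return x % big_n, big_n


def icbrt(x):
    """Exact integer cube root of x, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:  # binary search for the smallest mid with mid**3 >= x
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def broadcast_recover(ciphertexts, moduli):
    """Recover m from c_i = m^3 mod N_i when the N_i are pairwise coprime.

    Returns None if two moduli share a factor (e.g. all parties use one N, as in the
    letter's protocol): CRT does not apply and the ciphertexts add no information."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                return None
    x, _ = crt(ciphertexts, moduli)  # x = m^3 mod N1*N2*N3
    return icbrt(x)                  # m^3 < N1*N2*N3, so the root is exact


# Constructed toy moduli (products of small primes); real keys are vastly larger.
TOY_MODULI = [47 * 59, 53 * 61, 71 * 67]


def encrypt(m, n):
    """Textbook RSA encryption with the low exponent E."""
    return pow(m, E, n)
```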

Although we use a timestamp to check message legality, a replay attack will not succeed in our protocol, even if the assumption of synchronized clocks does not hold. Consider the following scenario: an intruder eavesdrops on a communication session, e.g., the communication between user and user . The intruder may replay an old authentication message captured in the old session. Upon receipt of the old messages, user checks the legality of . If the system's clock time is synchronized, he knows the message is invalid by examining and therefore discards this authentication message. If the system's clock is not synchronized, he may reconsider the message. Then he chooses a new random number and replies with the following message to the intruder:

(16)
(17)

However, the common key of this communication session is , instead of the old common key . The intruder cannot compute the new common key without knowing the random number . Since the old messages are all encrypted with the old common key , he cannot successfully replay the old messages he eavesdropped. User may try to decrypt them with the new common key , but the decryption fails. Consequently, he closes the connection and the attack fails.

Our protocol also does not have the two weaknesses that appeared in the Okamoto and Tanaka scheme.

(1) Our protocol uses the two small prime numbers 3 and 2 instead of the two integers and in Okamoto's scheme. Since the possibility no longer exists that may be a factor of , user secret information will not be disclosed in our protocol.

(2) The attack of forged authentication messages will fail in our protocol because of the one-way function . If a malicious user wants to send a forged message to user , he will randomly choose a pair of numbers . Although a bogus may be computed from (15), he cannot derive the correct ID from because of the one-way function . If he randomly chooses an identity information ID and sends it together with , the time he wrote the message, and the forged message, then upon receiving the packet, user will get from ID , instead of . Consequently, the verification of (7) will fail, and user will reject the forged request. Therefore, our protocol is able to protect user communication from the attack of forged requests.

V. CONCLUSION

An ID-based authentication protocol is proposed in which neither the key information center nor files for the storage of public information are required. Once the secure network system is set up, the authentication and key exchange can be handled solely by the two parties involved, instead of the key information center. This protocol resolves the problems that appeared in the Okamoto and Tanaka scheme. Even if the system clocks are not synchronized, it can withstand the replay problem. In contrast to the five exponential computations needed in the Okamoto and Tanaka scheme, our protocol needs only two exponential computations for mutual authentication and key exchange, thereby greatly reducing the load on communication devices.

REFERENCES

[1] J. Hastad, "On using RSA with low exponent in a public key network," in Lecture Notes in Computer Science: Advances in Cryptology-CRYPTO '85 Proc., pp. 403–408.

[2] E. Okamoto and K. Tanaka, "Identity-based information security management system for personal computer networks," IEEE J. Select. Areas Commun., vol. 7, pp. 290–294, Feb. 1989.

[3] A. Shamir, "Identity-based cryptosystems and signature schemes," in Proc. Crypto-84, Santa Barbara, CA, 1984, pp. 47–53.

[4] S. Tsujii, T. Itoh, and K. Kurosawa, "ID-based cryptosystem using discrete logarithm problem," Electron. Lett., vol. 23, pp. 1318–1320, Nov. 1987.
