Key Establishment Protocols for Secure Mobile Communications

A. Aziz and W. Diffie, “Privacy and Authentication for Wireless Local Area Networks”, IEEE Personal Communications

Presented by Yanxia Zhao

Content

Introduction Public-key cryptosystems Secret-key cryptosystems Aziz-Diffie protocol Conclusions

Introduction Mobile applications have special

vulnerabilities. the wireless medium introduces new

opportunities for eavesdropping on wireless data communications.

Active intrusions through the wireless medium are made easier.

Security is a critical issue in mobile application, both for the users and providers of such system.

Introduction (contd.) Design goals of authentication and key

management Protocols:

Prevent unauthorized access to mobile network.

Provide the mutual authentication between a base station and a mobile station.

Introduction (contd.) Types of Key Establishment Protocols for mobile

communication Secret-key cryptosystems: GSM(Global System for Mobile

Communications) U.S. Digital Cellular System

Public-key cryptosystems: MSR+DH Protocol Beller and Yacobi’s Protocol Aziz-Diffie Protocol

Secret Key Cryptography

Secret Key Cryptography involves the use of a single key. The same key is used for Encryption and Decryption.

Plain text Cipher textEncryption

Plain textCipher textDecryption

Key

Figure 1 A secret key cryptographic system

Secret Key Cryptography (Contd.) Secret Key Systems provide Strong Authentication

functionality. This implies that someone can prove knowledge of a secret without revealing it. Authentication is generally implemented using a Challenge-Response mechanism.

ArA

Challenge B

Response

Challenge

Response

rA encrypted with KAB

rB

rB encrypted with KAB

Figure 2 Challenge –Response MechanismA and B share a secret key KAB

Advantage of Secret-key based protocol

The Secret-key based protocol supports inexpensive mobile stations of low power and light weight. So the Secret-key based protocol is suitable for high dynamic mobile system.

Disadvantage of Secret-key based protocol The key management of the secret-key based

protocol is more complicated and more dangerous than that of public-key based one. Each mobile station must keep its secret

information, which of all should be stored in Authentication Center (AC).

AC becomes the critical component in the system because it should participate in all key establishment protocol executions.

The communication overhead of AC is increased and one must replicate the AC to reduce the overhead. However, the replication of AC increases the risk of the system.

Public Key Cryptography In Public Key Cryptography, each individual user

has two keys: a Private Key (that is not revealed to anyone else) and a Public Key (that is open to the public). Encryption is done using the Public Key and Decryption is done using the Private Key.

Plain text

Plain textCipher text

Cipher textEncryption

Decryption

Public KeyPrivate Key

Figure 3. A Public Key Cryptographic System

Public Key Cryptography (contd.)

Encrypt mA

using eB

Encrypt mB

using eA

Decrypt to mB using dA

Decrypt to mA using dB

A B

Figure 4. Information transfer in a Public Key Cryptographic System.

A’s <Public Key, Private Key> pair is <eA,dA> and B’s pair is <eB,dB>

Public Key Cryptography (contd.)

Digital signatures : Public Key Cryptography also facilitates digital signatures, whereby a person can “sign” a plain-text using his Private Key and anyone can verify the person’s identity by using the Public Key of that person.

Plain text

Plain textSigned Message

Signed Message

Signing

Private KeyPublic Key

Figure 5. Digital Signatures in Public Key System

Advantage of Public-key based protocol

The public-key based protocols only need CA (Certificate Authority) which certifies the public-keys of mobile stations and base stations.

CA is less critical than AC (in secret-key based protocol) because CA only certifies public-keys, whereas AC should manage all secret information.

Disadvantage of Public-key based protocol

Public-key based protocol is not fully utilized because of the poor computing power and the small battery capacity of a mobile station. Consequently, many researches for key establishment protocols focus on minimizing computational overhead of a mobile station without loss of security.

Overview of Aziz-Diffie protocol The protocol proposed by Aziz and Diffie uses

public-key cryptographic techniques in order to secure the wireless link. Public-key cryptography is used to do session key setup and authentication.

Each participant in the protocol generates a public key/private key pair. The private key is kept securely by the owner of the key pair. The public key is submitted, over an authenticated channel, to a trusted certification authority (CA).

Overview of Aziz-Diffie protocol (Contd.) The participant submits the information. The CA will

then issue a certificate to the participant. The certificate will contain a binding between the public key and a logical identifier of the participant , in the form of a document digitally signed using the CA’s private key.

Having obtained a certificate for each participant, as well as secure backup of the private keys, the mobile and base exchange certificates and engage in a mutual challenge-response protocol. The protocol allows negotiation of the shared-key algorithm.

Notes on Nomenclature Public key of certification authority: Pub_CA Private key of certification authority: Priv_CA Public key of mobile host: Pub_Mobile Private key of mobile host: Priv_Mobile Public key of base station: Pub_Base Private key of base station: Priv_Base Certificate of mobile host: Cert_Mobile Certificate of base station: Cert_Base E(X,Y): the encryption of Y under key X MD(X): the message digest function value on contents X Sig(X,Y)=E(X,MD(Y)): the signature of Y with key X

Initial connection setup between mobile host and base station using Aziz-Diffie protocol Message #1. MobileBase {Cert_Mobile, CH1, List of

SKCSs}

Message #2. BaseMobile {Cert-Base, E(Pub_Mobile,RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of SKCSs}) }

Message #3. MobileBase {E(Pub_Base,RN2), Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile,RN1}) }

Figure 6. Aziz-Diffie protocol for wireless networksCA-Certificate of A KA-Public key of A KA

-1-Private key of A RA, NA-random # generated by A RB-random # generated by B

Description of Initial connection setup process At connection initiation time, a mobile requesting to

connect to the wired network would send message #1 to the base. It includes mobile’s host certificate, a 128 –bit randomly chosen challenge value (CH1), and a list of supported shared-key cryptosystem (SKCS) to the base.

Certificate = Sig(Priv_CA, {Serial Number, Validity Period, Machine Name, Machine Public Key, CA name})

The list of SKCSs is intended to allow for negotiation of SKCS with the base. The SKCS will be used to encrypt subsequent data packets.

Description of Initial connection setup process(Contd.)

After receiving message #1, the base will attempt to verify the signature on Cert_Mobile. If the certificate is invalid, the base rejects the connection attempt. If the certificate is valid (the public key in the certificate belongs to a certified mobile host), the base will send Message #2 to the mobile:

Cert_Base a random number RN1 encrypted under the pub_Mobile the SKCS that the base chose out of the list of SKCSs the signature on some message using Priv_Base.

Description of Initial connection setup process

(Contd.)Method of choosing shared-key cryptosystem (SKCS):

The SKCS is chosen from the intersection of the set of SKCSs proposed in message #1 by the mobile and the set the base supports. The base will choose the one it deems the most secure from the intersection of the two sets.

The selected algorithm is subsequently employed for encipherment of the call data once the initial connection is setup and a session key is established.

Description of Initial connection setup process

(Contd.) After receiving message #2, the mobile validates the

certificate of the base (Cert_Base). If the certificate is valid, then the mobile will verify the signature on the message. If the signature doesn’t match, the base is deemed an imposter and the mobile will abort the connection attempt. Otherwise, the base is deemed authentic and the mobile will send Message #3:

a random number RN2 encrypted under the pub_Base the signature on the encrypted RN1 and RN2 using

Priv_Base.

Description of Initial connection setup process

(Contd.) After receiving message #3, the base will verify the

signature in the message. If the signature verifies, the mobile is deemed an authentic host. Otherwise, the mobile is deemed an intruder and the base will reject the connection attempt.

If the connection attempt succeeds, then at this point mutual authentication has been setup. The mobile and base use (RN1 RN2) as the session key. Since both halves of the key are completely random, knowing either RN1 or RN2 tells an attacker nothing about the session key.

Advantage of Aziz-Diffie Protocol

The protocol provides good forward secrecy. This approach requires the compromise of both the base’s and the mobile’s private keys in order for preceding traffic between that base and mobile to be compromised.

Disadvantage of Aziz-Diffie Protocol

The protocol is computationally expensive. The expensive portions of public key cryptosystems are typically the private key operations. In this protocol, the mobile has to perform two operations using its private key. The base also performs two private key operations.

This protocol is also vulnerable to a man-in-the middle attack.

Conclusions Aziz-Diffie Protocol provides good forward secrecy,

but it is computationally expensive and vulnerable to a man-in-the-middle attack.

The problem of designing correct protocols for authentication and key management is difficult to solve in any environment. In the mobile system, the extra constraints and requirements make this problem all the harder.

More suitable key establishment protocol needs to be developed for mobile communication.

Any Question?