A key agreement protocol using mutual Authentication for Ad-Hoc Networks
Post on 15-Jan-2016
IEEE 2005
Authors: Chichun Lo, Chunchieh Huang, Yongxin Huang
Date: 2005_11_29
Presented by Fei-Yau, Hung
Outline
- Introduction
- Review of the Huang-Chang Scheme
- The proposed scheme
- Security analysis
- Conclusion
Introduction
Wireless technology has become more pervasive as a communication platform for E-Commerce and other applications.
Two kinds of network structures in wireless area networks:
- Infrastructure
- Infrastructureless
Introduction
Properties concerned for security design in MANET (Ad-Hoc network):
- Self-organizing
- Fully decentralized
- Dynamic topology
- Low computation power
Review of the Huang-Chang Scheme
Notations
- $M_i$: Member $i$
- $M_d$: The member is a descendant node
- $M_a$: The member is an ascendant node
- $ID_i$: Member $i$'s identity
- $P$: Password
- $f()$, $H$: One-way hash function
- $S_i$: Member $i$'s contributory key
- $M_1$ to $M_{n-1}$: cooperate to construct subkey
Review of the Huang-Chang Scheme
Notations
- $K_i$, $K_i$: $K_i$ is the intermediate key and $K_i$ is the session key held by $M_i$
- $nonce_i$: random number generated by member $i$
- $X$: XOR operation
- $\|$: Concatenate
- $E$, $E_x$: Encrypt data with key $x$ by symmetric algorithm
- $D$, $D_x$: Decrypt data with key $x$ by symmetric algorithm
- $EXP$: Exponential operation
Review of the Huang-Chang Scheme
Tree structure illustrates the membership
Review of the Huang-Chang Scheme
Key initiation phase
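$M_i$ selects a random quantity $S_i$.
$M_i$ constructs the intermediate key $K_i$ depending on the location where he/she is. Cases 1 to 3 are each a condition on $2i$ and $n-1$:
- case 1: $K_i$ is formed from $S_i$
- case 2: $K_i$ is formed from $K_{2i}$, $K_{2i+1}$ and $S_i$
- case 3: $K_i$ is formed from $K_{2i}$
- case 4 ($i = 1$): $K_1$ is formed from $K_2$, $K_3$ and $S_1$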
Review of the Huang-Chang Scheme
Authenticating the legal children
$K_i,\ f(P \,\|\, K_i)$
Review of the Huang-Chang Scheme
Session Key Generation phase
- step 1: $M_n \to M_i$ (broadcast), where $i = 1, 2, \ldots, n-1$, and broadcasts $C_1,\ f(P \,\|\, C_1)$.
- step 2: $M_i \to M_n$, where $i = 1, 2, \ldots, n-1$, and sends [value not recoverable from this transcript].
- step 3: $M_n \to M_i$, where $i = 1, 2, \ldots, n-1$, and sends an encryption $E(\cdot)$ involving $P$, $C_i$ and $S_n$.
- step 4: $M_i \to M_n$, where $i = 1, 2, \ldots, n-1$, and sends $K$.
- step 5: Member $M_n$ checks the session key $K$.
Review of the Huang-Chang Scheme
The flaws of Huang-Chang's scheme:
- The replay attack: the attacker collects multiple $(K_i,\ f(P \,\|\, K_i))$ pairs while the group is being established.
- The password guessing attack
- Performance: $M_n$ must repeat $n$ times to compute an encryption $E(\cdot)$ involving $P$, $C_i$ and $S_n$ for each member $M_i$.
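The proposed scheme
Key initiation phase
if $M_d = M_i$, then $M_a = M_{i/2}$
if $ID_d = ID_i$, then $ID_a = ID_{i/2}$
case 1 (a condition on $i$ and $n$): steps 1~3 are used for mutual authentication
- step 1: $M_d \to M_a$: $ID_d,\ ID_a,\ E_P(ID_d \,\|\, ID_a \,\|\, nonce_d)$
- step 2: $M_d \leftarrow M_a$: $ID_a,\ ID_d,\ E_P(ID_a \,\|\, ID_d \,\|\, nonce_d + 1 \,\|\, nonce_a)$
- step 3: $M_d \to M_a$: $ID_d,\ ID_a,\ E_P(ID_d \,\|\, ID_a \,\|\, nonce_a + 1 \,\|\, K_i)$
$K_i$ is given by one of three rules, each under a condition on $2i$ and $n-1$:
- $K_i$ is formed from $S_i$
- $K_i$ is formed from $S_i$, $K_{2i}$ and $K_{2i+1}$
- $K_i$ is formed from $K_{2i}$ and $S_i$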
The proposed scheme
Key initiation phase
case 2 ($i = 1$): Mutual authentication is the same as step 1 to step 3 above in case 1. In this case, member $M_i$ is a root node and computes a value from $S$ and $K$ terms [formula not recoverable from this transcript].
The proposed scheme
Session key generation phase
- step 1: $M_1 \to M_i$ (broadcast), where $i = 2, 3, \ldots, n$, and broadcasts $ID_1,\ E_P(ID_1 \,\|\, \text{[term lost]} \,\|\, nonce_1)$.
- step 2: $M_n \to M_i$ (broadcast), where $i = 2, 3, \ldots, n-1$, and broadcasts $ID_n,\ E_P(ID_n \,\|\, S_n \,\|\, nonce_1 + 1 \,\|\, nonce_n)$.
- step 3: $M_i \to M_n$, where $i = 2, 3, \ldots, n-1$, and sends $ID_i,\ ID_n,\ f(ID_n \,\|\, nonce_n + 1 \,\|\, K_i)$.
- step 4: Member $M_n$ checks the session key $K$.
Example
$ID_8,\ ID_4,\ E_P(ID_8 \,\|\, ID_4 \,\|\, nonce_8)$
$ID_4,\ ID_8,\ E_P(ID_4 \,\|\, ID_8 \,\|\, nonce_8 + 1 \,\|\, nonce_4)$
Example
$ID_8,\ ID_4,\ E_P(ID_8 \,\|\, ID_4 \,\|\, nonce_4 + 1 \,\|\, K_8)$
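The three-message exchange between nodes 8 and 4 shown in these example slides, as added Python that is not from the slides or the paper, with a captured step 3 sent a second time to show why the nonce stops a replay. Assumptions: `E`/`D` are a stand-in SHA-256 keystream with an HMAC tag in place of the unspecified symmetric algorithm, fields are joined with `|`, the `1` next to each nonce is read as an increment, and the `Ascendant` class, `demo` function and all values are constructed for illustration.

```python
import hashlib, hmac, secrets

def _ks(key, iv, n):  # SHA-256 counter keystream, n bytes
    blocks = (hashlib.sha256(key + iv + bytes([c])).digest() for c in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def E(P, fields):
    """Stand-in for E_P(a || b || ...): keystream XOR plus HMAC tag (assumed cipher)."""
    key, iv = hashlib.sha256(P).digest(), secrets.token_bytes(16)
    pt = "|".join(str(x) for x in fields).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def D(P, blob):
    key, iv, ct, tag = hashlib.sha256(P).digest(), blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong password or modified message")
    return bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct)))).decode().split("|")

class Ascendant:  # M_a: answers step 1 with step 2, then verifies step 3
    def __init__(self, P, ident):
        self.P, self.ident, self.pending = P, ident, {}
    def step2(self, id_d, id_a, blob):
        f = D(self.P, blob)                        # ID_d, ID_a, nonce_d
        if id_a != self.ident or f[:2] != [id_d, id_a]:
            raise ValueError("identity mismatch")
        self.pending[id_d] = secrets.randbits(64)  # nonce_a, good for one step 3
        return id_a, id_d, E(self.P, [id_a, id_d, int(f[2]) + 1, self.pending[id_d]])

    def step3(self, id_d, id_a, blob):
        f = D(self.P, blob)                        # ID_d, ID_a, nonce_a + 1, K_i
        nonce_a = self.pending.pop(id_d, None)     # consumed on first use
        if f[:2] != [id_d, id_a] or nonce_a is None or int(f[2]) != nonce_a + 1:
            raise ValueError("stale nonce: replayed or out-of-order message")
        return f[3]

def demo():
    P = b"constructed-password"                    # shared password P (constructed)
    m4, nonce_8 = Ascendant(P, "ID4"), secrets.randbits(64)
    msg2 = m4.step2("ID8", "ID4", E(P, ["ID8", "ID4", nonce_8]))  # steps 1 and 2
    f = D(P, msg2[2])                              # node 8 checks node 4's reply
    parent_ok = f[:2] == ["ID4", "ID8"] and int(f[2]) == nonce_8 + 1
    msg3 = ("ID8", "ID4", E(P, ["ID8", "ID4", int(f[3]) + 1, "K8-constructed"]))
    key = m4.step3(*msg3)
    try:
        m4.step3(*msg3)                            # captured step 3 sent again
        return parent_ok, key, "replay accepted"
    except ValueError:
        return parent_ok, key, "replay rejected"
```

The second `step3` call fails because node 4 discards `nonce_4` after its first use, so an identical ciphertext no longer matches any outstanding challenge.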
Example
1. Node 1 broadcast: $ID_1,\ E_P(ID_1 \,\|\, \text{[term lost]} \,\|\, nonce_1)$
2. Node 11 broadcast: $ID_{11},\ E_P(ID_{11} \,\|\, S_n \,\|\, nonce_1 + 1 \,\|\, nonce_{11})$
Example
All members compute their own session key, formed from $K_i$ and $S_n$, and send $ID_i,\ ID_{11},\ f(ID_{11} \,\|\, nonce_{11} + 1 \,\|\, K_i)$ to the checker $M_{11}$.
Finally, the checker will check all members' session keys.
The proposed scheme
Session key update periodically
- step 1: $M_n \to M_i$ (broadcast), where $i = 1, 2, \ldots, n-1$, and broadcasts $ID_n,\ E_{K_{old}}(ID_n \,\|\, S_n \,\|\, nonce_n)$.
- step 2: $M_i$ computes the new session key $K_{new}$ from $K_{old}$ and $S_n$.
- step 3: $M_i \to M_n$, where $i = 2, 3, \ldots, n-1$, and sends $ID_i,\ ID_n,\ f(ID_n \,\|\, nonce_n + 1 \,\|\, K_{new})$.
- step 4: Member $M_n$ checks the new session key $K$.
Security analysis
Dynamic key agreement protocol requirements:
- Group key secrecy
- Key independency
- Forward and backward secrecy
Security analysis
Comparison with Huang & Chang's scheme:
- This protocol uses a nonce value to prevent the replay attack.
- The password guessing attack does not work.
Security analysis
Performance Discussion

| Methods | G-DH2 | Hypercube | DH-LKH | Huang & Chang | The proposed scheme |
|---|---|---|---|---|---|
| Rounds | n | logn | logn | logn+1 | 3logn+3 |
| Multicast messages | 1 | 0 | logn | 2 | 3 |
| Unicast messages | n-1 | nlogn | 0 | 3n-4 | 4n-7 |
| Message size grows | Y | N | Y | Y | N |
| DH key exchange | n | (logn)/2 | logn-1 | 0 | 0 |
| Computation | If i<n: (i+1)EXP; If i = 1: nEXP | If i<=n: (logn)EXP | If i<=n: (logn+1)EXP | If i<n: 3H+1E+1D+4X; If i=n: 1H+(n-1)E+2X | If i<n: 2H+4E+4D+3X; If i=n: 1H+1E+1D+1X |
Conclusion
Adding mutual authentication avoids the replay attack.
Modifying the transcripts prevents the password guessing attack.
Periodic session key updating leaves ciphertext or chosen-plaintext attacks no chance to happen.
The system can work well in the MANET environment.