A key agreement protocol using mutual Authentication for Ad-Hoc Networks IEEE 2005 Authors : Chichun Lo, Chunchieh Huang, Yongxin Huang Date : 2005_11_29.

A key agreement protocol using mutual Authentication for Ad-Hoc Networks

IEEE 2005Authors : Chichun Lo,

Chunchieh Huang, Yongxin Huang

Date : 2005_11_29Presented by Fei-Yau, Hung

Outline

Introduction Review of the Huang-Chang Scheme The proposed scheme Security analysis Conclusion

Introduction

Wireless technology has become more pervasive as E-Commerce and other applications communication platform.

Two kinds of network structures in wireless area network Infrastructure Infrastructureless

Introduction

Properties concerned for security design in MANET (Ad-Hoc network) : Self-organize Fully decentralized Dynamic topology Low computation power

Review of the Huang-Chang Scheme Notations

1 -1

: Memeber i

: The member is a descendant node

: The member is a ascendant node

: Member i's identity

: Password

(), : One-way hash function

: Member i's comtributory key

: coopera

i

d

a

i

i

n

M

M

M

ID

P

f H

S

M M te to construct subkey

Review of the Huang-Chang Scheme Notations

, : is the intermediate key and is

the session key hold by

: Member generates random number

, : XOR operation

|| : Concatenate

, : Encrypt data with key by symm

i i i i

i

i

x

K K K K

M

nonce i

X

E E x

etric algorithm

, : Decrypt data with key by symmetric algorithm

: Exponential operationxD D x

EXP

Review of the Huang-Chang Scheme

Tree structure illustrates the membership

Review of the Huang-Chang Scheme

Key initiation phase

2 2 1

2

random quantity

construct intermediate key depends on the

location where he/she is

case 1 : (2 -1) :

case 2 : (2 -1) :

case 3 : (2 -1) :

i i

i

i i

i i i i

i i

M S

K

i n K S

i n K K K S

i n K K

選擇一個

1 2 3 1case 4 : ( 1) : iS

i K K K S

Review of the Huang-Chang Scheme

Authenticating the legal children

/ 2

, ( || )

i i

i i

K f P K

K K

Review of the Huang-Chang Scheme Session Key Generation phase

1 1

, ( || )

Broadcast

step 1 : where 1,2, , -1

and broadcasts , ( || ).

step 2 : where 1,2, , -1

and sends .

step 3 : where

i i

Broadcasti

C f P Ci n

i i i

n i

M M i n

f P

M M i n

C S S

M M i

E ( )

1,2, , -1

and sends E ( ).

step 4 : where 1,2, , -1

and sends K .

step 5 : Member checks the session key .

i

P S in

P C i n

K

i n

i n

n

n

C S

M M i n

S

M K

Review of the Huang-Chang Scheme

The flows of Huang-Chang’s Scheme The replay attack : attacker collects

multiple pairs, while the group is establishing.

The password guessing attack Performance : must repeat n times to

compute for each member

( , ( || ))i iK f P K

nM

iM( )iP C i nE C S

The proposed scheme Key initiation phaseif Md=Mi, then Ma=M i/2

if IDd=IDi, then IDa=ID i/2

case1(i n) : step1~3 are used for mutual authentication

step1 : : , , ( || || )

step2 : : , , ( || ||d a d a P d a d

d a a d P a d d

M M ID ID E ID ID nonce

M M ID ID E ID ID nonce

2 2 1

2

1|| )

step3 : : , , ( || || 1|| )

if (2 -1) :

if (2 -1) :

if (2 -1) :

i

d a d a P d a a i

i i

i i i i

i i i

K

M M ID ID E ID ID nonce K

i n K S

i n K S K K

i n K K S

The proposed scheme

Key initiation phase

case2 ( 1) : Mutual authentication is the same as the

above step1 to step3 in the case1. In this

case, member Mi is a root node and

c

i

1 2 2 1 1 2

omputes the value of ; where

i i nS K K S S S

The proposed scheme

Session key generation phase

1

1 1 1

1

step 1 : where 2,3, ,

and broadcasts , ( || || ).

step 2 : where 2,3, , -1

and broadcasts , ( || || 1|| ).

s

Broadcasti

P

Broadcastn i

n P n n n

M M i n

ID E ID nonce

M M i n

ID E ID S nonce nonce

tep 3 : where 2,3, , -1

and sends , , ( || 1|| ).

step 4 : Member checks the session key .

i n

i n n n i

n

M M i n

ID ID f ID nonce K

M K

Example

8 4

8 4 8

, ,

( || || )P

ID ID

E ID ID nonce

4 8

4 8 8 4

, ,

( || || 1|| )P

ID ID

E ID ID nonce nonce

Example

8 4

8 4 4 8

, ,

( || || 1|| )P

ID ID

E ID ID nonce K

Example1

1 1

1. ,

( || || )P

ID

E ID nonce

11

11 1 11

2. ,

( || || 1|| )P n

ID

E ID S nonce nonce

Node11 broadcast

Node1 broadcast

Example

All members compute their own session

key , and send

to the checker .

Finally, the checker will check all

member’s session key.

i nK S

11 11 11, , ( || 1|| )i iID ID f ID nonce K

11M

The proposed scheme Session key Update periodically

step 1 : where 1,2, , 1

and broadcasts , ( || || ).

step 2 : computs new session key .

step 3 : where 2,3, , -1

and send

old

Broadcastn i

n K n n n

i new old n

i n

M M i n

ID E ID S nonce

M K K S

M M i n

1s , , ( || 1|| ).

step 4 : Member checks new session key .i n n new

n

ID ID f ID nonce K

M K

Security analysis

Dynamic key agreement protocol requirements Group key secrecy Key independency Forward and backward secrecy

Security analysis

Compare with Huang & Chang’s scheme This protocol using nonce value to

prevent the replay attack. Password guessing attack does not wok.

Security analysis Performance Discussion

Methods G-DH2Hypercube

DH-LKHHuang & Chang

The proposed scheme

Rounds n logn logn logn+1 3logn+3

Multicast messages

1 0 logn 2 3

Unicast messages

n-1 nlogn 0 3n-4 4n-7

Message size grows

Y N Y Y N

DH key exchange

n (logn)/2 logn-1 0 0

Computation

If i<n (i+1)EXP

If i = 1

nEXP

If i<=n

(logn)EXP

If i<=n

(logn+1)EXP

If i<n

3H+1E+1D+4X

If i=n

1H+(n-1)E+2X

If i<n

2H+4E+4D+3X

If i=n

1H+1E+1D+1X

Conclusion

Adding mutual authentication to avoid replay attack.

Modifying transcripts to prevent password guessing attack.

Periodical session key updating makes the ciphertext or chosen plaintext attack have no chance to happen.

The system can work well in the MANET environment.