AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS

Transcription

1 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence Electrcal Engneerng, Unversty of Mssour-Kansas Cty, MO 64110, USA [email protected] 2 Key Laboratory of Network Securty and Cryptology, Fuan Normal Unversty, Fuan, 35007, P. R. Chna ABSTRACT [email protected] Group communcaton mples a many-to-many communcaton and t goes beyond both one-to-one communcaton (.e., uncast) and one-to-many communcaton (.e., multcast). Unlke most user authentcaton protocols that authentcate a sngle user each tme, we propose a new type of authentcaton, called group authentcaton, that authentcates all users n a group at once. The group authentcaton protocol s specally desgned to support group communcatons. There s a group manager who s responsble to manage the group communcaton. Durng regstraton, each user of a group obtans an unque token from the group manager. Users present ther tokens to determne whether they all belong to the same group or not. The group authentcaton protocol allows users to reuse ther tokens wthout compromsng the securty of tokens. In addton, the group authentcaton can protect the dentty of each user. KEYWORDS User authentcaton; Group communcaton; Secret sharng; Ad hoc network; Strong t -consstency 1. INTRODUCTION User authentcaton s one of the most mportant securty servces n computer and communcaton applcaton. Knowledge based authentcaton (e.g., password) [16,9] and key based authentcaton (e.g., publc/prvate key) [7,12] are the two most popular approaches. Knowledge based authentcaton has some securty flaws. Most users lke to use smple and short passwords. However, Internet hackers can easly crack smple passwords. Publc-key based authentcaton needs a certfcate authorty (CA) to provde the authentcty of publc keys. In addton, publc-key computatons nvolve large ntegers. Computatonal tme s one of the man concerns for publc-key based authentcaton. All user authentcaton protocols [10,6] are one-to-one type of authentcaton where the prover nteracts wth the verfer to prove the dentty of the prover. For example, the RSA dgtal sgnature [13] s used to authentcate the sgner of the sgnature. In ths approach, the verfer sends a random challenge to the prover. Then, the prover dgtally sgns the random challenge and returns the dgtal sgnature of the challenge to the verfer. After successfully verfyng the dgtal sgnature, the verfer s convnced that the prover s the one wth the dentty of the publc key used to verfy the dgtal sgnature. In wreless communcatons, when a moble subscrber wants to establsh a connecton wth the base staton, the subscrber and the base staton nteract to DOI : /nsa

2 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 establsh mutual authentcaton. Mutual authentcaton can prevent an llegtmate subscrber from usng the servce and prevent the fake base staton from harmng the subscrber. Network applcatons are no longer ust one-to-one communcaton; but nvolve multple users ( 2). Group communcaton [14,2] mples a many-to-many communcaton and t goes beyond both one-to-one communcaton (.e., uncast) and one-to-many communcaton (.e., multcast). In ths paper, we propose a new type of authentcaton, called group authentcaton, whch authentcates all users n a group at once. The group authentcaton protocol s specally desgned to support group communcatons. The group authentcaton s defned to nvolve multple users and users want to convnce each other that they all belong to the same group wthout revealng ther denttes. In the group authentcaton, each user acts as both the prover and the verfer. Group authentcaton s extremely mportant n an ad hoc network because ths network s temporarly establshed by multple users and these users want to use ths network to exchange secret nformaton. Devsng protocols to provde group authentcaton n ad hoc networks s extremely challengng due to hghly dynamc and unpredctable topologcal changes. As a result, there are two popular models to provde group authentcaton servces n an ad hoc network. The frst model nvolves a centralzed authentcaton server (AS) [11,3] and the second model has no AS [5,4]. In the frst model, AS manages the access rghts of the network. For example, Bhakt et al. [3] proposed to adopt Extensble Authentcaton Protocol (EAP) n the IEEE 802.1x standard for wreless ad hoc network. Ths approach requres to set up the AS and have moble users to access to the AS servce. In fact, n some stuatons, the second model s the only way to provde group authentcaton. For example, n an ad-hoc network communcaton, there has no AS servce avalable to moble users. In the second model, each user needs to take n charge of authentcatng other users. In a straghtforward approach, f there are n users n the group, each user can use the one-to-one authentcaton protocol for n 1 tmes to authentcate other users. Computatonal tme s one of the maor concerns n ths approach. In ths paper, we ntroduce a specal type of group authentcaton whch provdes an effcent way to authentcate multple users belongng to the same group wthout revealng dentty of each user. Our proposed protocol s no longer a one-to-one type of authentcaton. It s a many-to-many type of authentcaton. Unlke most user authentcaton protocols that authentcate a sngle user each tme, our proposed protocol authentcates all users of a group at once. In our proposal, each user needs to regster wth a group manager (GM) to become a group user. Lke the trusted dealer n Shamr's (, tn ) secret sharng scheme [15], the GM needs to select a secret polynomal and compute token for each user. Based on these tokens, our protocol can establsh group authentcaton for all users at once. The group authentcaton protocol allows users to reuse ther tokens wthout compromsng the securty of tokens. Our proposed protocol supports exstng wreless communcaton network ncludng wreless ad hoc network. The rest of ths paper s organzed as follows. In next secton, we nclude some prelmnares. In Secton 3, we ntroduce the model of our proposed group authentcaton. In Secton 4, we present basc one-tme group authentcaton protocol; n Secton 5, we present group authentcaton protocol wthout revealng tokens. We conclude n Secton 6. 10

3 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May PRELIMINARIES 2.1. Revew of Shamr's secret sharng scheme [15] In Shamr's ( tn, ) secret sharng scheme based on the polynomal, there are n shareholders and a mutually trusted dealer. The scheme conssts of two algorthms: a) Share generaton algorthm: the dealer frst pcks a random polynomal of degree t 1, t 1 f( x) at 1x a1xa0 mod p, such that the secret s satsfes f (0) a0 s and all coeffcents, a 0,a 1,..a t-1 Z P, p s a prme wth p s. The dealer computes shares, f ( x ), for 1, 2,, n, and dstrbutes each share f ( x ) to shareholder U secretly. b) Secret reconstructon algorthm: t takes any t or more than t shares, for example, shares (.e., t n), ( x1, f( x1)),( x2, f( x2)),,( x, f( x)), as nputs, and outputs the secret s usng Lagrange nterpolatng formula as x s f( x ) mod p. r 1 r1, r x xr We note that the above algorthms satsfy the basc requrements of the secret sharng scheme, that are, (1) wth the knowledge of any t or more than t shares, shareholders can reconstruct the secret s ; and (2) wth the knowledge of any t 1 or fewer than t 1 shares, shareholders cannot obtan the secret s. Shamr's secret sharng scheme s uncondtonally secure snce the scheme satsfes these two requrements wthout makng any computatonal assumpton. For more nformaton on ths scheme, please refer to the orgnal paper [15] Harn and Ln's defnton on strong t -consstency [8] Benaloh [1] presented a noton of t -consstency to determne whether a set of shares s generated from a polynomal of degree t 1 at most. Recently, Harn and Ln [8] proposed a new defnton of strong t -consstency whch s the extenson of Benaloh's defnton. Defnton 1 (Strong t -consstency [8]). A set of n shares (.e., t n) s sad to be strong t - consstent f (a) any subset of t or more than t shares can reconstruct the secret, and (b) any subset of fewer than t shares cannot reconstruct the secret. It s obvous that f shares n Shamr's secret sharng scheme are generated by a polynomal wth degree t 1 exactly, then shares satsfy the securty requrements of a ( tn, ) secret sharng scheme and these shares are also strong t -consstent. Checkng strong t -consstency of n shares can be executed very effcently by usng Lagrange nterpolatng formula. In fact, to check whether n shares are strong t -consstent or not, t only needs to check whether the nterpolaton of n shares yelds a polynomal wth degree t 1 exactly. If ths condton s satsfed, we can conclude that all shares are strong t -consstent. However, f there are some llegtmate shares, the degree of the nterpolatng polynomal of these n shares s more than t 1 wth very hgh probablty. In other words, these n shares are most lkely to be not strong t -consstent. The property of strong t -consstency wll be used n Secton 5 of our protocol to check strong t -consstency of n shares wthout revealng tokens. 11

4 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May MODEL 3.1. Enttes a) Group Manager (GM): A group manager s responsble to regster users to form a group. The responsblty of GM s to ssue a secret token to each user durng regstraton. Later, authentcaton s based on the secret tokens. Snce tokens are used n authentcaton, denttes of users are protected. In order to prevent malcous users to reveal ther tokens to attackers, each token s a unque nteger. The secret tokens are shares of the polynomal generated by the GM. b) Group Users: Jon a group and become a group user, each user needs to regster wth the GM. After beng successfully regstered, each user receves a secret token from the GM. Each user wth a unque token can prevent malcous users to gve ther tokens to mpersonators. c) Attackers: We consder two types of attackers, the nsde attackers and the outsde attackers. The nsde attackers are users who are legtmate users and own legtmate tokens from the GM. We consder that the nsder attackers may collude to forge tokens for non-users. The outsde attackers are mpersonators who do not own any tokens and try to mpersonate users to fal the authentcaton protocol. We also assume that the GM does not collude wth any user. If the GM colludes wth any user by revealng the secret of the GM to the user, the colluded user can do harm to the group. In addton, we assume all users act honestly n the authentcaton. If any use acts dshonestly by revealng a nvald value, the authentcaton s faled Authentcaton outcomes There are only two possble outcomes of a group authentcaton; that are, ether yes or no. If the outcome s yes, t means that all users belong to the same group; otherwse, there are mpersonators. 4. BASIC ONE-TIME GROUP AUTHENTICATION PROTOCOL In the followng dscusson, we assume that there are n users, M1, M2,, Mn, regstered at the GM to form a group System set up Durng regstraton, GM constructs a random ( t 1) -th (.e., t n) degree polynomal f ( x ) wth f (0) s, and computes secret tokens of users as y f( x), for 1, 2,, n, where x s the publc nformaton assocated wth user M. GM sends each token y to user M secretly. GM makes H() s publcly known, where H s a one-way functon. Remark 1. The threshold t s an mportant securty parameter that affects the securty of group authentcaton protocols. Usng a ( tn, ) secret sharng scheme to ssue tokens n the regstraton can prevent up to t 1 nsde attackers, who are legtmate users, colluded together to forge tokens. 12

5 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May Basc one-tme group authentcaton protocol From now on, we assume that there are users wth ther tokens f ( x1), f( x2),, f( x ) where t n, who want to execute the group authentcaton protocol. The basc dea of ths protocol s that each user releases the token obtaned from the GM durng regstraton. If all released tokens are vald, the nterpolaton of the released tokens can reconstruct the secret s. The publshed one-way hash of the secret s used to compare wth the one-way hash of the reconstructed secret. Theorem 1. Protocol 1 can detect any number of llegtmate users. Proof. If there s llegtmate user who does not own a vald token on the polynomal f ( x ), the reconstructed secret wll be dfferent from the secret s. Thus, Protocol 1 can detect any number of llegtmate users. Protocol 1: One-tme group authentcaton protocol Step 1. Each user M reveals hs token f ( x ), to all other users smultaneously. Step 2. After knowng all tokens, f ( x ), for 1, 2,,, followng Lagrange nterpolatng xr formula, each user computes s f( x ) mod p. If H ( s) H( s), all 1 r1, r x xr users have been authentcated successfully; otherwse, there are llegtmate users. Remark 2. Ths s a one-tme authentcaton protocol snce the secret and tokens are revealed to all users n ths protocol. The authentcaton s no longer a one-to-one authentcaton and t s a many-to-many authentcaton. The proposed protocol s very effcent to authentcate multple users belongng to the same group wthout revealng dentty of each user. 5. GROUP AUTHENTICATION PROTOCOL WITHOUT REVEALING TOKENS In Protocol 1, snce tokens are revealed to all users, each token can only be used for one-tme authentcaton. In addton, the secret s s also exposed to users n Protocol 1. In the followng dscusson, we propose a way to protect tokens. In addton, the secret does not need to be recovered n each authentcaton. Our authentcaton s based on the property of strong t - consstency n Secton Group authentcaton protocol wthout revealng tokens In the followng protocol, t can be acheved authentcaton wthout revealng tokens and the secret. The basc dea of our approach uses the property of strong t -consstency. Let each user select a random polynomal wth ( t 1) -th degree and generate shares for other users. Then, each user releases the addtve sum of hs own token obtaned from the GM durng the regstraton and sum of shares of polynomals generated by users. Due to the property of secret 13

6 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 Protocol 2: Group authentcaton protocol wthout revealng tokens Step 1. Each user M selects a random polynomal, f ( x ), wth ( t 1) -th degree. For the polynomal f ( x ), user M computes shares as f( x r), for r 1, 2,,, r, for other users. User M sends each share, f( x r) to user M r secretly. Step 2. After recevng fr( x ) for r 1, 2,,, each user uses hs token f ( x ) to compute y f( x ) f ( x ) mod p. Each user releases hs value y. r r1 Step 3. After knowng y, for 1, 2,,, each user checks whether they are strong t - consstent. If they are not strong t -consstent, there are llegtmate users; else, all users have been successfully authentcated belongng to the same group. sharng homomorphsm n Secton 2.2, the released sums are shares of the secret polynomal f ( x ) of tokens and sum of polynomals generated by users. If all users act honestly and own vald tokens, the released sums should be strong t -consstent; otherwse, the released sums are not strong t -consstent. Snce users do not need to reconstruct the secret n the protocol and the tokens have not been revealed drectly, the dealer does not need to publsh the one-way of the secret s durng system set up and the tokens can be reused. Theorem 2. Protocol 2 can detect any number of llegtmate users. Proof. Due to the property of secret sharng homomorphsm, each released value, y n Step 2 s f ( x) f ( x) mod p, wth ( t 1) -th degree. the share of addtve sum of polynomals, Thus, n Step 3, all released values, r1 llegtmate user who does not own a vald token, f ( x ) 1, 2,, r y, for 1, 2,,, are strong t -consstent. If there s any, the released values, y, for, are not strong t -consstent wth very hgh probablty. Remark 3. In Step 2, the token f ( x ) cannot be computed from the revealed value y f( x ) f ( x ) mod p. Therefore, the tokens are protected uncondtonally and can r r1 be reused for multple authentcatons Computatonal complexty The most tme-consumng operaton for each user s to check the strong t -consstency of released values y for 1, 2,,, n Step 3 of Protocol 2. Followng our dscusson presented n Secton 2.2, checkng strong t -consstency needs to compute the nterpolatng polynomal of values y. The polynomal nterpolaton becomes the man computatonal task n our proposed protocol. However, the modulus p n our polynomal nterpolaton s much smaller than the 14

7 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 modulus n most publc-key cryptosystems, such as RSA cryptosystem [13]. In addton, not lke conventonal user authentcaton protocol that authentcates one user at a tme, ths proposed authentcaton protocol authentcates all users at once. Thus, the proposed authentcaton protocol s very effcent n comparng wth all exstng authentcaton protocols. 6. CONCLUSIONS We propose a specal type of group authentcaton whch s specally desgned for group communcatons such as the ad hoc wreless communcaton network. The proposed group authentcaton protocol s no longer a one-to-one type of user authentcaton and t s a many-tomany type of authentcaton that authentcates multple users at once. We frst propose an basc one-tme group authentcaton protocol and then propose a general group authentcaton protocol wthout revealng tokens. Our proposed group authentcaton s very effcent snce the computaton s based on the computaton of lnear polynomal. ACKNOWLEDGEMENTS Ths research s supported by the Natonal Natural Scence Foundatons of Chna under Grant No and the Natural Scence Foundaton of Fuan Provnce under Grant No. 2011J REFERENCES [1] Benaloh J. C., (1987) Secret sharng homomorphsms: keepng shares of a secret, n: Proceedngs of CRYPTO '86, LNCS 263, pp [2] Bruhadeshwar B. and Kulkarn S.S., (2011) Balancng revocaton and storage trade-offs n secure group communcaton, IEEE Transactons on Dependable and Secure Computng, 8 (1): [3] Catur Bhakt M. A., Abdullah A., and Jung L. T., (2007) EAP-based authentcaton for ad hoc network, n: Proc Semnar Nasonal Aplkas Teknolog Informas SNATI 07, pp. C-133-C [4] Caballero-Gl P. and Hernndez-Goya C., (2009) Self-organzed authentcaton n Moble ad-hoc networks, Journal of Communcatons and Networks, 11(5): [5] Capkun S., Buttyn, L. and Hubaux J. P., (2003) Self-organzed publc-key management for moble ad hoc networks, IEEE Transactons on moble computng, 2(1): [6] Das M. L., (2009) Two-factor user authentcaton n wreless sensor networks, IEEE Transactons on Wreless Communcatons, 8 (3): [7] Downnard I., (2002) Publc-key cryptography extensons nto Kerberos, IEEE Potentals, 21(5): [8] Harn L. and Ln C., (2010) Strong verfable secret sharng scheme, Informaton Scences, 180(16): [9] Ku W. C., (2005) Weaknesses and drawbacks of a password authentcaton scheme usng neural networks for multserver archtecture, IEEE Transactons on Neural Networks, 16(4), [10] Opplger R., Hauser R., and Basn D., (2008) SSL/TLS sesson-aware user authentcaton, Computer, 41(3): [11] Przada A. A. and McDonald C., (2004) Kerberos asssted authentcaton n moble ad-hoc networks, n: Proceedngs of the 27th Australasan Computer Scence Conference ACSC 04, 26(1), pp [12] Ren K., Yu S., Lou W., and Zhang Y., (2009) Mult-user broadcast authentcaton n wreless sensor networks, IEEE Transactons on Vehcular Technology, 58(8): [13] Rvest R., Shamr A., and Adleman L., (1978) A method for obtanng dgtal sgnatures and publckey cryptosystems, Communcatons of the ACM, 21 (2): [14] Sakarndr P. and Ansar N., (2010) Survey of securty servces on group communcatons, IET Informaton. Securty., 4(4): [15] Shamr A., (1979) How to share a secret, Communcatons of the ACM, 22(11):

8 Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 [16] Yan J., Blackwell A., Anderson R., and Grant A., (2004) Password memorablty and securty: Emprcal results, IEEE Securty & Prvacy Magazne, 2(5): Authors Len Harn receved the B.S. degree n electrcal engneerng from the Natonal Tawan Unversty n 1977, the M.S. degree n electrcal engneerng from the State Unversty of New York-Stony Brook n 1980, and the Ph.D. degree n electrcal engneerng from the Unversty of Mnnesota n In 1984, he oned the Department of Electrcal and Computer Engneerng, Unversty of Mssour- Columba as an assstant professor, and n 1986, he moved to Computer Scence and Telecommuncaton Program (CSTP), Unversty of Mssour, Kansas Cty (UMKC). Whle at UMKC, he went on development leave to work n Racal Data Group, Florda for a year. Hs research nterests nclude cryptography, network securty, and wreless communcaton securty. He has publshed a number of papers on dgtal sgnature desgn and applcatons and wreless and network securty. He has wrtten two books on securty. He s currently nvestgatng new ways of usng secret sharng n varous applcatons. Changlu Ln receved the BS degree and MS degree n mathematcs from the Fuan Normal Unversty, P.R. Chna, n 2002 and n 2005, respectvely, and receved the Ph.D degree n nformaton securty from the state key laboratory of nformaton securty, Graduate Unversty of Chnese Academy of Scences, P.R. Chna, n He works currently for the School of Mathematcs and Computer Scence, and the Key Laboratory of Network Securty and Cryptology, Fuan Normal Unversty. He s nterested n cryptography and network securty, and has conducted research n dverse areas, ncludng secret sharng, publc key cryptography and ther applcatons. 16