Design an efficient three-party authenticated key exchange protocol in the cloud environment

Transcription

1 Design an efficient three-party authenticated key exchange protocol in the cloud environment Chung-Yi Lin a, *, Yuh-Min Chen a, Shu-Yi Liaw b, Chen-Hua Fu c a Institute of Manufacturing Information Systems, National Cheng Kung University, Tainan, ROC b Department of usiness dministration, National Pingtung University Science Technology, Pingtung, ROC c Department of Information Management, National Defense University, Taipei, ROC * Corresponding author address: p @gmailcom STRCT With the emergence of cloud, conventional threeparty authenticated key exchange (3PKE) protocols face two common problems; one is that the server users are not in the same domain, therefore, the shared authenticated keys may be unknowingly compromised The other problem is these protocols require higher on-line computation cost on-line communication cost during session key agreement, which can create excessive overhead for cloud clients using devices with low computational capacity This paper proposes a novel protocol based on the self-verified token pair scheme employed by Chen et al The proposed protocol does not require that the authenticated keys be stored in clouds to achieve user authentication Furthermore, it overcomes the security threats existing in the protocol developed by Chen et al improves the performance in session key agreement to make it suitable for 3PKE in cloud environments Keywords: 3PKE, uthenticated key exchange, Cloud environment I INTRODUCTION Since the first key exchange protocol was proposed by Diffie Hellman [1], a number of researchers have proposed schemes with similar authentication functions such as [2][3][4][5] Steiner et al proposed that users share their authenticated keys with a trusted server for mutual authentications in subsequent session key agreements [6] This became known as the three-party authenticated key exchange (3PKE) protocol However, the protocol developed by Steiner et al is unable to detect on-line guessing or off-line password-guessing attacks To eliminate the threat of such attacks, some schemes using server public keys such as [7][8] Nevertheless, these schemes rely on public-key infrastructure create excessive computational overhead, making them unsuitable for environments with limited computational resources lthough recent 3PKE protocols such as [9][10][11][12] do not use server public keys, the emergence of cloud presents new challenges First of all, the server the users are not necessarily in the same trusted domain Even if a cloud could replace the server assist two communication parties in mutual authentication, storing the shared authenticated keys in the cloud would pose the risk of keys being compromised The equipment used by cloud clients, such cell phones e-readers, are extremely limited with regard to computational capabilities, memory, communication bwidth, battery power [13][14] The means of adapting conventional 3PKE protocols to cloud environments is thus an issue worthy of further investigation For cloud clients using 3PKE with such devices, we concur that some of the systems applications may be required to expend on-line resources for computation communication simultaneously, which could lead to excessive overhead Chen et al proposed a protocol with a self-verified token pair scheme that does not require the additional storage of sensitive tables in the server to achieve user authentication [15] In this scheme, the server hides the secret key derived in the self-verified token pair given to a specific user Subsequently, the server requires only its private key the self-verified token pair sent by the user to obtain the shared authenticated key This provides an ideal method to secure authenticated keys stored in clouds; however, Yang Chang pointed out that this protocol is unable to withst stolen-verifier attacks [16] Nose further noted that once an adversary obtains an authenticated key, a key-compromise impersonation attack can be initiated [17] Yang Chang also pointed out that the protocol proposed by Chen et al requires higher on-line computational costs communication loads in reaching session key agreement, therefore, the protocol is inappropriate for the limited resources of mobile devices To develop a 3PKE protocol suitable for cloud environments, this paper proposes a novel protocol based on the scheme established by Chen et al with the objective of obtaining better security performance in session key agreement II PRELIMINRIES System model Figure1 illustrates the proposed system model The participating parties include Initiator, Responder, the cloud To achieve mutual authentication, must register with the cloud to obtain the respective authenticated keys that the cloud shares with them eforeh, generate the rom exponents components required to produce the session key as well as the verification values of their components During session key agreement, exchange their components, through the cloud, they exchange the verification values of their components When receive the verification value, they use it to verify the integrity of the component sent to them earlier Subsequently, when wish to establish secure communication at a specific time, they can use their own rom exponent the component from the other party to generate a common session key

2 Initiator Cloud Responder Step 3 retrieves Step 4 rn c _ rn h psw computes c _ sk sk k1 rn k 1 h psw, rn Step 5 saves c sk, tok1 _ s component s verification value of component s component s verification value of component undergoes the same procedure saves c _ sk, tok1 Figure 1 Conceptual model TLE I NOTTIONS Security requirements We assume that two types of adversaries exist in the environment: illegal (unregistered) malicious users, referred to as external adversaries, legal (registered) malicious users, referred to as internal adversaries oth types of adversary may attempt to steal the shared authenticated keys private rom exponents through stolen-verifier attacks to enable impersonation attacks crack session keys Internal adversaries may also try to impersonate Initiator or Responder through cloud authentication during session key agreement, thereby tricking the other party into opening a session with them In view of the above, we conclude that the security requirements include (1) ensuring the confidentiality of the shared authenticated keys the private rom exponents to oppose stolen-verifier attacks (2) ensuring that internal adversaries are unable to perform impersonation-of-initiator attacks or impersonation-of-responder attacks III PROPOSED PROTOCOLS The notation used in the proposed protocol is presented in TableⅠ Sections describe the phase, procedures computation steps Initialization phase In this phase, perform the same procedures Take for instance 1) Registration procedure: Prior to this procedure, must first select generate a rom number before Then, applies for registration in the cloud: c _ rn rn h psw rn 1 rn q psw Step 1 The cloud generates a rom number sk H, 1 q computes ID Step 2 Cloud computes g mod p generates selfverified token pair through Then, cloud delivers to tok 1 h, ID tok1 q tok2 x tok1 mod sk, tok1, tok2 Notations Definition h a collision-free one way hash function the exclusive operator the concatenation operator p, q two large primes, whereby g x sk, sk tok1 tok1 ra, ra R, R k1, k1 a generator, g q 1mod p q p 1 in Z * p the private key of the cloud the authenticated keys generated by the cloud shared with, the self-verified token pairs generated by the cloud for, the rom exponents generated by, the components of session key generated by, the encryption keys used by, to encrypt their authenticated key k2, k2 the encryption keys used by, to encrypt their v, v vc, vc v _ R, v _ R 2) Pre-process procedure: Step 1 Step 2 rom component identity verification values generated by identity verification values generated by the cloud to give to the verification values generated by for their component generates one time rom number ra computes R g mod p retrieves by k 2 h rn, psw rn c _ rn h psw rn Step 3 computes into n blocks with the same bit-, such as, Step 4 divides lengths as computes Step 5 R saves ra k2 ra Z * p r 1, r2,, rn c1,, cn r1 k2, rn k2 R c1,, cn, undergoes the same procedure saves c _, ra KE phase: 1) Round 1:

3 Step1 retrieves k 1 hpsw, rn Step2 retrieves Step3 generates Step4 generates identity verification value Step5 sends to the cloud, respectively k1 sk c _ sk k1 v _ R h ID, R T sk v _ R v h ID, T, v _ R, sk rn c _ rn h psw R ID, ID, ID, T, v _ R, v, tok1 2) Round 2: Upon receiving the message delivered by, does the following: k1 Step 1 retrieves Step 2 retrieves sk Step 3 generates Step 4 generates identity verification value Step 5 sends to the cloud, respectively, saves temporarily Similarly, upon receiving the message from, saves temporarily rn c _ rn h psw sk c _ sk k1 v _ R h ID, R T v h ID, T, v _ R, sk v _ R k 1 h psw, rn ID, R ID, ID, T, v _ R, v, tok1 R R 3) Round 3: fter receiving the messages from, the cloud follows the steps below: Step1 The cloud authenticates Step11 Step12 The cloud verifies whether the timestamps respectively created by are fresher than those of the last request The cloud retrieves sk ' H, ' Similarly, the cloud sk' ' tok2 xtok1 mod q also ID retrieves sk' by ' tok2 xtok1 mod q sk ' H ID, ' Step13 The cloud verifies v v, such as v?hid,t,v _ R,sk' v?h ID,T,v _ R,sk' Step14 The cloud generates vc H ID,v_ R,sk' vc H ID respectively Step15 The cloud sends ID, ID, vc vc vc,v _ R,sk' ID, ID, vc, such as for, to, respectively Upon receiving the message from the cloud, respectively use R R to verify vc vc,such as vc?hid,hid,r, sk If they pass verification, then, vc?h ID,h ID,R sk R R confirm the integrity of Thereafter, when wish the establish secure communication at a given time, computes, retrieves rn c _ rn h psw ra k 2 h rn, psw, obtains the common session key session key retrieves ra ra c1 k2 cn k2 R ra mod p In the same manner, obtains the common session key by session key p R ra mod IV SECURITY NLYSIS In this section, we assess whether the proposed protocol meets the security requirements efore the security demonstration, we emphasize the following facts to assist in security analysis: (1) discrete logarithm problems (DLP) D-H problems (DHP) are difficult to solve, (2) one way hash functions are collision-free irreversible, (3) clouds can protect their private keys from being compromised These are widely accepted baselines in security Furthermore, we assume that one way hash functions rom number algorithms are sufficiently secure have the same bit-lengths In addition to the original parties,, the cloud, the parties of the security demonstration also include external adversary internal adversary Proposition1: The proposed protocol can withst stolen-verifier attacks We use party is attacked as an example The proof of our proposition is as follows To ensure the confidentiality of authenticated key rom exponent, computes to generate encryption keys k2 Then, uses to encrypt sk as uses k2 to encrypt the blocks divided from, thereby deriving s or use the same attack approaches, we will explain the attack using an attack by as an example Suppose attacks steals c _ sk, c _ ra, k 1 h psw, rn sk k1 c _ sk sk k1 r1 k1,, rn k1 c _ rn k2 c _ rn k 2 h rn, psw ra To obtain sk ra k1 ra, must first gain k1 rn from h psw, cannot know Therefore, attempts to gain psw or ecause c _ rn rn

4 either or Even if performs a brute force attack, they cannot differentiate the real or from Consequently, can only guess Say are both 128 bits The chances of correctly guessing or is 1/2 128, thus, it is unlikely that will be able to derive or This demonstrates that the proposed protocol can achieve our proposition k2 psw rn psw rn psw c _ rn rn k1 The protocol can withst impersonation attacks The proof of Proposition 1 shows that neither nor can obtain the authenticated key of s a result, they cannot pass the authentication of the cloud with messages forged as though they were from However, possesses a shared authenticated key with which both impersonation-of-initiator impersonation-of-responder attacks could be attempted elow is our proof with regard to Proposition 2 CSE 1 Impersonation-of-initiator attack: Suppose impersonates attempts to establish a session with sends to the cloud, respectively Upon receiving the message, sends to the cloud, respectively Subsequently, must intercept messages from the channel between tamper with the message from the channel between the cloud by changing it to in an attempt to pass the authentication of the cloud will think that they are establishing a session with when in fact they are doing so with However, cannot impersonate because the verification value generated by is ; if changed to, the cloud would discover that v hid,t,c_ R, sk s a result, would be unable to pass the authentication of the cloud ID, ID, T, c _ R, v, tok1, tok 2 ID, v _ R v h ID ID, v _ R ID, ID, T, c_ R, v, tok1 ID,ID,T,cR,v, tok1,t,c _ R, sk ID ID CSE 2 Impersonation-of-responder attack: Supposing wishes to establish a session with, sends ID, v _ R ID, ID, T, c _ R, v, tok1, tok2 to the cloud, respectively tampers with the message from the communication channel between the cloud by changing it to intercepts the messages in the communication channel between Moreover, sends ID, ID, T, c _ R, v, tok1 ID, ID, T, c_ R, v, tok1, tok 2 ID, v _ R to the cloud, respectively, in an attempt to pass the authentication of the cloud make think a session is being established with, when in fact the session is with However, is unable to impersonate because the verification value generated by is v hid, T, c _ R, sk ; if changed ID to ID, the cloud would discover that s a result, would be unable to pass the authentication of the cloud v h ID, T, c _ R, sk V EFFICIENCY NLYSIS We compared the proposed protocol with that proposed by Chen et al with regard to performance in communication costs on-line computation costs Communication cost We compared the communication costs of the two protocols with regard to communication efficiency the size of messages being transmitted 1) Communication efficiency: We used the number of rounds times of communication to examine the communication efficiency of the protocol The proposed protocol requires 3 rounds 6 communications In contrast, the protocol proposed by Chen et al requires 3 rounds 7 communications The protocol proposed in this paper demonstrates superior communication efficiency 2) Message transmission size: Chen et al assumed that the sizes of q are 1,024 bits 160 bits, the output size of one way hash function is 128 bits, the size of the timestamp is 96 bits, the size of ID is negligible We thus compared the sizes of messages transmitted from 3 rounds using the proposed protocol that proposed by Chen et al based on the aforementioned assumptions Figure 2 presents the results In both the first second rounds, the costs of the proposed protocol were * bits, whereas in the third round, the cost was 2*128 bits Thus, the total size of messages transmitted was 3584 bits This result is approximately 2240 bits smaller than that using the protocol proposed by Chen et al On-line computation cost: The session key agreement requires on-line computation; therefore, we compared the proposed protocol that proposed by Chen et al with regard to the computation costs required in the KE phase The symbols used to analyze the computation cost are presented in Table Ⅱ s introduced in previous studies as [18][19][20], the relationships of the various computation costs can be determined as shown in Table Ⅲ Table Ⅳ compares the total computation costs required by,, the server (cloud) in the proposed protocol that proposed by Chen et al Figure 3 displays the computation costs required in each round To facilitate the comparisons in Figure 3, we converted the costs of T EXP T MUL into cost of T H The results of the comparisons indicate that the proposed protocol imposes significantly lower computation costs than that proposed by Chen et al with the exception of the cloud, which induces computation costs higher than those of the server in the protocol developed by Chen et al Regardless, clouds are likely to have greater computation capabilities, therefore, such costs will not cause excessive computational overhead p

5 Symbol T EXP T MUL T DD T H T Figure 2 Comparison of size of messages transmitted TLE II SYMOLS USED TO NLYZE COMPUTTION COSTS Definition Cost of one modular exponential operation Cost of one modular multiplication operation Cost for one modular addition operation Cost of one hash function operation Cost of one exclusive OR operation TLE III RELTIONSHIPS MONG VRIOUS OPERTIONS 3PKE Chen et al 1 T EXP 240 T MUL 1 T EXP 600 T H 1 T H 04 T MUL T DD is negligible T is negligible TLE IV COMPRISON OF COMPUTTIONL COSTS 2T EXP+ 4T H 2T EXP+ 4T H proposed 7T H 7T H Computation cost Server (Cloud) 2T MUL+ 6T H 2T MUL+ 12T H Total 4T EXP+2T MUL+ 14T H 2T MUL+26T H Figure 3 Comparison of computational costs required in each round The above analysis demonstrates that the proposed protocol has better communication efficiency transmits smaller messages that the protocol developed by Chen et al Furthermore, in the KE phase, the proposed protocol significantly reduces computational costs for the two communication parties with regard to session key agreement VI CONCLUSION The objective of this paper was to improve the protocol proposed by Chen et al in terms of security performance during session key agreement to make it applicable to 3PKE in cloud environments Security analysis shows that the proposed protocol is able to withst stolen-verifier attacks as well as impersonation attacks Efficiency analysis indicates that the proposed protocol has higher communication efficiency transmits smaller messages than the protocol developed by Chen et al In addition, the proposed protocol significantly reduces the overhead of on-line computation for the two communication parties during session key agreement We can thus conclude that the proposed protocol is suitable for 3PKE in cloud environments This paper assumes that the cloud is honest follows the required security service agreement However, malicious clouds are still possible, we therefore plan to develop a 3PKE protocol capable of withsting malicious attacks even from the clouds themselves REFERENCES [1] W Diffie, MHellman, New directions in cryptography, IEEE Trans Inform Theory, vol 22, pp644 54, 1976 [2] SM ellovin, M Merrit, Encrypted key exchanged: Password-based protocols secure against dictionary attacks, in: Proc of IEEE Symposium on Security Privacy, pp72 84, 1992 [3] V oyko, P Mackenzie, S Patel, Provably secure password authenticated key exchange using Diffie- Hellman, in: Proceedings of EUROCRYPT 2000, dvances in Cryptology Springer-Verlag, pp , 2000 [4] O Goldreich, Y Lindell, Session-key generation using human passwords only, in: Proceedings of CRYPTO 2001, dvances in Cryptology Springer- Verlag, vol 2139, pp , 2001 [5] R Gennaro, Y Lindell, framework for passwordbased authenticated key exchange, In: Proceedings of EUROCRYPT 2003, dvances in Cryptology Springer- Verlag, vol 2656, pp , 2003 [6] M Steiner, G Tsudik, M Waidner, Refinement extension of encrypted key exchange,, CM SIGOPS Operating Systems Review, vol 29, pp22-30, 1995 [7] CL Lin, HM Sun, THwang, Three-party encrypted key exchange: attacks a solution, CM SIGOPS Operating System Review, vol 34, pp12-20, 2000 [8] H-M Sun, -C Chen, T, Hwang, Secure key agreement protocols for three-party against guessing attacks, The Journal of Systems Software, vol 75, pp63-68, 2005 [9] R Lu, Z Cao, Simple three-party exchange protocol, Computers & Security, vol 26, pp94-97, 2007 [10] TF Lee, T Hwang, Simple password-based three-party authenticated key exchange without server public keys, Information Sciences, vol180, pp , 2010 [11] TY Chang, MS Hwang, WP Yang, communication-efficient three-party password authenticated key exchange protocol, Information Sciences, vol 181, pp , 2011 [12] C Lv, M Ma, H Li, J Ma, Y Zhang, n novel threeparty authenticated key exchange protocol using one-time key, Journal of Network Computer pplication, vol 36, pp , 2013

6 [13] M Conti, et al, Looking ahead in pervasive : Challenges opportunities in the era of cyber physical convergence, Journal of Pervasive Mobile Computing, vol 8, pp2-21, 2012 [14] Q Shi, N Zhang, D-L Jones, Efficient autonomous signature exchange on ubiquitous networks, Journal of Network Computer pplication, vol35, pp , 2012 [15] TZ Chen, W Lee, H Chen, round- computation-efficient three-party authenticated key exchange protocol, The Journal of Systems Software, vol 81, pp , 2008 [16] JH Yang, CC Chang, n efficient three-party authenticated key exchange protocol using elliptic curve cryptography for mobile-commerce environments, The Journal of Systems Software, vol 82, pp , 2009 [17] P Nose, Security weaknesses of authenticated key agreement protocols, Information Processing Letters, vol 111, pp , 2011 [18] YP Liao, SS Wang, secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Stards & Interfaces, vol31, pp24-29, 2009 [19] Z Li, J Higgins, M Clement, Performance of finite field arithmetic in an elliptic curve cryptosystem, IEEE Computer Society, pp , 2001 [20] RC Wang, WS Juang, CL Lei, Web Metering Scheme for Fair dvertisement Transactions, International Journal of Security Its pplications, vol 2, pp49-56, 2008