Provably Secure Single Sign-on Scheme in Distributed Systems and Networks




2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications

Provably Secure Single Sign-on Scheme in Distributed Systems and Networks

Jiangshan Yu, Guilin Wang, and Yi Mu
Center for Computer and Information Security Research
School of Computer Science and Software Engineering
University of Wollongong, Australia
Email: {jy898, guilin, ymu}@uow.edu.au

Abstract. Distributed systems and networks have been adopted by telecommunications, remote education, businesses, armies and governments. A widely applied technique for distributed systems and networks is single sign-on (SSO), which enables a user to use a unitary secure credential (or token) to access multiple computers and systems where he/she has access permissions. However, most existing SSO schemes have not been formally proved to satisfy credential privacy and soundness of credential-based authentication. To overcome this drawback, we formalise the security model of a single sign-on scheme with authenticated key exchange. Specially, we point out the difference between soundness and credential privacy, and define them together in one definition. Also, we propose a provably secure single sign-on authentication scheme, which satisfies soundness, preserves credential privacy, meets user anonymity, and supports session key exchange. The proposed scheme is very efficient, so that it suits mobile devices in distributed systems and networks.

Index Terms: Single sign-on, Distributed systems and networks, Soundness, Authentication, Information security.

I. INTRODUCTION

With the wide spreading of distributed computer networks, various network services have gained importance and popularity in recent years [1], [2]. Consequently, user authentication [3] has been widely used in distributed computer networks to identify a legal user who requires access to network services. To prevent bogus servers, mutual authentication should be considered, and also, a session key establishment is normally required. In addition, user privacy may be desired in distributed computing environments, since the information exchanged might be abused by some organizations for marketing purposes [4]. However, designing efficient and secure mutual authentication protocols is challenging in computer networks. Moreover, with the increasing usage of network services, a user may need to maintain more and more ID/password pairs for accessing different distributed service providers, which imposes a burden on users and service providers as well as on the communication overhead of computer networks. The single sign-on (SSO) mechanism [5] provides a good remedy to this problem, as it allows a user with a single credential to access multiple service providers. Intuitively, there are three basic security requirements for SSO schemes, namely completeness, soundness and credential privacy [6], [16]. However, to the best of our knowledge, soundness has not been formally studied yet, and how to preserve both soundness and credential privacy is still a challenge [6].

In 2000, Lee and Chang [7] first proposed an SSO scheme with user anonymity. Later, Wu and Hsu [8] pointed out that the Lee-Chang scheme suffers from a masquerading attack and an identity disclosure attack. Meanwhile, Yang et al. [9] showed that the Wu-Hsu scheme cannot preserve credential privacy either, since a malicious service provider can recover users' credentials, and then proposed an improvement to overcome this limitation. In 2006, however, Mangipudi and Katti [10] pointed out that Yang et al.'s scheme is insecure against a DoS (Denial of Service) attack and presented a new scheme. In 2009, Hsu and Chuang [11] demonstrated that both Yang et al.'s and the Mangipudi-Katti schemes do not provide user anonymity, since their schemes are vulnerable to identity disclosure attacks. To prevent such attacks, Hsu and Chuang proposed an RSA-based user identification scheme. Recently, Chang and Lee [12] pointed out that the Hsu-Chuang scheme is vulnerable to impersonation attacks and that the scheme requires additional time-synchronized mechanisms, which have unstable latency in distributed networks. Then, they proposed a user-anonymity-preserving improvement with high efficiency. The scheme uses a random nonce to replace the additional time-synchronized mechanism, does not need a PKI (public key infrastructure) for users, and suits mobile device users. However, the security analysis [6] shows that the Chang-Lee scheme fails to provide proper user authentication and to preserve credential privacy, since the knowledge proof of user authentication guarantees neither soundness nor credential privacy. As promoted in [6], it is worthwhile to overcome the flaws in the Chang-Lee scheme to obtain an efficient and provably secure scheme for mobile device users in distributed systems and networks. Moreover, the soundness of credential-based authentication should be formalised and credential privacy should be preserved.

Motivated to solve these issues, in this paper we first specify a formal model for SSO with a unified definition to formally specify soundness and credential privacy (Section II). Then, after reviewing the Chang-Lee SSO scheme in Section III and the Schnorr signature [13] in Section IV, we improve the Chang-Lee scheme by exploiting the Schnorr signature in Section V, due to its simplicity and unforgeability [14], [15], while keeping Chang-Lee's session key establishment part unchanged.

978-0-7695-4745-9/12 $26.00 © 2012 IEEE

The security of the proposed protocol is discussed in Section VI. Finally, Section VII concludes this paper.

II. FORMAL MODEL

In this section we present a formal model to define an authenticated key exchange single sign-on (AKESSO) scheme and its security requirements. Specially, we list the components (e.g. syntax) of AKESSO, define correctness, describe an adversary model, and formally specify three security properties, including secure credential-based user authentication, secure credential-based service provider authentication, and session key security.

Definition 1. An authenticated key exchange single sign-on (AKESSO) scheme comprises a trusted credential provider TCP, a group of service providers P and a group of users U. It consists of eight algorithms and one protocol: initialization algorithm Init(·), identity generation algorithm IdGen(·), credential generation algorithm CGen(·), credential verification algorithm CVer(·), user proof generation algorithm UPGen(·), user proof verification algorithm UPVer(·), service provider proof generation algorithm SPPGen(·), service provider proof verification algorithm SPPVer(·), and key exchange protocol Π.

1) Init(λ): Taking security parameter λ_0 (or λ_1) as input, outputs the public/private key pair (PK, SK) for TCP (or (PK_i, SK_i) for P_i ∈ P).
2) IdGen(RI): Taking registration information RI as input, outputs a unique identity ID_j for a user U_j ∈ U.
3) CGen(ID_j, SK): Taking an identity ID_j and TCP's private key SK as input, outputs a credential C_j for user U_j.
4) CVer(C_j, ID_j, PK): Taking credential C_j, an identity ID_j, and TCP's public key PK as input, outputs 1 or 0 for accepting or rejecting credential C_j, respectively.
5) UPGen(C_j, ID_j, PK, M): Taking a credential C_j, an identity ID_j, TCP's public key PK and a temporal message M generated in a session as input, outputs a user proof up showing user U_j's knowledge of credential C_j.
6) UPVer(up, ID_j, PK, M): Taking a user proof up, an identity ID_j, TCP's public key PK, and a temporal message M generated in a session as input, outputs 1 or 0 for accepting or rejecting up as a valid credential proof w.r.t. identity ID_j, respectively.
7) SPPGen(SK_i, M'): Taking service provider P_i's private key SK_i and a temporal message M' generated in a session as input, outputs a service provider proof spp showing P_i's knowledge of SK_i.
8) SPPVer(spp, PK_i, M'): Taking a service provider proof spp, P_i's public key PK_i, and a temporal message M' generated in a session as input, outputs 1 or 0 for accepting or rejecting spp as a valid service provider proof w.r.t. public key PK_i, respectively.
9) Π: This is a key exchange protocol run by a user U_j with private input C_j and a service provider P_i with private input SK_i. After the completion of each protocol instance, U_j will output a session key K if he/she accepts P_i. Similarly, after the completion of each protocol instance, P_i will output a session key K' if it accepts U_j. (Ideally, K and K' are expected to be the same value.)

Remark 1. The above definition focuses on public key based AKESSO with non-interactive proofs. It could be extended to support interactive proofs, where up and spp are generated by interactive protocols run by user U_j and service provider P_i. However, defining symmetric key based AKESSO will be another story, which is out of the scope of this paper.

Remark 2. Compared to Han et al.'s formal model given in [16], we require key exchange in AKESSO, and each user does not need to hold a public/private key pair. However, in Han et al.'s definition the TCP (called IdP in their paper) is less trusted, as it will not be able to impersonate any user: each user will run a zero knowledge protocol to show that he/she knows the private key corresponding to the public key embedded in his/her credential.

Before formally defining security properties, we naturally require that an AKESSO should be correct. Namely, a credential C_j generated by the trusted credential provider TCP will be valid, a user proof up issued properly by user U_j who holds a valid credential C_j will be accepted by a service provider P_i according to the UPVer algorithm, a service provider proof spp issued properly by P_i will be accepted by user U_j according to the SPPVer algorithm, and U_j and P_i will accept each other and output the same session key if they honestly run the key exchange protocol Π. Formally, we define correctness as below.

Definition 2. (Correctness) An AKESSO scheme is called correct if it satisfies all the following conditions:
1) For any RI and any key pair (PK, SK), if ID_j ← IdGen(RI) and C_j ← CGen(ID_j, SK), then CVer(C_j, ID_j, PK) = 1.
2) For any ID_j, any key pair (PK, SK) and any M, if C_j ← CGen(ID_j, SK) and up ← UPGen(C_j, ID_j, PK, M), then UPVer(up, ID_j, PK, M) = 1.
3) For any key pair (PK_i, SK_i) and any M', if spp ← SPPGen(SK_i, M'), then SPPVer(spp, PK_i, M') = 1.
4) For any user U_j with valid credential C_j and service provider P_i with private key SK_i, if both of them run the key exchange protocol Π honestly, then they will accept each other and output the same session key, i.e., K = K'.

Informally, an AKESSO scheme is secure if all the desired functionalities given in the above definition can be carried out only by the proper entities, i.e., not by attackers who

are allowed to access all possible resources in a rigorously specified adversary model. In fact, we shall define the security of SSO authentication, which corresponds to items 1) to 3), and session key privacy, which corresponds to item 4). To further define these security properties, we specify the adversary model as follows. Let TCP be the trusted authority oracle with its key pair (SK, PK), Π_{U,P} be the user oracle simulating the set of all registered users, interacting with the service provider oracle in session i, and Π_{P,U} be the service provider oracle simulating the set of all registered service providers, interacting with the user oracle in session i. A probabilistic polynomial time (PPT) adversary A can ask the following oracle queries.

1) O_1: Register(·, U). Upon receiving this query, the TCP will run the IdGen(RI_A) and CGen(ID_A, SK) algorithms, and output a new user identity ID_A with corresponding credential C_A to A, who can verify the credential by running CVer(·).
2) O_2: Register(·, P). Upon receiving this query, the system will run Init(λ_1) and output P_A's private/public key pair (SK_A, PK_A) together with identity SID_A to A.
3) O_3: Execute(U, P). Upon receiving this query, Π_{U,P} and Π_{P,U} will execute protocol Π as U and P in Π, respectively. The exchanged messages between them will be recorded and sent to A. Here, we require that neither U's credential nor P's private key has been corrupted by A via the O_1 and O_2 oracles.
4) O_4: Send(U, m, f). This query sends the message m as message flow f ∈ {0, 1, 2, ..., n} to the user oracle Π_{U,P}, which simulates a user U; the oracle then computes the message honestly in Π and sends the response back to A, where n is the total number of messages transmitted in protocol Π. If a user is the protocol initiator by default, A can also start a new session by asking Send(U, ∅, 0), where ∅ denotes the empty set.
5) O_5: Send(P, m, f). This query sends the message m as message flow f ∈ {0, 1, 2, ..., n} to the service provider oracle Π_{P,U}, which simulates a service provider P; the oracle then computes the message honestly in Π and sends the response back to A. If a service provider is the protocol initiator by default, A can also start a new session by asking Send(P, ∅, 0).
6) O_6: Reveal(Π, i). This query models the leakage of the session key in session i. This query can only be asked when a session key has been shared between a service provider and a user in session i.

Remark 3. O_3 simulates the real environment for a passive attacker A who can eavesdrop on all messages exchanged between U and P when executing protocol Π. If A knows U's credential C and P's private key SK, oracle O_3 is not necessary, as A can run protocol Π by itself on behalf of them. If A knows one of these two secrets but not both, A can run protocol Π with U (P), whose secret is not released, via executing oracle O_4 (O_5).

Remark 4. O_4 simulates the real environment for an active attacker A who may obtain a service provider P's private key SK, send message m as message flow f ∈ {0, 1, 2, ..., n} to a target user U and then get the corresponding response. To answer this oracle, U will generate his/her response according to the specification of protocol Π and send it to A. Note that if U did not receive all necessary previous messages that match this message with message flow f, this oracle request will be rejected, since it is meaningless from the viewpoint of U. Actually, O_4 also provides adversary A with oracle access to algorithm UPGen(·), since Π_{U,P} will run UPGen(·) somehow in executing Π. In our construction, UPGen(·) is the Schnorr signature generation algorithm. In this case, on the one hand, oracle O_4 may be not stronger than the signing oracle in Game-UFCMA reviewed in Section IV, since the temporal message M, one input of algorithm UPGen(·), may be jointly decided by U and A (playing the role of one P), rather than just by A. So, it may be hard for A to get U's user proof for any arbitrary message M. On the other hand, adversary A may be not weaker than the forger in Game-UFCMA, since besides O_4 we also offer other oracle queries, which may increase A's ability. We omit a similar remark which applies to O_5.

To formally define soundness and credential privacy, we first discuss the difference between them, since the majority of existing schemes only consider credential privacy. Credential privacy requires unforgeability and irrecoverableness. The former guarantees that any PPT adversary A has only a negligible probability of successfully forging a valid credential C_t of a target user U_t in the credential generation phase, while the latter requires that in the user authentication phase, any A can only recover C_t with a negligible probability. Soundness is also critical in the user authentication phase, as it ensures that any A without a valid credential can only generate a user proof up that passes user authentication with a negligible probability. The existing studies [6], [16] only focus on whether a valid credential can be forged or recovered by attackers, but do not consider whether a valid credential is definitely necessary for generating a valid user proof. We shall define these three properties as a single definition (but one for users and one for service providers). Let A^O denote an adversary A who has access to all oracle queries in O = {O_i | i = 1, 2, ..., 6} in the adversary model; let the credential holder U with identity ID and credential C, and the service provider P with identity SID and key pair (SK_P, PK_P), be two polynomial-time Turing machines. Let U and P interact with each other, and place A between U and P. ε denotes a negligible function. We define secure credential-based user authentication as follows.

Definition 3. (Secure credential-based user authentication (SCUA)) An AKESSO scheme achieves secure credential-based user authentication if any PPT adversary A has a negligible advantage Adv^SCUA(A^O) for creating a valid user proof without holding the corresponding credential. Formally,

for any PPT A,

Adv^SCUA(A^O) = Pr[(ID_t, up_t, M) ← A^O : UPVer(up_t, ID_t, PK, M) = 1] ≤ ε,

with the following restrictions: A has not obtained the credential C_t corresponding to ID_t via the O_1-Register(·, U) oracle; and A has not obtained any valid user proof up_t for message M by asking any oracle in O, in particular O_3 and O_4.

Similarly, the definition of secure service provider authentication is given below.

Definition 4. (Secure service provider authentication (SSPA)) An AKESSO scheme achieves secure service provider authentication if any PPT adversary A has a negligible advantage Adv^SSPA(A^O) for forging a valid service provider proof without holding the corresponding service provider's private key. Formally, for any PPT A,

Adv^SSPA(A^O) = Pr[(PK_t, M', spp_t) ← A^O : SPPVer(PK_t, M', spp_t) = 1] ≤ ε,

with the following restrictions: A has not obtained the private key SK_t corresponding to SID_t via the O_2-Register(·, P) oracle; and A has not obtained any valid service provider proof spp_t for message M' by asking any oracle in O, in particular O_3 and O_5.

Here, we review freshness and the test query Test(Π, i) for defining session key security [17]. An adversary can get session keys by asking O_6. We say a session key is fresh if and only if the O_6 query has not been asked w.r.t. this session. In other words, a fresh session key must be unknown to the adversary. For simplicity, we call the test query O_7, which is a game defined as follows.

O_7: Test(Π, i). In protocol Π, if Π_{U,P} and Π_{P,U} accept and share the same fresh session key in session i, then upon receiving this query, by tossing a coin b, the correct session key is returned if b = 0; otherwise, a random session key is returned. A can only ask this query one time, and A needs to output one bit b' as the result of guessing b. A's advantage in attacking the session key security (SKS) of protocol Π is defined as Adv^SKS(A^{O'}) = |2 Pr[b' = b] − 1|, where O' = O ∪ {O_7}. Session key security [17] models adversary A's inability to distinguish the real session key from a random string, as formally defined below.

Definition 5. (Session Key Security) We say an AKESSO satisfies session key security if for any PPT adversary A, Adv^SKS(A^{O'}) ≤ ε, where O' = O ∪ {O_7}.

Finally, we can give the definition of a secure authenticated key exchange single sign-on scheme.

Definition 6. (Secure Authenticated Key Exchange Single Sign-On Scheme) An AKESSO scheme is called secure if it is correct and satisfies SCUA, SSPA, and session key security.

III. REVIEW OF CHANG-LEE'S SCHEME

In 2012, Chang and Lee [12] proposed an improved efficient remote user identification scheme for mobile device users; the scheme employs the single sign-on technique, supports session key establishment, and preserves user anonymity. However, the scheme provides neither credential privacy nor soundness, according to [6]. In this section, we briefly review the Chang-Lee scheme and its drawbacks.

A. Review of the Scheme

Chang-Lee's SSO scheme consists of three phases: system initialization, registration, and user identification. The details are as follows.

1) System Initialization Phase: The trusted authority TCP determines the RSA key pair (e, d) and a generator g, and publishes the public parameters.
2) Registration Phase: In this phase, the trusted authority signs an RSA signature S = (ID ∥ h(ID))^d mod N for user U as the credential. Each service provider P needs to maintain its own RSA public parameters (ID, e, N) and private parameter d, similar to TCP.
3) User Identification Phase: In this phase, the session key is K = h(ID ∥ k), where k is the plain Diffie-Hellman session key. For identifying service providers, an RSA signature scheme is used; for user authentication, the user needs to provide a proof z = S^{h(k_2 ∥ k ∥ n)} mod N of credential S, where k_2 is the user's session key material and n is a random nonce selected by the user. For the purpose of anonymity, the random nonce n_3 and the user identity used for proof checking are encrypted via a symmetric key encryption scheme with the session key K (treated as the encryption key).
The user passes authentication if z^e mod N = SID^{h(k_2 ∥ k ∥ n)} mod N holds, and the user believes that they share the same session key if the hashed n_3 is received.

B. Review of Attacks

Two high-risk attacks on the Chang-Lee scheme are identified in [6]. The former allows a malicious P to recover the user's credential; the latter enables an adversary to pass user authentication without a valid credential. They are briefly reviewed below.

1) Credential Recovering Attack: A user U can pass authentication if he provides a valid proof z of knowledge of the credential S. To simplify the discussion, we use h to denote h(k_2 ∥ k ∥ n). So the proof is z = S^h. It is easy to see that for different proofs in different sessions, the same credential S has been "encrypted" multiple times with different h but the same modulus N. Thus, if a malicious P has been accessed twice by the same user U, then P is able to recover U's credential S by using the extended Euclidean algorithm. Let us suppose that (z_1, z_2) and (h_1, h_2), the proofs and hash values in two different sessions, satisfy gcd(h_1, h_2) = 1. Then we can find two integers a and b such that a·h_1 + b·h_2 = 1 (in Z) due to the extended Euclidean algorithm. Finally, P can recover the user credential by computing z_1^a · z_2^b mod N = S^{a·h_1 + b·h_2} mod N = S. The success rate of this attack is about 60% [6].

2) Impersonation Attack without Credentials: A small RSA public key e is assumed in this attack, where "small" requires that the binary length of e is much less than the output length of the hash function h. The rationality of this assumption is given in [6]. In the conversation, if h is divisible by e, then the adversary computes an integer b such that h = e·b, and calculates the proof z as z = SID^b, where SID = ID ∥ h(ID). The verification holds as SID^h mod N = SID^{b·e} mod N = z^e mod N. Thus, the adversary can pass user authentication without a valid credential. The success rate of the attack is about 1/e [6].

IV. REVIEW OF SCHNORR SIGNATURE

As one of the simplest, shortest, and most frequently used signature schemes, the Schnorr signature scheme [18], [13] is provably secure in the random oracle model under the assumption that the discrete logarithm problem is intractable [19], [20], [21], [15]. We now review the Schnorr signature scheme as follows.

Initialisation: The scheme is defined in a cyclic group G of order q with a generator g ∈ Z_p^*, where p and q are primes such that q | (p − 1), |q| ≥ 160, and |p| ≥ 1024. A secure hash function h(·) is also selected.

Signature Generation: To sign a message m with private key x ∈ Z_q, a signer picks randomness r ∈ Z_q, and outputs the signature (a, e, s) by computing a = g^r mod p, e = h(a, m), and s = r + x·e mod q.

Signature Verification: Given a signature (a, e, s) for message m w.r.t. public key y = g^x mod p, the verifier accepts this signature iff e = h(a, m) and g^s = a·y^e mod p.

Let us denote by Init(λ), SGen(·) and SVer(·) the initialisation algorithm, signing algorithm and verification algorithm, respectively. Formally, a signature scheme is called existentially unforgeable if any PPT forgery algorithm A can only win the following game, called Game-UFCMA, with a negligible probability [22], [23].

Setup: (pk, sk) ← Init(λ). Given a security parameter λ, a public/private key pair is generated by the initialisation algorithm and adversary A is given the public key pk.
Query: σ_i ← SGen(sk, m_i). A runs up to q times to ask the signature signing oracle in an adaptive manner. Each time, the signing oracle will reply with a signature σ_i for the message m_i chosen by A, where 1 ≤ i ≤ q.
Forge: A outputs a new message and signature pair (m*, σ*). A wins if 1) SVer(pk, m*, σ*) = 1, i.e., σ* is a valid signature for message m* under the public key pk; and 2) m* ≠ m_i for any i ∈ {1, 2, ..., q}.

V. PROPOSED SCHEME

This section presents a secure single sign-on scheme with user anonymity for remote user authentication in distributed systems and networks. We use the Schnorr signature [18], [13] to overcome the drawbacks in the Chang-Lee scheme, as their user proof cannot provide soundness and credential privacy, while the Schnorr signature can. As a provably unforgeable signature scheme [21], the Schnorr signature allows a signer to authenticate him/herself by signing a message without releasing any other useful information about his/her private signing key. In the proposed scheme, the TCP first issues the credential for each user by signing the user's identity ID according to the Schnorr signature. Then, by treating his/her credential as another public/private key pair, the user can authenticate him/herself by signing a Schnorr signature on a temporal message generated in the protocol. In contrast, each service provider maintains its own public/private key pair in any secure signature scheme, so that it can authenticate itself to users by simply issuing a normal signature. Finally, as in the Chang-Lee scheme [12], the session key is established by running a variant of the Diffie-Hellman key exchange protocol, and user anonymity is guaranteed by symmetric key encryption. The notations used in the scheme are summarised in Table I.

TABLE I
NOTATIONS USED IN THE SCHEME

TCP: The trusted credential provider
P_i: A service provider
U_j: A user
SID_i: The unique identity of P_i
ID_j: The unique identity of U_j
C_j: The credential of U_j
x: The long-term private key of TCP
y: The public key of TCP
E_k(M): Symmetric encryption of message M using key k
D_k(C): Symmetric decryption of ciphertext C using key k
h(·): A secure hash function

System Setup Phase: In this phase, TCP initializes its public and private parameters as in the Schnorr signature scheme. Firstly, TCP picks large primes p and q such that q | (p − 1), and chooses a generator g of large safe prime order q in the cyclic group G. Then, TCP sets its private key SK = x, where x ∈ Z_q is a random number, and publishes its public key PK = y, where y = g^x mod p.

Registration Phase: In this phase, a user asks TCP for registration; then TCP issues a unique identity ID_j via IdGen(RI) and signs a Schnorr signature (a, e, C) on the user's identity as the credential generation algorithm CGen(ID_j, SK). C is kept secret by the user, while (a, e) will be made public. The details are given below.

User Registration: When a user U_j asks for registration, TCP selects a unique identity ID_j and generates a credential C_j = (a, e, C) for U_j by selecting randomness r ∈ Z_q and computing a = g^r mod p, e = h(a, ID_j), and C = r + x·e mod q. Then, TCP sends identity ID_j and credential C_j, which is a Schnorr signature for ID_j, to user U_j, where C should be kept secret.

Service Provider Registration: Each P_i maintains a public/private key pair (PK_i, SK_i) of any secure signature scheme. Here, algorithms SPPGen(·) and SPPVer(·) are identical to the signature generation and verification algorithms, respectively.

[Fig. 1. Participant identification phase. Message flows between U_j and P_i: M_1 = (Req, n_1), M_2 = (k_1, v, n_2), M_3 = (ω, z, k_2), M_4 = (V).]

Authentication Phase: In this phase, to authenticate him/herself, user U_j signs a Schnorr signature on the newly established session key K using credential C as the signing key, while U_j's session key material k_2 is used as the commitment. Note that the corresponding verification key of C is g^C, which can be recovered by computing g^C = a·y^e mod p. For service provider authentication, any provably secure signature scheme can be used to authenticate a service provider in the proposed scheme. The session key is established by using a modified Diffie-Hellman key exchange scheme which has been formally proved in [12], and user anonymity and unlinkability are preserved by using symmetric key encryption to encrypt a, e, and the user's identity ID_j. The details of this phase are illustrated in Figure 1 and further explained below.

1) User U_j chooses a random nonce n_1 and sends M_1 = (Req, n_1) to P_i, where Req is a service request.
2) Upon receiving (Req, n_1), P_i picks a random number r_1 ∈ Z_q, computes its session key material k_1 = g^{r_1} mod p and u = h(k_1 ∥ SID_i ∥ n_1), signs u to get a signature v = SPPGen(SK_i, u), and sends M_2 = (k_1, v, n_2) to the user.
3) User U_j first computes u = h(k_1 ∥ SID_i ∥ n_1) and verifies the signature v by checking if SPPVer(PK_i, u, v) = 1. If the output is 0, U_j terminates the protocol. Otherwise, U_j accepts service provider P_i's authentication, and then selects a random number r_2 ∈ Z_q to compute k_2 = g^{r_2} mod p, k = k_1^{r_2} mod p, and the session key K = h(SID_i ∥ k). After that, U_j signs K using his/her credential secret C by calculating e' = h(k_2, K), z = r_2 + C·e' mod q and ω = E_K(ID_j ∥ n_3 ∥ n_2 ∥ e ∥ a), where n_3 is a nonce chosen by U_j. Finally, U_j sends M_3 = (ω, z, k_2) to service provider P_i.
4) To verify z, P_j first calculates k = k_2^{r_1} mod p, derives the session key K = h(SID_j || k), and decrypts ω with K to recover ID_i || n_3 || n_2 || e || a. Then P_j checks whether e = h(a, ID_i). If this does not hold, P_j aborts the protocol. Otherwise, the service provider computes e_2 = h(k_2, K) and verifies z by checking whether g^z = k_2 · a^{e_2} · (y^e)^{e_2} mod p. If this holds, P_j accepts U_i's authentication, believes that they have shared the same session key K, and sends V = h(n_3) as M_4 to U_i.

5) User U_i computes V' = h(n_3) and checks whether V' = V. If this holds, U_i believes that he/she has shared the same session key K with P_j.

VI. SECURITY ANALYSIS

The proposed scheme employs the Schnorr signature scheme [18][13] to generate credentials for users, uses the modified Diffie-Hellman key exchange scheme to establish the session key, signs a Schnorr signature on the hashed session key for user authentication, uses any secure signature scheme for server authentication, and uses symmetric key encryption to ensure user anonymity. A secure authenticated key exchange single sign-on (AKESSO) scheme requires secure credential based user authentication (SCUA), secure service provider authentication (SSPA), and a secure session key. To prove the security of the proposed AKESSO, we will just prove SCUA and SSPA because (1) the proposed scheme only improves the key generation, user authentication and service provider authentication parts of the Chang-Lee scheme [12], while the user anonymity and session key establishment parts have not been modified; and (2) user anonymity and session key security have been proved in [12] and discussed in [6] without revealing any problems. Now we start to formally analyse the security of the proposed AKESSO scheme.

Theorem 1. (Correctness) The proposed construction is a correct AKESSO scheme according to the correctness definition given in Section II.

Proof: This can be straightforwardly verified against the definition given in Section II. Informally, the proposed AKESSO scheme guarantees SSPA as each service provider employs a secure signature scheme.
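The registration and authentication phases above, as an added runnable example that is not the paper's own code: a toy-sized Schnorr group, the TCP's credential issuance CGen (a Schnorr signature on ID_i), and steps 1 to 5 of the authentication phase executed for both parties in one process, so the checks e = h(a, ID_i), g^C = a·y^e and g^z = k_2·(a·y^e)^{e_2} can be exercised. Assumptions: the provider's SPPGen/SPPVer are instantiated with Schnorr as well, h(·) is SHA-256 reduced into [1, q−1], and the symmetric encryption E_K of ω is omitted (its fields are passed in the clear).

```python
import hashlib, secrets

# Toy Schnorr group, constructed for illustration only: safe prime p = 2q + 1, g = 4 has order q.
p, q, g = 2039, 1019, 4

def h(*parts):
    """Hash of the '||'-concatenated parts, mapped into [1, q-1] (models h(.) in the paper)."""
    data = "||".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (q - 1) + 1

def keygen():
    """Schnorr key pair (x, y = g^x mod p); used for the TCP and, by assumption, for providers."""
    sk = secrets.randbelow(q - 1) + 1
    return sk, pow(g, sk, p)

def schnorr_sign(sk, msg, r=None):
    """Schnorr signature (a, e, s): a = g^r, e = h(a||msg), s = r + sk*e mod q."""
    r = r if r is not None else secrets.randbelow(q - 1) + 1
    a = pow(g, r, p)
    e = h(a, msg)
    return a, e, (r + sk * e) % q

def schnorr_verify(pk, msg, sig):
    a, e, s = sig
    return e == h(a, msg) and pow(g, s, p) == a * pow(pk, e, p) % p

def authenticate(uid, cred, sid, y_tcp, sk_p, pk_p):
    """Steps 1-5 of the authentication phase; returns (K_user, K_provider) or None on failure."""
    a, e, C = cred                      # credential = TCP's Schnorr signature on uid
    n1 = secrets.randbelow(q)           # step 1: U_i -> P_j : (Req, n1)
    r1 = secrets.randbelow(q - 1) + 1   # step 2: P_j signs u = h(k1||SID||n1)
    k1, n2 = pow(g, r1, p), secrets.randbelow(q)
    v = schnorr_sign(sk_p, h(k1, sid, n1))
    if not schnorr_verify(pk_p, h(k1, sid, n1), v):   # step 3: U_i checks P_j
        return None
    r2 = secrets.randbelow(q - 1) + 1
    K_user = h(sid, pow(k1, r2, p))     # K = h(SID || k1^r2)
    k2, e2, z = schnorr_sign(C, K_user, r2)   # k2 = g^r2 is both DH share and commitment
    n3 = secrets.randbelow(q)
    omega = (uid, n3, n2, e, a)         # E_K(...) in the paper; encryption omitted here
    K_prov = h(sid, pow(k2, r1, p))     # step 4: P_j derives K = h(SID || k2^r1)
    uid_r, n3_r, _, e_r, a_r = omega
    if e_r != h(a_r, uid_r):            # credential consistency check e = h(a, ID)
        return None
    vk = a_r * pow(y_tcp, e_r, p) % p   # recovered verification key g^C = a * y^e
    if not schnorr_verify(vk, K_prov, (k2, e2, z)):
        return None
    V = h(n3_r)                         # M4 = V = h(n3)
    return (K_user, K_prov) if V == h(n3) else None   # step 5: U_i checks V' = V
```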
To prove SCUA, we need to show that Definition 3 holds for the proposed AKESSO scheme by assuming the unforgeability of the Schnorr signature scheme.

Theorem 2. (Secure Credential based User Authentication) In the proposed AKESSO scheme, if there is a PPT adversary A who has a non-negligible advantage Adv^SCUA(A^O) as specified in Definition 3, then the Schnorr signature scheme is existentially forgeable under UFCMA attacks as defined in Section IV.

Proof: As adversary A, with access to all oracles in O = {O_1, ..., O_6}, has a non-negligible advantage Adv^SCUA(A^O), according to Definition 3 this implies that at least one of the following two cases is true:

Case (1): With a non-negligible probability ε, A^O is able to derive a credential C_t corresponding to an unregistered target identity ID_t.

Case (2): With a non-negligible probability ε, A^O is able to forge a valid user proof for a new message M w.r.t. a registered target identity ID_t.

Now we will prove that if either Case (1) or Case (2) is true, we can construct an algorithm B that is able to break the unforgeability of the Schnorr signature, where B runs A^O as a sub-program for fulfilling its purpose.

Case (1). Suppose that B is given a target Schnorr signature scheme with parameters (p, q, h(·)) and public key y = g^x mod p, where the private key x is not known to B. B's strategy for winning Game-UFCMA with non-negligible probability is to set up an AKESSO scheme for A and to simulate the oracles in O such that A cannot distinguish this simulated environment from a real AKESSO scheme. Therefore, A will be able to successfully derive a credential C_t for an unregistered identity ID_t with probability ε. After that, B can adapt this credential into a forged Schnorr signature for a new message and thus break the unforgeability of the Schnorr signature scheme. Now we describe how B sets up such a simulated AKESSO scheme for A. First, B sets y as the public key of TCP and gives y to A. Then each oracle O_i (i = 1, ..., 6) can be simulated as follows. To simulate an O_1 query, B can ask its own signing oracle to get a Schnorr signature C_i for each identity ID_i and then reply (ID_i, C_i) to A. To simulate an O_2 query, B can simply run Init(1^λ) to get a public/private key pair (SK_j, PK_j) for an identity SID_j, and then forward (SID_j, SK_j, PK_j) to A. As B knows all users' credentials and all service providers' private keys, it can simulate oracles O_3, O_4, O_5 and O_6 by trivially executing the whole protocol, running one move on behalf of a user, running one move on behalf of a service provider, and revealing a session, respectively.
Note that as ID_t is an unregistered identity in this case, the corresponding user U_t will not be involved in any oracle O_i (i = 1, ..., 6). It is not difficult to see that the above simulated system is indistinguishable from a real system from the viewpoint of A. Hence, A will be able to output a credential C_t for target identity ID_t with non-negligible probability ε, where ID_t is not asked in O_1 queries. Therefore, B will simply forward C_t as a forged Schnorr signature for message ID_t. Since ID_t is not asked in O_1 queries, B never asks ID_t of its signing oracle, i.e., ID_t is a new message for B. So, B's forged message-signature pair (ID_t, C_t) is valid according to the definition of Game-UFCMA (refer to Section IV). Moreover, B's success rate is exactly the same as A's, i.e., ε, which is non-negligible. Consequently, B successfully breaks the unforgeability of the Schnorr signature scheme.

Case (2). This can be proved similarly to Case (1), but B will embed its target Schnorr signature scheme in the user proof generation algorithm for a registered target user U_t with identity ID_t. Details are given as follows. Suppose that B is given a target Schnorr signature scheme with parameters (p, q, h(·)) and public key y = g^x mod p, where the private key x is not known to B. First, B sets y_1 = g^{x_1} mod p as the public key of TCP by selecting a random number x_1 as TCP's private key. For any identity ID_i except the target identity ID_t, to answer an O_1 query B can directly issue a credential C_i for ID_i by generating a Schnorr signature on ID_i, as B knows TCP's private key x_1. In contrast, B will take (a, e, x) as the credential C_t for the target identity ID_t, where e ∈ {0, 1, ..., q−1} is a random number, a ∈ Z_p is set as a = y · y_1^{−e} mod p, and h(a, ID_t) is set to e. So we have g^x = a · y_1^{h(a, ID_t)} mod p. Note that B does not know the value of x, and it will not be required to reveal C_t to A because ID_t is the target identity.
In addition, here we can artificially fix the hash value for such a special input (a, ID_t) because the Schnorr signature is secure in the random oracle model, where the hash function can be viewed as a random function []. All other oracles in O can be simulated as in Case (1), except when A asks O_3 and O_4 queries in which U_t with identity ID_t is involved. In such scenarios, B can simulate U_t to output a valid user proof up_t w.r.t. credential C_t by executing the whole protocol or running one move with the necessary help from its own signing oracle w.r.t. public key y. Again, it is not difficult to see that the above simulated system is indistinguishable from a real system from the viewpoint of A. Hence, with probability ε, A will be able to output a valid user proof up_t for a message M w.r.t. target identity ID_t, where M is not asked in O_3 and O_4 queries. Therefore, B can simply forward up_t as a forged Schnorr signature for message M. Since M is not asked in O_3 and O_4 queries, B never asks M of its signing oracle, i.e., M is a new message for B. So, B's forged message-signature pair (up_t, M) is valid according to the definition of Game-UFCMA (refer to Section IV). Moreover, B's success rate is exactly the same as A's, i.e., ε, which is non-negligible. Consequently, B successfully breaks the unforgeability of the Schnorr signature scheme.

Remark 5. In Case (1), A^O could directly forge C_t, recover C_t after executing the protocol with user U_t or eavesdropping on the transcripts between U_t and some service providers, or derive C_t in any other possible way, though A^O is not allowed to obtain C_t by trivially asking the O_1 oracle w.r.t. ID_t. Hence, this means that if our AKESSO fails to satisfy the unforgeability or unrecoverability of credentials, then the Schnorr signature is forgeable.
Similarly, in Case (2) A^O could directly forge a user proof up_t without credential C_t, observe and adapt existing user proofs generated by U_t into a user proof up_t for a message M, or compute up_t in any other way, though A^O is not allowed to obtain any user proof for the same message M by trivially asking the O_3 and O_4 oracles w.r.t. ID_t. Hence, this implies that if our AKESSO fails to satisfy the soundness of credential based authentication [6], then the Schnorr signature is forgeable.

As the Schnorr signature scheme is proved to be secure under the discrete logarithm assumption [], Theorem 2 assures that the proposed AKESSO scheme achieves secure credential based user authentication under the discrete logarithm assumption.

Theorem 3. (Secure Service Provider Authentication) In the proposed AKESSO, if there is a PPT adversary A who has a non-negligible advantage Adv^SSPA(A^O) as specified in Definition 4, then the signature scheme employed by service providers is existentially forgeable under UFCMA attacks as defined in Section IV.

Proof: Since a service provider proof is directly generated as a normal signature by the corresponding service provider, Theorem 3 can be formally proved as we did for Case (2) in Theorem 2. Note that here we do not need to discuss Case (1) as in Theorem 2, because each service provider is required to register its public/private key pair. Due to the space limit, the full proof is omitted.

Theorem 4. According to Definition 6, the proposed AKESSO scheme is secure under the assumption that all digital signatures employed in the scheme are existentially unforgeable against UFCMA attacks as specified in Section IV.

Proof: By Theorem 1, Theorem 2, Theorem 3 and the session key security proved in [12], Theorem 4 holds according to Definition 6.

VII. CONCLUSIONS

Most existing single sign-on schemes suffer from various security issues and are vulnerable to different attacks. In this paper, we first formalized the authenticated key exchange single sign-on scheme. Specially, we formally defined secure authentication for both users and service providers, as such a treatment has not been studied yet [6]. Moreover, a Schnorr mechanism based SSO scheme has been proposed to overcome the drawbacks of the Chang-Lee scheme [12] while keeping the same advantages. In this new scheme, to preserve credential generation privacy, the TCP signs a Schnorr signature [18][13] on the user identity; and to protect credential privacy and soundness, the user exploits his/her credential as a signing key to sign a Schnorr signature on the hashed session key.
In fact, the Schnorr signature mechanism [18][13] is more efficient than the RSA mechanism employed by the Chang-Lee scheme. Thus, the proposed scheme reduces the computation cost, enhances confidentiality, and preserves soundness and credential privacy.

REFERENCES

[1] A. C. Weaver and M. W. Condry, "Distributing Internet Services to the Network's Edge," IEEE Trans. Ind. Electron., vol. 50, no. 3, pp. 404-411, Jun. 2003.
[2] L. Barolli and F. Xhafa, "JXTA-OVERLAY: A P2P Platform for Distributed, Collaborative and Ubiquitous Computing," IEEE Trans. Ind. Electron., vol. 58, no. 6, pp. 2163-2172, Oct. 2011.
[3] L. Lamport, "Password Authentication with Insecure Communication," Commun. ACM, vol. 24, no. 11, pp. 770-772, Nov. 1981.
[4] F. Bao and R. H. Deng, "Privacy Protection for Transactions of Digital Goods," Proceedings of the Third International Conference on Information and Communications Security (ICICS 2001), Springer-Verlag, London, UK, pp. 202-213.
[5] The Open Group, "Security Forum on Single Sign-on," http://www.opengroup.org/security/l2-sso.htm.
[6] G. Wang, J. Yu, and Q. Xie, "Security Analysis of A Single Sign-On Mechanism for Distributed Computer Networks," IACR Cryptology ePrint Archive, Report 2012/107, http://eprint.iacr.org/2012/107.
[7] W. B. Lee and C. C. Chang, "User Identification and Key Distribution Maintaining Anonymity for Distributed Computer Networks," Computer Systems Science and Engineering, vol. 15, no. 4, pp. 3-6, 2000.
[8] T.-S. Wu and C.-L. Hsu, "Efficient User Identification Scheme with Key Distribution Preserving Anonymity for Distributed Computer Networks," Computers and Security, vol. 23, no. 2, pp. 120-125, 2004.
[9] Y. Yang, S. Wang, F. Bao, J. Wang, and R. H. Deng, "New Efficient User Identification and Key Distribution Scheme Providing Enhanced Security," Computers and Security, vol. 23, no. 8, pp. 697-704, 2004.
[10] K. V. Mangipudi and R. S. Katti, "A Secure Identification and Key Agreement Protocol with User Anonymity (sika)," Computers and Security, vol. 25, no. 6, pp. 420-425, 2006.
[11] C.-L. Hsu and Y.-H. Chuang, "A Novel User Identification Scheme with Key Distribution Preserving User Anonymity for Distributed Computer Networks," Inf. Sci., vol. 179, no. 4, pp. 422-429, 2009.
[12] C.-C. Chang and C.-Y. Lee, "A Secure Single Sign-on Mechanism for Distributed Computer Networks," IEEE Transactions on Industrial Electronics, vol. 59, no. 1, pp. 629-637, 2012.
[13] C. P. Schnorr, "Efficient Signature Generation by Smart Cards," J. Cryptology, vol. 4, no. 3, pp. 161-174, 1991.
[14] S. Goldwasser, S. Micali, and C. Rackoff, "The Knowledge Complexity of Interactive Proof-Systems," SIAM J. Computing, vol. 18, no. 1, pp. 186-208, Feb. 1989.
[15] W. Mao, Modern Cryptography: Theory and Practice, Prentice Hall PTR, 2004.
[16] J. Han, Y. Mu, W. Susilo, and J. Yan, "A Generic Construction of Dynamic Single Sign-on with Strong Security," in Proc. of SecureComm 2010, pp. 181-198, LNICST 50, Springer, 2010.
[17] M. Bellare and P. Rogaway, "Entity Authentication and Key Distribution," CRYPTO, pp. 232-249, 1993.
[18] C. P. Schnorr, "Efficient Identification and Signatures for Smart Cards," CRYPTO, pp. 239-252, 1989.
[19] M. Bellare and A. Palacio, "GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks," CRYPTO, pp. 162-177, 2002.
[20] D. Pointcheval and J. Stern, "Security Proofs for Signature Schemes," EUROCRYPT, pp. 387-398, 1996.
[21] D. Pointcheval and J. Stern, "Security Arguments for Digital Signatures and Blind Signatures," J. Cryptology, vol. 13, no. 3, pp. 361-369, 2000.
[22] S. Goldwasser, S. Micali, and L. Ronald, "A Paradoxical Solution to the Signature Problem (Extended Abstract)," FOCS, pp. 441-448, 1984.
[23] S. Goldwasser, S. Micali, and R. L. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks," SIAM J. Comput., vol. 17, no. 2, pp. 281-308, 1988.