Efficient Nonce-based Authentication Scheme for. session initiation protocol



Similar documents
Efficient nonce-based authentication scheme for Session Initiation Protocol

Cryptography. Debiao He. School of Mathematics and Statistics, Wuhan University, Wuhan, People s Republic of China. hedebiao@163.

An Improved Authentication Protocol for Session Initiation Protocol Using Smart Card and Elliptic Curve Cryptography

A More Robust Authentication Scheme for Roaming Service in Global Mobility Networks Using ECC

Application of Automatic Variable Password Technique in Das s Remote System Authentication Scheme Using Smart Card

User authentication in SIP

Secure File Transfer Using USB

Bit Chat: A Peer-to-Peer Instant Messenger

On the Security Vulnerabilities of a Hash Based Strong Password Authentication Scheme

Client Server Registration Protocol

Single Sign-On Secure Authentication Password Mechanism

Authentication Types. Password-based Authentication. Off-Line Password Guessing

CRYPTANALYSIS OF A MORE EFFICIENT AND SECURE DYNAMIC ID-BASED REMOTE USER AUTHENTICATION SCHEME

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

A Lightweight Secure SIP Model for End-to-End Communication

Computer Security: Principles and Practice

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

A Stubborn Security Model Based on Three-factor Authentication and Modified Public Key

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Capture Resilient ElGamal Signature Protocols

MANAGING OF AUTHENTICATING PASSWORD BY MEANS OF NUMEROUS SERVERS

Keywords Decryption, Encryption,password attack, Replay attack, steganography, Visual cryptography EXISTING SYSTEM OF KERBEROS

Chapter 16: Authentication in Distributed System

How To Use Kerberos

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

EXAM questions for the course TTM Information Security May Part 1

National Security Agency Perspective on Key Management

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

A novel deniable authentication protocol using generalized ElGamal signature scheme

CS 494/594 Computer and Network Security

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Unregister Attacks in SIP

An Overview of Communication Manager Transport and Storage Encryption Algorithms

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

Cryptography and Network Security

Security vulnerabilities in the Internet and possible solutions

Secure Authentication of Distributed Networks by Single Sign-On Mechanism

Authentication and Authorization Applications in 4G Networks

Elements of Applied Cryptography. Key Distribution. Trusted third party: KDC, KTC Diffie-Helmann protocol The man-in-the-middle attack

SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER

Kerberos. Guilin Wang. School of Computer Science, University of Birmingham

A SMART CARD-BASED MOBILE SECURE TRANSACTION SYSTEM FOR MEDICAL TREATMENT EXAMINATION REPORTS. Received January 2010; revised May 2010

Securing Session Initiation Protocol for VOIP Services

Prevention of Anomalous SIP Messages

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

CRYPTOGRAPHY IN NETWORK SECURITY

Chapter 7 Transport-Level Security

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

1. discovery phase 2. authentication and association phase 3. EAP/802.1x/RADIUS authentication 4. 4-way handshake 5. group key handshake 6.

Using Foundstone CookieDigger to Analyze Web Session Management

A secure login system using virtual password

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

Authentication requirement Authentication function MAC Hash function Security of

A Novel Approach to combine Public-key encryption with Symmetric-key encryption

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Network Security. HIT Shimrit Tzur-David

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Lecture 9: Application of Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

BIG DATA: CRYPTOGRAPHICALLY ENFORCED ACCESS CONTROL AND SECURE COMMUNICATION

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

Authentication protocol for fingerprint feature extraction and IBC in monitoring systems

VoIP Security. Seminar: Cryptography and Security Michael Muncan

A Factoring and Discrete Logarithm based Cryptosystem

QR-CODE BASED NON-REPUDIATION TRANSACTION VERIFICATION SYSTEM

An Efficient Implementation For Key Management Technique Using Smart Card And ECIES Cryptography

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

Vulnerability Analysis on Mobile VoIP Supplementary Services and MITM Attack

A Vulnerability in the Song Authentication Protocol for Low-Cost RFID Tags

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

SIP, Session Initiation Protocol used in VoIP

Secure Remote Password (SRP) Authentication

How To Attack A Phone With A Billing Attack On A Sip Phone On A Cell Phone On An At&T Vpn Vpn Phone On Vnet.Com (Vnet) On A Pnet Vnet Vip (Sip)

Practice Questions. CS161 Computer Security, Fall 2008

Three attacks in SSL protocol and their solutions

IMPROVED SECURITY MEASURES FOR DATA IN KEY EXCHANGES IN CLOUD ENVIRONMENT

A Novel Approach for Evaluating and Detecting Low Rate SIP Flooding Attack

Computer System Management: Hosting Servers, Miscellaneous

TELE 301 Network Management. Lecture 18: Network Security

CS 758: Cryptography / Network Security

Efficient ID-based authentication and key agreement protocols for the session initiation protocol

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Preventing Abuse of Cookies Stolen by XSS

Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Transcription:

International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 12 Efficient Nonce-based Authentication for Session Initiation Protocol Jia Lun Tsai Degree Program for E-learning, Department of Applied Mathematics, National Chiao Tung University 1001 University Road, Hsinchu, Taiwan 300, ROC (Email:crousekimo@yahoo.com.tw) (Received June 14, 2007; revised Oct. 23, 2007; and accepted Jan. 21, 2008) Abstract In recent years, Session Initiation Protocol (SIP) is more and more popular. However, there are many security problems in the Session Initiation Protocol. In 2005, Yang et al. [9] proposed a secure authentication scheme for Session Initiation Protocol. This authentication scheme is based on Diffie-Hellman [2] concept, so the computation cost of this authentication scheme is very high. In order to improve this shortcoming, Durlanik et al. [3] also proposed an authentication using ECDH in 2005. However, the computation cost of this authentication scheme is still very high. In this paper, we propose an efficient nonce-based authentication scheme. The computation cost of this authentication scheme is lower than Yang et al.s authentication scheme and Durlanik et al.s authentication scheme, and it is very suitable for low computation power equipment. Keywords: Authentication scheme, HTTP digest authentication, session initiation protocol 1 Introduction Session Initiation Protocol (SIP) [1, 4, 7] is the Internet Engineering Task Force (IETF) standard for IP telephone. The Session Initiation Protocol (SIP) is an applicationlayer control (signaling) protocol that can create, modify and terminate sessions with one or more participants. These sessions include Internet multimedia conferences, Internet telephone calls and multimedia distribution. Members in a session can communicate via multicast or via a mesh of unicast relations, or a combination of these. Session Initiation Protocol is a text-based peerto-peer protocol, and incorporates elements of two widely used Internet protocols: Hyper Text Transport Protocol (HTTP) used for Web and Simple Mail Transport Protocol (SMTP) [8]. Authentication is the most important for Session Initiation protocol. When a user wants to use Session Initiation Protocol, this user must be authenticated. However, other than needing to recognize whether a user s identity is legal, the user will also need to recognize whether the server is the correct one as well. For these reasons, the authentication scheme of SIP is not safe, because the SIP authentication scheme is derived from HTTP Digest authentication [4]. The authentication scheme of SIP uses challenge-response mechanism to only verify the identity of the user and is vulnerable to offline password guessing attack, server spoofing. In order to resist these flaws, Yang et al. [7, 9] proposed a secure authentication scheme for session initiation protocol. This authentication scheme is based on Diffie-Hellman Key Exchange [2], which depends on the difficulty of discrete logarithms. The computation cost of the Yang et al. s authentication scheme is very high, so it is not suitable for low computation power equipments. In order to improve this shortcoming, Durlanik et al. [3] also proposed an authentication using ECDH in 2005. In this paper, we propose an efficient nonce-based authentication scheme. This authentication scheme is based on the random nonce. All communication messages are encrypted/ decrypted by using one-way hash function and exclusiveor operation, so its computation cost is low. It is very suitable for low computation equipment. 2 Review Yang et al. s and Durlanik et al. s In this section, we reviewed Yang et al. s authentication scheme [9] and Durlanik et al. s authentication scheme [3]. Before we review these two proposed authentication schemes for Session Initiation Protocol, all symbols are described as Table 1. 2.1 Review Yang et al. s Authentication In this section, we review Yang et al. s authentication scheme. This authentication scheme is based on Diffie- Hellman Key Exchange [2] and enhances the security of the original SIP authentication scheme.

International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 13 Table 1: Symbol table Symbol Explanation h() One-way hash function Exclusive or P W The remote user password Concatenation N The random nonce generated by the user and the server X Y : M X send a message M to Y U, S Each represents as user and server p Large prime number dc, ds Represents the public key and private key G Base point in the curve 2.1.1 Registration Phase When a user wants to register and become a new legal user, the person must first submit his or her username and password to remote server. The username and password is used to verify the identity of the user and server. When the server receives this user s username and password, the server stores this username and password. database. The server uses pw to compute h(pw) t 1 h(pw) to get t 1. Furthermore, the server generate a random number r 2 and use t 1, r 2, g, p, pw to compute t 2 h(pw), K = t r 2 1 mod p, andh(t 1, K). Then the server sends Challenge (reakm, t 2 h(pw), h(t 1, K)) to the user. Step 3: U S: Response(username, realm, h(username, realm, K)). When the user receives the Challenge message, the user uses h(pw) to compute h(pw) t 2 h(pw) to get t 2. Then the user uses t 2, r 1, p to compute K = t r1 2 mod p and h(t 1, K). If the computed h(t 1, K) is not the same as the Challenge(h(t 1, K)), the user rejects the server request. Otherwise, the user use username, realm, K to compute h(username, realm, K) and sends Response(username, realm, h(username, realm, K)) to the server. Figure 1: Yang et al. s authentication scheme Step 4: When the server receives the Response message, the server uses username, realm, K to compute h(username, realm, K). If the computed h(username, realm, K) is the same as the Response(h(username, realm, K)), the server accepts the user s connection. Otherwise, the server rejects the user request. 2.1.2 Authentication Phase If a legal user wants to login in system, this user must type his or her username and password. All steps of authentication Step 1: U S: Request(username, t 1 h(pw)), where t 1 = g r1 mod p. The user generates a random number r 1, and use r 1, g, p to compute t 1 = g r 1 mod p. Step 2: S U: Challenge(realm, t 2 h(pw), h(t 2, K). When the server receives the user s messages, the server uses username to get the user s pw from its 2.2 Review Durlanik et al. s Authentication In this section, we review Durlanik et al. s authentication scheme. This authentication scheme is based on Elliptic Curve Diffie-Hellman (ECDH). 2.2.1 Registration Phase In Durlanik et al. s authentication scheme, both the server and the user have a pre-shared password for authentication and an elliptic curve public key pair.

International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 14 3 Our Proposed Authentication In this section, we reviewed our authentication scheme. Before we review our proposed authentication scheme for Session Initiation Protocol, we define the symbols first. 3.1 Registration Figure 2: Durlanik et al. s authentication scheme When a user wants to register and become a new legal user, this user must first submit his/her username and password to remote server. The username and password P W is used to verify the identity of the user and server. When the server receives this user s username and password, the server stores the user s username and password P W. 2.2.2 Authentication Phase If a legal user wants to login in system, this user must type his or her username and password. All steps of authentication Step 1: U S: Request(username, d c G h(pw)). The user sends a Request message including its username and its public key xor by its hashed password. Step 2: S U: Challenge(realm, d s G h(p W ), h(d c G, d c d s G). When the server receives the Request message, the server computes d c G h(p W ) h(p W ) to obtain d c G. Then, the server computes a session key K = d s d c G, d s G h(p W ), and h(d c G, d c d s G). Finally, the server send Challenge(realm, d s G h(p W ), h(d c G, d c d s G) message to the user. Figure 3: The general description of the head-end Step 3: When the user receives the challenge messages, this user computes d s G h(p W ) h(p W ) to obtain d s G. Then, the user computes h(d c G, d c d s G) to verify received h(d c G, d c d s G). If they are equal, the user computes a session key K = d s d c G. Step 4: U S: Response(realm, username, h(username, realm, K)). The user computes h(username, realm, K). Then, the user sends Response(realm, username, h(username, realm, K)) to the server. Step 5: When the server receives Response(realm, username, h(username, realm, K)), the server computes h(username, realm, K). Then, the server verifies Response message. If they are equal, the server accepts this connection. Otherwise, the server disconnect this connection. 3.2 Authentication If a legal user wants to login in system, he/she must type his or her username and password. All steps of authentication Step 1: U S: Request(username, N c ). The user generates a random number Nc and sends Request(username, N c ). Step 2: S U: Challenge(realm, N s h(pw N c ), h(pw N s N c )). When the server receives the Request message, the server generates a random N s and uses N s, N c, pw to compute N s h(pw N c ). Then, the server uses pw, N s, N c to compute h(pw N s N c ) and sends Challenge(realm, N s h(pw N c ), h(pw N s N c )) to the user.

International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 15 Table 2: Symbol table Hash Exclusive Exponent- ECC Number of Session Server Off-Line Function Or iation Computation message Key Spoofing password Computation flows guessing Our 7 4 0 0 1.5 Yes No No Yang et al. 7 4 4 0 1.5 No No No Durlanik et al. 7 2 0 6 1.5 Yes No No Step 3: U S: Response(username, realm, h(n s pw N c )). When the user receives the Response message, this user uses N c, pw to compute h(pw N c ) and uses h(pw N c ), N s h(pw N c ) to compute h(pw N c ) N s h(pw N c ) to get N s. Then, the user uses pw, N s, N c to compute h(pw N s N c ). If the computed h(pw N s N c ) is not the same as Challenge(h(pw N s N c )), the user rejects the server request. Otherwise, the user uses N s, pw, N c to compute h(n s pw N c ) and sends Response(username, realm, h(n s pw N c )) to the server. Step 4: When the server receives Response message, the server uses N s, pw, N c to compute h(n s pw N c ). If the computed h(n s pw N c ) is not the same as Response(h(N s pw N c )), the server rejects the user request. Otherwise, the server accepts the connection. Step 5: After the server and the remote user authenticate each other, they use N s as a session key SK = Ns. 4 Security Analysis Below we can examine whether the communication agreement is safety, we will examine our authentication scheme on various known attacks. 4.1 Replay Attack Our authentication scheme uses the random nonce to withstand the replay attack. Authentication messages N s h(pw N c ), h(pw N s N c ), h(n s pw N c ) are generated by random nonce N c and the random nonce N s. The random nonce N c and the random nonce N s are generated independently, and both values will deficient in each session. Assume an adversary wants to enter the system. This adversary can not enter the system by re-sending messages ever transmitted by a legal user, because the random nonce N s is different. 4.2 Password Guess Attack In our authentication scheme, it is impossible for an adversary to guess the user s password. The password of a user was protected by the random number Nc and the random number N s. The random number N s is generated by the server and the random number N c is generated by the user. They are different in the next session, so our authentication scheme can withstand password guess attack. 4.3 Server Spoofing Attack In our authentication scheme, we will obviously ask the user to know whether the server is the correct one before authenticating the user. Therefore, if an attacker wants to masquerade as the server to cheat the user, this attacker must have the user password P W. If someone is discovered to masquerade as the server to cheat the user, the user will disconnect all following transmissions. any server spoofing attack will fails. 4.4 Impersonation Attack Hence, In our scheme, an attacker can not masquerade as a legal user. To successfully perform the impersonation attack, the attacker must require the knowledge of P W to generate and interpret authentication messages correctly, because all the authentication messages between the server and the user are protected by pw. pw is memorized by the user. If someone is discovered to masquerade as the legal user to cheat the server, the server will disconnect all following transmissions. Hence, any impersonation attack will fails. 4.5 Security of Session Key A session key is generated by user s password P W and a random number. Whenever the communication ends between the user and the server, the key will self destruct immediately and will not be reused at the next time. When the user reenters the system, a new session key will be generated to encrypt the information during the communication process. Therefore assuming the attacking has obtained a session key, the person will not be able to use the session key to decode the information in other communication processes. Because the random nonce N s and random nonce N c is generated randomly, it will not be able to use a known session key to calculate the value of the next session key.

International Journal of Network Security, Vol.9, No.1, PP.12 16, July 2009 16 5 Compare with other Authentication In this section, we compare our nonce-based authentication scheme with Yang et al. s authentication scheme [9] and Durlanik et al. s authentication scheme [3]. All comparisons are described as Table 2. Jia-Lun Tsai received her M.S. degrees in E-learning from National Chiao Tung University, in 2007 respectively. His reaches interests include Authentication scheme, Network Security, Wireless Security, and Cryptography etc.. 6 Conclusion In this paper, we describe Yang et al. s authentication scheme. The computation cost of Yang et al. s authentication schemes is very high. In order to improve this flaw, we propose a nonce-based authentication scheme. This nonce-based authentication scheme is only based on nonce. The computation cost of this authentication scheme is lower than Yang et al. s authentication schemes. It is very suitable for low computation equipment. References [1] J. Arkko, et al., Security mechanism agreement for SIP sessions, IETF Internet Draft (draft-ietf-sipsec-agree-04.txt), June 2002. [2] W. Diffie, and M. Hellman, New directions in cryptology, IEEE Transaction on Information Theory, vol. 22, no. 6, 1976. [3] A. Durlanik, and I. Sogukpinar, SIP authentication scheme using ECDH, World Enformatika socity Transaction on Engineering computing and technology, vol.8, pp. 350-353, 2005. [4] J. Franks, et al., HTTP authentication: basic and digest access authentication, IETF RFC2617, June 1999. [5] M. Handley, and et al., SIP: session initiation protocol, IETF RFC2543, March 1999. [6] J. Rosenberg, et al., SIP: session initiation protocol, IETF RFC3261, June 2002. [7] M. Thomas, SIP Security Requirements, IETF Internet Draft (draftthomas-sip-sec-reg-00. txt), Nov. 2001 (work in progress). [8] L. Veltri, S. Salsano, and D. Papalilo, SIP security issues: the SIP authentication procedure and its processing load, IEEE Network, vol. 16, no. 6, pp. 38-44, 2002. [9] C. C. Yang, R. C. Wang, and W. T. Liu, Secure authentication scheme for session initiation protocol, Computers and Security, vol. 24, pp. 381-386, 2005.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information