New Secure Authentication and Key agreement Scheme for Session Initiation Protocol using Elliptic Curve Cryptography

Transcription

1 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 New Authentication and Key agreement Scheme for Session Initiation Protocol using Elliptic Curve Cryptography Vaishali P Bhoge, Dr Sadhna Mishra, Prof Bhagat Raghuwanshi Computer Science and Engineering Dept RGPV Bhopal, Bhopal (India) vaishubhoge@gmailcom bhagatmnit@gmailcom sadhnamanit@yahucom Abstract VoIP is new emerging technology for delivery of voice communication and multimedia session over the Internet In VoIP network voice and signalling are multiplexed and travel as normal data inside the IP network This growing popularity is due to cost saving factor and flexibility of services Session Initiation Protocol (SIP) is an application layer control protocol for establish, maintain and terminates user sessions in VoIP network The SIP authentication is based on HTTP digest authentication scheme which suffer from various security threats and attacks Many Researchers have proposed different SIP authentication schemes to secure the SIP authentication Recently, Tang et al proposed a SIP authentication scheme using Elliptic Curve Cryptography (ECC) but still their scheme suffer from the offline-password guessing attack and registration attack So to overcome such security threat we proposed A new secure authentication and key agreement scheme for SIP using Elliptic Curve Cryptography Keywords Session Initiation Protocol, Elliptic Curve Cryptography, HTTP digest authenticatoin I I NTRODUCTION Session Initiation Protocol (SIP) is Internet Engineering Task Force (IETF) standard for IP-based telephony and new generation Internet Multimedia Subsystem (IMS) network[1] SIP is an application layer control protocol used for creating, maintaining and terminating the session among SIP users The session can include Internet Telephony, multimedia conference, distance learning, multimedia distribution and instance messaging applications It is text based peer-to-peer protocol widely used for controlling multimedia communication sessions SIP authentication mechanism is based on HTTP Digest authentication to support challenge response authentication protocol[] Voice over IP Security Alliance (VOIPSA) [3] introduce VoIP security and privacy threat taxonomy which defines the many potential security threats and attacks that exist in SIP protocol implementation Different SIP protocol attacks are exist in SIP based network because of the weak authentication scheme used for SIP session establishment between SIP end user[] ISSN: SIP is The important signalling protocol used between multiple user consist of requests and responses to initiate the call The most common operation is INVITE operation that uses in the authentication to authenticate each end user before Session establishment Successful session consist of two INVITE message followed by an ACK message The INVITE request ask callee to establish a session with authentication If the callee s response indicate that it accept the call, the caller confirmed it by sending ACK message If one of the user want to hangup the call, it sends a BYE request to terminate the call In SIP based network authentication take place between user agent and SIP server (Proxy server, Registrar, and user agent server), where SIP server requires a user agent to authenticate itself before processing the request this SIP authentication is requires in following cases: Registration: accept the registration request from user to prevent malicious user to register without authorization Session establishment: To create the call session both end user identify each other identity using INVITE request Session modification: to prevent and ensure that an unauthorized third party does not modify existing session Terminating session: Terminate a session via BYE request When user want to use SIP service he or she has to perform SIP authentication mechanism to establish SIP session Thus SIP authentication is The most important issue in VoIP or IMS network So various SIP authentication schemes had been proposed by various researches to prevent SIP from existing security threats and attacks Different SIP authentication scheme based on Elliptic Curve Cryptography have been proposed to secure SIP authentication using cryptographic algorithm with low computation cost [6,7,8,9,1] In 5, Yang et al found that original SIP authentication scheme was vulnerable to off-line password guessing attack Page

2 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 and server spoofing attack he proposed authentication scheme to resist these attacks [5] However Yang et al s scheme was vulnerable to stolen-verifier attack, off-line password guessing attack and Denning-Sacco attack Later in The same year, Durlanik et al proposed an efficient SIP authentication scheme based on Elliptic Curve Diffie-Hellman (ECDH) key exchange algorithm with reduced execution time and memory requirement But still this scheme was vulnerable to off-line dictionary attack and Denning-Sacco attack [6] In 9, Yoon et al proposed improved SIP authentication scheme to overcome the weakness of Durlanik et al s authentication scheme but still was defenceless to off-line password guessing attack and stolen-verifier attack [7] In 11, Arshad et al proposed new SIP authentication scheme based on ECC to secure SIP from password guessing attack and stolen-verifier attack [9] Tang et al proposed new secure SIP authentication to prevent from vulnerabilities of Arshad s scheme [1] This SIP authentication scheme was based on Elliptic Curve Discrete Logarithm Problem (ECDLP) In this paper we demonstrate that Tang et al s SIP authentication scheme is vulnerable to Off-line password guessing attack and Registration attack We also proposed our secure and strong SIP authentication and key agreement scheme to make more secure SIP protocol implementation The remainder of this paper is organised as follow Section reviews the preliminaries on SIP authentication scheme and Elliptic curve Cryptography In Section 3, we give a brief review of Tang et al s SIP authentication scheme and describe the weakness of algorithm We also provide detail review for Off-line password attack and registration attack on this scheme In Section we describe the proposed secure and efficient SIP authentication scheme to establish the SIP session In Section 5 we prove the security of proposed algorithm In Section 6 we evaluate the performance of proposed SIP authentication scheme And Section 7 provide the conclusion II Fig 1 HTTP based SIP authentication procedure Step 3: Client Server RESPONSE(nonce, realm, username, response): Client compute response h(nonce, username,password,realm) where h() is one way MD5 hash function and is used to generate digest authentication message Then client send the response message to server Server will extract the password from database based on username and compute the response to verify against the response send by client If they match it verify the identity of client Otherwise server abort SIP session B Elliptic Curve Cryptography The application of elliptic curves to the field of cryptography has been relatively recent ECC provides the public key cryptosystems that uses the Elliptic Curve Discrete Logarithm Problem (ECDLP) This is more efficient and strong as compare to traditional cryptosystems in term of computation cost and memory requirement ECC operates over a group of points on an elliptic curve which defined by equation: Ea,b : x3 + ax + b P RELIMIRIES A SIP authentication procedure SIP authentication scheme based on challenge response mechanism similar to HTTP Digest authentication scheme [11] This is known as Digest authentication due to use of an MD5 hashing function on usename/password of user as security algorithm This mechanism relies on a shared secrete between client and server So client pre-shares a password with a server before authentication procedure starts Following fig shows the SIP authentication scheme based on HTTP Digest authentication The original SIP authentication procedure is as follow: Step 1 Client Server: REQUEST The client send a REQUEST to a server Step : server Client CHALLANGE(nonce, realm) Then server generate the challange that include the nonce and realm and server send challange back to client in response to client request ISSN: (1) Server select Elliptic Curve domain parameter over Fp are textuple: T (p, a, b, P, n, h) Considering of an integer p specifying finite field Fp, two element a,b belong to Fp A base point P on Fp, a prime n which is order of P, and an integer h which define as cofactorh #E(Fp )/n III R EVIEW OF TANG ET AL S SIP AUTHENTICATION SCHEME In this section we briefly review Tang et al s SIP authentication scheme based on Elliptic Curve Cryptography [1] This scheme consist of four phases: System setup phase, Registrtation phase, Login and Authentication phase, and password change phase A system setup phase In this phase both sever and all communicating parties are agree on the EC parameter The sever will select a secrete key Sk, keep secrete Sk and publish p, a, b, n, h, P Page 1

3 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 B Registration phase Before login to server, client must be registered with server first In this phase client pre-shared his credential using secure channel Client chooses his or her identity IDi and password P Wi, and send through a pre-established secure channel Server computes Vi h(idi Ks ) P Wi, and stores (IDi, Vi ) in its database Client Ui need to go through the above authentication phase and let the server S authenticate his or her identity with the old password P Wi After receiving the successful authentication confirmation from server S, client Ui input the new password P Wi Client Ui compute P W D h(sk Sku ) P Wi and V h(sk SKu P Wi ), and sends password change request (P W D, V ) to server S On receipt of message server S compute P Wi h(sk ) P W D and check whether V is equal to h(sk P Wi ) If they are not equal, the server reject password change request, computes h3 h( SK Denied ) and sends denied message ( Denied, h3) back to user Ui Otherwise server S computes accepted message h h( SK Accepted ) and sends ( Accepted, h) back to user Ui Finally server S computes Vi h(idi Ks ) P Wi and replace Vi with Vi C Login and Authentication phase This login and authentication phase is important phase of SIP authentication scheme where client want to login to remote SIP server to establish SIP session client uses his or her identity IDi and password P W i to authenticate itself to SIP server This mutual authentication scheme is based on Elliptic curve discrete logarithm problem (ECDLP) to establish SIP session between client and server This SIP authentication scheme is as follow: Step 1 Ui S : REQUEST (IDi, R1) User Ui select a random secrete nonce r1 Zn, compute R r1p, R1 H(IDi, P Wi ), and then create message REQUEST(IDi, R1) and send to SIP server S Step S Ui : CHALLANGE (S, R, V 1) On receipt of request message, S compute the P Wi Vi h(idi Ks ) based on existed user IDi, then com putes R R1 H(IDi P Wi ) Server select random secrete nonce r Zn, compute R rp,session key rr r1rp Then server compute V 1 h(s IDi R R ), and send challenge message to client Step 3 Ui S : RESPONSE (IDi, S, V ) On receiving challange message from server client computes its session SKu r1r r1rp, V1 h(s IDi R R SKu ) and check whether equals to V1 If they are equal, client Ui authenticate the server S otherwise terminate the session client Ui authenticates server S and computes V h(idi S SKu P Wi ) to send RESPONSE (IDi, S, V ) to server S After receiving response message from client Ui, server S authenticate to client Ui by verifying the value of V by computing V h(idi S SKu P Wi ) and comparing both V and V If they are not equal, server S failed the authentication of client Ui and terminate the session Otherwise server S authenticate identity of client Ui After authenticating each other both parties make key agreement eventually and establish the session with common session key SK h(idi S r1p rp r1rp P Wi ) for further communication D Password change phase When the user doubts whether his or her password is stolen, he or she can change the password easily in this phase ISSN: IV C RYPTALYSIS OF TANG ET AL S S CHEME Tang et al provides the strong security solution to SIP authentication scheme against many possible threats and attack Still this scheme of authentication based on elliptic curve is vulnerable to Registration attack and off-line password guessing attack A Registration Attack When client send REGISTER request to the SIP server it uses SIP authentication based on HTTP digest authentication using UDP transport for flexible service During authentication client IP address is sent in clear form and not protected by Tang et al s authentication scheme An attacker can easily modified the hostname or IP address to register its own IP address So whenever receive call to valid UA, the call will be forwarded to attackers registered IP address In this way Tang et al s authentication suffer from Registration attack B off-line password guessing attack This off-line password guessing attack works when an attacker tries to find out Password P Wi of client Ui Following are details steps to perform the off-line password guessing attack: An attacker record the SIP message between client Ui and server S and get open parameters like targeted user id details IDi An attacker chooses it s own random secrete nonce r1 Zn, compute R r1p and then impersonate as target user IDi to send request message REQUEST(IDi, R) for SIP authentication Page

4 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 On receiving request message server S compute P Wi Vi h(idi, Ks ) andr R H(IDi P Wi ) The server select its random secrete nonce r Zn to compute R rp, rr and server verifier V 1 h(idi S R R Sks ) to send message CHALLANGE (S, R, V 1) to attacker who impersonate the user IDi After receiving challenge message an attacker perform the following steps to get the user passsword P Wi using off-line password guessing: 1) ) 3) ) An attacker select candidate password P Wi from Dictionary D An attacker record Authentication parameter R, and V 1 An attacker s known parameter are r1 and R are used in breaking the Tang et al s cryptosystem An attacker calculate H(IDi P Wi ) using guess password P Wi and then compute R R H(IDi P Wi ) where H(IDi P Wi ) is elliptic point h(idi P Wi )P An attacker computes parameter based on server side computation of rr which is equal to following computation 5) 6) V To secure the SIP authentication scheme against these two vulnerabilities we proposed new secure and efficient SIP authentication and key agreement scheme based on ECC Our scheme also contain four phases: System setup phase, Registration phase, Login and authentication phase, and password change phase A System setup phase In this phase both User Ui and Server S are agree on the Elliptic Curve parameter The server select the secrete Ks, compute Q Ks P, keep the secrete Ks and publishes P, a, b, n, h, Q B Registration phase When initially client Ui want to login to SIP server S for SIP authentication, he/she must register to the remote server first This phase includes providing the user details and location details along with credential details like username IDi and password P Wi In this phase the user communicate with server using the secure channel This phase include following steps: rr r[r H(IDi P Wi )] rr rh(idi P Wi ) r1rp rh(idi P Wi )P r1r h(idi P Wi )R So an attacker compute r1r h(idi P Wi )R based on known values r1, R and guess P Wi Then an attacker compute V i (IDi S R ) and compare with V 1 If they are equal, an attacker guesses the correct password P Wi of target user Otherwise an attacker go to step 1 for different password P Wi and repeat procedure until get the correct password The algorithm of a off-line password guessing attack is as follows: P ROPOSED SIP AUTHENTICATION SCHEME User chooses his or her identity IDi and password P Wi, send this credential through the pre-established secure channel like ( Socket Layer) SSL or VPN (Virtual Private Network) Then server compute the Vi h(idi Ks ) h(ipi P Wi ) based on password and IP address of client IPi, and stores (IDi, Vi ) in server database Ui S Ui select IDi and P Wi publish P, a, b, n, h, Q Register(IDi, P Wi, IPi ) S compute Vi h(idi Ks ) h(ipi P Wi ) Store Vi in database Figure 1: Registration phase OfflinePassguessAttack(r1, R, R, V 1) { C Login and Authentication scheme for i : to D After successful registration client Ui can login to server S using his or her login credentials for SIP authentication to establish the SIP session over VoIP network When client Ui want to login to SIP server S, using his or her identity IDi and password P Wi perform following steps in SIP authentication to establish SIP session between both parties: { P Wi D i ; R R H(IDi P Wi ); r1r h(idi P Wi )R; V 1 (IDi S R ); Step 1 Ui S : REQUEST (IDi, R1) User Ui select a random secrete r1 Zn, compute R r1p After that user compute Hp h(ipi P Wi )Q h(ipi P Wi )Ks P based on server public Q, and then compute R1 R + Hp User Ui create message REQUEST(IDi, R1) and send to server S Step S Ui : CHALLANGE (S, R, V 1) On receipt of request message, server S compute the h(ipi P Wi ) Vi h(idi Ks ) based on existed if V 1 V 1 then return P Wi } } In this way we can perform the cryptanalysis of Tang et al s SIP authentication which is vulnerable to Registration attack and password guessing attack ISSN: Page 3

5 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 user IDi, then computes Hp h(ipi P Wi )Ks P and R R1 Hp from secrete Ks and P Wi Server select random secrete nonce r Zn, compute R rp, session key rr r1rp Then server compute V 1 h(s IDi R R ), and send challenge message (S, R, V 1) to client Step 3 Ui S : RESPONSE (IDi, S, V ) On receiving challenge message from server client computes its session SKu r1r r1rp, V1 h(s IDi R R SKu ) and check whether equals to V1 If they are equal, client Ui authenticate the server S otherwise terminate the session client Ui authenticates server S and computes V h(idi S R SKu ) to send RESPONSE (IDi, S, V ) to server S After receiving response message from client Ui, server S authenticate to client Ui by verifying the value of V with h(idi S rp ) If they are not equal, server S failed the authentication of client Ui and terminate the session Otherwise server S authenticate identity of client Ui After successful mutual authenticating each other both establish the SIP session with common session key SK h(idi S R1 R ) for further communication Ui S r1 Zn,R r1p Hp h(ipi, P Wi )Q R1 R + Hp REQU EST (IDi, R1) S check IDi exist h(ipi P Wi ) Vi h(idi Ks ) Hp h(ipi, P Wi )Sk P R R1 Hp r Zn, R rp rr r1rp V 1 h(s IDi R R ) CHALLAN GE(S, R, V 1) SKu r1r r1rp check V1? h(s IDi R R SKu ) V h(idi S R SKu ) RESP ON SE(IDi, S, V ) check V? h(idi S R ) SK h(idi S R1 R ) Figure : Login and Authentication phase D Password change phase In this phase user Ui can change the password securely by authenticating to server S with previous credentials and change the existed password P Wi with new password P Wi client Server : changepass(idi, P W D, V ) After successful initial SIP authentication Ui compute P W D h(sk SKu ) h(ipi P Wi ) and V h(idi SKu h(ipi P Wi )), then send the message (IDi, P W D, V ) to server S ISSN: On receipt of message from user Ui server recover new password h(ipi P Wi ) P W D h(sk ) and check whether V is equal to h(idi h(ipi P Wi ))or not If they are not equal, The server reject password change request, computes h3 h( SK Denied ) and sends denied message ( Denied, h3) back to user Ui Otherwise server S computes accepted message h h( SK Accepted ) and sends ( Accepted, h) back to user Ui Finally server S computes Vi h(idi Ks ) h(ipi P Wi ) and replace Vi with Vi Ui S Ui select IDi and P Wi publish P, a, b, n, h, Q Initial SIP authentication select new P Wi P W D h(sk SKu ) h(ipi P Wi ) V h(idi SKu h(ipi P Wi )) changep ass(idi, P W D, V ) h(ipi P Wi ) P W D h(sk ) Check V? h(idi h(ipi P Wi )) h3 or h h3 h( SK Denied ) h h( SK Accepted ) Vi h(idi Ks ) h(ipi P Wi ) replace Vi with Vi Figure : Password change phase VI S ECURITY AND PERFORMANCE ALYSIS We analyse a security of the proposed SIP authentication scheme based on Elliptic Curve Cryptography with following security terms: Definition 1: Password P Wi is low entropy value that can be guess in polynomial time Definition : Secrete key Ks of server S is high entropy value that cannot be guess in polynomial time Definition 3: Elliptic Curve Discrete Logarithm Problem (ECDLP): Given public key point Q rp, it is hard to compute secrete r Definition : Elliptic Curve Computational DiffieHellman Problem (ECCDHP) is as follow: given point element r1p and rp, it is hard to find r1rp Definition 5: Elliptic Curve Decisional Diffie-Hellman Problem (ECDDHP)is as follow: for x, y, z Zq, given any three point elements xp, yp, and zp in G, it is hard to decide whether cp abp in G Definition 6: one way hash function Y f (X), when given X it is easy to compute Y and given Y it is hard to compute X The security properties of previously reported schemes [6, 5, 9, 1, 11, 13] and proposed SIP authentication scheme are summarized in Table below Page

6 International Journal of Computer Trends and Technology (IJCTT) - volume 3 Number - December 15 Table I Comparison of security properties of SIP Attacks Impersonation Attack Password guessing Attack Denning-Sacco Attack Stolen Verifier Attack Registration Attack Mutual Authentication Sessin Key Security Known Key Secrecy perfect Forword Secrecy Durlanic Yang Tsai Not Provide Not We focused on The computation cost of the login and authentication phage in SIP authentication scheme The main computation cost is defined by the Elliptic Curve scale multiplication operation So here we define the notation PM, HM, PA and H as the time complexity for Elliptic Curve scale multiplication, hash-to-point function, point addition and hash function operations, respectively Following table provides the computation cost and communication cost of login and authentication phase in SIP authentication scheme using ECC User Agent User Ui side Server S side Total [] [] Login and Authentication Phase 3M P + 1P A + HP + 3H 3M P + 1P A + HP + H 6M P + P A + HP + 7H [5] [6] The computations cost of proposed scheme and previously schemes [6, 5, 9, 1, 11, 13 ] are shown in Table below Table III Computation cost of proposed Scheme Cost MP A HP H Durlanic 6 Yang 8 VII Yoon 6 3 Arshad 5 8 our C ONCLUSION [9] [1] [11] [1] In this paper we have perform cryptanalysis of Tang et al s SIP authentication scheme based on ECC We have demonstrated the vulnerabilities of this scheme to Registration attack and off-line password guessing attack So to over come these security threats we proposed A new secure Authentication and key agreement scheme for Session Initiation Protocol using ECC cryptosystem Our new SIP authentication scheme based on Elliptic Curve Cryptography provides the reduction in the computation cost which is flexible for the performance of the devices with the memory and computational power constraint This scheme can be easily flexible with the mobile devices with next generation mobile communication over the VoIP and IMS network So new scheme has been proved to be more secure and efficient compared to previous SIP authentication scheme ISSN: [7] [8] Tang 7 1 Arshad Tang our R EFERENCES [1] [3] Table II Communication cost of proposed Scheme Yoon [13] Rosenberg J, Schulzrinne H, Camarillo G, Johnston A, Peterson J, Sparks R, Handley M and Schooler E SIP: Session Initiation Protocol, RFC 361 IETF Network Working Group, June Franks J, Hallam-Baker P, Hostetler J, Lawrence S, Leach P, Luotonen A and Stewart L HTTP Authentication: Basic and Digest Access Authentication,RFC 617, IETF Network Working Group, June 1999 The Voice over IP Security Alliance VOIPSA, VoIP Security and Privacy Threat Taxonomy PublicRelease 1, October 5 Ganesh Sonwane, Mr B R Chandavarkar Security Analysis of Session Initiation Protocol in IPv and IPv6 based VoIP network Second International Conference on Advanced Computing, Networking and Security (ADCONS), Dec 13 Yang CC,Wang RC, Liu WT authentication scheme for session initiation protocol ComputSecur : , 5 Durlanik A, Sogukpinar I, SIP Authentication Scheme using ECDH World EnformatikaSocity 5 Yoon EJ, Yoo KY Cryptanalysis of DS-SIP authentication scheme using ECDH, International Conference on New Trends in Information and Service Science 6 67, 9 Chen TH, Yeh HL, Liu PC, Hsiang HC, Shih WK, A secured authentication protocol for SIP using elliptic curves cryptography CN, CCIS 119:6 55, 1 Arshad R, Ikram N, Elliptic curve cryptography based mutual authentication scheme for session initiation protocol Multimed Tool Appl doi:117/s , 11 David Butcher,Xiangyang Li and Jinhua Guo, Security Challenges and Defense in VOIP Infrastructures IEEE Transaction On SystemManand Cybernetics-Part C, 7 Franks et al HTTP authentication: Basic and Digest authentication, RFC 617, June 1999 Hongbin Tang, Xinsong Liu, Cryoptonalysis of Arshad et al s ECCbased mutual authentication scheme for session initiation protocol Springer+Business Media, LCC 1 HHakan kilinc and Tugrul Yanic A Survey of SIP Authentication and Key Agreement Scheme IEEE Communication Survey and Tutorials vol 16,No, 1 Page 5