MOTP: An Identity Authentication Scheme for M-Commerce

Transcription

1 Chinese Journal of Electronics Vol.22, No.1, Jan MOTP: An Identity Authentication Scheme for M-Commerce ZHU Xiaomin 1, SHANG Xiaopu 2, WANG Chuanchen 2 and ZHANG Runtong 2 (1.School of Mechanical, Electronic and Control Engineering, Beijing Jiaotong University, Beijing , China) (2.Institute of Information Systems, Beijing Jiaotong University, Beijing , China) Abstract With the development of E-commerce and mobile communication technology, Mobile E-commerce (M-commerce) has become one of the important means of trade. Identity authentication is the basic security issue in M-commerce. In this paper, an efficient Elliptic curve based One-time password (OTP) identity authentication scheme (MOTP) for M-commerce is proposed, also, International mobile equipment identity (IMEI) of mobile devices is introduced as an important authentication factors. At the end, this paper analyzes the novel scheme by BAN logic and does simulation in OPNET. Key words M-commerce, Identity authentication, One-time password (OTP), BAN Logic, Simulation. I. Introduction M-commerce refers to a form of business that conducts commerce using mobile device. One of most security issues is how to realize identity certification which can avoid a fake server get user s private information or a fake user s client get sensitive information from server, and finally prevent economic loss. Currently, majority of the authentication certification is based on the simple user name/password and short message [1,2]. These methods make the length of transmitted cipher key short and easily intercepted by others during wireless transmission. In order to increase security of authentication, some authentication methods based on biological characteristics (e.g. fingerprints) are proposed, however, it is also vulnerable to replay attacks [3,4] and the device cost is high, which are not suitable for universal use in wireless communication networks [5,6]. Also, some authentication systems use digital signature techniques, but they have to run on a complete Certification authority (CA) system, besides, the cost of certification process is high, which increases the requirement for mobile device s performance [7]. Lamport [8] first proposed the usage of HASH function to generate One-time passwords (OTP), the OTP authentication technology does not require third-party certification, with low calculation workload and cost, can be easily and quickly loaded on any system without additional hardware, although some improvement should be done, it is still a relatively feasible scheme suitable in M- commerce [9]. This paper, follows the idea of OTP, presents a bidirectional identity authentication scheme MOTP to improve the securityinm-commerce. Theschemealsomakesuseofelliptic curve algorithm to improve the authentication security, and introduces IMEI as the sole identifier of mobile device. In the next section, we describe the scheme of MOTP. The security and performance of the scheme is analyzed in Section III and Section IV. Finally, we conclude in Section V. II. The Scheme of MOTP MOTP use OTP as the basic idea, for OTP is simple on implementation and its requirement on device s compute ability is low, the communication times between server and client is not so many, and it doesn t need 3rd parity authentication during the process. Traditionally, OTP schemes can be divided into three types [10] : password sequence (S/Key) scheme, scheme of time synchronization and challenge/response scheme. In environment of M-commerce, OTP schemes have the following problems: (1) Lack of a two-way authentication between client and server; (2) The challenge/response scheme, require hardware support; (3) The S/Key scheme cannot effectively resist the smallnumber-attacks; (4) The time synchronization scheme has high requirements of time synchronization and propagation delay on both the client and server. 1. Considerations on the scheme design The novel identity authentication scheme we proposed in this paper for M-commerce will realize: (1) Two-way authentication between client and server. (2) Resist against replay-attacks and small-numberattacks. The authentication process will be divided into two stages. Manuscript Received Mar. 2012; Accepted Apr This work is supported by the National Natural Science Foundation of China (No ), Beijing Natural Science Foundation (No ), the Fundamental Research Funds for Central Universities of China (No.2011JBM365, No.2011YJS226) and Beijing Municipal Science and Technology Commission (No.Z ).

2 MOTP: An Identity Authentication Scheme for M-Commerce 147 (3) Computational load and the implemental costs are minimized compared with the existing OTP schemes. The whole authentication process will be divided into two parts. The first part is the authentication of the user s identity on mobile device; the second part is the authentication between mobile device and server. In this paper, we only focus on the second part. 2. Registration stage In the registration process, users using the server generate secure elliptic curve generated by the user s public key, private key, then the user with the server public key exchange, the last user to register the server s public key encryption. The ID and password (PW) are chosen by the user during the registration, before registration, the server generates secure elliptic curve (ECC) parameters, and selects its private key (KSS) as well as public keys (KSR). When user applies for registration, the server sends ECC parameters with KSR to user, user selects its own private key (KUS) and public key (KUR) When registration, MOTP follows the following steps: (1) User inputs registration ID and PW, then the user send encrypted PW, current time T and device s IMEI to server. (2) The server decrypts and saves IMEI, encrypted PW and T 0 for further certification (suppose IMEI and PW), then send successful registration message to user. Fig.1 shows the whole stage and here E means encryption. Fig. 1. The registration stage 3. The authentication stage The authentication process follows the following steps: (1) User enters the ID and PW and sends them to server after encryption, the server receives and checks IMEI,verifies whether E KUR(PW)isequaltoE KUR(PW). If they are the same, the process continues, otherwise the login process is stopped. (2) The user extracts the login time T 1, and sends A=E KSR(IMEI,T 1) to server, and saves T 1 temporarily. (3) The server uses its private key to decrypt E KSS(A), obtains IMEI and T 1, then sends B=E KUR(IMEI,T 1,T 0)to user. (4) The User decrypts E KUS(B) by its private key, obtains IMEI, T 1 and T 0. They are compared with the T 1 saved earlier, if they are equal, the server authentication is completed, otherwise the login process is stopped. At the same time, T 0 is shown to the user, in order to the check the latest login time to prevent theft of account. (5) The User sends C=E KSR(IMEI,T 0)toserver,and the server uses the private key to decrypt E KSS(C), obtains IMEI and T 0, which are compared with the T 0 saved earlier; If they are identical, the user is verified, otherwise the login process is stopped.. (6) The client end destructs T 1, and the server replaces T 0 with T 1. The login process is finished. Fig.2 shows the whole process of login stage. Fig. 2. The login stage 4. Security analysis on the scheme By using MOTP, the following advantages on security can be achieved: (1) Realizes two-way authentication. Step (4) realized the authentication for server, the user end decrypts E KUS(B) by the private key, obtains IMEI, T 1 and T 0.ThisisthencomparedwiththeT 1 saved earlier; step (5) realized the authentication for user, the server decrypts E KSS(C) with the private key and obtains IMEI, T 1 and T 0, which are compared with the initially saved T 0. (2) Resists against replay attacks and small-numberattacks effectively. The uncertain factor proposed in this certification scheme is the time T, thereby the passwords are only valid once, and the information intercepted by the attacker is not valid for the next use. Meanwhile, the OTPs are a combination of public and private key with IMEI, which differs from traditional S/Key scheme, which also prevents smallnumber-attacks. (3) The password in form of clear text only appears on the user device. For during the transmission in the network, it will be in the form of encrypted message with high security. III. The Proof of Logicality of the Scheme 1. Introduction of Proof on BAN Logicality In this paper, we use BAN logic as formal analytical tools to analyze MOTP and prove its security. Some relevant inferential rules of BAN logical proof include:

3 148 Chinese Journal of Electronics 2013 (R1) The message implication rule: P Q K P, P {X} K P Q X (R2) The nonce-verification rule: (R3) The arbitration rule: (R4) The belief rule: P X, P Y P (X, Y ) (R5) The freshness rule: P #(X),P Q X P Q X P Q X, P Q X P X P (X, Y ) P X P #(X) P #(X, Y ) P Q (X, Y ) P Q X The objectives which the logical proofs of BAN logic need to achieve include the following two levels of beliefs: Primary belief: Secondary belief: A A K B, B A K B A B A K B, B A A K B If the authentication protocol is lack of key agreement function, then K may be replaced by the authentication information agreed by the main participant, and if the outcome of the analysis on the protocol could achieve the ultimate belief, then the protocol can be considered secure, otherwise, the protocol is considered flawed. 2. Modeling of the scheme If we take C as user, S as server, the protocol during the registration stage can be described as follows: (M1) C S: IMEI, E KUR(PW); (M2) S C: successful message M; (M3) C S: E KSR(IMEI,T 1); (M4) S C: E KUR(IMEI,T 1,T 0); (M5) C S: E KSR(IMEI,T 0); (M6) S C: successful message M. The first, second and sixth messages were neglected during the above step, as they play no role in analyzing the logic attributes of the protocol. To simplify, T 1 and T 0 are treated as one random number. The idealized protocol as follows (M3) C S: E KSR(IMEI,T 1); (M4) S C: E KUR(IMEI,T 1,T 0); (M5) C S: E KSR(IMEI,T 0). Some assumptions of initialized state as follows: (A1) S KSR; (A2) C KUR; (A3) C IMEI; (A4) S #(IMEI); (A5) C #(IMEI); (A6) S C => IMEI. 3. The logical reasoning From M3 we obtain: (F1) S<E KSR(IMEI,T 1); Using F1 and A1, and applying R1, the following is obtained: (F2) S C (IMEI,T 1); Using A3 and applying Rule (7), the following is obtained: (F3) S C#(IMEI,T 1); Using F2 and F3, and applying R2, we obtain: (F4) S C (IMEI,T 1); Using F4 and applying R4, we obtain: (F5) S C IMEI; Using F5 and A6, and applying R3, we obtain: (F6) S IMEI; From M4 we know that: (F7) C<E KSR(IMEI,T 1); Using F7 and A2, and applying R1, we obtain: (F8) C S (IMEI,T 1); Using A4, and applying R7, we obtain: (F9) C S#(IMEI,T 1); Using F8 and F9, and applying R3, we obtain: (F10) C S (IMEI,T 1); Using F10 and applying R4, we obtain: (F11) C S IMEI. The above analysis indicates that the protocol is consistent with the ultimate goal, which achieved certification purposes, i.e. the primary belief: A3 and F6; and secondary belief: F6 and F11. Similarly, if the scheme corresponds with the ultimate goal after logic reasoning for the login stage, and achieves the objective of authentication, then we have primary belief as: A5 and function S IMEI, and secondary belief as: function S C = IMEI and C S IMEI. Thus, the formal analysis of MOTP is completed. IV. Simulations In this section, we will simulate three authentication schemes on OPNET Modeler 8.1. Except the scheme we proposed, another two schemes in Refs.[11] and [12] are used as comparison. The simulation time is 30 minutes; AES algorithm with key length of 128bits is used for the symmetric encryption function; the modulus length for modular exponential computation is 1024bits; the model of the simulation network layer is in the form of a client connection. In the first and second simulation, thicker solid line represents MOTP, the thinner solid line represents the challenge/response scheme, and the thin dotted line represents the simple username/password model. 1. Single runtime of the schemes Fig.3 shows the simulation result and the runtimes of three models are compared. The vertical axis represents the runtime of authentication process.

4 MOTP: An Identity Authentication Scheme for M-Commerce 149 Fig. 3. Runtime Fig. 4. The Channel utilization rate Fig. 5. Queue delay Due to the adoption of elliptic curve technology in MOTP, the runtime is longer than that of the simple dynamic password authentication, which is about 0.5s for average. Though its average runtime maintains at around 1.75s, it is in the acceptable range. The runtime of challenge/response scheme is 0.05s longer than ours, because MOTP has fewer handshakes between user and server, as well as a faster asymmetric key encryption algorithm which is the elliptic curve algorithm. 2. Channel utilization rate Fig.4 demonstrates the channel utilization rates of the two models. In this simulation, six connections between mobile devices and server are established. Until the system reach stable status, the channel utilization rate of MOTP is about 4.8%, the simple password authentication model is around 4.5%, and the rate of traditional time synchronization technology certification program is about 5.0%. In comparison with the traditional time synchronization authentication scheme, MOTP has a lower utilization rate; it means accommodate more user access at the same time. On the other hand, due to the simple username/password scheme of this program having no encryption/decryption and computational skills, it has a little lower utilization rate. In other words, the new enhances the security of the authentication but not increase the channel burden. 3. Delay analysis The outcome of the delay simulation on the scheme is shown in Fig.5. In this diagram, the vertical axis represents the delayed time in seconds. Δ represents the model of MOTP, represents the traditional challenge/response authentication scheme model, represents the simple username/password authentication model. As to the servers, the shorter the delay time, the higher the efficiency to response user s requests, which can improve the quality of service. The average delay time of the novel scheme is about 0.147s; The delay time of the traditional time synchronization technology certification scheme is around 0.188s; The simple user name/password authentication model has average value of 0.187s. Obviously, MOTP has higher efficiency to respond user s requests when running. 4. Summary of simulations Based on the simulation, MOTP has no major difference on performance compared with the simple username/password authentication scheme. However, the security performance is improved. Meanwhile, compared with the challenge/response authentication scheme, the performance of MOTP is better (show as Table 1). Table 1. Overall results of simulations on OPNET Parameters of Challenge/response simulation scheme MOTP Single runtime of models Longer Shorter Delay Longer Shorter Utilization rate Higher Lower V. Conclusions The authentication of user identity is the premise of ensuring information security in M-commerce. OTP is relatively safe and efficient comparing with other authentication schemes, moreover, it is easy to implement and utilize, which is suitable for identity authentication in M-commerce. Considering the attributes of M-commerce environment as well as the problems may exist when adopt OTP in M-commerce, this paper proposed MOTP, a novel identity authentication scheme, and proved the scheme by BAN formal protocol, finally did simulation on OPNET. Based on the analysis and simulation, it can conclude that MOTP has high simplicity and implemental efficiency. More important, the novel scheme totally satisfies the requirement of a two-way authentication, overcomes some weak points that similar schemes possess, also it prevents replay attacks and counterfeiting attacks effectively, it is a suitable and advanced authentication scheme in M-commerce. References [1] Yu Zheng, Dake He and Mingxing He, An authentication scheme in mobile terminal users based on trusted computation, Chinese Journal of Computers, Vol.29, No.8, pp , [2] Mu Yang, Runtong Zhang and Yi Yang, New OTP authentication scheme for m-commerce based on one time password, Computer Security, Vol.28, No.B06, pp.71 72, 75, [3] Chao Li, Yang Xin, Xinxin Niu, Identity authentication scheme based on biometric certificate, Computer Engineering, Vol.33, No.20, pp , [4] L. Fan, C.X. Xu, J.H. Li, User authentication scheme using smart cards for multi-server environments, Chinese Journal of Electronics, Vol.15, No.1, pp.79 84, [5] Ji Dongyao, Wang Yumin, An Authentication and Micropayment Protocol for Mobile Computing Network, Acta Electronica Sinica, Vol.30, No.4, pp , (in Chinese)

5 150 Chinese Journal of Electronics 2013 [6] Ping Han, Yanqin Zhu, Xizhao Luo, Identity authentication scheme using OTP in wireless LAN, Computer Engineering, Vol.34, No.14, pp , 165, [7] Tianfa Liu, Qiyuan Feng, Guiyong Yang, Reserch of authentication technique based on OTP, Computer Applications and Software, Vol.8, No.8, pp , 206, [8] L. Lamport, Password authentication with insecure communication, Communication of ACM, Vol.24, No.11, pp , [9] Chunli Lin, Chingpo Hung, Masquerade on one-time password authentication scheme, Future Generation Communication and Networking, Vol.2, pp , [10] Hesheng Wu, Xunli Fan, Weimin Wu, An efficient one-time password authentication, Application Research of Computers, Vol.20, No.8, pp.57 59, [11] T.H. Chert, W.B. Lee, G. Horng, Secure SAS-like password authentication schemes, Computer Standards and Interfaces, Vol.27, No.1, pp.25 31, [12] G. Horn, K.M. Martin, C.J. Mitchell, Authentication protocols for mobile network environment value-added services, IEEE Transaction on Vehicular Technology, Vol.51, No.2, pp , ZHU Xiaomin received B.S. and M.S. degrees from Tianjin University, Tianjin, China, in 1985 and in 1988, respectively, and the Ph.D. degree from Technical University of Crete, Greece, in She is presently an Associate Professor in the School of Mechanical, Electronic and Control Engineering at Beijing Jiaotong University in China. Her research interests cover E-commerce, system evaluation and optimization, and optimal control, and she has participated/was in charge of over 40 research projects in those related areas. She has published 58 papers and is an author or co-author of 15 books. ( SHANG Xiaopu received B.S. degree from PLA Information Engineering University, Zhengzhou, China, in He is currently a Ph.D. candidate in Information System at the Beijing Jiaotong University, Beijing, China. His research interests include wireless sensor networks and information security. ( shangxiaopu@bjtu.edu.cn) WANG Chuanchen received the B.S. degree from Tsinghua University, Beijing, China, in He is currently working toward the Ph.D. degree in Information Management at the Beijing Jiaotong University, Beijing, China. His current main research areas include electronic publication, group key management and secure group communication. ( wcc@phei.com.cn) ZHANG Runtong (Correspondence author) received B.S. degree from Dalian Maritime University, Liaoning, China, in 1985, and the Ph.D. degree from Technical University of Crete, Greece, in He is presently a Professor and the Director of Institute of Information Systems at the Beijing Jiaotong University in China. His research interests cover traffic engineering in mobile communication, optimal control and information security. ( rtzhang@bjtu.edu.cn)