Design of Secure End-to-End Protocols for Mobile Systems. Nepean, PO Box 10, Kingswood, NSW 2747, Australia. conclusions. 2.

Transcription

1 Wireless '96 Design of Secure End-to-End Protocols for Mobile Systems Vijay Varadharajan and Yi Mu Department of Computing, University of Western Sydney, Nepean, PO Box 10, Kingswood, NSW 2747, Australia Abstract Use of mobile personal computers in open networked environment is revolutionalising the way we use computers. Mobile networked computing is raising some important information security and privacy issues. This paper is concerned with the design of authentication protocols for a mobile networked computing environment. We propose mobile user authentication protocols in intra and inter domain situations using symmetric key based cryptosystems. The paper then extends these protocols to an end-to-end situation, thereby allowing two mobile users to have secure conversations. The protocols provide varying degrees of anonymity of the communicating users to other system users. 1 Introduction Information and communication technology is on the threshold of new style of computing [1]. First, the telecommunications industry is witnessing the development of Personal Communication Systems that are \person-specic" with person to person logical connections. Such systems rely more and more on wireless communications, both in the elds of voice and data communications between mobile personal computers and computer systems. Second, the computer industry is in the phase of practical implementation of distributed systems concept. In particular, the notion of open systems is a major driving force. Whereas today's rst generation notebook computers and personal digital assistants are self-contained, networked mobile computers are part of a greater computing infrastructure. This raises several issues with regard to information security and privacy, system dependability and availability [2]. The paper is organised as follows. We begin in Section 2 by outlining security threats in a mobile networked environment. In Section 3 we propose mobile user authentication protocols in intra and inter domain situations. Section 4 extends these protocols to an end-to-end situation, thereby allowing two mobile users to authenticate each other and to establish a secret key for secure conversations. Finally, Section 5 gives our conclusions. 2 Mobile Networked Environment 2.1 Security Threats A networked environment is in general susceptible to a number of security threats. These include the following: Masquerading: the pretence of one entity to be another entity. By masquerading, an entity can get hold of privileges which it is not authorized to have in the rst place. Within a computer system, a user or process might masquerade as another to gain access to a le or memory to which it is not authorized, while over a network, a masquerading user or host may deceive the receiver about its real identity. Unauthorized use of Resources: This includes unauthorized access to both resources on the networks as well as a computer system. For instance, within a computer system, this threat corresponds to users or processes accessing les, memory or processor without authorization. Over a network, the threat may be in the form of accessing a network resource. This may be a simple network component such as a printer or a terminal, or a more complex one such as a database, 1

2 or some applications within the database. Thus unauthorized use of resource may lead to theft of computing and communications resources, or to the unauthorized destruction, modication, disclosure of information related to the business. Unauthorized Disclosure and Flow of Information: This threat involves unauthorized disclosure and illegal ow of information stored, processed or transferred in a networked system, both internal and external to the user organizations. Within a system, such an attack may occur in the form of unauthorized reading of stored information, while over the network, the means of attack might be wiretapping or trac analysis. Unauthorized Alteration of Resources and Information: Unauthorized alteration of information may occur both within a system (by writing into memory) and over the network (through active wire-tapping). The latter attack may be used in combination with other attacks such as replay whereby a message or part of a message is repeated intentionally to produce an unauthorized eect. This threat may also involve unauthorized introduction (removal) of resources into (from) a distribution system. Repudiation of Actions: This is a threat against accountability in organizations. For instance, a repudiation attack can occur whereby the sender (or the receiver) of a message denies having sent (or received) the information. For instance, a customer engages in a transaction with a bank to withdraw a certain amount from his account, but later denies having sent the message. A similar attack can occur at the receiving end; for instance, a rm denying the receipt of a particular bid oer for the tender even though it actually did receive that oer. Unauthorized Denial of Service: Here, the attacker acts to deny resources or services to entities which are authorized to use them. For instance, within a computer system an entity may lock a le thereby denying access to other authorized entities. In the case of the network, the attack may involve blocking the access to the network by continuous deletion or generation of messages so that the target is either depleted or saturated with meaningless messages. 2.2 Security and Mobility The mobile environment aggravates some of the above security concerns and threats. Because the connection to a wireless link may be easy, the security of wireless communication can be compromised much more easily than that of wired communication. The situation gets further complicated if the users are allowed to cross security domains. For example, a hospital may allow patients with mobile computers to use nearby printers but prohibit access to distant printers and resources designated for hospital personnel only. Being reachable at any location and at any time creates greater concern about privacy issues among the potential users. For instance, there may be a need for developing proles which specify who, when and from where is authorized to get a service. One way is to provide mechanisms that restrict the list of users who are allowed to use a mobile appliance to send a message. From the management point of view, we need to address where are these proles are stored and how are these proles distributed? Mobile users will use resources at various locations. These resources may be provided by dierent service providers. We need to understand the trust issues involved when allowing mobile clients to use resources of different servers at dierent locations. Integrity and condentiality of information stored on the mobile appliance is another important concern. Needless to say that user anonymity is important in mobile environment [3]. Dierent degrees of anonymity can be provided such as hiding user identity from eavesdroppers and hiding user identity from certain administrative authorities. We will discuss these issues in our protocol design. 2

3 3 Mobile User Authentication 3.1 Notation The following notations are used in the description of the protocols. A, B: End-users. Authentication Server Base Station Location Register Message Switch Borad Mobile Network System (MNS) Mobile Station (MS) A s : Subliminal identity of end-user A. H: Home Domain Server. V : Visiting Domain Server. K AB : Shared Secret Symmetric Key between A and B. K s : Secret Session Key. [content] key : content encrypted with a symmetric key key h(:::): A strong one-way hash function. n A : Nonce generated by user A. A! B: message: A sends message to B. 3.2 Environment A simple mobile computing environment is shown in Figure 1. Mobile Computing Stations (MS) accesses the mobile network via a mobile network system. For instance, the network system may consist of Base Stations, Location Register, and Mobile Switching Component. The Location Register contains information related to the location and the subscription of the users in its domain. We will assume that an Authentication Server is present in every domain. This is logically a distinct entity; in practice, it may be co-located with the Location Register. The Authentication Servers store condential information such as keys and are assumed to be physically protected. The mobile stations can move from one place to another, either within its domain (referred to as the \home" domain or move outside its home domain to a \visiting" domain. We will collectively refer to the authorities in the home domain as H and the authorities in the visiting domain as V. Figure 1: Mobile Computing Environment. 3.3 Assumptions We assume that when accessing the network in the home domain, the mobile user is authenticated with a traditional server-based authentication mechanism such as Kerberos. Users of every network domain are registered with that domain's authentication server. The authentication server of a domain can be replicated or partitioned within the domain but the set of all partitioned and duplicated authentication servers represent a single domain-level authority. For sake of simplicity, in the rest of this paper, we assume that mobile station A belongs to Home Domain (H) and mobile station B belongs to Visiting Domain (V ). In our systems, to enable the mutual authentication and user anonymity, we assume that mobile users share long term secret key with their home domain, i.e., A and H share K AH and similarly B and V share K BV. The privacy of communication between domains is ensured by H and V sharing secret symmetric keys (e.g. K HV ). If A travels to the visiting domain V, a shared session key between A and V must be established. In this paper, the user and the mobile computing station are regarded as an intact part. 3.4 Design Criteria Anonymity: It is desirable to keep both end users' identities secret. For this reason users' identities must be protected from disclosure from eavesdroppers on the mobile network. We will refer to this as the rst degree anonymity. Furthermore, there is no need for a foreign authority (e.g. visiting domain authority V ) to know the real identity of the user. What it needs is only a proof of the solvency of the entity accessing the service and enough information to bill the user's 3

4 home authority. We will refer to this as the second degree anonymity. Security against outside attackers: The protocols should not be vulnerable to outsiders' eavesdropping attacks. Domain specic secret information such as a user's secret key should not be propagated from the home domain to the remote (visiting) domain. Minimal number of messages: It is important to minimize the number of exchanges in the protocol between the home domain and the remote domain in the setup phase, given that the distance between the home and the remote domain may be large. 3.5 Authentication Protocols In this section, we consider user authentication protocols based on symmetric key cryptography. Symmetric key cryptography is particularly suitable for situations where minimal computer power and less computational time are required. These are the main reasons behind the choice of symmetric key based systems in the GSM (Group Special Mobile of the European Telecommunications Standard Institute - ETSI)[4, 5] and DECT (Digital European Cordless Telephone), and the interim Standard IS-54 of the Telecommunications industries Association (TIA) for U.S. Digital Cellular Subliminal Identity An important concern in the mobile environment is the anonymity of users. One requirement is that the identity of a communicating user is known only to the user himself, to the communicating partner, and to the home mobile network service H. Other entities such as the visiting domain V as well as all other users should not have access to the communicating users' identities. To address this issue, we introduce the notion of a subliminal identity, written as ID s. Each user is issued a subliminal identity by the home domain. The subliminal ID is composed of a number (e.g. a sequence number) along with a timestamp. This will allow H to perform ecient search of the database when required to locate a specic subliminal ID. Only H knows the mapping between this subliminal ID and the real user ID. The use of subliminal IDs helps to conceal the real user IDs to outsiders. It is initialized rst at the time of registration; subsequently it is updated at the end of each session. We will see below how the subliminal identity is used in the protocols. Basic Setup Mobile Station User A: Belongs to domain H. Has subliminal identity A s issued by H and a secret symmetric key K AH shared between A and H. Mobile Station User B: Belongs to domain V. Has subliminal identity B s issued by H and a secret symmetric key K BV shared between B and V. Home Server H: Has the mapping between the subliminal identity A s to real identity A. Has secret symmetric key K AH as well as the interdomain shared secret key K V H. Home Server V : Has the mapping between the subliminal identity B s to real identity B. Has secret symmetric key K BH as well as the interdomain shared secret key K V H Intra-Domain Protocol We now consider the authentication protocol between a user and his/her home domain. 1: A! H: A s ; H; n A ; [h(a s ; H; n A )] KAH 2: H! A: H; A s ; [K s ] KAH ; [A 0 s] KAH ; [h(h; A s ; A 0 s ; K s; n A )] KAH This is a two step handshake process. In Step 1, mobile station A sends a message to its home server H requesting the establishment of a secret session key. In Step 2, H returns a response including a session key K s and a new subliminal identity both encrypted under the shared key K AH. First note that the use of the subliminal identity helps to conceal the real identity of the initiator to other system users. In our protocol, we have carefully separated the information which needs to be signed (for integrity and authentication) from that which needs to be encrypted (for condentiality). Even though we employ only symmetric key systems, we have used the word \sign" to 4

5 highlight this aspect. It is particularly important to adhere to this principle in the design of protocols; mixing these two aspects leads to lack of clarity in protocol design which is often an important source for protocol aws. Furthermore this separation is useful when it comes to obtaining export licenses where it is necessary to justify to the authorities the functionality of the various cryptographic interfaces and their use. Hence intra-domain user authentication is achieved by the use of the shared key K AH and a session key is established between A and H to protect subsequent communications Inter-Domain Protocol User A travels to a foreign domain V. When A requests a service in V, V needs to verify the identity of A before providing the service. Following the authentication process, a secret key to protect communications between V and A can be established. Regarding anonymity, as we mentioned earlier, the real identity of A may need to be hidden from both the eavesdroppers as well as V. There should also be a mechanism for H to issue a new subliminal identity to A. This may be optional. A 1 2 V 4 3 H Figure 2: Inter-domain Authentication Protocol. The protocol is as follows: 1: A! V : A s ; H; n A ; T oken AHV ; [h(a s ; H; n A )] KAV ; where K AV = f(k AH ; A s ; V ) T oken AHV = [A; H; V; n A ] KAH 2: V! H: V; H; n V ; A s ; T oken AHV ; [h(v; H; n V ; A s ; T oken AHV )] KV H 3: H! V : H; V; n V ; [A 0 s] KAH ; [h(h; V; K AV ; A s ; n V )] KV H ; [K AV ; A s ] KV H ; [h(h; A 0 s ; n A)] KAH 4: V! A: V; A s ; [K s ] KAV ; [h(v; A s ; K s )] KAV ; [A 0 s ] K AH ; [h(h; A 0 s ; n A)] KAH In Step 1, A begins by sending V a token T oken AHV, a nonce n A and the signed hash value. V is not able to understand T oken AHV as it is encrypted under K AH and V does not have K AH. The token contains the information for authentication of A by H. V passes the token to H in Step 2. V cannot check the signed hash value at this stage as it does not have K AV. K AV is generated with a strong one-way hash function f. Only A and H can construct K AV. After receiving the token in Step 2, H authenticates A. In Step 3, H sends a new subliminal identity A 0 s encrypted under K AH and the signed hash value [h(h; A 0 s ; n A)] KAH. This portion of the message will be passed to A by V in Step 4. H also provides V the key K AV and A's subliminal identity. Encrypted signed hash value [h(h; V; K AV ; A s ; n V )] KV H is also sent. In Step 4, upon receipt of H's message, V can verify the hash value received from A s in Step 1. It can then issue A a session key K s encrypted under K AV. The message also includes the information sent by H and a signed hash value for integrity. 4 Secure End-to-End Communications So far we have been considering authentication of user A by a mobile network service authority such as H (intra-domain) or V (inter-domain). From a user point of view, in a mobile computing environment, securing the end-to-end path from one mobile user to another is the primary concern. The end-to-end security service minimises the interferences from the operator controlled network components. In this section, we present a secure end-to-end authentication and key distribution protocol between two mobile users. In this paper, we only consider the symmetric key approach. A public key based system is described in [6]. Basic Setup: Mobile Station Users A and B: { Belong to H and V respectively. { A has subliminal identity A s issued by H and a secret symmetric key K AH. { B has subliminal identity B s issued by V and a secret symmetric key K BV. Home Server H: { Has the mapping from the subliminal identity to real identity for A. 5

6 { Has secret symmetric keys K AH and K V H. Home Server V : { Has the mapping from the subliminal identity to real identity for B. { Has secret symmetric keys K BV and K V H. 4.1 Case (i) In this subsection, we consider the situation where both A and B reside within their respective home domains and wish to have a secure communication between them. 1 A 6 H Figure 3: Secure End-to-End Protocol: Case (i). The end-to-end inter-domain protocol is as follows: 2 5 1: A! H: A s ; H; n A ; [B] KAH ; 2: H! V : [h(a s ; H; n A ; B)] KAH H; V; n H ; [A; B; n A ; K AB ] KHV ; 3:V! B: [h(h; V; n H ; n A ; A; B; K AB )] KHV V; B s ; n V ; [A; B; n A ; K AB ] KBV ; 4: B! V : [h(v; B s ; n V ; n A ; A; B; K AB )] KBV B s ; V; n V ; [h(b s ; V; n V + 1; n A + 1; 5: V! H: A; B; K AB ] KBV V; H; n H ; [h(v; H; n H + 1; n A + 1; 6: H! A: A; B; K AB ] KHV H; A s ; [K AB ; A 0 s] KAH ; n A ; 7: A! B: [h(h; A; B; A s ; A 0 s ; n A; K AB )] KAH A s ; B s ; nonce; [message] KAB ; [h(a s ; B s ; nonce; message)] KAB The main objective of this protocol is to provide mutual authentication between mobile station users A and B, and to establish a secret shared conversation key K AB between them. In Step 1, A authenticates himself to H using the subliminal identity A s and K AH, and requests 4 V 3 B to communicate with B. B's identity is encrypted with K AH to protect against disclosure to eavesdroppers. The nonce n A is used by A to identify its request for communication with B. Upon verication of the request in Step 2, H generates a secret conversation key K AB, which is encrypted under K HV for distribution to V. In Step 3, V passes to B the secret conversation key K AB, along with A's and B's identities and nonce n A, encrypted under K BV. Now authentication of A to B is complete. Step 4 starts the authentication process of B to A. B sends V the hash value containing the secret conversation key K AB, nonces, and A's and B's identities, encrypted under K BV. This information is passed to H in Step 5. Upon verication of the hash value received in Step 5, H is aware whether or not B has received the correct conversation key and whether the information is fresh. At the end of Step 6, A obtains from H, the conversation key K AB as well as a new subliminal identity A 0 s. Now authentication of B to A is complete. Using the conversation key, A and B can securely communicate with each other (Step 7). However note that this protocol does not provide the second degree anonymity. H knows the real identity of B and V knows the real identity of A. The second degree anonymity can be achieved using the hybrid approach employing both symmetric and public key based cryptosystems. This is considered in [6]. 4.2 Case (ii) Now consider the situation where A (belonging to H) travels to domain V, and then wishes to communicate with B in domain V. A H 3 2 Figure 4: Secure End-to-End Protocol: Case (ii) The protocol is as follows: V 4 1 A B 6

7 1: A! V : A s ; H; n A ; T oken AHV ; [A s ; B] KAV ; [h(a s ; H; n A )] KAV ; where K AV = f(k AH ; A s ; V ), T oken AHV = [A; H; V; n A ] KAH 2: V! H: V; H; n V ; A s ; T oken AHV ; [h(v; H; n V ; A s ; T oken AHV )] KV H 3: H! V : H; V; [K AV ; A s ] KV H ; [A 0 s] KAH ; n V ; [h(h; V; K AV ; A s ; n V )] KV H, [h(h; A 0 s ; n A)] KAH 4: V! A: V; A s ; n 0 V ; [K s; B; B s ] KAV ; n A ; [h(v; A s ; B; B s ; K s ; n A ; n 0 V )] K AV, [A; A s ; K s ] KBV ; [h(v; A; A s ; B; n 0 V ; K s)] KBV, [A 0 s] KAH ; [h(h; A 0 s ; n A)] KAH : 5: A! B: A s ; B s ; V; n 0 A ; n0 V ; [A; A s; K s ] KBV ; [h(v; A; A s ; B; n 0 V ; K s)] KBV ; [h(a s ; B s ; V; n 0 A ; n0 V )] K s User A is the initiator who wishes to have secure conversation with user B. In Step 1, A begins by sending V a conversation request [A s ; B] KAV, a token T oken AHV, a nonce n A and the signed hash value. T oken AHV encrypted with K AH needs to be passed to H by V in Step 2 and it contains the necessary information for authentication of A by H. At this stage, V cannot verify the hash value and cannot decrypt the request as it does not have K AV. K AV is generated using a strong one-way hash function f. Only A and H can construct K AV. Steps 2 and 3 are similar to those in the user inter-domain authentication protocol given in section 3. In Step 4, V distributes conversation key K s to A. This key is encrypted under K AV for A and encrypted under K BV for B. A also receives the new subliminal identity which can be used in future communications. In Step 5, A sends the conversation key K s to B, and now A and B can have secure communications using K s. Note that once again the second degree anonymity is not achieved in this protocol. V knows the real identity of A. However the real identity of B is not known to H. We can modify the protocol to provide the second degree anonymity with respect to V as follows: 4': V! A: V; A s ; n 0 V ; [K s; B; B s ] KAV ; n A ; [h(v; A s ; B; B s ; K s ; n A ; n 0 V )] K AV, [A s ; K s ] KBV ; [A 0 s] KAH ; [h(v; A s ; B; n 0 V ; K s)] KBV, [h(h; A 0 s ; n A)] KAH : 5': A! B: A s ; B s ; V; n 0 A ; n0 V ; [A s ; K s ] KBV ; [A; A s ] Ks ; [h(v; A s ; B; n 0 V ; K s)] KBV ; [h(a; A s ; B s ; V; n 0 A ; n0 V )] K s However in this case, only A (and not H or V ) is able to guarantee the mapping between A and A s to B. Once again the hybrid approach provides a better solution to the second degree anonymity problem [6]. 5 Discussion We have proposed symmetric key based protocols for use in mobile networks. We rst considered user authentication in both intra and interdomain enviornments. These protocols enabled authentication as well as the establishment of a shared secret key between mobile users and the domain authorities. Then we extended these protocols to provide secure end-to-end communication between two mobile users residing in dierent domains. We considered two such communication scenarios. These protocols also provided a certain degree of anonymity of the communicating users to other users as well as system authorities. This was achieved by introducing the notion of subliminal identities. In this paper, we have not addressed the issue of the storage of secret keys within the mobile station. One mechanism is to store the keys in tamper-proof smartcards and to provide appropriate interface to the mobile station. This scheme can be further strengthened by requiring a key/password to activate the smartcard. This is particularly important if the same mobile station is to be used by multiple users at dierent times. References [1] D. C. Cox, \Protable digital radio communication - an approach to tetherless access," IEEE Communications Magazine, vol. 27, July [2] V. Varadharajian, \Security for personal mobile networked computing," in Proceedings 7

8 of the International Conference on Mibile and personal Communications Systems, April [3] N. Asokan, \Anonymity in a mobile computing environment," in Proceedings of 1994 IEEE Workshop on Mibile Computing Systems and Applications, [4] M. Rahnema, \Overview of the GSM system and protocol archilecture," IEEE Communications Magazine, pp. 92{100, April [5] R. Molva, D. Samfat, and G. Tsudik, \Authentication of mobile users," IEEE Network, pp. 26{34, March/April [6] V. Varadharajan and Y. Mu, \Authentication protocols for mobile communication systems: A hybrid approach," (In preparation). 8