Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks

Transcription

1 An abridged version of this paper appears in the Proc. of the Third IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom 2005 Workshops), 8-12 March 2005, Kauai Island, Hawaii. Security Analysis of Two Anonymous Authentication Protocols for Distributed Wireless Networks Duncan S. Wong Department of Computer Science City University of Hong Kong Hong Kong December 19, 2004 Abstract In a set of distributed wireless networks, such as globally distributed cellular systems, different networks could be administered by different operators. Mobile devices subscribed to one network may need to access networks administered by some other operators. An anonymous authentication protocol allows a roaming mobile device to anonymously authenticate itself to a visiting network in such a way that eavesdroppers in the visiting network and operators of other networks can only tell to which network the mobile device is subscribed but cannot tell the identity of the mobile device. The protocol is useful for protecting the privacy of the roaming mobile device. In this paper, we review two anonymous authentication protocols and point out some weaknesses and flaws of them. We show that these protocols are vulnerable to some practical attacks and the anonymity of a roaming mobile device could be compromised. 1 Introduction Consider in a set of globally distributed cellular systems or a meshed set of Wireless LANs supporting roaming, each of them consists of some distributed wireless networks which could be administered by different operators. When a mobile device subscribed to one network, referred to as the mobile device s home network, roams across the distributed wireless networks, it may access a network which is administered by a different operator, referred to as the mobile device s foreign network. An anonymous authentication protocol allows this roaming mobile device to anonymously authenticate itself to a visiting foreign network in such a way that the following goals will be achieved. 1. (Mutual Authentication) Both the roaming mobile device and the visiting foreign network have obtained assurance on the identities of their communicating parties. In general, each of the two communicating parties should obtain assurance on the identity of its communicating party. 2. (User Anonymity) Eavesdroppers of the visiting foreign network, including other mobile devices in the network, and any foreign networks other than the visiting one, should not be able to find out the identity of the roaming mobile device; The work described in this paper was fully supported by a grant from the Research Grants Council of the Hong Kong Special Administrative Region, China (Project No (RGC Ref. No. CityU 1161/04E )). 1

2 3. (User Untraceability) Eavesdroppers and foreign networks should not be able to track the roaming sequence of the mobile device. These security goals are useful for protecting the privacy of the mobile device, especially in a widely distributed wireless networks administered by a large number of different operators. This level of privacy has not yet achieved in the current cellular systems. However, this has always been a desirable feature from the past to new and upcoming wireless networks [9]. It becomes increasingly important when more and more ad hoc wireless networks are in place to provide services. In this paper, we review two anonymous authentication protocols for wireless communications. The first one was proposed by Varadharajan and Mu [10] and the second one was proposed by Go and Kim [3]. We find that they are vulnerable to several attacks which allow eavesdroppers or foreign networks other than the visiting one to find out the identity of a roaming mobile device or trace the roaming sequence of the mobile device. In the protocols of [10], the privacy of the mobile devices cannot be preserved if the underlying symmetric encryption function is a typical stream cipher. Stream ciphers are commonly used in wireless applications for better performance and less battery power consumption. Our attacks allow eavesdroppers or other mobile devices to reveal the identity of a targeted mobile device. In the protocol of [3], a malicious foreign network which is not the visiting one can find out the mobile device s identity without interacting with the mobile device. These attacks show that their protocols cannot achieve the original security goals. Since the attacking techniques are practical and can be implemented effectively, we believe that the attacks presented in this paper should be checked against every time when a new anonymous authentication protocol is designed. Paper Organization: In Sec. 2, we review some previously proposed anonymous authentication protocols for wireless communications. In Sec. 3, we first review the Varadharajan-Mu authentication protocols [10] and then describe two attacks. In Sec. 4, we describe another attacking technique and show that Go-Kim authentication protocol [3] is susceptible to this attack. Finally in Sec. 5, we conclude the paper. 2 Related Work We call a roaming mobile device, its home network and the visiting foreign network as a user, the user s home server and a foreign network, respectively. There had been a number of works on anonymous authentication protocols for wireless networks [1, 8, 10, 3]. In [1, 8], several levels of privacy requirements and protocols were proposed. The basic idea is to have a distinct alias associated to each user which appears unintelligible to anyone else except the home server of the user. When the user requests for a connection to a foreign server, he presents the alias and the identity of a server which is claimed to be his home server. The foreign server then forwards the alias to the claimed home server for verification. This technique is commonly used for providing user anonymity. Another feature which is closely related to anonymity is user untraceability: it means that nobody except the home server of a user should be able to track the user s sequence of roaming. To provide user untraceability, the alias of [1, 8] has to be renewed every time after it is used. 2

3 On authentication, protocols of [1, 8] do not provide foreign server authentication. The user cannot make sure if he is communicating with a foreign server that is intended to connect. In [10, 3], anonymous authentication protocols were proposed which support mutual authentication. In [10], a related scenario to roaming was discussed and three protocols were proposed for providing authenticated key establishment between two mobile devices, each subscribed to a distinct server. Their protocols protect the identities of both mobile devices from eavesdroppers, and other mobile devices and servers. However, in Sec. 3 below, we show that all of their protocols cannot preserve the privacy of the mobile devices if the underlying symmetric encryption function is a typical stream cipher. For many wireless networks, stream ciphers are used for better performance and less power consumption when compared with block ciphers. Hence the attacks described in Sec. 3 have significant practical impact. In our attacks, eavesdroppers and other network users can compromise the anonymity of two communicating mobile devices. In [3], an anonymous authentication protocol was proposed for mobile devices to roam anonymously on distributed wireless networks. Their protocol is targeted to protect the mobile device s identity from all entities other than its home server and the visiting foreign server. However, according to results given below (in Sec. 4 below), it is found that a malicious foreign server which is not serving the mobile device can launch an attack to reveal the mobile device s identity. 3 Varadharajan-Mu Anonymous Authentication Protocols In [10], Varadharajan and Mu proposed three anonymous authentication protocols. In the following, we review the first protocol of [10] and present two attacks which compromise the original anonymity goals of the protocol. The attacks can be applied to the other two protocols as well. Consider a scenario when a user A from his home server H travels to a network administered by a foreign server V and requests for a secure connection with another user B subscribed to V, that is, V is the home server of B. The anonymity goals are as follows. 1. (Caller Anonymity) The real identity of A should only be known to H and B. That is, A should remain anonymous to eavesdroppers, all network users except B, and all foreign servers including V. 2. (Callee Anonymity) The real identity of B should only be known to V, A and H. That is, B should remain anonymous to eavesdroppers, all network users except A, and all servers except V and H. Below is a review of the first protocol of [10]. Let k be a security parameter. Let E K be a symmetric encryption function with the symmetric key K. Let Sig X be a secret signing algorithm of an entity X and V er X be the corresponding public signature verification algorithm. Let P KE X be a public key encryption function with the public key of entity X. Let A and B be mobile devices that A initiates a connection to B. Let H be the home server of A and V be the home server of B. Let K AH be a long-term symmetric key shared between A and H. Let K BV be a long-term symmetric key shared between B and V. Let h 1 and h 2 be two distinct cryptographic hash functions such as [6]. Both of them map from {0, 1} to {0, 1} k. 3

4 Assume that there is a temporary identity, denoted by A s, shared between A and H. Similarly, a temporary identity, B s, is assumed to be shared between B and V before starting the protocol. The temporary identity is called a subliminal identity in [10] and is intended for the provision of user anonymity. In Fig. 1, the first protocol of [10] is illustrated. In the figure, notations A, H, B and V also represent their corresponding identities. 1. A : n A R {0, 1} k, K AV = h 1 (K AH A s V ), T oken AHV = E KAH (A H V n A ), mac 1 = E KAV (h 2 (A s B H n A )) 2. A V : A s, H, n A, T oken AHV, msg 1 = E KAV (A s B), mac 1 3. V : n V R {0, 1} k, sig 1 = Sig V (V H n V A s T oken AHV ) 4. V H : V, H, n V, A s, T oken AHV, sig 1 5. H : If T oken AHV is in correct form and V er V (sig 1 ) = 1: sig 2 = Sig H (H V K AV A s n V ), mac 3 = E KAH (h 2 (H n A A new s )) 6. V H : H, V, n V, msg 2 = P KE V (K AV A s ), sig 2, msg 3 = E KAH (H A new s ), mac 3 7. V : Decrypt msg 2. If V er H (sig 2 ) = 1: Decrypt msg 1. If mac 1 is in correct form: K s R {0, 1} k, mac 4 = E KAV (h 2 (V A s B B s K s n A )), mac 5 = E KBV (h 2 (V A s B K s )) 8. A V : V, A s, n A, msg 3, mac 3, msg 4 = E KAV (B B s K s ), mac 4, msg 5 = E KBV (A s K s ), mac 5 9. A : Decrypt msg 3. If mac 3 is in correct form: Decrypt msg 4. If mac 4 is in correct form: Update the subliminal identity to A new s. n A R {0, 1} k, mac 6 = E Ks (h 2 (A s A B s V n A )) 10. A B : A s, B s, V, n A, msg 5, mac 5, msg 6 = E Ks (A A s ), mac B : Decrypt msg 5. If mac 5 is in correct form: Decrypt msg 6. If mac 6 is in correct form, accept the connection. 12. A B : B s, A s, n A, mac 7 = E Ks (h 2 (B s A s n A )) 13. A : If mac 7 is in correct form, accept the connection. Figure 1: Varadharajan-Mu Anonymous Authentication Protocol In Fig. 1, x R X means that x is randomly chosen from the domain X. Symbol means binary string concatenation and A V means that A sends some message to V. A new s identity for A. is the new temporary Obviously, the anonymity requirement of keeping V from knowing the real identity of A would be compromised if V can get the message sent from A to B in Step 10 of Fig. 1. However, this can be prevented easily in practice by adjusting the transmission power of A such that it is too low for V to get the signal. 4

5 In the following, we describe two attacks which compromise user anonymity of A and B, respectively. The attacking techniques can also be applied to the other two protocols of [10]. The security requirement of the underlying symmetric encryption function is not specified clearly in [10]. Rigorous mathematical definitions and precise algorithm specifications are not given. In the following, we illustrate that missing of these important definitions and specifications could severely affect the security of the protocol. Assume that the encryption function is some secure stream cipher such as [2, 7]. In many wireless networks, security protocols use stream ciphers instead of block ciphers for better performance, less memory requirement, and lower power consumption. Define the stream cipher as M M f(k) for all message M with appropriate length where K is the symmetric key and f is a secure pseudorandom function family keyed by K. We now show that this implementation is insecure as caller and callee anonymity cannot be attained. 3.1 Attack 1: Compromising Anonymity of A by Eavesdroppers Note that T oken AHV = (A H V n A ) f(k AH ). The bit information of f(k AH ) is leaked directly from the publicly known components H, V and n A. In addition, the first portion of T oken AHV corresponding to A is always the same. An eavesdropper can use this information to track the roaming sequence of a mobile device. Regardless the renewal of the subliminal identity of A in each protocol run, the scheme is traceable. If the length of H and A are the same, then the identity of A is revealed immediately from T oken AHV and msg 3. Notice that T oken AHV = f(k AH ) (A ) and msg 3 = f(k AH ) (H ). Since the value of H is publicly known, the value of A is obtained immediately from T oken AHV msg 3 (H ). 3.2 Attack 2: Compromising the Anonymity of B by a Mobile Device If A is also a malicious user, this attack allows A to obtain enough bits of f(k BV ) for identifying all the subsequent communications initiated by B with any other mobile devices in any other networks. Note that msg 5 = (A s K s ) f(k BV ). Since A knows A s and K s, this portion of f(k BV ) can also be obtained by A. Then as long as the length of B is smaller than that of A s K s, A can compute the portion of B in any T oken BV S for any foreign server S of B. Hence A compromises the anonymity of B in all its future communications with any other entities after initiating only one call with it. 4 Go-Kim Anonymous Authentication Protocol In [3], Go and Kim proposed an anonymous authentication protocol for a user traveling anonymously from one wireless network to another. These networks are administered by different operators. Besides the user s home server and his visiting foreign server, no one including eavesdroppers, other users in the system and other foreign server that are not interacting with the user should be able to obtain the real identity of the user. In the following, we first review their protocol and then describe an active attack which allows a malicious foreign server to eavesdrop communications between a user and another foreign server and launch an active attack for obtaining the identity of the user. 5

6 For simplicity, we omit formal definitions of the following functions and assume that some appropriate domains and ranges are applied to each of them. Let E K be a symmetric encryption function under the symmetric key K. Let Sig A be a secret signing algorithm of entity A. Let V er A be the corresponding public signature verification algorithm of A. Let Z p be a multiplicative group generated by g where p is a large prime. Let the order of Z p be a large prime q such that q (p 1). Assume that the discrete logarithm problem [4] in Z p is hard. Let M, V and H denote the user, a foreign server and the home server of M, respectively. Assume that M has a public key pair denoted by (ŝ M, P M ) where ŝ M Z q is the private key and P M = gŝm mod p is the public key. Similarly, let (ŝ V, P V ) and (ŝ H, P H ) be the public key pairs of V and H, respectively, where P V = gŝv mod p and P H = gŝh mod p. Assume that M knows H s public key. Also assume that PKI (Public Key Infrastructure) is present. For each entity in the system, there exists a certificate issued by a trusted certificate authority on its identity and public key. For example, the certificates of M, V and H are denoted by Cert M, Cert V and Cert H, respectively. Let h, h 1 and h 2 be some cryptographic hash functions. The Go-Kim anonymous authentication protocol [3] is shown in Fig M : r M R Z q, K MH = P r M H mod p, T ID M = E KMH (h(m) (g r M mod p)) 2. M V : g r M mod p, T ID M, H 3. V : r V R Z q, sig 1 = Sig V (g r V mod p g r M mod p T ID M V ) 4. V H : g r V mod p, g r M mod p, T ID M, sig 1, T 1, Cert V 5. H : If Cert V is verified to be valid and V er V (sig 1 ) = 1: K MH = g r M ŝ H mod p, decrypt T ID M and identify M from h(m), r H R Z q, K V H = h 1 (g r V r H mod p P r H V mod p), sig 2 = Sig H (g r H mod p g r V mod p h(m) (g r M mod p) H), 6. V H : g r H mod p, E KV H (sig 2 h(m) (g r M mod p)), T 2, Cert H 7. V : Compute K V H accordingly. If Cert H is verified to be valid and V er H (sig 2 ) = 1: T ID new M = h(gr M r V mod p h(m)), K MV = h 1 (g r M r V mod p g r M ŝ V mod p) 8. M V : g r V mod p, E KMV (h(g r V mod p g r M mod p T IDM new 9. M : sig 3 = Sig M (g r M mod p g r V mod p T 2 V ) 10. M V : E KMV (sig 3 T 3 Cert M ) V ) T 2), T 3, Cert V Figure 2: Go-Kim Anonymous Authentication Protocol In the figure, T ID M is called a temporary identity of M. It is renewed every time when a new session between M and V is established. The new temporary identity is T ID new M. T 1, T 2 and T 3 are timestamps. In Step 5 in Fig. 2, H decrypts T ID M and identifies M from h(m). Due to the collision resistent property of the hash function h, the value of h(m) is distinct for distinct M with overwhelming probability. The value of h(m) can therefore be used directly to identify user M. Hence if an adversary can obtain the value of h(m), it should be considered that the identity of the 6

7 user M has been compromised. 4.1 Compromising User Anonymity In this section, we will describe an active attack which allows a malicious foreign server, which is not interacting with the user, to eavesdrop communications between the user and a visiting foreign server and obtain the real identity of the user. As mentioned above, the Go-Kim protocol was originally designed to allow only the home server and the visiting foreign server to know the real identity of the user M. No other entity in the system including any other foreign servers which are not engagged in this protocol run should be able to obtain the identity of the user. However we can see that T ID M does not contain V. In Step 4 in Fig. 2, when H receives messages from V, there is no proof that M is intended to communicate with V. In other words, H has no idea if M is actually in the serving network operated by V or some other network operated by another operator. In the following, we describe an attack to compromise the user s anonymity. The attack is based on this observation. Suppose there is a malicious foreign server E which is eavesdropping in the radio coverage of V. After M sends the first message flow to V shown in Step 2 in Fig. 2, E later connects to H in another session and claims that a user of H is visiting the network operated by E. The attack is carried out for getting the identity of M. This is illustrated in Fig M V : g r M mod p, T ID M, H 2. V H : g r V mod p, g r M mod p, T ID M, sig 1, T 1, Cert V 2. E H : g r 1 mod p, g r M mod p, T ID M, sig 1, T 1, Cert E 3. V H : g r H mod p, E KV H (sig 2 h(m) (g r M mod p)), T 2, Cert H 3. E H : g r 2 mod p, E KEH (sig 2 h(m) (gr M mod p)), T 2, Cert H 4. M V : g r V mod p, E KMV (h(g r V mod p g r M mod p T IDM new V ) T 2), T 3, Cert V 5. M V : E KMV (sig 3 T 3 Cert M ) Figure 3: Malicious Server Attack In Step 2 in Fig. 3, the malicious server E produces arbitrarily g r 1 mod p, generates a signature sig 1 and a timestamp T 1, and shows a valid certificate Cert E appropriately. In Step 3 in Fig. 3, h(m) is obtained by E and it can then be used directly to identify M. In addition, M can usually be found by exhaustively searching over the domain of M. In practice, the domain of M is usually small. For example, in GSM [5], the mobile unit can be identified uniquely using a 15-digit number. Note that the attacking session between E and H does not need to be launched in parallel with the original session between M and V. It can be launched after an arbitrary period of time. We call it the Malicious Server Attack. 7

8 5 Conclusions In this paper, we review two anonymous authentication protocols for wireless communications. The first one was proposed by Varadharajan and Mu [10] and the second one was proposed by Go and Kim [3]. We find that they are vulnerable to several attacks which allow eavesdroppers or foreign networks other than the visiting one to find out the identity of a roaming mobile device or trace the roaming sequence of a mobile device. For the three protocols of [10], we show that all of them cannot preserve the privacy of the mobile devices if the underlying symmetric encryption algorithm is implemented using some inappropriate specification. This illustrates the importance of specifying precisely all the underlying algorithms. Our attacks allow an eavesdropper or a malicious mobile device to trace the roaming sequence or reveal the identity of another roaming mobile device. For the protocol of [3], we find that a malicious foreign network which is not interacting with the mobile device can find out the mobile device s identity through an impersonation attack. These attacks show that these protocols cannot achieve the original security goals. Since the attacking techniques are practical and can be implemented effectively, we believe that these attacks should be checked against every time when a new anonymous authentication protocol is designed. References [1] G. Ateniese, A. Herzberg, H. Krawczyk, and G. Tsudik. On traveling incognito. In Proc. of the IEEE Workshop on Mobile Systems and Applications, December [2] M. Briceno, I. Goldberg, and D. Wagner. A pedagogical implementation of A5/1. Available at May [3] J. Go and K. Kim. Wireless authentication protocol preserving user anonymity. In Proc. of the 2001 Symposium on Cryptography and Information Security (SCIS 2001), pages , January [4] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press LLC, [5] Michel Mouly and Marie-Bernadette Pautet. The GSM System for Mobile Communications. Published by the authors, [6] NIST FIPS PUB Secure Hash Standard, April [7] R.L. Rivest. The RC4 Encryption Algorithm. RSA Data Security, Inc., March 12, (Proprietary). [8] D. Samfat, R. Molva, and N. Asokan. Untraceability in mobile networks. In Proc. of MobiCom 95, pages 26 36, [9] Technical Specification Group (TSG) SA. 3GPP TS : 3rd Generation Partnership Project 3GPP, 3G Security, Security Architecture, Oct [10] V. Varadharajan and Y. Mu. Preserving privacy in mobile communications: A hybrid method. In IEEE International Conference on Personal Wireless Communications, pages ,