Design and Analysis of Authenticated Key Agreement Schemes for Future IoT Applications and Session Initiation Protocol

Transcription

1 Desgn and Analyss of Authentcated Key Agreement Schemes for Future IoT Applcatons and Sesson Intaton Protocol Thess submtted n partal fulfllment of the requrements for the degree of Master of Scence (By Research) n Computer Scence and Engneerng by C. Sravan Roll No c.sravan@research.t.ac.n Internatonal Insttute of Informaton Technology, Hyderabad (Deemed to be Unversty) Hyderabad , INDIA JULY 2017

2

3 Desgn and Analyss of Authentcated Key Agreement Schemes for Future IoT Applcatons and Sesson Intaton Protocol Thess submtted n partal fulfllment of the requrements for the degree of Master of Scence (By Research) n Computer Scence and Engneerng by C. Sravan under the gudance of Dr. Ashok Kumar Das Internatonal Insttute of Informaton Technology, Hyderabad (Deemed to be Unversty) Hyderabad , INDIA JULY 2017

4

5 Copyrght c C. SRAVANI, 2017 All Rghts Reserved

6

7 Dedcated to my famly

8

9 Declaraton I certfy that a. The work contaned n ths thess s orgnal and has been done by myself under the general supervson of my supervsor. b. The work has not been submtted to any other Insttute for any degree or dploma. c. I have followed the gudelnes provded by the Insttute n wrtng the thess. d. I have conformed to the norms and gudelnes gven n the Ethcal Code of Conduct of the Insttute. e. Whenever I have used materals (data, theoretcal analyss, and text) from other sources, I have gven due credt to them by ctng them n the text of the thess and gvng ther detals n the references. f. Whenever I have quoted wrtten materals from other sources, I have put them under quotaton marks and gven due credt to the sources by ctng them and gvng requred detals n the references. Place : IIIT Hyderabad C. Sravan MS Student Date: Roll No Center for Securty, Theory and Algorthmc Research Internatonal Insttute of Informaton Technology Hyderabad , INDIA

10

11 CERTIFICATE Ths s to certfy that the thess enttled Desgn and Analyss of Authentcated Key Agreement Schemes for Future IoT Applcatons and Sesson Intaton Protocol, submtted by C. Sravan to Internatonal Insttute of Informaton Technology, Hyderabad, s a record of bona fde research work under my supervson and s worthy of consderaton for the award of the degree of Master of Scence (By Research) n Computer Scence and Engneerng of the Insttute. Place : IIIT Hyderabad Date: Dr. Ashok Kumar Das Center for Securty, Theory and Algorthmc Research Internatonal Insttute of Informaton Technology Hyderabad , INDIA

12

13 Acknowledgments The success and fnal outcome of ths MS thess requred a lot of gudance and assstance from many people and I am extremely fortunate to have got ths all along the completon of my MS thess work. Whatever I have done s only due to such gudance and assstance, and I would not forget to thank them. I owe my profound grattude to my MS advsor Dr. Ashok Kumar Das, who took keen nterest n my MS work and guded me all along, tll the completon of my MS thess by provdng all hs valuable gudance and support wthout whch ths work would not have been possble. I am thankful to and fortunate enough to get constant encouragement, support and gudance from all the Teachng staff of Center for Securty, Theory and Algorthmc Research whch helped me n successfully completng my thess work. Also, I would lke to extend my sncere regards to all the non-teachng staff of Internatonal Insttute of Informaton Technology, Hyderabad for ther tmely support. Fnally, I would lke to thank my parents for provdng me wth unfalng support and contnuous encouragement throughout my years of study. Ths accomplshment would not have been possble wthout them. Place : IIIT Hyderabad Date: C. Sravan MS Student Center for Securty, Theory and Algorthmc Research Internatonal Insttute of Informaton Technology Hyderabad , INDIA

14

15 Abstract The ablty to convey nformaton quckly, accurately, and effcently s one of the prmary ams of human nnovaton. Wth the nventon of the electronc numercal ntegrator and computer, an nteracton between nformatcs and telecommuncaton began whch added faster data processng to dstant communcaton. The conventonal crcut swtchng was soon replaced by packet swtchng, and the TCP/IP protocol sute, facltatng communcaton between computers/heterogeneous machnes, ultmately leadng to the brth of the Internet. The advent of the Internet has resulted n the redefnng of tradtonal modes of communcaton lke rado, televson and paper mal gvng rse to servces such as emal, dgtal newspapers, Internet telephony and vdeo streamng. Wth networks growng exponentally, modern communcaton methods have become the drvng force of socal evoluton. The ever ncreasng amount of nformaton beng generated presents new challenges n terms of storage, transfer and securty. Snce computers can range from stand-alone to networked devces, varous avenues of attacks are avalable to compromse nformaton securty. Ensurng confdentalty of nformaton beng transmtted and stored s therefore essental. Also known as access control, ths can be acheved through authentcaton. Authentcaton s the process of verfyng a clamed dentty. The valdaton method can nvolve multple factors wth the level of securty beng proportonal to the number and type of factors nvolved. Mutual authentcaton s where the nvolved partes smultaneously authentcate each other to establsh a connecton. It s most often mplemented machne-to-machne through dgtal certfcates where there s a chance of the user not realzng when the remote authentcaton fals. Challenge-response based mechansms help mtgate ths problem by detectng false end-ponts. In ths thess, we study the mportance of authentcaton and key agreement n two dfferent network applcatons Internet of Thngs (IoT) and Sesson Intaton Protocol (SIP). The frst study presents a new Ellptc Curve Cryptography (ECC) sgnaturebased authentcated key establshment scheme for applcatons n IoT envronment. The proposed scheme accommodates password and bometrc update as well as stolen/lost smartcard revocaton phases. The proposed scheme has been proved to be secure usng the wdely-used Burrows-Abad-Needham logc (BAN logc), nformal securty analyss, and also a formal securty verfcaton usng the broadly-accepted Automated Valdaton of Internet Securty Protocols and Applcatons (AVISPA) tool. The practcal demonstraton of the scheme s evaluated usng the wdely-accepted NS2 smulator for varous network

16 performance parameters. Fnally, t s shown that the scheme provdes more functonalty features, and ts computatonal and communcaton costs are also comparable wth other exstng approaches. In the next study, we focus on authentcaton n Sesson Intaton Protocol for Voce over IP envronments. In ths work, we present an effcent ECC based three-factor authentcaton and sesson key agreement scheme for SIP, whch uses the dentty, password and personal bometrcs of a user as three factors. The proposed scheme resolves the shortcomngs n exstng SIP authentcaton protocols. The proposed scheme also supports password and bometrc update phase wthout nvolvng the server and the user moble devce revocaton phase n case the moble devce s lost/stolen. Formal securty analyss under the Real-Or-Random (ROR) model and the broadly-accepted BAN logc ensures that the proposed scheme can wthstand several known securty attacks. The proposed scheme has also been analyzed nformally to show that t can also wthstand other known attacks. Smulaton for formal securty verfcaton usng the wdely-known AVISPA tool shows that the scheme s secure aganst replay and man-n-the-mddle attacks. Fnally, hgh securty, and low communcaton and computaton costs make the proposed scheme more sutable for practcal applcaton as compared to other exstng related ECC-based schemes for SIP authentcaton. Keywords: Authentcaton, Key Establshment, Sesson Intaton Protocol, Ellptc Curve Cryptography, Internet of Thngs (IoT), BAN logc, AVISPA, NS2 smulaton, Securty.

17 Dssemnaton of Work Chapter #4. Sravan Challa, Mohammad Wazd, Ashok Kumar Das, Neeraj Kumar, Alavalapat Goutham Reddy, Eun-Jun Yoon, and Kee-Young Yoo. Secure Sgnature-Based Authentcated Key Establshment Scheme for Future IoT Applcatons, n IEEE Access, Vol. 5, pp , (2016 SCI Impact Factor: 3.224) [Ths artcle s one of the top 50 most frequently downloaded documents for Popular Artcles (May 2017)] Chapter #5. Sravan Challa, Ashok Kumar Das, Saru Kumar, Vanga Odelu, Fan Wu, and Xong L. Provably secure three-factor authentcaton and key agreement scheme for sesson ntaton protocol, n Securty and Communcaton Networks (Wley), Vol. 9, No. 18, pp , (2016 SCI Impact Factor: 1.067)

18

19 Contents 1 Introducton Internet of Thngs (IoT) Applcatons Functonalty requrements Securty requrements Sesson ntaton protocol Functonalty requrements Securty requrements Objectve of the work Summary of contrbutons Sgnature-based three-factor authentcated key establshment for future IoT applcatons Three-factor authentcaton and key agreement for sesson ntaton protocol Organzaton of the thess Mathematcal Prelmnares One-way hash functon Bomtrecs and fuzzy extractors Ellptc curve cryptography Ellptc curve over a fnte feld ECC encrypton and decrypton Ellptc curve dgtal sgnature ECC vs RSA Summary

20 CONTENTS 3 Revew of Related Works Authentcaton and key agreement schemes for IoT applcatons Authentcaton schemes for SIP Summary Sgnature-Based Three-Factor Authentcated Key Establshment for Future IoT Applcatons System models IoT authentcaton model Threat model Our contrbutons The proposed scheme System setup phase Sensng devce regstraton phase User regstraton phase Logn phase Authentcaton and key agreement phase Password and bometrc update phase Smart card revocaton phase Dynamc sensng devce addton phase Securty analyss of the proposed scheme Mutual authentcaton usng BAN logc Dscusson on other attacks Formal securty verfcaton usng AVISPA tool Performance comparson Practcal perspectve: NS2 smulaton study Smulaton parameters Smulaton envronment Smulaton results and dscussons Summary Three-Factor Authentcaton and Key Agreement for Sesson Intaton Protocol Threat model Our contrbutons

21 CONTENTS 5.3 Overvew of Mshra s scheme System setup phase Regstraton phase Authentcaton and key agreement phase Password change phase Cryptanalyss and lmtatons of Mshra s scheme Prvleged-nsder attack Offlne-password guessng attack Denal-of-servce attack Server dependent password change phase The proposed scheme System setup phase Regstraton phase Logn phase Authentcaton and key agreement phase Password and bometrc update phase Moble devce revocaton phase Securty analyss of the proposed scheme Formal securty analyss usng random oracle model Formal securty analyss usng BAN logc Informal securty analyss and other dscussons Smulaton for formal securty verfcaton through AVISPA tool Implementaton detals n HLPSL Smulaton result analyss Performance comparson Summary Concluson and Future Works Contrbutons Future research drectons

22

23 Lst of Fgures 4.1 Authentcaton model for IoT applcatons (Adapted from [40]) Summary of user regstraton phase Summary of logn and authentcaton phases Summary of password and bometrc update phase Summary of smart card revocaton phase Archtecture of the AVISPA tool (Source: [7]) Role specfcaton n HLPSL for the user U Role specfcaton n HLPSL for the GW N Role specfcaton n HLPSL for the sensng devce SD j Role specfcaton n HLPSL for the sesson, goal and envronment Analyss of smulaton results usng OFMC and CL-AtSe backends End-to-end delay of our scheme Throughput of our scheme Summary of regstraton phase n the proposed scheme Summary of logn, and authentcaton and key agreement phases n the proposed scheme Password and bometrc update phase Role specfcaton for user U Role specfcaton for server S Role specfcaton of sesson, goal and envronment Smulaton result usng OFMC backend of our scheme Smulaton result usng CL-AtSe backend of our scheme

24

25 Lst of Tables 2.1 Comparson of key length and computaton tme for sgnature generaton [50] Notatons used n ths chapter Approxmate tme requred for varous operatons [74] Comparson of computaton overhead of our scheme wth related IoT schemes Comparson of communcaton overhead of our scheme wth related IoT schemes Comparson of functonalty features of the proposed scheme wth related IoT schemes Varous smulaton parameters Notatons used n ths chapter Approxmate tme requred for varous operatons [74] Comparson of computaton overhead of the proposed scheme wth related ECC-based schemes Comparson of communcaton overhead of the proposed scheme wth related ECC-based schemes Comparson of functonalty features of the proposed scheme wth related ECC-based schemes

26

27 Chapter 1 Introducton Authentcaton s the process of confrmng the valdty of a clamed dentty by verfyng at least one knd of dentfcaton. The process of confrmaton mght nclude verfyng dentfcaton documents, dgtal certfcates for webstes or determnng age usng carbon datng. Authentcaton methods can be broadly classfed nto three categores based on the factors nvolved whch are as follows: Knowledge: It s known to the user lke personal dentfcaton number, password, securty queston etc. Ownershp: It s possessed by the user lke smart card, securty token, moble devce etc. Inherence: It s a characterstc of the user lke bometrcs, sgnature etc. Authentcaton can be ensured through any or all the factors mentoned above and thus, the methods nvolved can be sngle-factor, two-factor or mult-factor n ncreasng order of securty. Mult-factor authentcaton allows usng dfferent factors from the same category - for example, usng both password and securty queston. Three-factor authentcaton, however, requres usng one factor from each of the above mentoned categores - password, smart card and bometrcs, for nstance. The relablty of the authentcaton s dependent not just on the factors chosen but how they are mplemented as well. The followng subsectons dscuss two networkng technques - Internet of Thngs (IoT) and Sesson Intaton Protocol (SIP) - along wth ther applcatons, functonal and securty requrements, focusng on the mportance of authentcaton n these scenaros.

28 2 Introducton 1.1 Internet of Thngs (IoT) IoT encompasses a system of physcal objects that are nterconnected to exchange and collect data over the nternet. These objects are equpped wth the requred processng and communcaton abltes and possess a locatable Internet Protocol address (IP address). The objectve here s to ntegrate computer-based systems and the physcal world for economc beneft, and to mprove accuracy and effcency whle reducng human nvolvement. Cyber-physcal systems such as smart grds and ntellgent transportaton can be consdered as subsets of IoT [6]. The connectvty provded should be beyond machneto-machne communcaton coverng varous protocols and applcatons nterconnectng systems, devces and servces. Multple technologes lke wreless communcaton, embedded systems and machne learnng are the buldng blocks of ths vson. Applcatons of IoT are dverse ncludng nfrastructure management n hgh-rsk condtons, dsaster management through envronmental montorng and provdng remote health-care servces, to lst a few. IoT, whle broadenng access to nformaton, has an enormous threat to securty and prvacy due to ts heterogeneous and dynamc nature. Cyber attacks could change from vrtual to physcal wth the ncrease n number of wearable devces. An estmated 50 bllon objects wll be a part of IoT by 2020 [40]. IoT beng a relatvely new concept, the securty challenges nvolved have not been addressed approprately at the desgn level for these objects. Employng effectve securty practces, especally authentcaton and key management schemes to protect anonymty and prvacy, are requred. In the followng subsectons, applcatons, functonal and securty requrements of IoT are dscussed Applcatons Ths secton dscusses some promnent applcatons of IoT whch are as follows: Wearable devces: Rangng from navgaton tools and communcaton gadgets to ftness trackers and specfc health montorng devces, wearable devces have both personal and busness use. Most models rely on short-range wreless communcaton technologes lke Bluetooth and local W-F setups. The IoT applcatons used for wearables should be energy effcent. The devces are ncorporated wth sensors and software to gather data for obtanng meanngful nsghts about users through analyss.

29 1.1 Internet of Thngs (IoT) 3 Telemedcne: Wth rapd developments n wreless sensor healthcare networks for enablng remote medcal servces, IoT can help people n lvng a healther lfe through connected wearable devces. The accumulated data helps provde personalzed analyss of a person s health and approprate remedes can be taken. Industral Internet: Through bg data analytcs, sensors and software ndustral IoT s helpng n creatng machnes that are more consstent and accurate n communcatng through data. Ths also helps detect problems and neffcences sooner. Conventonal automaton methods can be transformed through machne-to-machne communcaton, wreless connecton and nnovatve hardware. Qualty control and sustanablty can also be acheved usng ths. Energy management: Smart grds collect data whch s analysed for behavour patterns of electrcty supplers and consumers to mprove the economcs and effcency of usage. They are also hghly relable as power outages are detected quckly at an ndvdual home level, thus accommodatng a dstrbuted energy system. IoT n agrculture: Wth the ncreasng demand for food supply, usng advanced technques to research on food producton and sustanablty s mportant whch requres hghly scalable solutons. Sensng for mosture n sol and nutrents, controlled waterng of plants and determnng customzed fertlzers are some advantages of usng IoT n agrculture. Smart farmng helps farmers n ganng nsghts from data to mprove returns on nvestment. Smart home: The applances and devces n a smart home have the capacty to communcate wth each other and the surroundng envronment. They enable controllng and customzng the home envronment to provde effcent energy management and better securty n addton to savng tme and money. Smart cty: Ths helps deal wth ssues lke traffc congeston, polluton and energy supply defct. Some applcatons of IoT n buldng smart ctes nclude automated transportaton, smart survellance, montorng envronment, water dstrbuton and smart energy management systems. For example, sensors and web applcatons can help detect meter tamperng ssues and any malfuncton n the power grd.

30 4 Introducton Functonalty requrements To enable smooth operaton of IoT, some crtcal functonalty requrements of the nvolved enttes are dscussed below. Interoperablty: Wth the number of IoT devces ncreasng everyday, ther applcatons are also becomng ncreasngly dverse. Whle sensors can be used to record surroundng condtons lke temperature and mosture level, actuators are used to trgger specfc events. Wearable devces that gather health statstcs are ganng popularty. As heterogenety s one of the promnent propertes of IoT applcatons and devces, t s essental to ensure that nteracton between all nvolved enttes s possble. The connectvty requred for such nteractons should be dverse supportng varous wred and wreless technologes. Sensng and ntellgence: The nvolved nodes n IoT should be able to adapt themselves and self-organze as per the clent s requests to facltate data sharng and performng coordnated tasks. The gradual shft n paradgm from always-on servces to always-responsve servces allows for the desgnng of applcaton and context specfc IoT platforms that cater to the clent requests at run-tme. The servce dscovery should therefore, be ntellgent and done through wreless sensng to avod both constrants of wred alternatves and the dependence on external trggers. Energy effcent: The nodes wth the above mentoned sensng capabltes should use power effcently durng computaton and communcaton. Also, as most nodes are dormant majorty of the tme, state swtchover should be avalable so that kernel can change redundant nodes to sleep/swtch off mode. The hardware desgned for such purposes should be ntellgent enough to consume very low energy n sleep mode. Data management: Varous enttes nvolved n IoT generate large amounts of data ether through processng or sensng whch s sent n real-tme for storage and analyss. The platform should therefore possess the capacty to handle such massve amounts of data wthout any human nterventon. Analytc tools: To gan valuable nsghts nto the data gathered as mentoned above, powerful tools for data analyss are requred.

31 1.1 Internet of Thngs (IoT) 5 Scalablty: The desgn of any IoT platform should take nto the consderaton the exponental ncrease n devces and the data generated and processed by them to acheve the true potental of IoT solutons. Avalablty and relablty: As IoT platforms possess the ablty to nteract wth and control devces mpactng daly lfe, hgh avalablty s exceptonally mportant. Also, the devces should be relable enough to provde performance and servces as per the needs of the applcatons they have been desgned for. Openness: An IoT platform could go beyond ts specalzed servces and provde an Applcaton Programmng Interface (API) facltatng thrd partes n applcaton development. Securty: Owng to the dversty of the enttes nvolved n IoT, ensurng secure communcaton across connectons, applcatons, devces and even the data beng transmtted and stored s mportant. Ths ssue has been further dealt wth n the next subsecton Securty requrements As accessblty and global connectvty are the key requrements of any IoT applcaton, t ncreases the avalable avenues of threats and attacks. The heterogeneous nature of IoT further rases complexty n the deployment of securty mechansms. The wreless nature of most nvolved enttes and ther lmted capacty are also problematc. Possble transent and random falures are vulnerabltes that attackers could explot. The varous possble attacks on IoT applcatons are lsted below. Denal-of-servce: Apart from conventonal denal-of-servce (DoS) attacks lke exhaustng resources and bandwdth, IoT can be susceptble to attacks on communcaton nfrastructure lke channel jammng. Adversares who are prvleged nsders can gan control of the relevant nfrastructure to cause more chaos n the network. Controllng: Actve attackers can gan partal or full control of IoT enttes and the extent of damage that can be caused s based on the followng: Servces beng provded by the entty. Relevance of the data beng managed by that entty.

32 6 Introducton Eavesdroppng: Ths s a passve attack through whch nformaton can be gathered from channel communcaton. A malcous nsder attacker can also gan more advantage by capturng nfrastructure or enttes. Physcal damage: The easy accessblty of IoT enttes and applcatons can be exploted by attackers to cause physcal harm hnderng servces by attackng an entty or the hardware of the module creatng t vrtually. Attackers lackng techncal knowledge and wantng to cause consderable damage can utlze ths. Node capture: Easy accessblty can also be a vulnerablty for nformaton extracton through capturng enttes and tryng to extract stored data usng power analyss attacks [55, 69]. Ths s a major threat aganst data processng and storage enttes. The countermeasures to recover from such attacks once they are detected and dagnosed should be lghtweght due to the lmted capacty of the nvolved enttes. The solutons must be real-tme n nature and f possble, a part of self-healng nfrastructure. Any programmng nformaton requred to deploy the soluton should be communcated securely to the enttes. The followng are some requrements for IoT to counter securty breaches: Relablty: The am s to guarantee nformaton avalablty whle effcently managng data storage. Provdng redundancy among communcaton channels through multple paths s one way to ensure avalablty. Responsblty: Otherwse known as access control, ths ensures legtmate access to servces by defnng prvacy constrants. The rules for each entty and possble labltes must be clearly defned to avod damages. Prvacy: Owng to the ubqutous nature of IoT, provdng prvacy s very mportant. There are the followng three areas where prvacy has to be ensured: Data sharng and management: Ths can be acheved by enumeratng data aggregated at the sensors. Also, prvacy-preservaton technques can be used. Data collecton: Some cryptographc approaches mentoned n [56, 64] can be used. Data securty: Ths can be ensured through password protecton.

33 1.2 Sesson ntaton protocol 7 Trust: IoT s dynamc and dstrbuted and thus, ensurng trust among nteractng enttes s mportant. In a heterogeneous network lke IoT where devces and not just humans can be nvolved n trust management, resource constrants should also be consdered whle developng technques. Safety: System components can be prone to sudden falures and safety s requred to reduce damage possbltes. Identfcaton and authentcaton: Prvacy and secure access can be ensured prmarly through ths. As global access s a necessty n IoT, enttes could have one permanent and several temporary denttes. 1.2 Sesson ntaton protocol Wth the nventon of the Electronc Numercal Integrator And Computer (ENIAC), an nteracton between nformatcs and telecommuncaton began whch added faster data processng to dstant communcaton. The conventonal crcut swtchng was soon replaced by packet swtchng, and the TCP/IP protocol sute, facltatng communcaton between computers/heterogeneous machnes, ultmately leadng to the brth of the Internet. Voce over IP (or Internet telephony), an ntegrated voce/data soluton, was developed to replace tradtonal PSTN (Publc Swtched Telephone Network) connectons and to enable transmsson of voce sgnals from telephone as dgtal sgnals over exstng data networks. Smlar to tradtonal telephony n call ntaton, VoIP also nvolves sgnalng, channel setup and analog to dgtal converson of voce/vdeo sgnals. However, as the sgnals are transmtted through packet swtchng nstead of crcut swtchng, encodng s done usng approprate voce/vdeo codecs. The mplementaton of VoIP has been done usng varous propretary protocols as well as protocols based on open standards. Sesson Intaton Protocol (SIP) s the most wdely used for sgnallng among these. SIP operates at the applcaton-layer and s used manly for creatng, modfyng, and termnatng sessons over one or several meda streams. These sessons nclude VoIP calls and multmeda conferences, nstant messagng and event subscrpton/notfcaton. SIP operates ndependent of the underlyng transport layer protocol whch ncludes TCP, UDP or Stream Control Transmsson Protocol (SCTP). It can be used to establsh both uncast and multcast sessons. The protocol also allows for modfcaton of exstng calls by changng ports or addresses. Partcpants

34 8 Introducton and meda streams can be added or deleted as per requrement. Analogous to SS7 (Sgnallng System No. 7) n tradtonal telephony n mplementaton of call processng features, SIP beng text based, has a smlar formattng to HTTP (Hypertext Transfer Protocol), reusng most of the status codes, header felds and encodng rules. SIP follows a challenge response mechansm smlar to HTTP. Also, n contrast to the centralzed archtecture of SS7 where features are mplemented at network core and most endponts are non-computng nodes (tradtonal handsets), SIP features are mplemented at the communcatng end ponts that follow a clent-server model. The codng and meda formats n SIP are mplemented usng several other protocols that work n concert wth SIP for communcaton after call s setup. Durng call ntalzaton, Sesson Descrpton Protocol (SDP) data unt contanng the detals of communcaton protocol, meda and codng formats s a part of the SIP message body. The communcaton protocols for voce and vdeo meda are typcally Real-tme Transport Protocol (RTP) or Secure Real-Tme Transport Protocol (SRTP). Each entty n the network lke user agent, server or vocemal box s dentfed through a Unform Resource Identfer (URI) whose syntax s smlar to the one generally used n web servces (sp:username@domanname). The followng subsectons dscuss some functonal and securty requrements of SIP. These have been detaled n RFC 3261 [88] Functonalty requrements Telephony devces runnng SIP, also known as User Agents (UAs), can be any type of computng devce wth IP networkng capablty. They may also support meda other than voce lke vdeo, text, games etc. Possessng both audo and vsual nterfaces, these devces have the ablty to understand dfferent nternet protocols. The functonal requrements are therefore defned for the followng targets: end users servce provders and network admnstrators manufacturers system ntegrators. The specfed requrements are amed at easng the nstallaton and operaton of SIP enabled devces across features provded by multple vendors. These requrements descrbed n RFC 4504 [93] are as follows.

35 1.2 Sesson ntaton protocol 9 General requrements: The devces should be able to acqure IP network settngs both through manual entry and automatc confguraton through DHCP. IPv6 support must also be present owng to the gradual exhauston of IPv4 addresses and due to the move towards IPv6 n some wreless networks. Devces must be able to locate SIP servers and choose the approprate transport protocol usng DNS. Support for smple network tme protocol ensures that clocks are synchronzed. Upgradng devces to support addtonal functonalty and features should be possble wthout needng specal equpment or applcatons. Emergency support: Apart from supportng emergency landlne numbers, SIP enabled devces should allow for a user to set a prorty header for acceptng calls selectvely. Also, to enable nterrupton of low-prorty communcaton durng emergences, the devces beng used n emergency preparedness must support the resourceprorty header as detaled n RFC 4412 [78]. Mult-lne requrement: As each SIP devce can be regstered wth multple servce provders under dfferent credentals, mult-lne support s requred. Closely resemblng emal clents supportng several malng accounts, ths functonalty necesstates unque credentals (username and password) for each lne. Also, approprate sgnals for call watng and do-not-dsturb must be avalable on a per lne bass. Moblty: Users wth approprate credentals must be able to access servces through any SIP enabled devce rrespectve of devce dentty. For ths, the devces must be able to support credentals of several users. Credentals assocated wth a devce must be stored n ts non-volatle memory. Any other legtmate user accessng through the devce must be provded wth the settngs and features n the proxy and assocated polcy server. Interactve text support: Although nstant messagng s supported by SIP enabled devces, contnuous nteracton through text conversaton mght be preferred as an alternatve to voce due to ts more streamng-lke nature makng t more approprate for real-tme communcaton. Ths allows for voce to be captoned as text n envronments that are nosy or nvolve hearng mpared users. Due to the advantages lke ts mmedacy, effcency and lack of crossed messages problem, text nteracton s preferred durng emergency stuatons as well. Therefore, all SIP devces should have provson to nput and dsplay text. Ether bult-n nterfaces or wred/wreless

36 10 Introducton lnks to connect external nput/dsplay should be provded to facltate the same Securty requrements SIP sgnalng securty has no bearng on the securty of protocols workng n concert wth t and the meda beng transmtted can be encrypted end-to-end once the sesson s establshed. However, snce the sgnalng happens over publc channels, the packets are prone to modfcaton attacks and sessons can be dsrupted by adversares. Some possble attack scenaros have been dscussed below. Regstraton hjackng: The address of record feld n the From and To headers of an SIP message s used to dentfy users. Ths feld can be assessed by a regstrar when a regster message s receved to assess f the request can modfy the assocated contact addresses of the record n the To header feld. Whle the address of record felds n From and To headers are usually dentcal, the felds are dfferent n case a thrd party s dong regstraton on behalf of the users. Malcous regstratons are possble through mpersonaton attacks by modfyng the address of record feld n the From header to mpersonate a trusted regstraton authorty. Snce the trusted thrd party has permsson to modfy contact addresses assocated wth the user t s dong the regstraton for, the attacker can replace tself as the only contact n the user s contact lst. All subsequent requests to the user are then redrected to the attacker. Ths s possble due to the absence of approprate authentcaton mechansms to verfy user dentty. Server mpersonaton: User agents contact servers n a partcular doman whle placng ther requests whch s specfed n the Request-URI. However, the request can be ntercepted by an attacker mpersonatng as the remote server. The response wth approprate SIP header felds and forged contact addresses could redrect the user to nsecure resources or smply deny servce. Ths happens as the users cannot authentcate the remote server. Message tamperng: The requests from user agents to SIP servers are routed through trusted proxes whch are not expected to nspect or modfy the messages. These messages contan senstve nformaton lke sesson keys for establshed communcaton and should not be accessble to doman admnstrators as well. However, malcous proxy servers can perform man-n-the-mddle attack and effect the n-

37 1.3 Objectve of the work 11 tegrty of the message. Therefore, end-to-end securng of message bodes and n some cases, header felds as well s requred to ensure confdentalty and ntegrty. Sesson termnaton: After ntal sgnallng and sesson setup, state of the sesson s contnuously modfed durng subsequent communcaton. An attacker eavesdroppng durng ntalzaton can obtan the sesson parameters. A forged message mpersonatng ether party can then be sent by the attacker to termnate the sesson prematurely. Sender authentcaton s one way to fx ths ssue. The above threats and more securty ssues dscussed n [88] ndcate that confdentalty, ntegrty and authentcaton are requred to mtgate the effects of these vulnerabltes. Preventng message spoofng, replay attacks and ensurng prvacy of enttes s also requred. SIP reuses exstng securty mechansms to acheve these requrements nstead of specfc mechansm beng desgned for t. Although end-to-end encrypton of the entre message ensures ntegrty and confdentalty, t s nfeasble as some header felds need to modfed by ntermedate proxy servers for proper functonng of SIP. Therefore, mplementng securty measures at lower layers s also recommended. For example, Transport Layer Securty (TLS) encrypts sgnalng traffc and ensures confdentalty and ntegrty. Durng TLS negotaton, the enttes can exchange certfcates to establsh mutual authentcaton whch requres possesson of a root certfcate ssued by a trusted certfcate authorty. Other cryptographc authentcaton methods can also be used for dentty verfcaton. An alternatve for SIP URI s the SIPS URI that specfes that the resources must be reached securely. It also mandates the use of TLS to secure communcaton at each hop towards the destnaton. As SIP follows a challenge response mechansm smlar to HTTP, authentcaton smlar to HTTP dgest authentcaton needs to be ncorporated. Also, S/MIME (Secure/Multpurpose Internet Mal Extensons) can be used to encrypt just the meda beng transmtted excludng the headers and thus, t ensures end-to-end ntegrty and mutual authentcaton. 1.3 Objectve of the work Authentcaton s the process of verfyng a clamed dentty. The valdaton method can nvolve multple factors wth the level of securty beng proportonal to the number and type of factors nvolved. In networks, authentcaton s requred to ensure access control. Owng to the dgtal nature of the communcaton envronment, the vulnerabltes

38 12 Introducton nvolved are more challengng. The necessty of mutual authentcaton s especally hghlghted n scenaros where enttes can be deployed remotely, one example beng wreless sensor networks. Furthermore, communcaton channels are susceptble to both passve and actve attacks, and therefore, establshng a secure communcaton mechansm between nvolved partes s also requred. In ths thess, we study the mportance of authentcaton and key agreement n two dfferent network applcatons Internet of Thngs (IoT) and Sesson Intaton Protocol (SIP). 1.4 Summary of contrbutons The contrbutons towards ths thess have been summarzed n the followng subsectons Sgnature-based three-factor authentcated key establshment for future IoT applcatons In ths work, a novel authentcaton and key establshment scheme based on Ellptc Curve Dgtal Sgnature Algorthm (ECDSA) s desgned for securng IoT applcatons. Ths s to ensure authorzed and legtmate access to sensng devce servces and data by a user through a gateway node (GW N). The proposed scheme fulflls the functonalty requrements of IoT applcatons and also has computaton and communcaton costs comparable to exstng Ellptc Curve Cryptography (ECC)-based IoT authentcaton schemes. The proposed scheme also facltates password and bometrc update wthout nvolvng the GW N and allows dynamc addton of sensng devces. Informal and formal securty analyss of the scheme ncludng the smulaton usng the wdely-accepted Automated Valdaton of Internet Securty Protocols and Applcatons (AVISPA) tool [7] show that the scheme s secure aganst varous known attacks. Also, network performance parameters for the scheme have been measured usng the broadly-used NS2 smulator [2, 107] Three-factor authentcaton and key agreement for sesson ntaton protocol We frst revew the prevous authentcaton schemes proposed for SIP and show that the recently proposed Mshra s scheme [70] s vulnerable to some securty attacks and

39 1.5 Organzaton of the thess 13 s also neffcent n password change phase. Snce the attacks aganst Mshra s scheme are mportant, we am to elmnate those attacks by proposng an ECC-based provably secure authentcaton scheme whle keepng low computaton and communcaton costs. A rgorous securty analyss s done formally usng both random oracle model and the wdely-accepted Burrows-Abad-Needham (BAN) logc [11], and formal securty verfcaton s also done usng AVISPA tool to show that the suggested scheme s more secure as compared to Mshra s scheme and other related ECC-based schemes proposed n the lterature. In addton, our scheme works for the password and bometrc update phase by a legal user at any tme wthout nvolvng the server. Furthermore, the proposed scheme supports the moble devce revocaton mechansm n case a legal user loses hs/her devce. 1.5 Organzaton of the thess The organzaton of ths thess s as follows. Chapter 1 gves a bref overvew of authentcaton and dscusses the objectve behnd our research work on authentcaton n IoT and SIP. Chapter 2 dscusses some mathematcal prelmnares used n our work. One-way hash functon has been dscussed brefly. Ellptc Curve Cryptography (ECC) and ts dgtal sgnature algorthm are dscussed next. Fnally, a comparson of ECC and RSA s presented. Chapter 3 presents the exstng related work for authentcaton n IoT and SIP. In Chapter 4, we propose a new sgnature-based authentcaton and key establshment scheme for IoT applcatons. We also show that our scheme provdes better effcency and securty when compared wth some related schemes. In Chapter 5, we propose an effcent three-factor authentcaton and key agreement scheme for SIP based on ECC and prove that the scheme s more secure than some exstng related schemes. Chapter 6 summarzes the thess by hghlghtng the contrbutons and t also dscusses some future research drectons.

40

41 Chapter 2 Mathematcal Prelmnares Ths chapter dscusses some mathematcal prelmnares requred to desgn and analyze the schemes proposed n further chapters. Frst, the propertes of one-way hash functon are dscussed. The use of fuzzy extractors n generatng strong bometrc keys s dscussed next. Then, the ellptc curve cryptosystem and ellptc curve dgtal sgnature algorthm have been descrbed brefly. A comparson of ECC cryptosystem wth the popular publckey RSA cryptosystem n terms of effcency and securty has also been presented. 2.1 One-way hash functon A one-way functon s defned as a functon for whch fndng the nverse of any random nput s computatonally nfeasble. A hash functon s one that produces a fxed length output for any arbtrary length nput. In cryptography, a one-way hash functon s used to produce a dgest or a hash value of a message wth the followng propertes: The output s determnstc, that s, the same dgest s produced for the same message. If the nput message s altered even slghtly, the hash dgest should change sgnfcantly to reduce the probablty of correlaton between the two hash values. Dervng the nput x from the gven hash value y = h(x) and the gven hash functon h( ) s computatonally nfeasble. Ths property s called the one-way property. For any nput x, fndng another nput y such that h(x) = h(y) wth y x, s computatonally nfeasble. Ths property s otherwse known as the weak collson

42 16 Mathematcal Prelmnares resstant property. Identfyng an nput par (x, y) such that h(x) = h(y) where y x, s also computatonally nfeasble. Ths property s otherwse known as the strong collson resstant property. Mathematcally, a one-way hash functon can be defned as follows. Defnton 2.1 (One-way hash functon). A one-way hash functon h: {0, 1} {0, 1} n s an algorthm that takes an arbtrary length bnary strng x {0, 1} as nput, and then outputs a bnary strng of fxed length n, say y {0, 1} n such that y = h(x), where {0, 1} and {0, 1} n denote bnary strngs of 0s and 1s of arbtrary lenth and fxed lengh, n, respectvely. Let Adv(A) HASH (t) denote the advantage that an adversary A has n fndng a hash collson. Then, Adv HASH (A) (t) = P r[(x, x ) R A : x x, h(x) = h(x )], where P r[b] s the probablty of a random event B and the par (x, x ) R A means (x, x ) s selected randomly by A. By an (η, t)-adversary A attackng the collson resstance of h( ), we mean that the runtme of A s at most t and that Adv HASH (A) (t) η. Hash functons can be used n buldng other cryptographc prmtves lke message authentcaton codes and pseudo-random number generators. They also help n verfyng the ntegrty of a message. Snce t s very senstve to even a small varaton n nput, hash dgest can be used to avod storng passwords n cleartext. The Secure Hash Algorthm (SHA) standard has algorthms wth varyng lengths of dgest produced. Of these, the SHA-1 [89] wth a 160-bt hash dgest s the most wdely used n applcatons and protocols lke Secure Socket Layer (SSL). For better securty, SHA-256 s preferred. 2.2 Bomtrecs and fuzzy extractors Bometrc verfcaton allows one to confrm or establsh an ndvdual s dentty. Some advantages of bometrc keys (for example, fngerprnts, faces, rses, hand geometry and palm-prnts, etc.) are gven below (as descrbed n [20, 61]): Bometrc keys can not be lost or forgotten. Bometrc keys are very dffcult to copy or share.

43 2.3 Ellptc curve cryptography 17 Bometrc keys are extremely hard to forge or dstrbute. Bometrc keys can not be guessed easly. Someone s bometrcs s not easy to break than others. As a result, bometrc-based remote user authentcatons are nherently more relable and secure than usual tradtonal password-based remote user authentcaton schemes. As statstcal nformaton regardng bometrc nput s unpredctable, desgnng cryptographc solutons for securng each scenaro s tedous. Convertng bometrc data to unform reproducble random strngs that can for example, be used as a secret key s therefore necessary. Fuzzy extractors are a par of functons where one functon generates the unform random bts from gven nput whle the other recovers the strng from an nput close to the orgnal nput wthn a predefned threshold. Mathematcally, the functon par n a fuzzy extractor s as follows. Gen: It s a probablstc generaton functon that takes as nput the user personal bometrcs Bo, and returns σ {0, 1} l as the bometrc key of length l bts and τ as the publc reproducton parameter. Rep: It s a determnstc functon to be used durng authentcaton. The nput s the user bometrcs, say Bo and τ, provded the Hammng dstance between Bo and the orgnal prevously entered bometrcs Bo s less than t, where t s an error tolerance threshold value. The output s the orgnal bometrc key σ, that s, σ = Rep(Bo, τ). 2.3 Ellptc curve cryptography Ths secton dscusses ellptc curve propertes and ts applcaton n cryptography Ellptc curve over a fnte feld Suppose a,b Z p, where Z p = {0, 1,..., p 1} and p > 3 s a prme. A non-sngular ellptc curve y 2 = x 3 + ax + b over the fnte feld GF (p) s the set E p (a, b) of solutons (x, y) Z p Z p to the congruence y 2 x 3 + ax + b (mod p),

44 18 Mathematcal Prelmnares where a,b Z p such that 4a b 2 0 (mod p), and a pont at nfnty or zero pont O. Note that 4a b 2 0 (mod p) s a necessary and suffcent condton to ensure a non-sngular soluton for the equaton x 3 + ax + b = 0 [71]. 4a b 2 = 0 (mod p) mples the ellptc curve s sngular. Let P = (x P, y P ), Q = (x Q, y Q ) E p (a, b). Then x Q = x P and y Q = y P when P +Q = O. Also, P +O = O +P = P, for all P E p (a, b). Hasse s theorem states that the number of ponts on E p (a, b), denoted as #E, satsfes the followng nequalty [54]: p p #E p p. In other words, there are about p ponts on an ellptc curve E p (a, b) over Z p. E p (a, b) forms a commutatve or an abelan group under addton modulo p operaton. Also, Ellptc curve pont addton Let P, Q E p (a, b) be two ponts on the ellptc curve. Then, R = (x R, y R ) = P + Q s calculated as follows [54]: where λ = x R = (λ 2 x P x Q ) y R = (λ(x P x R ) y P ) { yq y P x Q x P (mod p), (mod p), (mod p), f P Q 3x P 2 +a 2y P (mod p), f P = Q. Ellptc curve pont scalar multplcaton In ECC, multplcaton s done as repeated addtons. For example, 5P = P + P + P + P + P, where P E p (a, b) ECC encrypton and decrypton The plantext s frst encoded nto a pont on the ellptc curve, P m E p (a, b). Every user chooses a prvate-publc key par such that prvate key d Zp and the publc key s calculated as e = d.g where Zp = {1, 2,..., p 1} and G s a base pont on E p (a, b). The encrypton and decrypton methods explaned further are then appled on ths pont as follows. ECC encrypton: The user selects a random number l Zp. The correspondng cpher text C m for the plan text P m s a par of ponts C 1 and C 2, that s, C m = (C 1, C 2 ) where C 1 = l.g and C 2 = P m + l.e. Here, l s the random number chosen by the sender and e s the publc key of the recever. C m s then sent to the recever.

45 2.3 Ellptc curve cryptography 19 ECC decrypton: To retreve the plan-text P m, the recever computes C 2 (d.c 1 ) = (P m + l.e) (d.(l.g)) = P m + l.e l.e = P m. Here, d and e are the prvate and publc key of the recever, respectvely. Snce the random number l s secret to the sender, an adversary retrevng P m from C m s mpossble due to the ellptc curve dscrete logarthm problem (ECDLP) whch has been defned as follows. Defnton 2.2 (Ellptc curve dscrete logarthm problem (ECDLP)). For any two ponts P and Q belongng to ellptc curve E p (a, b), and for some postve nteger k such that Q = k.p, t s computatonally nfeasble to derve k f P and Q are known for a large prme p n polynomal tme. Here k s the scalar called the dscrete logarthm and k.p = P + P + + P (k tmes) s known as ECC pont or scalar multplcaton Ellptc curve dgtal sgnature Dgtal sgnatures are used to authentcate messages or dgtal documents whle ensurng non-repudaton and ntegrty. The sgnature algorthms employ asymmetrc or publc key cryptography technques and consst of three phases: 1) key generaton, 2) sgnature generaton and 3) sgnature verfcaton. Ellptc curve dgtal sgnature algorthm (ECDSA) s one such varant of the orgnal dgtal sgnature algorthm and t s phases have been explaned below. Key generaton: Frst, the system s setup by choosng an ellptc curve E p (a, b) and ts base pont G. Then, every entty chooses ts prvate key d Zp and computes ts correspondng publc key as e = d.g. Sgnature generaton: Consder an entty wth parameters E p (a, b), h( ), e, G, p where h( ) s a collson-resstant hash functon. Suppose m s the message to be sgned. Usng ts key par (d, e) and a chosen random number k Zp, the entty computes the sgnature as follows: k.g = (x 1, y 1 ), c = h(m), r = x 1 (mod p), s = l 1 (c + d.r) (mod p). If ether r = 0 or s = 0, the algorthm restarts. Otherwse, (r,s) s the sgnature of the sender for message m. The sgner then sends the sgned message m, (r, s) to the verfer.