SUMMARY
Recently, Lee et al. proposed a simple and efficient authentication scheme for mobile satellite communication
systems. However, we find that their scheme is vulnerable to the smart card loss attack, the denial of service attack
and the replay attack. To overcome the weaknesses of Lee et al.'s scheme, we proposed an authentication scheme
for mobile satellite communication systems to improve security. The proposed scheme possesses the essential
properties and security requirements, which should be considered for the authentication scheme of mobile satellite
communication systems. Copyright 2014 John Wiley & Sons, Ltd.
Received 11 June 2013; Revised 25 October 2013; Accepted 11 March 2014
KEY WORDS:
1. INTRODUCTION
Currently, satellite communication systems are one of the most important technologies used to provide
advanced personal communication services, which offer the benefits of large coverage and enhanced
mobility for users. The geostationary satellite, located in geosynchronous equatorial orbit, is too far from
the earth. So it usually has a signal delay problem [1]. To solve this problem, the low-Earth-orbit (LEO)
satellite communication systems have been proposed [2–4]. They offer advantages such as small
attenuation of the signals and a shorter transmission delay [5]. In this satellite system, the LEO satellites
enable communication between mobile devices and network control center (NCC) via gateways (Figure 1)
[6]. The LEO satellites, the gateways, the NCC and the mobile devices are the main components.
In this setting, the following essential properties and security requirements must be considered
to efficiently establish a secure mobile satellite communication [7–15]:
Essential properties:
Mutual authentication: Mutual authentication between users and the NCC is an essential requirement, whereas many authentication schemes in the literature only provide unilateral authentication,
that is, Global System for Mobile Communication. Without proper authentication for the NCC, the
user might be fooled during the user authentication phase to send his sensitive information to an
unidentified target or be fooled into establishing a connection to retrieve services, which is not
recognized by the legitimate NCC.
User privacy: There are two major privacy issues of concern for mobile networks: the user's identity
and location. Since sometimes the user's real identity is sensitive to adversaries or the linkable
identity of a user is useful in mining his/her behavior, the user's identity and associated information,
including the mobile user's current location, must be kept secret from outsiders [16].
Confidentiality: Communication over wireless paths is susceptible to eavesdropping. Security
protocols guarantee the confidentiality of communications between mobile users and the NCC
by concealing them using secret random numbers and hash functions. Only legal participants can
retrieve original messages through their shared information.
*Correspondence to: Yuanyuan Zhang, School of Mathematics and Statistics, Wuhan University, Wuhan, China.
E-mail: circle0519@hotmail.com
Low computation: A security protocol should result in low computation cost. Due to limited
resources, on one hand, complex computations will fail in the handheld device of a mobile user,
and, on the other hand, frequent computations might cause the NCC to become a bottleneck.
Minimum trust: It is well-accepted that the NCC is trustworthy, because legal mobile users
register their private information to obtain services at the NCC, but the trust level of the other
third parties involved should be as little as possible.
Perfect forward/backward secrecy: It is always possible that a session key can be compromised for
some reason. An adversary may derive the secret key of the last session and the next session
(so-called known key attacks) if these keys are correlated with the compromised session key.
To keep a revealed key from influencing security, the session key must be derived from
a one-time-use parameter. This measure can prevent impersonation or replay attacks.
Security requirement:
Withstand replay attacks: An attacker may try to intercept the messages between two communicating parties and replay these messages in the further processes.
Withstand denial of service attacks: This attack would prevent legal users from accessing the
authentication server.
Withstand smart card loss attacks: If an attacker obtains the smart card by some way, then he or
she could use it to impersonate a legitimate user to communicate with the trust server.
Withstand impersonation attacks: An attacker may try to impersonate a legitimate user to communicate with the trust server or impersonate the trust server to communicate with the legitimate user.
Withstand stolen-verifier attacks: An attacker could break into the trust server and steal the
password verifier from the trust server. Then he or she could use it to create a valid login request
to communicate with the trust server.
In 1996, Cruickshank first proposed a security system for satellite networks [17]. However,
Cruickshank's scheme has the following three disadvantages: (1) the complex computation overhead;
(2) the complexity of the public-key management in a Public Key Infrastructure; and (3) the disclosure of
users' privacy [15]. In 2003, Hwang et al. proposed another authentication scheme for mobile satellite
communication system based on secret-key cryptosystems [18]. However, Hwang et al.'s scheme is
vulnerable to the known key attack and the stolen-verifier attack. In their scheme, the session key needs
to be updated on the server side whenever the mobile user is authenticated. In 2009, Chen proposed a
self-verification authentication scheme for mobile satellite communication systems [8]. They claimed
that their scheme had three advantages as follows: removing the complexity of Public Key Infrastructure,
avoiding complex computations for mobile users and requiring no sensitive verification table. In 2012,
Lee et al. proposed a simple and efficient authentication scheme for mobile satellite communication
systems [19]. They demonstrated that their scheme could achieve the security and functionality requirements, which should be considered for the authentication scheme of mobile satellite communication
systems. Nevertheless, we find that their scheme has some security loopholes. Therefore, we proposed
an improved authentication scheme for mobile satellite communication systems with low computation
cost to avoid the security flaw.
The rest of this paper is organized as follows. Section 2 reviews the concept of Lee et al.'s scheme,
and Section 3 discusses its weakness analysis. Section 4 shows the details of our proposed scheme,
whereas Section 5 demonstrates the security analysis of our proposed scheme. Finally, Section 6
presents our conclusions.
U a mobile user;
UID the identity of the mobile user;
TID the temporary identity of the mobile user;
LEOID the identity of the LEO satellite;
h() a one-way hash function;
the bitwise XOR operation; and
string concatenation operation.
Lee et al.'s scheme includes three phases: registration phase, login phase and authentication phase. They are described as follows.
2.1. Registration phase
Assume that the NCC owns its long-term private key x. During the registration phase, a user U requests
to be a legal user and the NCC conducts the following operations:
(1) U NCC: UID
The mobile user U chooses his/her identity UID freely and sends it to the NCC via a secure channel.
(2) NCC U: TID, R, k
After receiving the message from U, the NCC computes
P = h(UID x)
R = P h(UID k)
where k is a secret random number and x is a long-term private key generated by the NCC. Then,
NCC decides an initialized temporary identity TID and stores {UID, TID} in the verification table.
Afterward, the NCC issues a smart card containing {TID, R, k, h()} and sends it to U through a secure channel.
U inserts his/her smart card into a smart card reader and inputs his/her identity UID. Then the smart card
chooses a secret random number r to compute
P = R h(UID k)
Q = P r
S = h(UID r)
Next U sends the login message {Q, S, TID} to the LEO.
(2) LEO NCC: Q, S, TID, LEOID
Upon receiving the message from U, the LEO forwards {Q, S, TID, LEOID} to the NCC.
2.3. Authentication phase
After receiving the authentication request from U, the NCC performs the following steps to authenticate U.
(1) Upon receiving the login request from U, the NCC retrieves UID according to TID and computes
P = h(UID x)
r = Q P
S = h(UID r)
Then the NCC checks if S is equal to the received S. If this holds, the user U is authenticated. Otherwise, this authentication request is rejected.
(2) The NCC chooses a secret random t to compute
V1 = P t
V3 = h(r t)
Then, the NCC generates a new temporary identity TIDnew, calculates
V4 = V3 TIDnew
and updates the old TID with TIDnew in the verification table for the next authentication.
V2 = h(P r t V4)
Checking if V2 is equal to the received V2. If this holds, the NCC is authenticated. Then U
computes
V3 = h(r t)
TIDnew = V3 V4
U replaces TID with TIDnew in his/her smart card used for next authentication and computes the
session key SK = h(UID r t P).
In the end, they can use SK to encrypt/decrypt messages for secret communication. If the replying
message from NCC is lost, U will re-login and the NCC should know the old identity of U.
The login and authentication phases of Lee et al.'s scheme are summarized in Figure 2.
Steal U's smart card and eavesdrop the login message {Qi, Si, TIDi} just once.
Extract the information {TIDnew, R, k, h()} stored in the smart card.
Guess UID and compute S = h(UID R h(UID k) Qi).
Check whether S equals Si. If this holds, we consider that the guessed UID is equal to U's identity UID. If not, return to S3.
The attacker can impersonate U to communicate with the NCC by using UID and TIDnew.
After those steps, the NCC considers that the legal user U has been authenticated and U can communicate with other mobile users. Because Z has passed the authentication of the NCC, the TIDnew
in the verification table has been updated with a new temporary identity. So, the legal user U cannot
access the NCC the next time.
3.3. Replay attack
In Lee et al.'s scheme, they propose that if the replying message from the NCC is lost, U will re-login,
and the NCC should know the old identity of U. That means, after updating the old identity with a new
temporary identity in the verification table, the NCC still stores the old identity until U has completed
the next authentication.
If the NCC does not store the login message Q and S, which correlate with the identity TIDold, the
attacker performs the following steps after the NCC sends the replying message to U.
(1) Eavesdrop the login message {Q, S, TIDold} from U.
(2) Send the login message {Q, S, TIDold} to the LEO.
If the NCC stores the login message Q and S correlating with the identity TIDold, the detailed process is
as follows.
(1) Obtain a login message {Qi, Si, TIDi} from U only once.
(2) Eavesdrop the recent login message {Q, S, TIDold} from U.
(3) Send the login message {Qi, Si, TIDold} to the LEO.
When receiving the login request from the attacker, the NCC may think that U has not
received the replying message and that U re-logins with the old identity. Obviously, the attacker
can be authenticated by the NCC with the login message. The NCC updates the old identity with
another new identity in the verification table. From then on, the identity in U's smart card is different
from the identity in the NCC's verification table. So the legal user U cannot access the NCC
the next time.
S = h(UID r TID)
Then the NCC checks if S is equal to the received S. If this holds, the user U will be authenticated.
Otherwise, this authentication request will be rejected.
(2) Next, the NCC chooses a secret random t to compute
V1 = P t
The NCC generates a new temporary identity TIDnew, calculates
V2 = h(P r t TIDnew)
V3 = h(V1 r) TIDnew
and replaces the old TID with TIDnew in the verification table.
(3) NCC LEO: V1, V2, V3, LEOID
The NCC computes the session key SK = h(UID r t P), and sends these messages {V1, V2, V3,
LEOID} to the LEO.
(4) LEO U: V1, V2, V3
The LEO forwards the messages {V1, V2, V3} to U. After receiving messages from the LEO, U computes
t = V1 P
TIDnew = V3 h(V1 r)
V2 = h(P r t TIDnew)
Then U checks if V2 is equal to the received V2. If this holds, the NCC will be authenticated, and TID
will be replaced by TIDnew in his/her smart card for the next authentication. Then U computes the
session key SK = h(UID r t P).
At last, the two users can use SK to communicate through a secure channel. If the replying message
from the NCC is lost, U will be able to re-login, and the NCC should know the last login message of U.
The login and authentication phases of our proposed scheme are summarized in Figure 3.
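The login and authentication exchange of the proposed scheme, with both the user side and the NCC side, as an added example that is not code from the paper. It assumes that the operators lost from the formulas are XOR between values and concatenation inside h(), that h() is SHA-256, that UID, PW and TID are 32-byte values, and that the NCC recovers r from Q using P and the stored PW; re-login after a lost reply is not modelled.

```python
import hashlib, hmac, secrets

N = 32  # assumed field width in bytes (SHA-256 output size)

def h(*fields):  # h(a b ...) read as a hash over concatenated fields (assumption)
    return hashlib.sha256(b"".join(fields)).digest()

def xor(*vals):  # values combined with bitwise XOR (assumed operator)
    out = bytes(N)
    for v in vals:
        assert len(v) == N, "all fields must be N bytes"
        out = bytes(a ^ b for a, b in zip(out, v))
    return out

class NCC:
    def __init__(self):
        self.x = secrets.token_bytes(N)   # long-term private key x
        self.table = {}                   # verification table: TID -> (UID, PW)

    def register(self, uid, pw):
        k, tid = secrets.token_bytes(N), secrets.token_bytes(N)
        R = xor(h(uid, self.x), h(uid, k))            # R = P xor h(UID || k)
        self.table[tid] = (uid, pw)
        return {"TID": tid, "R": R, "k": k}           # smart card contents

    def authenticate(self, Q, S, tid):
        if tid not in self.table:
            return None
        uid, pw = self.table[tid]
        P = h(uid, self.x)
        r = xor(Q, P, pw)                             # undo Q = P xor r xor PW
        if not hmac.compare_digest(S, h(uid, r, tid)):
            return None                               # login request rejected
        t, tid_new = secrets.token_bytes(N), secrets.token_bytes(N)
        V1 = xor(P, t)
        reply = (V1, h(P, r, t, tid_new), xor(h(V1, r), tid_new))
        self.table[tid_new] = self.table.pop(tid)     # replace TID with TIDnew
        return reply, h(uid, r, t, P)                 # (V1, V2, V3) and SK

def login(card, uid, pw):
    r = secrets.token_bytes(N)
    P = xor(card["R"], h(uid, card["k"]))
    return (xor(P, r, pw), h(uid, r, card["TID"]), card["TID"]), (P, r)

def finish(card, uid, state, reply):
    (P, r), (V1, V2, V3) = state, reply
    t, tid_new = xor(V1, P), xor(V3, h(V1, r))
    if not hmac.compare_digest(V2, h(P, r, t, tid_new)):
        return None                                   # NCC not authenticated
    card["TID"] = tid_new
    return h(uid, r, t, P)                            # session key SK

def demo():
    # Constructed sample identity and password, encoded to N bytes with h().
    ncc, uid, pw = NCC(), h(b"alice"), h(b"constructed-password")
    card = ncc.register(uid, pw)
    bad_msg = login(card, uid, h(b"wrong-guess"))[0]
    wrong_pw_rejected = ncc.authenticate(*bad_msg) is None
    msg, state = login(card, uid, pw)
    reply, sk_ncc = ncc.authenticate(*msg)
    forged = (reply[0], reply[1], xor(reply[2], h(b"x")))   # tampered V3
    forged_rejected = finish(dict(card), uid, state, forged) is None
    sk_user = finish(card, uid, state, reply)
    return {"keys_match": sk_user == sk_ncc, "forged_reply_rejected": forged_rejected,
            "tid_in_sync": card["TID"] in ncc.table and card["TID"] != msg[2],
            "wrong_pw_rejected": wrong_pw_rejected}
```

Calling `demo()` runs one registration and one session and reports whether both sides agree on SK and TIDnew and whether a wrong password and a tampered reply are rejected.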
4.4. Smart card lost phase
If U loses his/her smart card, he/she can send a request to the NCC via a secure channel.
R = P h(UID k)
where k is a secret random number, and x is a long-term private key generated by the NCC. Then, NCC
chooses an initialized temporary identity TIDnew and stores {UID, TIDnew, PW} in the verification table. Then,
the NCC issues a smart card containing {TIDnew, R, k, h()} and sends it to U through a secure channel.
4.5. Password change phase
When the user wants to change his/her password PW to a new password PWnew, he/she should perform
the following steps:
(1) U LEO: Q, Qnew, S, TID
U inserts his/her smart card into a smart card reader and inputs his/her identity UID, password PW and
new password PWnew. Then the smart card chooses a secret random number r to compute
P = R h(UID k)
Q = P r PW
Qnew = P r PWnew
S = h(UID r TID)
And then, U sends the login message {Q, Qnew, S, TID} to the LEO.
S = h(UID r TID)
Then the NCC checks if S is equal to the received S. If this holds, the user U will be authenticated.
Otherwise, this authentication request will be rejected.
(4) In order to obtain the user's new password, the NCC computes
PWnew = P r Qnew
and replaces the old PW with PWnew in the verification table.
The last steps (5)–(7) in this phase are the same as steps (2)–(4) in the authentication phase.
(1) Mutual authentication
Mutual authentication enables participants to authenticate each other. In our proposed
scheme, the user sends a login message {Q, S, TID} to the server. The server verifies the user by
checking the hash value S = h(UID r TID) and then sends the replying message {V1, V2, V3} to
the user. Upon receiving the message from the server, the user can obtain the secret random t and authenticate the server by checking V2 = h(P r t TIDnew). After these authentication processes have finished, the user and the server have authenticated each other and compute the shared session key for secure
communication. Therefore, the proposed scheme provides secure mutual authentication and shared session key agreement.
(2) User's privacy
In the proposed protocol, the user's identity UID is never transmitted over the public network for
authentication purposes. Here a different temporary identity TID is used in each session to keep the privacy of the user. Because the temporary identity TID is unlinkable, even the LEO and the gateway do
not have any idea who is communicating with the NCC. Therefore, the proposed scheme provides
user's privacy.
(3) Confidentiality
Communication between the user U and the NCC is kept confidential by computing the messages
with secret random numbers r and t. The login messages S = h(UID r TID) and Q = P r PW are
concealed by a secret random number r. Only the NCC can obtain r with the long-term private key
x. The response message from the NCC is also concealed by a secret random number t and hash
function h(). Therefore, the proposed scheme provides confidentiality.
forge a valid login message Q = P r PW, because P = h(UID x) is only known to the NCC and the
user's smart card.
(5) Stolen-verifier attack
In our scheme, if the attacker broke into the NCC in some way, then he/she can steal the identity
UID, the password PW and the temporary identity TID from the verification table. However, he/she
has no way of obtaining P = R h(UID k) to compute a valid login message Q without the long-term
private key x and the user's smart card. Clearly, our proposed scheme has no sensitive information
stored in the verification table. Therefore, our proposed scheme can withstand stolen-verifier attacks.
6. CONCLUSION
Based on Lee et al.'s scheme, this paper proposed an improved authentication scheme for mobile satellite communication systems. Compared with their scheme, the proposed scheme can withstand the
smart card loss attack, the denial of service attack and the replay attack. Moreover, our proposed
scheme can possess all essential properties and security requirements, which should be considered
for the authentication scheme of mobile satellite communication systems. In addition, our scheme
is only based on hash functions, concatenation operation and exclusive-OR operations. As a result,
we believe that the proposed scheme is very suitable for LEO satellite communication system because
it provides security, reliability and efficiency.
REFERENCES
1. Comparetto G, Ramirez R. Trends in mobile satellite technology. IEEE Comput 1999; 30(2):44–52.
2. Fossa CE, Raines RA, Gunsch GH, Temple MA. An overview of the IRIDIUM (R) low Earth orbit (LEO) satellite system. In Proceedings of the IEEE 1998 National Aerospace and Electronics Conference, NAECON98, Dayton, U.S.A., 1998; 152–159.
3. Yiltas D, HalimZaim A. Evaluation of call blocking probabilities in LEO satellite networks. Int J Satell Commun Netw 2009; 27(2):103–115.
4. Zhou Y, Sun F, Zhang B. A novel QoS routing protocol for LEO and MEO satellite networks. Int J Satell Commun Netw 2007; 25(6):603–617.
5. Maral G, De Ridder JJ, Evans BG, Richharia M. Low Earth orbit satellite systems for communications. Int. J. Satellite Commun 1991; 9(10):209–225.
6. Jeng SS, Lin HP. Smart antenna system and its application in low-Earth-orbit satellite communication systems. IEEE Proc Microwaves, Antennas Propagat 1999; 146(2):125–30.
7. Chang CC, Cheng TF, Wu HL. An authentication and key agreement protocol for satellite communications. International Journal of Communication Systems 2012, DOI: 10.1002/dac.2448.
8. Chen TH, Lee WB, Chen HB. A self-verification authentication mechanism for mobile satellite communication systems. Comput Electr Eng 2009; 35(1):41–48.
9. Huang JY, Liao IE, Tang HW. A forward authentication key management scheme for heterogeneous sensor networks. EURASIP Journal on Wireless Communications and Networking 2011, 2011:296704, DOI: 10.1155/2011/296704.
10. Safdar GA, O'Neill MP. Performance analysis of novel randomly shifted certification authority authentication protocol for MANETs. EURASIP Journal on Wireless Communications and Networking 2009, 2009:243956, DOI: 10.1155/2009/243956.
11. Jian R, Yun L, Tongtong L. SPM: source privacy for mobile ad hoc networks. EURASIP Journal on Wireless Communications and Networking 2010, 2010:534712, DOI: 10.1155/2010/534712.
12. Vijay V, Diethelm O, Jaleel S, Antoni JH, Sanjay J. Broadcast secrecy via keychain-based encryption in single-hop wireless sensor networks. EURASIP Journal on Wireless Communications and Networking 2011, 2011:695171, DOI: 10.1155/2011/695171.
13. Li JM, Park YH, Li X. A USIM-based uniform access authentication framework in mobile communication. EURASIP Journal on Wireless Communications and Networking 2011, 2011:867315, DOI: 10.1155/2011/867315.
14. Spreitzer M, Theimer M. Secure mobile computing with location information. Communications of the ACM 1993; 36(7):27.
15. Yoon EJ, Yoo KY, Hong JW, Yoon SY, Park DI, Choi MJ. An efficient and secure anonymous authentication scheme for mobile satellite communication systems. EURASIP Journal on Wireless Communications and Networking 2011, 2011:86, DOI: 10.1186/1687-1499-2011-86.
16. Spreitzer M, Theimer M. Secure mobile computing with location information. Communications of the ACM 1993; 36(7):27.
17. Cruickshank HS. A security system for satellite networks. Proceedings of the IEEE Satellite Systems for Mobile Communications and Navigation, 1996; 187–190.
18. Hwang MS, Yang CC, Shiu CY. An authentication scheme for mobile satellite communication systems. ACM SIGOPS Oper Syst. Rev. 2003; 145(23):42–47.
19. Lee CC, Li CT, Chang RX. A simple and efficient authentication scheme for mobile satellite communication systems. Int. J. Satellite Commun 2012; 30:29–38.
20. Xu W, Trapper W, Zhang Y, Wood T. The feasibility of launching and detecting jamming attacks in wireless networks. Proceedings of the sixth ACM international symposium on mobile ad hoc networking and computing. Urbana-Champaign, IL, USA, 2005; 46–57.
21. Peng T, Leckie C, Ramamohanarao K. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput Surv 2007; 39(1):1–42.
Jianhua Chen received his BS degree in Applied Mathematics from Harbin Institute
of Technology, Harbin, China, in 1983 and received his MS and PhD degrees in Applied Mathematics from Wuhan University, Wuhan, China, in 1989 and 1994, respectively. Currently, he is a professor at Wuhan University. His current research
interests include number theory, information security, and network security.