Vous êtes sur la page 1sur 4

34 (IJCNS) International Journal of Computer and Network Security,

Vol. 1, No. 3, December 2009

Enhancement in the Identities-Exchange Process


during the Authentication Process
Amr M. Kisk1, Nagy W. Messiha2, Nabil M. A. Ayad 3, Nawal A. Elfeshawy4, and Fathi E. Abdel-Samie5
1
Egyptian Atomic Energy Authority EAEA
eng.amr_kishk@yahoo.com
2
Faculty of Electronic Engineering, Menouf, Egypt
nagy_w_messiha@hotmail.com
3
Egyptian Atomic Energy Authority EAEA
nabilayad483@hotmail.com
4
Faculty of Electronic Engineering, Menouf, Egypt
nelfishawy@hotmail.com
5
Faculty of Electronic Engineering, Menouf, Egypt
fathi_sayed@yahoo.com

Abstract: The key exchange is the most important target to the asymmetrical-encryption algorithms. Section 3 presents the
hackers. The asymmetrical encryption algorithms are used for enhancement in the Authentication Process. Section 4
the key-exchange in the authentication process. These presents the results. Finally, conclusion is presented in
algorithms help the authentication protocols to authenticate the section 5.
networks. The enhancement of the key-exchange and identities-
exchange is presented in this paper. The enhancement of the
key-exchange keeps the shared keys to be secure from the man-
2. Review on the Asymmetrical-Encryption
in-the-middle attacks. Algorithms

Keywords: Public key; Key-Updating; Secret Key; Shared In the RSA algorithm, the authentication server announces
Key. two keys and keeps two keys to be secret keys. The client
uses the two public keys to encrypt the message and the
1. Introduction authentication server uses one of the secret key to decrypt
the message. The RSA steps are as the following:
Wireless Local Area Network (WLAN) is one of the fastest- Step 1: Authentication server chooses two very large
growing technologies. The demand for connecting devices numbers p and q.
without the use of cables is increasing everywhere. WLAN Step 2: It calculates n = p × q
can be found in the office buildings, and in many other Step 3: It calculate φ = ( p − 1) × (q − 1)
public areas [1]. The security in WLAN is based on Step 4: It chooses a random integer e, and then determines d
cryptography, the science and art of transforming messages from the relation
to make them secure and immune to attacks. Cryptography
can be used to authenticate the sender and receiver of the d × e = 1modφ
message to each other within WLAN.
(1)
The data security in WLAN needs a key for encryption and
decryption processes [2]. The key exchange should be safer
Step 5: The client encrypts the plain text, p, with the two
to avoid the attacks to get that key. The authentication
keys, n and e.
protocols use an asymmetrical encryption algorithm for the
key exchange. The Diffie and Hellman [1], RSA [2], and
C=Pe mod n
Elliptic-Curve cryptography [2] are examples of the
(2)
asymmetrical encryption algorithms. These algorithms
depend on two types of keys, secret and public keys. The
Step 6: The authentication server decrypts C by using d and
client and server exchange a two authenticated keys used to
n to get P.
generate the key used for the encryption and decryption of
data.
P=Cd mod n
The authentication protocols have been used for
(3)
authentication and key-exchange processes, such as EAP-
The drawback of RSA is that clients in this network can
TLS [3], EAP-TTLS [4], and PEAP [5]. This paper is
analysis this encrypted message because all the clients have
organized as follows. Section 2 gives a short review of the
the same public keys to encrypt the message. This gives the
(IJCNS) International Journal of Computer and Network Security, 35
Vol. 1, No. 3, December 2009

man-in-the middle attacks to monitor the key-exchange determine d from the relation
process in the authentication process.
In the Diffie and Hellman, the authentication server d × e = 1 mod φ
announces two keys, p and g, and uses a secret key, x. The (8)
client has a secret key, y. The authentication server encrypts Step 5: It chooses a prime number, nk, to be a secret key in
its two public keys, p and g, by the secret key, x, see the authentication server.
equation (4), then sends the encrypted message Ks to the Step 6: It chooses a prime numbers, ns, for each client in
client. The client will use its secret key, y, to get the shared WLAN.
key, K, see equation (5). The client will send an encryption Step 7: It calculates shared key of the client, ks, from the
message, Kc, to the authentication server. Kc can be following equations.
obtained from equation (6). The authentication server will
use its secret key, x, to get the shared key, K, see equation nk = ns × pc
(7). The man-in- the middle attacks can easily exchange the qc = ns ⊕ nk
data with the authentication server from the starting point.
(9)
He can generate a secret key, y, and then obtain the shared
key, K, from the previous steps.
ks = ( pc × qc ) mod nk

Ks=gx mod p Step 8: The authentication server will announce nv and e as


(4) public keys for all clients in WLAN, and it gives each client
K=gxy mod p its two keys, ns and ks. Where ns is exchanged between the
(5) client and the server, and it is used to generate the ks used to
Kc=gy mod p encrypt the identities of the client and the server to complete
(6) the authentication process.
K=gyx mod p
(7) 3.2 The Authentication Process
The authentication process will appear as the following
The proposed algorithm keeps the server and the keys stored steps:
in them to be secure from the outside attacks. That prevent Step 1: The Access Point (AP) sends a request packet to the
unauthorized user to discover the shared key and the stored client to start the authentication process.
keys between them. Any authentication algorithm can use Step 2: The client encrypts ns with the two public keys, nv
the proposed algorithm for authentication process and it will and e.
give the high security to the identification exchange between
the authentication server and the client. C=nse mod nv
(10.a)
3. The Authentication Process Enhancement
Step 3: The C-packet is passes to the authentication server
through the AP
The authentication server and the clients in Wireless Local
Step 4: The authentication server decrypts C by using d and
Area Network (WLAN) look for the best authentication
nv to get ns.
protocol to keep their environment to be safe from any
attacks. The public encryption algorithms are one of the
ns=Cd mod nv
methods used to safe WLAN environments. The explanation
(10.b)
of the new key-exchange algorithm requires two processes,
the key-distribution process and the authentication process.
Step 5: The authentication server determines Ks of that
The key-distribution process is the initial process used at the
client according to equations (9).
initial configuration of the network, and it is used to
The shared key, Ks, is kept out of the man-in-the middle
distribute the network keys from the authentication server to
attacks, because the flying shared-key, ns, cannot be
all clients. The authentication process is the process used
analyzed except by the secret-key, n, stored in the
to authenticate the clients and the authentication server to
authentication server. The outside attack can be appeared as:
each other using the generated keys in the key-distribution
process before the data exchange process. • A client: in this case, the ks generated by
ns in the authentication server will not be
matched with ks of the client.
3.1 The Key-Distribution Process
This process used to distribute the keys to all clients. The • The authentication server: in this case, the
first steps of the key-distribution process are the same as server cannot match the generated ks with
RSA algorithm. The steps of the key-generation are as the the client key, ks. Each client has their
following: shared keys that will save the clients in
Step 1: Authentication server chooses two very large WLAN from the man-in-the middle
numbers p and q. attacks.
Step 2: It calculates nv = p × q Step 6: The authentication server and the client exchange
their identities, as description in the next sub-section.
Step 3: It calculates φ = ( p − 1) × ( q − 1)
Step 4: It chooses a random integer number, e, and then
36 (IJCNS) International Journal of Computer and Network Security,
Vol. 1, No. 3, December 2009

3.3 Identities Exchange Stage


The dual authentication between the client and the server is The feedback, kv, is the backbone of the key-updating as
based on the exchange of the identities. After the key- shown in figure (1). The encryption/decryption procedures
exchange stage, the client encrypts its identities by using the are as the following:
shared key, Ks, to send them to the authentication server. Step 1: Kn = Ks ⊕ Kv
But, the same key used to encrypt all identities packet can Where:
give the possibility to the outside attacks to discover the key • Ks is the shared-key.
based on the fixed shape of the packet such that used in • Kv is the feedback value, and its value is
EAP-methods. The solution of that problem is the key- zero at the first time
updating with each packet. The key-updating adds many Step 2: Kv = S (Kn)
benefits such as: Where: S(Kn) is the output value of the S-Box when the
- Increase the impossibilities to the outside attackers to input is Kn, it is applied on each byte inside Kn.
discover the shared key. Step 3: M * = M ⊕ Kv
- No need to update the shared key with each
Where:
authentication process.
• M* is the encrypted/ decrypted identity
The shared-key is divided into bytes. Each byte of the
• M is the plain/encrypted identity
shared key is applied to the S-Box. The S-box is a matrix
respectively.
of16 × 16 , and it is used to map the input code to another
code at the output. The contents of the S-Box are shown in
Table (1). 4. The Results
For example, if some byte appears as 39 in a hexadecimal
form at the sender, then the output of the S-Box of table (1) The enhancement in the key-exchange improves the
will be the code that takes the row number 3 and the drawbacks of the Diffie Helman and RSA algorithms to
column number 9, or the input byte, 39, is mapped into FF exchange the keys during the authentication process. The
at the output. The encryption and/or the decryption of the shared key is exchanged in a safe environment. The
identities are shown in the figure (1). attackers must know n which is stored in the authentication
server to obtain the shared key. The enhancement in the
identities-exchange during the authentication process keeps
the WLAN environment to be safer than that used Diffie
M Helman and RSA:
Ks Kn Kv
i. The difficulties to discover the shared key.
XOR S-Box XOR ii. The unauthorized client cannot get the shared key except
by n which is stored in the authorized authentication server.
iii. The unauthorized server cannot get the shared key
Kv M*
except by n which is stored in the authorized authentication
server.
iv. The key-updating with each packet of the identities
Figure 1. The Encryption/Decryption of the Identities during the authentication process add more difficulties to
the attacks to discover the shared key.

Table 1: S-Box Contents


0 1 2 3 4 5 6 7 8 9 A B C D E F
0 A7 74 6C D2 DB 41 49 9F F5 91 56 9A CC B5 53 FB
1 D8 B3 4E 78 9B 92 4C 96 7A 8D C7 F2 65 71 6E 86
2 E9 D4 F6 47 FD 94 B9 85 82 BC C0 D6 A9 DE C1 AE
3 B1 F8 69 CA F0 EC 98 D3 FA FF A0 C3 D5 B6 93 44
4 CB 05 F3 E1 3F 67 8B 23 62 06 A4 AC 16 76 12 60
5 88 A2 E5 0E 7D 5C 0A CF B8 E7 80 8A 55 84 6B 7F
6 4F C5 48 DA DC 1C B7 45 A8 32 BB 5E 02 A5 1E DD
7 E3 1D F7 BE 01 C4 4D D9 13 AB 18 C8 CC 54 BF 5F
8 5A B4 28 89 5D 27 1F F9 50 83 EE 46 B2 19 BD A3
9 E6 09 15 3E 25 D7 17 FC 36 EA 0B 14 EF E0 CE 07
A 3A D1 51 8F 4A 6D FE 00 68 2C F4 79 4B E4 2F EB
B E8 30 8C 11 81 0D 3D 66 58 26 5B 6A 29 8E 73 7E
C 2A 2E F1 3B 75 61 ED 1A 7B DF 33 40 7C 0C 9E 57
D E2 A1 03 37 21 3C 2B 95 10 77 63 04 64 6F 2D C9
E 9D 43 D0 71 AD 52 90 59 B0 20 99 AF 35 C6 8A 9C
F 34 C2 1B 42 AA 08 22 72 31 87 38 0F 97 24 A6 39
(IJCNS) International Journal of Computer and Network Security, 37
Vol. 1, No. 3, December 2009

5. Conclusion
Nabil M. A. Ayad received the B.S. in
Electronics and Electrical Communications
The authentication process is used to authenticate the clients
Department, Cairo University, Cairo,
and the authentication server in WLAN. The asymmetrical Egypt, June 1974, and M.S. in "A
encryption algorithm is used for key-exchange in the Microprocessor-Based Data Acquisition
authentication process. The enhancement of the key- System for Exchanges", April 1979, and
exchange process increases the difficulties to discover the the Ph.D in “Performance Evaluation of
shared key. The key-updating with each Identity-packet adds Routing Techniques for Packet- Switched
more difficulties to crack the WLAN environment. The Computer Networks”, Oct., 1984. From 1995 to 2002, He was an
authentication process becomes more secure because of the associate professor in the department of Reactors, Egyptian Atomic
key-exchange enhancement and the key-updating process. Energy Authority. Currently, he is a Professor in the department of
Reactors, Egyptian Atomic Energy Authority. He is interested in
Communication systems, Designing and implementing of PC
References business accounting packages Intelligent Database systems,
[1] F. Majstor, “WLAN security, threats and Evaluation of LAN performance, and Modeling of computer
solutions”,28th IEEE International Conference on networks.
Local Computer Networks, Bonn, Germany, Oct
2003.
Nawal El-Fishawy She received the PhD
[2] William Stallings, “Network Security Essentials degree in mobile communications the faculty of
(Applications and Standards)”, Pearson Education, Electronic Eng., Menoufia University, Menouf ،
2004. Egypt ،in collaboration with Southampton
[3] Simon, D., Aboba, B., and R. Hurst, "The EAP- University in 1991 .Now she is the head of
TLS Authentication Protocol", RFC 5216, March Computer Science and Engineering Dept.,
2008. Faculty of Electronic Eng. Her research interest
[4] P. Funk and S. Blake-Wilson, " EAP Tunneled includes computer communication networks
TLS Authentication Protocol Version 1 (EAP- with emphasis on protocol design, traffic modeling and
performance evaluation of broadband networks and multiple access
TTLSv1) ", The Internet Society, Mar. 2006.
control protocols for wireless communications systems and
[5] Palekar, A., Simon, D., Zorn, G., Salowey, J., networks. Now she directed her research interests to the
Zhou, H., and S. Josefsson, "Protected EAP developments of security over wireless communications networks
Protocol (PEAP) Version 2", work in progress, (mobile communications, WLAN, Bluetooth), VOIP, and
October 2004. encryption algorithms.
[6] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J.,
and H. Levkowetz, "Extensible Authentication
Protocol (EAP)", RFC 3748, June 2004.
[7] Simpson, W., "The Point-to-Point Protocol (PPP)",
STD 51, RFC 1661, July 1994.
[8] Kasera and N. Narang, "3G Mobile Networks -
Architecture, Protocols and Procedures", McGraw-
Hill, 2004.

Authors Profile

Nagy Wadie Messiha received the B.S. in


Electrical Engineering Telecommunication
Department, Ein Shams University, Cairo, Egypt,
June 1965, and M.S. in "Telecommunication
Engineering", Helwan University, Cairo, Egypt,
1973, and the Ph.D in Computer Science from
University of Stuttgart, in 1981. From 1981 to
1987, He was an associate professor in the department of
communication engineering, Menoufia University, Menouf, Egypt.
Currently, he is a Professor in the department of communication
engineering, Menoufia University, Menouf, Egypt. He is interested
in Communication systems, Electrical circuit Theory, Systems and
Networks, Electronic Measurements, Computer Networks, and
Information Theory and Coding.