
2011 Seventh International Conference on Intelligent Information Hiding and Multimedia Signal Processing

An Efficient Mutual Authentication with Key Agreement Protocol for Mobile Devices

Jen-Ho Yang
Department of Information and Electronic Commerce, Kainan University, Taoyuan County, Taiwan, R. O. C. E-mail: jenhoyang@mail.knu.edu.tw

Chin-Chen Chang
Department of Information Engineering and Computer Science, Feng Chia University, Taichung, Taiwan, R.O.C. E-mail: ccc@cs.ccu.edu.tw

Shih-Yi Lin
Department of Information Science and Computer Engineering, National Chung Cheng University, Chiayi, Taiwan, R.O.C. E-mail: lsy94@cs.ccu.edu.tw

Abstract: Authentication with key agreement protocol (AKA) can provide mutual authentication and create a session key between two communication parties. In 2005, Chen and Yeh proposed an AKA protocol based on a one-way hash function and exclusive-or (XOR) operations. Having the feature of fast processing, their protocol is more efficient than previous related works. However, we discover that Chen and Yeh's protocol cannot withstand the denial of service (DoS) attack. Moreover, their protocol has redundant communication rounds, so it is not efficient for mobile devices. Therefore, we propose an efficient AKA protocol for mobile devices in this paper, which has lower computation and communication loads. Moreover, our protocol can prevent the DoS attack and does not require a verification table in the server. In a word, our AKA protocol is efficient and practical for mobile devices.

Keywords: authentication with key agreement; one-way hash function; denial of service; mobile device

I. INTRODUCTION

With the development of electronic technologies, more and more transactions are implemented on mobile devices, such as PDAs and cellular phones. These are inexpensive and portable devices, so people can easily and conveniently accomplish transactions anytime and anywhere. However, there is a problem when transactions are applied to mobile devices: anyone may intercept the packets sent by mobile devices, because communications on mobile devices are performed in wireless environments, where mobile communications are broadcast in nature. Concerning communication security, the mobile device should be authenticated by a server before conducting a transaction. Conversely, the server also needs to be authenticated by the mobile device. To accomplish this purpose, a mutual authentication mechanism is necessary to ensure secure communications, and many related works have been proposed [2, 3, 4, 7, 8]. After completing mutual authentication, the mobile device and the server also require a session key to encrypt the messages for later communications. Here, the authentication with key agreement (AKA) protocol is a suitable one to be applied to mobile devices.

However, most AKA protocols, whether public-key-based or password-based, are not designed for mobile devices. Due to the limitations of computational ability, storage space, and power supply on mobile devices, the public-key-based AKA protocols [6, 11] are not suitable for mobile devices; they have to compute modular exponentiation, which is a time-consuming operation. On the other hand, password-based AKA protocols [9, 12] must maintain a password verification table in the server for checking users' validity. As the number of users increases, the server takes a heavy load to maintain a large verification table. In addition, the password-based AKA protocols may encounter some malicious attacks. For example, the stolen-verifier attack may occur because the server must keep a verification table for users. Moreover, they may suffer the password guessing attack [10, 14] because most users choose easy-to-remember passwords. These weaknesses make public-key-based and password-based AKA protocols unsuitable for mobile devices.

Some AKA protocols [1, 5] use a timestamp to make the messages different in each authentication session. The major disadvantage of the timestamp-based AKA protocol is that it requires the mobile devices and the server to be synchronized. Nevertheless, such synchronization is difficult to implement in wireless environments. In 2003, Chien and Jan [3] proposed a nonce-based authentication protocol. However, this protocol does not contain a session key agreement mechanism, and it also needs the server to maintain a verification table. Juang [15] proposed a nonce-based AKA protocol without a verification table. Compared with Chien and Jan's protocol, Juang's protocol not only provides a session key agreement mechanism but also accomplishes mutual authentication without a verification table in the server. However, Juang's protocol has to use a symmetric cryptosystem, which may increase the computation loads on both the user and the server. Therefore, in 2005, Chen and Yeh [13] proposed an efficient nonce-based AKA protocol based on a one-way hash function and the exclusive-or (XOR) operation. Compared with Juang's protocol, their protocol has a lower computation load because the one-way hash function and XOR operation are faster than a symmetric cryptosystem.

978-0-7695-4517-2/11 $26.00 2011 IEEE DOI 10.1109/IIHMSP.2011.60

Because mobile devices have low computational ability and a limited power supply, Chen and Yeh's protocol meets our needs in designing an AKA protocol for mobile devices. However, there are still some problems. First, Chen and Yeh's protocol cannot withstand the denial of service (DoS) attack: an attacker can easily make the server break down by sending a lot of request packets to it. In addition, their protocol has redundant communications between the user (mobile device) and the server, which increases the communication overhead on mobile devices. Therefore, we propose an efficient mutual authentication with key agreement protocol for mobile devices in this paper. In our protocol, we use fewer one-way hash function and XOR operations to accomplish mutual authentication with key agreement on mobile devices. In addition, our protocol has fewer communication rounds than Chen and Yeh's protocol, and it can prevent the DoS attack. According to the above description, our AKA protocol is efficient and suitable for mobile devices.

II. RELATED WORKS

In this section, Chen and Yeh's AKA protocol [13] is introduced. Their protocol is shown as follows.

The registration phase
Step 1. $U_i$ sends his identity $ID_i$ and password $PW_i$ to the server via a secure channel.
Step 2. After receiving $(ID_i, PW_i)$, the server computes $v_i = H(ID_i \oplus x) \oplus PW_i$, stores $(H(\cdot), v_i)$ in the smart card, and sends the smart card to $U_i$.

The login and authentication with key agreement phase
When $U_i$ wants to log in to the server, he inserts his smart card and inputs his password $PW_i$ into the smart card, and the following steps are performed.
Step 1. The smart card computes $H(ID_i \oplus x) = v_i \oplus PW_i$ and generates a nonce value $N_i$ to compute $C_1 = H^2(ID_i \oplus x) \oplus N_i$. Then $(ID_i, C_1)$ is sent to the server.
Step 2. Upon receiving $(ID_i, C_1)$, the server uses its secret key $x$ to compute $N_i = C_1 \oplus H^2(ID_i \oplus x)$. Then, the server generates a nonce value $N_s$ and computes $C_2 = H(H(ID_i \oplus x) \,\|\, N_i) \oplus N_s$ and $C_3 = H(H(ID_i \oplus x) \,\|\, N_i \,\|\, N_s)$, where $\|$ denotes the string concatenation operation. Finally, the server sends $(C_2, C_3)$ to $U_i$.
Step 3. $U_i$ obtains $N_s$ by computing $C_2 \oplus H(H(ID_i \oplus x) \,\|\, N_i)$. Then, $U_i$ checks whether $C_3$ is equal to $H(H(ID_i \oplus x) \,\|\, N_i \,\|\, N_s)$. If the equation holds, the server's validity is confirmed. Then, $U_i$ computes $C_4 = H(H^2(ID_i \oplus x) \,\|\, N_i + 1 \,\|\, N_s + 1)$ and sends it back to the server.
Step 4. The server computes $C_4' = H(H^2(ID_i \oplus x) \,\|\, N_i + 1 \,\|\, N_s + 1)$ and checks if the received $C_4$ is equal to $C_4'$. If it is, the server can confirm that $U_i$ is valid.
Step 5. Finally, the server and $U_i$ both compute the session key $SK = H(H^3(ID_i \oplus x) \,\|\, N_i + 2 \,\|\, N_s + 2)$.

Chen and Yeh's protocol requires three rounds to accomplish mutual authentication and key agreement. We find that if the redundant computations in Chen and Yeh's protocol are eliminated, the number of rounds can be further reduced. Moreover, Chen and Yeh's protocol cannot prevent the denial of service (DoS) attack. If a user sends $(ID_i, C_1)$ to the server, the server cannot check the user's validity until the user sends back $C_4$. An attacker can take advantage of this and easily shut down the server. Assume that an attacker chooses many valid identities $ID_i$ and generates faked values $C_{1i}$. He then sends lots of $(ID_i, C_{1i})$ pairs to the server but never computes the associated $C_{4i}$. The server computes lots of useless values and waits for the attacker's replies; since no replies arrive, the server keeps waiting. Repeated, this keeps the server so busy handling the attacker's requests that it cannot serve other legal users' requests.

Our protocol is divided into two phases: the initialization phase and the authentication with key agreement phase. Table I shows the notations used in our protocol.

TABLE I. THE NOTATIONS USED IN OUR PROTOCOL

Notation | Description
$x$ | a secret key held by the server
$MD_i$ | the mobile device $i$
$ID_i$ | $MD_i$'s identity
$PW_i$ | $MD_i$'s password
$H(\cdot)$ | a secure one-way hash function
$H(y)$ | the hash operation over $y$
$H^n(a)$ | performing $H(\cdot)$ $n$ times on $a$
$\oplus$ | XOR operation
$\|$ | string concatenation operation

The initialization phase
In this phase, the server is responsible for initializing the parameters of the system. The steps are as follows.
Step 1. The server selects a secure one-way hash function $H(\cdot)$.
Step 2. The server computes $A_i = H(ID_i \oplus x)$ and stores $A_i$ in $MD_i$.

The authentication with key agreement phase
Step 1. $MD_i$ randomly selects a nonce value $N_i$ to compute $M_1 = N_i \oplus H(A_i)$ and $M_2 = H(ID_i \oplus N_i)$. Then, $MD_i$ sends $(M_1, M_2, ID_i)$ to the server.
Step 2. After receiving $(M_1, M_2, ID_i)$, the server computes $N_i' = M_1 \oplus H^2(ID_i \oplus x)$ and $M_2' = H(ID_i \oplus N_i')$ and checks if $M_2'$ is equal to $M_2$. If the equation holds, the server can confirm that $MD_i$ is valid. Otherwise, the server rejects $MD_i$'s request and stops the session.
Step 3. The server selects a nonce $N_s$ to compute $M_3 = H^2(ID_i \oplus x) \oplus N_s$, $SK = H(H(ID_i \oplus x) \,\|\, N_s \,\|\, N_i')$, and $M_4 = H(SK \,\|\, N_s \,\|\, N_i')$, and it sends $(M_3, M_4)$ to $MD_i$.
Step 4. Upon receiving $(M_3, M_4)$, $MD_i$ computes $N_s' = M_3 \oplus H(A_i)$, $SK' = H(A_i \,\|\, N_s' \,\|\, N_i)$, and $M_4' = H(SK' \,\|\, N_s' \,\|\, N_i)$. If $M_4'$ is equal to $M_4$, $MD_i$ confirms that both the server and the session key $SK'$ are valid.

Figure 1. The proposed protocol

The proposed protocol is illustrated in Figure 1. Compared with Chen and Yeh's protocol, our protocol requires only two rounds to accomplish mutual authentication with key agreement, which is more efficient and practical than Chen and Yeh's protocol.

IV. SECURITY ANALYSIS AND DISCUSSIONS

In this section, we give some possible attacks which might occur on our protocol and discuss its security.

Denial of service (DoS) attack
A DoS attacker may send lots of redundant requests to shut down the server. In our protocol, a DoS attacker may send $(\tilde{M}_1, \tilde{M}_2, ID_i)$ to the server, where $\tilde{M}_1, \tilde{M}_2$ are arbitrary messages and $ID_i$ is a legal identity. Because $\tilde{M}_1$ and $\tilde{M}_2$ are not valid messages, they cannot satisfy the verification equation $\tilde{M}_2 = \tilde{M}_2' = H(ID_i \oplus N_i')$ in Step 2 of the authentication with key agreement phase. Then, the server rejects this request and immediately stops the session. Thus, the server can still serve other legal mobile devices' requests, so the DoS attack is infeasible.

Impersonation attack
Assume that an attacker wants to impersonate a legal mobile device $MD_i$: he generates $\tilde{N}_i$ and $\tilde{A}_i$ to compute $\tilde{M}_1$ and $\tilde{M}_2$. Then, the attacker sends $(\tilde{M}_1, \tilde{M}_2, ID_i)$ to the server. After receiving $(\tilde{M}_1, \tilde{M}_2, ID_i)$, the server verifies $\tilde{M}_2$ to see if it is equal to $H(ID_i \oplus \tilde{N}_i')$, where $\tilde{N}_i' = \tilde{M}_1 \oplus H^2(ID_i \oplus x)$. However, $\tilde{M}_2$ cannot satisfy the verification equation because the correct $A_i = H(ID_i \oplus x)$ is unknown to the attacker. Thus, the impersonation attack is impossible.

Replay attack
Assume that an attacker wiretaps the communication between $MD_i$ and the server. Then, he can collect the message $(M_1, M_2, ID_i)$ sent previously by $MD_i$, and he tries to replay $(M_1, M_2, ID_i)$ to the server in the next session. However, both $M_1 = N_i \oplus H(A_i)$ and $M_2 = H(ID_i \oplus N_i)$ contain the nonce $N_i$, which makes the messages different in each session. Because the server may temporarily keep the transaction records for a period of time, the replay attack can be discovered if the attacker sends the same message in each session. Moreover, even if the attacker replays the previous message to the server, he cannot obtain the nonce chosen by the server, which is needed to obtain the session key $SK$. Therefore, our protocol can withstand the replay attack.

V. COMPARISONS

The comparisons of the related protocols are given in Table II. In these protocols, only Juang's protocol uses a symmetric cryptosystem, and the others use one-way hash functions. Thus, Juang's protocol has the longest operation time among these protocols. Although Chien and Jan's protocol [3] requires only two rounds, it does not support a session key agreement mechanism and it also needs to maintain a verification table in the server. As for Chen and Yeh's protocol [13], though it can provide a session key agreement mechanism without a verification table, it requires three rounds to accomplish authentication with key agreement. Therefore, according to Table II, our protocol is more efficient and practical for mobile devices.
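The two designs compared above, as an added example that is not the paper's own code: a small Python model of Chen and Yeh's three-round protocol (Section II) next to the proposed two-round protocol (Section III), including the Step 2 rejection and the server-side transaction records that the security analysis in Section IV relies on. It assumes SHA-256 as $H$, fixed 32-byte identities, secret key and nonces so that XOR is well defined, a "||" marker for concatenation, and nonce increments computed as 256-bit integers; the class and function names are the example's own. In `demo()`, a Chen and Yeh server is left holding a pending session after a single unverifiable $(ID_i, C_1)$, while the proposed server rejects a malformed request and a replayed one without keeping any state for them.

```python
import hashlib
import secrets

# Added example (not the paper's code): toy model of Chen and Yeh's three-round
# protocol beside the proposed two-round one. Assumptions: H is SHA-256, so
# identities, the secret key x, nonces and hashes are 32-byte strings and XOR is
# byte-wise; "||" is the SEP marker; N + k increments a nonce as a 256-bit int.
SEP = b"||"

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def Hn(data: bytes, n: int) -> bytes:          # H^n(data)
    for _ in range(n):
        data = H(data)
    return data

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(p ^ q for p, q in zip(a, b))

def inc(n: bytes, k: int = 1) -> bytes:        # N + k
    return ((int.from_bytes(n, "big") + k) % (1 << 256)).to_bytes(32, "big")

def nonce() -> bytes:
    return secrets.token_bytes(32)

class ChenYehServer:
    """Section II: U_i is verified only when C4 arrives, so every (ID_i, C1)
    received opens a pending session that holds N_i and N_s."""
    def __init__(self):
        self.x = nonce()
        self.pending = {}                        # session id -> (ID_i, N_i, N_s)
    def register(self, ID, PW):
        return xor(H(xor(ID, self.x)), PW)       # v_i for the smart card
    def round1(self, ID, C1):
        k = H(xor(ID, self.x))                   # H(ID_i xor x)
        N_i, N_s = xor(C1, H(k)), nonce()        # N_i = C1 xor H^2(ID_i xor x)
        sid = len(self.pending) + 1
        self.pending[sid] = (ID, N_i, N_s)
        return sid, xor(H(k + SEP + N_i), N_s), H(k + SEP + N_i + SEP + N_s)
    def round3(self, sid, C4):
        ID, N_i, N_s = self.pending.pop(sid)
        k = H(xor(ID, self.x))
        if H(H(k) + SEP + inc(N_i) + SEP + inc(N_s)) != C4:
            return None
        return H(Hn(k, 2) + SEP + inc(N_i, 2) + SEP + inc(N_s, 2))   # SK

def chen_yeh_run(server, ID, PW, v):            # honest U_i holding card value v
    k, N_i = xor(v, PW), nonce()                 # k = H(ID_i xor x)
    sid, C2, C3 = server.round1(ID, xor(H(k), N_i))   # C1 = H^2(ID_i xor x) xor N_i
    N_s = xor(C2, H(k + SEP + N_i))
    if C3 != H(k + SEP + N_i + SEP + N_s):
        return None
    C4 = H(H(k) + SEP + inc(N_i) + SEP + inc(N_s))
    SK = H(Hn(k, 2) + SEP + inc(N_i, 2) + SEP + inc(N_s, 2))
    return SK, server.round3(sid, C4)            # (user SK, server SK)

class ProposedServer:
    """Section III: M2 is checked on the first message, a failing request keeps
    no state, and recent (ID_i, M1) pairs are the transaction records."""
    def __init__(self):
        self.x = nonce()
        self.seen = set()
    def enrol(self, ID):
        return H(xor(ID, self.x))                # A_i stored in MD_i
    def authenticate(self, M1, M2, ID):
        k = H(xor(ID, self.x))                   # H(ID_i xor x), i.e. A_i
        N_i = xor(M1, H(k))                      # N_i' = M1 xor H^2(ID_i xor x)
        if H(xor(ID, N_i)) != M2 or (ID, M1) in self.seen:
            return None                          # reject and stop the session
        self.seen.add((ID, M1))
        N_s = nonce()
        SK = H(k + SEP + N_s + SEP + N_i)
        M3, M4 = xor(H(k), N_s), H(SK + SEP + N_s + SEP + N_i)
        return (M3, M4), SK                      # only (M3, M4) go on the wire

def device_request(ID, A):                       # Step 1 on MD_i
    N_i = nonce()
    return N_i, (xor(N_i, H(A)), H(xor(ID, N_i)), ID)   # nonce, (M1, M2, ID_i)

def device_finish(A, N_i, M3, M4):               # Step 4 on MD_i: SK' or None
    N_s = xor(M3, H(A))
    SK = H(A + SEP + N_s + SEP + N_i)
    return SK if H(SK + SEP + N_s + SEP + N_i) == M4 else None

def demo():                                      # constructed run of both protocols
    ID = H(b"mobile-device-1")                   # constructed 32-byte identity
    cy, PW = ChenYehServer(), H(b"constructed-password")
    sk_user, sk_server = chen_yeh_run(cy, ID, PW, cy.register(ID, PW))
    cy.round1(ID, nonce())                       # one unverifiable first message
    ps = ProposedServer()
    A = ps.enrol(ID)
    N_i, msg = device_request(ID, A)
    (M3, M4), sk_ps = ps.authenticate(*msg)
    return {
        "chen_yeh_keys_agree": sk_user == sk_server,
        "chen_yeh_pending_after_bogus": len(cy.pending),
        "proposed_keys_agree": device_finish(A, N_i, M3, M4) == sk_ps,
        "proposed_bogus_rejected": ps.authenticate(nonce(), nonce(), ID) is None,
        "proposed_replay_rejected": ps.authenticate(*msg) is None,
    }
```

Calling `demo()` returns the five observations as a dictionary. The pending-session count is the state a server in the three-round design must hold for every first message it cannot yet verify, which is the resource the DoS discussion in Section II is about; in the two-round design the same malformed request is answered with a rejection and nothing is stored, and the `seen` set is one concrete form of the temporary transaction records that Section IV invokes against replays.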

TABLE II. COMPARISONS OF THE RELATED WORKS

 | Ours | [13] | [3] | [15]
Verification table | No | No | Yes | No
Execution rounds | 2 | 3 | 2 | 3
Key agreement | Yes | Yes | No | Yes
Symmetric cryptosystem | No | No | No | Yes

VI. CONCLUSIONS

Due to the limitation of hardware techniques, how to reduce the computation load becomes an important issue when we implement an AKA protocol on mobile devices. In this paper, we propose an efficient AKA protocol, which has a low computation load because it is based on a one-way hash function and XOR operations. Compared with some related works proposed previously, our protocol uses only two communication rounds to accomplish mutual authentication and session key agreement. Therefore, our protocol is more efficient and practical than those works on mobile devices. In the future, we are going to investigate a group-oriented AKA protocol for mobile devices, such that mobile devices belonging to different servers can authenticate each other and share a session key.

REFERENCES
[1] G. L. Hsu, "Security of Chien et al.'s remote user authentication protocol using smart cards," Computer Standards & Interfaces, Vol. 26, No. 3, pp. 167-169, 2004.
[2] H. M. Sun, "An efficient remote user authentication protocol using smart cards," IEEE Transactions on Consumer Electronics, Vol. 46, No. 4, pp. 958-961, 2000.
[3] H. Y. Chien and J. K. Jan, "Robust and simple authentication protocol," Computer Journal, Vol. 46, pp. 193-201, 2003.
[4] H. Y. Chien, J. K. Jan, and Y. M. Tseng, "An efficient and practical solution to remote authentication: smart card," Computers & Security, Vol. 21, No. 4, pp. 372-375, 2002.
[5] L. Gong, "A security risk of depending on synchronized clocks," ACM Operating Systems Review, Vol. 26, No. 1, pp. 49-53, 1992.
[6] L. Law, A. Menezes, M. Qu, J. Solinas, and S. Vanstone, "An efficient protocol for authenticated key agreement," Designs, Codes and Cryptography, Vol. 28, No. 2, pp. 119-134, 2003.
[7] M. Sandirigama, A. Shimizu, and M. T. Noda, "Simple and secure password authentication protocol (SAS)," IEICE Transactions on Communications, Vol. E83-B, No. 6, pp. 1363-1365, 2000.
[8] M. S. Hwang, C. C. Lee, and Y. L. Tang, "A simple remote user authentication protocol," Mathematical and Computer Modelling, Vol. 36, No. 1-2, pp. 103-107, 2002.
[9] S. J. Wang, "Remote table-based log-in authentication upon geometric triangle," Computer Standards & Interfaces, Vol. 26, No. 2, pp. 85-92, 2004.
[10] S. M. Bellovin and M. Merritt, "Augmented encrypted key exchange: A password-based protocol secure against dictionary attacks and password file compromise," Proceedings of the First ACM Conference on Computer & Communications Security, Fairfax, VA, pp. 244-250, 1993.
[11] S. Blake-Wilson, D. Johnson, and A. Menezes, "Key agreement protocols and their security analysis," Proceedings of the Sixth IMA International Conference on Cryptography and Coding, Cirencester, UK, Vol. 1355, pp. 30-45, 1997.
[12] S. M. Yeh and K. H. Liao, "Shared authentication token secure against replay and key weak attack," Information Processing Letters, Vol. 62, No. 2, pp. 77-80, 1997.
[13] Y. C. Chen and L. Y. Yeh, "An efficient nonce-based authentication protocol with key agreement," Applied Mathematics and Computation, Vol. 169, No. 2, pp. 982-994, 2005.
[14] Y. Ding and P. Horster, "Undetectable on-line password guessing attacks," ACM Operating Systems Review, Vol. 29, No. 4, pp. 77-86, 1995.
[15] W. S. Juang, "Efficient password authenticated key agreement using smart card," Computers & Security, Vol. 23, No. 2, pp. 167-173, 2004.
