
Identity-based authentication protocol for grid

Identity-based authentication protocol for grid. Source: Journal of Systems Engineering and Electronics, Vol. 19, No. 4, pp. 860-864, 2008. Authors: Li Hongwei, Sun Shixin, and Yang Haomiao. Reporter: 陳德祐.


Presentation Transcript


  1. Identity-based authentication protocol for grid
     Source: Journal of Systems Engineering and Electronics, Vol. 19, No. 4, pp. 860-864, 2008
     Authors: Li Hongwei, Sun Shixin, and Yang Haomiao
     Reporter: 陳德祐

  2. Outline
     • Weil pairing properties
     • Identity-based architecture for grid
     • Identity-based encryption
     • Identity-based signature
     • Identity-based authentication protocol
     • Security on the proposed scheme

  3. Bilinear Pairings
     Let G1, G2 be cyclic groups of the same order q.
     • G1 : an additive group E(Fp)
     • G2 : a multiplicative group
     • P : a generator of G1
     Definition
     • A bilinear map
     • Bilinear:
     • Non-degenerate:
     • Computability:

  4. Identity-based architecture for grid (IBAG)
     Hierarchy (figure):
     • Root PKG (0-level): DN0
     • Virtual Organization Sub-PKG (1-level): DNM
     • Entity (2-level): DNN
     The identity:
     • ID0 = DN0
     • IDM = DN0||DNM
     • IDN = DN0||DNM||DNN
     • IDN|0 = DN0
     • IDN|1 = DN0||DNM
     • IDN|2 = DN0||DNM||DNN

  5. Root PKG setup
     • G1, G2 : two groups of prime order q
     • An admissible pairing :
     • A generator P of G1
     • H1: {0, 1}* → G1
     • H2: G2 → {0, 1}^n
     • Zq* and set Q0=P, P0=H1(DN0), S0= P0
     • The root PKG’s master key: S0
     • System parameters: <G1, G2, ê, P, Q0, P0, H1, H2>

  6. Lower-level setup
     The root PKG acts for node X in the 1-level as follows:
     • Compute the public key of node X: PX = H1(IDX), where IDX = DN0||DNX
     • Set the secret key of node X: SX = S0 + ρXPX, where ρX ∈ Zq*, known by X and its parent node
     • Compute the Q-value: QIDX|1 = ρX P, where QIDX|1 is public
     Each node in the 1-level similarly performs the above steps, so all nodes in the 2-level get:
     • their secret key Sy = S0 + ρXPX + ρYPY, and secret point ρY
       (ρX is the secret point of node DN0||DNX; ρY is the secret point of node DN0||DNX||DNY)
     • public key Py = H1(IDy), and public Q-value

  7. Figure labels: DN0, DNM, DNN
     Root PKG (0-level):
     • Zq* and set Q0=P, P0=H1(DN0), S0= P0
     • The root PKG’s master key: S0
     • System parameters: <G1, G2, ê, P, Q0, P0, H1, H2>
     Virtual Organization Sub-PKG (1-level), node X:
     • public key: PX = H1(IDX), where IDX = DN0||DNX
     • secret key: SX = S0 + ρXPX, where ρX (Zq*) is known by X and its parent node?!
     • Q-value: QIDX|1 = ρX P, where QIDX|1 is public
     • if ρX is known by X, then DN0’s secret key: S0 = SX – ρXPX ><
     Entity (2-level), node Y:
     • public key: PY = H1(IDY), where IDY = DN0||DNX||DNY
     • secret key: Sy = S0 + ρXPX + ρYPY, and secret point ρY
     • ρX is the secret point of node DN0||DNX
     • ρY is the secret point of node DN0||DNX||DNY
     • public Q-value
     • Y knows SX = S0 + ρXPX = Sy - ρYPY

  8. Identity-based encryption
     E1 and E2, let IDE2 = (DN0||DN1||DN2).
     To encrypt m with IDE2, E1 computes:
     • P1 = H1(DN0||DN1)
     • P2 = H1(DN0||DN1||DN2)
     • Choose a random r ∈ Zq*
     • Output C = <rP, rP1, rP2, H2(g^r)⊕m>, where C = <U0, U1, U2, V>

  9. Identity-based decryption
     E2 decrypts C = <U0, U1, U2, V> using its secret key SE2 = S0 + ρ1P1 + ρ2P2
     • ρ1 is the secret point of node DN0||DN1
     • ρ2 is the secret point of node DN0||DN1||DN2
     • m = H2(d)⊕V
     • C = <rP, rP1, rP2, H2(g^r)⊕m>

  10. Cryptanalysis of Identity-based decryption
     An entity E3 under the same VO knows the parent node’s secret key S (= S0 + ρ1P1) and can decrypt C = <U0, U1, U2, V>
     • m = H2(d)⊕V
     • C = <rP, rP1, rP2, H2(g^r)⊕m>
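
The key relations on slides 7 and 10 can be checked numerically. The following is an added example, not taken from the paper or the presentation: it uses a toy model in which G1 is replaced by the additive group Z_q with P = 1, H1 by SHA-256, and S0 by an opaque random element; the function names and the group order are assumptions of this example.

```python
import hashlib
import secrets

# Toy stand-in for G1: the additive group Z_q with generator P = 1.
# It preserves the linear key relations on the slides and offers no security.
Q = 2**127 - 1  # prime group order (constructed value)

def h1(identity: str) -> int:
    """H1 modelled as SHA-256 reduced to a nonzero element of Z_q."""
    digest = hashlib.sha256(identity.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1

def rand_scalar() -> int:
    """Uniform element of Zq* (used for rho values and the opaque S0)."""
    return secrets.randbelow(Q - 1) + 1

def extract(parent_key: int, rho: int, child_id: str) -> int:
    """Lower-level setup: S_child = S_parent + rho * H1(ID_child)."""
    return (parent_key + rho * h1(child_id)) % Q

def parent_key_from_child(child_key: int, rho: int, child_id: str) -> int:
    """Relation noted on slide 7: S_parent = S_child - rho * H1(ID_child)."""
    return (child_key - rho * h1(child_id)) % Q

def run_demo() -> dict:
    s0 = rand_scalar()                      # root master key S0 (opaque here)
    id_x, id_y = "DN0||DNX", "DN0||DNX||DNY"
    rho_x, rho_y = rand_scalar(), rand_scalar()
    s_x = extract(s0, rho_x, id_x)          # SX = S0 + rhoX*PX
    s_y = extract(s_x, rho_y, id_y)         # SY = S0 + rhoX*PX + rhoY*PY
    other_rho = rho_x % (Q - 1) + 1         # a scalar guaranteed != rho_x
    return {
        # X holds SX and rhoX, so X can compute the root master key.
        "x_gets_root_key": parent_key_from_child(s_x, rho_x, id_x) == s0,
        # Y holds SY and rhoY, so Y can compute its sub-PKG's key SX.
        "y_gets_parent_key": parent_key_from_child(s_y, rho_y, id_y) == s_x,
        # Subtracting with any scalar other than rhoX yields a value
        # different from S0, so the leak depends on the child knowing rho.
        "wrong_rho_gets_root_key":
            parent_key_from_child(s_x, other_rho, id_x) == s0,
    }

if __name__ == "__main__":
    print(run_demo())
```
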

  11. Identity-based signature
     E2 signs m as follows:
     • Compute Pm = H1(DN0||DN1||DN2||m)
     • Compute δ = SE2 + ρ2Pm, where ρ2 is the secret point of E2
     • Output the signature
     Other entities can verify the signature.

  12. Identity based authentication protocol
     Notations
     • nc, ns: the fresh random numbers
     • ID: the session identifier
     • specificationC: the cipher specification of C
     • specificationS: the cipher specification of S
     • FCS: a pre-master secret key used to generate the shared key
     • EPC[FCS]: encrypt FCS with the public key PC of the entity C
     • SigSS[M]: sign M with the private key SS of the entity S

  13. CS: ClientHello (nc, ID, specificationC) ClientHelloDone SC: ServerHello (nS, ID, specificationS) ServerKeyExchange(EPC[FCS]) IdentityVerify (SigSS[M]) ServerHelloDone CS: ClientFinished. Session key KCS=PRF(FCS, nc, nS ,) , where PRF is a pseudo-random function Identity based authentication protocol • Security on the proposed protocol • Masquerade as C • Known the session key
