Authentication and Cryptography on Wireless Communication Systems (cited from IEEE Trans. Computers, Oct. 2004)
• Presenter: Dr. Shiuh-Jeng Wang
• Keynote speech at Florida State University (FSU), Oct. 1 and 7, 2004
• Keynote speech at University of Florida (UF), Nov. 01, 2004
• Associate Professor, Information Management, CPU (Central Police University), Taiwan
• Director, Chinese Cryptology Information Security Association (CCISA)
• Editor-in-Chief, Communications of the CCISA
• Director, ICCL (Information Cryptology and Construction Lab.) at CPU
Outline
• Wireless communications
• Public-key systems
• Knapsack systems
• Authentication requests
• Applications for the three protocol proposals
• Benefits
• Conclusions
Wireless Communications I: Constraints
• hardware complexity
• time complexity
• power consumption
Wireless Communications II
• Mobile communications relayed through base stations
• Mobile communications without base stations (ad-hoc)
Wireless with base station
[Figure: a Mobile Unit and a Base Station linked by a Forward Link, a Reverse Link, and Control or Setup Channels.]
Wireless Communications without base stations (ad-hoc sensor networks)
Public-key system II, III, IV
[Figures: three diagrams of public-key operation between two parties A and B. A holds public key Kua and secret key Kra; B holds public key Kub and secret key Krb.]
Public-key usage
• Encryption: RSA, ElGamal
• Digital signature: RSA, ElGamal, DSA
• Key exchange without a trusted server: DH (Diffie-Hellman) key exchange
Application of Public-key system (ID-based cryptosystem)
• (Shamir '84) In order to sign a message M, the smart card computes a pair (t, s) as follows, where r is a random number, f is a one-way function, each user holds a secret key derived from its identity, and d is the system secret key. The pair (t, s) is the signature of M and is sent to the intended recipient of M. A legitimate receiver can easily verify the signature using only the public identity of the signer.
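The signing and verification steps sketched above, as an added worked example (not code from the presentation or from Wang's paper). It implements the identity-based signature exactly as Shamir published it in the Crypto'84 paper listed in the References: the authority holds an RSA pair (e, d) for a modulus n, the user with identity number i receives the secret g = i^d mod n, signing outputs t = r^e mod n and s = g · r^f(t,M) mod n for a fresh random r, and verification checks s^e = i · t^f(t,M) mod n. The toy modulus n = 61·53, the exponents e = 17 and d = 2753, the identity encoding and the SHA-256-based f are assumptions for illustration only. The check succeeds only because of RSA's multiplicative homomorphism, the property the conclusions cite for CSAP and HAP.

```python
"""Shamir (1984) identity-based signature with toy parameters.

Added example, not code from the presentation. Parameters are assumed for
illustration: n = 61*53 is far too small for real use."""
import hashlib
import secrets
from math import gcd

# Trusted-authority setup (assumed toy values): n = p*q, public e, system secret d.
N = 61 * 53                        # 3233
E = 17
D = 2753                           # e*d = 1 mod phi(n), phi(n) = 60*52 = 3120


def identity_number(user_id: str) -> int:
    """Public identity string -> integer i in Z_n. The encoding is an assumption."""
    return int.from_bytes(user_id.encode(), "big") % N


def issue_secret_key(user_id: str) -> int:
    """Authority derives the user's secret g = i^d mod n from the identity alone."""
    return pow(identity_number(user_id), D, N)


def f(t: int, message: bytes) -> int:
    """One-way function f(t, M): SHA-256 of (t, M), truncated to a 16-bit exponent."""
    digest = hashlib.sha256((str(t) + ":").encode() + message).digest()
    return int.from_bytes(digest[:2], "big")


def sign(g: int, message: bytes):
    """Signer (the smart card) picks a fresh random r coprime to n and outputs
    t = r^e mod n,  s = g * r^f(t,M) mod n."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    t = pow(r, E, N)
    s = (g * pow(r, f(t, message), N)) % N
    return t, s


def verify(user_id: str, message: bytes, signature) -> bool:
    """Anyone checks s^e == i * t^f(t,M) mod n from the public identity alone.
    It holds because (g * r^f)^e = g^e * (r^e)^f = i * t^f mod n, i.e. RSA's
    multiplicative homomorphism; no certificate lookup is needed."""
    t, s = signature
    i = identity_number(user_id)
    return pow(s, E, N) == (i * pow(t, f(t, message), N)) % N


def demo():
    """Sign a call-setup request as MU2 and check it under MU2 and under MU4.
    Returns (accepted_as_MU2, accepted_as_MU4); the second must be False."""
    request = b"call-setup request"            # constructed sample message
    signature = sign(issue_secret_key("MU2"), request)
    return verify("MU2", request, signature), verify("MU4", request, signature)
```

Verification under the wrong identity fails deterministically, because the two identity numbers differ modulo n and t^f is a unit; that is the authenticity requirement the later theorems rely on. Unforgeability rests on the system secret d staying with the authority, since g = i^d is an RSA signature on the identity.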
Knapsack system I
• Based on a computationally difficult problem, the knapsack (subset-sum) problem.
• More formally: given a vector A = (a1, ..., an) of positive integers and another integer C, find a subset of the elements of A that sums to C; that is, find a binary vector M = (m1, ..., mn) such that C = A·M.
Example. Let n = 5, C = 14, A = (1, 10, 5, 22, 3). Then M = (1, 1, 0, 0, 1) is a solution (1 + 10 + 3 = 14).
For n = 5 the 0/1 solution is easy to find by inspection, but once the vector length grows to about 100 or more no efficient method is known for general instances: exhaustive search must examine up to 2^100 candidate vectors in the worst case.
Knapsack system II
• The knapsack problem is NP-complete. The best known algorithms for arbitrary instances of size n require O(2^(n/2)) time and O(2^(n/4)) space.
• There is, however, a special class of knapsack problems, the simple knapsacks, that can be solved in linear time; this easy class is what provides the trapdoor in a knapsack cryptosystem.
Knapsack system III: Simple Knapsack
• In a simple knapsack the elements ai, i = 1, ..., n, are super-increasing: ai > a1 + a2 + ... + a(i-1) for i = 2, ..., n.
Example: n = 5, A = (3, 5, 9, 20, 52), i.e. 5 > 3; 9 > (3 + 5); 20 > (3 + 5 + 9); 52 > (3 + 5 + 9 + 20).
Knapsack system IV (solution)
Procedure simple(C, A):
  for i := n down to 1
    if C >= ai then
      mi := 1
      C := C - ai
    else
      mi := 0
  if C = 0 then
    return M
  else
    return "No solution exists"
Example. Let n = 5, C = 60, A = (3, 5, 9, 20, 52). Then M = (1, 1, 0, 0, 1) is the solution: 60 >= 52, so m5 = 1 and 60 - 52 = 8; 8 < 20, so m4 = 0; 8 < 9, so m3 = 0; 8 >= 5, so m2 = 1 and 8 - 5 = 3; 3 >= 3, so m1 = 1 and 3 - 3 = 0.
Knapsack IV cryptosystem basic operations (continued)
• Public key: the vector A = w·A' mod p, where A' is a super-increasing vector, p is a prime larger than the sum of the entries of A', and w is a multiplier with gcd(w, p) = 1.
• Private key: the numbers w' and A' held by each authorized receiver, where w' is the inverse of w mod p, i.e. w·w' mod p = 1.
• Encryption: the sender forms the ordinary knapsack sum C = A·M over the public vector.
• Trapdoor: the authorized receiver computes C' = w'·C mod p. Since A = w·A' mod p and w·w' mod p = 1, C' = A'·M exactly (no wrap-around, because p exceeds the sum of A'); equivalently, A' = w'·A mod p. Because A' is super-increasing, M is then recovered by the linear-time procedure simple(C', A').
• Caveat: this is the basic Merkle-Hellman construction. Shamir's polynomial-time attack (1984) and Lagarias' Diophantine-approximation analysis, both listed in the References, break it by recovering an equivalent trapdoor from the public vector alone, which is why the knapsack-like cipher that follows uses a different construction.
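The simple-knapsack procedure and the trapdoor operations of the last three slides, as an added worked example in Python (not code from the presentation). It uses the slide's super-increasing vector A' = (3, 5, 9, 20, 52); the prime p = 101 and multiplier w = 31 are assumptions chosen here, and the brute-force subset-sum search is included only to contrast the 2^n general case with the linear-time simple case.

```python
"""Trapdoor knapsack (basic Merkle-Hellman construction) in Python.

Added example, not code from the presentation. A' = (3, 5, 9, 20, 52) is the
slide's super-increasing vector; p = 101 and w = 31 are assumed here."""
from itertools import product
from math import gcd


def is_superincreasing(a):
    """Each element must exceed the sum of all earlier elements."""
    running = 0
    for x in a:
        if x <= running:
            return False
        running += x
    return True


def simple_knapsack(c, a):
    """The slide's procedure simple(C, A): scan from the largest element down,
    take a_i whenever C >= a_i. Correct only for super-increasing A.
    Returns the 0/1 vector M with C = A.M, or None if no solution exists."""
    m = [0] * len(a)
    for i in range(len(a) - 1, -1, -1):
        if c >= a[i]:
            m[i] = 1
            c -= a[i]
    return m if c == 0 else None


def subset_sum_bruteforce(c, a):
    """Exhaustive search over all 2^n vectors: fine for n = 5, hopeless near n = 100."""
    for m in product((0, 1), repeat=len(a)):
        if sum(mi * ai for mi, ai in zip(m, a)) == c:
            return list(m)
    return None


def keygen(a_private, w, p):
    """Public vector A = w*A' mod p. Requires A' super-increasing, gcd(w, p) = 1 and
    p > sum(A') so that w'*C mod p equals A'.M exactly (no wrap-around)."""
    if not is_superincreasing(a_private):
        raise ValueError("A' must be super-increasing")
    if p <= sum(a_private) or gcd(w, p) != 1:
        raise ValueError("need p > sum(A') and gcd(w, p) = 1")
    w_inv = pow(w, -1, p)                        # w' with w*w' = 1 mod p
    public = [(w * x) % p for x in a_private]
    return public, (a_private, w_inv, p)


def encrypt(public, bits):
    """Ciphertext is the ordinary knapsack sum C = A.M over the public vector."""
    return sum(b * a for b, a in zip(bits, public))


def decrypt(private, c):
    """Trapdoor: C' = w'*C mod p = A'.M, then solve the simple knapsack."""
    a_private, w_inv, p = private
    return simple_knapsack((w_inv * c) % p, a_private)


def demo():
    """Round-trip the slide's M = (1, 1, 0, 0, 1); returns (A, C, recovered M)."""
    public, private = keygen([3, 5, 9, 20, 52], w=31, p=101)
    c = encrypt(public, [1, 1, 0, 0, 1])
    return public, c, decrypt(private, c)
```

With these parameters the public vector is (93, 54, 77, 14, 97), which is no longer super-increasing, so an eavesdropper faces a general-looking instance while the receiver multiplies by w' = 88 and gets back the easy sum 60. The checks in keygen are the two conditions a practitioner must not skip: without p > sum(A') the modular reduction can wrap and decryption silently returns the wrong bits.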
Knapsack system V
Knapsack-like cipher: the trapdoor used in our knapsack-like system is built as follows.
• Definition 1 A vector A = (a1, a2, ..., ai, ..., an) is said to be volume-increasing on i, 1 <= i <= n, if and only if ai exceeds the sum of all the other elements: ai > a1 + ... + a(i-1) + a(i+1) + ... + an.
• Problem 1 Find a vector A = (a1, a2, ..., an) and a set of n constants {α1, α2, ..., αn} such that, for each i, 1 <= i <= n, the vector αi·A mod p is volume-increasing on i, where p is a large prime and p exceeds the sum of the entries of each αi·A mod p (so that sums of these entries never wrap modulo p).
• Note that the operator · in the expression αi·A denotes scalar multiplication (every entry of A is multiplied by αi and reduced mod p). Examining Problem 1, there are 2n unknowns (the ai's and αi's for 1 <= i <= n) and n + 1 conditions. Solutions exist when the ai's and αi's are relatively prime to p, with p chosen as a large prime.
Knapsack system VI: Example (continued)
• Assume there are 6 mobiles in the mobile system. The public key vector is A = (a1, a2, a3, a4, a5, a6) = (1341, 5239, 13954, 2490, 15341, 4662) and p = 54401.
• Private keys: (αi, yi), i = 1, ..., 6, where yi = αi·ai mod p:
(α1, y1) = (37341, 25361), (α2, y2) = (5965, 24461), (α3, y3) = (52699, 23529), (α4, y4) = (6979, 23791), (α5, y5) = (11973, 20017), (α6, y6) = (2316, 25794).
• Assume the participating mobiles in a conference call are {MU2, MU4, MU6}, that is, R = (0, 1, 0, 1, 0, 1).
• The constant C = A·R = 5239 + 2490 + 4662 = 12391 is formed and broadcast.
• Each MUi, i = 1, ..., 6, then derives its own bit of R by computing αi·C mod 54401 and comparing it with yi (the modulus is 54401 throughout):
α1·C mod 54401 = 11826 < y1 = 25361, so r1 = 0;
α2·C mod 54401 = 35757 > y2 = 24461, so r2 = 1;
α3·C mod 54401 = 18106 < y3 = 23529, so r3 = 0;
α4·C mod 54401 = 33600 > y4 = 23791, so r4 = 1;
α5·C mod 54401 = 5916 < y5 = 20017, so r5 = 0;
α6·C mod 54401 = 28229 > y6 = 25794, so r6 = 1.
• Why it works: αi·C mod p = Σj rj·(αi·aj mod p), with no wrap-around because p exceeds that sum. The ith term is yi and, by the volume-increasing property, all the other terms together are smaller than yi, so the result reaches yi exactly when ri = 1 (the test is therefore value >= yi, with equality when MUi is the only participant).
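The conference-call example above, as an added worked example in Python (not code from the presentation). It embeds the slide's p, public vector and six private pairs, checks that every αi·A mod p is volume-increasing on i with total below p, then forms C = A·R and lets each mobile derive its own bit. The name ALPHA for the private constants and the use of >= in the comparison are this example's choices; the slide's strict > differs only when a mobile is the sole participant.

```python
"""Knapsack-like broadcast cipher for an anonymous conference call.

Added example, not code from the presentation. The numbers are the slide's;
the name ALPHA for the private constants and the >= test are choices made here."""

P = 54401                                             # large prime p (slide)
A = [1341, 5239, 13954, 2490, 15341, 4662]            # public key vector a_1..a_6
ALPHA = [37341, 5965, 52699, 6979, 11973, 2316]       # private constants alpha_i
Y = [25361, 24461, 23529, 23791, 20017, 25794]        # y_i = alpha_i * a_i mod p


def transformed_vector(i):
    """alpha_i * A mod p, entry by entry (the scalar multiplication of Problem 1)."""
    return [(ALPHA[i] * a) % P for a in A]


def is_volume_increasing(v, i):
    """Definition 1: v[i] exceeds the sum of every other entry. The extra
    sum(v) < p condition guarantees that a modular sum of entries never wraps."""
    return v[i] > sum(v) - v[i] and sum(v) < P


def check_key_material():
    """True if every MU_i's (alpha_i, y_i) is consistent and satisfies Definition 1."""
    for i in range(len(A)):
        v = transformed_vector(i)
        if v[i] != Y[i] or not is_volume_increasing(v, i):
            return False
    return True


def broadcast_constant(r):
    """Base station forms C = A.R with additions only; R itself is never sent."""
    return sum(ri * ai for ri, ai in zip(r, A))


def derive_bit(i, c):
    """MU_i computes alpha_i * C mod p. Without wrap-around this equals
    sum_j r_j * (alpha_i * a_j mod p); the i-th term is y_i and all the others
    together stay below y_i, so the value reaches y_i exactly when r_i = 1.
    Equality occurs when MU_i is the sole participant, hence >= rather than >."""
    v = (ALPHA[i] * c) % P
    return v, 1 if v >= Y[i] else 0


def recover_all(c):
    """Each mobile's own bit, gathered here only to show that all of R is recoverable."""
    return [derive_bit(i, c)[1] for i in range(len(A))]


def demo():
    """The slide's call with MU2, MU4, MU6: returns (C, recovered R)."""
    c = broadcast_constant([0, 1, 0, 1, 0, 1])
    return c, recover_all(c)
```

Each mobile learns only its own bit, because the terms belonging to the other participants are masked by its own αi and the broadcaster never reveals R; that is the anonymity claim, and it stands or falls with the difficulty of Problem 1 for the chosen parameters. check_key_material is the test a practitioner should run on any generated key set before deployment: if the total for some i reaches p, the modular sum wraps and that mobile decodes garbage.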
Authentication requests I
A mobile (MS) and a base station (BS) authenticate each other during the Call-setup authentication protocol (CSAP) and the Hand-off authentication protocol (HAP).
• Theorem 1 In CSAP, if a base station BSi is legal, then a mobile can correctly authenticate BSi.
• Theorem 1' In CSAP, if a claimed base station BSi is illegal, then BSi is rejected by the mobile in the course of the authentication procedure, based on the security of the public-key cryptosystem.
Authentication requests II
• Theorem 2 In CSAP, if a mobile MUi is legal, then the base station BSi (or the MSC) can correctly authenticate MUi.
• Theorem 2' In CSAP, if MU' is an illegal mobile, then MU' is rejected by BSi (or the MSC) in the course of the authentication procedure, based on the security primitive of the public-key cryptosystem.
Authentication requests III
• Theorem 3 A new base station is accepted as legal in HAP if the verification process succeeds.
• Theorem 3' Forgery is computationally infeasible for any illegal base station in the hand-off procedure, based on the security primitives.
Authentication requests IV
• Corollary 1 The multiplicative-homomorphism procedure used in HAP for a mobile unit to verify a base station satisfies the requirements of the authentication scheme.
Outline: a signature-based scheme satisfies the following two basic requirements.
I. Authenticity: the receiver must be able to verify the identity of the sender from its signature.
II. Unforgeability: it is computationally infeasible for anyone, including the receiver, to forge the sender's signature.
Applications of the three protocols
• Call-setup between a mobile and its serving base station
• Hand-off for a roaming mobile (moving to another cell with a new serving base station)
• Conference call among multiple mobiles in the system
Benefits and discussions
• Each mobile and base station can authenticate the other during call-setup and hand-off requests.
• The security of our authentication scheme relies on the difficulty of forging signatures. Forging requires first acquiring the system's secret key, which is assumed intractable, as for the well-known RSA.
• It provides anonymous teleconferencing for a multi-mobile environment, using the knapsack-like cipher mechanism.
• In the construction of the knapsack-like system, as given by the definitions of our cipher, each item in the transformed vector is independent of the others except for the ith item, which has the volume-increasing property. Our scenario might therefore be free of the past attacks on the basic knapsack cryptosystem.
Benefits and discussions (continued)
• Consider the security of anonymity for this conference call. The security relies on the construction of an NP-complete knapsack problem. (NP-completeness is a worst-case statement: the structured trapdoor instances of the basic Merkle-Hellman system were broken by Shamir and by Lagarias, see References, which is why the volume-increasing construction departs from it.)
• Besides, the broadcast used in the anonymous conference call requires only additive operations on the broadcaster's side, so fewer operations are performed than in the broadcast schemes of previous literature.
Conclusions
• The privacy homomorphism aspect of RSA, together with the identity-based cryptosystem concept, is used to achieve mutual authentication in CSAP (Call set-up authentication protocol) and HAP (Hand-off authentication protocol).
• Anonymity in a conference-call set-up is achieved with the knapsack-like cipher mechanism among the communicating mobiles.
• We have shown that our scheme is suitable for digital cellular mobile radio systems in terms of hardware complexity, time complexity and power consumption.
Conclusions (continued)
• Once base stations are equipped with high-speed processors, a subscriber and a base station can authenticate each other within a reasonable time.
References
• S.J. Wang, "Anonymous Wireless Authentication on a Portable Cellular Mobile System," IEEE Trans. Computers, vol. 53, no. 10, Oct. 2004.
• T. Haug, "Overview of GSM: Philosophy and Results," Int. Journal of Wireless Information Networks, vol. 1, pp. 7-16, 1994.
• T1P1.3/93-044RI, Draft Technical Report on Privacy and Authentication Objectives for Wireless Access to Personal Communications, pp. 9-11, May 1993.
• M. Tatebayashi, N. Matsuzaki and D.B. Newman, "Key Distribution Protocol for Digital Mobile Communication Systems," Advances in Cryptology: Proc. of Crypto'89, Springer-Verlag, pp. 324-333, 1990.
• T. Hwang, "Scheme for Secure Digital Communication Based on Symmetric Key Cryptography," Information Processing Letters, vol. 48, pp. 35-37, 1993.
• G. Coomaraswamy and S.P.R. Kumar, "A Novel Method for Key Exchange and Authentication with Cellular Network Applications," Proc. IEEE ICUPC'93, pp. 186-190, 1993.
• M.J. Beller, L.F. Chang and Y. Yacobi, "Privacy and Authentication on a Portable Communications System," IEEE J. Select. Areas Commun., vol. 11, no. 6, pp. 821-829, Aug. 1993.
• A. Aziz and W. Diffie, "Privacy and Authentication for Wireless Local Area Networks," IEEE Personal Communications, First Quarter, pp. 25-31, 1994.
• H.Y. Lin and L. Harn, "Authentication in Wireless Communications," Proc. IEEE Globecom'93, pp. 550-554, 1993.
• R. Molva, D. Samfat and G. Tsudik, "Authentication of Mobile Users," IEEE Network, pp. 26-34, Mar./Apr. 1994.
• M.S. Hwang and W.P. Yang, "Conference Key Distribution Protocols for Digital Mobile Communication Systems," IEEE J. Select. Areas Commun., vol. 13, no. 2, pp. 416-420, 1995.
• S. Hirose and K. Ikeda, "A Conference Key Distribution System for the Star Configuration Based on the Discrete Logarithm Problem," Information Processing Letters, vol. 62, no. 4, pp. 189-192, 1997.
• M.S. Hwang, "Dynamic Participation in a Secure Conference Scheme for Mobile Communications," IEEE Trans. Vehicular Technology, vol. 48, no. 5, pp. 1469-1474, Sept. 1999.
• C. Park, K. Itoh and K. Kurosawa, "Efficient Anonymous Channel and All/Nothing Election Scheme," Advances in Cryptology: Proc. of Eurocrypt'93, LNCS 765, Springer-Verlag, pp. 248-259, 1993.
• K. Sako and J. Kilian, "Receipt-Free Mix-Type Voting Scheme," Advances in Cryptology: Proc. of Eurocrypt'95, LNCS 921, Springer-Verlag, pp. 393-403, 1995.
• R. Cramer, R. Gennaro and B. Schoenmakers, "A Secure and Optimally Efficient Multi-Authority Election Scheme," Advances in Cryptology: Proc. of Eurocrypt'97, LNCS 1233, Springer-Verlag, pp. 103-118, 1997.
• A. Shamir, "Identity-Based Cryptosystems and Signature Schemes," Advances in Cryptology: Proc. of Crypto'84, Springer-Verlag, pp. 47-53, 1985.
• E. Okamoto and K. Tanaka, "Key Distribution System Based on Identification Information," IEEE J. Select. Areas Commun., vol. 7, no. 4, pp. 481-485, 1989.
• S. Tsujii and T. Itoh, "An ID-Based Cryptosystem Based on the Discrete Logarithm Problem," IEEE J. Select. Areas Commun., vol. 7, no. 4, pp. 467-473, 1989.
• C.G. Gunther, "An Identity-Based Key-Exchange Protocol," Advances in Cryptology: Proc. of Eurocrypt'89, Springer-Verlag, pp. 29-37, 1989.
• D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing," Advances in Cryptology: Proc. of Crypto 2001, LNCS 2139, Springer-Verlag, pp. 213-229, 2001.
• L. Chen, K. Harrison, A. Moss, D. Soldera and N.P. Smart, "Certification of Public Keys within an Identity Based System," Proc. 5th International Information Security Conference (ISC 2002), LNCS 2433, Springer-Verlag, pp. 322-333, 2002.
• W. Diffie and M.E. Hellman, "New Directions in Cryptography," IEEE Trans. Information Theory, vol. 22, no. 6, pp. 644-654, 1976.
• R.L. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public-Key Cryptosystems," Comm. ACM, vol. 21, no. 2, pp. 120-126, 1978.
• A.S. Tanenbaum, Computer Networks, 2nd ed., Prentice Hall, Englewood Cliffs, NJ, 1988.
• R.L. Rivest, L. Adleman and M.L. Dertouzos, "On Data Banks and Privacy Homomorphisms," in Foundations of Secure Computation, R.A. DeMillo et al., eds., Academic Press, New York, pp. 169-179, 1978.
• E.F. Brickell, P.J. Lee and Y. Yacobi, "Secure Audio Teleconference," Advances in Cryptology: Proc. of Crypto'87, Springer-Verlag, pp. 117-125, 1988.
• D.E. Denning, Cryptography and Data Security, Addison-Wesley, Reading, MA, 1983.
• R.C. Merkle and M.E. Hellman, "Hiding Information and Signatures in Trapdoor Knapsacks," IEEE Trans. Information Theory, vol. 24, no. 5, pp. 525-530, Sept. 1978.
• L.S. Bobrow and M.A. Arbib, Discrete Mathematics: Applied Algebra for Computer and Information Science, Saunders, Philadelphia, 1974.
• C.P. Pfleeger, Security in Computing, Prentice Hall, Englewood Cliffs, NJ, 1989.
• A. Lysyanskaya, R.L. Rivest, A. Sahai and S. Wolf, "Pseudonym Systems," Selected Areas in Cryptography '99 (SAC'99), LNCS 1758, pp. 184-199, 1999.
• A. Shamir, "A Polynomial-Time Algorithm for Breaking the Basic Merkle-Hellman Cryptosystem," IEEE Trans. Information Theory, vol. 30, no. 5, pp. 699-704, Sept. 1984.
• B. Schneier, Applied Cryptography, 2nd ed., John Wiley & Sons, New York, 1996.
• J.C. Lagarias, "Knapsack Public Key Cryptosystems and Diophantine Approximation," Advances in Cryptology: Proc. of Crypto'83, Plenum Press, pp. 3-23, 1984.
• A. Shamir, "How to Share a Secret," Comm. ACM, vol. 22, no. 11, pp. 612-613, 1979.
• T. Weigold, "Java-Based Wireless Identity Module," London Communications Symposium 2002 (LCS 2002), London, UK, 2002.
• D.E. Knuth, The Art of Computer Programming, vol. 2, 2nd ed., Addison-Wesley, Reading, MA, 1981.