A Secure Offline Key Generation With Protection Against Key Compromise

Supakorn KUNGPISDAN (1) and Suwadej METHEEKUL (2)

(1) Faculty of Information Science and Information Technology, Mahanakorn University of Technology, Bangkok 10530, Thailand
(2) Faculty of Engineering, Mahanakorn University of Technology, Bangkok 10530, Thailand

ABSTRACT

Data transfer can be performed securely with encryption. However, parties who use symmetric encryption must have a secret key shared beforehand. To increase security, such an encryption key has to be changed periodically. However, exchanging new session keys has to be performed over a network, which is susceptible to traffic analysis attacks. Several offline key generation techniques have been proposed, but they fail to solve this problem because they are not purely offline. In this paper, we propose a key generation technique that operates purely offline. It allows communicating hosts to generate shared session keys without having to exchange the keys over the network. We also show that this technique is secure against various key compromise attacks without requiring any communication among the engaging parties.

Keywords: key generation, electronic commerce, mobile payment, micropayment, security protocol

1. INTRODUCTION

Nowadays, the Internet has become more popular, and people increasingly perform many kinds of transactions over it. Some transactions involve the transfer of sensitive information. However, over the Internet, an attacker may listen to the information transferred between other people. To ensure the privacy of sensitive information transfers, some network applications encrypt data before transmission. Symmetric encryption is one of the most popular methods for securing Internet transactions because it is lightweight and easy to implement. However, symmetric encryption requires a shared key (known as a session key) to be securely distributed among the engaging parties beforehand. Moreover, to increase transaction security, a new session key needs to be redistributed periodically, because the longer a key is in use, the higher the chance that it is compromised by a traffic analysis attack. Such key exchange is done over the network, which is itself susceptible to traffic analysis: someone may intercept the ciphertext and try to analyze the session key. To solve the problem stated above, a number of offline key generation techniques have been proposed [1, 2, 3, 8, 9]. However, such techniques are not completely offline; that is, they still require some parameters to be transmitted over the network in order to generate a new encryption key. Moreover, several techniques are prone to session key compromise [2, 3, 8, 9].

Kungpisdan et al. [1] proposed an offline session key generation scheme for Internet transactions. This technique allows engaging parties to generate the same set of session keys with only a small number of parameters transmitted over the communication channel, compared with other existing schemes [8, 9] that require message exchanges more often. Based on the concept of having a set of preference keys, a new set of session keys can be regenerated from them offline if a session key is compromised. However, in [1], if the preference keys themselves are compromised, all necessary parameters have to be transmitted over the network again. Dandash et al. [2] proposed a dynamic group key generation technique based on [1]. This technique offers enhanced security against session key compromise by increasing the number of input parameters used to produce each session key. However, in [2], a new session key is generated purely from previously used session keys. If an attacker can collect a number of previously used session keys, he/she will be able to generate the session key for the next session. Moreover, this technique was claimed to be secure against key compromise, but it did not specify what to do if some of the keys are compromised. Furthermore, the authors claimed that session key generation is performed without exchanging any information between communicating hosts, but the process of updating to a new set of session keys requires a number of parameters to be exchanged. In this paper, we introduce a session key generation technique that solves the problems of the existing techniques [1, 2, 8, 9]. The proposed technique can operate purely offline and is also secure against key compromise. Inspired by the technique proposed by Kungpisdan et al. [1], the longer the technique is used, the more secure the Internet transactions become. We also show that our technique can be applied to any kind of transaction.
This paper is organized as follows. Section 2 presents existing session key generation techniques and their weaknesses. In section 3, we introduce our session key management technique. Section 4 shows an application of our technique to an Internet application. In section 5, we analyze the security of the proposed technique. Section 6 summarizes the paper.

2. EXISTING SESSION KEY GENERATION TECHNIQUES

2.1 Kungpisdan et al.'s Approach

Kungpisdan et al. [1] proposed an offline session key generation scheme that overcomes the problem, found in [9], of using long-term keys to generate every session key. This technique allows engaging parties to generate a set of session keys after exchanging a couple of parameters only the first time they communicate. The technique operates as follows:

1) Alice and Bob exchange K_AB, DK, and r. K_AB is a long-term key shared between Alice and Bob. DK is called the distributed key. r is a random number.

2) Both of them generate a set of preference keys K_i, where i = 1, …, m, as follows:

K_1 = h(DK, K_AB), K_2 = h(DK, K_1), …, K_m = h(DK, K_{m-1})

Then K_AB can be removed from the system.

3) Alice and Bob then generate the Session Initialization (SI) key (SIK) as follows:

SIK = h(K_Mid1, K_Mid2)

where K_Mid1 = mid(K_1, K_w), w = r mod m, and K_Mid2 = mid(K_1, K_Mid1). K_Mid1 and K_Mid2 are then removed from the system.

4) They can generate a set of session keys SK_j, where j = 1, …, n, as follows:

SK_1 = h(SIK, DK), SK_2 = h(SIK, K_1), …, SK_n = h(SIK, SK_{n-1})

SK_j can then be used to encrypt messages sent between the hosts until a new set of session keys is required. We can see that both of them can generate the session keys on their local hosts.

In [1], session key update is done as follows:

1) Assume that Alice and Bob have used SK_j up to SK_p, where 1 ≤ p ≤ n. They select two preference keys K'_Mid1 and K'_Mid2, where K'_Mid1 = mid(K_1, K_q), q = p mod rm, rm is the remaining number of preference keys K_i, and K'_Mid2 = mid(K_1, K'_Mid1). Then they generate a new SI key SIK' = h(K'_Mid1, K'_Mid2). Note that mid(X, Y) stands for the middle value between X and Y.

2) A new set of session keys SK'_j, j = 1, …, n, can be generated as follows:

SK'_1 = h(SIK', DK), SK'_2 = h(SIK', SK'_1), …, SK'_n = h(SIK', SK'_{n-1})

3) The above process is performed when a new set of session keys is required because the current session keys have been used for a long time or because SK_j is compromised. If K_i is compromised, the system needs to start over by re-exchanging K_AB, DK, and r.

We can see that the above technique needs to exchange some information when generating a new set of K_i. Moreover, DK appears several times during the key generation. This increases the chance of tracing back to K_i if SK_j is compromised. Furthermore, if K_i is compromised, the entire system is compromised, and all necessary parameters need to be re-exchanged.
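The scheme of [1] as reviewed in section 2.1, written out as an added example; this is not code from the paper or from [1]. It assumes SHA-256 for h(.), reads mid(X, Y) as the key at the middle index between X and Y, treats w = 0 or q = 0 as m or rm so that an index always exists, and follows the text's SK_2 = h(SIK, K_1) as written. Both hosts run the same deterministic steps from the shared {K_AB, DK, r}, so the check is that Alice and Bob stay in sync through an update while their preference key set shrinks by two each time:

```python
import hashlib


def h(*parts: bytes) -> bytes:
    # h(.) of the paper, instantiated with SHA-256 over the concatenated inputs
    # (assumption: the text does not name a concrete hash function)
    return hashlib.sha256(b"".join(parts)).digest()


def mid_index(a: int, b: int) -> int:
    # mid(X, Y) is read as the key at the middle position between the 1-based
    # indices of X and Y (assumption; the paper says "middle value between X and Y")
    return (a + b) // 2


def preference_keys(k_ab: bytes, dk: bytes, m: int) -> list:
    # Step 2: K_1 = h(DK, K_AB), K_i = h(DK, K_{i-1}); K_AB is discarded afterwards
    keys, prev = [], k_ab
    for _ in range(m):
        prev = h(dk, prev)
        keys.append(prev)
    return keys


def initial_session_keys(pref: list, dk: bytes, r: int, n: int) -> tuple:
    # Steps 3-4: K_Mid1 = mid(K_1, K_w) with w = r mod m, K_Mid2 = mid(K_1, K_Mid1),
    # SIK = h(K_Mid1, K_Mid2), then SK_1 = h(SIK, DK), SK_2 = h(SIK, K_1) and
    # SK_j = h(SIK, SK_{j-1}). Returns the session keys and the preference keys
    # that remain after K_Mid1 and K_Mid2 have been removed from the system.
    m = len(pref)
    w = r % m or m                      # assumption: w = 0 is treated as w = m
    i1 = mid_index(1, w)
    i2 = mid_index(1, i1)
    sik = h(pref[i1 - 1], pref[i2 - 1])
    sks = [h(sik, dk)]
    if n > 1:
        sks.append(h(sik, pref[0]))
    while len(sks) < n:
        sks.append(h(sik, sks[-1]))
    remaining = [k for i, k in enumerate(pref, 1) if i not in (i1, i2)]
    return sks, remaining


def updated_session_keys(pref: list, dk: bytes, p: int, n: int) -> tuple:
    # Session key update of [1]: after SK_1..SK_p have been used, q = p mod rm over
    # the rm remaining preference keys, K'_Mid1 = mid(K_1, K_q),
    # K'_Mid2 = mid(K_1, K'_Mid1), SIK' = h(K'_Mid1, K'_Mid2),
    # SK'_1 = h(SIK', DK), SK'_j = h(SIK', SK'_{j-1}); the two middle keys are
    # removed, so the remaining set shrinks by two on every update.
    rm = len(pref)
    q = p % rm or rm                    # assumption: q = 0 is treated as q = rm
    i1 = mid_index(1, q)
    i2 = mid_index(1, i1)
    sik = h(pref[i1 - 1], pref[i2 - 1])
    sks = [h(sik, dk)]
    while len(sks) < n:
        sks.append(h(sik, sks[-1]))
    remaining = [k for i, k in enumerate(pref, 1) if i not in (i1, i2)]
    return sks, remaining


def run_both_sides(m: int = 8, r: int = 13, n: int = 6, p: int = 4) -> dict:
    # Both hosts start from the same {K_AB, DK, r} (constructed sample values) and
    # run the same deterministic steps, so only those values ever cross the
    # network; the checks confirm the two sides stay in sync through an update.
    k_ab = b"constructed long-term key K_AB"
    dk = b"constructed distributed key DK"
    sides = []
    for _host in ("Alice", "Bob"):
        pref = preference_keys(k_ab, dk, m)
        sks, pref = initial_session_keys(pref, dk, r, n)
        new_sks, pref = updated_session_keys(pref, dk, p, n)
        sides.append((sks, new_sks, pref))
    (a_sks, a_new, a_pref), (b_sks, b_new, b_pref) = sides
    return {
        "same_initial_keys": a_sks == b_sks,
        "same_updated_keys": a_new == b_new,
        "update_changed_keys": a_new != a_sks,
        "remaining_preference_keys": len(a_pref),
    }
```

Note that DK is an input to every SK_1 and SK'_1, which is the point the text makes about DK appearing several times, and that once the remaining preference keys run out the only recovery is the re-exchange of K_AB, DK and r.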

2.2 Dandash et al.'s Approach

Dandash et al. [2] proposed an offline session key generation scheme based on [1]. Because of limited space, we only show the improvements and extensions in comparison with [1]. The authors added more parameters as inputs to the key generation. That is, a set of preference keys K_i, where i = 1, …, m (called secondary keys in [2]), is generated as follows:

K_1 = h(Keymaster, TPass, ShS), …, K_m = h(K_{m-3}, K_{m-2}, K_{m-1})

where {Keymaster, TPass, ShS} are long-term shared secrets that were exchanged between the engaging parties offline at the beginning of the transaction. Then the SI key (called VT in [2]) is generated from three preference keys in the set K_i. A set of session keys SK_j, where j = 1, …, m, can then be generated as follows:

SK_1 = h(VT, TPass, ShS), SK_2 = h(TPass, ShS, SK_1), SK_3 = h(ShS, SK_1, SK_2), SK_4 = h(SK_1, SK_2, SK_3), …, SK_m = h(SK_{m-3}, SK_{m-2}, SK_{m-1})

Obviously, generating a new preference key or a new session key is based on the previously used keys. This is susceptible to a session key compromise attack: if an attacker collects a number of ciphertexts and successfully derives the current session key, the attacker will also be able to derive the previously used session keys, and thus can easily generate the next session key. Generating a new set of session keys through the session key update is also based on the previously used keys. Again, TPass and ShS appear several times while generating a new key. This increases the chance of deriving these parameters from intercepted messages. Furthermore, the authors did not specify what to do if, in the worst case, a secondary key is compromised.

Dandash et al. also proposed an Internet banking protocol based on this key management technique that requires less computation than other payment protocols [3, 4, 5, 6, 7]. However, those protocols are electronic payment protocols with many engaging parties, e.g. client, merchant, payment gateway, and issuer, whereas their protocol involves only two players: client and bank. Thus, it is not appropriate to compare them, as they serve different purposes.

3. THE PROPOSED SCHEME

In this section, we introduce an offline session key generation technique that operates purely offline even when regenerating a set of session keys as a result of session key compromise. In section 3.1, our session key generation is presented. Section 3.2 describes the proposed session key update technique.

3.1 Session Key Generation

3.1.1 Initial Assumptions

1) Alice and Bob share {K_AB, DK, m}, where K_AB is a long-term key, DK is called a distributed key, and m is a random number. m specifies the number of keys that will be generated, and it varies randomly among different pairs of parties.

2) conc(M1, M2, M3) represents the concatenation of the messages M1, M2, and M3, in that order.

3.1.2 Key Generation Process

The proposed key generation process is shown in Figure 1.

[Figure 1: Session Key Generation]

1) After sharing {K_AB, DK, m}, Alice and Bob generate a set of preference keys K_i, where i = 1, …, m, as follows:

K_i = h(K_{i-1}, DK), where K_0 = K_AB.

The set of K_i is used as the source from which session keys are regenerated when needed or when a session key is compromised. After the set of K_i has been generated, K_AB and DK can be removed from the system.

2) The next step is to generate sets of intermediate keys. The purpose of intermediate key generation is to make cryptanalysis harder; in other words, it makes it more difficult to trace back to the preference keys if a session key is compromised. The proposed framework is general in that it does not fix the number of rounds the engaging parties perform: the more rounds are performed, the more secure the system is, but each additional round takes more time to complete. The intermediate keys of round x are generated as follows:

IK^x_j = h(conc(IK^{x-1}_Mid), IK^x_{j-1}), with IK^x_0 = φ

where x is the round number and j = 1, …, m is the index of the intermediate key being generated. IK^{x-1}_Mid stands for the set {IK^{x-1}_Mid1, IK^{x-1}_Mid2, IK^{x-1}_Mid3}, whose members are chosen as follows:

- IK^x_Mid1 = mid(IK^x_1, IK^x_rm), where rm is the number of intermediate keys remaining in the set IK^x_j.
- IK^x_Mid2 = mid(IK^x_Mid1, IK^x_rm).
- IK^x_Mid3 = mid(IK^x_1, IK^x_Mid2).
- For the first round, the middle keys are taken from the preference keys: IK^0_Mid1 = K_Mid1, IK^0_Mid2 = K_Mid2, and IK^0_Mid3 = K_Mid3. K_Mid1, K_Mid2, and K_Mid3 are selected from the K_i in the same way as IK^x_Mid1, IK^x_Mid2, and IK^x_Mid3, respectively.

Note that the intermediate keys already used in any round can then be removed from the system. Thus, the remaining keys of each round can be written as follows:

{K_1, K_2, …, K_rm}, {IK^1_1, IK^1_2, …, IK^1_rm}, {IK^2_1, IK^2_2, …, IK^2_rm}, …, {IK^n_1, IK^n_2, …, IK^n_rm}

3) The output of the last round of intermediate key generation is taken as the session keys SK_j, where j = 1, …, m:

IK^n_1 = SK_1, IK^n_2 = SK_2, …, IK^n_m = SK_m.

Alice and Bob can then use SK_j as a credential to secure transactions, e.g. as an encryption key or as an input to a MAC (Message Authentication Code). We can see that the session keys were generated purely offline. Compared to [1], the generation of intermediate keys as well as session keys is based on dynamically chosen inputs, not on one fixed parameter as in [1], where every single session key in the set SK_j is generated from SIK.

3.2 Session Key Update

For security purposes, after Alice and Bob have used the session keys for a certain period, they may generate a new set of session keys. This is because the messages encrypted with the current session keys may be intercepted and analyzed. If a number of session keys have been exposed, in the worst case they may possibly be traced back to the intermediate and preference keys.

3.2.1 Session Key and Intermediate Key Update

Sometimes the current set of session keys (or intermediate keys) needs to be updated, either because Alice or Bob requires an update or because the currently used session key is compromised. Based on the assumption that an attacker may be able to collect a number of previously used session keys and successfully break them, such keys are never reused.

Assume that Alice and Bob have used the session keys up to SK_j (or that SK_j became known to the attacker) and want to change to a new set of session keys. Both of them can generate the new set as follows:

IK'^n_j = h(conc(IK^{n-1}_Mid), IK'^n_{j-1})

Figure 2 depicts the session key (or intermediate key) update process. Note that IK'^n_0 = φ. After each session (or intermediate) key has been generated, all previously used intermediate keys are removed from the system. Avoiding the reuse of keys increases the security of the system.

[Figure 2: Session Key Update]

3.2.2 Preference Key Update

If the current set of preference keys needs to be updated, Alice and Bob proceed as follows. Assume that both of them have used the preference keys up to K_i and want a new set of preference keys; they can generate it as follows:

K'_i = h(conc(K_Mid), K'_{i-1})

Figure 3 illustrates the preference key update process. Again, after the new set of preference keys has been generated, the old preference keys can be removed from the system. Alice and Bob can then use K'_i, where i = 1, …, m, to generate intermediate keys and then session keys, respectively. We can see that, with the proposed technique, all engaging parties can update not only preference keys but also intermediate keys and session keys without any data transfer over the network. This significantly increases the security of the system.

[Figure 3: Preference Key Update]

4. SECURITY ANALYSIS

In this section, we show that the proposed technique is secure against various key compromise issues. We analyze key compromise in three scenarios: session key compromise, intermediate key compromise, and preference key compromise, described in sections 4.1, 4.2, and 4.3, respectively.

4.1 Session Key Compromise

If a session key compromise is detected, both Alice and Bob can generate a new set of session keys SK'_j, where j = 1, …, m. If SK_j is revealed to an attacker, this does not affect the security of the entire system because the attacker is hardly able to generate SK_{j+1} from SK_j. Moreover, compared to [2], generating a new session key with our technique is not purely based on the previously used session keys. This is considered more secure than [2] against session key compromise.

4.2 Intermediate Key Compromise

Normally, compromising intermediate keys is very difficult because they are not transmitted over the network. Deriving an intermediate key requires an attacker to acquire a number of session keys. Each session key is generated by hashing the hash value of a couple of intermediate keys. Moreover, the session keys are not all generated from the same set of intermediate keys. This makes deriving an intermediate key much harder. Based on the intermediate key update in section 3.2.1, if a number of session keys as well as some intermediate keys have become known to an attacker, the engaging parties can securely update to a new set of intermediate keys using a number of intermediate keys from the previous round. For example, if an intermediate key IK^x_5 is compromised, both Alice and Bob can request an intermediate key update by calculating a new set IK'^x_j based on a couple of middle keys that belong to the set of intermediate keys in round x-1.

As discussed in the previous section, the generation of intermediate keys is not purely based on previously used intermediate keys, as it is in [2]. Thus, the proposed technique is considered secure against intermediate key compromise.

4.3 Preference Key Compromise

Exposing a preference key is considered extremely difficult because an attacker needs to perform extremely complex operations to reverse a number of hash values. However, even if the attacker makes a good guess and luckily obtains a preference key K_i, generating K_{i+1} is extremely difficult because the attacker does not know DK. Moreover, obtaining K_i and K_{i+1} by guessing does not help the attacker derive an intermediate key. This is because an intermediate key is not generated from two or three adjacent preference keys, but from a number of preference keys chosen as specified by our technique. Therefore, our scheme is also considered secure against preference key compromise.
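The proposed scheme of sections 3.1 and 3.2 (preference keys, rounds of intermediate keys derived through the three middle keys, session keys as the last round, and the offline update of any layer) as an added example; this is not the paper's code. It assumes SHA-256 for h(.), reads mid(X, Y) as the key at the middle index between X and Y, and takes the three middle keys consumed when deriving a round to be the "previously used" keys that the text says to remove from the source round, which is what makes a later update of the same layer pick different inputs. It also refuses to derive from a round with fewer than three keys left, so the layer below has to be updated first, which is the cascade described in section 4.2:

```python
import hashlib


def h(*parts: bytes) -> bytes:
    # h(.) of the paper, instantiated with SHA-256 over the concatenated inputs
    # (assumption: the text does not name a concrete hash function)
    return hashlib.sha256(b"".join(parts)).digest()


def conc(*parts: bytes) -> bytes:
    # conc(M1, M2, M3): concatenation of the messages, in order (section 3.1.1)
    return b"".join(parts)


def mid_index(a: int, b: int) -> int:
    # mid(X, Y) is read as the key at the middle position between the 1-based
    # indices of X and Y (assumption; the paper says "middle value between X and Y")
    return (a + b) // 2


def middle_indices(rm: int) -> tuple:
    # Mid1 = mid(key_1, key_rm), Mid2 = mid(Mid1, key_rm), Mid3 = mid(key_1, Mid2)
    # over the rm keys that remain in a round (section 3.1.2, step 2)
    i1 = mid_index(1, rm)
    i2 = mid_index(i1, rm)
    i3 = mid_index(1, i2)
    return (i1, i2, i3)


def preference_keys(k_ab: bytes, dk: bytes, m: int) -> list:
    # Step 1: K_i = h(K_{i-1}, DK) with K_0 = K_AB; K_AB and DK are discarded afterwards
    keys, prev = [], k_ab
    for _ in range(m):
        prev = h(prev, dk)
        keys.append(prev)
    return keys


class KeyHierarchy:
    """One party's key material: layer 0 holds the preference keys K_i, layers
    1..n-1 the intermediate keys IK^x_j, and layer n the session keys SK_j."""

    def __init__(self, k_ab: bytes, dk: bytes, m: int, rounds: int):
        self.m = m
        self.layers = [preference_keys(k_ab, dk, m)]
        for _ in range(rounds):
            self.layers.append(self._derive_from(len(self.layers) - 1))

    def _derive_from(self, x: int) -> list:
        # IK^{x+1}_j = h(conc(IK^x_Mid), IK^{x+1}_{j-1}) with IK^{x+1}_0 = empty.
        # The middle keys are removed from layer x once used (assumption: these are
        # the "previously used" keys the paper removes), so a later update of
        # layer x+1 is fed by different middle keys.
        source = self.layers[x]
        if len(source) < 3:
            raise RuntimeError(f"layer {x} has too few keys left; update it first")
        mids = middle_indices(len(source))
        mid_block = conc(*(source[i - 1] for i in mids))
        new, prev = [], b""
        for _ in range(self.m):
            prev = h(mid_block, prev)
            new.append(prev)
        self.layers[x] = [k for i, k in enumerate(source, 1) if i not in set(mids)]
        return new

    @property
    def session_keys(self) -> list:
        return self.layers[-1]

    def update_layer(self, x: int) -> list:
        # Section 3.2.1: regenerate layer x (intermediate or session keys)
        # offline from the keys remaining in layer x-1
        self.layers[x] = self._derive_from(x - 1)
        return self.layers[x]

    def update_preference_keys(self) -> list:
        # Section 3.2.2: K'_i = h(conc(K_Mid), K'_{i-1}) from the current K_i
        self.layers[0] = self._derive_from(0)
        return self.layers[0]


def demo(m: int = 8, rounds: int = 3) -> dict:
    # Constructed sample values standing in for the shared {K_AB, DK, m}
    k_ab = b"constructed long-term key K_AB"
    dk = b"constructed distributed key DK"
    alice = KeyHierarchy(k_ab, dk, m, rounds)
    bob = KeyHierarchy(k_ab, dk, m, rounds)
    first = list(alice.session_keys)
    # Session key compromise (4.1): both sides rebuild layer n, nothing is sent
    alice.update_layer(rounds)
    bob.update_layer(rounds)
    second = list(alice.session_keys)
    # Intermediate key compromise (4.2): rebuild round n-1 from round n-2, then layer n
    for layer in (rounds - 1, rounds):
        alice.update_layer(layer)
        bob.update_layer(layer)
    return {
        "in_sync": alice.layers == bob.layers,
        "session_keys_distinct": len(set(first)) == m,
        "update_changed_session_keys": first != second != alice.session_keys,
    }
```

Each call to `update_layer` costs three keys of the layer below, so with m = 8 a round can feed its successor only twice before it has to be regenerated itself; that bound is where the paper's trade-off between the number of rounds and regeneration time shows up in practice.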

5. CONCLUSION

In this paper, a new offline key generation technique that is provably secure against key compromise attacks in various aspects was introduced. Our work focused on solving the problems and limitations of existing techniques [1, 2]. The results showed that the proposed key generation and update techniques provide higher security than the existing approaches. Engaging parties can deploy this technique to generate session keys offline. We believe that the proposed technique can be applied to any Internet application that requires symmetric encryption, with only a little additional processing overhead. As future work, we aim to measure the performance of the proposed technique by applying it to secure various kinds of Internet transactions, e.g. mobile payments and electronic auction protocols, in order to show that our protocol can be used to secure any kind of network application.

6. REFERENCES

[1] S. Kungpisdan, P.D. Le, and B. Srinivasan, "A Limited-Used Key Generation Scheme for Internet Transactions", Lecture Notes in Computer Science, Vol. 3325, 2005.
[2] O. Dandash et al., "Fraudulent Internet Banking Payments Prevention using Dynamic Key", Journal of Networks, Vol. 3(1), Academy Publisher, pp. 25-34, 2008.
[3] S. Kungpisdan, B. Srinivasan, and P.D. Le, "Lightweight Mobile Credit-card Payment Protocol", Lecture Notes in Computer Science, Vol. 2904, pp. 295-308, 2003.
[4] S. Kungpisdan, B. Srinivasan, and P.D. Le, "A Secure Account-based Mobile Payment Protocol", Proceedings of the International Conference on Information Technology: Coding and Computing 2004, Vol. 1, pp. 35-39, 2004.
[5] S. Kungpisdan, B. Srinivasan, and P.D. Le, "An Integrated Framework for Payment Transactions in Wireless Environments", Proceedings of the 2nd International Conference on Information and Communication Technologies 2004, pp. 158-168, 2004.
[6] Mastercard and Visa, "SET Protocol Specifications Book 1-3", 1997.
[7] M. Bellare et al., "Design, Implementation, and Deployment of the iKP Secure Electronic Payment System", IEEE Journal of Selected Areas in Communications, Vol. 18(4), pp. 611-627, 2000.
[8] Y. Li and X. Zhang, "A Security-enhanced One-time Payment Scheme for Credit Card", Proceedings of the International Workshop on Research Issues on Data Engineering: Web Services for E-Commerce and E-Government Applications, pp. 40-47, 2004.
[9] A. D. Rubin and R.N. Wright, "Off-line Generation of Limited-Use Credit Card Numbers", Lecture Notes in Computer Science, Vol. 2339, pp. 196-209, 2002.