Wireless '96

Design of Secure End-to-End Protocols for Mobile Systems

Vijay Varadharajan and Yi Mu
Department of Computing, University of Western Sydney, Nepean, PO Box 10, Kingswood, NSW 2747, Australia

Abstract

Use of mobile personal computers in an open networked environment is revolutionising the way we use computers. Mobile networked computing is raising some important information security and privacy issues. This paper is concerned with the design of authentication protocols for a mobile networked computing environment. We propose mobile user authentication protocols in intra- and inter-domain situations using symmetric key based cryptosystems. The paper then extends these protocols to an end-to-end situation, thereby allowing two mobile users to have secure conversations. The protocols provide varying degrees of anonymity of the communicating users to other system users.

1 Introduction

Information and communication technology is on the threshold of a new style of computing [1]. First, the telecommunications industry is witnessing the development of Personal Communication Systems that are "person-specific", with person-to-person logical connections. Such systems rely more and more on wireless communications, both in the fields of voice and data communications between mobile personal computers and computer systems. Second, the computer industry is in the phase of practical implementation of the distributed systems concept. In particular, the notion of open systems is a major driving force. Whereas today's first generation notebook computers and personal digital assistants are self-contained, networked mobile computers are part of a greater computing infrastructure. This raises several issues with regard to information security and privacy, system dependability and availability [2].

The paper is organised as follows. We begin in Section 2 by outlining security threats in a mobile networked environment. In Section 3 we propose mobile user authentication protocols in intra- and inter-domain situations. Section 4 extends these protocols to an end-to-end situation, thereby allowing two mobile users to authenticate each other and to establish a secret key for secure conversations. Finally, Section 5 gives our conclusions.

2 Mobile Networked Environment

2.1 Security Threats

A networked environment is in general susceptible to a number of security threats. These include the following:




Masquerading: the pretence of one entity to be another entity. By masquerading, an entity can get hold of privileges which it is not authorized to have in the first place. Within a computer system, a user or process might masquerade as another to gain access to a file or memory to which it is not authorized, while over a network, a masquerading user or host may deceive the receiver about its real identity.

Unauthorized Use of Resources: This includes unauthorized access to resources both on the network and within a computer system. For instance, within a computer system this threat corresponds to users or processes accessing files, memory or the processor without authorization. Over a network, the threat may be in the form of accessing a network resource. This may be a simple network component such as a printer or a terminal, or a more complex one such as a database, or some applications within the database. Thus unauthorized use of resources may lead to theft of computing and communications resources, or to the unauthorized destruction, modification or disclosure of information related to the business.

Unauthorized Disclosure and Flow of Information: This threat involves unauthorized disclosure and illegal flow of information stored, processed or transferred in a networked system, both internal and external to the user organizations. Within a system, such an attack may occur in the form of unauthorized reading of stored information, while over the network, the means of attack might be wiretapping or traffic analysis.

Unauthorized Alteration of Resources and Information: Unauthorized alteration of information may occur both within a system (by writing into memory) and over the network (through active wiretapping). The latter attack may be used in combination with other attacks such as replay, whereby a message or part of a message is repeated intentionally to produce an unauthorized effect. This threat may also involve the unauthorized introduction (removal) of resources into (from) a distributed system.

Repudiation of Actions: This is a threat against accountability in organizations. For instance, a repudiation attack can occur whereby the sender (or the receiver) of a message denies having sent (or received) the information. For instance, a customer engages in a transaction with a bank to withdraw a certain amount from his account, but later denies having sent the message. A similar attack can occur at the receiving end; for instance, a firm denying the receipt of a particular bid offer for a tender even though it actually did receive that offer.

Unauthorized Denial of Service: Here, the attacker acts to deny resources or services to entities which are authorized to use them. For instance, within a computer system an entity may lock a file, thereby denying access to other authorized entities. In the case of the network, the attack may involve blocking access to the network by continuous deletion or generation of messages so that the target is either depleted or saturated with meaningless messages.

2.2 Security and Mobility

The mobile environment aggravates some of the above security concerns and threats.



Because connecting to a wireless link is easy, the security of wireless communication can be compromised much more easily than that of wired communication.

The situation gets further complicated if the users are allowed to cross security domains. For example, a hospital may allow patients with mobile computers to use nearby printers but prohibit access to distant printers and resources designated for hospital personnel only.

Being reachable at any location and at any time creates greater concern about privacy issues among potential users. For instance, there may be a need for developing profiles which specify who, when and from where is authorized to get a service. One way is to provide mechanisms that restrict the list of users who are allowed to use a mobile appliance to send a message. From the management point of view, we need to address where these profiles are stored and how they are distributed.

Mobile users will use resources at various locations. These resources may be provided by different service providers. We need to understand the trust issues involved when allowing mobile clients to use resources of different servers at different locations.

Integrity and confidentiality of information stored on the mobile appliance is another important concern.

Needless to say, user anonymity is important in a mobile environment [3]. Different degrees of anonymity can be provided, such as hiding user identity from eavesdroppers and hiding user identity from certain administrative authorities. We will discuss these issues in our protocol design.

3 Mobile User Authentication

3.1 Notation

The following notations are used in the description of the protocols.

A, B: End-users.
As: Subliminal identity of end-user A.
H: Home Domain Server.
V: Visiting Domain Server.
KAB: Shared secret symmetric key between A and B.
Ks: Secret session key.
[content]key: content encrypted with a symmetric key key.
h(...): A strong one-way hash function.
nA: Nonce generated by user A.
A → B: message: A sends message to B.

3.2 Environment

A simple mobile computing environment is shown in Figure 1. Mobile Computing Stations (MS) access the mobile network via a mobile network system. For instance, the network system may consist of Base Stations, a Location Register, and a Mobile Switching Component. The Location Register contains information related to the location and the subscription of the users in its domain. We will assume that an Authentication Server is present in every domain. This is logically a distinct entity; in practice, it may be co-located with the Location Register. The Authentication Servers store confidential information such as keys and are assumed to be physically protected. The mobile stations can move from one place to another, either within their own domain (referred to as the "home" domain) or outside the home domain to a "visiting" domain. We will collectively refer to the authorities in the home domain as H and the authorities in the visiting domain as V.

Figure 1: Mobile Computing Environment. (Components shown: Mobile Station (MS), Base Station, Location Register, Message Switch Board, Authentication Server, Mobile Network System (MNS).)

3.3 Assumptions

We assume that when accessing the network in the home domain, the mobile user is authenticated with a traditional server-based authentication mechanism such as Kerberos. Users of every network domain are registered with that domain's authentication server. The authentication server of a domain can be replicated or partitioned within the domain, but the set of all partitioned and duplicated authentication servers represents a single domain-level authority. For the sake of simplicity, in the rest of this paper we assume that mobile station A belongs to the Home Domain (H) and mobile station B belongs to the Visiting Domain (V). In our systems, to enable mutual authentication and user anonymity, we assume that mobile users share a long-term secret key with their home domain, i.e., A and H share KAH and similarly B and V share KBV. The privacy of communication between domains is ensured by H and V sharing secret symmetric keys (e.g. KHV). If A travels to the visiting domain V, a shared session key between A and V must be established. In this paper, the user and the mobile computing station are regarded as a single unit.

3.4 Design Criteria

Anonymity: It is desirable to keep both end users' identities secret. For this reason users' identities must be protected from disclosure to eavesdroppers on the mobile network. We will refer to this as the first degree anonymity. Furthermore, there is no need for a foreign authority (e.g. the visiting domain authority V) to know the real identity of the user. What it needs is only a proof of the solvency of the entity accessing the service and enough information to bill the user's home authority. We will refer to this as the second degree anonymity.

Security against outside attackers: The protocols should not be vulnerable to outsiders' eavesdropping attacks. Domain specific secret information such as a user's secret key should not be propagated from the home domain to the remote (visiting) domain.

Minimal number of messages: It is important to minimize the number of exchanges in the protocol between the home domain and the remote domain in the setup phase, given that the distance between the home and the remote domain may be large.

3.5 Authentication Protocols

In this section, we consider user authentication protocols based on symmetric key cryptography. Symmetric key cryptography is particularly suitable for situations where computing power and computation time are limited. These are the main reasons behind the choice of symmetric key based systems in GSM (Group Special Mobile of the European Telecommunications Standards Institute, ETSI) [4, 5] and DECT (Digital European Cordless Telephone), and in the interim standard IS-54 of the Telecommunications Industries Association (TIA) for U.S. Digital Cellular.

3.5.1 Subliminal Identity

An important concern in the mobile environment is the anonymity of users. One requirement is that the identity of a communicating user is known only to the user himself, to the communicating partner, and to the home mobile network service H. Other entities such as the visiting domain V as well as all other users should not have access to the communicating users' identities. To address this issue, we introduce the notion of a subliminal identity, written as IDs. Each user is issued a subliminal identity by the home domain. The subliminal ID is composed of a number (e.g. a sequence number) along with a timestamp. This allows H to perform an efficient search of its database when required to locate a specific subliminal ID. Only H knows the mapping between this subliminal ID and the real user ID. The use of subliminal IDs helps to conceal the real user IDs from outsiders. It is initialized first at the time of registration; subsequently it is updated at the end of each session. We will see below how the subliminal identity is used in the protocols.

Basic Setup

Mobile Station User A: Belongs to domain H. Has subliminal identity As issued by H and a secret symmetric key KAH shared between A and H.
Mobile Station User B: Belongs to domain V. Has subliminal identity Bs issued by H and a secret symmetric key KBV shared between B and V.
Home Server H: Has the mapping between the subliminal identity As and the real identity A. Has the secret symmetric key KAH as well as the interdomain shared secret key KVH.
Home Server V: Has the mapping between the subliminal identity Bs and the real identity B. Has the secret symmetric key KBH as well as the interdomain shared secret key KVH.

3.5.2 Intra-Domain Protocol

We now consider the authentication protocol between a user and his/her home domain.

1: A → H: As, H, nA, [h(As, H, nA)]KAH
2: H → A: H, As, [Ks]KAH, [As']KAH, [h(H, As, As', Ks, nA)]KAH

This is a two-step handshake process. In Step 1, mobile station A sends a message to its home server H requesting the establishment of a secret session key. In Step 2, H returns a response including a session key Ks and a new subliminal identity As', both encrypted under the shared key KAH. First note that the use of the subliminal identity helps to conceal the real identity of the initiator from other system users. In our protocol, we have carefully separated the information which needs to be signed (for integrity and authentication) from that which needs to be encrypted (for confidentiality). Even though we employ only symmetric key systems, we have used the word "sign" to highlight this aspect. It is particularly important to adhere to this principle in the design of protocols; mixing these two aspects leads to a lack of clarity in protocol design, which is often an important source of protocol flaws. Furthermore, this separation is useful when it comes to obtaining export licenses, where it is necessary to justify to the authorities the functionality of the various cryptographic interfaces and their use. Hence intra-domain user authentication is achieved by the use of the shared key KAH, and a session key is established between A and H to protect subsequent communications.

3.5.3 Inter-Domain Protocol

User A travels to a foreign domain V. When A requests a service in V, V needs to verify the identity of A before providing the service. Following the authentication process, a secret key to protect communications between V and A can be established. Regarding anonymity, as we mentioned earlier, the real identity of A may need to be hidden from both eavesdroppers and V. There should also be a mechanism for H to issue a new subliminal identity to A. This may be optional.

Figure 2: Inter-domain Authentication Protocol.

The protocol is as follows:

1: A → V: As, H, nA, TokenAHV, [h(As, H, nA)]KAV, where KAV = f(KAH, As, V) and TokenAHV = [A, H, V, nA]KAH
2: V → H: V, H, nV, As, TokenAHV, [h(V, H, nV, As, TokenAHV)]KVH
3: H → V: H, V, nV, [As']KAH, [h(H, V, KAV, As, nV)]KVH, [KAV, As]KVH, [h(H, As', nA)]KAH
4: V → A: V, As, [Ks]KAV, [h(V, As, Ks)]KAV, [As']KAH, [h(H, As', nA)]KAH

In Step 1, A begins by sending V a token TokenAHV, a nonce nA and the signed hash value. V is not able to understand TokenAHV as it is encrypted under KAH and V does not have KAH. The token contains the information for authentication of A by H. V passes the token to H in Step 2. V cannot check the signed hash value at this stage as it does not have KAV. KAV is generated with a strong one-way hash function f. Only A and H can construct KAV. After receiving the token in Step 2, H authenticates A. In Step 3, H sends a new subliminal identity As' encrypted under KAH and the signed hash value [h(H, As', nA)]KAH. This portion of the message will be passed to A by V in Step 4. H also provides V with the key KAV and A's subliminal identity. The encrypted signed hash value [h(H, V, KAV, As, nV)]KVH is also sent. In Step 4, upon receipt of H's message, V can verify the hash value received from As in Step 1. It can then issue A a session key Ks encrypted under KAV. The message also includes the information sent by H and a signed hash value for integrity.

4 Secure End-to-End Communications

So far we have been considering authentication of user A by a mobile network service authority such as H (intra-domain) or V (inter-domain). From a user's point of view, in a mobile computing environment, securing the end-to-end path from one mobile user to another is the primary concern. The end-to-end security service minimises interference from the operator-controlled network components. In this section, we present a secure end-to-end authentication and key distribution protocol between two mobile users. In this paper, we only consider the symmetric key approach. A public key based system is described in [6].

Basic Setup:

Mobile Station Users A and B: Belong to H and V respectively. A has subliminal identity As issued by H and a secret symmetric key KAH. B has subliminal identity Bs issued by V and a secret symmetric key KBV.
Home Server H: Has the mapping from the subliminal identity to the real identity for A. Has secret symmetric keys KAH and KVH.
Home Server V: Has the mapping from the subliminal identity to the real identity for B. Has secret symmetric keys KBV and KVH.

User A is the initiator who wishes to have a secure conversation with user B.

4.1 Case (i)

In this subsection, we consider the situation where both A and B reside within their respective home domains and wish to have a secure communication between them.

Figure 3: Secure End-to-End Protocol: Case (i).

The end-to-end inter-domain protocol is as follows:

1: A → H: As, H, nA, [B]KAH, [h(As, H, nA, B)]KAH
2: H → V: H, V, nH, [A, B, nA, KAB]KHV, [h(H, V, nH, nA, A, B, KAB)]KHV
3: V → B: V, Bs, nV, [A, B, nA, KAB]KBV, [h(V, Bs, nV, nA, A, B, KAB)]KBV
4: B → V: Bs, V, nV, [h(Bs, V, nV + 1, nA + 1, A, B, KAB)]KBV
5: V → H: V, H, nH, [h(V, H, nH + 1, nA + 1, A, B, KAB)]KHV
6: H → A: H, As, [KAB, As']KAH, nA, [h(H, A, B, As, As', nA, KAB)]KAH
7: A → B: As, Bs, nonce, [message]KAB, [h(As, Bs, nonce, message)]KAB

The main objective of this protocol is to provide mutual authentication between mobile station users A and B, and to establish a secret shared conversation key KAB between them. In Step 1, A authenticates himself to H using the subliminal identity As and KAH, and requests to communicate with B. B's identity is encrypted with KAH to protect against disclosure to eavesdroppers. The nonce nA is used by A to identify its request for communication with B. Upon verification of the request in Step 2, H generates a secret conversation key KAB, which is encrypted under KHV for distribution to V. In Step 3, V passes to B the secret conversation key KAB, along with A's and B's identities and the nonce nA, encrypted under KBV. Now authentication of A to B is complete. Step 4 starts the authentication process of B to A. B sends V the hash value containing the secret conversation key KAB, the nonces, and A's and B's identities, encrypted under KBV. This information is passed to H in Step 5. Upon verification of the hash value received in Step 5, H knows whether or not B has received the correct conversation key and whether the information is fresh. At the end of Step 6, A obtains from H the conversation key KAB as well as a new subliminal identity As'. Now authentication of B to A is complete. Using the conversation key, A and B can securely communicate with each other (Step 7). Note, however, that this protocol does not provide the second degree anonymity: H knows the real identity of B and V knows the real identity of A. The second degree anonymity can be achieved using the hybrid approach employing both symmetric and public key based cryptosystems. This is considered in [6].

4.2 Case (ii)

Now consider the situation where A (belonging to H) travels to domain V, and then wishes to communicate with B in domain V.

Figure 4: Secure End-to-End Protocol: Case (ii).

The protocol is as follows:

1: A → V: As, H, nA, TokenAHV, [As, B]KAV, [h(As, H, nA)]KAV, where KAV = f(KAH, As, V) and TokenAHV = [A, H, V, nA]KAH
2: V → H: V, H, nV, As, TokenAHV, [h(V, H, nV, As, TokenAHV)]KVH
3: H → V: H, V, [KAV, As]KVH, [As']KAH, nV, [h(H, V, KAV, As, nV)]KVH, [h(H, As', nA)]KAH
4: V → A: V, As, nV, [Ks, B, Bs]KAV, nA, [h(V, As, B, Bs, Ks, nA, nV)]KAV, [A, As, Ks]KBV, [h(V, A, As, B, nV, Ks)]KBV, [As']KAH, [h(H, As', nA)]KAH
5: A → B: As, Bs, V, nA, nV, [A, As, Ks]KBV, [h(V, A, As, B, nV, Ks)]KBV, [h(As, Bs, V, nA, nV)]Ks

In Step 1, A begins by sending V a conversation request [As, B]KAV, a token TokenAHV, a nonce nA and the signed hash value. TokenAHV, encrypted with KAH, needs to be passed to H by V in Step 2, and it contains the necessary information for authentication of A by H. At this stage, V cannot verify the hash value and cannot decrypt the request as it does not have KAV. KAV is generated using a strong one-way hash function f. Only A and H can construct KAV. Steps 2 and 3 are similar to those in the user inter-domain authentication protocol given in Section 3. In Step 4, V distributes the conversation key Ks to A. This key is encrypted under KAV for A and encrypted under KBV for B. A also receives the new subliminal identity, which can be used in future communications. In Step 5, A sends the conversation key Ks to B, and now A and B can have secure communications using Ks.

Note that once again the second degree anonymity is not achieved in this protocol. V knows the real identity of A. However, the real identity of B is not known to H. We can modify the protocol to provide the second degree anonymity with respect to V as follows:

4': V → A: V, As, nV, [Ks, B, Bs]KAV, nA, [h(V, As, B, Bs, Ks, nA, nV)]KAV, [As, Ks]KBV, [As']KAH, [h(V, As, B, nV, Ks)]KBV, [h(H, As', nA)]KAH
5': A → B: As, Bs, V, nA, nV, [As, Ks]KBV, [A, As]Ks, [h(V, As, B, nV, Ks)]KBV, [h(A, As, Bs, V, nA, nV)]Ks

However, in this case only A (and not H or V) is able to guarantee the mapping between A and As to B. Once again the hybrid approach provides a better solution to the second degree anonymity problem [6].

5 Discussion

We have proposed symmetric key based protocols for use in mobile networks. We first considered user authentication in both intra- and inter-domain environments. These protocols enabled authentication as well as the establishment of a shared secret key between mobile users and the domain authorities. Then we extended these protocols to provide secure end-to-end communication between two mobile users residing in different domains. We considered two such communication scenarios. These protocols also provided a certain degree of anonymity of the communicating users to other users as well as system authorities. This was achieved by introducing the notion of subliminal identities. In this paper, we have not addressed the issue of the storage of secret keys within the mobile station. One mechanism is to store the keys in tamper-proof smartcards and to provide an appropriate interface to the mobile station. This scheme can be further strengthened by requiring a key/password to activate the smartcard. This is particularly important if the same mobile station is to be used by multiple users at different times.

References

[1] D. C. Cox, "Portable digital radio communication - an approach to tetherless access," IEEE Communications Magazine, vol. 27, July 1990.
[2] V. Varadharajan, "Security for personal mobile networked computing," in Proceedings of the International Conference on Mobile and Personal Communications Systems, April 1995.
[3] N. Asokan, "Anonymity in a mobile computing environment," in Proceedings of 1994 IEEE Workshop on Mobile Computing Systems and Applications, 1994.
[4] M. Rahnema, "Overview of the GSM system and protocol architecture," IEEE Communications Magazine, pp. 92-100, April 1993.
[5] R. Molva, D. Samfat, and G. Tsudik, "Authentication of mobile users," IEEE Network, pp. 26-34, March/April 1994.
[6] V. Varadharajan and Y. Mu, "Authentication protocols for mobile communication systems: A hybrid approach," (In preparation).
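The inter-domain protocol of Section 3.5.3 (Figure 2) as an added worked example (not the authors' code): A, V and H each build and check their own messages with the separation of the signed hash from the encrypted content that Section 3.5.2 insists on, V defers checking A's step-1 hash until H supplies KAV in step 3, and H issues the sequence-number-plus-timestamp subliminal identity of Section 3.5.1. Since the paper leaves the cipher, h and f unspecified, SHA-256, HMAC-SHA256 and an HMAC-SHA256 keystream are assumed as stand-ins, and all keys, identities and nonces are constructed.

```python
"""Inter-domain protocol of Section 3.5.3 (Figure 2), simulated with all three parties. Added
example, not the paper's code; SHA-256 / HMAC-SHA256 stand in for the unspecified h, f and cipher."""
import hashlib, hmac, os, time
H, V = b"H", b"V"                                  # names of the two domain authorities

def pack(*fields):                                 # length-prefixed field encoding
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)
def unpack(blob):                                  # inverse of pack
    out = []
    while blob:
        n = int.from_bytes(blob[:2], "big"); out.append(blob[2:2 + n]); blob = blob[2 + n:]
    return out
def h(*fields):                                    # h(...): strong one-way hash
    return hashlib.sha256(pack(*fields)).digest()
def sign(key, *fields):                            # [h(...)]key, realised as a MAC
    return hmac.new(key, h(*fields), hashlib.sha256).digest()
def keystream(key, iv, n):                         # PRF-based keystream for the stand-in cipher
    return b"".join(hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]
def enc(key, *fields):                             # [fields]key with a fresh random IV
    iv, data = os.urandom(16), pack(*fields)
    return iv + bytes(x ^ y for x, y in zip(data, keystream(key, iv, len(data))))
def dec(key, blob):
    ct = blob[16:]
    return unpack(bytes(x ^ y for x, y in zip(ct, keystream(key, blob[:16], len(ct)))))
def f(KAH, As, Vid):                               # KAV = f(KAH, As, V): only A and H can compute it
    return hmac.new(KAH, pack(As, Vid), hashlib.sha256).digest()
def check(ok, what):
    if not ok: raise ValueError("protocol failure: " + what)

def a_step1(a):                                    # 1: A -> V
    a["nA"], a["KAV"] = os.urandom(8), f(a["KAH"], a["As"], V)
    token = enc(a["KAH"], a["A"], H, V, a["nA"])   # TokenAHV: opaque to V
    return a["As"], H, a["nA"], token, sign(a["KAV"], a["As"], H, a["nA"])

def v_step2(v, m1):                                # 2: V -> H (V cannot check A's hash yet)
    As, Hid, nA, token, mac1 = m1
    nV = os.urandom(8); v["pending"] = (As, nA, mac1, nV)
    return V, Hid, nV, As, token, sign(v["KVH"], V, Hid, nV, As, token)

def h_step3(hs, m2):                               # 3: H -> V
    Vid, Hid, nV, As, token, mac2 = m2
    check(hmac.compare_digest(mac2, sign(hs["KVH"], Vid, Hid, nV, As, token)), "V's MAC")
    A = hs["sub2real"][As]; KAH = hs["KAH"][A]     # only H can resolve As to A
    tok = dec(KAH, token); check(tok[:3] == [A, H, Vid], "token contents")
    hs["seq"] += 1; As_new = b"%06d-%d" % (hs["seq"], int(time.time()))   # seq + timestamp
    hs["sub2real"][As_new] = A; KAV = f(KAH, As, Vid)
    return (H, Vid, nV, enc(KAH, As_new), sign(hs["KVH"], H, Vid, KAV, As, nV),
            enc(hs["KVH"], KAV, As), sign(KAH, H, As_new, tok[3]))

def v_step4(v, m3):                                # 4: V -> A
    Hid, Vid, nV, enc_as_new, mac3, enc_kav, mac_for_a = m3
    As, nA, mac1, nV0 = v["pending"]
    KAV, As2 = dec(v["KVH"], enc_kav)
    check(nV == nV0 and As2 == As, "nonce or identity mismatch")
    check(hmac.compare_digest(mac3, sign(v["KVH"], Hid, Vid, KAV, As, nV)), "H's MAC")
    check(hmac.compare_digest(mac1, sign(KAV, As, Hid, nA)), "A's step-1 MAC")  # deferred check
    v["Ks"] = os.urandom(32)
    return Vid, As, enc(KAV, v["Ks"]), sign(KAV, Vid, As, v["Ks"]), enc_as_new, mac_for_a

def a_finish(a, m4):                               # A checks V's part, then H's forwarded part
    Vid, As, enc_ks, mac4, enc_as_new, mac_for_a = m4
    Ks, = dec(a["KAV"], enc_ks); check(hmac.compare_digest(mac4, sign(a["KAV"], Vid, As, Ks)), "V's MAC")
    As_new, = dec(a["KAH"], enc_as_new)
    check(hmac.compare_digest(mac_for_a, sign(a["KAH"], H, As_new, a["nA"])), "H's MAC")
    a["Ks"], a["As"] = Ks, As_new

def run(forge_step1_mac=False):                    # constructed keys/identities; True on success
    KAH, KVH = os.urandom(32), os.urandom(32)
    a = {"A": b"alice", "As": b"000042-820454400", "KAH": KAH}
    hs = {"KVH": KVH, "KAH": {b"alice": KAH}, "sub2real": {a["As"]: b"alice"}, "seq": 42}
    v, m1 = {"KVH": KVH}, a_step1(a)
    if forge_step1_mac: m1 = m1[:4] + (bytes(32),)  # H cannot tell; V rejects it in step 4
    a_finish(a, v_step4(v, h_step3(hs, v_step2(v, m1))))
    return a["Ks"] == v["Ks"] and a["As"] != b"000042-820454400" and hs["sub2real"][a["As"]] == b"alice"
```

`run()` returns True when A and V end with the same Ks and A holds a fresh subliminal identity that H can still map back to A; `run(forge_step1_mac=True)` shows that a bad step-1 hash passes through H unnoticed and is only caught by V once it has KAV.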