Aug 31, 2009  in the Home Location Register (HLR) of the provider. The BTS are connected ..... integrate the public parameters into the GSM/UMTS lookup mechanism and carry the information over ..... getting it for free. However, we denote ...
Journal of Supercomputing No. xxxxxx
Secure Mobile Communication via Identitybased Cryptography and Serveraided Computations Matthew Smith · Christian Schridde · Bj¨ orn Agel · Bernd Freisleben
Received: 31.08.2009 / Accepted: 18.03.2010
Abstract In this paper, an identitybased key agreement protocol for securing mobile telephony in GSM and UMTS networks is presented. The approach allows two mobile phones to perform a session key agreement over an unsecured channel and between different providers using telephone numbers as public keys. Using the created session key, a symmetric encryption of all call data can be performed. Solutions to the problems of multidomain key generation, key distribution, multidomain public parameter distribution and interdomain key agreement are presented. Furthermore, the proposed approach can be speeded up using serveraided cryptography, by outsourcing computationally expensive cryptographic operations to a highperformance backend computing server. The feasibility of the approach is illustrated by presenting experimental results based on a Symbian implementation running on N951 and N821 Nokia smartphones. Keywords mobile communication, identitybased cryptography, clusteraided computations
1 Introduction The proliferation of mobile telephones is extensive, with billions of handsets in active use in almost all countries. However, unlike the area of network security, mobile phone call security is severely lacking. In mobile phone networks, eavesdropping on a call is easy, even for nongovernmental forces. Since the encryption schemes in GSM (2G) and UMTS (3G) only encrypt calls between the mobile phone and the base station, an attacker positioned anywhere in the network between the two base stations can usually intercept calls without great difficulty. Furthermore, since GSM base stations are not authenticated, an attacker can pose as a base station and intercept phone calls in the vicinity. Due to backwards compatibility and UMTS coverage issues, most UMTS devices allow network fallback to GSM, opening up UMTS devices to the same maninthemiddle attacks that afflict GSM networks. While it is possible to implement endtoend encryption of mobile phone calls based on a Public Key Infrastructure (PKI), the complexity of setting up and using a PKI is prohibitive. Identitybased cryptography (IBC) promises to offer an approach to endtoend encryption for mobile telephone calls in which the telephone numbers of the call Department of Mathematics and Computer Science, University of Marburg HansMeerweinStr. 3, D35032 Marburg, Germany {matthew, schriddc, agel, freisleb}@informatik.unimarburg.de
2
participants are used as the public keys to secure the communication channel, thus making the cryptographic security procedure as easy as making a telephone call. The use of telephone numbers as public keys has two major benefits. Firstly, since the caller knows the number to be called, the caller also automatically knows the public key and does not need a separate public key lookup or certification infrastructure. Secondly, telephone numbers are easy to understand and users are confident in using them, such that there is no need to educate users to understand the link between a telephone number, a public key and/or its certificate, thus significantly lowering the complexity threshold of phone call encryption. Several solutions have been proposed that allow multiple identity private key generator (IDPKGs) to interoperate [10,17,3], but these systems require either cooperation between the IDPKGs or a hierarchical approach with a trusted party at the top. Both of these approaches are difficult to use in the area of mobile telephony due to organizational difficulties and conflicting business interests. As demonstrated by approaches based on a Certificate Authority (CA), there will always be competing organizations offering the same service for the same protocol (e.g. signing RSA public keys) without wanting to cooperate on the corporate level. Thus, to successfully deploy IBC in mobile telephony, the IBC system must be able to cope with real world network issues, such as allowing competing organizations to operate their IDPKG independently of other IDPKGs, roaming and changing providers while still enabling crossdomain execution of the IBC protocols for their customers. Cryptographic protocols that use public/private keys are typically based on NPhard mathematical problems. To make such a problem infeasible to compute on modern hardware, the involved integers or dimensions must be sufficient large. This leads to computations with very large integers, which are very expensive regarding computational power and sometimes memory consumption. A simple RSA encryption with an uptodate key size can take several seconds of time on a PDA, whereby the CPU utilization reaches its maximum. In this paper, a new multidomain identitybased key agreement system is introduced that focuses on the issues to be solved when implementing IBC for mobile telephony. The proposed approach is realized using standard telephone numbers as public keys with multiple security domains (i.e. mobile telephony providers). It utilizes the mathematics also used in the traditional DiffieHellman [6] key agreement and RivestShamirAdleman (RSA) [25] public key cryptography approaches. Solutions to the problems of multidomain key generation, key distribution, multidomain public parameter distribution and interdomain key agreement are presented. Furthermore, using the idea of serveraided cryptography, it is shown how a highperformance backend computing server can support mobile devices in reducing the computational effort during cryptographic operations. The feasibility of the approach is illustrated by presenting experimental results based on a Symbian implementation running on N951 and N821 Nokia smartphones. The paper is organized as follows. Section 2 presents the problem statement. Section 3 gives an overview of the proposed identitybased key agreement protocol. Section 4 addresses real world problems occurring during the implementation. Experimental results are presented in Section 5. Section 6 discusses the issues involved with serveraided cryptographic computations. Section 7 discusses related work. Section 8 concludes the paper and outlines areas for future research.
3
2 Problem Statement 2.1 The Need for Security In GSM networks, communication between a mobile system (MS) (i.e. a mobile phone) and a base transceiver station (BTS) is encrypted using the A5 [22] cryptographic protocol. Due to design flaws, A5 is vulnerable to cryptoanalysis such that hackers can eavesdrop on the communication. Updates to the A5 protocol have been proposed to hinder further attacks, and the UMTS standard has replaced A5 by a more secure (and open) protocol, making cryptographic attacks less of a concern. But even the meanwhile established protocol A8 could be broken in around 8 hours of work in all in various implementation. A simpler attack is to subvert the communication setup before encryption. To allow a MS to authenticate itself to the network provider, it gets a subscriber authentication key (SAK). The SAK is stored both on the SIM card of the MS and in the Home Location Register (HLR) of the provider. The BTS are connected to a Base Station Controller (BSC) that in turn is connected to a Mobile Switching Center (MSC) and a Visitor Location Register (VLR). These in turn are connected to the HLR and the Authentication Center (AuC) that give access to the SAK of the MS. During the authentication process, a 128bit random number is generated which using the A3 [5] is combined with the SAK to create a 32bit authentication key called SRES. The SRES key is then sent to the BTS. The SRES key is then compared to the SRES* key that is computed by the AuC of the provider also using the A3 algorithm and the HLR SAK. If the two values match, the MS is authenticated and may join the network. The BTS does not authenticate itself to the MS. This opens up the possibility of a ManintheMiddle (MITMA) attack.
Fig. 1 IMSI Catcher Attack
Using an IMSI catcher [18], an attacker can pose as a BTS and intercept calls in the vicinity by broadcasting a strong base station signal. Figure 1 shows the procedure. MS are programmed to connect to the strongest BTS signal, thus if the IMSI catcher has the strongest signal they serve their current BTS connection (1) and will connect to the IMSI catcher (2) no questions asked (3). Since the BTS is also responsible for selecting the security mechanism, the IMSI catcher can then force the MS to turn off or select an insecure encryption algorithm (4) and thus allow the MITMA to operate. The downside to this attack is that the IMSI catcher cannot function as a real BTS since it is not connected to the main phone network and must forward calls using its own MS and SIM (5). However, since the SIM in the IMSI catcher cannot register itself as the target SIM (due to the authentication
4
of the MS), the attacked MS is not registered at any BTS and is not reachable while it is connected to the IMSI catcher. Thus, only outgoing calls can be intercepted, since the network cannot reach the attacked MS. Furthermore, the IMSI catcher is not a targeted attack. It affects all MS in its vicinity all of which are not reachable while they are connected to the IMSI catcher and whose calls would need to be forwarded if the IMSI catcher is not to become noticeable. While this attack should not be taken lightly, there are some real world problems in its execution. A much simpler attack is enabled by cost saving measures in common practice when setting up base stations. Since connecting all BTS to a secured wired network is costly, BTS can also be connected to the main network via a directed microwave link. This microwave signal is sent without encryption and can easily be intercepted, giving an attacker clear text access to all calls going via this link without leaving a physical trace. But even a wired connection is not safe if an attacker is willing to apply a physical tap to the line. These link taps are particularly relevant since they can be used without affecting the rest of the network and thus cannot be easily detected. They also allow a large number of calls to be tapped simultaneously. For instance, a BTS located near a firm, government building or celebrity house can be tapped, thus, making all mobile calls made to and from that location available to the attacker. Since the equipment needed to execute such a tap is becoming more portable and cheaper at a rapid rate, this kind of attack will rapidly gain in relevance. To prevent the above attacks, endtoend protection of phone calls is required. However, the solution must be able to be deployed in a multiorganization environment and be usable by nontech savvy users. As stated in the introduction, conventional PKI based solutions are too complex both for the network providers and for the users. A simple approach is required that can be implemented by network providers independently of each other and that does not introduce added complexity for end users.
2.2 The Need for Speed Security always comes with a cost, since additional operations or verifications are required. Using cryptographic techniques, this extra cost can extend the time to set up a secure channel significantly. In the case of mobile devices, this is particularly critical, since the computational power and the memory capacities of such devices are smaller than those of modern desktop hardware. The most costly operation in this domain is exponentiation. Exponentiation with secure bit sizes requires several hundred or thousands of multiplications, consuming quite some time on small devices. Compared to the size of memory or the available bandwidth, the actual bit size of the involved integers is relatively small, e.g. a 1024 bit exponent does not need much space to store or much time to transfer, but used as an exponent it entails much effort. A portable device is always or most of the time connected to a network. Thus, an interesting idea is to “outsource” expensive computations by submitting the relatively few bits to a computationally powerful backend server B. Cryptographic operations sometimes contain sensitive information such as a private key, but sometimes they include just a multiplication with publicly known integers. In the latter case, outsourcing is without a risk, since no sensitive data can be stolen. The only damaging case that can occur is when the backend server always responds with false results, making all further computations needless. In the case when private information is involved, this information must be blinded such that the remote server cannot extract useful information from it. Obviously, the blinding operation itself should be less in cost than the actual cryptographic operation in question. Figure 2
5
illustrates the task when two participants use a key agreement protocol that enables outsourcing during the involved steps. In step 1, participant 1 (the initiator) builds a packet with the help of the backend server that sends the aided computation back in step 2. During step 3, participant 2 receives the packet and uses the server to handle the received packet (steps 4 and 5) and to create its own packet (steps 6 and 7). In step 8, participant 2 responds. In step 9 and 10, participant 1 uses the backend server to process the received answer. Participant 2
v 6 8f 3f
f 6f 5f 7f

f 9f f 2f 10

4
KeyAgreement
? v Participant 1
1
v v v v v
v v v v v
v v v v v
v v v v v
HighPerformance Backend Server
Fig. 2 A key agreement protocol using a compute cluster for expensive cryptographic computations
3 Algorithms In this section, an approach is presented that fulfills the requirements stated in Section 2. The approach allows two mobile systems to perform a session key agreement over an unsecured channel and between different providers using telephone numbers as public keys. Using the created session key, a symmetric encryption of all call data can be performed. Furthermore, the approach can be speeded up using serveraided cryptography, by outsourcing computationally expensive operations.
3.1 Algorithmic Overview The identitybased key agreement protocol SSF (Secure Session Framework) [26] consists of four main algorithms: Setup, Extract, Build SIK, and Compute.
3.2 Key Agreement The Setup algorithm (Algorithm 1) is executed by the IDPKG. This part of the key agreement protocol is only performed once and creates both the master secrets P and Q as well as the public parameters. Definition 1 (Public, Shared Parameters (PSP)) The public, shared parameters of the key agreement protocol SSF is the quadruple PSP = (N, G, R, H(·)). The Extract algorithm (Algorithm 2) creates the identity key (i.e. the private key) for a given identity. This algorithm is executed by the IDPKG. If all IDs are known and the range is not too big (e.g. a Class B or C subnet of the Internet), it is possible to execute this step for all IDs offline, and the master secrets can then be destroyed, if required.
6
Algorithm 1 Setup Input: k1 ,k2 Output: {PSP, SP} //PRIMES(n) returns a random nbit prime number. rand
1. R ← {2k1 −1 , 2k1 − 1} rand
2. P ← PRIMES(k2 ) 3. if R(P − 1) goto 2 4. if (P − 1)/2 is not prime, goto 2 5. 6. 7. 8.
rand
Q ← PRIMES(k2 ) if R(Q − 1) goto 4 if (Q − 1)/2 is not prime, goto 4 N←P·Q rand
9. G ← Z∗N 10. H(·) ← collisionresistant hash function, which maps into the group generated by G. 11. return {(N, G, R, H), (P, Q)}
Algorithm 2 Extract Input: PSP, SP, ID Output: dID 1. dID ≡ H(ID)1/R (mod N) 2. return dID
Algorithm 3 Build SIK Input: PSP, dID , k Output: SIKID rand
1. r ← {2k−1 , 2k − 1} 2. SIKID ≡ Gr · dID (mod N) 3. return SIKID
The Build SIK algorithm (Algorithm 3) is executed by the devices taking part in the key agreement. The random integer rID is generated with a secure number generator to make rID unpredictable. The private identity key is used in combination with this randomly chosen integer and the generator in such a way that it is not possible to extract the identity key from the SIK. This is due to the fact that the multiplications are performed in the ring ZN and the result set of a division in the ring ZN is so large that the extraction of the identity key is infeasible. The SIK is then sent over an unsecured channel to the other party and vice versa. The SIK must be greater than zero to prevent a trivial replacement attack where an attacker replaces the SIKs with zero which in turn would make the session key zero as well. Any other replacement attacks lead to invalid session keys. The final step of the key agreement process is the computation of the session key using the Compute algorithm (Algorithm 4) that is executed by the devices taking part in the key agreement. By applying the inverse of the hash value of the opposite’s identity, the involved identity key is canceled out. Only if both endpoint addresses match their identity keys, a valid session key is created. The key distribution system proposed by Okamoto [21] extracts its identity information in a similar manner as our scheme, but does not address the case of key agreement between different domains.
7
Algorithm 4 Compute Input for EID1 : ID2 , PSP, SIKID2 , rID1 Input for EID2 : ID1 , PSP, SIKID1 , rID2 Output: common integer S −1 )2rID1 ≡ ((GrID2 · d R −1 )2rID1 ≡ G2RrID1 rID2 ≡ S 1. (SIKR ID2 ) · H(ID2 ) ID2 · H(ID2 ) r 2r R −1 )2rID2 ≡ G2RrID1 rID2 ≡ S −1 ) ID2 ≡ ((G ID1 · d 2. (SIKR ID1 ) · H(ID1 ) ID1 · H(ID1 ) 3. return S
(mod N) (mod N)
3.3 Key Agreement Between Different Domains The IDPKG determines the public, shared parameters, and all entities that receive their identity key for their IDs from this generator can establish a key agreement among each other. In practice, it is very unlikely that all phones will receive their identity key from the same security domain, since this would imply the existence of a third party trusted by all with a secure communication link to all devices. Since telephone network providers are in charge of managing the MS information of their customers autonomously, it is desirable that they also manage the security information autonomously, meaning that they must be allowed to operate their own IDPKG without having to cooperate with other providers. The management infrastructure, such as HLRs and AuC, can then simply be extended by the required additional data. We now show how crossdomain key agreement can be achieved such that only the public parameters must be distributed (which will be discussed in Section 4). Each device only needs a single identity key, and the IDPKGs do not need to agree on common parameters or participate in any form of hierarchy. In the following, we assume without loss of generality, that there are two domains D1 and D2 . Their public parameters are (N1 , G1 , R1 , H1 (·)) and (N2 , G2 , R2 , H2 (·)), respectively. Every parameter can be chosen independently. The case that (R2 , ϕ(N1 )) > 1 or (R1 , ϕ(N2 )) > 1 is not critical, since no Rth roots must be computed regarding the other domain’s modulus. The two moduli N1 and N2 were chosen according to the requirements stated in the Setup algorithm, i.e. the computation of discrete logarithms is infeasible in ZN1 and ZN2 , respectively. Consequently, an algorithm such as the PohligHellman algorithm [23] cannot be applied and Pollard’s P − 1 factoring algorithm [24] will not be a threat. Thus, a random nontrivial integer has a large order in ZN1 N2 with an overwhelming probability, and the computation of discrete logarithms is infeasible in ZN1 N2 . In the following, an entity EID1 from D1 wants to communicate with EID2 from D2 . The algorithm for the crossdomain key extension is shown in Algorithm 5, and algorithm to generate the extended SIK is shown in Algorithm 6.
Algorithm 5 Extension (view of EID1 making a Key Agreement with EID2 ) Input: PSP1 , PSP2 , dID1 , ID2 e ID , H g Output: d 2 (ID2 ) 1 1. PSP1,2 ← (N1 · N2 , G1 · G2 , R1 · R2 , H2 ) e ID : //Use the CRT to compute the integer d 1 e ID ≡ dID 2a. d (mod N ) 1 1 1 e ID ≡ 1 (mod N2 ) 2b. d 1 g //Use the CRT to compute the integer H 2 (ID2 ): R g 1 3a. H2 (ID2 ) ≡ H2 (ID2 ) (mod N2 ) g 3b. H 2 (ID2 ) ≡ 1 (mod N1 ) e ID , H g 4. return {d 2 (ID2 )} 1
8
Algorithm 6 Build extended SIK e ID Input: PSP1,2 , d 1 (1,2) Output: eSIKID1 (1,2)
1. eSIKID1
e ID ≡ (G1 · G2 )rID1 d 1
(mod N1 N2 )
(1,2)
2. return eSIKID1
In step 1 of the crossdomain key agreement algorithm, the common shared public parameters are the elementwise product of both sets of domain parameters. In step 2, entity EID1 extends its identity key using the ChineseRemainder Theorem (CRT). In step 3, entity EID1 extends its hash identifier also using the ChineseRemainder Theorem. The procedure for entity EID2 is analog, only the indices change from 1 to 2. Key agreement is then performed using the extension of the original algorithm shown in Algorithm 7. For more information on the SSF protocol, the reader is referred to [26].
Algorithm 7 Compute (view of EID1 ) (1,2) g Input for EID1 : ID2 , PSP1,2 , eSIKID2 , rID1 , H 2 (ID2 ) (1,2) g , rID , H Input for EID : ID1 , PSP1,2 , eSIK 1 (ID1 ) 2
ID1
2
Output: common integer S 2rID 1 −1 e ID )R1 ·R2 H g 1. ((G1 · G2 )rID2 d ≡ (G1 · G2 )2R1 R2 rID1 rID2 ≡ S 2 (ID2 ) 2 2rID 2 −1 g e ID )R1 ·R2 H 2. ((G1 · G2 )rID1 d ≡ (G1 · G2 )2R1 R2 rID1 rID2 ≡ S 1 (ID1 ) 1 3. return S
(mod N1 · N2 ) (mod N1 · N2 )
4 Implementation Issues In the following, several issues for deploying the proposed system in practice are discussed. It will be shown how the public parameters and the identity keys are distributed in multiprovider scenarios and how telephone number expiry is handled. One of the important issues of any multiorganizational cryptographic system is the distribution of the public parameters and keys. It should be noted that a main requirement is to try to minimize the number of global distribution steps in favor of local distribution steps, since this distributes the workload and reduces the risk of a global compromise. In a scenario with #prov providers, each with #cust customers where #cust ≫ #prov, we have #prov · #cust customers in total. This means that #prov·#cust private/identity keys need to be distributed. In a PKI, in the worst case in which everybody wants to communicate with everybody else, (#prov · #cust − 1) · (#prov · #cust) public keys need to be exchanged and managed. In our system, only the public parameters of the #prov providers need to be exchanged. This reduces the number of transfers from #prov · #cust local and (#prov · #cust − 1) · (#prov · #cust) global transfers to #prov · #cust local transfers and only #prov global transfers, and since #cust ≫ #prov, this is a large saving. Even using traditional key distribution mechanisms, our system offers a significant saving compared to a PKI in key escrow mode. In the following, further optimizations of the distribution process that are possible due to the network centric approach of our solution will be suggested.
9
4.1 Distribution of Shared, Public Parameters Like most other IBC approaches, our system also uses shared public parameters. In a single domain scenario, the distribution of the public parameters is not a problem. However, if each network provider runs its own IDPKG, the number of public parameters and the binding between public parameters and identity keys becomes more complex. As stated above, this distribution problem is still much smaller than the distribution problem for traditional public keys where each entity has its own public key that needs to be distributed. Of course, traditional PKI technology can be used to distribute the public parameters, but a more suitable solution is to integrate the public parameters into the GSM/UMTS lookup mechanism and carry the information over the SS7 [8] protocol. Since there already is lookup functionality to locate the HLR of a MS and the current location of the MS, a flag can be attached to the request message, stating that the public parameters of the MS should be sent piggybacked to the response. The flag is used, since the public parameters only need to be queried for the very first call to a MS of a particular provider. All subsequent calls to the same or other MS of the same provider do not need a further public parameter lookup. In the case of UMTS, this is reasonably secure since the BTS must authenticate itself to the MS and thus an active MITMA is prevented that could otherwise tamper with the public parameters. The passive MITMAs still possible with UMTS are not a danger to the transfer of the public parameters since they are public anyway. In the case of GSM, this form of public parameter distribution holds the risk of an attacker with an IMSI catcher replacing the public parameters with his own on the first call made to a provider by a MS. However, this attack only works on the very first call ever placed to a provider and will be detected as soon as the MS calls someone else at the same provider after the attack due to a public parameter mismatch. To summarize, this form of public parameter distribution is not a problem in UMTS networks and if the slight security risk in GSM networks is unacceptable, a traditional CA based signing approach can be added to prevent tampering with the public parameters.
4.2 Distribution of the Identity Keys The most critical element in all IBEs or PKIs in key escrow mode is the distribution of the identity keys (private keys) and the prevention of identity misbinding. In a mobile phone scenario, identity keys can be placed on the SIM card during manufacturing. Since the deployment process of SIM cards is already set up to include sensitive personal information, adding the identity key to the SIM is not difficult. If there is no requirement for key expiration, this is most likely the best solution, since the identity key is never transmitted over a public network and thus the risk of compromise is minimized. However, if a more flexible online system is required, the novel structure of the presented algorithm allows this as well. If the public parameters of the provider for a MS can be placed on the SIM during manufacturing, the presented system offers a secure way to transmit identity keys securely over an insecure network. When a MS first connects the the network, it requests its identity key from its home provider. Since this message exchange is security critical, the messages must be protected. To this end, the client creates a session key that is encrypted using the public parameter N (N can be used in the same way as an RSA public key) of the provider. The session key can only be decrypted by the provider who then uses the session key to encrypt the identity key of the MS using AES, and sends it to the client. Since even an active MITMA cannot compromise this message exchange, because it is not in possession of the P and Q to decrypt the session key, the transfer of the identity key is secure. This novel online distribution of iden
10
rID  64bit 128bit 256bit 512bit
rID  64bit 128bit 256bit 512bit
512bit modulus R 3 17 513 38 45 47 86 86 82 156 166 161 324 335 318 2048bit modulus R 3 17 513 622 670 670 1192 1186 1208 2320 2421 2334 4577 4559 4582
65537 51 92 167 325
65537 700 1169 2435 4575
rID  64bit 128bit 256bit 512bit
rID  64bit 128bit 256bit 512bit
1024bit modulus R 3 17 513 161 174 172 305 316 316 620 618 629 1219 1237 1240
65537 180 311 625 1244
4096bit modulus R 3 17 513 2354 2485 2566 4586 4594 4734 8813 9280 9153 17641 18514 17497
65537 2680 4842 9100 17749
Fig. 3 Measurements regarding different setups (milliseconds) on a ARM11 CPU with 330MHz.
tity keys allows key expiration (see below) to be implemented without a significant overhead, since no further security infrastructure or outofband communication is required.
4.3 Key Expiration Another practical issue of mobile phone call encryption is the fact that telephone numbers are reused. In a PKI or CA based solution, this creates several problems, since the central PKI must be updated or the CA must be contacted to resign public keys as the MS swap telephone numbers. Certificate Revocation Lists can be used to accomplish this, however the solutions tend to become quite complex. In particular, public key caching mechanisms can lead to problems. In the presented identitybased solution, natural key expiration techniques can be used to cope with telephone number reuse. Boneh et al. [4] showed how keys can be given a lifetime, which allows natural expiration of the identity key. This is done by the internal concatenation of the ID, in our case the telephone number, with a date. The same technique can be used in our solution. Thus, when a customer releases a telephone number and it is reused, the next customer will have a different identity key based on the current date. Since telephone number reuse is timedelayed in any case, this time frame can be used as the key lifetime to ensure that each successive owner lies in a new lifetime slot. With the techniques introduced in this paper, a frequent automatic inband key distribution can be safely executed and thus key renewal is far less of a problem. Additionally, key expiration also reduces the risk of identity key theft, since the attack window is restricted to a small time interval.
5 Experimental Results In this section, experimental results of the presented identitybased cryptographic security solution for mobile phone key agreement are presented. The experiments were run on a Nokia N821 and a Nokia N951 both with an ARM11 CPU with 330 MHz running Symbian 9.2 FP1. The performance of the key agreement was measured. Actually, this means to measure the performance of the Compute algorithm, because it is the only algorithm that has to be executed during call establishment. To gain a robust mean, all experiments were performed 100 times. For the key agreement, the following parameters were examined: the modulus  with N of 512, 1024, 2048 and 4096bit, the random exponent  with rID of 64, 128, 256 and
11
512bit and the chosen public parameter R ∈ {3, 17, 513, 65537}. The numbers chosen for R were selected to give an overview of the performance of the algorithm based on the size of R. R can be chosen arbitrarily by the IDPKG according to the Setup algorithm (Step 2.3). Each of the tables shown in Fig. 3 contains the mean time for the key agreement operations of the 100 trial runs computed using a fixed modulus with rID and R in the rows and columns. It is evident from the tables that the main contribution to the computational time is the modulus and the random exponent. The public random number R selected by the provider does not have a significant effect due to the fact that the computational time of the algorithm depends on the number of 1 ′ s in the binary representation of the number and the used random numbers all contain two binary 1 ′ s. The random number R is not security critical for R > 3. While the time needed for key agreement using a 4096bit modulus and a 512bit random exponent is too long for current devices, key agreement with a 2048bit modulus and 128 or 256bit random exponents has acceptable run times. Once a session key has been established, a symmetric encryption of the call using AES 256 is executed. The encoding block was set to 4096 Byte which contains at least 256 ms (depending on the compression) of audio data. On the N951 and N822 it only takes an average of 24.1 ms to encrypt the block, so the phones can easily cope with the real time encryption of the voice data in this setting.
6 Serveraided Cryptography The aim of serveraided cryptography is to support small devices in expensive operations. This is done by delegating these operations to powerful servers that do the computations on behalf of the owner of the small device. From the measurements in Tables 3 it is evident that the time for computations can last up to ≈ 17 seconds. This is an optimal application to utilize highperformance backend servers, possibly supported by the network provider, which supply computational power and memory for its clients. In our case, the Algorithms 3 and 4 as well as the corresponding Algorithms 6 and 7 would be candidates to be outsourced. These algorithms perform an exponentiation that involves an exponent of nonnegligible size. In the rest of this paper, we focus on Algorithms 3 and 4 only. When using serveraided computations, it has to be investigated whether the utilized server can be trusted or not. If the server cannot be trusted, the computational task may be performed wrongly by the server in order to harm the client. In such cases, the client has to verify the result in some way. If the server can be trusted, the client can assume that the computation is done as demanded and the result does not need to be verified. However, trusted or not, in no case the server is allowed to obtain a secret key that can be involved in the computation. For example, if the task is to compute Gr where r is a secret key, the server is not allowed to access the integer r at any time. In such cases, the secret key has to be hidden or blinded. We assume that the backend server B can be fully trusted and the packets pass the network connection untampered. In our case, this is not unrealistic, since a provider who wants to support its clients with serveraided computations is interested in satisfying its customers. In this case, we can outsource Algorithm 3 as shown in Figure 4. EID adds a random integer ρ to the actual exponent, which hides the exponent from disclosure. In the end, EID subtracts the integer by using a precomputed integer. It is clear that ˆr releases almost no information about the real integer r. The computational amount reduces from one exponentiation with O(log2 r) number of
12 Setting: Both participants possess the PSP = {N, G, R, H}, k is a security parameter. Preprocessing: (This is done only once for each mobile device) 1. EID computes a random integer ρ 2. EID computes s ≡ G−ρ
(mod N)
3. EID stores (ρ, s) B
EID
v r rand ← {2k−1 , 2k − 1} v rˆ = r + ρ v v v v compute SIKID ≡ s · t · dID 1
ˆ r
t 1
compute t ≡
≡ G−ρ Gr+ρ dID1 ≡ Gr dID1
Gˆr
(mod N)
(mod N)
v v v v v v
Fig. 4 Outsourcing of Algorithm 3
multiplications to one addition and two multiplications (apart from the preprocessing step that only has to done once for a device). Despite the additional cost of transferring the necessary bits, this is a large speedup compared to the original runtime. This method has already been proposed by Lim and Lee [15]. The reason why this simple but effective method works is that the base G is fixed, which makes the preprocessing step possible. On the contrary, in Algorithm −1 4, things are different. Here, the base (SIKR ) ≡ GRrID2 is not known in 2 · H(ID2 ) advance. SIK2 as well as H(ID2 ) are both values that depend on the corresponding participant, thus precomputation becomes impossible in this case. Computing the value G−ρ on the fly would lead to the same computational effort as computing Gr directly. We focus on the exponentiation with 2r1 in Algorithm 4 only, since the inner exponentiation SIKR 2 can be neglected due to the fact that the integer R can be chosen very small. An additional problem in Algorithm 4 is that the order of G in ZN and the factorization of N are unknown. A trivial approach would be to split the secret exponent into two parts r = r1 + r2 and submit the exponentiation task to two different backend servers. One backend server computes Gr1 , and the other one computes Gr2 . If the servers do not cooperate, they do not gain information about r and the result can simply be obtained by Gr1 · Gr2 (mod N). However, this cannot be assumed. Our solution makes use of the RepeatedSquaring Algorithm typically used for discrete exponentiation. The algorithm is illustrated in Algorithm 8. It can be seen that in each round of the forloop, at most one multiplication is performed and two if the ith bit position of the exponent is equal to 1. Algorithm 8 Repeated Squaring Algorithm
Pn−1 Input: G, r = i=0 ci 2i , N Output: Gr mod N 1. a ← 1 2. for i = n − 1 to 0 by −1 3. a ← a · a (mod N) 4. if ci = 1 then a ← a · G (mod N) 5. return a
The general idea of our solution is as follows: Assume B knows N and G. In each round, B computes two integers. For the first integer, B assumes that the ith bit position in r is equal to 0, thus B skips Line 4 in Algorithm 8. For the second
13
integer, B assumes that the ith bit position is equal to 1, thus B performs both exponentiations, in Line 3 and Line 4. Afterwards, B submits the two integers to EID . EID chooses the correct one, since he knows the exponent and thus knows if the ith bit is zero or not. After choosing the correct integer, he blinds it by adding a random integer M of sufficient size and sends it back to B, which proceeds in the same way for the next bit position. The blinding operation can be reversed by EID by reducing modulo M. After having explained the general idea, more details are necessary to prove that the algorithm indeed computes the correct result and that B is not able to obtain r with a nonnegligible probability in the size of r. First of all, the complete algorithm is given in Algorithm 9. Algorithm 9 Outsourced Version of Algorithm 4
Pn−1 Input: G, r = i=0 ci 2i , N r Output: G (mod N) 1. compute G1 ≡ G2 (mod N) 2. compute G2 ≡ G1 G (mod N) 3. Mn−1 = N 4. for i = n − 2 to 0 by −1 5.a if ci = 0 then Wi+1 ← (G1 (mod Mi+1 )) (mod N) 5.b else Wi+1 ← (G2 (mod Mi+1 )) (mod N) rand
6. Mi ← {N3 , N3 + ∆} 7. Wi ← Wi+1 + Mi 8. send Wi to B 9. receive (G1 , G2 ) ← (Wi2 , Wi2 G) 10. return Wi (mod Mi )
After skipping the most significant bit (since it must be equal to 1), the algorithm parses the exponent from the most significant bit to the least significant bit. For each bit (in Line 6), a random integer is chosen, which is added to the previous result in Line 7. B computes the square of Wi as well as the square of Wi times G. EID reduces the results first regarding Mi+1 and then regarding N (Line 5a/b), which reveals the correct solutions in ZN . Figure 5 shows the communication and computation steps in a single forloop iteration.
Setting: B knows G and N B
EID
v M rand 3 3 i ← {N , N + ∆} v W ←W +M i i+1 i v v v
Wi

compute (G1 , G2 ) = (Wi2 , Wi2 G) (G1 , G2 )
v v v v v
Fig. 5 Outsourcing of Algorithm 4
Example: We now give an example of how the algorithm works: Let N = 6499, G = 17 and the exponent r = 11 = 10112 . Thus, we have a 4bit exponent, and the forloop runs from 2 to 0, as shown in Figure 6. The first row shows the initialization step. Here, G2 and G3 are computed with respect to the first bit, and also M3 is set to N. All further computations of Wi2 and Wi2 G are done by B. The Mi values are just random integers. The final output
14 i 2 1 0
G1 289 Wi2 Wi2 Wi2
G2 4913 Wi2 17 Wi2 17 Wi2 17
Wi+1 n/a 289 3075 5858
Wi n/a 21580589148265 207332088832074 26566610735587
Mi+1 6499 6499 21580589147976 207332088828999
Mi n/a 21580589147976 207332088828999 26566610729729
bit 10112 10112 10112 10112
Fig. 6 Example for Algorithm 9
is 5858, which indeed is 1711
(mod 6499).
6.1 Correctness and Security Let r be an nbit integer. For the correctness it has to be shown that the partial i result in each round is equal to the term G⌊r/2 ⌋ (mod N), which is the usual partial term in the RepeatedSquaring Algorithm. Lemma 1 Algorithm 9 is correct. Proof We can argue via induction: Since EID knows the correct partial result for the most significant bit, which is G itself, we can assume that the (n − 1)th partial i n−1 result has been obtained by (G⌊r/2 ⌋ = G). Thus, EID already has Wi+1 ≡ G⌊r/2 ⌋ (mod N) as the correct partial result. After submitting Wi+1 +Mi to B, EID receives 2 Wi+1 + 2Wi+1 Mi + M2i
(1)
2 Wi+1 G + 2Wi+1 GMi + GM2i
(2)
2 2 Since Wi+1 < N and G < N it holds Wi+1 < Wi+1 G < N3 < Mi . Thus, i i equation (1) reduces to G2⌊r/2 ⌋ and equation (2) reduces to G2⌊r/2 ⌋+1 . i−1 The next partial term is G⌊r/2 ⌋ , which is either 2 r/2i or 2 r/2i + 1,
depending on whether the ith bit is ’0’ or ’1’. Since EID knows this bit value, he can choose the correct value from the two possibilities, thus obtaining the correct next partial result. q.e.d Lemma 2 During Algorithm 9, B does not obtain the secret integer r except with a negligible probability.
Proof To learn the exponent r, B must know whether the bit at the current position is ’0’ or ’1’. In the each round, B computes both cases; one integer for the case that the bit is ’0’ and one for the ’1’case. Obviously, in this round B does not learn anything about the bit value. In the next round, B receives one of the previously computed integers added with an random integer Mi−1 . If B could decide which integer is involved in this packet, B knows which integer EID has chosen, thus B knows the corresponding bit value. However, since Mi−1 is chosen completely randomly and independent of previous rounds, both possibilities are still equally likely, thus B can not do better than random guessing on each bit position, which is negligible in the length of r. q.e.d
15
6.2 Performance Gain To measure the performance gain, we have to count the savings of the computational cost as well as the additional overhead of the outsourcing procedure. By looking at Algorithm 9, we get the following costs: There are two multiplication at the beginning that compute G2 and G3 , both of which require time tmult . Next, there are two modular reductions in each round (Line 5a/b), one modulo M and one modulo N. We denote the total time for these two reductions by tred . In Line 6, a random integer is chosen from a given interval. Since N is a fixed public parameter, this random integer can be precomputed, thus we do not consider the time required for choosing the random integer. The last computational operation in the forloop is the addition Wi+1 + Mi . Addition is a cheap operation and is often treated as getting it for free. However, we denote the time for a single addition by tadd . Finally, we have another single reduction of modulo Mi+1 . In total, we get a cost of 2tmult + (n − 1)(tred + t(M)add ) + t(M)red
(3)
Since multiplication is much more expensive than reduction and addition, the cost is 2tmult + (n − 1)(tred + t(M)add ) + t(M)red < O(n)tmult
(4)
where the right side is the average cost for a multiplication with the RepeatedSquaring Method. Consequently, the algorithm yields a large computational saving compared to the standard case. Next, we count the number of bits that need to be transferred during the algorithm. Since G and N are fixed PSP, we assume they are already known by B. During one loop (see Figure 5), the terms Wi+1 + Mi , (Wi+1 + Mi )2 and (Wi+1 + Mi )2 G are exchanged. The bit length of Mi is log2 Mi , and since Mi is much larger than Wi+1 (remember that Wi+1 < N, since it was reduced modulo N in Line 5a/b), the bit length of Wi+1 + Mi is ≈ log2 Mi . The same argument holds for the second term. The squaring doubles the bit length, thus we have (Wi+1 +Mi )2  ≈ 2 log2 Mi . In the last term, the factor G has been multiplied, which adds log2 N bits to the previous term. In total, we get #bits = O (log2 r (log2 M + (2 log2 M) + (2 log2 M + log2 N)))
(5)
bits to transfer, which can be simplified to #bits = O (16 log2 r log2 N)
(6)
Depending on the size of N and r, this is a relatively high communication cost. However, the larger the available bandwidth, the larger the speedup is. To estimate how much the outsourcing algorithm improves the performance of the overall execution time of the encryption process, the measurements of Figure 3 have to be considered. The figure shows the time to compute the encryption key. Obviously, the algorithm lasts longer, the larger the involved bit sizes are. To illustrate the performance gain, we pick a 4096bit modulus and choose different exponent sizes: 64bit,128bit,256bit,512bit and 1024bit. The time for a computation for these sizes on the mobile phone is around (see Figure 3) 2.4 seconds, 4.7 seconds, 8.9 seconds, 17 seconds, and 34.7 seconds, respectively1 . Thus, if the total transfer time to the backend (plus the computation time on the backend B, which is mostly negligible compared to the other terms) is less than these values in seconds, a theoretical speedup is achieved. However, the actual bandwidth and
16
Fig. 7 Time (in seconds) to transfer all necessary bits for a 4096bit modulus regarding different exponent sizes.
connection properties can have fluctuations, caused by startup problems and jitter. In the latter case, this unknown factor is covered by an additional term called tdelay . In all measurements, R is neglected, since it does not change the time significantly. The theoretical performance gain is due to the reduction of the execution time on the mobile phone by the corresponding total transfer time. The plain transfer times are shown in Figure 7, whereas the gained speedup in seconds is shown in Figure 8. It is evident that with a 1.5 Mbit/s connection, no speedup can be achieved. However, already with a 2 Mbit/s connection, all differences are positive, which will probably be counterbalanced by startup times and jitter. If the bandwidth increases further, the obtained seconds become significant for the larger exponent sizes. To reduce the waiting times for the phone call to be established by several seconds, is a quite noticeable improvement for both callee and caller. After having illustrated the theoretical speedup, the value tdelay will now be increased. To uncover its effect, it is picked for a 4096bit modulus and a 512bit exponent. To total amount of data that must be transferred in this constellation is, according to Eq. 6, around 4.2 MBytes. The communication between the mobile device and the server is a normal data connection with only a single connection establishment. Two computations on the corresponding sites can be done on time, so no new connection must be built up in each round. The theoretical transfer time of these 4.2 MBytes can now differ regarding the value tdelay . Based on this fact, it is clear that this algorithm obtains a speedup for computations in local rea networks or other high speed environments, since there the time to transfer a few MBytes is negligible. In a GSM environment, the average jitter time is per default set to 4 ms. This is the value that is given in the literature and is used in many specifications. This 1
The last value is not part of Figure 3.
17
Fig. 8 Time gained (in seconds) based on the outsourcing method for a 4096bit modulus regarding different exponent sizes.
Mbits/s 1.5 2 2.5 3 3.5 4 4.5 5 10 100 1000
0 ms 4.35 1.06 4.40 6.64 8.23 9.43 10.36 11.10 14.45 17.47 17.49
1 ms 5.55 0.03 3.38 5.62 7.21 8.41 9.34 10.08 13.43 16.44 16.74
2 ms 2566 0.99 2.36 4.59 6.19 7.38 8.31 9.06 12.41 15.42 15.72
3 ms 7.59 2.01 1.34 3.57 5.17 6.36 7.29 8.04 11.39 14.40 14.70
jitter 4 ms 8.61 3.03 0.32 2.55 4.14 5.34 6.27 7.01 10.36 13.38 13.68
5 ms 9.64 4.05 0.71 1.53 3.12 4.32 5.25 5.99 9.34 12.36 12.66
6 ms 10.66 5.08 1.73 0.51 2.10 3.30 4.23 4.97 8.32 11.33 11.63
7 ms 11.68 6.10 2.75 0.52 1.08 2.27 3.20 3.95 7.30 10.31 10.61
8 ms 12.70 7.12 3.77 1.54 0.06 1.25 2.18 2.93 6.28 9.29 9.59
Fig. 9 Startup = 300 ms. The tables shows the gained speedup in seconds. That means the 17.5 seconds from the mobile computation must be reduced by the value from the table. E.g. for a 3 Mbit/s line and 2 ms jitter, the 17.5 seconds compute time is reduced by 4.56 seconds.
means that the average transfer time of a packet is, on the average, delayed by 4 ms. Additionally, we have a startup delay that also decreases the performance but only occurs once. The average of this startup delay is around 300 ms in the normal GSM network and below 50 ms in modern environments like HSPA. However, this constitutes only an additional summand and does not influence the performance as much as jitter does. In Figure 9, the jitter parameter is varied from 0 to 2 times on the average, thus 8 ms per communication. The startup delay is set to 300 ms. High jitter and a low bandwidth leeds to a slowdown characterized by the upper right negative table entries. But whenever the bandwidth reaches the 3 Mbit/s level (UMTS speed), even a network with a 2 times average jitter gives a slight speedup. In a 5 Mbit/s network with a 2 times average jitter, we gain 7 seconds compared to the case when all computations are performed on the mobile phone. For comparison, the speedup in local area network environments is also displayed.
18
We are aware that the algorithm is not optimal for GSM networks, due to its its jitter and startup times. However, it can lead to a speedup, at least at the UTMS speed level and decreases the time a user has to wait to get the encrypted phone call established. Furthermore, it is the first algorithm that allows to outsource an exponentiation where the base is unknown and the exponent must be kept secret.
7 Related Work GSM Security. For closed groups of people who only need to communicate among each other, there are mobile phones based on special hardware, such as the NSK200 [19], but these mobile phones are quite expensive and not very comfortable for the daily use. Apart from the mentioned A3 [5] and A5 [22] algorithms, research papers dealing with GSM security are rare. Kumar et al. [11] present an IBC based approach to mutual authentication and key agreement for GSM networks. Unlike our proposal, Kumar et al. use the IMSI number as the public identity key. The security of the protocol relies on a secure channel to the HLR and VLR (Phase 1, Steps 2 and 3). Both these design decision have drawbacks. Firstly, using the IMSI as the public key means the users must trust the infrastructure to show them the correct binding between telephone number and IMSI number, since most users do not know their own IMSI, let alone the IMSI of other users. Secondly, the communication channels between the MS and the HLR and VLR are not considered to be secure and must be handled by the presented solution. There are other approaches such as the Cryptophone [1] that applies the ZFone [2] VoIP security mechanism to mobile phones. ZFone executes a standard DiffieHellman key agreement (which is vulnerable to an active MITMA), but then displays a hash of the generated session key to both users. One user must then read out the hash to the other user, who can then see if the key agreement was compromised, since if a MITMA attack has taken place, the hash values are different. While preventing simple MITMAs, the ZFone solution is somewhat cumbersome, since users must read out hash values to each other. It also does not prevent impersonation attacks or voice based MITMA attacks. Another way to establish an encrypted phone call in GSM environments has been suggested by LaDue et al. [13] and Katugampala et al. [12]. In both papers, the authors describe approaches to utilize the GSM voice channel to transfer encrypted data. Normally, this is not possible per default, since the voice channel is subject to data compression, at the start as well as during the transmission at the intermediate stations. Furthermore, the GSM codec operates optimally only on a signal that is similar to human voice, which is an attribute that encrypted data completely lacks. Both approaches have not been tested successfully in a reallife environment. Since we found the general idea quite interesting, we spent several months to implement the algorithms and some of our modifications and extensions on selected mobile phones. However, the obstacles faced by different hardware, different codecs, different specifications, and the achieved transmission rates make this solution impractical for reallife use. ServerAided Computation. A satisfactory solution for speeding up exponentiation by serveraided methods, where the base as well as the exponent is random and secret and the order of the involved group is unknown, has not been published yet. All existing methods make use of one of these properties. Matsumoto et al. [16] have proposed an approach to let a server compute the integer xd (mod N), where d and x can be secret. However, their approach utilizes the fact that the client knows the factorization of N. Lim and Lee [14] have presented
19
an optimization of Matsumoto’s algorithm, but do not remove the need for knowing the factorization of N. In a further paper [15], Lim and Lee focus on exponentiation modulo p, which makes the order of the involved group always known. In 2005, Hohenberger and Lysyanskaya [9] presented some new ideas to generic outsourcing methods, but they also focus on computations modulo p only, as Nguyen et al. do [20]. Dijk et al. [7] mention to do exponentiation modulo a composite number N, but they also require that the client knows its factorization. Thus, none of these approaches considers to compute a discrete exponentiation modulo a composite integer N and its factorization is not known to either the client or the server. Additionally, the base as well as the exponent are random, and the exponent has to be kept secret.
8 Conclusions In this paper, an identitybased key agreement system for mobile telephony in GSM and UMTS networks was presented. All attacks presented in the paper can be successfully prevented by the identitybased cryptographic solution. The use of telephone numbers as public keys reduced the complexity of the security management framework and well as the usage complexity for phone call encryption. The approach offers solutions to the real world problems in realizing an identitybased security framework for mobile phone call encryption, namely multidomain key generation, key distribution, multidomain public parameter distribution and interdomain key agreement. Based on the idea of serveraided cryptography, it was shown how a highperformance backend computing server can support mobile devices in reducing the computational effort required for performing cryptographic operations. Experimental results based on a Symbian implementation for the Nokia smartphones N951 and N821 were presented to demonstrate the feasibility of the proposed approach. Future work will include simulated large scale deployment and scalability studies to quantitatively evaluate the administrative benefit of using the presented identitybased approach compared to a traditional PKI. The proofofconcept solution will also be ported to other platforms beyond Symbian. Furthermore, a suitable infrastructure for clusteraided cryptography supporting mobile phones with limited computational capabilities should be developed. Finally, userstudies will be performed to further evaluate the benefits to the nontech savvy end user.
References 1. Cryptophone. http://www.gsmk.de/. 2. ZFone. http://zfoneproject.com/. 3. Boneh, D., Boyen, X., and Goh, E.J. Hierarchical Identitybased Encryption with Constant Size Ciphertext. In EUROCRYPT  Advances in Cryptology (2005), vol. 3494 of Lecture Notes in Computer Science, Springer, pp. 440–456. Aarhus, Denmark. 4. Boneh, D., and Franklin, M. Identitybased Encryption from the Weil Pairing. SIAM Journal of Computation 32, 3 (2003), 586–615. 5. Clavier, C. An Improved SCARE Cryptanalysis Against a Secret A3/A8 GSM Algorithm. In Third International Conference on Information Systems Security (2007), pp. 143–155. Delhi, India. 6. Diffie, W., and Hellman, M. E. New Directions In Cryptography. IEEE Transactions On Information Theory, 6 (1976), 644–654. 7. Dijk, M., Clarke, D., Gassend, B., Suh, G. E., and Devadas, S. Speeding up Exponentiation using an Untrusted Computational Resource. Design Codes and Cryptography 39, 2 (2006), 253–273. 8. Dryburgh, L., and Hewett, J. Signaling System No. 7 (SS7/C7): Protocol, Architecture, and Applications. Cisco Press, 2003.
20 9. Hohenberger, S., and Lysyanskaya, A. How to Securely Outsource Cryptographic Computations. In Theory of Cryptography (2005), vol. 3378 of Lecture Notes in Computer Science, pp. 264–282. Cambridge, MA, USA. 10. Horwitz, J., and Lynn, B. Toward Hierarchical Identitybased Encryption. In EUROCRYPT  Advances in Cryptology (2002), vol. 2332 of Lecture Notes in Compute Science, SpringerVerlag, pp. 466–481. 11. Kumar, K. P., Shailaja, G., Kavitha, A., and Saxena, A. Mutual Authentication and Key Agreement for GSM. In ICMB ’06: Proceedings of the International Conference on Mobile Business (2006), IEEE Computer Society, p. 25. Copenhagen, Denmark. 12. Katugampala, N., Villette, S., and Kondoz, A. Secure voice over GSM and other low bit rate systems. In IEE Seminar on Secure GSM and Beyond: End to End Security for Mobile Communications (2003), pp. 13–15. London. 13. LaDue, C.K., Sapozhnykov, V.V. and Fienberg, K.S. A Data Modem for GSM Voice Channel. IEEE Transactions On Vehicular Technology, vol. 57, no. 4 (2008), 2205–2218 . 14. Lim, C. H., and Lee, P. J. Security and Performance of ServerAided RSA Computation Protocols. In CRYPTO  Advances in Cryptology (1995), vol. 963 of Lecture Notes in Computer Science, Springer, pp. 70–83. Santa Barbara, California, USA. 15. Lim, C. H., and Lee, P. J. Authenticated Session Keys and Their ServerAided Computation, 2006. Tech. Report. 16. Matsumoto, T., Kato, K., and Imai, H. Speeding Up Secret Computations with Insecure Auxiliary Devices. In CRYPTO  Advances in Cryptology (1990), vol. 537 of Lecture Notes in Computer Science, SpringerVerlag, pp. 497–506. Santa Barbara, California, USA. 17. McCullagh, N., and Barreto, P. A New TwoParty Identitybased Authenticated Key Agreement. In Cryptographers’ Track at RSA Conference  CTRSA (2005). 18. Meyer, U., and Wetzel, S. A ManInTheMiddle Attack on UMTS. In WiSe ’04: Proceedings of the 3rd ACM Workshop on Wireless Security (2004), ACM, pp. 90–97. Philadelphia, PA, USA. 19. Moldal, L., and Jorgensen, T. End to end encryption in GSM, DECT and satellite networks using NSK200. In IEE Seminar on Secure GSM and Beyond: End to End Security for Mobile Communications (2003), pp. 1–5. London. 20. Nguyen, P.Q., Shparlinski, I.E., and Stern, J. Distribution of Modular Sums and the Security of Server Aided Exponentiation. In In Proceedings of the Workshop on Computational Number Theory and Cryptography (1999), pp. 1–16. Singapore. 21. Okamoto, E. Key Distribution Systems Based on Identification Information. In CRYPTO  Advances in Cryptology (1988), vol. 403 of Lecture Notes in Computer Science, Springer, pp. 194–202. Santa Barbara, California, USA. 22. Petrovic, S. An improved Cryptanalysis of the A5/2 Algorithm for Mobile Communications. In Proceedings of the IASTED International Conference on Communication Systems and Networks (2002), pp. 437–444. Malaga, Spain. 23. Pohlig, S., and Hellman, M. An Improved Algorithm for Computing Logarithms over GF(p) and its Cryptographic Significance. IEEE Transactions on Information Theory, 24 (1984), 106–110. 24. Pollard, J. Theorems of Factorization and Primality Testing. Mathematical Proceedings of the Cambridge Philosophical Society 76 (1974), 521–528. 25. Rivest, R. L., Shamir, A., and Adleman, L. A Method For Obtaining Digital Signatures And PublicKey Cryptosystems. Communications of the ACM 1, 2 (1978), 120–126. 26. Schridde, C., Smith, M., and Freisleben, B. An Identitybased Key Agreement Protocol for the Network Layer. In SCN  International Conference on Security and Cryptography for Networks (2008), vol. 5229 of Lecture Notes in Computer Science, Springer, pp. 409–422. Amalfi, Italy.