EFFICIENT DELEGATION-BASED AUTHENTICATION

PROTOCOL WITH STRONG MOBILE PRIVACY

Jian-Zhu Lu, Hong-Qing Ren and Jiping Zhou

Department of Computer Science, Jinan University, Guangzhou, 510632 Guangdong, China

Keywords:

Security, Privacy, Mobile communication, Mutual authentication.

Abstract:

In 2008, Tang and Wu designed a one-time alias mechanism for protecting the mobile privacy of a user.

Recently, Youn and Lim proposed an improved delegation-based authentication protocol to provide private

roaming service. In this article, we show that a link between requests may disclose information about the

mobile privacy of a sender, and that the aliases of a user fail to achieve the unlinkability in Tan-Wu’s scheme.

We remedy this situation by suggesting an enhanced protocol that utilizes a pseudorandom function. Compared

to Youn-Lim’s protocol, our design is more efﬁcient than theirs.

1 INTRODUCTION

Recent years have witnessed the dramatic and con-

tinuous increase of e-commerce transactions. E-

commerce makes it easier for a service provider to

get and collect users’ personal information. Privacy

is one of the major concerns of users when exchang-

ing information through a network. In a roaming en-

vironment, it’s important to provide a secure way to

simultaneously protect the interests of both the ser-

vice provider and the users and thereby establish a

trust relationship.

To meet the challenge of providing access con-

trol for a content provider and privacy protection for

users, several authentication schemes have been pro-

posed for roaming service (Lee, 2005), (Tang, 2008a),

(Tang, 2008b). In 2005, Lee and Yeh (Lee, 2005)

proposed a delegation-based authentication (DBA)

protocol for the use in portable communication sys-

tem. Tang and Wu designed a possible attack to Lee-

Yeh’s scheme in (Tang, 2008a), and then proposed a

scheme of protecting mobile privacy in wireless net-

works (Tang, 2008b). Recently, Youn and Lim (Youn,

2010) showed that the protocol in (Lee, 2005) cannot

achieve private roaming service. They then presented

an improved protocol to ﬁx the problem.

In Tan-Wu’s scheme (Tang, 2008b), authors de-

signed a one-time alias mechanism for various lev-

els of privacy protection. A new alias was generated

by hashing either the previous used alias or the user

identity. In this article, we show that Tan-Wu’s pro-

tocol cannot provide the mobile privacy for a roam-

ing user since the aliases of the user fails to achieve

the unlinkability. We remedy this situation by sug-

gesting an enhanced protocol that utilizes a pseudo-

random function(PRF). We also demonstrate how the

enhanced protocol is more efﬁcient compared to the

implementation in (Youn, 2010).

2 REVIEW OF TANG-WU’S

SCHEME

2.1 Description

In 2008, Tan and Wu proposed a mutual authen-

tication scheme for mobile communications (Tang,

2008b), which is brieﬂy described below. First, the

notation used in the scheme is deﬁned as follows. Let

G be a cyclic additive group with generator T, p is the

largest prime factor of the order of T, h : Z

∗

7→ Z

∗

a collision-resistant hash function, and

∏

: G 7→ Z

∗

a point representation function. The symbol ‘

’ de-

notes a point addition operator in G, and [X]

denotes

encrypting a message X with a key K using a symmet-

ric encryption algorithm. We assume that IDV and

IDH be the identities of VLR and HLR, respectively.

HLR has a private/public key pair (x, Y), where x ∈ Z

∗

is a random number, and Y = xT

The scheme in (Tang, 2008b) consists of two pro-

tocols:TDI and EMA. TDI is described below.

Step (1). First, MS sends his/her real identity IDM

and a alias IDMA to HLR for registration.

123

Lu J., Ren H. and Zhou J..

EFFICIENT DELEGATION-BASED AUTHENTICATION PROTOCOL WITH STRONG MOBILE PRIVACY.

DOI: 10.5220/0003606901230127

In Proceedings of the International Conference on Wireless Information Networks and Systems (WINSYS-2011), pages 123-127

ISBN: 978-989-8425-73-7

 2011 SCITEPRESS (Science and Technology Publications, Lda.)

Step (2). HLR sets key usage restrictions in m

and generates a random number κ, and computes

Γ = (h(IDMA|m

)T) ⊎ (κT) and σ = −xh(Π(Γ)) −

κmodp for a mobile station MS. Afterwards,

(IDMA, m

, Γ) is published, while (IDMA, σ) is

stored in HLR’s database and (σ, m

) is sent to MS

via a secure channel.

Step (3). If h(IDMA|m

)T = (σT) ⊎(h(Π(Γ))Y) ⊎

Γ, MS accepts the delegation key σ.

There are three parties involved in EMA: MS,

VLR, and HLR. Suppose there is a secure channel to

protect the trafﬁc between VLR and HLR, and K

(V,H)

is their share key. Three parties perform the following

steps:

Step (1). MS randomly generates a communica-

tion key ck and two numbers nonce and κ, and

computes C = [ck, ts, T

exp

, nonce]

, R = kT and s =

−kh(Π(R)|nonce) + σmodp. Here, ts is the current

timestamp, and nonce is a nonce. ck is only valid

for a certain time length T

exp

. Then, MS sends S

{R, s, IDH, m

, C, nonce} to VLR.

Step (2). After receiving S

, VLR checks the war-

rant m

for restrictions, and authenticates MS by us-

ing the attached digital signature (R, s). If both are

true, VLR sends a request S

= {IDMA, C} to HLR.

Step (3). HLR ﬁrst searches the corresponding σ in

its database according to IDMA, then decrypts C to

obtain ck, ts, T

exp

and nonce. If ck is valid, HLR

provides strong mobile privacy for MS by perform-

ing the following three tasks: (a) generation of new

alias IDMA = h(IDX) ∈ Z

∗

, where IDX be the pre-

vious used alias or IDM; (b) substitution of dele-

gation key σ

′

for σ and public information Γ

′

for

Γ, where Γ

′

= (h(IDMA|m

)T) ⊎ (κ

′

T) and σ =

−xh(Π(Γ

′

)) − κ

′

modp for a random number κ

′

; and

V,H

= [IDMA, T

exp

, ts, ck, nonce]

(V,H)

VLR and forwarding [T

V,M

]

to MS, where T

V,M

{IDV, nonce, σ

′

Step (4). Receiving the response {C

V,H

, [T

V,M

]

}

from HLR, VLR decryptsC

V,H

, and check the validity

not only for ck that isn’t an expired key, but also for

nonce that is equal to the one in Step (2). If it is true,

VLR computes [IDV, nonce, [T

V,M

]

and sends it to

MS.

Step (5). MS decrypts [IDV, nonce, [T

V,M

]

and

V,M

]

using ck and σ, respectively. By the consis-

tency of IDV and N, MS can authenticate VLR. If

true, and MS and VLR authenticate each other suc-

cessfully.

MS VLR HLR

−−−−−−−−−−−−−−−−→

(I)

−−−−−−−−−−−−−→

IDMA, C

←−−−−−−−−−−−−−

V,H

, [T

V,M

]

←−−−−−−−−−−−−−−

[IDV, N, [T

V,M

]

C = [ck, ts, T

exp

, IDV, N, IDMA

′

]

(I) = {IDMA, C, Sig

(N), N, m

, IDH}

V,H

= [IDMA, T

exp

, ts, ck, N]

(V,H)

V,M

= {IDV, N, σ

′

}

Figure 1: Efﬁcient DBA Protocol with Strong Mobile Pri-

vacy.

2.2 Mobile Privacy of Users in EMA

The mobile privacy of a user can be disclosed by using

the tracking and activity recognition when a link be-

tween the requests from the user exists. Suppose that

the service-region is divided into n areas and MS vis-

its them in the following order: A

→ A

→ ··· → A

There are n service providers. Each service provider

VLR

is responsible for one area A

, 1 ≤ i ≤ n. A re-

quest S

) for a service item I

is generated in the

area A

by MS and is sent to the VLR

through a wire-

less channel. Using a pseudonym technique, MS is

able to interact with the system without revealing his

identity. However, an attacker can track the unique

pseudonym. This problem can be addressed with a

one-time alias technique for MS. The one time alias

IDMA

is used by MS to transmit the request mes-

sages S

) to VLR

. If a link between these requests

is obtained by some means, an attacker can take action

to track MS’s moving history and current location.

There is a link between one-time aliases of MS

in (Tang, 2008b). As describe in (Tang, 2008b,

page1040, line 15), a new alias of MS is simply

IDMA=h(IDX), where IDX be the previous used

alias or IDM. In the ﬁrst request S

), there isn’t

any previous used alias for MS. The ﬁrst alias in

) can be computed as IDMA

=h(IDM). Af-

ter the ﬁrst request, MS computes the one-time alias

IDMA

=h(IDX) in S

), where IDX ∈ G

i−1

={IDM,

IDMA

, ···, IDMA

i−1

}, and 2 ≤ i ≤ n. For a given

set Ω, we denote {h(e)|e ∈ Ω} as h(Ω). The above

process may be regarded as selecting an element

IDMA

from the set h(G

i−1

)={h(e)|e ∈ G

i−1

}. Note

that G

={IDM, h(IDM)} and G

i−1

∪ {IDMA

Since IDMA

∈ h(G

i−1

), we have G

⊆(G

i−1

∪

h(G

i−1

)). Thus, G

⊆{IDM, h(IDM), h

(IDM)}

using G

={IDM, h(IDM)}, and G

⊆ {IDM,

h(IDM), h

(IDM), h

(IDM)} using the result of

, and so on. Each set G

i−1

can be rep-

WINSYS 2011 - International Conference on Wireless Information Networks and Systems

124

resented as a subset of D

i−1

={IDM, h(IDM), ··· ,

i−1

(IDM)}, and thereby h(G

i−1

) ⊆ h(D

i−1

). We

note that h(D

) ⊂ h(D

) ⊂ ··· ⊂ h(D

n−1

) and

h(D

n−1

)= {h(IDM), h

(IDM), · · · , h

(IDM)}. Ev-

ery set h(G

i−1

) is a subset of h(D

n−1

), so that

when IDMA

is chosen by MS from h(G

i−1

), it

belongs to h(D

n−1

). However, the elements in

h(D

n−1

) form a hash chain that can be gener-

ated by the seed h(IDM). For each MS’s alias

couple (IDMA

i−1

, IDMA

), there exists an inte-

ger l ∈ Z

n−1

such as IDMA

(IDMA

i−1

) or

IDMA

i−1

(IDMA

). Hence, an attacker can link

two different aliases of MS, and conclude that MS

visits areas (from A

i−1

to A

) in consecutive order.

3 EFFICIENT DBA PROTOCOL

WITH STRONG MOBILE

PRIVACY

3.1 Basic Idea

Let IDMA be the current alias of MS and assume that

F is taken from a pseudorandom function (PRF). For

the unlinkability, an alias of MS is derived from F

with delegation key σ and input IDMA and output of

the appropriate length for the subsequent authentica-

tion. HLR generates a new delegation key pair (σ

′

, Γ

′

)

for each new alias IDMA

′

, and transmits σ

′

to MS in a

secure way. Then MS and HLR store (IDMA

′

, σ

′

) in-

stead of (IDMA, σ). They use the updated delegation

key pair for a new authentication.

3.2 Description of Enhanced Protocol

Since the setup procedure is the same as TDI pro-

posed in (Tang, 2008b), we only describe the efﬁcient

mutual authentication (EMA) procedure as shown in

Fig. 1. Let l be an integer representing the length

of an alias and B

(m) denote the ﬁrst l bits of binary

string m. For each execution of EMA protocol , three

parties perform the following steps:

Step (1). MS sends a request S

(I) to VLR for

the service item I. First, MS computes a new alias

IDMA

′

= B

(F(σ, IDMA)) for the next authentication.

MS randomly generates a communication key ck and

two numbers N and κ, and computes C=[ck, ts, T

exp

IDV, N, IDMA

′

]

and Sig

(N)=(R, s), where R=kT,

and s=−kh(Π(R)|N) + σ modp. Here, ts is the cur-

rent timestamp, and N is a nonce. ck is only valid for

a certain time length T

exp

. Then, MS sends S

(I) =

{IDMA, C, Sig

(N), N, m

, IDH} to VLR.

Step (2). After receiving S

, VLR checks the war-

rant m

for restrictions, and authenticates MS by us-

ing the attached digital signature (R, s). If both are

true, VLR sends a request S

={IDMA, C} to HLR.

Otherwise, VLR rejects MS’s request.

Step (3). HLR retrieves σ according to IDMA, and

decrypts C to obtain ck, ts, T

exp

, IDV, N and IDMA

′

Then, HLR veriﬁes if IDV is identical to the iden-

tity of sender in Step (2), at the same time, checks

if ck is not expired. If IDMA

′

= B

(F(σ, IDMA)),

HLR performs the substitution of delegation key

(IDMA

′

, σ

′

) for (IDMA, σ) and public information

(IDMA

′

, Γ

′

, m

) for (IDMA, Γ, m

), where Γ

′

(h(IDMA|m

)T) ⊎ (κ

′

T) and σ = −xh(Π(Γ

′

)) −

′

modp for a random number κ

′

. Then, HLR sends

V,H

= [IDMA, T

exp

, ts, ck, N]

(V,H)

to VLR, and for-

wards [T

V,M

]

to MS, where T

V,M

= {IDV, N, σ

′

Step (4). Receiving the response {C

V,H

, [T

V,M

]

}

from HLR, VLR decrypts C

V,H

, and checks the va-

lidity not only for ck that isn’t an expired key, but also

for N that is equal to the one in Step (2). If it is true,

VLR computes [IDV, N, [T

V,M

]

and sends it to MS.

Step (5). MS decrypts [IDV, N, [T

V,M

]

and

V,M

]

using ck and σ, respectively. By the con-

sistency of IDV and N, MS can authenticate VLR.

If true, MS and VLR authenticate each other suc-

cessfully. MS stores (IDMA

′

, σ

′

, m

) instead of

(IDMA, σ, m

3.3 Security Discussion and

Performance Comparison

3.3.1 Security

HLR is assumed to be completely trustworthy and

nontamperable. As indicated in (Youn, 2010), we

also assume that legitimate entities (including HLR

and VLR) are trustworthy. In this case, we can trust

anyone who is veriﬁed as a valid entity.

We analyze the security provided by the enhanced

protocol. As the basic requirements on mobile au-

thentication in (Tang, 2008b) are entirely preserved,

the associated security properties hold true here as

well and we will not repeat them. The enhanced

protocol does not suffer from the ailments of tradi-

tional pseudonymous authentication protocols. At-

tacks such as DOS attack to HLR or the privacy

disclosure of requests described in Section 2.2 are

avoided.In the following, we only discuss the en-

hanced security features of the proposed scheme:

Unlinkability. We now analyze the unlinkability of

enhanced protocol in terms of the various parts of the

EFFICIENT DELEGATION-BASED AUTHENTICATION PROTOCOL WITH STRONG MOBILE PRIVACY

125

request message S

(I). Recall that IDMA is the out-

put of PRF F and C is the output of an IND-CCA

secure symmetric encryption scheme. Due to the in-

distinguishability property of a PRF F, it is computa-

tionally infeasible to distinguish between IDMA and

a random value in {0, 1}

. The probability of suc-

cess for an attacker to distinguish between C and a

random element in the ciphertext space is negligible

under the IND-CCA assumption (Bellare, 1997). The

nonce N is randomly selected from Z

∗

. At the same

time, MS runs a secure digital signature scheme in

(NIST, 2009) to generate Sig

(N) for a service item

I, giving one-time σ and (IDMA, Γ, m

). It is also

straightforward to show that events E

and E

oc-

cur with negligible probability, where E

is the event

that a HLR-generated veriﬁcation key (IDMA, Γ, m

)

is used more than once, and E

is the event that an

attacker forges a new, valid message/signature pair

with respect to any HLR-generated veriﬁcation key.

We have assumed that the probability of deriving

MS identity information from its associated delega-

tion constraint information m

is negligible. The part

“IDH” is used to point to the end of the ciphertext C.

Therefore, an attacker can’t ﬁnd a link of part in S

(I)

with the past.

Impersonation Attacks. The enhanced protocol

can efﬁciently preventan attacker from impersonating

attacks, since the scheme provides secure mutual au-

thentication mechanisms between a roaming MS and

VLR, MS and HLR, or VLR and HLR. Consider the

following impersonation attack scenarios in this pro-

tocol.

An attacker cannot impersonate a legitimate VLR

to cheat MS, since he does not possess the cor-

rect values N and [T

V,M

]

. By intercepting the ex-

changing messages in steps (2) and (4), an outside

attacker ﬁrst obtain C=[ck, ts, T

exp

, IDV, N, IDMA

′

]

and [IDV, N, [T

V,M

]

. Then, she/he tries to cheat

MS by replaying previously reply messages (e.g.,

[IDV, N

′

, [T

′

V,M

]

). However, N is different from

those within C in the replayed messages and, there-

fore, it would be rejected by MS. Furthermore, an

inside attacker cannot impersonate the visited VLR

to cheat MS. Since the delegation key σ is unknown

to the inside attacker, and she/he cannot generate

V,M

]

, where T

V,M

={IDV, N, σ

′

}, IDV and N are

chosen by MS, and σ

′

can be veriﬁed with the pub-

lic information Γ

′

An attacker hasn’t the power to impersonate HLR

while communicating with VLR and to impersonate

VLR while communicating with HLR, since neither

the long-term secret key K

(V,H)

nor a valid IDV in C is

possessed. Hence, while communicating with HLR,

an attacker can neither generate the valid messages in

step (2) to guarantee that the matching of IDV is done

in a consistent way. At the same time, the lack of

key K

(V,H)

implies that it can not decrypt the response

V,H

. Likewise, she/he generate the responding con-

ﬁrmation C

V,H

while communicating with VLR.

MS and its HLR can authenticate their messages

so that an attacker cannot impersonate them any more.

Since the delegation key σ is unknown to the at-

tacker, and she/he cannot generate a valid cipher-

text C=[ck, ts, T

exp

, IDV, N, IDMA

′

]

. Here, IDMA

′

(F(σ, IDMA)), and ts and N are generated by M.

Similarly, the attacker can neither generate the re-

sponding conﬁrmation [T

V,M

]

Replay Attacks and DoS Attacks. In DoS attacks,

the attackers may ﬂood a large number of illegal ac-

cess requests to the HLR. Their aim is to consume

critical resources in the HLR. By exhausting these

critical resources, the attacker can prevent the HLR

from serving legitimate users. In HLR-online authen-

tication, for every access request S

(I) from all users

that have registered in the HLR, HLR has to perform

two decryption operations and check the validity of

the requesters. These can easily be exploited by the

attacker.

The basic idea as adopted in (Tang, 2008a) is to

use a proxy signature along with mobile authenti-

cation. HLR performs a mobile authentication only

when the proxy signature can be veriﬁed by a VLR.

The following steps describe the proxy signature

veriﬁcation procedure performed by a VLR. For each

request S

(I) that is received, extract the nonce N and

its signature Sig

(N)=(R, s). VLR veriﬁes this value

Sig

(N) with the corresponding veriﬁcation informa-

tion (IDM, Γ, m

) of MS, then S

(I) is considered to

be legitimate if (sT)⊎(h(

∏

(R)|N)R) = Γ. Otherwise,

the request is illegitimate. Then, VLR construct a re-

quest message S

= {IDMA, C} for legitimate S

(I),

and send it to the HLR. Thus, it is difﬁcult for an at-

tacker to launch an effective DoS attack to HLR.

Furthermore, we make use of the nonce N to pre-

vent replay attacks. Thus, our solution does not suffer

from this attacks.

Table 1: Security comparison with other related schemes.

(Lee, 2005) (Tang, 2008b) (Youn, 2010) Ours

No No Yes Yes

Yes Yes Yes Yes

We also compare our scheme to other contributory

mobile authentication schemes including the schemes

in (Lee, 2005; Tang, 2008b; Youn, 2010). Table 1

summarizes the security properties of four schemes.

WINSYS 2011 - International Conference on Wireless Information Networks and Systems

126

The security properties against unlinkability, imper-

sonation attacks, mobile DoS attacks to HLR, replay

attacks, and session key agreement are are denoted as:

, SP

and SP

, respectively.

Tang and Wu (Tang, 2008a) showed that Lee-Yeh

scheme in (Lee, 2005) suffers from an impersonated

HLR attack such that the session key is compromised.

Lu and Zhou (Lu, 2010) described a dishonest VLR

′

for Tang-Wu (Tang, 2008a) scheme to obtain the com-

munication key generated by MS. The above compar-

isons show that our scheme and provides the strongest

security protection.

3.3.2 Performance

The storage and the computation and communication

in the enhanced protocol are about the same costs as

that in the scheme (Tang, 2008b). No computation

cost needs to be added by MS, except the additional

communication cost 2l.

Table 2: Computation costs comparison.

Ours (Youn, 2010)

MS VLR HLR MS VLR HLR

Public key oper. 1 0 1 1 0 1

Sig. veri. 0 1 0 0 1 0

Nonce gen. 1 0 0 0 0 0

Hash+PRF oper. 1+1 0+0 0+1 2+0 0+0 1+0

Sym. key oper. 3 2 2 1 1 2

Our protocol uses overall structure similar to a re-

cent protocol (Youn, 2010), but our design is more

efﬁcient than theirs. Table 2 shows the computa-

tion costs of both protocols. The time used to per-

form a symmetric encryption operation is negligible

compared with the time needed to execute a public-

key computation. Thus, Our computation cost is al-

most identical to Youn-Lim’s. Table 3 shows that the

communication costs and storage space of both pro-

tocols depend upon the choices of parameters, where

cr is the number of communication round, and L =

|ts| + |T

exp

| + |m

|. It is recommended that the secu-

rity strength of |p| isn’t less than 160 bits in (NIST,

2009)[Page 27], and the minimum of the security

strength of the (|p

∗

|, |q|) pair is (1024, 160) in (NIST,

2009)[Page 15]. Therefore, our design is a less strong

requirement in the communication cost and storage

space than Youn-Lim’s, especially for the mobile user

MS.

4 CONCLUSIONS

In this paper, we showed that Tan-Wu scheme (Tang,

2008b) doesn’t provide the protection of mobile pri-

Table 3: Communication costs and storage spaces compari-

son.

cr Commun. Storage

Messages spaces

MS 2 6p+ 3l +L p+ l + |m

Ours VLR 2 4p+ 2l +L 2p+ l

HLR 2 5p+ 2l +L 3p+ 2l +|m

MS 4 3p

∗

+ 2q+ 2l p

∗

+ q

(Youn, 2010) VLR 4 2p

∗

+ 5q+ 3l h+ l

HLR 2 p

∗

+ 5q+ l +|h| p

∗

+ 2q+ l

vacy in roaming services. We also proposes an

enhanced delegation-based authentication protocol.

Compared to Youn-Lim’s protocol in (Youn, 2010),

our design is more efﬁcient than theirs.

ACKNOWLEDGEMENTS

This work was supported in part by the Na-

tional Natural Science Foundation of China un-

der Grants 60773083, and in part by the Provin-

cial Natural Science Foundation of Guangdong un-

der Grants 2008B090500201, 2009B010800023 and

2010B090400164.

REFERENCES

Lee W.-B., Yeh C.-K., 2005. A New Delegation-based Au-

thentication Protocol for Use in Portable Communica-

tion Systems. In IEEE Transactions Wireless Commu-

nication, vol. 4, no.1, pp. 57-64

Tang C., Wu D. O.,2008. An Efﬁcient Mobile Authenti-

cation for Wireless Networks. In IEEE Transactions

Wireless Communication, vol. 7, no.4, pp. 1408-1416

Tang C., Wu D. O., 2008. Mobile Privacy in Wireless Net-

works Revisited. In IEEE Transactions Wireless Com-

munication, vol. 7, no.3, pp.1035-1042

Youn T.-Y., Lim J., 2010. Improved Delegation-Based Au-

thentication Protocol for Secure Roaming Service

with Unlinkability. In IEEE Communications Letters,

vol. 14, no. 9, pp.791-793

Bellare M., Desai A., Jokipii E., Rogaway P., 1997. A Con-

crete Security Treatment of Symmetric Encryption.

In: Proc. of the 38th IEEE Symp. on Found. of Com-

puter Sci., pp. 394-403

Lu J., Zhou J., 2010. The security of an efﬁcient mo-

bile authentication scheme for wireless networks, In

WiCOM 2010: 6th International Conference on Wire-

less Communications Networking and Mobile Com-

puting, Chengdu (China).

NIST, 2009. NIST FIPS PUB 186-3, Digital Signature Stan-

dard (DSS) . U.S. Department of Commerce.

EFFICIENT DELEGATION-BASED AUTHENTICATION PROTOCOL WITH STRONG MOBILE PRIVACY

127