where deploys a large number of nodes with a huge amount of interactive historical data, such as the field of e-commerce and Vehicular Ad Hoc Networks (VANET).

The network model of our protocol includes only a single MN and AP. Instead of selecting only trusted APs and communicating with them, the MN roams randomly throughout the network and enters into the different APs, and then performs handover authentication with them. The advantage of our method is its low computation cost, high efficiency and easy implementation. The disadvantage is that it cannot predict misbehaving nodes or prevent collusion attacks, due to the lack of a trust and reputation evaluation mechanism. The correctness of the authentication protocol can only rely on the certification results of both parties. Therefore, our method is suitable for the scenario of a single authentication model with a few participants, such as mobile wireless networks.

II. PRELIMINARIES

We first give a brief review of the NTRU cryptosystem. More details can be found in previous studies [10].

The NTRU cryptosystem works over the ring $R_q = \mathbb{Z}_q[X]/(X^N - 1)$ and bases its security on hard lattice problems, such as the closest vector problem (CVP) and the shortest vector problem (SVP). The NTRU cryptosystem depends on three integer parameters $(N, p, q)$, where $N$ is a prime and $p$ and $q$ are coprime integers; it uses four sets of polynomials $(L_f, L_g, L_r, L_m)$ of degree at most $N - 1$, which consist of many polynomials with small integer coefficients, such as binary $\{0, 1\}$ or ternary $\{-1, 0, 1\}$. The NTRU algorithm works as follows:

System Parameters
(1) $N$ is a positive prime.
(2) $p$ and $q$ are coprime, namely $\gcd(p, q) = 1$.
(3) $q$ is considerably greater than $p$; normally $p = 2$ or $3$.

Key Generation
(1) Two polynomials $f \in L_f$ and $g \in L_g$ are selected such that there exist $F_p \in R_q$ and $F_q \in R_q$ which satisfy
$F_q * f \equiv 1 \pmod q$, $F_p * f \equiv 1 \pmod p$
(2) The public key is calculated as
$h \equiv F_q * g \pmod q$,
where $h$ is the public key and the corresponding private key is $(f, F_p)$.

Encryption
(1) The polynomial $m \in L_m$ is obtained from the plain message $M$ by making use of the public hash function.
(2) A polynomial $r \in L_r$ is chosen, and the ciphertext $e$ is calculated as
$e \equiv p r * h + m \pmod q$

Decryption
(1) We first compute a polynomial $a$:
$a \equiv f * e \pmod q \equiv p r * g + f * m \pmod q$
The coefficients of $a$ must be between $-q/2$ and $q/2$.
(2) The plain information $m$ is calculated by
$m \equiv F_p * a \pmod p$

III. PROPOSED HANDOVER AUTHENTICATION PROTOCOL

The new AHA protocol comprises two phases: the system setup phase and the handover authentication phase. Specifically, the detailed description of those phases is as follows:

A. System Setup Phase

Let $(N, p, q)$ be the three security integer parameters and $\{L_f, L_g, L_r, L_m\}$ be the four sets of polynomials, which all satisfy the requirements of the NTRU algorithm. In the system setup phase, the AS is responsible for initializing the identity-authenticated public and private system parameters as follows:
(1) A polynomial $g_{AS} \in L_g$ and a secure hash function $H_1$ are selected, where $H_1 : \{0, 1\}^* \to \mathbb{Z}_q^*$;
(2) AS publishes the system parameters $\{N, p, q, L_f, L_g, L_r, L_m, H_1\}$ and keeps $g_{AS}$ secret.
Subsequently, AS computes the private and public keys for the identity authentication of all MNs and APs.
• For each mobile node $MN_i$ with identity $ID_i$, AS chooses a set of unrelated PIDs for $MN_i$. For each $PID_k \in PID$, the AS chooses $f_{k,AS} \in L_f$ and computes the public key $h_{k,AS} = f_{k,AS,q}^{-1} * g_{AS} \pmod q$, where $f_{k,AS,q}^{-1}$ is the inverse of $f_{k,AS}$ in the ring $R_q$. The public and private key tuple for $PID_k$ is $\{h_{k,AS}, (f_{k,AS}, f_{k,AS,q}^{-1})\}$. Then AS sends all the public and private key tuples along with the PIDs to $MN_i$ through a secure channel.
• For each access point instance $AP_j$, AS chooses $f_{j,AS} \in L_f$ and computes the public key $h_{j,AS} = f_{j,AS,q}^{-1} * g_{AS} \pmod q$ for $AP_j$, where $f_{j,AS,q}^{-1}$ is the inverse of $f_{j,AS}$ in the ring $R_q$. Then AS sends the public and private key tuple $\{h_{j,AS}, (f_{j,AS}, f_{j,AS,q}^{-1})\}$ to $AP_j$ via a secure channel.

B. Handover Authentication Phase

Each AP must periodically broadcast a beacon message that includes its identity $ID_{AP}$, the public key $h_{AP,AS}$ and other relevant network information. The handover authentication phase is performed when an MN ($MN_a$) enters the coverage of a new AP ($AP_b$): $MN_a$ first extracts $ID_b$ and $h_{b,AS}$ from the beacon message and then performs the handover authentication phase. The handover authentication process is depicted in Fig. 1. The details are described as follows:

1) $MN_a \Rightarrow AP_b$: $\{M_a, Auth_1\}$: $MN_a$ randomly selects a polynomial $r_a \in L_r$ and computes the encrypted message $e_a = p h_{b,AS} * r_a + h_{a,AS} \pmod q$. Then $MN_a$ generates the identity authentication code $IAC_a = f_{a,AS,q}^{-1} * h_{b,AS}$ using his/her pre-allocated private key and the public key of $AP_b$. Subsequently, $MN_a$ randomly chooses an unused PID $pid_a$ and generates the message $M_a = (pid_a \| ID_b \| e_a \| t_a)$, where $t_a$ is the current timestamp. Next, $MN_a$ computes the shared session key $SK_{a-b} = H_1(pid_a \| ID_b \| IAC_a)$ and the authentication message $Auth_1 = H_1(M_a \| SK_{a-b})$. Finally, $MN_a$ sends $\{M_a, Auth_1\}$ to $AP_b$.

2) $AP_b \Rightarrow MN_a$: $\{Auth_2\}$: Upon receipt of the request message $\{M_a, Auth_1\}$, $AP_b$ first verifies the timestamp $t_a$ and discards the message if $t_a$ is not fresh. Otherwise, $AP_b$ computes $MN_a$'s pre-allocated public key $h_{a,AS}$ by decrypting $e_a$, and uses it to compute its identity authentication code $IAC_b = f_{b,AS,q}^{-1} * h_{a,AS}$. Then $AP_b$ calculates the shared session key $SK_{b-a} = H_1(pid_a \| ID_b \| IAC_b)$ and compares $H_1(M_a \| SK_{b-a})$ with the received $Auth_1$. If they match, then $AP_b$ has verified that $MN_a$ is a legal registered user of AS. If the result is negative, then this message is rejected. Later, $AP_b$ computes
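As an added toy model of the AS key issuance in III.A and of steps 1 and 2 in III.B (hypothetical code, not the authors' implementation): it uses constructed parameters N = 11 and a prime q = 257 so that ring inverses can be found by Gauss-Jordan elimination on the circulant system, replaces $H_1$ with SHA-256 over "|"-joined fields, assumes the PID, identity and timestamp values shown, and leaves $e_a$ and its decryption out ($AP_b$ is handed $h_{a,AS}$ directly). It shows why $IAC_a = IAC_b$ and how the freshness check and the $Auth_1$ comparison reject stale and forged requests.

```python
import hashlib, random

N, Q = 11, 257  # constructed toy sizes, not the paper's; Q prime so Gauss-Jordan finds inverses
small = lambda: [random.choice((-1, 0, 1)) % Q for _ in range(N)]  # stand-in for a draw from L_f / L_g
H1 = lambda *p: hashlib.sha256("|".join(map(str, p)).encode()).hexdigest()  # stand-in for the paper's H1

def mul(a, b):  # product in Z_Q[X]/(X^N - 1): cyclic convolution mod Q
    return [sum(a[i] * b[(k - i) % N] for i in range(N)) % Q for k in range(N)]

def inv(f):  # inverse of f in the ring, or None: Gauss-Jordan on the circulant system f * x = 1
    A = [[f[(i - j) % N] for j in range(N)] + [int(i == 0)] for i in range(N)]
    for c in range(N):
        piv = next((r for r in range(c, N) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        A[c] = [x * pow(A[c][c], -1, Q) % Q for x in A[c]]
        for r in range(N):
            if r != c and A[r][c]:
                A[r] = [(x - A[r][c] * y) % Q for x, y in zip(A[r], A[c])]
    return [row[N] for row in A]

def as_issue(g_as):  # AS key issuance for one PID or one AP: h = f^-1 * g_AS (mod q), f in L_f
    f_inv = None
    while f_inv is None:
        f_inv = inv(small())
    return {"h": mul(f_inv, g_as), "f_inv": f_inv}

def mn_login(pid_a, id_b, key_a, h_b, t_a):
    """MN_a, step 1: IAC_a = f_a^-1 * h_b, SK_{a-b} = H1(pid_a||ID_b||IAC_a), Auth_1 = H1(M_a||SK_{a-b})."""
    sk = H1(pid_a, id_b, mul(key_a["f_inv"], h_b))
    m_a = (pid_a, id_b, t_a)  # e_a left out: recovery of h_a from it is not modelled here
    return m_a, H1(m_a, sk), sk

def ap_verify(m_a, auth_1, key_b, h_a, now, window=5):
    """AP_b, step 2: reject a stale t_a, else IAC_b = f_b^-1 * h_a must reproduce Auth_1."""
    pid_a, id_b, t_a = m_a
    if abs(now - t_a) > window:
        return None  # replayed or delayed request
    sk = H1(pid_a, id_b, mul(key_b["f_inv"], h_a))
    return sk if H1(m_a, sk) == auth_1 else None

def run_demo():  # setup plus one exchange: fresh, stale and forged requests as seen by AP_b
    g_as = small()
    key_a, key_b = as_issue(g_as), as_issue(g_as)
    m_a, auth_1, sk_mn = mn_login("pid-7f3a", "AP-b", key_a, key_b["h"], t_a=1000)
    chk = lambda auth, now: ap_verify(m_a, auth, key_b, key_a["h"], now)
    return {"sk_mn": sk_mn, "sk_ap": chk(auth_1, 1002),
            "stale": chk(auth_1, 1600), "forged": chk("0" * 64, 1002)}
```

`run_demo()` returns identical `sk_mn` and `sk_ap` (the commutativity behind $IAC_a = IAC_b$) and `None` for both the stale and the forged request.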
588 IEEE COMMUNICATIONS LETTERS, VOL. 22, NO. 3, MARCH 2018
IV. SECURITY AND PERFORMANCE ANALYSES

A. Security Analysis

1) Mutual Authentication and Key Agreement: The two communicating parties share the same certified key:
$IAC_a = f_{a,AS,q}^{-1} * h_{b,AS} \pmod q = f_{b,AS,q}^{-1} * h_{a,AS} \pmod q = IAC_b$
During the first step of the handover phase, $MN_a$ generates the shared session key $SK_{a-b} = H_1(pid_a \| ID_b \| IAC_a)$ and the authentication information $Auth_1 = H_1(M_a \| IAC_a)$. Next, $AP_b$ can compute the shared session key $SK_{b-a} = H_1(pid_a \| ID_b \| IAC_b)$ and authenticate $MN_a$ by checking whether the received $Auth_1$ is equal to $H_1(M_a \| SK_{b-a})$. Only a legitimate $AP_b$ has the private key $f_{b,AS,q}^{-1}$ to generate the correct certified key $IAC_b$ and $Auth_2$, allowing $MN_a$ to authenticate $AP_b$ through $IAC_a$ and $Auth_2$. Moreover, both $MN_a$ and $AP_b$ can generate the same shared secret key:
$SK_{a-b} = H_1(pid_a \| ID_b \| IAC_a) = H_1(pid_a \| ID_b \| IAC_b) = SK_{b-a}$
Without knowing the secret key $f_{a,AS,q}^{-1}$ or $f_{b,AS,q}^{-1}$, no one can generate a legitimate session key. Hence, the new protocol can provide mutual authentication and session key establishment.

2) User Anonymity: $MN_a$ uses a family of unlinkable PIDs to communicate with $AP_b$, and each PID is only used once during the handover authentication stage. Furthermore, the login message $\{M_a, Auth_1\}$ of $MN_a$ changes each time because the polynomial $r_a$ is randomly selected by $MN_a$ during each session run. An adversary who intercepts the login message can obtain the PID from $M_a$, but he/she cannot obtain the MN's real identity from the PID. Moreover, the adversary cannot trace the MN's movement route by using the acquired PID. Therefore, the proposed scheme can provide user anonymity.

3) Resistance to Replay Attacks: In our scheme, $AP_b$ can quickly detect a replay attack and terminate the session by verifying the freshness of the timestamp $t_a$, which is included in the login request message. Similarly, $MN_a$ can also rapidly detect a replay attack because the authentication code $Auth_2$ contains the one-time PID of $MN_a$ and the identity of $AP_b$. Thus, the new protocol is able to resist replay attacks.

4) Resistance to Impersonation Attacks: The public and private keys are randomly generated by AS and delivered through a secure channel. Hence, an adversary cannot forge $IAC_a = f_{a,AS,q}^{-1} * h_{b,AS} \pmod q$ or $IAC_b = f_{b,AS,q}^{-1} * h_{a,AS} \pmod q$ without the private keys $f_{a,AS,q}^{-1}$ and $f_{b,AS,q}^{-1}$. Thus, he/she cannot forge the legitimate shared session key $SK_{a-b} = H_1(pid_a \| ID_b \| IAC_a)$. Without knowing the shared session key $SK_{a-b}$, the adversary cannot forge a valid message to launch impersonation attacks.

B. Comparison of Computation Costs

To show the performance comparisons, we first introduce some notations as follows:
• $T_{BP}$: The time for a bilinear pairing operation.
• $T_{PM}$: The time for a point multiplication based on pairing.
CHEN AND PENG: NOVEL NTRU-BASED HANDOVER AUTHENTICATION SCHEME FOR WIRELESS NETWORKS 589
TABLE III
THE COMPARISONS OF COMPUTATION COST (ms)