
Concatenated Wireless Roaming Security Association and Authentication Protocol using ID-Based Cryptography

Byung-Gil Lee, Member, IEEE, Hyun-Gon Kim, Sung-Won Sohn and Kil-Houm Park
Electronics and Telecommunications Research Institute, Daejeon, Korea
Kyungpook National University, 1370 Sankyuk-dong, Buk-gu, DaeGu, Korea

Abstract - The Mobile IP application of AAA (Diameter protocol) provides authentication, authorization, and accounting (AAA) services in a wireless roaming internet service. As such, the current paper proposes the application of identity-based cryptography to Mobile IP with AAA authentication, thereby facilitating the introduction of public key cryptography through allowing a Mobile IP entity's public key to be derived from an arbitrary identification value, such as an e-mail styled NAI (Network Access Identity). The Diameter Security Association (DSA) provides a PKI-based universal and secure channel, which is used for identity (ID)-based key delivery between the AAA server of the visited and home ISP network. Therefore, the proposed method combines the use of the DSA with an identity (ID)-based cryptographic security association (ISA). Consequently, the proposed concatenated security association of the DSA for an inter-ISP trust chain and an ISA for Mobile IP user authentication can alleviate the problem of ID-based private key distribution for visited network entities and greatly reduce the need for and reliance on public key certificates for mobile nodes. Furthermore, the proposed protocol can also establish a security association among all Mobile IP related nodes and AAA related nodes.

Index Terms - Mobile IP, AAA, ID based Cryptography

B.G. Lee is a Senior Engineer at the Electronics and Telecommunications Research Institute, Daejeon, Korea.

0-7803-7757-5/03/$17.00 ©2003 IEEE.

I. INTRODUCTION

With the emergence of mobile commerce and ubiquitous networking, the importance of security has dramatically increased. For example, secure roaming from one network to another via mobile networks is expected to become a critical part of the mobile service operator's service area [1]. Mobile IP networking is rapidly developing and expanding. Based on currently deployed mobile terminals, there are hundreds of millions of Internet-enabled terminals, making roaming with Mobile IP a reality for huge numbers of users. With mobility as the essential characteristic for mobile networks, the Mobile IP standard solution for use with the wireless Internet was developed by the Internet Engineering Task Force (IETF) [2]. Mobile IP enables a mobile host to move from one IP sub-network to another, while maintaining an active connection with the home IP address. However, with Mobile IP [2] and related micro mobility protocols [3], defined in the current standards as constituting a fully operable protocol suite, there are still security problems that need to be solved and enhancements required for wireless networks [2][4].

For example, it is well known that the Mobile IP registration and binding protocol have weaknesses with regard to the protection of signaling information and authentication of a foreign network [2]. One solution is a public-key-based authentication scheme between the mobile node and agents. IPSec depends on a public-key infrastructure that has not yet been deployed, plus the key management component of IPSec requires heavy processing by end devices. In existing research, Jacobs' proposal [4] involves the use of public key cryptography for Mobile IP. However, this has certain drawbacks mainly due to the heavy operation at the mobile node [5].

In typical public key cryptography, the user's public key is explicitly encoded in a public key certificate, which is essentially a binding between the certificate holder's identity and the claimed public key. Therefore, the PKI model requires universal trust in the certificate issuers, such as the CA (Certification Authorities). This also has some well-known side-effects, such as cross-domain trust and certificate revocation. However, the main problem is the basic assumption that all certificates are public and ubiquitous, and hence readily available to anyone. Yet, this assumption is not always realistic and small data-sized certification centric, especially in a wireless network where connectivity is sporadic.

In contrast, identity-based cryptography changes the nature of obtaining public keys by constructing a one-to-one mapping between identities and public keys. As such, identity-based cryptography greatly reduces the need for and reliance on public key certificates and certification authorities. Consequently, the introduction of identity-based cryptographic schemes has many advantages ranging from easy migration to public key cryptography in a wireless link environment. This means that the system (network and mobile device) does not require as much system load as public key-based cryptography in key management. In CRL (certificate revocation list, X.509), a fine-grained mechanism for receiving and checking the CRL profile has not yet been developed. However, the introduction of identity-based methods over a wireless link has greatly simplified key management (user's E-mail is public key and NAI), as such methods reduce the need for and number of public key certificates.

Accordingly, the main idea of the current study is the application of identity-based cryptography to Mobile IP with AAA, plus, to obtain assurances of verification and payment in a foreign network, the Mobile IP architecture must also support an Authentication, Authorization, and Accounting (AAA) service. In the Diameter protocol as an AAA service, the mobile identifies itself via a network access identifier (NAI) in the form of user@homedomain. As such, the authentication mechanism is not based on a fixed IP address, but rather on a NAI [6][7]. Therefore, the current paper focuses on developing a simpler public key cryptography operation for a limited mobile device using identity-based rather than certificate-based public key cryptography. In addition, to establish a Mobile IP security association using identity-based cryptography between all Mobile IP entities and all AAA entities, a concatenated security association is proposed that consists of a PKI-based Diameter security association (DSA) and identity-based cryptography security association (ISA). The Diameter Security Association provides a PKI-based universal and secure channel, which is used for identity (ID)-based key delivery between the AAA server of the visited and home ISP network.

The remainder of this paper includes a brief introduction to ID-based cryptography in chapter 2, then chapter 3 describes the architecture and protocol of Mobile IP with AAA. Chapter 4 then presents the mobile application of identity-based cryptography, a concatenated security association process based on ID-based cryptography, and discusses the properties from a security perspective. Finally, chapter 5 offers some concluding remarks.
II. OVERVIEW OF IDENTITY(ID)-BASED CRYPTOGRAPHY

Let $E$ be an elliptic curve defined by $y^2 = x^3 + 1$ over $F_p$, where $F_p$ is a finite field with the prime order $p$, $p = 2 \bmod 3$, and $p = 6q - 1$ for some prime $q > 3$. Let $G_1$ be an order $q$ cyclic subgroup of $E/F_p$ and $G_2$ be a subgroup of $F_{p^2}^*$, where $F_{p^2}^*$ is the multiplicative group of $F_{p^2}$ (see [11], [13] for more mathematical details). The modified Weil pairing $\hat{e}$ is a map from $G_1 \times G_1$ to $G_2$ satisfying the following properties (see [11], [13] for more details):
1) Bilinear: For all $P, Q \in G_1$ and all $a, b \in Z$, $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$.
2) Non-degenerate: $\hat{e}(P, P) \in G_2$ is a generator of $G_2$.

It should be noted that the original Weil pairing does not satisfy the non-degenerate property.

First, the ID-based encryption scheme proposed by Boneh and Franklin [11] is introduced.

Setup: The algorithm proceeds as follows:
1) Choose a generator $P$ of $G_1$, pick a random $s \in Z_q^*$ and set $P_{pub} = sP$.
2) Choose a hash function $H: F_{p^2} \to \{0,1\}^n$ for some $n$ and a hash function $G: \{0,1\}^* \to G_1$.
3) Choose a hash function $H_1: \{0,1\}^n \times \{0,1\}^n \to F_q$, and a hash function $G_1: \{0,1\}^n \to \{0,1\}^n$.
4) The message space is $\mathcal{M} = \{0,1\}^n$. The master-key is $s \in Z_q$. The system parameters are params $= \langle p, n, P, P_{pub}, H, H_1, G, G_1 \rangle$.

Extract: Given an identity $ID$, set $Q_{ID} = G(ID)$ and set the private key $d_{ID} = sQ_{ID}$, where $s$ is the master key.

Encrypt: To encrypt $M \in \{0,1\}^n$ under the public key $ID$ do the following:
1) Convert $ID$ into a point $Q_{ID}$ using the hash function $G$.
2) Choose $\sigma \in \{0,1\}^n$ at random and set $r = H_1(\sigma, M)$.
3) Compute the ciphertext $C = \langle rP, \sigma \oplus H(g_{ID}^{r}), M \oplus G_1(\sigma) \rangle$, where $g_{ID} = \hat{e}(Q_{ID}, P_{pub}) \in F_{p^2}$.

Decrypt: Let $C = \langle U, V, W \rangle$ be a ciphertext encrypted using the public key $ID$. Reject the ciphertext if $U$ is not in $G_1$. To decrypt $C$ do the following:
1) Compute $\sigma = V \oplus H(\hat{e}(d_{ID}, U))$.
2) Compute $M = W \oplus G_1(\sigma)$.
3) Set $r = H_1(\sigma, M)$ and reject the ciphertext if $U \neq rP$, otherwise do the following.
4) Output $M$ as the corresponding message.

Next, the ID-based signature scheme proposed by Cha and Cheon [12] is introduced.

Setup: Follow the same process as with ID-based encryption, yet using the hash function $H_2: \{0,1\}^* \times G_1 \to Z_q$ instead of $H$, $H_1$ and $G_1$. As such, in the ID-based cryptography based on elliptic curves, the required system parameters are

params $= \langle p, n, P, P_{pub}, H, H_1, H_2, G, G_1 \rangle$

Extract: Follow the same process as in the above scheme.

Sign: To sign a given message $m \in \{0,1\}^*$ under the private key $d_{ID}$ do the following:
1) Choose $r \in Z_q$ at random and compute $Q_{ID} = G(ID)$.
2) Output a signature corresponding to $m$, $\sigma = (rQ_{ID}, (r + h)d_{ID})$, where $h = H_2(m, rQ_{ID})$.

Verify: Let $\sigma = (U, V)$ be the given signature for message $m$. To verify do the following:
1) Compute $h = H_2(m, U)$.
2) Output accept if $\hat{e}(P, V) = \hat{e}(P_{pub}, U + hQ_{ID})$, reject otherwise.
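Why decryption and verification succeed for honestly generated values, written out as an added derivation (not part of the original paper) that uses only the bilinearity of $\hat{e}$ and the definitions $P_{pub} = sP$ and $d_{ID} = sQ_{ID}$.

For a ciphertext with $U = rP$, the holder of $d_{ID}$ recomputes the sender's mask:

$$\hat{e}(d_{ID}, U) = \hat{e}(sQ_{ID}, rP) = \hat{e}(Q_{ID}, P)^{sr} = \hat{e}(Q_{ID}, sP)^{r} = \hat{e}(Q_{ID}, P_{pub})^{r} = g_{ID}^{r}$$

so $V \oplus H(\hat{e}(d_{ID}, U)) = \sigma$ and $W \oplus G_1(\sigma) = M$.

For a signature with $U = rQ_{ID}$ and $V = (r + h)d_{ID}$:

$$\hat{e}(P, V) = \hat{e}(P, (r + h)sQ_{ID}) = \hat{e}(sP, (r + h)Q_{ID}) = \hat{e}(P_{pub}, rQ_{ID} + hQ_{ID}) = \hat{e}(P_{pub}, U + hQ_{ID})$$

The verifier's side of this equation contains only the public parameters, the message, the signature and the signer's identity string, which is why a node can check a signature knowing nothing about the signer except its NAI.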
III. MOBILE IP WITH AAA STRUCTURE

Until now, identity-based cryptography has not been discussed much as a new emerging application area. Yet, a novel identity-based RSA was recently proposed by Boneh that combines the attractive features of identity-based cryptography and mediated RSA. This identity-based scheme is still in an early developmental stage, plus the inherent feature of a mobile environment is still a closed network as regards security for the next few years. In relation to identity-based cryptography, several papers have conducted a comparison of security and performance. However, the current paper focuses on the introduction of identity-based cryptography in a Mobile IP environment, as well as the possibility of Mobile IP with AAA, as an authentication protocol.

Within the context of mobility, a mobile node belonging to the home domain often needs to use resources provided by a foreign domain. The AAA infrastructure verifies the user's credentials and provides a service policy to the serving network for which the user is authorized. The AAA infrastructure may also provide reconciliation of charges between the serving and home domains. As an AAA protocol, the Diameter protocol attempts to expand on RADIUS's [14] known shortcomings and is being developed by the IETF AAA Working Group [2][6][7][15][17]. Diameter's Mobile IP application allows an AAA server to authenticate, authorize, and collect accounting information for a Mobile IP service rendered to a mobile node. Figure 1 illustrates the trust model for Mobile IP with AAA. In the Mobile IP registration process, the foreign (serving) authentication server (AAAF) requests proof from the external home authentication server (AAAH) that the external mobile node has acceptable credentials.

Fig. 1. Mobile IP with AAA Trust Chain Model

Figure 2 illustrates the Mobile IP registration and AAA protocol message flow [6], [7], [15]. The authentication message from the mobile node to the AAA server includes a Network Access Identifier (NAI). The NAI has the following format: user@realm. The RRQ message also includes an MN-AAA authentication extension to make the FA forward the request to the AAA. The MN performs the MAC operations using the MN-AAA key $K_{MN-AAA}$. If the mobile node is successfully authenticated by the home authentication server, the home authentication server decides the lifetime for the new authentication key and sends the result.

IV. CONCATENATED WIRELESS ROAMING SECURITY ASSOCIATION AND AUTHENTICATION PROTOCOL USING ID-BASED CRYPTOGRAPHY

A. Concatenated Wireless Roaming Security Association

The current paper proposes a concatenated wireless roaming security association for Mobile IP with AAA authentication using ID-based cryptography, thereby reducing the key management problem compared to certificate-based public key cryptography (see Section II) in user authentication. Plus, the proposed protocol can use PKI (public key infrastructure)-based Cryptographic Message Syntax (CMS) for inter-ISP security schemes. CMS is also used to carry X.509 certificates. Figure 3 presents the concatenated security association, while Table I lists the DSA requirements for CMS. As a result, a certificate-based PKI trusted model is applied to the AAAF, AAAB, and AAAH servers, while identity-based cryptography is applied to all the other Mobile IP nodes. Establishing the DSA involves the initiator issuing a Diameter Security Association Request (DSAR) message, then a Diameter Security Association Answer (DSAA) is issued in response. Table I presents the recommended DSAR/DSAA supporting types of AAA entities according to IETF specifications.

Fig. 3. Modified Mobile IP with AAA Trust Chain Model (figure label: SA1, cert.-based PKI)

TABLE I
REQUIREMENT OF DSA FOR CMS

Diameter Server, Proxy Agent, Diameter Client, Relay Agent
Should

First, the DSA for CMS is established by two ISPs through AAA servers, when a mobile node moves to a foreign network and wants to receive service from a DSA-established foreign network for a period of time. Second, a private key corresponding to the ID of the foreign agent is generated in the AAAH server and delivered through the DSA. Consequently, the proposed security association based on identity-based cryptography is established among all Mobile IP nodes and the AAAH server. Thereafter, secure communications among the Mobile IP nodes and the AAAH server can be achieved using the established ISA (Identity-based cryptography Security Association) without the DSA. The proposed concatenated security association procedure is as follows:
- It is assumed that the section of AAAF-AAAB-AAAF has a CMS-based public key structure.
- The ID of the Foreign Agent is encrypted and sent to AAAH through AAAF-AAAH.
- AAAH generates a private key for the Foreign Agent, encrypts it, and sends it securely to the Foreign Agent.
- All Mobile IP nodes and the AAAH server establish a security association using identity-based cryptography.

TABLE II

| Notation | Meaning |
|---|---|
| ID | Identity (e-mail style), i.e. NAI |
| S_ID | Private key corresponding to ID |
| aaah@ | AAAH's NAI |
| ha@ | HA's NAI |
| mn@ | MN's NAI |
| M | Message |
| << M >> S_ID | Signature of M using S_ID |
| {M}_ID | Encryption of M with ID |

B. Mobile IP Authentication Protocol using ID-Based Cryptography

In contrast, in [4], Jacobs and Belgard propose a Mobile IP protocol based on certificate-based public key cryptography. In their scheme, all the nodes participating in the protocol have a certificate. The protocol proposed in [5] is also certificate-based public key cryptography, yet, in this case, the MN does not use certificate-based public key cryptography operations, thereby avoiding the drawback of Jacobs and Belgard's protocol. Table II presents the essential notations. Before describing the proposed protocol, certain requirements are needed:
- All nodes involved in Mobile IP with AAA can calculate ID-based cryptography operations.
- AAAH is an ID-based cryptography system. Therefore it is a Private Key Generator (PKG) for mobile nodes and has a master key. In the current scenario, the ID is the NAI (see Section III).
- HA has a private key corresponding to its NAI.
- MN possesses a private key corresponding to its NAI.
- As the same domain network, FA and AAAF have a secure channel.

The proposed protocol consists of two steps. The first step is the creation of an ISA between all Mobile IP nodes; the FA also needs an identity-based private key for the Mobile IP security service. The next step is the authentication and registration procedure. The signature and encryption techniques can be applied simultaneously to provide all the specified procedure. The proposed authentication scenario is described in Figure 4, and the proposed protocol proceeds as follows:

(1) MN:
- calculate signature << M1 >> S_mn@ using private key S_mn@, where M1 is the RRQ message.
(2) FA:
- send IDs of MN and FA using the secure channel of the PKI-based AAAF-AAAH.
(3) AAAH:
- create and send the private key of FA using the secure channel of the PKI-based AAAF-AAAH.
- establish dynamic security associations AAAH-FA, MN-FA and FA-HA respectively using identity-based cryptography.
(4) FA:
- verify << M1 >> S_mn@ with mn@.
- calculate signature and encryption (optional).
(5) FA → AAAH:
- FA authenticates using the mobile node's NAI and relays MN's message to AAAH through AAAF and AAAB for authentication of the neighbor network.
(6) AAAH:
- verify << M1 >> S_mn@ using MN's NAI mn@ and authenticate MN.
- generate needed Mobile IP session keys.
(7) AAAH → HA:
- AAAH transmits the HAR message to HA.
(8) HA:
- calculate signature << M2 >> S_ha@ using private key S_ha@, where M2 is the RRP message.
(9) HA → AAAH:
- HA transmits M2, << M2 >> S_ha@ to AAAH.
(10) AAAH:
- calculate << M3 >> S_aaah@ using private key S_aaah@, where M3 is the AMA message containing M2, << M2 >> S_ha@.
- calculate encryption (optional).
(11) AAAH → FA:
- AAAH sends the AMA message containing M2, << M2 >> S_ha@, << M3 >> S_aaah@ to FA through AAAB and AAAF.
(12) FA:
- verify << M3 >> S_aaah@ with aaah@.
(13) FA → MN:
- FA relays M2, << M2 >> S_ha@ to MN.
(14) MN:
- verify << M2 >> S_ha@ with ha@ and authenticate HA.
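The signature chain of steps (1) to (14), traced end to end as an added example; it is not code from the paper or from any Mobile IP or Diameter implementation. It assumes a toy bilinear map in place of the modified Weil pairing, which reproduces the algebra of the Cha-Cheon signature but has no security, and the NAIs, message encodings and function names are hypothetical.

```python
import hashlib
import secrets

# Toy bilinear group for tracing the algebra only: a point xP of G1 is stored
# as the scalar x mod Q and e(xP, yP) is modelled as x*y mod Q (G2 written
# additively). Discrete logs are trivial here, so it offers no security.
Q = 2**127 - 1                     # prime group order (assumed toy parameter)
P = 1                              # generator of G1

def pairing(a, b):
    return (a * b) % Q             # pairing(x*a, y*b) == x*y*pairing(a, b)

def _hash_to_zq(tag, *parts):
    h = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)   # length-prefixed
    return int.from_bytes(h.digest(), "big") % (Q - 1) + 1   # in [1, Q-1]

def G(nai):                        # identity string -> point Q_ID
    return _hash_to_zq(b"G", nai)

def H2(message, U):                # (message, point) -> Z_q
    return _hash_to_zq(b"H2", message, U)

class AAAH:
    """Home AAA server acting as the Private Key Generator (PKG)."""
    def __init__(self):
        self._s = secrets.randbelow(Q - 1) + 1   # master key s
        self.p_pub = (self._s * P) % Q           # P_pub = sP

    def extract(self, nai):
        return (self._s * G(nai)) % Q            # d_ID = s * Q_ID

def sign(d_id, nai, message):
    r = secrets.randbelow(Q - 1) + 1
    U = (r * G(nai)) % Q                         # U = r * Q_ID
    V = ((r + H2(message, U)) * d_id) % Q        # V = (r + h) * d_ID
    return U, V

def verify(p_pub, nai, message, sig):
    U, V = sig                                   # accept iff e(P,V) == e(P_pub, U + h*Q_ID)
    return pairing(P, V) == pairing(p_pub, (U + H2(message, U) * G(nai)) % Q)

def run_registration():
    """Steps (1)-(14) with hypothetical NAIs and constructed message bytes."""
    mn, ha, fa, aaa = ("mn@home.example", "ha@home.example",
                       "fa@visited.example", "aaah@home.example")
    aaah = AAAH()
    key = {nai: aaah.extract(nai) for nai in (mn, ha, aaa)}
    pub, ok = aaah.p_pub, {}
    m1 = b"RRQ|" + mn.encode()
    sig1 = sign(key[mn], mn, m1)                               # (1) MN signs RRQ
    key[fa] = aaah.extract(fa)          # (2)-(3) FA key, delivered over the DSA
    ok["fa_accepts_rrq"] = verify(pub, mn, m1, sig1)           # (4)
    relay = b"RELAY|" + m1
    sig_fa = sign(key[fa], fa, relay)                          # (4) optional FA signature
    ok["aaah_accepts_relay"] = verify(pub, fa, relay, sig_fa)  # (5)
    ok["aaah_accepts_rrq"] = verify(pub, mn, m1, sig1)         # (6)
    m2 = b"RRP|" + mn.encode()
    sig2 = sign(key[ha], ha, m2)                               # (8) HA signs RRP
    m3 = b"AMA|" + m2 + b"|" + repr(sig2).encode()
    sig3 = sign(key[aaa], aaa, m3)                             # (10) AAAH signs AMA
    ok["fa_accepts_ama"] = verify(pub, aaa, m3, sig3)          # (12)
    ok["mn_accepts_rrp"] = verify(pub, ha, m2, sig2)           # (14) MN authenticates HA
    # Failure cases a verifier must reject.
    ok["tampered_rrq_rejected"] = not verify(pub, mn, m1 + b"!", sig1)
    ok["wrong_nai_rejected"] = not verify(pub, fa, m1, sig1)
    ok["foreign_pkg_rejected"] = not verify(AAAH().p_pub, mn, m1, sig1)
    return ok

if __name__ == "__main__":
    print(run_registration())
```

Every entry of the returned dictionary is True: the positive checks show that each verifier needs only P_pub and the signer's NAI, and the negative checks show that an altered RRQ, a mismatched NAI, or a different PKG's P_pub fails verification.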

Fig. 4. Mobile IP Registration and AAA Protocol

C. Security Properties

The proposed scheme provides a security association between Mobile IP nodes and AAA nodes using ID-based cryptography. There are two main techniques used in this scheme: Digital signatures provide authentication, integrity, and data origin authentication, while encryption provides confidentiality (using asymmetric techniques to encrypt a content encryption key, which is then used for bulk encryption). Both techniques can be used simultaneously to provide all the specified security services. Since encryption and signature are possible on a specified security association, this can protect against a DoS attack, replay attack, redirect attack, and session stealing attack. The proposed protocol has the following properties from a security perspective:
- Since ID-based cryptography is applied to Mobile IP authentication, the proposed protocol does not need the MN-AAA key of the original Mobile IP with the AAA protocol. Therefore, the AAAH key management overhead is removed.
- The proposed protocol does not have the additional requirement of a public key infrastructure (PKI) compared to the schemes in [4], [5].
- Since the MN also authenticates the HA, mutual authentication is achieved.
- The AAAH can safely transmit the MN-HA key and MN-FA key to the MN, as the HA encrypts the MN-HA key and MN-FA key using the MN's NAI.
- Since the FA also authenticates or encrypts both the MN's message and the AAAH's message, the proposed protocol is basically secure against a replay attack.
- As the proposed protocol can be implemented by algorithms based on elliptic curves, the performance is improved.

The current proposal is concentrated on the roaming security and although it offers enhanced security the speed of authentication takes time due to pairing computation. Yet, since the proposed protocol is based on public key cryptosystems, it is difficult to compare its computational operation. An end-to-end security protocol can also be designed by extending the authentication protocol between a user and a network to an end-to-end mobile communication environment between two mobile users. Reducing the computational load and the issue of key revocation are both areas for future studies.

V. CONCLUSION

The current paper introduced a Mobile IP authentication protocol using ID-based cryptography, thereby providing certain advantages with regard to key management and security. Furthermore, an identity-based security association is connected to a PKI-based CMS security association. An additional scenario that applies ID-based cryptography to all global nodes based on the IPv6 protocol could also be included to improve the proposed protocol.

REFERENCES

[1] L. Becchetti, P. Mahonen and L. Munoz, "Enhancing IP Service Provision over Heterogeneous Wireless Networks," in IEEE Communications Magazine, pp. 74-81, August 2002.
[2] "IETF IP Routing for Wireless/Mobile Hosts (mobileip) Working Group Charter," in http://www.ietf.org/...
[3] C. S. Hong, K. W. Yim, D. Y. Lee and D. S. Yun, "An Efficient Fault Tolerance Protocol with Backup Foreign Agents in a Hierarchical Local Registration Mobile IP," in ETRI Journal, Vol. 24, No. 1, Feb. 2002.
[4] S. Jacobs, S. Belgard, "Mobile IP Public Key Based Authentication," Internet Draft <draft-jacobs-mobileip-pki-auth-03.txt>, in http://www.ietf.org, July 2001.
[5] Sufatrio, K. Y. Lam, "Mobile IP Registration Protocol: A Security Attack and New Secure Minimal Public-Key Based Authentication," in I-SPAN '99, June 1999.
[6] P. R. Calhoun, T. Johansson, G. Zorn, "IETF AAA Working Group Internet Draft," <draft-ietf-aaa-diameter-17.txt>, in http://www.ietf.org.
[7] P. R. Calhoun, J. Arkko, C. E. Perkins, "IETF AAA Working Group Internet Draft," <draft-ietf-aaa-diameter-mobileip-13.txt>, in http://www.ietf.org.
[8] A. Shamir, "Identity-based cryptosystems and signature schemes," in Proc. of Crypto '84, LNCS, vol. 196, pp. 47-53, Springer-Verlag, 1985.
[9] U. Feige, A. Fiat and A. Shamir, "Zero-knowledge proofs of identity," in J. Cryptology, vol. 1, pp. 77-94, 1988.
[10] A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems," in Proc. Crypto '86, pp. 186-194, 1986.
[11] D. Boneh and M. Franklin, "Identity Based Encryption from the Weil Pairings," in Proc. of Crypto 2001, LNCS Vol. 2139, pp. 213-229, Springer-Verlag, 2001.
[12] J. C. Cha and J. H. Cheon, "An Identity-Based Signature from Gap Diffie-Hellman Groups," in Cryptology ePrint Archive, http://eprint.iacr.org/2002/018/, 2002.
[13] A. Menezes, "Elliptic Curve Public Key Cryptosystems," in Kluwer Academic Publishers, 1993.
[14] C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)," in IETF RFC 2138, Apr. 1997.
[15] P. R. Calhoun, G. Zorn, P. Pan, H. Akhtar, "IETF AAA Working Group Internet Draft," <draft-ietf-aaa-diameter-framework-01.txt>, Diameter Framework Document, in http://www.ietf.org.
[16] P. R. Calhoun, S. Farrell, W. Bulley, "IETF AAA Working Group Internet Draft," <draft-ietf-aaa-diameter-cms-sec-04.txt>, CMS Security Application, in http://www.ietf.org.
[17] M. Christopher, "AAA Protocols: Authentication, Authorization, and Accounting for the Internet," in IEEE Internet Computing, November-December 1999.
[18] T. Hiller et al., "Cdma2000 Wireless Data Requirements for AAA," in RFC 3141, June 2001.
[19] S. Glass, T. Hiller, S. Jacobs, C. Perkins, "IETF Mobile IP Working Group: Mobile IP Authentication, Authorization, and Accounting Requirements," in RFC 2977.
[20] R. Caceres and L. Iftode, "Improving the Performance of Reliable Transport Protocols in Mobile Computing Environments," in IEEE JSAC, vol. 13, no. 5, pp. 850-857, June 1995.
[21] C. E. Perkins, "Mobile IP Joins Forces with AAA," in IEEE Personal Communications, 2000.