
    Secure Certificateless-Based Authenticated Key Agreement Protocol in the Client-Server Setting

    HOU Meng-bo, XU Qiu-liang
    School of Computer Science and Technology, Shandong University, Jinan, 250101, China

    [email protected]; [email protected]

    Abstract

    E-learning communication security must be considered to protect the transmission of sensitive messages. An authenticated key agreement protocol in the client-server setting is the fundamental building block for ensuring client-server entity authentication, data confidentiality and integrity. So far, a great many two-party authenticated key agreement protocols have been proposed based on traditional public key cryptography and identity-based cryptography, but certificateless authenticated key agreement protocols are seldom discussed. In this paper, we propose such a secure protocol from a certificateless public key encryption scheme due to Park et al. Compared to other comparable protocols, it achieves more security attributes, such as no key escrow, perfect forward secrecy, known session-specific temporary information security and no key control, while remaining efficient.

    1. Introduction

    E-learning applications should provide a security mechanism to ensure secure communication between two parties (such as clients and servers) over an open network. A two-party authenticated key agreement (AK) protocol is a fundamental cryptographic building block for such a setting. It not only allows the parties to compute a session key known only to them, for subsequent session data confidentiality and integrity, but also ensures the authenticity of the parties. An AK protocol provides key confirmation if one entity is assured that the partner entity possesses the secret key. A key agreement protocol that provides mutual key authentication as well as mutual key confirmation is called an authenticated key agreement protocol with key confirmation (AKC). Each AK protocol can be transformed into an AKC protocol.

    AK or AKC protocols may employ either private or public key cryptography. Commonly, AK or AKC protocols are designed based on various public key cryptographic primitives, such as traditional public key cryptography (PKC) [11], identity-based cryptography (ID-PKC) [12], certificateless public key cryptography (CL-PKC) [1] and certificate-based public key cryptography (CB-PKC) [13].

    So far, a great many two-party AK or AKC protocols have been proposed based on PKC and ID-PKC, but CL-PKC-based authenticated key agreement protocols are seldom discussed. Most CL-PKC schemes are constructed by composing standard PKC schemes and ID-PKC schemes. Such a method eliminates the need for certificates and the management overhead that a traditional PKC scheme has, as well as the key-escrow problem of a user's private key that may be inherent in an ID-PKC scheme. A CL-PKC scheme thus provides another way to construct a secure authenticated key agreement protocol. Al-Riyami and Paterson [1] first proposed a two-party certificateless AK protocol that requires each party to compute four bilinear pairings; such operations are computationally expensive. Later, Mandt and Tan [9] proposed a protocol of this type which relies on the difficulty of the bilinear Diffie-Hellman problem (BDH). The protocol actually admits both key compromise impersonation and known session-specific temporary information security attacks [10]. Wang et al. [6] also proposed a two-party certificateless AK protocol, which cannot withstand key compromise impersonation either [10]. Shi and Li [5] proposed a certificateless two-party AK protocol based on the new key construction for the certificateless public key encryption scheme due to Libert and Quisquater [7]. It doesn't provide perfect forward secrecy and known session-specific temporary information security. It is found that this protocol fails to provide implicit key authentication, as demonstrated by a man-in-the-middle attack by an outside attacker [10]. Actually, this protocol is vulnerable to the key replicating attack (another form of the man-in-the-middle attack) as well. In a recent work, Wang et al. [4] presented the first certificateless AK protocol for grid computing based on the Diffie-Hellman key agreement protocol and certificateless public key cryptography. We found the scheme cannot withstand the key compromise impersonation attack and the key replicating attack, thus it doesn't possess some desirable security attributes.

    In 2007, Park et al. [2] proposed a CL-PKC encryption scheme (PCHL-CL-PKE scheme) that is IND-sID-CPA secure without random oracles under the q-BDHI and 1-BDHI assumptions. We construct a secure certificateless two-party AK protocol based on this certificateless public key encryption scheme. It achieves almost all the known security attributes of an authenticated key agreement protocol. Wang et al. [15] proposed provably secure identity-based authenticated key agreement protocols based on the ID-PKC scheme of Gentry [3], which is somewhat similar to our scheme. But their scheme doesn't achieve perfect forward secrecy and known session-specific temporary information security. Compared to other comparable certificateless schemes, our protocol achieves more security attributes while retaining good performance.

    978-1-4244-3930-0/09/$25.00 ©2009 IEEE

    The remainder of this paper is organized as follows. Section 2 gives the technical backgrounds. We present the new construction of the secure and efficient two-party certificateless AK protocol in Section 3. Then we analyze the security attributes and performance in Section 4. Finally, we present the conclusion.

    2. Preliminaries

    2.1. Desirable security attributes of AK (or AKC) protocols

    It is desirable for AK and AKC protocols to possess the following security attributes [8].

    1) Known-key secrecy. Each run of the protocol should result in a unique secret session key. The disclosure of one session key should not compromise other session keys.

    2) Forward secrecy. If long-term private keys of one or more of the entities are compromised, the secrecy of previously established session keys should not be affected. We say that a system has perfect forward secrecy if the long-term keys of all the entities involved may be corrupted without compromising any session key previously established by these entities.

    3) PKG forward secrecy. In identity-based systems, the PKG's master key may be corrupted without compromising the security of session keys previously established by any users. It certainly implies perfect forward secrecy.

    4) Key-compromise impersonation. The compromise of an entity A's long-term private key will allow an adversary to impersonate A, but it should not enable the adversary to impersonate other entities to A.

    5) Unknown key-share resilience. An entity A should not be able to be coerced into sharing a key with any entity C when in fact A thinks that she is sharing the key with another entity B.

    6) No-key control. Neither of the parties involved can force the final session key to be some predefined value.

    7) Known session-specific temporary information security. Some random private information is used as an input of the session key generation function. The exposure of this private temporary information should not compromise the secrecy of (other) generated session key.

    8) Message independence. Flows of a protocol run should be unrelated. Of course, this property makes the most sense in the context of an AK protocol. It is not suitable to AKC protocols.

    2.2. Bilinear groups

    Let $G_1$ be a cyclic additive group of prime order $q$ and $G_2$ be a cyclic multiplicative group also of prime order $q$. $P$ is a generator of $G_1$; assume that the discrete logarithm problem (DLP) is hard in both $G_1$ and $G_2$. An admissible pairing $e$ is a bilinear map $e: G_1 \times G_1 \to G_2$, which satisfies the following three properties:

    Bilinear: for $P, Q \in G_1$ and $a, b \in Z_q^*$, we have $e(aP, bQ) = e(P, Q)^{ab}$;

    Non-degenerate: $e(P, P) \neq 1$;

    Computable: if $P, Q \in G_1$, one can compute $e(P, Q) \in G_2$ in polynomial time efficiently.

    The Weil and the modified Tate pairings on elliptic curves can be used to construct such bilinear maps.

    2.3. Computational complexity assumptions

    The security of this scheme is based on some computational complexity assumptions, which are defined as follows:

    Computational Diffie-Hellman assumption (CDH): for $g \in G_2$ the generator of $G_2$ and $a, b \in Z_q^*$, given $g^a$ and $g^b$, computing $g^{ab}$ is hard.

    q-Bilinear Diffie-Hellman Inversion assumption (q-BDHI): given a tuple $(g, g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^q}) \in G_1^{q+1}$ for a random $\alpha \in Z_p^*$ as input, computing $e(g, g)^{1/\alpha} \in G_2$ is hard.

    Informally, we can also say that the decision q-BDHI problem in $G_1$ refers to the problem where, given a tuple $(g, g^{\alpha}, \ldots, g^{\alpha^q}, T) \in G_1^{q+1} \times G_2$ for a random $\alpha \in Z_p^*$, a polynomial-time attacker E is to decide whether $T = e(g, g)^{1/\alpha}$ or $T$ is $e(g, g)$ raised to a random exponent in $Z_p^*$. We say that the decision $(t, q, \epsilon)$-BDHI assumption holds in $G_1$ if no $t$-time algorithm has advantage at least $\epsilon$ in solving the decision $(t, q, \epsilon)$-BDHI problem in $G_1$.

    2.4. Revisit the PCHL-CL-PKE encryption scheme

    In 2007, Park et al. [2] proposed a certificateless public key encryption scheme (PCHL-CL-PKE scheme) based on the Gentry [3] ID-PKC encryption scheme in the selective-ID security model, which is provably secure against chosen plaintext attacks without random oracle under the q-BDHI and 1-BDHI assumptions. The scheme works as follows:

    Let $G_1$ and $G_2$ be bilinear groups of prime order $p$, and let $e: G_1 \times G_1 \to G_2$ be the bilinear pairing.

    Setup: To provide a private key generation service, the private key generator (PKG) selects a random generator $g \in G_1$ and random elements $h, u \in G_1$. It selects a random $\alpha \in Z_p^*$ and defines $g_1 = g^{\alpha} \in G_1$. The system public parameters are $\langle g, g_1, h, u \rangle$ and the master private key of the PKG is $\alpha$.

    Extract-Partial-Private-Key: To generate a partial private key for the identity $ID \in Z_p$, the PKG generates a random $s_{ID} \in Z_p$ and outputs the partial private key as $d_{ID} = \langle s_{ID}, h_{ID} \rangle$, where $h_{ID} = (h g^{-s_{ID}})^{1/(\alpha - ID)}$. The PKG ensures that $ID \neq \alpha$ and it always assigns an identical $s_{ID}$ for a given identity ID.

    Set-User-Key: The user picks a random $x_{ID} \in Z_p^*$ as a secret value. The full private key of user ID is $SK_{ID} = \langle x_{ID}, s_{ID}, h_{ID} \rangle$ and the full public key is $PK_{ID} = \langle X_{ID}, Y_{ID} \rangle$, where $X_{ID} = (g_1 g^{-ID})^{x_{ID}} = g_{ID}^{x_{ID}}$ and $Y_{ID} = u^{x_{ID}}$.

    Encryption: The sender picks $r \in Z_p^*$ randomly and, using the receiver's identity ID, sets the ciphertext to be ($m \in G_2$ is the plaintext):

    $$C = (C_1, C_2, C_3) = \left(X_{ID}^{r},\ e(g, g)^{r},\ m \cdot e(g, h)^{-r}\right).$$

    Decryption: To decrypt the ciphertext $C = (C_1, C_2, C_3)$, the identity ID computes $m = e(C_1, h_{ID})^{1/x_{ID}} \cdot C_2^{s_{ID}} \cdot C_3$.

    Consistence: The recipient can correctly decrypt $C$ to acquire the plaintext $m$, because

    $$e(C_1, h_{ID})^{1/x_{ID}} \cdot C_2^{s_{ID}} = e\left(g^{r(\alpha - ID)}, (h g^{-s_{ID}})^{1/(\alpha - ID)}\right) \cdot e(g, g)^{r s_{ID}} = e(g, h)^{r}.$$

    3. The proposed AK scheme

    We construct a new certificateless two-party AK protocol based on the PCHL-CL-PKE encryption scheme due to Park et al [2].

    Suppose two entities, called the client and the server, wish to establish a shared secret session key, and a PKG is responsible for the creation and distribution of the entities' private keys using its master private key. The protocol consists of three phases, i.e. Setup, Key Generation and Key Agreement. The Setup and Key Generation stages are identical to those of the PCHL-CL-PKE encryption scheme.

    Setup. The PKG first generates the system parameters $\langle g, g_1, h, u \rangle$, its master private key $\alpha$ and master public key $g_1 = g^{\alpha} \in G_1$. In addition, it defines a hash function $H_1: \{0,1\}^* \to \{0,1\}^k$ as the session key derivation function, where $k = |sk|$ and $sk$ is the session key of the client and the server derived from the protocol.

    Key Generation. For the client with identity $ID_c$, we define its full private key as $SK_c = \langle x_c, s_c, h_c \rangle$ and the full public key as $PK_c = \langle X_c, Y_c \rangle$, where $X_c = (g_1 g^{-ID_c})^{x_c} = g_c^{x_c}$ and $Y_c = u^{x_c}$. For the server with identity $ID_s$, we define its full private key as $SK_s = \langle x_s, s_s, h_s \rangle$ and the full public key as $PK_s = \langle X_s, Y_s \rangle$. We define $g_c = g_1 g^{-ID_c}$, $g_s = g_1 g^{-ID_s}$ and $g_T = e(g, g)$.

    Key Agreement. The client and the server run the following protocol to establish a shared session key $sk$ with implicit key authentication. The protocol is a 2-pass procedure; the details are as follows.

    1) The client picks $r_c \in_R Z_p^*$ and computes $T_{c1} = T_{c11} \| T_{c12}$, where $T_{c11} = g_s^{r_c}$ and $T_{c12} = g_T^{r_c}$, then sends $T_{c1}$ to the server.

    2) The server picks $r_s \in_R Z_p^*$ and computes $T_{s1} = T_{s11} \| T_{s12}$, where $T_{s11} = g_c^{r_s}$ and $T_{s12} = g_T^{r_s}$, then sends $T_{s1}$ to the client.

    3) The client computes

    $$T_{c2} = e(T_{s11}, h_c) \cdot (T_{s12})^{s_c} \cdot e(g, h)^{r_c},$$

    $$T_{c3} = (T_{s12})^{r_c} = e(g, g)^{r_c r_s},$$

    $$T_{c4} = Y_s^{x_c} = u^{x_c x_s},$$

    $$sk_c = H_1(ID_c \| ID_s \| T_{c1} \| T_{s1} \| T_{c2} \| T_{c3} \| T_{c4}).$$

    4) The server computes

    $$T_{s2} = e(T_{c11}, h_s) \cdot (T_{c12})^{s_s} \cdot e(g, h)^{r_s},$$

    $$T_{s3} = (T_{c12})^{r_s} = e(g, g)^{r_s r_c},$$

    $$T_{s4} = Y_c^{x_s} = u^{x_s x_c},$$

    $$sk_s = H_1(ID_c \| ID_s \| T_{c1} \| T_{s1} \| T_{s2} \| T_{s3} \| T_{s4}).$$

    Correctness verification. At the end of the protocol execution, the client and the server will agree on the same session key, for

    $$\begin{aligned}
    T_{c2} &= e(T_{s11}, h_c) \cdot (T_{s12})^{s_c} \cdot e(g, h)^{r_c} \\
    &= e\left(g_c^{r_s}, (h g^{-s_c})^{1/(\alpha - ID_c)}\right) \cdot (g_T^{r_s})^{s_c} \cdot e(g, h)^{r_c} \\
    &= e\left(g^{r_s(\alpha - ID_c)}, (h g^{-s_c})^{1/(\alpha - ID_c)}\right) \cdot g_T^{r_s s_c} \cdot e(g, h)^{r_c} \\
    &= e\left(g^{r_s}, h g^{-s_c}\right) \cdot g_T^{r_s s_c} \cdot e(g, h)^{r_c} \\
    &= e(g, g)^{-r_s s_c} \cdot e(g, h)^{r_s} \cdot e(g, g)^{r_s s_c} \cdot e(g, h)^{r_c} \\
    &= e(g, h)^{r_s + r_c}
    \end{aligned} \qquad (1)$$

    $$\begin{aligned}
    T_{s2} &= e(T_{c11}, h_s) \cdot (T_{c12})^{s_s} \cdot e(g, h)^{r_s} \\
    &= e\left(g_s^{r_c}, (h g^{-s_s})^{1/(\alpha - ID_s)}\right) \cdot (g_T^{r_c})^{s_s} \cdot e(g, h)^{r_s} \\
    &= e\left(g^{r_c(\alpha - ID_s)}, (h g^{-s_s})^{1/(\alpha - ID_s)}\right) \cdot g_T^{r_c s_s} \cdot e(g, h)^{r_s} \\
    &= e\left(g^{r_c}, h g^{-s_s}\right) \cdot g_T^{r_c s_s} \cdot e(g, h)^{r_s} \\
    &= e(g, g)^{-r_c s_s} \cdot e(g, h)^{r_c} \cdot e(g, g)^{r_c s_s} \cdot e(g, h)^{r_s} \\
    &= e(g, h)^{r_c + r_s}
    \end{aligned} \qquad (2)$$

    It is obvious that $T_{c2} = T_{s2}$ from (1) and (2). With $T_{c3} = T_{s3} = e(g, g)^{r_c r_s}$ and $T_{c4} = T_{s4} = u^{x_s x_c}$, we can know $sk_c = sk_s = sk$.

    No-Key Escrow. The PKG knows the long term key of the server and the client, so it can calculate $e(g, h)^{r_c} = e(T_{c11}, h_s) \cdot (T_{c12})^{s_s}$ as well as $e(g, h)^{r_s} = e(T_{s11}, h_c) \cdot (T_{s12})^{s_c}$, so the PKG can calculate $T_{c2}$ or $T_{s2}$. Whilst the PKG knows the parameters $\langle \alpha, ID_c, ID_s \rangle$, it can calculate $(\alpha - ID_c)^{-1}$ from $(\alpha - ID_c)(\alpha - ID_c)^{-1} = 1 \bmod p$ and calculate $(\alpha - ID_s)^{-1}$ from $(\alpha - ID_s)(\alpha - ID_s)^{-1} = 1 \bmod p$. Then it can calculate $g^{r_c} = (T_{c11})^{(\alpha - ID_s)^{-1}}$ and $g^{r_s} = (T_{s11})^{(\alpha - ID_c)^{-1}}$, so $T_{c3} = T_{s3} = e(g^{r_c}, g^{r_s}) = e(g, g)^{r_c r_s}$ can be calculated. But $T_{c4}$ and $T_{s4}$ are calculated with the private keys of the client and the server, which were generated by themselves separately, so the PKG could not get them. This means that the PKG cannot calculate the final session key $sk_c$ or $sk_s$, i.e., the PKG is unable to recover the session keys established by its users.

    4. Security and efficiency

    4.1. Security attributes

    We analyze the proposed protocol according to the desirable security attributes for an authenticated key agreement protocol. It shows that such a scheme achieves almost all of the known desirable security attributes. Moreover, it can withstand some known attacks such as key replicating attack and public key replacement attack.

    1) Known-key secrecy. In this scheme, $r_c \in Z_q^*$ and $r_s \in Z_q^*$ are ephemeral private keys randomly chosen by the client and the server respectively. Even when the participants remain the same, all protocol runs will produce different session keys. The key replicating attack can be viewed as a violation of known-key secrecy; we will discuss it in the section on no-key control.

    2) Forward secrecy. This scheme achieves perfect forward secrecy. Although the adversary can compute $T_{c2}$, $T_{s2}$, $T_{c4}$, $T_{s4}$ when armed with both entities' full long-term private keys, he could not compute $T_{c3}$ or $T_{s3}$, for calculating $T_{c3}$ or $T_{s3}$ is a CDH hard problem.

    3) PKG forward secrecy. No-key escrow is the inherent attribute of CL-PKC-based schemes. Compromise of the PKG's master private key does not enable an adversary (including the PKG) to reveal previously established session keys. In this scheme, although the adversary may generate partial private keys, in order to compute the established session key, both a short-term private key and the long-term private key of a party involved in a session must be obtained.

    4) Key-compromise impersonation. The proposed protocol is resistant to key-compromise impersonation. If an adversary armed with the private key of the client wants to impersonate the server to the client, then although the adversary can replace the public key of the server to force $T_{c3} = T_{s3}$ and $T_{c4} = T_{s4}$, he could not compute $T_{c2}$ or $T_{s2}$ without knowing the server's private key.

    5) Unknown key-share resilience. Suppose an adversary E attempts to make the client believe a session key is shared with the server, while the server instead believes the key is shared with E. For E to launch this attack successfully, he should force the client and the server to share the same secret. However, the client and the server can never share the same key, because both parties use the identifier of the intended peer in computing the session key.

    6) No key-control. Since randomly selected short-term keys are used by the two parties separately in generating the session key, neither party can decide the final session key. In practice, it is difficult to achieve perfect key control, since it is necessary for one party to initiate the protocol run and choose his ephemeral key first, so the responding party has the ability to estimate some of the bits of the session key through different choices of ephemeral keys. This deficiency exists in all interactive key agreement protocols [14].

    The key replicating attack is one form of man-in-the-middle attack which affects the no key-control security attribute [8]. In this scheme, any modification to the exchanged messages will lead to different session keys on the two sides. An outside adversary may play a key replicating attack by replacing $T_{c1}$ and $T_{s1}$ with $T'_{c1} = T_{c1}^{k}$ and $T'_{s1} = T_{s1}^{k}$ for some $k$ to force $T_{c3} = T_{s3}$, but it will lead to $T_{c2} \neq T_{s2}$.

    7) Known session-specific temporary information security. Compromising the short-term private keys of a session does not reveal the established key. In this scheme, obtaining the keys $r_c$ and $r_s$ in any session between the client and the server allows the adversary to compute $T_{c2}$ (or $T_{s2}$) and $T_{c3}$ (or $T_{s3}$), but not $T_{c4}$ (or $T_{s4}$), so the scheme achieves such a security attribute.

    8) Message independence. As an AK protocol, the flows of this scheme are unrelated, because $r_c$ and $r_s$ are selected by the client and the server independently.

    Another problem should be considered is the public key replacement attack. With the security assurance of the underlying certificateless public key encryption scheme, the public key replacement attack could not work.

    The comparisons of security attributes with other certificateless AK protocols [1,4,5,6,9] and identity-based AK protocol [15] are listed in Table 1 (Note. PFS: Perfect forward secrecy; KCI-R: Key-compromise impersonation; UKS-R: Unknown key-share resilience; KSSTIS: Known session-specific temporary information security; KRA-R: Key replicating attack resilience).
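
    The equalities in (1) and (2), the No-Key Escrow paragraph and the key replicating claim above can be checked mechanically. The following is an added example, not code from the paper: it assumes a toy bilinear group (a $G_1$ element is stored as its exponent modulo $p = 1019$, $G_2$ is the order-$p$ subgroup of $Z_{2039}^*$), SHA-256 in place of $H_1$, and constructed key values; all function names are hypothetical. Discrete logarithms are trivial in this model, so it verifies the algebra only, not any hardness claim.

```python
import hashlib

# Constructed toy groups, NOT secure: a G_1 element g^a is stored as the
# exponent a mod p, and G_2 is the order-p subgroup of Z_P^* with P = 2p + 1.
p, P = 1019, 2039
GT = 4  # g_T = e(g, g); 4 is a quadratic residue mod P, so its order is p


def e(a, b):
    """Toy pairing e(g^a, g^b) = g_T^(ab), bilinear by construction."""
    return pow(GT, a * b % p, P)


def extract(h, alpha, ident, s):
    """Partial private key <s_ID, h_ID>, h_ID = (h g^-s_ID)^(1/(alpha - ID))."""
    return s, (h - s) * pow((alpha - ident) % p, -1, p) % p


def first_flow(g1, peer_id, r):
    """T_1 = T_11 || T_12 = (g_peer^r, g_T^r) with g_peer = g_1 g^-ID_peer."""
    return (g1 - peer_id) * r % p, pow(GT, r, P)


def shares(h, partial, x, r, peer_T1, peer_Y):
    """(T_2, T_3, T_4) as computed in steps 3) and 4) of Key Agreement."""
    (s, h_id), (t11, t12) = partial, peer_T1
    t2 = e(t11, h_id) * pow(t12, s, P) * pow(e(1, h), r, P) % P
    return t2, pow(t12, r, P), peer_Y * x % p


def session_key(id_c, id_s, T_c1, T_s1, t):
    """sk = H_1(ID_c || ID_s || T_c1 || T_s1 || T_2 || T_3 || T_4), SHA-256 here."""
    return hashlib.sha256(repr((id_c, id_s, T_c1, T_s1, t)).encode()).hexdigest()


def pkg_view(h, alpha, part_c, part_s, id_c, id_s, T_c1, T_s1):
    """Values the PKG can rebuild from alpha, the partial keys and both flows
    (No-Key Escrow paragraph): T_2 and T_3. T_4 needs x_c or x_s."""
    (s_c, h_c), (s_s, h_s) = part_c, part_s
    egh_rc = e(T_c1[0], h_s) * pow(T_c1[1], s_s, P) % P   # e(g,h)^r_c
    egh_rs = e(T_s1[0], h_c) * pow(T_s1[1], s_c, P) % P   # e(g,h)^r_s
    g_rc = T_c1[0] * pow((alpha - id_s) % p, -1, p) % p   # g^r_c
    g_rs = T_s1[0] * pow((alpha - id_c) % p, -1, p) % p   # g^r_s
    return egh_rc * egh_rs % P, e(g_rc, g_rs)


def run(k=1):
    """One run with constructed values. k != 1 replaces both flows in transit
    by their k-th powers, the key replicating attempt from Section 4.1."""
    alpha, h, u = 777, 345, 678          # master key and exponents of h, u
    id_c, id_s, x_c, x_s, r_c, r_s = 101, 202, 13, 19, 123, 456
    g1 = alpha                           # g_1 = g^alpha
    part_c, part_s = extract(h, alpha, id_c, 11), extract(h, alpha, id_s, 17)
    Y_c, Y_s = u * x_c % p, u * x_s % p  # Y_ID = u^x_ID
    T_c1, T_s1 = first_flow(g1, id_s, r_c), first_flow(g1, id_c, r_s)
    recv_s = (T_c1[0] * k % p, pow(T_c1[1], k, P))   # what the server receives
    recv_c = (T_s1[0] * k % p, pow(T_s1[1], k, P))   # what the client receives
    tc = shares(h, part_c, x_c, r_c, recv_c, Y_s)
    ts = shares(h, part_s, x_s, r_s, recv_s, Y_c)
    return {
        "tc": tc, "ts": ts,
        "key_c": session_key(id_c, id_s, T_c1, recv_c, tc),
        "key_s": session_key(id_c, id_s, recv_s, T_s1, ts),
        "pkg": pkg_view(h, alpha, part_c, part_s, id_c, id_s, T_c1, T_s1),
    }


if __name__ == "__main__":
    honest, tampered = run(1), run(2)
    print("honest run, keys equal:", honest["key_c"] == honest["key_s"])
    print("PKG rebuilds T_2, T_3:", honest["pkg"] == honest["tc"][:2])
    print("tampered run, T_3 equal:", tampered["tc"][1] == tampered["ts"][1])
    print("tampered run, T_2 equal:", tampered["tc"][0] == tampered["ts"][0])
```

    In the honest run both sides derive the same $(T_2, T_3, T_4)$ and the same key; with $k = 2$ the two sides still agree on $T_3$ but disagree on $T_2$, so the derived keys differ.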

    4.2. Efficiency

    The efficiency of key agreement protocols is essentially measured by the computational and communication overhead. Communication overhead refers to the number of bits transmitted by each entity in a protocol run, while computational overhead refers to the cost of all arithmetic computations each entity must perform in order to carry out the key agreement. There are some schemes [1, 4, 5, 6, 9] which are based on certificateless public key encryption schemes; we give the performance comparisons in Table 2 (considering only the on-line operations).

    Table 1. Security attributes comparisons

    Columns: Protocol; Security Attributes PFS, KCI-R, UKS-R, KSSTIS, KRA-R. Rows: Scheme [1], Scheme [4], Scheme [5]*, Scheme [6], Scheme [9], Scheme [15], New scheme. [The marks in the table cells are not recoverable from the extracted text.]

    Table 2. Efficiency comparisons (computational operations)

    | Protocol    | Pairing | Scalable Multiplication | Exponentiation |
    |-------------|---------|-------------------------|----------------|
    | Scheme [1]  | 4       | 1                       | 2              |
    | Scheme [4]  | 1       | 3                       | 0              |
    | Scheme [5]  | 1       | 2                       | 1              |
    | Scheme [6]  | 2       | 2                       | 1              |
    | Scheme [9]  | 2       | 3                       | 1              |
    | Scheme [15] | 1       | 0                       | 4              |
    | New scheme  | 1       | 0                       | 6              |

    Note. Pairing and Scalable Multiplication operation costs are much higher than exponentiation operations.

    5. Conclusion

    In this paper, we present a secure and efficient two-party authenticated key agreement protocol based on a secure certificateless encryption scheme, which can be properly used in the client-server e-learning setting to ensure secure communication. Security analysis shows that it achieves perfect forward secrecy, PKG forward secrecy and almost all the other known security attributes, such as known-key secrecy, key-compromise impersonation resilience, unknown key-share resilience, known session-specific temporary information security, message independence and no-key control. Compared to other comparable schemes, it is more secure and has nice efficiency.

    Acknowledgment

    This work was supported by National Natural Science Foundation of China (No. 60873232), also by Natural Science Foundation of Shandong Province, China (No. Y2007G37).

    References

    [1] S.S. Al-Riyami and K.G. Paterson, Certificateless Public Key Cryptography, In C. S. Laih (eds.), Advances in Cryptology-ASIACRYPT 2003, Lecture Notes in Computer Science, Vol. 2894, Springer Berlin/Heidelberg, 2003, pp. 452-473.

    [2] J.H. Park, K.Y. Choi, J.Y. Hwang, and D.H. Lee, Certificateless Public Key Encryption in the Selective-ID Security Model (without random oracles), T. Takagi et al. (Eds.), Pairing 2007, Lecture Notes in Computer Science, Vol. 4575, Springer Berlin/Heidelberg, 2007, pp. 60-82.

    [3] C. Gentry, Practical Identity-based Encryption without Random Oracles, Proc. of EUROCRYPT'06, Lecture Notes in Computer Science, Vol. 4004, Berlin: Springer-Verlag, 2006, pp. 445-464.

    [4] S.B. Wang, Z.F. Cao and H.Y. Bao, Efficient Certificateless Authentication and Key Agreement (CL-AK) for Grid Computing, International Journal of Network Security, Vol. 7(3), 2008, pp. 342-347.

    [5] Y.J. Shi and J.H. Li, Two-party Authenticated Key Agreement in Certificateless Public Key Cryptography, Wuhan University Journal of Natural Sciences, Vol. 12(1), 2007, pp. 71-74.

    [6] S.B. Wang, Z.F. Cao and L.C. Wang, Efficient Certificateless Authenticated Key Agreement Protocol from Pairings, Wuhan University Journal of Natural Sciences, Vol. 11(5), 2006, pp. 1278-1282.

    [7] B. Libert and J-J. Quisquater, On Constructing Certificateless Cryptosystems from Identity Based Encryption, Lecture Notes in Computer Science, Vol. 3958, Berlin/Heidelberg, 2006, pp. 474-490.

    [8] S. Blake-Wilson, D. Johnson and A. Menezes, Key Agreement Protocols and Their Security Analysis, In 6th IMA International Conference on Cryptography and Coding, Springer-Verlag, Vol. 1355 of Lecture Notes in Computer Science, 1997, pp. 30-45.

    [9] T.K. Mandt and C.H. Tan, Certificateless Authenticated Two-party Key Agreement Protocols, In Advances in Computer Science - ASIAN 2006, Secure Software and Related Issues, Springer Berlin/Heidelberg, Vol. 4435 of Lecture Notes in Computer Science, 2008, pp. 37-44.

    [10] C.M. Swanson, Security in Key Agreement: Two-party Certificateless Schemes, Master's thesis, University of Waterloo, Canada, 2008.

    [11] C. Adams and S. Farrell, Internet X.509 Public Key Infrastructure: Certificate Management Protocols, Work in progress, 2004.

    [12] A. Shamir, Identity-based Cryptosystems and Signature Schemes, In CRYPTO'84, Vol. 196 of Lecture Notes in Computer Science, Berlin/Springer-Verlag, 1984, pp. 47-53.

    [13] C. Gentry, Certificate-based Encryption and the Certificate Revocation Problem, In EUROCRYPT'03, Vol. 2656 of Lecture Notes in Computer Science, Berlin/Springer-Verlag, 2003, pp. 272-293.

    [14] C.J. Mitchell, M. Ward, P. Wilson, Key Control in Key Agreement Protocols, Electronics Letters 34, 1998, pp. 980-981.

    [15] S.B. Wang, Z.F. Cao, X.L. Dong, Provably Secure Identity-based Authenticated Key Agreement Protocols in the Standard Model, Chinese Journal of Computers, Vol. 30(10), 2007, pp. 1842-1854.