key establishment protocols for secure mobile communications

Key Establishment Protocols for Secure Mobile Communications. A. Aziz and W. Diffie, “Privacy and Authentication for Wireless Local Area Networks”, IEEE Personal Communications. Presented by Yanxia Zhao.

Upload: erik

Post on 25-Feb-2016






Page 1: Key Establishment Protocols for Secure Mobile Communications

Key Establishment Protocols for Secure Mobile Communications

A. Aziz and W. Diffie, “Privacy and Authentication for Wireless Local Area Networks”, IEEE Personal Communications

Presented by Yanxia Zhao

Page 2: Key Establishment Protocols for Secure Mobile Communications


Content

Introduction

Public-key cryptosystems

Secret-key cryptosystems

Aziz-Diffie protocol

Conclusions

Page 3: Key Establishment Protocols for Secure Mobile Communications

Introduction

Mobile applications have special vulnerabilities.

The wireless medium introduces new opportunities for eavesdropping on wireless data communications.

Active intrusions through the wireless medium are made easier.

Security is a critical issue in mobile applications, both for the users and the providers of such systems.

Page 4: Key Establishment Protocols for Secure Mobile Communications

Introduction (contd.)

Design goals of authentication and key management protocols:

Prevent unauthorized access to the mobile network.

Provide mutual authentication between a base station and a mobile station.

Page 5: Key Establishment Protocols for Secure Mobile Communications

Introduction (contd.)

Types of key establishment protocols for mobile communication:

Secret-key cryptosystems: GSM (Global System for Mobile Communications); U.S. Digital Cellular System

Public-key cryptosystems: MSR+DH Protocol; Beller and Yacobi’s Protocol; Aziz-Diffie Protocol

Page 6: Key Establishment Protocols for Secure Mobile Communications

Secret Key Cryptography

Secret Key Cryptography involves the use of a single key. The same key is used for Encryption and Decryption.

Figure 1. A secret key cryptographic system (figure labels: Plain text, Encryption, Cipher text, Decryption, Plain text)

Page 7: Key Establishment Protocols for Secure Mobile Communications

Secret Key Cryptography (Contd.)

Secret Key Systems provide Strong Authentication functionality. This implies that someone can prove knowledge of a secret without revealing it. Authentication is generally implemented using a Challenge-Response mechanism.

Figure 2. Challenge-Response Mechanism. A and B share a secret key KAB (figure labels: Challenge B; rA encrypted with KAB; rB encrypted with KAB)

Page 8: Key Establishment Protocols for Secure Mobile Communications

Advantage of Secret-key based protocol

The secret-key based protocol supports inexpensive mobile stations of low power and light weight, so it is suitable for highly dynamic mobile systems.

Page 9: Key Establishment Protocols for Secure Mobile Communications

Disadvantage of Secret-key based protocol

The key management of the secret-key based protocol is more complicated and more dangerous than that of the public-key based one.

Each mobile station must keep its secret information, all of which should also be stored in the Authentication Center (AC).

The AC becomes the critical component in the system because it should participate in all key establishment protocol executions.

The communication overhead of the AC is increased, and one must replicate the AC to reduce the overhead. However, the replication of the AC increases the risk to the system.

Page 10: Key Establishment Protocols for Secure Mobile Communications

Public Key Cryptography

In Public Key Cryptography, each individual user has two keys: a Private Key (that is not revealed to anyone else) and a Public Key (that is open to the public). Encryption is done using the Public Key and Decryption is done using the Private Key.

Figure 3. A Public Key Cryptographic System (figure labels: Plain text, Encryption, Cipher text, Plain text; Public Key, Private Key)

Page 11: Key Establishment Protocols for Secure Mobile Communications

Public Key Cryptography (contd.)

Figure 4. Information transfer in a Public Key Cryptographic System (figure labels: Encrypt mA using eB; Encrypt mB using eA; Decrypt to mB using dA; Decrypt to mA using dB)

A’s <Public Key, Private Key> pair is <eA,dA> and B’s pair is <eB,dB>

Page 12: Key Establishment Protocols for Secure Mobile Communications

Public Key Cryptography (contd.)

Digital signatures: Public Key Cryptography also facilitates digital signatures, whereby a person can “sign” a plain-text using his Private Key and anyone can verify the person’s identity by using the Public Key of that person.

Figure 5. Digital Signatures in Public Key System (figure labels: Plain text, Signed Message, Plain text; Private Key, Public Key)

Page 13: Key Establishment Protocols for Secure Mobile Communications

Advantage of Public-key based protocol

The public-key based protocols only need CA (Certificate Authority) which certifies the public-keys of mobile stations and base stations.

CA is less critical than AC (in secret-key based protocol) because CA only certifies public-keys, whereas AC should manage all secret information.

Page 14: Key Establishment Protocols for Secure Mobile Communications

Disadvantage of Public-key based protocol

Public-key based protocols are not fully utilized because of the poor computing power and the small battery capacity of a mobile station. Consequently, much research on key establishment protocols focuses on minimizing the computational overhead of a mobile station without loss of security.

Page 15: Key Establishment Protocols for Secure Mobile Communications

Overview of Aziz-Diffie protocol

The protocol proposed by Aziz and Diffie uses public-key cryptographic techniques in order to secure the wireless link. Public-key cryptography is used to do session key setup and authentication.

Each participant in the protocol generates a public key/private key pair. The private key is kept securely by the owner of the key pair. The public key is submitted, over an authenticated channel, to a trusted certification authority (CA).

Page 16: Key Establishment Protocols for Secure Mobile Communications

Overview of Aziz-Diffie protocol (Contd.)

The participant submits the information. The CA will then issue a certificate to the participant. The certificate will contain a binding between the public key and a logical identifier of the participant, in the form of a document digitally signed using the CA’s private key.

Having obtained a certificate for each participant, as well as secure backup of the private keys, the mobile and base exchange certificates and engage in a mutual challenge-response protocol. The protocol allows negotiation of the shared-key algorithm.

Page 17: Key Establishment Protocols for Secure Mobile Communications

Notes on Nomenclature

Public key of certification authority: Pub_CA

Private key of certification authority: Priv_CA

Public key of mobile host: Pub_Mobile

Private key of mobile host: Priv_Mobile

Public key of base station: Pub_Base

Private key of base station: Priv_Base

Certificate of mobile host: Cert_Mobile

Certificate of base station: Cert_Base

E(X,Y): the encryption of Y under key X

MD(X): the message digest function value on contents X

Sig(X,Y)=E(X,MD(Y)): the signature of Y with key X

Page 18: Key Establishment Protocols for Secure Mobile Communications

Initial connection setup between mobile host and base station using Aziz-Diffie protocol

Message #1. Mobile → Base {Cert_Mobile, CH1, List of SKCSs}

Message #2. Base → Mobile {Cert_Base, E(Pub_Mobile, RN1), Chosen SKCS, Sig(Priv_Base, {E(Pub_Mobile, RN1), Chosen SKCS, CH1, List of SKCSs})}

Message #3. Mobile → Base {E(Pub_Base, RN2), Sig(Priv_Mobile, {E(Pub_Base, RN2), E(Pub_Mobile, RN1)})}

Page 19: Key Establishment Protocols for Secure Mobile Communications

Figure 6. Aziz-Diffie protocol for wireless networks (figure legend: CA - Certificate of A; KA - Public key of A; KA^-1 - Private key of A; RA, NA - random # generated by A; RB - random # generated by B)

Page 20: Key Establishment Protocols for Secure Mobile Communications

Description of Initial connection setup process

At connection initiation time, a mobile requesting to connect to the wired network sends message #1 to the base. It includes the mobile host’s certificate, a 128-bit randomly chosen challenge value (CH1), and a list of supported shared-key cryptosystems (SKCSs).

Certificate = Sig(Priv_CA, {Serial Number, Validity Period, Machine Name, Machine Public Key, CA name})

The list of SKCSs is intended to allow for negotiation of the SKCS with the base. The SKCS will be used to encrypt subsequent data packets.

Page 21: Key Establishment Protocols for Secure Mobile Communications

Description of Initial connection setup process (Contd.)

After receiving message #1, the base will attempt to verify the signature on Cert_Mobile. If the certificate is invalid, the base rejects the connection attempt. If the certificate is valid (the public key in the certificate belongs to a certified mobile host), the base will send Message #2 to the mobile:

Cert_Base

a random number RN1 encrypted under Pub_Mobile

the SKCS that the base chose out of the list of SKCSs

the signature on some message using Priv_Base.

Page 22: Key Establishment Protocols for Secure Mobile Communications

Description of Initial connection setup process (Contd.)

Method of choosing the shared-key cryptosystem (SKCS):

The SKCS is chosen from the intersection of the set of SKCSs proposed in message #1 by the mobile and the set the base supports. The base will choose the one it deems the most secure from the intersection of the two sets.

The selected algorithm is subsequently employed for encipherment of the call data once the initial connection is set up and a session key is established.

Page 23: Key Establishment Protocols for Secure Mobile Communications

Description of Initial connection setup process (Contd.)

After receiving message #2, the mobile validates the certificate of the base (Cert_Base). If the certificate is valid, then the mobile will verify the signature on the message. If the signature doesn’t match, the base is deemed an imposter and the mobile will abort the connection attempt. Otherwise, the base is deemed authentic and the mobile will send Message #3:

a random number RN2 encrypted under Pub_Base

the signature on the encrypted RN1 and RN2 using Priv_Mobile


Page 24: Key Establishment Protocols for Secure Mobile Communications

Description of Initial connection setup process (Contd.)

After receiving message #3, the base will verify the signature in the message. If the signature verifies, the mobile is deemed an authentic host. Otherwise, the mobile is deemed an intruder and the base will reject the connection attempt.

If the connection attempt succeeds, then at this point mutual authentication has been set up. The mobile and base use (RN1 RN2) as the session key. Since both halves of the key are completely random, knowing either RN1 or RN2 tells an attacker nothing about the session key.
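Added example (not from the slides or from the Aziz-Diffie paper): messages #2 and #3 in Python, showing that the base's signature over CH1 and the list of SKCSs lets the mobile detect a list that was altered before it reached the base. Assumptions: certificates are taken as already validated, the RSA keys are toy values built from known Mersenne primes, the SKCS names are hypothetical, and RN1 and RN2 are combined with XOR because the operator is missing from the slide text.

```python
import hashlib
import secrets

def keypair(p, q):  # toy textbook RSA on known Mersenne primes: NOT secure
    n = p * q
    return (n, 65537), (n, pow(65537, -1, (p - 1) * (q - 1)))

def enc(key, m):  # E(X, Y): raw modular exponentiation of Y under key X
    return pow(m, key[1], key[0])

def md(*parts):  # MD(X): SHA-256 over the listed fields
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

def sig(priv, *parts):  # Sig(X, Y) = E(X, MD(Y))
    return enc(priv, md(*parts))

def verify(pub, s, *parts):
    return enc(pub, s) == md(*parts)

PUB_M, PRIV_M = keypair(2**521 - 1, 2**607 - 1)  # mobile (constructed keys)
PUB_B, PRIV_B = keypair(2**127 - 1, 2**521 - 1)  # base (constructed keys)
BASE_PREF = ["AES-128", "3DES", "DES"]  # hypothetical SKCS names, strongest first

def base_msg2(ch1, offered):  # base side, after Cert_Mobile is accepted
    chosen = next(s for s in BASE_PREF if s in offered)
    rn1 = secrets.randbits(128)
    e_rn1 = enc(PUB_M, rn1)
    return rn1, (e_rn1, chosen, sig(PRIV_B, e_rn1, chosen, ch1, offered))

def mobile_msg3(ch1, sent_list, msg2):  # mobile side, after Cert_Base is accepted
    e_rn1, chosen, s = msg2
    if not verify(PUB_B, s, e_rn1, chosen, ch1, sent_list):
        return None  # signature does not cover our CH1 and our list: abort
    rn2 = secrets.randbits(128)
    e_rn2 = enc(PUB_B, rn2)
    # XOR is an assumption: the combining operator is missing from the slide text
    return enc(PRIV_M, e_rn1) ^ rn2, (e_rn2, sig(PRIV_M, e_rn2, e_rn1))

def base_finish(rn1, e_rn1, msg3):  # base side: None means the mobile is rejected
    e_rn2, s = msg3
    return rn1 ^ enc(PRIV_B, e_rn2) if verify(PUB_M, s, e_rn2, e_rn1) else None

def handshake(list_seen_by_base):
    ch1, sent = secrets.randbits(128), ["DES", "AES-128"]  # Message #1 fields
    rn1, msg2 = base_msg2(ch1, list_seen_by_base)
    out = mobile_msg3(ch1, sent, msg2)
    if out is None:
        return None
    return msg2[1], out[0], base_finish(rn1, msg2[0], out[1])
```

handshake(["DES", "AES-128"]) returns the chosen SKCS and the same session key on both sides; handshake(["DES"]) returns None because the mobile recomputes the digest over the list it actually sent.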

Page 25: Key Establishment Protocols for Secure Mobile Communications

Advantage of Aziz-Diffie Protocol

The protocol provides good forward secrecy. This approach requires the compromise of both the base’s and the mobile’s private keys in order for preceding traffic between that base and mobile to be compromised.

Page 26: Key Establishment Protocols for Secure Mobile Communications

Disadvantage of Aziz-Diffie Protocol

The protocol is computationally expensive. The expensive portions of public key cryptosystems are typically the private key operations. In this protocol, the mobile has to perform two operations using its private key. The base also performs two private key operations.

This protocol is also vulnerable to a man-in-the-middle attack.

Page 27: Key Establishment Protocols for Secure Mobile Communications

Conclusions

The Aziz-Diffie Protocol provides good forward secrecy, but it is computationally expensive and vulnerable to a man-in-the-middle attack.

The problem of designing correct protocols for authentication and key management is difficult to solve in any environment. In the mobile system, the extra constraints and requirements make this problem all the harder.

A more suitable key establishment protocol needs to be developed for mobile communication.

Page 28: Key Establishment Protocols for Secure Mobile Communications

Any Questions?