
International Journal of Network Security, Vol.3, No.3, PP.259–270, Nov. 2006

Authentication and Key Agreement Protocols Preserving Anonymity

Kumar Mangipudi (1), Rajendra Katti (1), and Huirong Fu (2)*
(Corresponding author: Huirong Fu)

(1) Department of Electrical and Computer Engineering, 1411 Centennial Blvd, North Dakota State University, Fargo, ND 58105, USA. (Email: {kumar.mangipudi, rajendra.katti}@ndsu.edu)
(2) Department of Computer Science and Engineering, Oakland University, Rochester, MI 48309, USA. (Email: [email protected])

(Received Sept. 7, 2005; revised and accepted Oct. 11 & Oct. 27, 2005)

Abstract

Anonymity is a very important security feature in addition to authentication and key agreement features in communication protocols. In this paper, we propose two authentication and key agreement (AKA) protocols: the AKA protocol with user anonymity (UAP) and the AKA protocol with user and server anonymity (USAP). The proposed protocols have the following advantages: first of all, they preserve anonymity, which is a security feature that was ignored in most of the previously proposed AKA protocols; secondly, they exploit the difference in capabilities between resource constrained clients and highly resourceful servers and thus are suitable for wireless applications; thirdly, they resist known attacks; and finally, they perform better in terms of the number of messages and bits exchanged and computing time as compared to the previously proposed AKA protocols. For example, USAP preserves user and server anonymity, exchanges 3 messages with 1920 bits in total, and requires only 280 msec of processing time on the user side when implemented on Mitsubishi's M16C microprocessor. Similarly, the UAP is scalable, preserves user anonymity, requires 440 msec, and exchanges 2560 bits.

Keywords: Anonymity, authentication, Elliptic Curve Cryptography (ECC), key agreement

1 Introduction

Authenticated Key Agreement (AKA) protocols provide communicating parties with a random shared-key that can subsequently be used to communicate confidentially. These protocols provide an efficient means of establishing keys and therefore solve the problems associated with key management. Nonetheless, the AKA protocols are designed with an objective that the communicating parties execute a scheme, and when it is terminated, each of the parties should have certain assurance that they know the other's true identity and share a new and random session-key derived from contributions of all the parties. This objective has to be accomplished irrespective of wired or wireless media. Client-server wireless communications, where a low end user and a server authenticate each other, often demand few message exchanges and low computational loads.

Until now, numerous public key cryptography based AKA protocols ranging from the traditional RSA to Elliptic Curve Cryptography (ECC) have been proposed. Recently, ECC has gained a lot of attention as ECC implemented devices have higher strength per key bit, lower power consumption, and smaller bandwidths as compared to RSA based cryptosystems. Hence, it is more promising to implement ECC in constrained platforms such as wireless devices, handheld computers, and smart cards.

Apart from security services like authentication and key agreement, the requirement for having anonymity is gaining a lot of attention because transmitting a user's identity in plain during the authentication process invades the user's privacy and allows unauthorized access of his personal information that may result in violation of his privacy and raise legal issues [5]. A literature survey on AKA protocols (included in Section 2 of this paper) revealed that most of the previously proposed protocols ignored anonymity. A wireless authentication protocol that supports anonymity was proposed in [2, 3]. For the rest of our discussion, we refer to this protocol as A-WAP. Despite the authors' claim, A-WAP on one hand fails to provide anonymity and on the other hand it succumbs to several attacks as shown in [17, 26].

Preserving anonymity is a very broad and relative term. In user-server applications such as accessing or requesting services from a server, user anonymity is highly appreciated as compared to server anonymity. In either case, the anonymity is defined with respect to the public. Note that in the above applications the server has to identify and verify the user for accounting and billing purposes. As such in our design, while addressing anonymity we envision two kinds of applications. The first application is a more generic one such as in ad-hoc networks that requires only user anonymity, and the server or the service provider is a public entity that provides public services. Secondly, applications where a user and a specific server communicate with each other while remaining anonymous to the public. A user accessing his/her bank account or a remote office server is an example of the second application. The proposed protocols, AKA protocol with user anonymity (UAP) and AKA protocol with user and server anonymity (USAP), respectively address the above two applications.

The following are the advantages of our protocols: first of all, they preserve anonymity, which is a security feature that was ignored in most of the previously proposed AKA protocols; secondly, they exploit the difference in capabilities between resource constrained clients and highly resourceful servers and thus are suitable for wireless applications; thirdly, they resist known attacks; and finally, they perform better in terms of the number of messages and bits exchanged and computing time. Since a user can be a low power device, as in wireless applications, we measure the performance of our protocols from the user's perspective. The proposed USAP is computationally efficient with fewer message exchanges but is not scalable as the user can communicate only with a specific server. Hence, the scalability as we envision is the ability of a user to communicate with a number of specific servers while preserving both user and server anonymity. On the other hand, the proposed UAP is scalable (a user can communicate with any arbitrary server rather than a specific server) but only at the cost of server anonymity and increased computational and communicational overhead as compared to USAP. For example, USAP preserves user and server anonymity, exchanges 3 messages with 1920 bits, and requires only 280 msec of processing time on the user side when implemented on Mitsubishi's M16C microprocessor. The UAP preserves user anonymity, requires 440 msec, and exchanges 2560 bits. These timings are based on the authors' analysis of MSR-Hybrid, a fast authenticated and key establishment protocol, for sensor networks that does not support anonymity, requires 455 msec, and exchanges 4448 bits in 4 messages [13].

The rest of this paper is organized as follows. We discuss various authentication schemes and review previously proposed AKA protocols based on public-key cryptography in Section 2. Next, we introduce the design criteria for our proposed protocols in Section 3. Then, in Sections 4 and 5, we present the proposed UAP and USAP, respectively. In Sections 6 and 7, we analyze the security and compare the performance of our proposed

2 Related Work

There exists a plethora of authentication schemes in the literature that are designed to address a variety of applications. The following is one of the many ways of classifying those schemes based on the kinds of security services they support and the underlying cryptographic functions used in their design:

1) Hash-based password authentication protocols [11, 16, 21, 24]

2) Public-key based authentication and key agreement (AKA) protocols (as discussed below)

3) Symmetric-key authentication protocols [22]

4) Authentication schemes based on key-chains [19, 27]

A complete description of the above mentioned authentication schemes is beyond the scope of this paper. As such, this paper only refers to well-known and widely-used AKA protocols based on public-key cryptography.

Diffie and Hellman first proposed the Diffie-Hellman (DH) key exchange based on the discrete logarithm problem in 1976 [10]. Since the original DH protocol is vulnerable to a man-in-the-middle attack, modifications were proposed to resist such an attack [28]. Later, Bellovin and Merritt presented a password based key exchange protocol for two-party communications known as Encrypted Key Exchange (EKE) [7]. Further, an efficient and elegant scheme for EKE that was considered for standardization by the IEEE P1363 Standard working group is AuthA, which was later enhanced by Bresson et al. in [8] to resist the denial-of-service attack. In [30], Zhang showed that Strong Password only Authenticated Key Exchange (SPEKE), a password authenticated key exchange protocol defined in [15], was susceptible to a password guessing attack. Wong and Chan [29] proposed a mutually authenticated key exchange protocol for low power computing devices, which was later proven insecure against unknown key-share attacks by Shim [23]. Zhu et al. presented a password based authenticated key exchange protocol based on RSA for imbalanced wireless networks in [31]. Further, protocols proposed by Beller et al. [6] and Aziz and Diffie [4] address mutual authentication and key agreement issues for low end devices. Unfortunately, none of the above protocols provides anonymity. A widely-used standard for the IPSec protocol suite is the Internet Key Exchange (IKE) [12]. IKE has several drawbacks, and further, it transmits a user's identity in clear. Just Fast Keying (JFK) protocols proposed in [1] address the shortcomings of IKE. However, they too ignored anonymity of the communicating parties. In recent years, several ECC-based key agreement protocols, such as the ECMQV protocol with ECC X509 certificates [25], implicit certificates and the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) protocol [9], A-WAP, and two fast authenticated key exchange protocols [13], were proposed.