Survey%20on%20Authentication%20Protocols%20for%20Mobile%20Devices

1
Survey on Authentication Protocols for Mobile
Devices

• By
• Muhammad Hasan, Lihua Duan, Tarik El Amsy
• Course 60-564
• Instructor Dr. A. K. Aggarwal
• Winter, 2006

2
Outline

• Introduction
• Background Information
• Discussion of the Selected Papers
• Testing Methodologies
• Conclusion
• References

3
Introduction

• Challenges on security and quality of service
  (QOS) of Wireless Networks
• Unprotected open mediums
• Burst volume of communications
• IETF AAA Working Group
• AAA (Authentication, Authorization, and
  Accounting )
• Several AAA protocols proposed
• RADIUS
• DIAMETER

4
RADIUS (Remote Authentication Dial In User
Service)

• Based on UDP.
• Client/server protocol.
• Takes care of Server availability,
  Retransmission, and Timeouts.
• Details found at RFC 2865.

5
RADIUS Packet
The Whole Packet
MAC header IP header UDP header RADIUS header Data
RADIUS Header
32-bit

Code ID Length
Authenticator Authenticator Authenticator
Attributes.. Attributes.. Attributes..
6
DIAMETER

• Improvement over RADIUS
• Uses reliable transport protocols (TCP or SCTP)
• It uses transport level security (IPSEC or TLS)
• support for RADIUS
• It has larger address space for AVPs (Attribute
  Value Pairs) and identifiers (32-bit instead of
  8-bit)
• peer-to-peer protocol, not client-server 
  supports server-initiated messages
• Details found at RFC 3588

7
Diameter Packet
The Whole Packet
MAC header IP header TCP header Diameter header Data
Diameter Header
32-bit

Version Msg. Length
Flags Code
Application ID Application ID
Hop by Hop ID Hop by Hop ID
End to End ID End to End ID
AVP .. AVP ..
8
The General Architecture
9
Inter-network intra-network roaming

• Inter-network roaming takes place When the user
  moves from one ISP to another ISP
• Intra-network roaming takes place when the user
  moves from cell to cell within the ISP.

Inter-network roaming
Intra-network roaming
10
Existing GSM Authentication
Mobile Client
VLR/LAS
HLR/HAS
IMSI
VLR Visiting Location Register RAND A Random
Number Generated by HLRHLR Home Location
Register SRES KA, RAND
(Encrypted with one-way fn)IMSI International
Mobile Subscriber Identity Kt temporary
authentication key TMSI Temporary Mobile
Subscriber Identity
11
Strong Password Protocols

• The aim of strong password protocols is to
  authenticate the user while protecting the
  password against dictionary attacks by online
  eavesdroppers.
• Two earlier strong password protocols EKE and
  protocol of Gong. et al.

12
EKE (Encrypted Key Exchange) Protocol

• It provides secure authentication between user
  and a server using a weak secret.
• Generates per session public- private key pairs.
• Major Drawback Doing private key operations on
  client side makes it infeasible to use with
  computationally restricted devices ( Mobile
  devices).
• In 2002 Zhu et al. presents a variant of RSA-EKE
  for mobile devices.

13
The protocol of Gong et al.

• Contains a trusted third party which is
  continuously available online as in Kerberos.
• The parties in the system authenticate each other
  by the help of the trusted server.

14
GSM User Authentication Protocol
Paper 1

• By Özer Aydemir, Ali Aydin Selçuk

• Dept. of Computer Eng.
• Bilkent University
• Ankara TURKEY

TÜBTAK UEKAE LTAREN Research Center Ankara TURKEY
15
Paper 1 GSM User Authentication Protocol (GUAP)

• Objectives
• User can authenticate with his/her password
  instead of the embedded key.
• Breaks the dependency on the SIM card during
  authentication.
• Users will be able to reach their accounts
  without their SIM cards, via any cellular phone,
  Internet, or a special network

16
GUAP ( Cont. )

• Resembles the approach of Gong et al.
• Three entities involved in the authentication.
• VLR plays the trusted server role
• Random nonces for freshness guarantee
• of the sessions.

17
Functionality of GUAP

18
Security Issues

• The existence of the correct n1 value in the
  fifth message indicates that it is the HLR that
  has decrypted the first message and sending this
  output.
• The random nonce n2 protects HLRs response
  encrypted by p against dictionary attacks on p by
  an attacker who gets to know k or by VLR.
• Random c protects first message against
  regeneration by VLR.

19
Improving mobile authentication with new AAA
protocols
Paper 2

• by H. Kim and H. Afifi
• Proc. IEEE Int. Conf. on Communications, May 2003
• An authentication protocol by combining the AAA
  framework and the USIM authentication mechanism

20
AAA USIM Authentication Protocol
PAS/AAA Broker
LAS
HAS
MU
UPC USIM-PROXY-CAPABILITY AV Authentication
Vector REND random number XRES Expected
Response RES Response
21
Some Issues

• USIM-PROXY-CAPABILITY (UPC) in the request
  message is forwarded to HAS through LASs
• One of PASs can choose to become a broker by
  checking if UPC field exists in the request
  message
• The number of AVs generated at HAS is an
  optimization problem

22
Paper 3
A lightweight authentication protocol with local
security association control in mobile networks

• by W. Liang and W. Wang
• Proc. IEEE Military Communications Conference,
  2004
• An authentication protocol by introducing local
  security association with optimal life time for
  mobile user

23
Authentication with Local Security Association
MU
LAS
HAS
LAS Local Authentication Server HAS Home
Authentication Server SA Security
Association MU Mobile User
K0 pre-defined shared key for MU and HAS Kul
new shared key for MU and LAS F0 session random
number against replay attack R1 random number
24
Refresh Local Security Association

• When the local security association expires, LAS
  will refresh it by sending to mobile user a new
  key and a new life time

• An optimal life time of the local security
  association is critical for the efficiency of the
  authentication

• the risk to crack the key is increasing as the
  life time is increasing
• the cost to refresh

25
Localized Authentication for Wireless LAN
Inter-network Roaming
Paper 4

• By Men Long , Chwan-Hwa John Wu , J. David
  Irwin
• Department of Electrical and Computer Engineering
• Auburn University

26
Localizing the Authentication

• A new approach in which an initial mutual
  authentication between a visited network and a
  roaming user can be performed locally without any
  intervention by the users home network.
• Advantages are low time delay and robustness.
• A practical certificate structure x.509
• Authentication adapts the SSL v3.0 handshake
  protocol.
• Local AAA server will approve or reject the
  authentication request. Home network AAA will not
  be part of the process

27
Local Authentication Handshake Messages

• Flow 1 client Hello
• Flow 2 server Hello
• Flow 3 Finished

NU , D
NS , CertS
EncPKs(k),Ek1 (CerU),SignSu (NS NU S U)
28
Protocol flow

• Message flow (1) (NU , D )
• same as ClientHello in SSLprotocol
• The user sends a random number NU as user nonce
  along with D domain name of the roaming user.
• Message flow (2) (NS , CertS )
• same as ServerHello in SSL protocol
• The AAA server will attempt to find its public
  key certificates CertS signed by domain D
  received in message 1 and sends the certificate
  CertS and servers nonce NS to the user.
• If it did not find a certificated signed by D
  then it will abort the session because there is
  no roaming agreement with this domain and the
  user get rejected.

29
Message flow (3)

• The user employs his home networks public key to
  verify the CertS.
• The user chooses a random number k as the
  pre-master secret and then encrypts it by Enc
  PKS (k) using the visited networks public key
  PKS in CertS.
• The users terminal applies a pseudo random
  function to the pre-master secret to derive a key
  k1.
• Then k1 encrypts the users certificate CertU by
  EK1 (CertU) via a symmetric cipher such as the
  AES-128 with an appropriate mode.
• Finally, the user signs the message NS NU
  S U using his private key SU, by DSA or the RSA
  methods.

EncPKs(k)
Ek1 (CerU)
SignSu (NS NU S U)
Encrypted User Certificate
Pre-master key
Signature message
30
Authentication Key Establishment

• The Visited network will Decrypt to obtain the
  pre-master secret k using its own private key
  SKs.
• It then applies the publicly known pseudorandom
  function to the pre-master secret to derive k1.
• Use k1 to decrypt and obtain the users
  certificate.
• The visited network will validate verify the
  authenticity of the users public key certificate
  and then the validity of the users signature.
• EncPKs(k),Ek1 (CerU),SignSu (NS NU S U)

31
Security Feature Comparison
WiFi GSM Local Authen.
Time overhead due to com. b/w Home Visited network Yes No
Impact resulting from home network failure Maximum Minimum
Visited network learns roaming users secret Yes No
Strong authentication against cryptanalysis No Yes
32
Testing Methodologies
Paper 1

• The HLR and VLR are simulated on a 2.4 GHz
  Pentium IV machine, and the mobile client runs on
  Suns KToolbar v.2.0 simulation toolkit
• The simulations are implemented in Java2 Standard
  Edition (J2SE) for HLR and VLR, and in Java2
  Mobile Edition (J2ME) for the mobile client.
• The cryptographic functions are inherited from
  the Bouncy Castle Lightweight Crypto API for both
  J2SE and J2ME.

33
Testing Methodologies
Paper 2

• Consists of LAS, AAA broker, and HAS.
• They are geographically separated and connected
  by routers.
• The performance of the proposed authentication
  protocol is evaluated by measuring the time spent
  for authentication.
• Two suites of experiments are performed according
  to
• the number of users
• the number of proxy agents.
• The gathered results reduces the spent time
  considerably compared with DIAMETER protocols.

34
Testing Methodologies
Paper 4

• Paper 4 , Localized Authentication Testing
  Methodology
• 2 phases
• Phase I, with a Pentium 4 (2.2 GHz) and 512 MB
• RSA encryption or signature verification time is
  0.28 milliseconds while the RSA decryption or
  signature-signing time is 5.53 milliseconds.
• Phase II ( SSL/TLS protocol ) .
• laptop Pentium 4 (1.8 GHz) 256 MB memory and
  IMAP server
• The results indicate that the time delay per SSL
  channel setup averages 24 milliseconds.
• According to the data from the phases 1 and 2,
  the expected time delay for the proposed protocol
  is about 30246 milliseconds.

35
Testing Methodology
Paper 3
36
Testing Methodology-cont.
Paper 3

• Suppose there are 10 hops for remote
  authentication

37
Conclusion

• DIAMETER, RADIUS, EKE and Gong et al.s are
  some of the earliest standardized AAA
  authentication protocols.
• To improve efficiency or adaptability, many new
  authentication protocols are proposed in the
  literature. We discuss four most recent ones.
• For those protocols aiming at improve efficiency,
  they usually share one common feature reduce the
  number of remote authentications by transforming
  them into local authentications.
• For those protocols aiming at improve
  adaptability, they often try to relax some
  hardware limitation for authentication, such as
  the use of SIM card.

38
References

• H.-Y. Lin, L. Harn, and V. Kumar, Authentication
  protocols in wireless communications, CAUTO 95,
  1995.
• M. Long, C. J. Wu, and J. D. Irwin, Localized
  authentication for wireless LAN inter-networking
  roaming, IEEE Wireless Communications and
  Networking Conference (WCNC), Vol.1, 2004, pp.
  264-267
• C. Perkins and P. Calhoun, Mobile IPv4
  challenge/response extensions, RFC3012, November
  2000.
• RFC 3588. Diameter Base Protocol. Available at
  http//www.ietf.org/rfc/rfc3588.txt.
• C. Rigney et al. RADIUS extensions, RFC 2869,
  available at http//bgp.potaroo.net/ietf/html/ids
  -wg-radext.html. June 2000.
• R. Rivest, The MD5 message digest algorithm,
  RFC 1321, April, 1992.
• S. Shieh, E. Ho, and Y. Huang, An efficient
  authentication protocol for Mobile Networks,
  Authentication Protocol hrn01 of Information
  Science and Engineering, vol. 15, 1999, pp.
  505-520.
• W. Simpson, PPP challenge handshake
  authentication protocol (CHAP), RFCI334, August
  1996.
• W. Stallings, Network security essentials,
  Applications and Standards, 2000.
• M. Xu and S. Upadhyaya, Secure communication in
  KS, in Vehculur Technology Conference, pp.
  2193-2197, 2001.
• http//www.cisco.com/warp/public/707/32.html.
• http//en.wikipedia.org/wiki/DIAMETER.
• KToolbar, A toolkit for J2ME, http//java.sun.com/
  j2me.
• Lightweight Crypto API, Bouncy Castle,
  http//www.bouncycastle.org

• B. Aboba and D. Simon, PPP EAP TLS
  authentication protocol, RFC 2716, October 1999.
• O. Aydemir and A. Selguk, A strong user
  authentication protocol for GSM, 14th IEEE
  International Workshops on Enabling Technologies
  Infrastructure for Collaborative Enterprise,
  2005, pp.150-153.
• S. M. Bellovin and M. Meritt, Encrypted Key
  Exchange Password based protocols secure against
  dictionary attacks, in Proceedings of the IEEE
  Symposium on Security and Privacy, May, 1992,
  pp.72-84.
• L. Biunk and J. Vollbmcht, PPP extensible
  authentication protocol, RFC2284, March 1998.
• L. DeIlUomo and E. Scanone, The mobility
  management and authentication, authorization
  mechanisms in mobile networks beyond 3G, 12th
  IEEE International Symposium on Personal, Indoor
  und Mobile Radio Communications, 2001, vol. 1,
  pp. c 44-c 4 8.
• A. Freier, P. Karlton, and P. Kocher, The SSL
  protocol version 3.0, available at
  http//wp.netscape.com/eng/ssl3/draft302.txt,
  Nov. 1996.
• S. Glass, T. Hiller, S. Jacobs, and C. Perkins,
  Mobile IP authentication, authorization and
  Accounting Requirements, RFC2977, October 2000.
• L. Gong, T. M. A. Lomas, R.M. Needham, and J. H.
  Saltzer, Protecting poorly chosen secrets from
  guessing attacks, IEEE Journal on Selected Areas
  in Communication, Vol.11, No.5, June 1993, pp.
  48-656.
• H. Kim and H. Afifi, Improving mobile
  authentication with new AAA protocols, Proc.
  IEEE Int. Conf. on Communications, Vol.1, May
  2003, pp. 497-501.
• W. Liang and W. Wang, A lightweight
  authentication protocol with local security
  association control in mobile networks, IEEE
  Military Communications Conference (MILCOM 2004),
  Vol. 1, 2004, pp. 225-231.
• .

39
Special Thanks to

• Dr. A.K. Aggarwal

40
Questions ?
Thank You