Recursive Protocol for Group-Oriented Authentication with Key Distribution

1
Recursive Protocol for Group-Oriented
Authentication with Key Distribution

• Source Journal of Systems and Software, Vol. 81,
  No. 7, pp. 1227-1239, Jul. 2008
• Author Tzong-Chen Wu, Thsia-Tzu Huang,
  Chien-Lung Hsu and Kuo-Yu Tsai
• Speaker Ting-Fang Cheng
• Date 2009/07/16

2
Introduction
Group-oriented communication
Authentication Group session key
Authentication Server

• Bull and Otway, 1997
• Is vulnerable to the domino attack
• Chang and Wu, 1998
• Does not achieve load-amortization
• Ryan and Schneider, 1998
• Requires extra O(n) waiting time in average for
  the completion of the recursion

3
Notations

• AS the authentication server
• Ui the entity involved in the protocol
• n the number of entities involved in the
  protocol
• IDi Uis identity
• Ki the secret key initially shared between Ui
  and AS
• HashK(.) a keyed one-way hash function using the
  key K
• .K a symmetric encryption function using the
  key K
• Ki,j a session key shared between Ui and Uj
• Ni a nonce generated by Ui
• the concatenation

4
Ryan-Schneider protocol (1/3)
Forward phase
(1)
(3)
(4)
(2)
U1
U2
U3
U4
AS

1. U1?U2 X1 ID1, ID2, N1, HashK1(ID1ID2N1)
   
2. U2?U3 X2 ID2, ID3, N2, X1,
   HashK2(ID2ID3N2X1)
3. U3?U4 X3 ID3, ID4, N3, X2,
   HashK3(ID3ID4N3X2)
4. U4?AS X4 ID4, AS, N4, X3,
   HashK4(ID4ASN4X3)

5
Ryan-Schneider protocol (2/3)
Entity authentication and key establishment phase
(1)
(3)
(4)
(2)
U1
U2
U3
U4
AS
(6)

• Unravels and verifies X1, X2, X3, and X4
• Computes
• M1 ID1, ID2, K1,2?HashK1(N1ID2), ID1, ID2,
  N1K1,2
• M2 ID2, ID1, K1,2?HashK2(N2ID1), ID2, ID1,
  N2K1,2
• M3 ID2, ID3, K2,3?HashK2(N2ID3), ID2, ID3,
  N2K2,3
• M4 ID3, ID2, K2,3?HashK3(N3ID2), ID3, ID2,
  N3K2,3
• M5 ID3, ID4, K3,4?HashK3(N3ID4), ID3, ID4,
  N3K3,4
• M6 ID4, ID3, K3,4?HashK4(N4ID3), ID4, ID3,
  N4K3,4
• AS?U4 M1, M2, M3, M4, M5, M6

6
Ryan-Schneider protocol (3/3)
Backward phase
(1)
(3)
(4)
(2)
U1
U2
U3
U4
AS
(7)
(9)
(6)
(8)

• U4 extracts K3,4 and verifies it from M6
• U4?U3 M1, M2, M3, M4, M5
• U3 extracts K2,3 and K3,4 and verifies them from
  M4 and M5, respectively
• U3?U2 M1, M2, M3
• U2 extracts K1,2 and K2,3 and verifies them from
  M2 and M3, respectively
• U2?U1 M1
• U1 extracts K1,2 and verifies it from M1

7
Performance evaluations
t0 t1 t2
t3 t4
Forward time scale
U1
U2
U3
U4
AS
Backward time scale
t4 t3 t2
t1 t0

• O(n) rounds of message
• 8 2n ? O(n)
• O(n) completion time
• 8t 2n ? O(n)
• O(n) waiting time in average
• (7t 5t 3t t)/4 4t n ? O(n)

n 4 t is the time unit for each round
8
Proposed protocol (1/4)
Binary tree structure n 2k (k is an integer)

• Step 1 assigns a number to each entity of
• the group from 1 to n
• Step 2 generates a parent for each two
• nodes, where each parent is
• assigned a number which is equal
• to its right node
• Step 3 if the number of nodes generated
• from Step 2 is not equal to 1, then
• returns to Step 2
• Step 4 assigns a direction of message
  transmission
• for each two nodes in each level
• (? forward ? backward)
• Step 5 assigns a direction of message
  transmission
• from root to AS

Un
AS
AS
U4
U2
U4
Un
U1
U3
U4
U2
Un-1
Un
9
Proposed protocol (2/4)
Forward phase
(1)
(3)
(2)
U1
U2
U4
AS
(1)
U3
U4

• U1?U2 X1 X11, X12, where X11 (ID1N1)
  and X12 HashK1(ID1N1)
• U3?U4 X3 X31, X32, where X31 (ID3N3)
  and X32 HashK3(ID3N3)
• U2?U4 X2 X21, X22, where X21
  (ID2N2X11) and
• X22 HashK2(ID2N2X12)
• U4?AS X4 X41, X42, where X41
  (ID4N4X31X21) and
• X42 HashK4(ID4N4X32X22)

10
Proposed protocol (3/4)
Entity authentication and key establishment phase
(1)
(3)
(2)
U1
U2
U4
AS
(1)
U3
U4

• Unravels and verifies X1, X2, X3, and X4
• Randomly chooses a group session key KG
• Computes
• M1 ID1, IDG, KG?HashK1(IDG N1), HashK1(IDG
  N1KG)
• M2 ID2, IDG, KG?HashK2(IDG N2), HashK2(IDG
  N2KG)
• M3 ID3, IDG, KG?HashK3(IDG N3), HashK3(IDG
  N3KG)
• M4 ID4, IDG, KG?HashK4(IDG N4), HashK4(IDG
  N4KG)

11
Proposed protocol (4/4)
Backward phase
(1)
(3)
(2)
U1
U2
U4
AS
(7)
(5)
(6)
(1)
U3
U4
(7)

• AS?U4 M1, M2, M3, M4
• U4 extracts KG and verifies it from M4
• U4?U2 M1, M2
• U2 extracts KG and verifies it from M2
• U2?U1 M1
• U4?U3 M3

12
Performance evaluations
t0 t1 t2
t3
Forward time scale
U1
U2
U4
AS
U3
U4
Backward time scale
t3 t2 t1 t0

• O(n) rounds of message
• 8 2n ? O(n)
• O( log n) completion time
• 6t 23 2( 1) 2(
  1) ? O( log n)
• O(log n) waiting time in average
• (5t 3t 5t t)/4 3.5t ( 1.5)
  ? O( log n)

n 4 t is the time unit for each round
13
Conclusions

• Perfect forward secrecy
• Direct authentication
• No timestamps
• Nondisclosure
• Independency
• Integrity
• Practicality and efficiency
• Is performed in a recursive but parallel manner
• Only uses one-way hash function and exclusive-or
  operations