Title: Recursive Protocol for Group-Oriented Authentication with Key Distribution
Recursive Protocol for Group-Oriented Authentication with Key Distribution
- Source: Journal of Systems and Software, Vol. 81, No. 7, pp. 1227-1239, Jul. 2008
- Authors: Tzong-Chen Wu, Thsia-Tzu Huang, Chien-Lung Hsu and Kuo-Yu Tsai
- Speaker: Ting-Fang Cheng
- Date: 2009/07/16
Introduction
[Figure: group-oriented communication, with authentication and a group session key established through an authentication server]
- Bull and Otway, 1997
  - Is vulnerable to the domino attack
- Chang and Wu, 1998
  - Does not achieve load-amortization
- Ryan and Schneider, 1998
  - Requires extra O(n) waiting time on average for the completion of the recursion
Notations
- AS: the authentication server
- Ui: the entity involved in the protocol
- n: the number of entities involved in the protocol
- IDi: Ui's identity
- Ki: the secret key initially shared between Ui and AS
- HashK(.): a keyed one-way hash function using the key K
- {.}K: a symmetric encryption function using the key K
- Ki,j: a session key shared between Ui and Uj
- Ni: a nonce generated by Ui
- ||: the concatenation operator
Ryan-Schneider protocol (1/3)
Forward phase
[Figure: messages (1)-(4) flow U1 → U2 → U3 → U4 → AS]
- U1 → U2: X1 = ID1, ID2, N1, HashK1(ID1||ID2||N1)
- U2 → U3: X2 = ID2, ID3, N2, X1, HashK2(ID2||ID3||N2||X1)
- U3 → U4: X3 = ID3, ID4, N3, X2, HashK3(ID3||ID4||N3||X2)
- U4 → AS: X4 = ID4, AS, N4, X3, HashK4(ID4||AS||N4||X3)
Ryan-Schneider protocol (2/3)
Entity authentication and key establishment phase
[Figure: messages (1)-(4) flow U1 → U2 → U3 → U4 → AS; message (6) flows AS → U4]
AS:
- Unravels and verifies X1, X2, X3, and X4
- Computes
  - M1 = ID1, ID2, K1,2 ⊕ HashK1(N1||ID2), {ID1, ID2, N1}K1,2
  - M2 = ID2, ID1, K1,2 ⊕ HashK2(N2||ID1), {ID2, ID1, N2}K1,2
  - M3 = ID2, ID3, K2,3 ⊕ HashK2(N2||ID3), {ID2, ID3, N2}K2,3
  - M4 = ID3, ID2, K2,3 ⊕ HashK3(N3||ID2), {ID3, ID2, N3}K2,3
  - M5 = ID3, ID4, K3,4 ⊕ HashK3(N3||ID4), {ID3, ID4, N3}K3,4
  - M6 = ID4, ID3, K3,4 ⊕ HashK4(N4||ID3), {ID4, ID3, N4}K3,4
- AS → U4: M1, M2, M3, M4, M5, M6
Ryan-Schneider protocol (3/3)
Backward phase
[Figure: messages (1)-(4) flow U1 → U2 → U3 → U4 → AS; messages (6)-(9) flow back AS → U4 → U3 → U2 → U1]
- U4 extracts K3,4 and verifies it from M6
- U4 → U3: M1, M2, M3, M4, M5
- U3 extracts K2,3 and K3,4 and verifies them from M4 and M5, respectively
- U3 → U2: M1, M2, M3
- U2 extracts K1,2 and K2,3 and verifies them from M2 and M3, respectively
- U2 → U1: M1
- U1 extracts K1,2 and verifies it from M1
Performance evaluations
[Figure: forward time scale t0..t4 (U1 → U2 → U3 → U4 → AS) and backward time scale t4..t0 (AS → U4 → U3 → U2 → U1)]
- O(n) rounds of message: 8 = 2n ∈ O(n)
- O(n) completion time: 8t = 2nt ∈ O(n)
- O(n) waiting time on average: (7t + 5t + 3t + t)/4 = 4t = nt ∈ O(n)
(n = 4; t is the time unit for each round)
Proposed protocol (1/4)
Binary tree structure: n = 2^k (k is an integer)
- Step 1: assigns a number to each entity of the group, from 1 to n
- Step 2: generates a parent for each two nodes, where each parent is assigned a number equal to that of its right node
- Step 3: if the number of nodes generated from Step 2 is not equal to 1, then returns to Step 2
- Step 4: assigns a direction of message transmission for each two nodes in each level (→ forward, ← backward)
- Step 5: assigns a direction of message transmission from root to AS
[Figure: binary tree over U1, U2, U3, U4, ..., Un-1, Un, each parent numbered by its right child (U2, U4, ..., Un), with the root Un connected to AS]
Proposed protocol (2/4)
Forward phase
[Figure: messages (1) U1 → U2 and U3 → U4 in parallel, (2) U2 → U4, (3) U4 → AS]
- U1 → U2: X1 = X11, X12, where X11 = (ID1||N1) and X12 = HashK1(ID1||N1)
- U3 → U4: X3 = X31, X32, where X31 = (ID3||N3) and X32 = HashK3(ID3||N3)
- U2 → U4: X2 = X21, X22, where X21 = (ID2||N2||X11) and X22 = HashK2(ID2||N2||X12)
- U4 → AS: X4 = X41, X42, where X41 = (ID4||N4||X31||X21) and X42 = HashK4(ID4||N4||X32||X22)
Proposed protocol (3/4)
Entity authentication and key establishment phase
[Figure: messages (1) U1 → U2 and U3 → U4 in parallel, (2) U2 → U4, (3) U4 → AS]
AS:
- Unravels and verifies X1, X2, X3, and X4
- Randomly chooses a group session key KG
- Computes
  - M1 = ID1, IDG, KG ⊕ HashK1(IDG||N1), HashK1(IDG||N1||KG)
  - M2 = ID2, IDG, KG ⊕ HashK2(IDG||N2), HashK2(IDG||N2||KG)
  - M3 = ID3, IDG, KG ⊕ HashK3(IDG||N3), HashK3(IDG||N3||KG)
  - M4 = ID4, IDG, KG ⊕ HashK4(IDG||N4), HashK4(IDG||N4||KG)
Proposed protocol (4/4)
Backward phase
[Figure: messages (1)-(3) flow up the tree to AS; (5) AS → U4, (6) U4 → U2 and U4 → U3, (7) U2 → U1]
- AS → U4: M1, M2, M3, M4
- U4 extracts KG and verifies it from M4
- U4 → U2: M1, M2
- U2 extracts KG and verifies it from M2
- U2 → U1: M1
- U4 → U3: M3
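The forward phase, AS-side unravelling and key distribution of the proposed protocol (slides 9-11, n = 4), as an added example that is not code from the paper or the slides. It assumes HMAC-SHA256 as the keyed one-way hash HashK(.), fixed-width identities and nonces so that AS can parse X41, and constructed keys, nonces and group key. Because X12, X32 and X22 are folded into X42, AS authenticates all four entities with one tag comparison, and any tampering along the tree makes that comparison fail.

```python
import hmac, hashlib

ID_LEN, NONCE_LEN = 2, 16           # fixed field widths so AS can unravel X41 (assumption)
IDS = [b"U1", b"U2", b"U3", b"U4"]  # n = 4 = 2^k; tree of slide 8: U1->U2, U3->U4, U2->U4, U4->AS
ID_G = b"G1"                        # constructed group identifier

def H(key, *parts):
    # Hash_K(a||b||...): the keyed one-way hash, instantiated here as HMAC-SHA256 (assumption)
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def forward_phase(keys, nonces):
    # Build X4 = (X41, X42) as on slide 9; the tags X12, X32, X22 are folded into X42
    X11, X12 = IDS[0] + nonces[0], H(keys[0], IDS[0], nonces[0])
    X31, X32 = IDS[2] + nonces[2], H(keys[2], IDS[2], nonces[2])
    X21, X22 = IDS[1] + nonces[1] + X11, H(keys[1], IDS[1], nonces[1], X12)
    return IDS[3] + nonces[3] + X31 + X21, H(keys[3], IDS[3], nonces[3], X32, X22)

def as_unravel(keys, X41, X42):
    # AS parses X41 down to the leaves, recomputes the hash chain and checks X42 once;
    # returns the nonces [N1..N4], or None if any hop was forged or tampered with
    f = ID_LEN + NONCE_LEN
    id4, n4, X31, X21 = X41[:ID_LEN], X41[ID_LEN:f], X41[f:2 * f], X41[2 * f:]
    id3, n3 = X31[:ID_LEN], X31[ID_LEN:]
    id2, n2, X11 = X21[:ID_LEN], X21[ID_LEN:f], X21[f:]
    id1, n1 = X11[:ID_LEN], X11[ID_LEN:]
    if [id1, id2, id3, id4] != IDS:
        return None
    X12, X32 = H(keys[0], id1, n1), H(keys[2], id3, n3)
    X22 = H(keys[1], id2, n2, X12)
    ok = hmac.compare_digest(H(keys[3], id4, n4, X32, X22), X42)
    return [n1, n2, n3, n4] if ok else None

def as_key_distribution(keys, nonces, KG):
    # M_i = ID_i, ID_G, KG xor Hash_Ki(ID_G||N_i), Hash_Ki(ID_G||N_i||KG)   (slide 10)
    return [(IDS[i], ID_G, xor(KG, H(keys[i], ID_G, nonces[i])),
             H(keys[i], ID_G, nonces[i], KG)) for i in range(4)]

def entity_extract(i, key, nonce, M):
    # U_i unmasks KG from M_i and verifies the tag (backward phase, slide 11); None on mismatch
    id_i, id_g, masked, tag = M
    KG = xor(masked, H(key, id_g, nonce))
    return KG if id_i == IDS[i] and hmac.compare_digest(tag, H(key, id_g, nonce, KG)) else None

# Constructed demo material (not from the paper): long-term keys K_i, nonces N_i, group key KG
KEYS = [hashlib.sha256(b"K" + u).digest() for u in IDS]
NONCES = [hashlib.sha256(b"N" + u).digest()[:NONCE_LEN] for u in IDS]
KG = hashlib.sha256(b"group session key").digest()  # 32 bytes, the hash output width
```

Running `forward_phase`, `as_unravel`, `as_key_distribution` and `entity_extract` in sequence on the demo material hands every Ui the same KG; flipping one byte anywhere in X41 makes `as_unravel` reject the whole tree.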
Performance evaluations
[Figure: forward time scale t0..t3 (U1 → U2 and U3 → U4, then U2 → U4, then U4 → AS) and backward time scale t3..t0 (AS → U4, then U4 → U2 and U4 → U3, then U2 → U1)]
- O(n) rounds of message: 8 = 2n ∈ O(n)
- O(log n) completion time: 6t = 2·3t = 2(log2 n + 1)t = 2(k + 1)t ∈ O(log n)
- O(log n) waiting time on average: (5t + 3t + 5t + t)/4 = 3.5t = (log2 n + 1.5)t ∈ O(log n)
(n = 4; t is the time unit for each round)
Conclusions
- Perfect forward secrecy
- Direct authentication
- No timestamps
- Nondisclosure
- Independency
- Integrity
- Practicality and efficiency
  - Is performed in a recursive but parallel manner
  - Only uses one-way hash function and exclusive-or operations