Security Technologies on Wireless Communications and Applications in Electronic Commerce
(無線通訊的安全技術及電子商務應用之研究)
Advisor: Prof. Chin-Chen Chang (張真誠)
Graduate student: Jung-San Lee (李榮三)
Dept. of Computer Science and Information Engineering, National Chung Cheng University
Outline
  Part 1: Security Technologies for Wireless Communications
  Part 2: Applications to Electronic Business
MSN lab
Introduction
  Authentication & Data Integrity
    - Global system for mobile communications (GSM)
    - Anonymous authentication mechanism
    - Secure communications for ad hoc networks
  Electronic Commerce
    - Electronic voting
    - Oblivious transfer
Efficient Authentication Protocols for GSM
[Figure: GSM architecture; location areas LAI1 to LAI6 are served by a VLR, which connects to the HLR]
Current GSM authentication system: notations
  HLR: the home location register
  VLR: the visitor location register
  IMSI: the international mobile subscriber identity
  TMSI: the temporary mobile subscriber identity
  K: the secret key shared between the MS and the HLR
  A3( ), A8( ): two one-way functions; A5( ): the encryption/decryption function
Current GSM authentication system (1/2): first authentication in a new VLR
  MS → VLR: Request (TMSI, LAI)
  VLR → HLR: IMSI
  HLR: SRES = A3(R, K), Kc = A8(R, K)
  HLR → VLR: n sets {SRES, R, Kc}
  VLR → MS: TMSI', R
  MS: SRES' = A3(R, K), Kc = A8(R, K)
  MS → VLR: SRES'
  VLR: checks SRES = SRES'
Current GSM authentication system (2/2): subsequent authentications in the same VLR
  MS → VLR: Request (TMSI')
  VLR: takes one stored set {SRES, R, Kc}
  VLR → MS: R
  MS: SRES' = A3(R, K), Kc = A8(R, K)
  MS → VLR: SRES'
  VLR: checks SRES = SRES'
Drawbacks
  - Unilateral authentication between VLR and MS: only the MS proves itself, the VLR is never authenticated to the MS
  - Storage overhead: n sets {SRES, R, Kc} kept per visiting MS
  - Bandwidth consumption: the n sets are transferred from HLR to VLR
Protocol 1 (Phase 1)
  MS → VLR: Request (TMSI, LAI, T)
  VLR → HLR: IMSI, T
  HLR: CERT_VLR = A3(R, K), Kc = A8(R, K)
  HLR → VLR: CERT_VLR, R, Kc
  VLR → MS: TMSI', CERT_VLR, R, R1, T
  MS: CERT_VLR' = A3(R, K), checks CERT_VLR = CERT_VLR'; Kc = A8(R, K); SRES' = A5(R1, Kc)
  MS → VLR: SRES'
  VLR: SRES = A5(R1, Kc), checks SRES = SRES'
Protocol 1 (Phase 2)
  MS → VLR: Request (TMSI', Tj)
  VLR: CERT_VLRj = A3(Tj, Kc), SRESj = A5(Rj, Kc)
  VLR → MS: CERT_VLRj, Rj, Tj
  MS: CERT_VLR'j = A3(Tj, Kc), checks CERT_VLRj = CERT_VLR'j; SRES'j = A5(Rj, Kc)
  MS → VLR: SRES'j
  VLR: checks SRESj = SRES'j
Protocol 2 (Phase 1)
  MS → VLR: Request (TMSI, LAI, T)
  VLR → HLR: IMSI, T
  HLR: CERT_VLR = A3(T, K), Kc = A8(R, K)
  HLR → VLR: CERT_VLR, R, Kc
  VLR → MS: TMSI', CERT_VLR, R, T
  MS: CERT_VLR' = A3(T, K), checks CERT_VLR = CERT_VLR'; Kc = A8(R, K); SRES' = A5(R || T, Kc)
  MS → VLR: SRES'
  VLR: SRES = A5(R || T, Kc), checks SRES = SRES'
  MS keeps T; VLR keeps (TMSI', T)
Protocol 2 (Phase 2)
  MS: SRESj = A5(Tj || Tj-1, Kc)
  MS → VLR: Request (TMSI', SRESj, Tj)
  VLR: SRES'j = A5(Tj || Tj-1, Kc), checks SRESj = SRES'j; CERT_VLRj = A3(Tj, Kc)
  VLR → MS: CERT_VLRj, Rj, Tj
  MS: CERT_VLR'j = A3(Tj, Kc), checks CERT_VLRj = CERT_VLR'j
  MS keeps Tj; VLR keeps (TMSI', Tj)
Analyses
  - Mutual authentication
  - Reduced storage overhead
  - Avoided bandwidth consumption
  - Round efficiency (Protocol 2)
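The two GSM flows above, run as an added simulation (not code from the thesis): the current scheme, in which the MS answers any challenge and the VLR stores n sets, and Protocol 1, in which the MS first checks CERT_VLR = A3(R, K) and later runs are keyed by Kc alone. A3, A8 and A5 are modelled here as HMAC-SHA256 truncated to the GSM field sizes (an assumption made for this example; the real functions differ), and the class and function names (MS, HLR, run_protocol1, rogue_vlr_detected) are the example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Stand-ins for the GSM one-way functions, constructed for this example only.
# Real A3/A8 are operator-defined and A5 is a stream cipher; here all three are
# modelled as keyed one-way functions (HMAC-SHA256 truncated to GSM field sizes).
def A3(r: bytes, k: bytes) -> bytes:
    return hmac.new(k, b"A3" + r, hashlib.sha256).digest()[:4]   # 32-bit SRES

def A8(r: bytes, k: bytes) -> bytes:
    return hmac.new(k, b"A8" + r, hashlib.sha256).digest()[:8]   # 64-bit Kc

def A5(x: bytes, kc: bytes) -> bytes:
    return hmac.new(kc, b"A5" + x, hashlib.sha256).digest()[:4]


class MS:
    """Mobile station: holds the long-term key K shared with its HLR."""
    def __init__(self, imsi: str, k: bytes):
        self.imsi, self.k, self.kc = imsi, k, b""

    # Current GSM: the MS answers any challenge R; it cannot tell who sent it.
    def gsm_response(self, r: bytes) -> bytes:
        self.kc = A8(r, self.k)
        return A3(r, self.k)

    # Protocol 1, phase 1: answer only after CERT_VLR = A3(R, K) checks out,
    # which proves the VLR obtained its set from the HLR that knows K.
    def p1_phase1(self, cert_vlr: bytes, r: bytes, r1: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(cert_vlr, A3(r, self.k)):
            return None
        self.kc = A8(r, self.k)
        return A5(r1, self.kc)

    # Protocol 1, phase 2: later runs are keyed by Kc alone, so the VLR needs
    # neither another HLR round trip nor a store of n triplets.
    def p1_phase2(self, cert_vlr_j: bytes, rj: bytes, tj: bytes) -> Optional[bytes]:
        if not hmac.compare_digest(cert_vlr_j, A3(tj, self.kc)):
            return None
        return A5(rj, self.kc)


class HLR:
    def __init__(self):
        self.keys = {}          # IMSI -> K

    def register(self, imsi: str, k: bytes) -> None:
        self.keys[imsi] = k

    # Current GSM: n authentication sets {SRES, R, Kc} per visiting MS.
    def triplets(self, imsi: str, n: int):
        k = self.keys[imsi]
        out = []
        for _ in range(n):
            r = os.urandom(16)
            out.append((A3(r, k), r, A8(r, k)))
        return out

    # Protocol 1: a single set (CERT_VLR, R, Kc) with CERT_VLR = A3(R, K).
    def p1_set(self, imsi: str):
        k = self.keys[imsi]
        r = os.urandom(16)
        return A3(r, k), r, A8(r, k)


def run_current_gsm(hlr: HLR, ms: MS, n: int = 5) -> bool:
    """VLR side of the current scheme: one of the n stored sets is consumed."""
    sres, r, _kc = hlr.triplets(ms.imsi, n)[0]
    return hmac.compare_digest(ms.gsm_response(r), sres)


def run_protocol1(hlr: HLR, ms: MS, rounds: int = 3) -> bool:
    """VLR side of Protocol 1: one phase-1 run, then `rounds` phase-2 runs."""
    cert_vlr, r, kc = hlr.p1_set(ms.imsi)
    r1 = os.urandom(16)
    resp = ms.p1_phase1(cert_vlr, r, r1)
    if resp is None or not hmac.compare_digest(resp, A5(r1, kc)):
        return False
    for j in range(1, rounds + 1):
        rj, tj = os.urandom(16), j.to_bytes(8, "big")   # Tj modelled as a counter
        resp_j = ms.p1_phase2(A3(tj, kc), rj, tj)
        if resp_j is None or not hmac.compare_digest(resp_j, A5(rj, kc)):
            return False
    return True


def rogue_vlr_detected(ms: MS) -> bool:
    """A VLR that never contacted the HLR holds no valid CERT_VLR; the MS stays silent."""
    return ms.p1_phase1(os.urandom(4), os.urandom(16), os.urandom(16)) is None


def demo() -> dict:
    hlr = HLR()
    k = os.urandom(16)                     # constructed subscriber key
    hlr.register("IMSI-example", k)
    ms = MS("IMSI-example", k)
    return {
        "current_gsm": run_current_gsm(hlr, ms),
        "protocol1": run_protocol1(hlr, ms),
        "rogue_vlr_detected": rogue_vlr_detected(MS("IMSI-example", k)),
    }
```

Running demo() returns True for all three entries: the current scheme still authenticates the MS, Protocol 1 authenticates both parties with one HLR round trip and no triplet store, and an MS following Protocol 1 gives no response to a party that cannot present CERT_VLR.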
Comparisons between current GSM authentication protocols and ours
[Table: rows MA1, MA2, SSO, SBC, AC; columns Original, [14], [15], [49], [51], Ours. The cell values (apart from a "No"/"Yes" pair and a "-") were not recoverable from the extracted slide.]
Anonymous Authentication Scheme for Wireless Communications
  Goal: to enhance the privacy of the mobile subscriber
  Foreign Agent (FA) plays the role of the VLR; Home Agent (HA) plays the role of the HLR
The flowchart of Zhu and Ma's scheme
  MS → FA: n, E_KL(r0), ID_HA, T_MS
  FA → HA: R1, n, E_KL(r0), T_MS, SIG_FA, Cert_FA, T_FA
  HA → FA: R2, [h(ID_MU) || r0]_KU_FA, SIG_HA, Cert_HA, T_HA
  FA → MS: E_K(TCert_MS)
The flowchart of our scheme
  MS: C1 = h(h(X) r) IDi   (the operators between h(X) and r and before IDi were lost in extraction)
  MS → FA: ID_HA, C1, r, E_KMH(h(C1 ⊕ T1) || N1 || T1)
  FA → HA: ID_FA, E_KFH(E_KMH(h(C1 ⊕ T1) || N1 || T1) || C1 || r || N2 || T2)
  HA → FA: E_KFH(h(N1) || T2+1), E_KMH(h(N2) || T1+1)
  FA → MS: E_SK(h(N1) || TIDi), E_KMH(h(N2) || T1+1)
  SK = h(h(N1) h(N2))   (operator lost in extraction)
Comparisons between related works and ours
[Table: rows NA, NE, NS, NH, NO (counts per MS/FA/HA) for schemes [42], [43] and ours; the extracted cells (154%, 1.06%, 1.45%, 1/2, 2/1, 1/1, 4, 2, 1/0, 0/1, 2/2, 5, 3, 1) could not be re-aligned to their rows and columns]
Secure Communications for Cluster-based Ad Hoc Networks Using Node Identities
[Figure: the structure of NTDR; clusterheads and the nodes within their radio range]
Trust Authority (TA)
  ed ≡ 1 (mod ψ(N))
  Mobile node MIDi: Ki = e(log_g(MIDi^2)) mod ψ(N)
  Clusterhead CHIDj: CKj = e(log_g(CHIDj^2)) mod ψ(N)
  AUC = h(KMH)
The authentication flowchart of our scheme
  CHIDj → MIDi: CHIDj, CIDj
  MIDi → CHIDj: MIDi, AUC, T
Case 1: the communicating nodes are within one hop
[Figure: cluster CIDj with clusterhead CHIDj; MID1 and MID2 are within one hop of each other, inside the limit of the beacon messages]
The communicating process of Case 1
  MID1: Cert = h(K12)
  MID1 → MID2: MID1, T1, Cert
Case 2: the communicating nodes are not within one hop
[Figure: cluster CIDj with clusterhead CHIDj; MID1 and MID2 are in the same cluster but outside each other's one-hop beacon range]
Case 3: the communicating nodes are not within the same cluster
[Figure: MID1 in cluster CID1 (clusterhead CHID1) and MID2 in cluster CID2 (clusterhead CHID2)]
Security analyses
  Authentication; Data integrity; Non-repudiation; Non-impersonation
  Mobile nodes in the same cluster: Non-repudiation, Non-impersonation
  Mobile nodes in different clusters: Non-repudiation, Non-impersonation
Performance comparisons of authentication phase
  Role   | Scheme [76] | Ours
  MIDi   | 3 PKI       | 1 exp + 2 sym + 2 h
  CHIDj  | (not recoverable from the extracted slide)
Performance comparisons of communication phase (nodes in the same cluster)
  Role   | Scheme [76] | Ours
  MID1   | 8 sym + 1 h | 2 sym + 1 h
  CHID1  | 8 sym       | 4 sym
  MID2   | (not recoverable from the extracted slide)
Performance comparisons of communication phase (nodes in different clusters)
  Role   | Scheme [76] | Ours
  MID1   | 8 sym + 1 h | 2 sym + 1 h
  CHID1  | 8 sym       | 4 sym
  CHID2  | (not recoverable from the extracted slide)
  MID2   | 4 sym + 1 h (column not recoverable)
An Anonymous Voting Mechanism Based on the Key Exchange Protocol
  Previous works: PKI
  Blind signature
  Diffie-Hellman key exchange protocol
Blind signature (RSA-based)
  Signer: ed ≡ 1 (mod ψ(N))
  Client: message m, random number r; m' = m·r^e mod N
  Signer: s' = (m')^d = m^d·r mod N
  Client: s = s'·r^{-1} mod N = ((m·r^e)^d)·r^{-1} mod N = m^d mod N
Diffie-Hellman key exchange protocol
  Alice → Bob: g^a mod p
  Bob → Alice: g^b mod p
  Both compute the shared key g^{ab} mod p
Variant version
  Alice publishes ya = g^{xa} mod p; Bob publishes yb = g^{xb} mod p
  Alice computes yb^{xa} mod p = g^{xa·xb} mod p
  Bob computes ya^{xb} mod p = g^{xa·xb} mod p
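The two building blocks of the voting mechanism, the RSA blind signature and the Diffie-Hellman exchange, as an added worked example (not code from the thesis). The RSA parameters p = 61, q = 53, e = 17 and the Diffie-Hellman parameters g = 2, p = 1019 are constructed toy values far too small for real use; the function names (blind, sign_blinded, unblind, dh_exchange) are the example's own. The point for the voting application is visible in sign_blinded: the signer produces a valid signature on m without ever seeing m.

```python
import random
from math import gcd

# Textbook RSA parameters, constructed for illustration only (far too small for real use).
P, Q = 61, 53
N = P * Q                   # 3233
PSI = (P - 1) * (Q - 1)     # written ψ(N) on the slides
E = 17
D = pow(E, -1, PSI)         # ed ≡ 1 (mod ψ(N)); here D = 2753


def blind(m: int, r: int) -> int:
    """Client: m' = m * r^e mod N. The signer never sees m."""
    return m * pow(r, E, N) % N


def sign_blinded(m_blinded: int) -> int:
    """Signer: s' = (m')^d mod N, computed on the blinded value only."""
    return pow(m_blinded, D, N)


def unblind(s_blinded: int, r: int) -> int:
    """Client: s = s' * r^-1 mod N = ((m r^e)^d) r^-1 = m^d mod N."""
    return s_blinded * pow(r, -1, N) % N


def verify(m: int, s: int) -> bool:
    """Anyone: s^e == m (mod N)."""
    return pow(s, E, N) == m


def blind_signature_roundtrip(m: int, rng=random):
    """Returns (signature, ok): ok is True when the unblinded s equals m^d mod N."""
    r = rng.randrange(2, N)
    while gcd(r, N) != 1:          # r must be invertible mod N
        r = rng.randrange(2, N)
    s = unblind(sign_blinded(blind(m, r)), r)
    return s, s == pow(m, D, N) and verify(m, s)


# Diffie-Hellman over a small prime modulus (constructed parameters, not the slides').
G, PRIME = 2, 1019


def dh_exchange(xa: int, xb: int):
    """Both parties end with g^(xa*xb) mod p; returns (Alice's key, Bob's key, agree)."""
    ya = pow(G, xa, PRIME)          # Alice publishes ya = g^xa mod p
    yb = pow(G, xb, PRIME)          # Bob publishes yb = g^xb mod p
    k_alice = pow(yb, xa, PRIME)    # yb^xa
    k_bob = pow(ya, xb, PRIME)      # ya^xb
    return k_alice, k_bob, k_alice == k_bob == pow(G, xa * xb, PRIME)
```

blind_signature_roundtrip(65) returns a signature that verifies under e and equals the direct m^d mod N, while the signer only ever handled the blinded value; dh_exchange(6, 15) returns the same key on both sides, matching g^{xa·xb} mod p.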
Requirements
  - Anonymity
  - Fairness: no one can learn the temporary outcome
  - Convenience
  - Robustness
  - Mobility
  - Uniqueness
  - Completeness: only the eligible voter is allowed to vote
  - Uncoercibility: each voter must be able to decide his intention
  - Correctness
  - Efficiency: within a reasonable period of time
The whole structure of our proposed mechanism
[Figure only; no text recoverable]
Comparisons between our scheme and other related works
  Requirement    | Ours | [27] | [3]        | [30]
  Anonymity      |
  Fairness       |
  Convenience    | High | Low  | No mention | Mid
  Robustness     |
  Mobility       |
  Uniqueness     |
  Completeness   |
  Uncoercibility |
  Correctness    |
  Efficiency     |
  (Only the Convenience row could be reconstructed; a "Yes" under Anonymity and a "No" under Fairness could not be assigned to columns.)
Choosing t-out-of-n Secrets by Oblivious Transfer
  Alice holds n messages (e.g., stock quotes); Bob sends a message query requesting t of them
  1. Correctness
  2. Privacy of Bob
  3. Privacy of Alice
Chinese Remainder Theorem (CRT)
  Find a positive integer C that satisfies the congruences C ≡ 2 (mod 3), C ≡ 3 (mod 5), and C ≡ 3 (mod 7).
Define notations
  N: a large prime
  e/d: the public/private key of Alice
  a1, a2, …, an: n messages
  d1, d2, …, dn: n relatively prime numbers
  IDi: the identity of message ai
  b1, b2, …, bt: the t messages that Bob expects to get
Alice, Step 1: computes D = d1 · d2 · … · dn and constructs the congruence system
  C ≡ a1 (mod d1), C ≡ a2 (mod d2), …, C ≡ an (mod dn).
  By CRT, C = (D/d1)·y1·a1 + (D/d2)·y2·a2 + … + (D/dn)·yn·an mod D, where (D/di)·yi ≡ 1 (mod di).
Alice, Step 2: computes T1 = d1^e mod N, T2 = d2^e mod N, …, Tn = dn^e mod N
Alice, Step 3: publishes C and the n pairs (ID1, T1), (ID2, T2), …, (IDn, Tn)
[Figure: Alice posts C and the n pairs (ID1, T1), (ID2, T2), …, (IDn, Tn) on the board; Bob reads C and the t pairs he wants, sends the request {α1, α2, …, αt} to Alice, and receives {β1, β2, …, βt}]
Bob, Step 1: picks (IDj, Tj) for j = 1, 2, …, t
Bob, Step 2: computes α1 = r1^e · T1 mod N, α2 = r2^e · T2 mod N, …, αt = rt^e · Tt mod N
Bob, Step 3: sends {α1, α2, …, αt} to Alice
Alice, Step 1: computes β1 = α1^d = r1^{ed} · T1^d = r1 · T1^d mod N, …, βt = αt^d = rt^{ed} · Tt^d = rt · Tt^d mod N
Alice, Step 2: sends {β1, β2, …, βt} to Bob
Bob, Step 1: d1 = r1^{-1} · β1 = T1^d = d1^{ed} mod N, …, dt = rt^{-1} · βt = Tt^d = dt^{ed} mod N
Bob, Step 2: b1 = C mod d1, b2 = C mod d2, …, bt = C mod dt
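The CRT example and the t-out-of-n oblivious transfer steps above, carried through end to end as an added example (not code from the thesis). The example makes the following assumptions of its own: N is an RSA modulus p·q with constructed small primes p = 104729 and q = 1299709 and d = e^{-1} mod (p-1)(q-1) (the slides list N as a large prime); the n messages are integers each smaller than its modulus di, so that bi = C mod di returns ai exactly; the identities IDi are simply 1..n; the "stock quote" values and the moduli are constructed sample data; the class names Alice and Bob and the method names are the example's own.

```python
import random
from functools import reduce
from math import gcd


def crt(residues, moduli):
    """Solve C ≡ a_i (mod d_i) for pairwise coprime d_i: C = Σ (D/d_i)·y_i·a_i mod D."""
    D = reduce(lambda x, y: x * y, moduli)
    C = 0
    for a, d in zip(residues, moduli):
        Di = D // d
        yi = pow(Di, -1, d)            # (D/d_i)·y_i ≡ 1 (mod d_i)
        C += Di * yi * a
    return C % D


class Alice:
    """Sender: holds n messages a_i, each stored as the residue of C modulo d_i."""

    def __init__(self, messages, moduli, p, q, e=65537):
        for i, x in enumerate(moduli):
            assert all(gcd(x, y) == 1 for y in moduli[i + 1:]), "d_i must be pairwise coprime"
        assert all(a < d for a, d in zip(messages, moduli)), "a_i must be smaller than d_i"
        self.N, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))     # ed ≡ 1 (mod ψ(N)); RSA modulus assumed here
        self.C = crt(messages, moduli)             # Step 1
        # Steps 2 and 3: publish C and the pairs (ID_i, T_i) with T_i = d_i^e mod N
        self.board = [(i + 1, pow(di, e, self.N)) for i, di in enumerate(moduli)]

    def respond(self, alphas):
        """β_j = α_j^d mod N; the blinding hides which T_j each α_j was built from."""
        return [pow(alpha, self.d, self.N) for alpha in alphas]


class Bob:
    """Receiver: recovers exactly the t moduli he asked for, hence exactly t messages."""

    def __init__(self, N, e, rng=random):
        self.N, self.e, self.rng = N, e, rng
        self.blinders = []

    def request(self, board, wanted_ids):
        """Steps 1-3: pick (ID_j, T_j), blind each as α_j = r_j^e · T_j mod N."""
        lookup = dict(board)
        alphas = []
        for j in wanted_ids:
            r = self.rng.randrange(2, self.N)
            while gcd(r, self.N) != 1:             # r_j must be invertible mod N
                r = self.rng.randrange(2, self.N)
            self.blinders.append(r)
            alphas.append(pow(r, self.e, self.N) * lookup[j] % self.N)
        return alphas

    def recover(self, C, betas):
        """d_j = r_j^-1 · β_j mod N (= d_j^(ed) mod N), then b_j = C mod d_j."""
        out = []
        for r, beta in zip(self.blinders, betas):
            dj = pow(r, -1, self.N) * beta % self.N
            out.append(C % dj)
        return out


def demo():
    prices = [512, 730, 98, 255, 400]          # constructed sample "stock quotes" (n = 5)
    moduli = [1009, 1013, 1019, 1021, 1031]    # constructed pairwise coprime d_i, each > a_i
    alice = Alice(prices, moduli, p=104729, q=1299709)   # constructed small primes
    bob = Bob(alice.N, alice.e, random.Random(7))
    alphas = bob.request(alice.board, [2, 4])  # Bob wants the messages with ID 2 and ID 4 (t = 2)
    betas = alice.respond(alphas)
    return bob.recover(alice.C, betas)         # [730, 255]
```

crt([2, 3, 3], [3, 5, 7]) gives the slide's CRT example its answer, 38, and demo() returns [730, 255]: Bob obtains the two messages he chose and only those, while Alice receives only the blinded values α_j. The moduli in demo() are tiny so that the arithmetic is easy to follow; Alice's privacy rests on Bob not being able to recover an unrequested d_i from T_i = d_i^e mod N, so in use the d_i need to be large and unpredictable.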
Comparisons
  Scheme                       | Alice       | Bob
  Naor and Pinkas's (t times)  | 4(t·n) exp  | 4t exp
  Wakaha and Ryota's           | 4n exp      | (3t + 1) exp
  Ours                         | (n + t) exp | t exp
Conclusions and Future Works
  Authentication: GSM, ad hoc networks, 3G, …
  Electronic commerce: electronic voting, oblivious transfer, electronic lottery
Security Technologies on Wireless Communications and Applications in Electronic Commerce
Thanks!