Client-Server Setting
HOU Meng-bo , XU Qiu-liang
School of Computer Science and Technology, Shandong University, Jinan, 250101, China
houmb@sdu.edu.cn; xuqiuliang@sdu.edu.cn
Abstract
E-learning communication security should be considered to ensure sensitive message transmission. An authenticated key agreement protocol in the client-server setting is the fundamental building block for ensuring client-server entity authentication, data confidentiality and integrity. So far, a great many two-party authenticated key agreement protocols have been proposed based on traditional public key cryptography and identity-based cryptography, but certificateless-based authenticated key agreement protocols are seldom discussed. In this paper, we propose such a secure protocol from a certificateless public key encryption scheme due to Park et al. Compared to other comparable protocols, it achieves more security attributes, such as no key escrow, perfect forward secrecy, known session-specific temporary information security and no key control. Meanwhile, it keeps nice efficiency.
1. Introduction
E-learning applications should provide security mechanisms to ensure secure communication between two parties (such as the clients and servers) over an open network. A two-party authenticated key agreement (AK) protocol is a fundamental cryptographic building block for such a setting. It not only allows the parties to compute a session key known only to them, for subsequent session data confidentiality and integrity, but also ensures the authenticity of the parties. An AK protocol provides key confirmation if one entity is assured that the partner entity possesses the secret key. A key agreement protocol that provides mutual key authentication as well as mutual key confirmation is called an authenticated key agreement protocol with key confirmation (AKC). Each AK protocol can be transformed into an AKC protocol.
978-1-4244-3930-0/09/$25.00 2009 IEEE
2. Preliminaries
2.1. Desirable security attributes of AK (or AKC) protocols
It is desirable for AK and AKC protocols to possess
the following security attributes [8].
1) Known-key secrecy. Each run of the protocol
should result in a unique secret session key. The
disclosure of one session key should not compromise
other session keys.
2) Forward secrecy. If long-term private keys of
one or more of the entities are compromised, the
secrecy of previously established session keys should
not be affected. We say that a system has perfect
forward secrecy if the long-term keys of all the
entities involved may be corrupted without
compromising any session key previously established
by these entities.
3) PKG forward secrecy. In identity-based systems, the PKG's master key may be corrupted without
Informally, we can also say that the decision qBDHI problem in G1 refers to the problem where given
a tuple ( g , g , g ,..., g ( ) , T ) G1q +1 G2 for a random
Z *p , a polynomial-time attacker E is to decide
Y_ID = u^{x_ID} and x_ID.
Encryption: The sender picks r ∈ Z_p^* randomly, ID and g_T = e(g, g).
Key Agreement. The client and the server run the following protocol to establish a shared session key sk with implicit key authentication. The protocol is a 2-pass procedure; the details are as follows.
1) The client picks r_c ∈_R Z_p^* and computes
   T_c1 = T_c11 || T_c12, where T_c11 = g_s^{r_c}, T_c12 = g_T^{r_c},
   T_c2 = e(T_s11, h_c) · (T_s12)^{s_c} · e(g, h)^{r_c},
   T_c3 = (T_s12)^{r_c} = e(g, g)^{r_c r_s},
   T_c4 = Y_s^{x_c} = u^{x_c x_s},
   sk_c = H(ID_c || ID_s || T_c1 || T_s1 || T_c2 || T_c3 || T_c4).
   T_s4 = Y_c^{x_s} = u^{x_s x_c},
   sk_s = H(ID_c || ID_s || T_c1 || T_s1 || T_s2 || T_s3 || T_s4).
Correctness verification. At the end of the protocol execution, the client and the server will agree on the same session key, for
   T_c2 = e(T_s11, h_c) · (T_s12)^{s_c} · e(g, h)^{r_c}
        = e(g_c^{r_s}, (h g^{s_c})^{1/(ID_c)}) · (g_T^{r_s})^{s_c} · e(g, h)^{r_c}          (1)
        = e(g^{r_s}, g^{s_c}) · e(g^{r_s}, h) · e(g, g)^{r_s s_c} · e(g, h)^{r_c}
        = e(g, h)^{r_s + r_c},
   T_s2 = e(T_c11, h_s) · (T_c12)^{s_s} · e(g, h)^{r_s}
        = e(g_s^{r_c}, (h g^{s_s})^{1/(ID_s)}) · (g_T^{r_c})^{s_s} · e(g, h)^{r_s}          (2)
        = e(g^{r_c}, g^{s_s}) · e(g^{r_c}, h) · e(g, g)^{r_c s_s} · e(g, h)^{r_s}
        = e(g, h)^{r_c + r_s},
and T_c4 = T_s4 = u^{x_s x_c}.
From T_s11 and T_s12 we can calculate g^{r_s} = (T_s11)^{(ID_c)^{-1}}, and then g^{r_c} = (T_c11)^{(ID_s)^{-1}}; it can r_c, r_s, T_s1 will lead to T_c2 ≠ T_s2.
7) Known session-specific temporary information security. Compromising the short-term private keys of a session does not reveal the established key. In this scheme, obtaining the ephemeral values r_c and r_s of any session between the client and the server allows the adversary to compute T_c2 (or T_s2) and T_c3 (or T_s3), but not T_c4 (or T_s4), so the scheme achieves this security attribute.
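The following is an added example, not code from the paper or from Park et al.: an exponent-tracking model of the 2-pass protocol above that checks the algebra of the correctness verification (equations (1) and (2)) and of attribute 7. It assumes a toy prime group order P, a Gentry-style partial private key h_ID = (h g^{-s_ID})^{1/(alpha - ID)} with g_ID = g^{alpha - ID} (the extracted text loses the signs, so this form is inferred from the final equality T_2 = e(g, h)^{r_s + r_c}), SHA-256 as H, and hashing over the exponent encodings rather than over group-element encodings; all these are assumptions. Every G1 element is stored as its log to g and every G_T element as its log to g_T = e(g, g), so the pairing is multiplication of exponents. The model has no cryptographic strength of its own; it only shows that both sides derive the same key and that an adversary holding r_c and r_s recomputes T_2 and T_3 but has no input from which to form T_4 = u^{x_c x_s}.

```python
"""Exponent-tracking model of the two-pass certificateless AK protocol.

Added example, not the paper's code. G1 elements are stored as logs to g,
G_T elements as logs to g_T = e(g, g), so e(g^a, g^b) = g_T^{ab} becomes
multiplication of exponents mod P. This checks algebra only; every log is
known to the model by construction, so it has no cryptographic strength.
"""
import hashlib
import secrets

P = (1 << 127) - 1      # constructed toy group order (a prime); not the paper's parameters


def _rand():
    return 1 + secrets.randbelow(P - 1)


def setup():
    """KGC setup: 'alpha' is the master secret, 'h' and 'u' are logs of the
    public elements h, u. ASSUMPTION: g_1 = g^alpha as in Gentry-style schemes."""
    return {"alpha": _rand(), "h": _rand(), "u": _rand()}


def g_id(params, ident):
    """Identity element g_ID = g^(alpha - ID) (ASSUMPTION on the exact form)."""
    return (params["alpha"] - ident) % P


def partial_key(params, ident):
    """KGC-issued partial private key (s_ID, h_ID).
    ASSUMPTION: h_ID = (h * g^(-s_ID))^(1/(alpha - ID)); this sign placement is
    what makes T_2 equal e(g, h)^(r_s + r_c) in the correctness argument."""
    s = _rand()
    h_id = (params["h"] - s) * pow(g_id(params, ident), -1, P) % P
    return s, h_id


def user_key(params):
    """User-chosen secret x_ID and public value Y_ID = u^x_ID (log form)."""
    x = _rand()
    return x, params["u"] * x % P


def pair(a, b):
    """e(g^a, g^b) = g_T^(a*b), in log form."""
    return a * b % P


def kdf(*parts):
    """sk = H(ID_c || ID_s || T_c1 || T_s1 || T_2 || T_3 || T_4); SHA-256 assumed for H."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()


def first_pass(params, peer_id):
    """Pick r and send T_1 = (T_11, T_12) = (g_peer^r, g_T^r)."""
    r = _rand()
    return r, (g_id(params, peer_id) * r % P, r)


def finish(params, r, s_me, h_me, x_me, peer_t1, y_peer):
    """A party's (T_2, T_3, T_4) from its own keys, its ephemeral r, the peer's
    first-pass message and the peer's public Y."""
    t11, t12 = peer_t1
    t2 = (pair(t11, h_me) + t12 * s_me + params["h"] * r) % P   # e(T_11, h_ID) * T_12^s_ID * e(g,h)^r
    t3 = t12 * r % P                                           # T_12^r = e(g,g)^(r r')
    t4 = y_peer * x_me % P                                     # Y_peer^x = u^(x x')
    return t2, t3, t4


def run_protocol(params, id_c, id_s):
    """Full run; returns both session keys, the public transcript, the
    ephemerals (r_c, r_s) and the client's (T_c2, T_c3, T_c4)."""
    s_c, h_c = partial_key(params, id_c)
    s_s, h_s = partial_key(params, id_s)
    x_c, y_c = user_key(params)
    x_s, y_s = user_key(params)
    r_c, t_c1 = first_pass(params, id_s)
    r_s, t_s1 = first_pass(params, id_c)
    tc = finish(params, r_c, s_c, h_c, x_c, t_s1, y_s)
    ts = finish(params, r_s, s_s, h_s, x_s, t_c1, y_c)
    sk_c = kdf(id_c, id_s, t_c1, t_s1, *tc)
    sk_s = kdf(id_c, id_s, t_c1, t_s1, *ts)
    transcript = {"id_c": id_c, "id_s": id_s, "t_c1": t_c1, "t_s1": t_s1,
                  "y_c": y_c, "y_s": y_s, "e_g_h": params["h"]}  # e(g,h) is public
    return sk_c, sk_s, transcript, (r_c, r_s), tc


def keys_agree(params, id_c=7, id_s=11):
    """Correctness check: sk_c == sk_s, i.e. equations (1) and (2) hold."""
    sk_c, sk_s, *_ = run_protocol(params, id_c, id_s)
    return sk_c == sk_s


def ephemeral_leak_view(transcript, r_c, r_s, client_t):
    """Attribute 7: from the public transcript plus both ephemerals, an adversary
    recomputes T_2 = e(g,h)^(r_c + r_s) and T_3 = e(g,g)^(r_c r_s). T_4 = u^(x_c x_s)
    needs a long-term secret x, which this view does not contain."""
    t2, t3, _ = client_t
    t2_adv = transcript["e_g_h"] * (r_c + r_s) % P
    t3_adv = r_c * r_s % P
    return t2_adv == t2 and t3_adv == t3


if __name__ == "__main__":
    prm = setup()
    sk_c, sk_s, tr, (rc, rs), tc = run_protocol(prm, 7, 11)
    print("keys agree:", sk_c == sk_s)
    print("ephemeral leak recovers T2, T3:", ephemeral_leak_view(tr, rc, rs, tc))
```

Because the model multiplies exponents instead of evaluating a real bilinear map, it reproduces exactly the cancellation in equations (1) and (2): the e(g^{r_s}, g^{s_c}) factor from h_c and the (T_s12)^{s_c} factor cancel, leaving e(g, h)^{r_s + r_c}. Changing the sign assumption in partial_key makes keys_agree return False, which is a quick way to see why the two signs in the derivation must be opposite.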
8) Message independence. As an AK protocol, the flows of this scheme are unrelated, because r_c and r_s are selected by the client and the server independently.
Another problem that should be considered is the public key replacement attack. Under the security assurance of the underlying certificateless public key encryption scheme, the public key replacement attack cannot work.
The comparisons of security attributes with other certificateless AK protocols [1,4,5,6,9] and the identity-based AK protocol [15] are listed in Table 1 (Note. PFS: perfect forward secrecy; KCI-R: key-compromise impersonation; UKS-R: unknown key-share resilience; KSSTIS: known session-specific temporary information security; KRA-R: key replicating attack resilience).
Table 1. Security attribute comparisons of Scheme [1], Scheme [4], Scheme [5]*, Scheme [6], Scheme [9], Scheme [15] and the new scheme with respect to PFS, KCI-R, UKS-R, KSSTIS and KRA-R.
Table 2. Efficiency comparisons
                    Computational operations
Protocol        Pairing   Scalar multiplication   Exponentiation
Scheme [1]         4               2                    1
Scheme [4]         1               3                    0
Scheme [5]         1               2                    1
Scheme [6]         2               2                    1
Scheme [9]         2               3                    1
Scheme [15]        1               0                    4
New scheme         1               0                    6
Note. Pairing and scalar multiplication operation costs are much higher than exponentiation operations.
4.2. Efficiency
5. Conclusion
In this paper, we present a secure and efficient two-party authenticated key agreement protocol based on a secure certificateless encryption scheme, which can be properly used in the client-server e-learning setting to ensure secure communication. Security
Acknowledgment
References
[1] S.S. Al-Riyami and K.G. Paterson, Certificateless Public Key Cryptography, in C. S. Laih (ed.), Advances in Cryptology - ASIACRYPT 2003, Lecture Notes in Computer Science, Vol. 2894, Springer Berlin/Heidelberg, 2003, pp. 452-473.
[2] J. H. Park, K.Y. Choi, J.Y. Hwang, and D.H. Lee, Certificateless Public Key Encryption in the Selective-ID Security Model (without random oracles), in T. Takagi et al. (eds.), Pairing 2007, Lecture Notes in Computer Science, Vol. 4575, Springer Berlin/Heidelberg, 2007, pp. 60-82.