Elsevier

Computers & Security

Volume 27, Issues 5–6, October 2008, Pages 216-223

Practical anonymous user authentication scheme with security proof

https://doi.org/10.1016/j.cose.2008.05.004

Abstract

An authenticated key distribution scheme that preserves user anonymity is important to e-commerce applications where user anonymity is required or desirable. However, previous works on this issue have security flaws. This paper shows the security weaknesses of a recently published scheme and then proposes a new scheme that not only overcomes those weaknesses but also improves computational performance. The security of the proposed scheme is rigorously examined in a modified Bellare–Rogaway model.

Introduction

In distributed computing environments, entity authentication is crucial to prevent unauthorized entities from obtaining system resources. Usually, the authentication process involves the exchange of the entities' identities, authenticated key generation, and so on (Hwang et al., 2004; Tseng and Jan, 1998). However, in some applications it is desirable or even necessary to maintain entity anonymity (Chien, 2007; Chien and Chen, 2005; Lee and Chang, 2000; Yang et al., 2004; Yoon and Yoo, 2005; Lu et al., 2007), because a great deal of sensitive information, such as an entity's identification, its movements, individual preferences or web surfing patterns, can be collected if the entities' identifications are not protected during the authentication process. Therefore, schemes that do not preserve user anonymity do not apply well to environments where the protection of entities' identities is required.

In this paper, we address the anonymity issue of two-party key agreement schemes. In the rest of this paper, we call the initiator of a two-party key agreement protocol the client, the responder the server, and any entity other than the two communicating parties of a specific protocol instance an outsider. According to the degree of entity anonymity required, we classify two-party key agreement schemes into the following four types.

Type 1: the anonymity of neither communicating party is required. This type corresponds to conventional two-party key agreement schemes such as those in Hwang et al. (2004) and Tseng and Jan (1998).

Type 2: the client's identity is protected from outsiders, but the anonymity of the server is not required. Schemes such as that in Chien and Chen (2005) belong to this type. This scenario arises where the servers have well-known IP addresses or domain names on the Internet but the clients want to remain anonymous when they access the service.

Type 3: the client's identity is protected from outsiders, and the anonymity of the server is protected only from unregistered entities. A typical scenario is a mission-oriented ad hoc network, in which the clients and the servers want to protect their identities from outsiders, while all pre-registered clients know the IP address or MAC address of the servers. Recently published works such as Lee and Chang (2000), Yang et al. (2004) and Yoon and Yoo (2005) can be classified as this type.

Type 4: both the anonymity of the client and that of the server are protected from outsiders (Lu et al., 2007), and no a priori information about the identity of the communicating party is known when the client and the server start the protocol.

Table 1 summarizes the classification of two-party key agreement schemes according to the anonymity property.

This paper focuses on the schemes of Type 3. The schemes in Lee and Chang (2000), Yang et al. (2004) and Yoon and Yoo (2005) belong to this type. Lee and Chang (2000) proposed a user identification and key distribution scheme with user anonymity based on the difficulty of factorization and on one-way hash functions. However, security weaknesses of the Lee–Chang scheme have been reported, and Yang et al. (2004) proposed a new efficient scheme to enhance security. Recently, Yoon and Yoo (2005) showed that all the previous schemes (Lee and Chang, 2000; Yang et al., 2004) are vulnerable to security attacks, and proposed their improved scheme, which has the following merits: (1) user anonymity is preserved; (2) each user only needs to maintain one secret; (3) the service provider is not required to keep a password file for the users; (4) no master key updating is needed if a new service provider is added to the system.

However, we find that none of the above-mentioned schemes is secure. In addition to the reported weaknesses, this paper will point out that even the Yoon–Yoo scheme fails to preserve client anonymity: an attacker can use the public parameters to verify a guessed client identity. We refer to this attack as the identity guessing attack, in which the attacker enumerates all possible identities of the target and then verifies each guess against the eavesdropped communications. Like passwords, identities are low-entropy information, so it is feasible for an attacker to enumerate all possible passwords or all possible identities of a target and iteratively pick one candidate password or identity to launch his attack. In the well-known password guessing attacks (Ding and Horster, 1995; Halevi and Krawczyk, 1998) against password-based key exchange, the attacker enumerates all possible passwords, iteratively picks one guessed password, and then verifies his guess. Therefore, one key issue in designing secure password-based key exchange is to deny the attacker any way of verifying a guess from the public parameters and the transmissions, even if the attacker has picked the right password. During the past few years, password guessing threats and the techniques that deter them have been well studied (Ding and Horster, 1995; Halevi and Krawczyk, 1998; Chien et al., 2005); however, to the best of our knowledge, this is the first work to highlight the identity guessing attack and to prove security against it in a formal model. The reason is that conventional key exchange schemes do not consider user anonymity, and only very few works (Chien, 2007; Lu et al., 2007) have begun to address anonymity and movement-pattern privacy in mobile environments.

To raise the level of security, we propose a new anonymous user identification and key agreement scheme and prove its security in a modified Bellare–Rogaway model. The Bellare–Rogaway model (Bellare and Rogaway, 1995; usually called the BR95 model) and the Bellare–Pointcheval–Rogaway model (Bellare et al., 2000; usually called the BPR2000 model) are well-known models for defining the security of key exchange schemes. These models consider the indistinguishability of the session key. Put simply, after modeling the attacker's capability to launch various attacks, the attacker is given either the real session key or a random key from the same key space, and the model tests the attacker's ability to tell the two apart. However, these models do not consider anonymity. We therefore prove security in a modified model. In the modified model, the adversary cannot fully control the communication, since an outsider cannot learn the identities of the communicating entities and hence cannot fully control the partnership; the security of anonymity is modeled as the adversary's ability to distinguish the real identity from a random one drawn from the same identity space. Based on the FAC problem and the CDHP_N problem (defined in Section 3), we prove both the indistinguishability of the session key and the anonymity property in our modified model.
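As an added illustration of the identity guessing attack and of the anonymity experiment described above (this is example code written for this page, not code from the paper, and it is not the Yoon–Yoo scheme, whose messages are not reproduced here), the following Python compares a hypothetical login message that leaks the client identity to an offline guess-and-verify attack against a masked variant in which the only verification function requires a secret the outsider does not hold. It then runs a left-or-right anonymity experiment in the spirit of the modified model. The identity space, both message formats, and the toy Diffie–Hellman parameters (p = 2^255 - 19, g = 2, no subgroup checks) are assumptions made for the example.

```python
"""Identity guessing attack on a hypothetical anonymous login message, and a
masked variant that removes the offline verification oracle.

Added example: NOT the Yoon-Yoo scheme or the paper's scheme.  The message
formats, the identity space and the DH parameters are constructed for
illustration only."""
import hashlib
import hmac
import random
import secrets

# Constructed low-entropy identity space (assumption): 10 000 employee-style IDs.
IDENTITY_SPACE = [f"user{i:04d}" for i in range(10_000)]

# Toy Diffie-Hellman parameters (assumption): prime field p = 2^255 - 19, g = 2,
# with no subgroup checks.  Use a standardized group in real code.
P = 2**255 - 19
G = 2
SERVER_PRIV = secrets.randbelow(P - 2) + 1
SERVER_PUB = pow(G, SERVER_PRIV, P)   # known to every registered client (Type 3 setting)


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so (a, b) and (a', b') cannot collide by splitting."""
    return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


def xor_mask(data: bytes, key: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(data, key))


# --- Leaky (hypothetical) format: client sends (nonce, H(ID, nonce)). ---------
# Anyone who sees the transcript can test a guessed ID against the tag.
def leaky_login(identity: str) -> dict:
    nonce = secrets.token_bytes(16)
    return {"nonce": nonce, "tag": h(identity.encode(), nonce)}


def identity_guessing_attack(msg: dict, candidates):
    """Offline identity guessing: enumerate the identity space and verify each
    guess against the eavesdropped (nonce, tag).  Needs no secret at all."""
    for cand in candidates:
        if hmac.compare_digest(h(cand.encode(), msg["nonce"]), msg["tag"]):
            return cand
    return None


# --- Masked format: the ID and the tag are keyed with g^{as}, which only the
# server (holder of s) can derive from the ephemeral g^a.  An outsider has no
# function of public values alone that confirms a guessed ID.
def masked_login(identity: str) -> dict:
    a = secrets.randbelow(P - 2) + 1
    k = pow(SERVER_PUB, a, P).to_bytes(32, "big")        # g^{as}
    nonce = secrets.token_bytes(16)
    id_blob = identity.encode().ljust(32, b"\0")          # fixed length hides ID length
    enc_id = xor_mask(id_blob, h(k, nonce, b"mask"))
    tag = h(k, nonce, id_blob)                            # binds the ID to this session key
    return {"nonce": nonce, "eph": pow(G, a, P), "enc_id": enc_id, "tag": tag}


def server_identify(msg: dict):
    """Server side: reject trivial ephemerals, derive k = (g^a)^s, unmask the ID
    and check the tag.  Returns the identity, or None if verification fails."""
    if not 1 < msg["eph"] < P - 1:
        return None
    k = pow(msg["eph"], SERVER_PRIV, P).to_bytes(32, "big")
    id_blob = xor_mask(msg["enc_id"], h(k, msg["nonce"], b"mask"))
    if not hmac.compare_digest(h(k, msg["nonce"], id_blob), msg["tag"]):
        return None
    return id_blob.rstrip(b"\0").decode()


# --- Anonymity experiment in the spirit of the modified BR model (left-or-right
# formulation): the adversary sees a transcript produced for id_b, where b is a
# hidden bit and id_0, id_1 are two identities from the same space, and must
# output b.  A success rate of 1/2 means no advantage.
def anonymity_game(login, adversary, trials: int = 400, seed: int = 1) -> float:
    rng = random.Random(seed)          # seeded only to make the challenge sequence reproducible
    wins = 0
    for _ in range(trials):
        id0, id1 = rng.sample(IDENTITY_SPACE, 2)
        b = rng.getrandbits(1)
        wins += adversary(login((id0, id1)[b]), id0, id1) == b
    return wins / trials


def offline_check_adversary(msg: dict, id0: str, id1: str) -> int:
    """Runs the identity guessing attack on the two candidates; guesses 0 if it fails."""
    found = identity_guessing_attack(msg, [id0, id1])
    return 0 if found is None else (id0, id1).index(found)


if __name__ == "__main__":
    victim = "user0042"
    print("leaky transcript  ->", identity_guessing_attack(leaky_login(victim), IDENTITY_SPACE))
    print("masked transcript ->", identity_guessing_attack(masked_login(victim), IDENTITY_SPACE))
    print("server recovers   ->", server_identify(masked_login(victim)))
    print("adversary success, leaky :", anonymity_game(leaky_login, offline_check_adversary))
    print("adversary success, masked:", anonymity_game(masked_login, offline_check_adversary))
```

The structural point is the one the paragraph makes for passwords: whatever the transcript contains must not be a function of the identity and public data alone. A hashed identity, an identity encrypted under a long-term key that is itself public, or an identity-derived public value all reintroduce the offline oracle; here the oracle needs g^{as}, which an eavesdropper (and, because the client uses the server's static public key, an active impostor without s) cannot compute. The toy group, the zero padding and the absence of key confirmation are simplifications for the demonstration and are not a substitute for a scheme with a proof.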

The rest of the paper is organized as follows. Section 2 reviews the Yoon–Yoo scheme and points out the weaknesses. Section 3 presents our protocol, which is followed by the security proofs and the performance analysis in Section 4. Finally, Section 5 states our conclusions.


Weakness of the Yoon–Yoo scheme

In this section, we first review the Yoon–Yoo scheme, and then show the security weakness.

The proposed scheme

We first review some hard problems, and then propose our new scheme.

Definition 1 Factorization (FAC) problem

Let N = pq and gcd(e, ϕ(N)) = 1, where p and q are random safe primes. Given y ∈ Z_N, it is computationally intractable to derive x such that y = x^e mod N with knowledge of only e and N. (Note that, as stated, this is the RSA inversion problem rather than factoring itself; it is no harder than factoring N, since knowing p and q gives d = e^(-1) mod ϕ(N) and hence x = y^d mod N.)

Definition 2

Discrete logarithm problem over ZN (DLP_N)

Let N = pq and g be a primitive root for both Z_p and Z_q, where p and q are random safe primes. Given y = g^x mod N ∈ Z_N, it is computationally intractable to derive x.

Definition 3

Computational Diffie–Hellman problem over ZN (CDHP_N)

Let N = pq and g be a primitive root for both Zp and Zq, where p and q are randomly safe

Security notations and proofs

In this subsection, we first define the security notions of a secure anonymous two-party key agreement scheme, and then prove the security of our proposed scheme. The security of the proposed scheme concerns both the privacy of the authenticated session key and the privacy of the identities of the communicating parties.

Conclusion

In this paper, we have pointed out the weakness of the Yoon–Yoo scheme: its failure to preserve user anonymity. To overcome the weaknesses shared by all the previous schemes, we have proposed a new scheme that achieves authenticated key exchange and preserves user anonymity. Our proposed scheme is also more efficient than the Yoon–Yoo scheme in terms of computational complexity, and its security is proved in a modified Bellare–Rogaway model.

Acknowledgments

This research is partially supported by National Science Council with project number NSC95-2221-E-260-050-MY2.



Hung-Yu Chien received the B.S. degree in Computer Science from NCTU, Taiwan, in 1988, the M.S. degree in Computer and Information Engineering from NTU, Taiwan, in 1990, and the doctoral degree in applied mathematics from NCHU in 2002. He was an assistant researcher at TL, MOTC, Taiwan, during 1992–1995, director of the Computer Center at Nan-Kei College, and an associate professor at ChaoYang University of Technology during 2003/09–2006/09. He is now an associate professor at National Chi Nan University, a member of the Chinese Association for Information Security, and a member of the IEEE, the IEICE and the ACM. His research interests include cryptography, networking and network security.
