Author: Yi-Pin Liao, Shuenn-Shyang Wang

A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves. Author: Yi-Pin Liao, Shuenn-Shyang Wang. Source: Computer Communications, Vol. 33, 2010, pp. 372-380. Presenter: Tsuei-Hung Sun (孫翠鴻). Date: 2010/9/1


Page 1: Author: Yi-Pin Liao, Shuenn-Shyang Wang


A new secure password authenticated key agreement scheme for SIP using self-certified public keys on elliptic curves

Author: Yi-Pin Liao, Shuenn-Shyang Wang

Source: Computer Communications, Vol. 33, 2010, pp. 372-380

Presenter: Tsuei-Hung Sun (孫翠鴻)

Date: 2010/9/1

Page 2: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Outline

• Introduction

• Motivation

• Scheme

• Security analysis

• Performance evaluation

• Advantage vs. weakness

• Comment

Page 3: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Introduction

• Related work

– Public Switched Telephone Networks (PSTNs)

– Voice over Internet Protocol (VoIP)

– Session Initiation Protocol (SIP)

Page 4: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Introduction

• Network entities in SIP

– User agent

– Proxy server

– Redirect server

– Registrar server

• Security in SIP

– end-to-end: certificates, PKI.

– hop-by-hop: IPsec, TLS.

IPsec: Internet Protocol Security

TLS: Transport Layer Security

Page 5: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Introduction

[Figure: SIP session between the user agent client (UAC) and the user agent server (UAS). Labels: INVITE message (three hops), redirect server, DNS lookup, ask Bob's IP, RING and OK message, ACK message, media session, BYE message, OK message.]

Page 6: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Introduction

• SIP authentication scheme

– HTTP Digest authentication protocol

  • does not provide security at an acceptable level.

– S/MIME (Secure/Multipurpose Internet Mail Extensions)

  • requires users' certificates

  • no consolidated authority

– SIP over SSL (SIPL)

  • requires the end user's certificate

  • increases the workload of SIP proxy servers.

Page 7: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Introduction

Fig. HTTP Digest authentication scheme for SIP-based service.

Page 8: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Motivation

• HTTP Digest authentication protocol flaws

– Lack of mutual authentication between the client and the server.

– Requires a previously configured password table, so it cannot be applied to different network domains.

– The header field of the SIP message.

• Goal

– No need for any password table.

– Achieves mutual authentication for communicating parties with different SIP domains.

– Change password quickly and securely.

Page 9: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Scheme - Setup

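TA:

S1. Randomly select $s_T \in Z_q^*$.

S2. Compute $PK_T = s_T P$.

S3. Publish $(G_1, q, P, PK_T, h, H_1, H_2)$.

Server $S_j$ $(SID_j)$:

S4. Select $k_j \in Z_q^*$ and compute $K_j = k_j P$.

S5. Send $(SID_j, K_j)$ to TA over a secure channel.

TA:

S6. Randomly select $r_j$ and compute $R_j = r_j P + K_j$ and $\bar{s}_j = h(SID_j \| R_{jx})\, s_T + r_j$.

S7. Send $(R_j, \bar{s}_j)$ to $S_j$ over a secure channel.

Server $S_j$:

S8. Compute $s_j = \bar{s}_j + k_j$ and $PK_j = s_j P$.

Notation:

TA: trusted authority

$G_1$: an additive cyclic group of prime order $q$

$P$: generator of group $G_1$

$h(\cdot)$: the secure one-way hash function $\{0,1\}^* \to \{0,1\}^n$, where $n$ is the length of the output

$H_1(\cdot)/H_2(\cdot)$: the suitable key derivation functions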

Page 10: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Scheme - Registration

Fig. The registration phase of the user client (messages exchanged over a secure channel).

Page 11: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Scheme - Mutual authentication and session key agreement

[Figure: mutual authentication and session key agreement, carried out over a public channel.]

Page 12: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Scheme - Password change

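Step 1:

Compute $s_i^*$ from $m_i$ and $h(\cdot)$ applied to $UPW_i^*$ and $K_{ix}$.

Check $PK_i \stackrel{?}{=} s_i^* P$.

Equal: continue; not equal: stop.

Step 2:

Change password: enter the new password $UPW_i^{new}$ and compute $m_i^{new}$ from $s_i$ and $h(\cdot)$ applied to $UPW_i^{new}$ and $K_{ix}$.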

Page 13: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Security analysis

• Replay attack

• Forgery attack

• Offline password guessing attack

• Man-in-the-middle attack

• Insider attack

• Signaling attack

• Session key security

– Known-key security

– Perfect forward secrecy

Page 14: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Performance evaluation

$T_h$: the time spent in a simple hashing operation; $T_{aec}$: the time spent in point addition on the elliptic curve; $T_{mec}$: the time spent in scalar multiplication on the elliptic curve.

Table. The performance evaluation of our scheme. [Table contents not recovered; surviving cell fragments: $T_{mec}$, $T_h$; $6T_h$.]

Page 15: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Performance evaluation

[3] J. Franks et al., HTTP Authentication: Basic and Digest Access Authentication.

[9] C.C. Yang et al., Secure authentication scheme for session initiation protocol.

[10] Jared Ring, Kim-Kwang Raymond Choo, Ernest Foo, Mark Looi, A new authentication mechanism and key agreement protocol for SIP using identity-based cryptography.

[11] F. Wang, Y. Zhang, A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography.

[12] D. Geneiatakis, C. Lambrinoudakis, A lightweight protection mechanism against signaling attacks in a SIP-Based VoIP environment.

[13] L. Wu et al., A new provably secure authentication and key agreement protocol for SIP using ECC.

Page 16: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Advantage vs. weakness

• Advantage

– Achieves mutual authentication and session key agreement.

– Does not need to maintain any password or verification table in the server.

– Prevents various possible attacks induced by open networks and the standard of SIP message.

– Can be applied to authenticate users with different SIP domains.

– Lets users update their password quickly and securely.

– Avoids the key escrow problem.

• Weakness

– If the user's password is leaked and the smart card is lost, all secret parameters stored in the smart card are exposed.

Page 17: Author: Yi-Pin Liao, Shuenn-Shyang Wang


Comment

• This paper lets SIP messages achieve mutual authentication, but it runs between server and user, not end-to-end.

• The header field of a SIP message contains some personal or other confidential information. This paper does not protect it, but [12] proposed the Integrity-Auth header to solve this.