Transcript 投影片

A new secure password authenticated key
agreement scheme for SIP using
self-certified public keys on elliptic curves
Author: Yi-Pin Liao, Shuenn-Shyang Wang
Source: Computer Communications, Vol. 33, 2010, pp. 372-380
Presenter: Tsuei-Hung Sun (孫翠鴻)
Date: 2010/9/1
1
Outline
•
•
•
•
•
•
•
Introduction
Motivation
Scheme
Security analysis
Performance evaluation
Advantage vs. weakness
Comment
2
Introduction
• Related work
– Public Switched Telephone Networks (PSTNs)
– Voice over Internet Protocol (VoIP)
– Session Initial Protocol (SIP)
3
Introduction
• Network entities in SIP
–
–
–
–
User agent
Proxy server
Redirect server
Registrar server
• Security in SIP
– end-to-end: certificates, PKI.
– hop-by-hop: IPsec, TLS.
IPsec: Internet Protocol Security (IPsec)
TLS: Transport Layer Security
4
Introduction
Redirect
server
DNS lookup
Ask Bob’s ip
INVITE
message
RING and OK
message
INVITE
message
INVITE
message
ACK massage
Media Session
BYE message
(user agent client, UAC)
OK message
(user agent server, UAS)
5
Introduction
• SIP authentication scheme
– HTTP Digest authentication protocol
• not providing security at an acceptable level.
– S/MIME (Secure/Multipurpose Internet Mail Extensions)
• user’s certificates
• no consolidated authority
– SIP over SSL (SIPL)
• requires end user’s certificate
• increase the workload of SIP proxy servers.
6
Introduction
7
Fig. HTTP Digest authentication scheme for SIP-based service.
Motivation
• HTTP Digest authentication protocol flaw
– Lack of mutual authentication between the client and the
server.
– Previously configure password table, and it cannot apply to
different network domains.
– The header filed of SIP message.
• Goal
– No need any password table.
– Achieves mutual authentication for communication parties
with different SIP domains.
– Change password quickly and securely.
8
Scheme - Setup
Public
TA
S3.publish (G1 , q, P, PKT , h, H1, H 2 )
S1. random select ST  Z q*
S2. PKT  ST  P
Server S j ( SID j )
*
S4. k j  Z q , K j  k j  P
S5. send ( SID j , K j ) to TA
S6. random select r j
and compute
Secure channel
R j  rj  P  K j
s j  h( SID R jx )  sT  rj
j
S7. send ( R j , s j ) to S j
Secure channel
S8. s j  s j  k j
PK j  s j  P
TA: trust authority G1: An additive cycle group of a prime order q. P: Generator of group G1
h () : The secure one way hash function {0,1}*  {0,1}n , where n is the length of output.
9
H1 () / H 2 () :The suitable key derivation functions
Scheme - Registration
Secure channel
Secure channel
Fig. The registration phase of the user client.
10
Scheme - Mutual authentication and
session key agreement
public channel
11
Scheme - Password change
Step 1:
*
*
x
s

m

h
(
UPW
K
Compute i
i
i
i )
Check PK i  ? si*  P
equal: continue not equal: stop.
Step 2:
change password, enter new password and UPWi new
new
new
x
m

s

h
(
UPW
K
compute i
i
i
i )
12
Security analysis
•
•
•
•
•
•
•
Replay attack
Forgery attack
Offline password guessing attack
Man-in-the-middle attack
Insider attack
Signaling attack
Session key security
– Known-key security
– Perfect forward secrecy
13
Performance evaluation
Table. The performance evolution of our scheme.
Th  Tmec
6Th
Th: the time spent in simple hashing operation;
Taec: the time spent in point addition of elliptic curve;
Tmec: the time spent in scalar multiplication of elliptic curve.
14
Performance evaluation
[3] J. Franks et al., HTTP Authentication: Basic and Digest Access Authentication.
[9] C.C. Yang et al., Secure authentication scheme for session initiation protocol.
[10] Jared Ring, Kim-Kwang Raymond Choo, Ernest Foo, Mark Looi, A new authentication mechanism and key
agreement protocol for SIP using identity-based cryptography.
[11] F. Wang, Y. Zhang, A new provably secure authentication and key agreement mechanism for SIP using
certificateless public-key cryptography.
[12] D. Geneiatakis, C. Lambrinoudakis, A lightweight protection mechanism against signaling attacks in a SIP-Based
VoIP environment.
15
[13] L. Wu et al., A new provably secure authentication and key agreement protocol for SIP using ECC.
Advantage vs. weakness
• Advantage
– Achieves mutual authentication and session key agreement.
– Does not need to maintain any password or verification
table in the server.
– Prevents various possible attacks induced by open networks
and the standard of SIP message.
– Can be applied to authenticate the users with different SIP
domains.
– Provides users to update password quickly and securely.
– Avoid key escrow problem.
• Weakness
– If user’s password is leaked and smart card loss, all stored
in the smart card secret parameters are exposed.
16
Comment
• This paper let SIP message achieve mutual
authentication, but it is run between server and user,
not end-to-end.
• The header filed of SIP message contain some content
of individuals or other confidential information. This
paper dose not protect them, but [12] proposed the
Integrity-Auth header to solve.
17