overhead on a resourceful user device to provide security with efficiency on resource-constrained sensor nodes. The user can also obtain an ID_i and R_i pair from the base station through any other means—e.g., the Internet—before making a query to I. Note that here ID_i and R_i are two identity elements of I and not the public keys, which is different from the traditional public key cryptosystem in which public keys are verified using signed certificates. Here, if someone tries to use a fake ID_i and R_i pair, he cannot generate a corresponding private key s_i, which is generated using Prk. Generating such a valid triplet without Prk would be equivalent to forging the Schnorr signature. This setup allows the construction of efficient pairing-free ID-based schemes and handles the problem of public keys/certificates.
5.3.5.5 Security Analysis
The security of this protocol is formally analyzed using the reductionist proof technique under the standard Computational Diffie-Hellman (CDH) assumption. By assuming that the CDH assumption holds in G, we show that the proposed protocol is secure in the ID-eCK model (Gorantla et al. 2008). Due to space limitations, the security model and rigorous proof are omitted in this chapter.
Here, we informally discuss five security attributes pertaining to the proposed
protocol.
Authentication. The proposed protocol provides the required authentication. There is only one message exchanged, and that is sent by the user. Authentication of that single message is achieved by the verification of the signature signed by the user. It is not feasible for an adversary to sign a message on behalf of a user without knowing the user's private key. Successful signature verification by the sensor node I proves that the ephemeral public key is actually sent by a legitimate user U. On the other side, S_i (= s_i P) computed from I's public information assures the user that the session key is, in fact, established with I. Only the sensor node I with the valid corresponding private key s_i can compute the same session key. Authentication avoids the chances of the adversary mounting a man-in-the-middle attack.
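As an added worked example (not code from the chapter), the setup above and the one-message authenticated exchange in Python over secp256k1. The Schnorr-style extraction R_i = r_i P, s_i = r_i + H(ID_i, R_i)·Prk is an assumed concrete form consistent with the text (the chapter does not spell it out here), and the function names `extract`, `public_key`, `user_initiate` and `node_respond` are mine.

```python
import hashlib, secrets

# secp256k1 (y^2 = x^3 + 7 over F_p); P generates a group of prime order n
p = 2**256 - 2**32 - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):                      # affine point addition; None is the point at infinity
    if A is None: return B
    if B is None: return A
    if A[0] == B[0] and (A[1] + B[1]) % p == 0: return None
    lam = (3*A[0]*A[0] * pow(2*A[1], -1, p) if A == B
           else (B[1]-A[1]) * pow(B[0]-A[0], -1, p)) % p
    x = (lam*lam - A[0] - B[0]) % p
    return (x, (lam*(A[0]-x) - A[1]) % p)

def mul(k, A):                      # double-and-add scalar multiplication
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def h(*parts):                      # hash of identities / points into Z_n
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big") % n

Prk = secrets.randbelow(n-1) + 1    # base station master private key (Prk in the text)
Ppub = mul(Prk, P)                  # its public counterpart, known to every party

def extract(ID):
    """Assumed Schnorr-style extraction: (ID, R) is the identity pair, s the private key."""
    r = secrets.randbelow(n-1) + 1
    R = mul(r, P)
    return R, (r + h(ID, R) * Prk) % n   # only the holder of Prk can produce a valid triplet

def public_key(ID, R):
    """S = s*P recovered from the public (ID, R) pair and Ppub alone: no certificate needed."""
    return add(R, mul(h(ID, R), Ppub))

def user_initiate(s_u, ID_i, R_i):
    """User U: ephemeral t, L = t*s_u*P, Schnorr signature (K, z) on L, and the session secret."""
    t, k = secrets.randbelow(n-1) + 1, secrets.randbelow(n-1) + 1
    L, K = mul(t * s_u % n, P), mul(k, P)
    z = (k + h(K, L) * s_u) % n      # signing requires the user's long-term private key s_u
    return (L, K, z), mul(t * s_u % n, public_key(ID_i, R_i))   # = t*s_u*s_i*P

def node_respond(s_i, ID_u, R_u, msg):
    """Sensor node I: verify the signature with S_u derived from (ID_u, R_u), then compute s_i*L."""
    L, K, z = msg
    if mul(z, P) != add(K, mul(h(K, L), public_key(ID_u, R_u))):
        return None                  # signature does not bind to the claimed identity: no key
    return mul(s_i, L)               # = s_i*t*s_u*P, the same secret the user holds
```

The node's session key equals the user's only when the message was signed with the private key bound to the claimed (ID_u, R_u), which is the authentication property discussed above.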
Key confidentiality. After the successful key establishment between a sensor node and a user, the public parameters and the ephemeral public key L (= t s_u P) are the only information available to the adversary. However, the adversary cannot compute the user U's private key s_u and/or ephemeral private key t from L since we assume there is no polynomial time algorithm to solve the ECDL problem. Furthermore, he cannot compute the shared secret t s_u s_i P because it requires the knowledge of the private keys of both the sensor node and the user. Hence, the key is computable only by the user U and the sensor node I.
Key compromise. The random value for the ephemeral private key t is separately generated for each session. Therefore, the established session key is computationally different for different sessions. A session key established between a compromised sensor node and a user would not enable an adversary to compute or learn any other session key established between any other legitimate sensor node and a user. Furthermore, it would