Post on 13-May-2023
Key-escrow Resistant ID-based AuthenticationScheme for IEEE 802.11s Mesh Networks
Aymen Boudguiga, Maryline LaurentInstitut TELECOM, TELECOM SudParis, CNRS Samovar UMR 5157
9 rue Charles Fourier, 91011 Evry, FranceEmail: {Aymen.Boudguiga, Maryline.Laurent}@it-sudparis.eu
AbstractβNowadays, ID-based cryptography is re-ported as an alternative to Public Key Infrastructures(PKI). It proposes to derive the public key from thenodeβs identity directly. As such, there is no need forpublic key certificates, and direct benefit of this is toremove the burdensome management of certificates.However, the drawback is the need for a Private KeyGenerator (PKG) entity which can perform a keyescrow attack. In this article, we present an ID-basedauthentication scheme that is adapted to the IEEE802.11s mesh networks and resistant against key escrowattacks.
I. IntroductionID-based cryptography was initially introduced by A.
Shamir [1] to provide entities with public/private key pairswith no need for certificates, Certification Authority (CA)and PKI. Shamir assumes that each entity uses a pairof its identifiers as its public key. These identifiers haveto be unique. In addition, he assigned the private keygeneration function to a special entity which is calledPrivate Key Generator (PKG). That is, before accessingthe network, every entity has to contact the PKG to getback a smart card containing its private key. This privatekey is computed so it is bound to the public key of theentity.During the last decade, the ID-based cryptography hasbeen enhanced by the use of the Elliptic Curve Cryptogra-phy (ECC) [2]. As a consequence, new ID-based signatureschemes emerged and they differ from Shamirβs method inthat the PKG does not rely on smart cards to store theprivate key and the ciphering information.Note that ID-based cryptography requires lightweight im-plementations on clients. Compared to PKI certificatemanagement, there is no need for storing certificates,and the key revocation operation is much simpler. Keyrevocation in ID-based cryptography is bound to a validityperiod which is defined by the PKG. Interested readersmight refer to the article [3] for a good comparison betweenPKI and ID-based cryptography.The main problem of ID-based cryptography lies on thePKG which fully generates the private key of every entity,and as such, is given the knowledge to perform a keyescrow attack. With the usual strong assumption thatthe PKG is a trustworthy entity like in IEEE 802.11smesh network standards [4], this attack has never been
considered seriously. Nonetheless, the PKG can easilyimpersonate as the legitimate station (STA) or decryptthe latterβs ciphered traffic.In this article, we present a new ID-based authenticationmechanism for IEEE 802.11s mesh networks. The mainidea is to authenticate every station by an AuthenticationServer (AS) which delegates the station key generation tothe PKG. We propose to make the PKG generate a partialprivate key for every station. Then, the concerned stationuses this partial private key as a base to compute its ownprivate key. In the following, we show how this partialprivate key generation avoids the key escrow threat of thePKG.The article is organised as follows. After presenting theID-based cryptography, we introduce the IEEE 802.11smesh architecture. Then we present our authenticationscheme followed by its security analysis and its possibleenhancements. Finally conclusions are given.
II. ID-based Key Generation and SignaturesWhen a node requires a private key, it provides the
PKG with the identity πΌπ· that it intends to use forits private key computation. The PKG then derives thenodeβs private key using some parameters which must bedefined in respect to the Bilinear Diffie-Hellman problem[5]. In order to generate these parameters, the PKG runsa Probabilistic Polynomial Time (PPT) algorithm whichtakes as input a security parameter π and outputs thegroups πΊ1 and πΊ2 and the pairing function π from πΊ1 ΓπΊ1in πΊ2. πΊ1 is an additive group of prime order π and πΊ2 is amultiplicative group of the same order π. Generally, πΊ1 is asubgroup of the group of points of an Elliptic Curve (EC)over a finite field and πΊ2 is a subgroup of a multiplicativegroup of a related finite field.The pairing function π has to be bilinear, non degenerateand efficiently computable. The non degeneracy propertymeans that there exists a point π β πΊ1 such thatπ(π, π ) ΜΈ= 1πΊ2 . The point π is used to compute anotherpoint πππ’π. Practically this kind of bilinear mapping isderived from the Weil or Tate pairing [6].In addition to the groups definition, some hash functionsneed to be defined in accordance to the ID-based signatureor encryption schemes that are going to be used. Forexample a hash function π» that verifies π» : {0, 1}* β πΊ1is defined in order to transform the nodeβs identity into an
EC point. The list containing the groups πΊ1 and πΊ2, thebilinear mapping π, the points π and πππ’π and the hashfunctions forms the public elements. These public elementsare distributed by the PKG to the network users becausethey are required during the public key derivation and thesignature operation.The key derivation operation starts when the PKG re-ceives the πΌπ· of the node that is requesting a private key.First, the PKG computes the userβs public key as ππ’ππΌπ· =π»(πΌπ·). Then, the PKG generates the corresponding pri-vate key using a local secret value π β Z*
π . Note that theprivate key is computed as: ππππ£πΌπ· = π Β·ππ’ππΌπ·. The secretvalue π is also used for πππ’π derivation from π : πππ’π = π Β·π .It is clear from the aforementioned key derivation schemethat the PKG is going to know every private key that itgenerates. This supposes that the PKG is a trustworthyentity which is not going to impersonate as the private keyowner by generating signature or deciphering encryptedtraffic aimed to the legitimate station. Generally, stationsmust ensure that the PKG is not going to make a keyescrow attack.
A. Paterson Signature SchemeK.G. Paterson proposed in 2002 an ID-based signature
scheme using ECC [7]. He defines three hash functionsπ»1, π»2 and π»3 such that: π»1 : {0, 1}* β πΊ1, π»2 :{0, 1}* β Z*
π and π»3 : πΊ1 β Z*π . So, Paterson public
elements are {πΊ1, πΊ2, π, π, π, πππ’π, π»1, π»2, π»3}. The PKGcomputes the userβs public key as ππ’ππΌπ· = π»1(πΌπ·). Then,the PKG generates the corresponding private key using alocal secret value π β Z*
π .In order to compute the signature of a message π , auser generates a secret random π β Z*
π and computes itssignature as the pair (π , π) β πΊ1 Γ πΊ1 where: π = π Β· π ,π = πβ1(π»2(π) Β· π + π»3(π ) Β· ππππ£πΌπ·).The signature verifier has only to compare π(π , π) toπ(π, π )π»2(π)Β· π(πππ’π, ππ’ππΌπ·)π»3(π ). The two values mustbe equal in order to consider the signature as valid.
B. Hess Signature SchemeF. Hess presented its ID-based signature scheme in
2003 [8]. His signature scheme keeps the previous publicparameters definition but it replaces π»2 and π»3 by a newhash function that we denote as π»4 : {0, 1}* Γ πΊ2 β Z*
π .In order to sign a message π , the user chooses an arbitrarypoint π1 β πΊ*
1 and a random number π β Z*π . In addition,
it executes the following steps:1) π = π(π1, π )π
2) π£ = π»4(π, π)3) π = π£ Β· ππππ£πΌπ· + π Β· π1
The signature is formed by the pair (π, π£) β πΊ1 Γ Z*π .
The signature verifier then has to compute:1) π = π(π, π ) Β· π(ππ’ππΌπ·, βπππ’π)π£
2) The signature is accepted if and only if π£ = π»4(π, π)Integration of this ID-based signature scheme into an EAPauthentication method was submitted by Wenju et al. in2009 [9].
III. IEEE 802.11s Mesh Network Architecture
The IEEE 802.11s mesh network architecture is basedon the IEEE 802.11 architecture which is formed byStations (STAs), Access Points (APs) and a DistributionSystem (DS) [10]. In 802.11, every AP offers connectivityto a number of STAs and forms a Basic Service Set (BSS).The DS serves to interconnect different BSSs through awired network.The IEEE 802.11s standard introduces modifications tothe 802.11 architecture. First, the wired DS is replacedby a backbone composed of a set of wireless Mesh Points(MPs) (called also Mesh Routers or Mesh STA - MSTA).These wireless MPs provide multi-hop paths and peerto peer communications between the Mesh APs (MAPs).A MAP has the same capability as a traditional APcombined with a mesh router function. Mesh points whichoffer connectivity to external networks (either 802 LANsor layer 3 networks) are called Mesh Portals (MPP) orGateways. All these components (MPs, MAPs and MPPs)form the Mesh BSS (MBSS).The 802.11s architecture defines new functions for somemesh STAs in order to provide security services suchas station authentication and key derivation. The firstfunction is the Mesh Authenticator (MA) which acts asa pass-through server for the supplicant mesh STA byforwarding its authentication frames to the network Au-thentication Server (AS). The functions of βsupplicantβ,βauthenticatorβ and βauthentication serverβ are inheritedfrom the EAP standard [11]. In addition, the standarddefines the Mesh Key Distributor (MKD) as the entitythat derives the keys needed for the 4-Way Handshakethat occurs between the MA and the supplicant meshSTA. The MKDs serve to distribute the key derivationfunction that was used to be performed by the AS (inIEEE 802.11 networks). Each MA must be connected toan MKD because the latter is going to provide the formerwith the key needed to secure the communication with thesupplicant.When a mesh STA joins the network, it chooses a MAwhich will act as a pass-through server for its EAP messagesent to the AS. The supplicant STA authenticates itselfwith the AS using a 802.1X authentication [12]. It sendsEAP frames to the MA encapsulated using the EAPOLprotocol defined in [12]. The first EAP frame is theEAPOL-start frame and the upcoming frames representresponses to the AS requests. The MA uses the Mesh EAPMessage Transport Protocol to transport the EAP framesto the MKD which transfers them to the AS [4]. The MeshEAP Message Transport Protocol was defined to providemulti-hop EAP frame transport because EAP is a one-hopprotocol. In fact, EAP frames are traditionally exchangedbetween the supplicant (e.g. a STA) and the authenticator(e.g. an AP). Then, they are encapsulated over RADIUSor Diameter in order to be transferred to the AS. TheMesh EAP Message Transport Protocol uses the mesh EAPencapsulation frame which is a multi-hop action frame.The AS uses the reverse path to send EAP Requests to
the supplicant. When the mesh STA authentication endssuccessfully, the AS delegates the key derivation to theMKD. The MKD and the supplicant mesh STA create thekey hierarchy corresponding to the supplicant.The standard assumes that there is a security associationbetween the different authentication entities: AS-MKD,MKD-MA. In addition, another security association iscreated between the MA and the supplicant mesh STAafter a successful authentication of the latter by theAS. Figure 1 illustrates the different entities that areused during the 802.11s station authentication and keyderivation operations. Moreover, these entities do serve ourauthentication scheme presented in section IV-A.
Fig. 1. IEEE 802.11s security components.
IV. ID-based Authentication SchemeNowadays, most of the authentication schemes that
are being proposed for wireless networks uses the 802.1Xstandard [12]. The authentication method proposed bythis standard are either based on the verification of a secretshared between two STAs or a signature mechanism thatuses certificates to authenticate the public/private key pairused for signing. Management of public/private key re-quires deploying CAs to control the generation, revocationand duration of certificates. This is disadvantageous inwireless environments, such as ad-hoc and mesh networks,where stations may have some power and memory con-straints and CA reachability is not guaranteed.To mitigate these disadvantages while keeping usage ofpublic/private key, we propose a new ID-based authentica-tion scheme which permits STA to authenticate itself to anAS when it initially joins the network. The authenticationis based on the assumption that the AS and the supplicantSTA are initialized with a shared secret (i.e. a password).That is, the AS and the STA are using the ID-basedcryptography concepts in order to exchange this passwordand to derive the keys needed to secure the exchangedmessages.When STA (or MSTA) joins the network for the firsttime, it starts an authentication with the AS. During thisauthentication, the STA and the AS verify alternatively
their passwords. If the authentication is successful, theAS orders the MKD to generate the STA private key asdescribed in section IV-A. For subsequent authentications,the STA uses a signature mechanism to authenticate itselfto any peers.While adapting the ID-based cryptography concepts to the802.11s mesh architecture, we faced the problem of the keyescrow attack that could be performed by the MKD. Infact, the MKD is able to deduce either the AS private keyor any STA private key because we use it as a PKG, andby definition the PKG generates every STA private key.As such, the MKD is able to impersonate as the AS or theSTA. To counteract these possible impersonation attacks,we proposed a mechanism that uses a token. That is, theMKD only generates a partial private key for the STAwhile the STA generates the other part of its private keyusing a secret that is bound to the information includedin the token. In addition, we enhanced the public elementswith a new EC point that is only used for the AS signatureverification. The AS secretly computes this point ππ΄π andits corresponding private key. In fact, the AS does not relyon the MKD for its private key computation. Furthermore,the AS is in charge of defining the public elements anddistributing them over the different MKDs.First, the AS runs a Probabilistic Polynomial Time (PPT)algorithm as cited in section II. This algorithm generatesthe groups πΊ1 and πΊ2 and the bilinear mapping π. TheAS then extends these elements with the hash functionsand the two public EC points π and πππ’π in order to getthe public elements which are necessary for the ID-basedcryptography usage.The point ππ΄π is computed such that ππ΄π = π π΄π Β·π whereπ π΄π β Z*
π is a secret only known by AS and it verifiesπ π΄π ΜΈ= π . As such, every STA is able to verify an ASsignature which is computed using its ππππ£π΄π . To do so,the STA has only to replace ππ π’π by ππ΄π in Paterson orHess signature schemes. The interest of introducing ππ΄π
is to avoid that the MKD impersonates as the AS. Ofcourse, the AS entrusts the MKDs for the STAs partialprivate key derivation. That is why, the AS provides MKDswith the public elements and the secret π used for πππ’π
computation. However, it does not provide the secret π π΄π ,nor it does not use the same secret π to compute the ASprivate key such that ππππ£π΄π = π Β· ππ’ππ΄π . Otherwise,every MKD would be able to impersonate as the AS and torecover the STAs passwords during their authentications.The MKD generates a partial private key using the STApublic key and the secret π received from the AS. Whenreceiving this partial private key, the STA has to combineit with a secret random π to generate its full private keyππππ£ππ π΄. This random value was previously sent withprivacy to AS. In fact, the STA sends (π Β· π ) to the AS.The STA then requires from the AS to generate a tokenthat contains (π Β· π ), the lifetime of the private key beingcomputed and its identity.
A. Station Initial AuthenticationThe initial authentication occurs when STA joins the
network for the first time or after being disconnected fora while. To perform an ID-based authentication, the STAmust first get the public elements that are published bythe AS. Then STA authenticates itself to the AS using apreshared secret. This secret may be a password, and isnoted as pwd in our authentication scheme.Note that the public elements are defined accord-ing to the selected ID-based signature scheme. If Pa-terson signature scheme is in use, the public ele-ments are: {πΊ1, πΊ2, π, π»1, π»2, π»3, π, πππ’π, ππ΄π}. If Hesssignature scheme is used, the public elements are:{πΊ1, πΊ2, π, π»1, π»4, π, πππ’π, ππ΄π}. These parameters areused for signature or keys computations.When STA initially joins the network, it receives theBeacon frames from its one-hop neighbors. The Beaconframe contains the Mesh Security Capability informationelement [4]. This information element indicates whetherthe sender of the Beacon is an MA. In addition, it indicatesthe MKD domain to which this MA is connected. Basedon the configuration information carried in the receivedBeacon, the newly arrived STA selects the MA which isgoing to relay its authentication frames. The Beacon framegives the STA information about its future MA clock sothat the STA synchronizes its clock according to the MAβsone. Clock synchronization is important in order to getaccurate timestamps. After choosing its MA, the STAstarts the authentication scheme presented in Figure 2.
β Message 1: this message is sent to the AS. This
Fig. 2. ID-based authentication scheme.
message is referenced as the Start-authentication message.This first message like all the subsequent authenticationmessages transits through the MA.The supplicant STA includes a nonce π1, a timestampπ‘1 and its identity (πΌπ·ππ π΄) in this message. The π1 ischosen randomly to prove the freshness of the messageespecially when it is combined with the timestamp π‘1.These two values are used to prevent from replay attacks.The identity πΌπ·ππ π΄ represents the identity which is goingto be used for the STA public key derivation.
In order to avoid a DoS attack on the AS, we suppose thatthe MA is only accepting a certain number of requestsπ0 coming from the same STA during a certain period oftime. In addition, the AS does not accept more than π1authentication requests coming from the same MA.When the AS receives this message 1, it checks the times-tamp π‘1 value in order to verify the message freshness.Then it looks for the STA ππ€π in its password databaseusing the received identity πΌπ·ππ π΄. The AS uses this ππ€πfor generating message 2.β Message 2: it is generated by the AS as a response tomessage 1. It contains a sequence number π2 such thatπ2 = π1 + 1, a timestamp π‘2, the current public elementsand an AS signature. The AS signature is computed overthe string formed by the concatenation of π2, π‘2, the publicelements and the STA pwd. The pwd is included in thesignature only.When the supplicant STA receives message 2, it verifiesits freshness by checking the value of π‘2. In addition, itverifies the value of π2 because it is used to bind message2 to message 1. Then it uses the public elements to derivethe ASβs public key ππ’ππ΄π . The public key derivationconsists in hashing the identity of the AS using π»1. TheSTA concatenates its ππ€π to π2, π‘2 and the public elementsbefore checking the validity of the AS signature. If thesignature verification is successful, the STA authenticatesthe AS and the public elements. Else, the STA stops theauthentication processing.β Message 3: the supplicant STA chooses two randomnumbers π1 and π2. The random value π1 will be sent tothe AS. It will be used during the key encoding by theMKD. However, the random value π2 is kept secret bythe STA because it will be used for the STA private keycomputation in conjunction with the partial key receivedfrom the MKD.The supplicant STA then computes (π2 Β· π ) and gener-ates message 3. Message 3 contains the sequence numberπ3 = π1 + 2, the timestamp π‘3, the random π1, the point(π2 Β·π ), the ππ€π and a validity period which represents theSTA proposed lifetime (πΏ) for its upcoming private key. Allthese fields are ciphered using the AS public key ππ’ππ΄π .When receiving this message, the AS authenticates theSTA using the ππ€π.β Message 4: after successfully authenticating STA, theAS sends π1 and a challenge πΆ to the MKD for partialprivate key generation. These elements are sent encryptedusing ππ’πππΎπ·. This MKD can be identified thanks tothe identity of the MA which is attached to it. Each MAconnects only to one MKD.When receiving message 4 from the AS, the MKD verifiesthat the timestamp π‘4 is valid and it stores the sequencenumber π4 = π1 + 3 for the upcoming message (message5). Note that the same sequence number is going to beused in message 5 to easily identify request and responsemessages between the supplicant STA and the AS. Inaddition, the MKD generates the STA partial private keyas ππππ‘_ππππ£ππ π΄ = π Β· ππ’πππ π΄.β Message 5: after generating the STA partial private
key, the MKD encodes it as πΈπππ πππ£ = ππππ‘_ππππ£ππ π΄ +(π1 Β· π Β· π ). Recovering ππππ‘_ππππ£ππ π΄ from the encodedprivate key is equivalent to solving the Elliptic CurveDiscrete Logarithm Problem (ECDLP) [2]. The encodedpartial key is then signed by the MKD before being sentin message 5 to the STA. Message 5 contains also atimestamp π‘5 and the same sequence number as in message4 (π5 = π4 = π1 +3). In addition, it contains the challengeπΆ. This challenge will be used to prove that the STArecovery of its private key is successful.When receiving message 5, the STA which knows π1and πππ’π recovers its partial private key, as follows:ππππ‘_ππππ£ππ π΄ = ππππ‘_ππππ£ππ π΄ + (π1 Β· π Β· π ) β (π1 Β·πππ’π). Consequently, the supplicant STA becomes ableto compute its full private key as ππππ£ππ π΄ = πβ1
2 Β·ππππ‘_ππππ£ππ π΄ = πβ1
2 Β· π Β· ππ’πππ π΄.β Message 6: at this point, the STA requests a token fromthe AS. The STA includes the signature of the challenge πΆwith its ππππ£ππ π΄ using one of the signature schemes thatare presented in the section IV-B. This message containsalso the sequence number π6 = π1 + 4 and a timestampπ‘6. Upon receiving message 6, the AS checks the values ofthe sequence number and the timestamp. In addition, itverifies the STA signature of the challenge. If the signatureis valid, the AS deduces that the supplicant STA hassuccessfully derived its private key. As a consequence, theAS generates the STA token. The elements that will bepart of the token include the STA identity, the point(π2 Β·π ), the lifetime of the STA private key (L) and the AStimestamp π‘7. (token=πππππ πππ£π΄π
{πΌπ·ππ π΄βπ2 Β· πβπ‘7βπΏ}).β Message 7: it is sent by the AS to complete theauthentication and to deliver the token to the STA. It iscalled the Authentication-success message. It contains thesequence number π7 = π1 + 5, the timestamp π‘7 and thesigned token.After getting its token, the STA starts communicatingwith its peers. It can use one of the modified signatureschemes with its token to authenticate itself with any peer.The modified signature schemes are Paterson and Hesssignature schemes that have been adapted to the presenceof the token as presented in the section IV-B.
B. Signature ModificationAfter its authentication to the AS, STA uses a signature
mechanism along with a token to authenticate itself toits peer STAs. That is, we modified some of the existingsignature schemes so they are tightly related to the tokenand especially to the value of (π2 Β· π ) and the secret π2.As such, the signature sent by STA makes it possible forthe peer STAs to verify that the STA owns the private keybound to the value (π2 Β· π ) given within the token.When STA π΄ wants to authenticate STA π΅, π΄ sends achallenge to π΅ encrypted with ππ’ππ΅ which is deducedfrom the identity of π΅. Then, π΅ must respond with amessage containing its signature of the challenge and acopy of its token. The signature validity depends on thevalue of (π2 Β·π ) included in the token. In fact, the signature
modification concerns the use of the secret value π2 bythe signer and the use of (π2 Β· π ) by the verifier. So ifthe signature is valid, the verifier deduces that the signerknows the true value of the secret π2 and it was successfullyauthenticated by the AS.In the following we present the modifications that weintroduced to the different signature schemes in order toinclude the use of the STA secret element π2:β In Paterson signature scheme, a user computes thesignature of a message π as the pair (π , π) β πΊ1 Γ πΊ1where: π = π2 Β· π, π = πβ1
2 Β· π»2(π) Β· π + π»3(π ) Β· ππππ£πΌπ·.But only the π is sent to the verifier because the lat-ter gets the π value from the token. The verificationis not changed and consists in comparing π(π , π) toπ(π, π )π»2(π)Β· π(πππ’π, ππ’ππΌπ·)π»3(π ). The two values mustbe equal in order to consider the signature as valid.β When Hess signature scheme is chosen, the user picks anarbitrary point π1 β πΊ*
1 and a random π β Z*π . In addition,
it executes the following steps:1) π = π(π1, π )π
2) π£ = π»4(π, π)3) π = π£ Β· ππππ£πΌπ· + πβ1
2 Β· π Β· π1
The signature is formed by the pair (π, π£) β πΊ1 Γ Z*π .
The signature verifier then has to compute:1) π = π(π, π2 Β· π ) Β· π(ππ’ππΌπ·, βπππ’π)π£
2) The signature is accepted if and only if π£ = π»4(π, π)Any ID-based signature can be changed to take intoconsideration the presence of the token. In fact, thesemodification can be applied to any signature scheme thatrelies on a pairing function π. We only have to add thesecret π2 to the signature generation process. In addition,we have to modify the signature verification algorithm inorder to use (π2 Β·π ). The point is that π2 and πβ1
2 disappearwhen multiplication is used in πΊ2.
C. Security DiscussionIn this section, we present how the aforementioned
authentication protocol removes some attacks and how itcan be enhanced to remove other threats:β Denial of service attack (DoS): To avoid that an attackermakes a DoS attack against the AS by sending a bigamount of Start-authentication messages, we decided tolimit the number of authentication requests to a thresholdπ0 at the level of the MA and to a threshold π1 at the levelof the AS. In fact, the MA accepts only π0 authenticationrequests coming from the same supplicant STA duringa certain period of time. In addition, the AS limits thenumber of authentication requests coming from the sameMA to π1. When the number of authentication requestsexceeds π0 or π1, the MA or the AS drops all the upcomingpackets received from the supplicant STA or the MArespectively.The use of π0 at the MA level removes DoS attacks butdoes not help against Distributed DoS attack (DDoS).In fact, an attacker may control many STAs and launcha DDoS attack against the AS by sending many Start-authentication messages corresponding to different (zom-
bie) STAs under control. The aim of the attack is to floodthe AS with a big amount of authentication requests. Thatis why, we proposed to use the second threshold π1 at thelevel of the AS.β Replay attack: The random number initially selectedcombined with the timestamp value serve to prevent fromreplay attacks. In fact, after receiving the Beacon fromits peer MA, the supplicant STA receives a timestampDelta value Ξ. This Ξ is used to verify the freshness ofthe received and sent message as presented in [13]. Forexample, when a supplicant STA sends its first Start-authentication message containing a nonce π1 and a times-tamp π‘1, the receiving AS compares the reception time(π‘πππππ) of the message to the timestamp π‘1 using Ξ asfollows: |π‘πππππ β π‘1|< Ξ. If this inequality does not hold,the AS rejects the received message. In addition, everySTA stores the last reception time and timestamp valuesreceived from its peers for future timestamp verification.Even with the use of Ξ, a window of vulnerability forreplay attacks exists until the timestamp expires. That iswhy we introduced the nonce π1 in the first message. Infact, as π1 is randomly selected, it adds more freshness tothe message. In addition, we impose the rule that π1 mustbe renewed for every authentication request sent duringa Ξ period which starts when the first authenticationrequest is sent. We assume that this random number isat least 128 bit length which implies that the probabilityof getting the same random number for two consecutiveauthentications is equal to 1/2128. For the upcoming mes-sage, π1 will be used to initiate a sequence number whichincreases the prevention against replay attacks.β Private key recovery by an attacker : Concerning theprivate key recovery, an attacker needs first to recover thepartial private key of the STA. He may get the encodedprivate key of a supplicant but he has to find the secret π1in order to recover the partial private key of the supplicant.The problem of finding π1 is equivalent to the discretelogarithm problem over an elliptic curve group (ECDLP)[2]. In addition, the full private recovery requires from anattacker to guess π2 from (π2 Β· π ) value which comes alsoto solve the ECDLP.β Key escrow attack: In order to avoid the key escrow prob-lem, every STA participates to the private key generationwith a secret value π2. This secret is included in the publictoken but after being multiplied by the point π . So neitherthe AS nor the MKD are able to compute the private keycorresponding to (π2 Β·π ). Note that the AS can technicallygenerate a fake token with a fake (πβ²
2 Β· π ) in order toimpersonate as STA, however, this is in contradiction withthe assumption that the AS must be trustworthy.
D. Protocol enhancementThe proposed authentication mechanism can be en-
hanced to include the usage of a secret value π π correspond-ing to each ππΎπ·π. This implies that every MKD domainwill be differentiated by its own public elements. Thedistribution of the secrets π π to the ππΎπ·π is controlled
by the AS. This modification may be interesting in thecase where the AS wants to localize every STA using itskey pair or to identify STA movements during handoverprocess.In addition, the public key of STA may become dy-namic by modifying the public key generation as follows:ππ’ππΌπ· = π»(πΌπ·βπ2 Β· π ). In fact, the public key becomesbound to its corresponding private key because it willcontain (π2 Β· π ).
V. ConclusionIn this paper, we present an ID-based authentication
scheme for a mesh network station STA to authenticateand initialize its key pair while removing the key escrowattack. To closely match the IEEE 802.11s mesh networkneeds, we adapted our authentication scheme to the IEEE802.11s mesh architecture by assigning a specific role tothe Mesh Key Distributor (MKD). Our future works arefocusing on validating the proposed protocol and testingits performance in terms of time and computation power.Also evaluation of its scalability and ease of deploymentis part of our perspectives.
References[1] A. Shamir, βIdentity-based cryptosystems and signature
schemes,β in Proceedings of CRYPTO 84 on Advances in cryp-tology. New York, NY, USA: Springer-Verlag New York, Inc.,1985, pp. 47β53.
[2] D. Hankerson, A. J. Menezes, and S. Vanstone, Guide to EllipticCurve Cryptography. Secaucus, NJ, USA: Springer-Verlag NewYork, Inc., 2003.
[3] K. G. Paterson and G. Price, βA comparison between traditionalpublic key infrastructures and identity-based cryptography,βRoyal Holloway University of London, Tech. Rep., 2003.
[4] IEEE P802.11s/D2.06: Part 11: Wireless LAN MAC and Physi-cal layer specifications. Amendment 10: Mesh networking, IEEEWorking Draft Proposed Standard, Rev. 2.06, jan 2009.
[5] J. Baek, J. Newmarch, R. Safavi-naini, and W. Susilo, βA surveyof identity-based cryptography,β in Proc. of Australian UnixUsers Group Annual Conference, 2004, pp. 95β102.
[6] D. Boneh and M. K. Franklin, βIdentity-based encryption fromthe weil pairing,β in CRYPTO β01: Proceedings of the 21stAnnual International Cryptology Conference on Advances inCryptology. London, UK: Springer-Verlag, 2001, pp. 213β229.
[7] K. G. Paterson, βId-based signatures from pairings on ellipticcurves,β Electronics Letters, vol. 38, no. 18, pp. 1025 β 1026, 292002.
[8] F. Hess, βEfficient identity based signature schemes based onpairings,β in SAC β02: Revised Papers from the 9th AnnualInternational Workshop on Selected Areas in Cryptography.London, UK: Springer-Verlag, 2003, pp. 310β324.
[9] L. Wenju, S. Yuzhen, and W. Ze, βA wireless mesh networkauthentication method based on identity based signature,β inWireless Communications, Networking and Mobile Computing,2009. WiCom β09. 5th International Conference on, 24-26 2009,pp. 1 β4.
[10] IEEE Std 802.11-2007: Part 11: Wireless LAN MAC and Phys-ical layer specifications, IEEE Standard, Rev. Revision of IEEEStd 802.11-1999, jun 2007.
[11] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, andH. Levkowetz, βExtensible Authentication Protocol (EAP),βRFC 3748 (Proposed Standard), Internet Engineering TaskForce, Jun. 2004, updated by RFC 5247. [Online]. Available:http://www.ietf.org/rfc/rfc3748.txt
[12] IEEE Std 802.1X-2004: Port Based Network Access Control,IEEE Standard, dec 2004.
[13] J. Arkko, J. Kempf, B. Zill, and P. Nikander, βSEcure NeighborDiscovery (SEND),β RFC 3971 (Proposed Standard), Mar.2005. [Online]. Available: http://www.ietf.org/rfc/rfc3971.txt