1. Introduction
Wireless mesh networks (WMNs) [1] are a new and crucial technology for wireless network infrastructure, with many features including multi-hop communication, self-organization, low installation cost, large-scale deployment and fault tolerance. Mesh nodes consist of mesh clients (MCs) and mesh points (MPs). The MCs are often laptops, cell phones and other wireless devices. The MPs form a wireless mesh backbone that provides network access from one mesh node to another or to the Internet. A subset of the mesh points work as mesh access points (MAPs) to connect mesh clients to the WMN. Because of their distributed architecture, multi-hop wireless backbone and dynamic network topology, WMNs provide an efficient and flexible networking method, but also bring great security challenges.
IEEE 802.11s [2] defines WMN security by reusing the IEEE 802.11i [3] standard together with IEEE 802.11x [4] and the 4-way handshake protocols. Current WMN security research is based on either a shared-key scheme or a public-key system. The shared-key scheme relies heavily on key management, and the conventional public key infrastructure (PKI) requires large storage for, and management of, public-key certificates. IEEE 802.11s presents a new security structure, the Mesh Security Association (MSA) [5]; however, its key framework is quite complicated. Numerous security schemes for WMNs using identity-based (ID-based) cryptography have been proposed over the years. The concept of ID-based cryptography (IBC) [6] was first introduced by Shamir in 1984. The basic idea of an ID-based cryptosystem is that the entity’s public key is derived directly from its publicly known identity information, such as an email address, an IP address, a telephone number or any other string of characters. The private key is issued by a trusted authority called the Private Key Generator (PKG). IBC completely eliminates the need for the public-key distribution realized by conventional public-key certificates.
WMNs usually consist of several cooperating sub-networks called mesh trust domains. Establishing trust relationships between multiple domains is necessary and important in roaming scenarios. Most existing ID-based authentication protocols assume that there is only a single PKG; they consider the situation in which all users belong to the same network. However, next-generation wireless networks are expected to form hybrid heterogeneous networks with several types of wireless access technology. In a ubiquitous wireless network there exist multiple independent and autonomous trust domains, and it is unreasonable to assume that they all use a single PKG: in real networks, different trust domains may be maintained by different PKGs. Therefore, another kind of security handover scheme is needed for WMNs, namely an ID-based multi-domain security scheme with different PKGs.
An MP may lose all of its current links when it moves away, so it must be handed over to another MP in order to regain access to the network. Mutual authentication and key agreement are important for supporting the MPs’ secure and fast roaming across different trust domains. We propose an ID-based multi-domain WMN security structure and, on top of it, a novel multi-domain handover protocol. The scheme is well suited to real WMN circumstances because the system parameters of the PKGs can be totally different. Multi-hop wireless communication between the Authentication Server (AS) and the MPs would result in high latency, low stability and potential service interruption; in our protocol, the AS is not involved in the handover authentication process, so the protocol is well suited to self-organized WMNs. By using the multi-domain ID-based signcryption technique we propose, two MPs that belong to different trust domains achieve both mutual authentication and authenticated key establishment in a single one-round message exchange during the authentication phase. Furthermore, the data transmitted by both sides can be carried in the authentication messages.
2. Related Work
IEEE 802.11i defines a complete mutual authentication mechanism based on the EAP (Extensible Authentication Protocol) and IEEE 802.1x. However, we believe it is not suitable for WMNs because of its centralized operation and the multi-hop communication between the authentication server and the access points. The mutual re-authentication process still requires the AS to participate in the full IEEE 802.11i authentication procedure for any handover to occur. IEEE 802.11s inherits the security architecture of IEEE 802.11i, so it suffers from the same drawbacks.
The shared-key scheme carries a key-management burden, and the conventional public key infrastructure (PKI) has a large storage overhead and has to manage public-key certificates. Shamir first presented the concept of ID-based cryptography in 1984, and several ID-based signature schemes have been proposed since then. It was not until 2001 that a satisfactory ID-based encryption scheme was devised by Boneh and Franklin [7] using bilinear maps (the Weil or Tate pairing) over supersingular elliptic curves.
Confidentiality, integrity, non-repudiation and authentication are important security attributes for many cryptographic applications. The traditional approach to achieving them is “sign-then-encrypt”. A new approach to data protection called signcryption [8] was proposed by Zheng in 1997. Signcryption fulfills the functions of both digital signature and public-key encryption in a single logical step, at a cost significantly lower than that of “signature followed by encryption”. It plays an important part in application environments that demand both encryption and signature. A signcryption scheme is deemed secure if it provides confidentiality, unforgeability and non-repudiation. Malone-Lee [9] first presented ID-based signcryption using bilinear pairings. Li [10] presents ID-based multi-PKG signcryption schemes that achieve multi-domain signcryption, but these schemes assume that, although different domains own different master private keys, they still share the same pairing parameters.
Caimu Tang et al. [11] presented a mobile authentication scheme for wireless networks. In their protocol, an MC is registered with its home network and can be authenticated by a visited network through a delegation passcode. However, the communication between the HLR (home location register) and the VLR (visited location register) leads to high latency and low stability. Li et al. [12] proposed a ticket-based authentication protocol to support faster handover in wireless local area networks. The authentication server pre-distributes tickets to clients, one for each neighbor AP of the current AP, and the client delivers the corresponding ticket to the target AP for mutual authentication when it moves there. The protocol applies no public-key cryptography, in order to minimize re-authentication latency. However, their schemes may not be suitable for all WMN circumstances, because the risk and cost caused by multi-hop communication should be considered. Celia Li et al. [13, 14] proposed a mesh handover scheme in which the AS is not required, but the major problem of its handover authentication is that all the neighbours of the current MAP share the same keys for handover authentication. For this reason, the client cannot verify the AP’s identity, because any AP that owns the authentication keys can impersonate the target AP. Li et al. [15] achieved roaming authentication without any home AS’s participation, but their scheme cannot be applied in multi-domain wireless networks.
Zhu et al. [16] presented a more secure scheme for multi-domain wireless mesh networks combining PKI and IBC techniques. An MC that belongs to trust domain B can be authenticated by the target network of trust domain A. However, the trusted authorities of both sides need to be involved in the authentication process, and the trust relationship between home domain and visited domain has to be negotiated through PKI. He et al. [17] accomplished authentication between mesh nodes belonging to different trust domains, but the home AS still needs to be involved and system time synchronization is required; the interaction between home domain and visited domain causes high latency and low efficiency. A non-repudiable authentication scheme for wireless mesh networks was proposed in [18]. Although inter-domain authentication in that scheme is realized by an ID-based signature, the authors assume that different domains share the same PKG system parameters. Gao et al. [19] applied ID-based proxy signatures to multi-domain authentication protocols for WMNs. There, authentication and key agreement depend on a trust relationship between the broker and the domain; besides that, delegating signing rights from the original signer to a proxy signer introduces additional security risks, and the proxy signature mechanism is sure to increase system complexity. As discussed above, the ID-based multi-domain authentication schemes, except Zhu’s, are all based upon the assumption that the different domains share the same pairing parameters. This assumption limits the scalability of these schemes: it is infeasible to satisfy it in real networks, especially heterogeneous ones.
We propose a novel ID-based multi-domain handover protocol for mesh points in WMNs in which there are no restrictions on the PKG system parameters. As a result, different domains may have totally different PKG system parameters, including public system parameters, master keys and system public keys.
3. ID-based multi-domain handover protocol for mesh points in WMNs
Preliminaries
(1) Bilinear pairings: Let G1 be an additive group and G2 a multiplicative group, both of prime order q. Let P be an arbitrary generator of G1. The pairing e : G1×G1→G2 is called an admissible bilinear map if it has the following properties:
1) Bilinear: for all P,Q∈G1 and a,b∈Z∗q, e(aP,bQ)=e(P,Q)^{ab}.
2) Non-degenerate: there exist P,Q∈G1 with e(P,Q)≠1_{G2}, where 1_{G2} is the identity element of G2.
3) Computable: for all P,Q∈G1, there exists an efficient algorithm to compute e(P,Q).
(2) Decisional Bilinear Diffie-Hellman Problem (DBDHP): Given (P,aP,bP,cP) for some a,b,c∈Z∗q and an element θ∈G2, decide whether θ=e(P,P)^{abc}.
3.1 ID-based multi-domain security structure of WMNs
The network model considered in this paper is shown in Fig. 1. There are multiple independent and autonomous trust domains in the WMN. Each domain has its own PKG, which generates and distributes the private keys for the nodes in that domain; the PKGs are assumed to be trusted. In order to make our scheme applicable in real WMN circumstances, we allow each PKG to use totally different system parameters, including different public parameters
Fig. 1. ID-based multi-domain security structure of WMNs
An MP may lose all currently available links during its movement. Thus, the MP must hand over to another MP in order to regain access to the network. Fig. 2 shows the ID-based multi-domain handover for MPs in WMNs; we take the networks U and V as an example.
Fig. 2. ID-based multi-domain handover for mesh points in WMNs
3.2 ID-based multi-domain signcryption protocol
The encrypted random numbers used as challenges enhance the security of the handover protocol. However, a plain signature scheme cannot encrypt the random numbers, so both signature and encryption must be provided by the scheme. Signcryption fulfills both signature and public-key encryption in a single logical step at a cost significantly lower than that of “signature followed by encryption”. Therefore, we propose a novel ID-based multi-domain signcryption scheme that can be used to achieve secure handovers for MPs in WMNs. There are no restrictions on the PKG system parameters, so they can be totally different in the different trust domains. We describe the signcryption scheme before presenting the handover protocol. The scenario studied in this section is pictured in Fig. 2.
Setup:
The system parameters for network domain U are generated as follows. Let be an additive group and be a multiplicative group of the prime order qU. PU is an arbitrary generator of . The pairing eU : ×→ is a bilinear map. Let , and be three cryptographic hash functions where :{0,1}∗→, : →{0,1}∗, :{0,1}∗×→. The PKGU chooses a master private key sU∈ at random and computes the corresponding system public key PubU=sUPU. The PKGU publishes PubU and keeps the master private key sU secret. The public system parameters of PKGU are <,,qU,PU,PubU,eU,,,>.
The same process is carried out for network domain V. Let be an additive group and be a multiplicative group of the prime order qV. PV is an arbitrary generator of . The pairing eV : ×→ is a bilinear map. Let , and be three cryptographic hash functions where :{0,1}∗→, : →{0,1}∗, :{0,1}∗×→. The PKGV chooses a master private key sV∈ at random and computes the corresponding system public key PubV=sVPV. The PKGV publishes PubV and keeps the master private key sV secret. The public system parameters of PKGV are <,,qV,PV,PubV,eV,,,>.
Extract:
Suppose Alice registers with PKGU and obtains her private key, where QAlice=(IDAlice), IDAlice∈{0,1}∗.
Suppose Bob registers with PKGV and obtains his private key, where QBob=(IDBob), IDBob∈{0,1}∗.
Signcrypt:
To send a message m to Bob, Alice operates as follows.
The SigncryptAlice,Bob(m) is {c,TA1,TA2,σ}.
Unsigncrypt:
When receiving SigncryptAlice,Bob(m), Bob operates as follows.
The correctness can be easily verified by the following equations.
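As an added derivation (the page's own verification equations are not reproduced here, so the check below is the one implied by the definitions and is an assumption to that extent), Bob's signature check follows from σ=a1PubU+hSAlice, TA1=a1PU, PubU=sUPU and SAlice=sUQAlice. Bob accepts if

$$e_U(\sigma, P_U) = e_U(T_{A1}, Pub_U)\, e_U(Q_{Alice}, Pub_U)^{h},$$

which holds for a genuine signcryption because

$$e_U(\sigma, P_U) = e_U(a_1 s_U P_U, P_U)\, e_U(h\, s_U Q_{Alice}, P_U) = e_U(a_1 P_U, s_U P_U)\, e_U(Q_{Alice}, s_U P_U)^{h} = e_U(T_{A1}, Pub_U)\, e_U(Q_{Alice}, Pub_U)^{h}.$$

The decryption key Bob derives equals the one Alice used, because

$$w^{*} = e_V(T_{A2}, S_{Bob}) = e_V(a_2 P_V, s_V Q_{Bob}) = e_V(a_2 s_V P_V, Q_{Bob}) = e_V(a_2 Pub_V, Q_{Bob}) = w,$$

so hashing $w^{*}$ with the second hash function of domain V reproduces the mask that was XORed onto m to form c.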
A brief security analysis follows; our signcryption scheme possesses confidentiality, unforgeability and non-repudiation. See Section 4.1 for details.
Confidentiality
It is computationally infeasible for an attacker, who may be anyone other than Alice and Bob, to obtain any partial information on the contents of a signcrypted text. No one except Bob can recover m from {c,TA1,TA2,σ}, because only Bob owns SBob and can therefore compute the decryption key w∗=eV(TA2,SBob).
Unforgeability
It is computationally infeasible for an attacker to impersonate Alice in creating a signcrypted text. An attacker can obtain PubU and h, but neither a1 nor SAlice. Since σ=a1PubU+hSAlice, no one can forge Alice’s signature.
Non-repudiation
It is computationally infeasible for anyone to deny being the originator of a signcrypted text. Once Bob has verified Alice’s signature, Alice cannot repudiate it because nobody else is able to forge her signature.
3.3 ID-based multi-domain handover protocol
We propose an ID-based multi-domain handover protocol for mesh points in WMNs based upon the signcryption scheme of Section 3.2. An MP loses all links with the other MPs of its home domain U when it roams into visited domain V, so it must hand over to an MP in domain V to acquire network service. A fast and secure handover authentication process is therefore needed to avoid a great deal of data loss. The detailed procedure of the protocol is described in Fig. 3.
Fig. 3. Procedures for the ID-based multi-domain handover protocol for the mesh points in WMNs
When MPi moves into the visited network V, it can obtain the identifiers, frequencies and link qualities of the surrounding mesh access points. According to some decision algorithm, MPi chooses exactly one mesh access point; let us take the access point MPj as an example. The detailed description of the cross-domain handover authentication protocol is as follows.
In the open system authentication phase, MPi sends an association request message to MPj, and MPj replies with an association response message indicating acceptance or rejection. MPi and MPj generate random numbers and respectively, which are used as challenges for authentication. Then MPi and MPj exchange the random numbers and their respective PKGs’ public system parameters <,,qU,PU,PubU,eU,,,> and <,,qV,PV,PubV,eV,,,>.
In the authentication phase, the procedure is described below.
1. MPi → MPj : {IDMPi,IDMPj,SigncryptMPi,MPj()}.
MPi signcrypts m1 and with its own private key SMPi and MPj’s public key . m1 is the plaintext to be transferred from MPi to MPj; its value is null if there is no message to be delivered.
(1) Choose a1∈, a2∈ randomly and compute TA1=a1PU, TA2=a2PV.
(2) Compute wMPi=eV(a2PubV,).
(3) Compute the ciphertext cMPi=⊕, where (MPi encrypts the by using MPj’s public key , thus only MPj is able to decrypt the ciphertext cMPi.)
(4) Compute
(5) Compute the signature σMPi. (The ciphertext cMPi is signed by MPi using its private key SMPi.)
Then MPi sends MPj the message {IDMPi,IDMPj,SigncryptMPi,MPj()}, where SigncryptMPi,MPj()={cMPi,TA1,TA2,σMPi}.
2. When receiving the message {IDMPi,IDMPj,SigncryptMPi,MPj()} from MPi, MPj follows these steps:
(1) Validate IDMPi and IDMPj to confirm the identity of each other.
(2) Compute . Accept the message cMPi if and only if the equation holds. (MPj checks MPi’s signature using MPi’s public key QMPi to make sure that the message is indeed from MPi.)
Step (2) uses MPi’s public key QMPi to confirm MPi’s signature on the message in order to authenticate the identity of MPi.
(3) Compute wMPi∗=eV(TA2,SMPj).
(4) Recover =(wMPi∗)⊕cMPi. (The plaintext is recovered from the ciphertext cMPi with MPj’s private key SMPj. Thus no one but MPj is able to obtain .)
Steps (3) and (4) use MPj’s private key SMPj to recover the message , =m1∥. MPj then obtains the data m1 and the random number .
(5) Confirm the challenge number . (MPj decides whether is the challenge number it sent to MPi. This step resists replay attacks.)
At this point the identity of MPi is confirmed by MPj. Meanwhile, the data m1 is successfully received by MPj.
3. MPj → MPi : {IDMPj,IDMPi,SigncryptMPj,MPi(mMPj)}.
MPj signcrypts m2 and with its own private key SMPj and MPi’s public key QMPi. m2 is a plaintext to be transferred from MPj to MPi, and its value is null if there is no message to be delivered.
(1) Choose b1∈, b2∈ randomly and compute TB1=b1PV, TB2=b2PU.
(2) Compute =eU(b2PubU,QMPi).
(3) Compute the ciphertext cMPj=()⊕mMPj, where mMPj=m2∥. (MPj encrypts mMPj by using MPi’s public key QMPi, thus only MPi is able to decrypt the ciphertext cMPj.)
(4) Compute hMPj=(cMPj,TB1)
(5) Compute the signature σMPj=b1PubV+hMPjSMPj. (The ciphertext cMPj is signed by MPj using its private key SMPj.)
Then MPj sends to MPi the message: {IDMPj,IDMPi,SigncryptMPj,MPi(mMPj)}, where SigncryptMPj,MPi(mMPj)={cMPj,TB1,TB2,σMPj}
In addition, MPj is now able to calculate the session key between MPi and MPj. MPj computes KMPj,MPi=eV(SMPj,TA2)eU(QMPi,b2PubU), K1MPj=b2TA1, K2MPj=b1TA2, and then derives the session key skMPj,MPi=H(KMPj,MPi,K1MPj,K2MPj,TA1,TA2,TB1,TB2,IDMPi,IDMPj), where H:{0,1}∗→{0,1}k and k is the length of the session key.
4. When receiving the message {IDMPj,IDMPi,SigncryptMPj,MPi(mMPj)} from MPj, MPi follows these steps:
(1) Validate IDMPj and IDMPi to confirm the identity of each other.
(2) Compute . Accept the ciphertext cMPj if and only if the equation holds. (MPi checks MPj’s signature using MPj’s public key to make sure that the message is indeed from MPj.)
Step (2) uses MPj’s public key to confirm MPj’s signature on the message in order to authenticate the identity of MPj.
(3) Compute =eU(TB2,SMPi).
(4) Recover mMPj=()⊕cMPj. (The plaintext mMPj is recovered from the ciphertext cMPj by MPi’s private key SMPi. Thus no one but MPi is able to obtain mMPj.)
Steps (3) and (4) use MPi’s private key SMPi to recover the message mMPj, mMPj=m2∥. MPi then obtains the data m2 and the random number .
(5) Confirm the challenge number . (MPi decides whether is the challenge number it sent to MPj. This step resists replay attacks.)
At this point the identity of MPj is confirmed by MPi. Meanwhile, the data m2 is successfully received by MPi.
MPi is likewise able to calculate the session key between MPi and MPj. MPi computes KMPi,MPj=eU(SMPi,TB2)eV(QMPj,a2PubV), K1MPi=a1TB2, K2MPi=a2TB1, and then derives the session key skMPi,MPj=H(KMPi,MPj,K1MPi,K2MPi,TA1,TA2,TB1,TB2,IDMPi,IDMPj), where H:{0,1}∗→{0,1}k and k is the length of the session key.
With this, mutual authentication between MPi and MPj is complete.
The correctness of the session key is easily verified: KMPi,MPj=KMPj,MPi, K1MPi=K1MPj and K2MPi=K2MPj follow from the equations below.

$$K_{MP_i,MP_j} = e_U(S_{MP_i}, T_{B2})\, e_V(Q_{MP_j}, a_2 Pub_V) = e_U(s_U Q_{MP_i}, b_2 P_U)\, e_V(Q_{MP_j}, a_2 s_V P_V) = e_U(Q_{MP_i}, P_U)^{s_U b_2}\, e_V(Q_{MP_j}, P_V)^{a_2 s_V}$$

$$K_{MP_j,MP_i} = e_V(S_{MP_j}, T_{A2})\, e_U(Q_{MP_i}, b_2 Pub_U) = e_V(s_V Q_{MP_j}, a_2 P_V)\, e_U(Q_{MP_i}, b_2 s_U P_U) = e_V(Q_{MP_j}, P_V)^{s_V a_2}\, e_U(Q_{MP_i}, P_U)^{b_2 s_U}$$

$$K1_{MP_i} = K1_{MP_j} = a_1 b_2 P_U, \qquad K2_{MP_i} = K2_{MP_j} = a_2 b_1 P_V$$

Since skMPi,MPj=skMPj,MPi, MPi and MPj share the same session key.
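To make the signcryption scheme of Section 3.2 and the handover of Section 3.3 concrete, the following Python model is an added example (not code from the paper) that runs Setup, Extract, Signcrypt, Unsigncrypt and the session-key derivation for two domains U and V with unrelated parameters. It assumes a toy symmetric pairing (G1 = Z_q with e(X,Y)=XY mod q, which is bilinear but offers no security), the verification equation e_U(σ,P_U)=e_U(TA1,PubU)·e_U(QA,PubU)^h implied by the definition of σ (the paper elides the equation), SHA-512/SHAKE-256 as the hash functions, and concatenation of the two pairing values of K inside H, since they lie in different target groups.

```python
"""Toy executable model of the ID-based multi-domain signcryption handover (constructed
example, not the paper's code). Each domain uses a toy pairing: G1 = (Z_q, +) with
generator P = 1, G2 kept in exponent form, e(X, Y) = X*Y mod q, so a product in G2 is
addition mod q and u^h in G2 is u*h mod q. The map is bilinear and symmetric but has
NO security (private keys are visible scalars); it only lets the scheme's algebra run
with two domains whose parameters are completely unrelated, as the paper requires."""
import hashlib
import secrets

NONCE_LEN = 16  # length of the challenge numbers exchanged in the open phase


class Domain:
    """A trust domain: PKG Setup, the three hash functions and Extract."""
    def __init__(self, name, q):
        self.name, self.q, self.P = name, q, 1        # P generates G1 = Z_q
        self.s = secrets.randbelow(q - 1) + 1         # master private key s
        self.Pub = self.mul(self.s, self.P)           # system public key Pub = s*P
    def mul(self, k, X):                              # scalar multiplication in G1
        return (k * X) % self.q
    def e(self, X, Y):                                # toy pairing G1 x G1 -> G2
        return (X * Y) % self.q
    def rand_scalar(self):
        return secrets.randbelow(self.q - 1) + 1
    def _to_zq(self, *parts):
        return int.from_bytes(hashlib.sha512(b"|".join(parts)).digest(), "big") % (self.q - 1) + 1
    def H1(self, ident):                              # H1: {0,1}* -> G1
        return self._to_zq(b"H1", self.name, ident)
    def H2(self, w, n):                               # H2: G2 -> {0,1}^n (pad mask)
        return hashlib.shake_256(b"|".join([b"H2", self.name, str(w).encode()])).digest(n)
    def H3(self, c, T):                               # H3: {0,1}* x G1 -> Z_q
        return self._to_zq(b"H3", self.name, c, str(T).encode())
    def extract(self, ident):                         # Extract: S_ID = s * H1(ID)
        return self.mul(self.s, self.H1(ident))


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def signcrypt(dU, S_A, dV, id_B, m):
    """Signcrypt m from sender A (domain dU, private key S_A) to id_B of domain dV.
    Returns {c, TA1, TA2, sigma} and A's ephemeral scalars (a1, a2) for the session key."""
    a1, a2 = dU.rand_scalar(), dV.rand_scalar()
    TA1, TA2 = dU.mul(a1, dU.P), dV.mul(a2, dV.P)
    w = dV.e(dV.mul(a2, dV.Pub), dV.H1(id_B))          # w = e_V(a2*Pub_V, Q_B)
    c = xor(dV.H2(w, len(m)), m)                        # c = H2(w) xor m
    h = dU.H3(c, TA1)
    sigma = (dU.mul(a1, dU.Pub) + dU.mul(h, S_A)) % dU.q  # sigma = a1*Pub_U + h*S_A
    return (c, TA1, TA2, sigma), (a1, a2)


def unsigncrypt(dU, id_A, dV, S_B, ct):
    """Check A's signature, then recover m with B's private key; None on a bad signature."""
    c, TA1, TA2, sigma = ct
    h, Q_A = dU.H3(c, TA1), dU.H1(id_A)
    # Check implied by sigma = a1*Pub_U + h*S_A (the paper elides the equation):
    #   e_U(sigma, P_U) == e_U(TA1, Pub_U) * e_U(Q_A, Pub_U)^h   (G2 in exponent form)
    if dU.e(sigma, dU.P) != (dU.e(TA1, dU.Pub) + h * dU.e(Q_A, dU.Pub)) % dU.q:
        return None
    return xor(dV.H2(dV.e(TA2, S_B), len(c)), c)       # w* = e_V(TA2, S_B) == w


def kdf(K, K1, K2, *rest):
    """H(K, K1, K2, TA1, TA2, TB1, TB2, ID_i, ID_j): K is the pair of pairing values,
    which live in different target groups, so they are concatenated, not multiplied."""
    parts = [x if isinstance(x, bytes) else str(x).encode() for x in (K, K1, K2, *rest)]
    return hashlib.sha256(b"|".join(parts)).digest()


def handover(U, V, id_i, id_j, m1, m2):
    """Authentication phase of Fig. 3: MPi (home domain U) hands over to MPj (domain V).
    Returns (sk_i, sk_j, m1 as received by MPj, m2 as received by MPi)."""
    S_i, S_j, Q_i, Q_j = U.extract(id_i), V.extract(id_j), U.H1(id_i), V.H1(id_j)
    n_i, n_j = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    # 1. MPi -> MPj: Signcrypt(m1 || n_j)
    ct1, (a1, a2) = signcrypt(U, S_i, V, id_j, m1 + n_j)
    # 2. MPj verifies MPi's signature, decrypts, and checks its own challenge n_j
    pt1 = unsigncrypt(U, id_i, V, S_j, ct1)
    if pt1 is None or pt1[-NONCE_LEN:] != n_j:
        raise ValueError("MPj: authentication of MPi failed")
    # 3. MPj -> MPi: Signcrypt(m2 || n_i); MPj can already derive the session key
    ct2, (b1, b2) = signcrypt(V, S_j, U, id_i, m2 + n_i)
    (_, TA1, TA2, _), (_, TB1, TB2, _) = ct1, ct2
    K_j = (U.e(Q_i, U.mul(b2, U.Pub)), V.e(S_j, TA2))   # e_U(Q_i, b2*Pub_U), e_V(S_j, TA2)
    sk_j = kdf(K_j, U.mul(b2, TA1), V.mul(b1, TA2), TA1, TA2, TB1, TB2, id_i, id_j)
    # 4. MPi verifies MPj's signature, decrypts, checks n_i, and derives the session key
    pt2 = unsigncrypt(V, id_j, U, S_i, ct2)
    if pt2 is None or pt2[-NONCE_LEN:] != n_i:
        raise ValueError("MPi: authentication of MPj failed")
    K_i = (U.e(S_i, TB2), V.e(Q_j, V.mul(a2, V.Pub)))   # e_U(S_i, TB2), e_V(Q_j, a2*Pub_V)
    sk_i = kdf(K_i, U.mul(a1, TB2), V.mul(a2, TB1), TA1, TA2, TB1, TB2, id_i, id_j)
    return sk_i, sk_j, pt1[:-NONCE_LEN], pt2[:-NONCE_LEN]


# Constructed parameters: the two PKGs use unrelated group orders (both Mersenne primes).
DOMAIN_U = Domain(b"U", 2**127 - 1)
DOMAIN_V = Domain(b"V", 2**89 - 1)
```

Running handover(DOMAIN_U, DOMAIN_V, b"MPi@U", b"MPj@V", m1, m2) returns equal session keys on both sides together with the carried data, and a ciphertext with a flipped byte or a claimed sender whose identity does not match the signature is rejected by unsigncrypt.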
4. Security analysis
4.1 Security analysis of the ID-based multi-domain signcryption protocol
First of all, the security definitions for the multi-domain ID-based signcryption scheme (MPIDSC) are taken from [10].
Definition 1 (Confidentiality). A multi-PKG ID-based signcryption scheme has indistinguishability against adaptive chosen ciphertext attacks (IND-MPIDSC-CCA2) if no polynomially bounded adversary has a non-negligible advantage in the game. (More details of the game are given in Definition 3 of [10].)
Definition 2 (Unforgeability). A multi-PKG ID-based signcryption scheme has existential unforgeability against adaptive chosen message attacks (EUF-MPIDSC-CMA) if no polynomially bounded adversary has a non-negligible advantage in the game. (More details of the game are given in Definition 4 of [10].)
Similarly, we can prove that our scheme is both IND-MPIDSC-CCA2 and EUF-MPIDSC-CMA secure.
Theorem 1 (Confidentiality). In the random oracle model, assume there is an IND-MPIDSC-CCA2 adversary A that is able to distinguish ciphertexts in the game of Definition 1 with advantage ε when running in time t and asking at most (i=1,2,3, j=U,V) queries to the random oracles, at most qS signcryption queries and qU unsigncryption queries. Then there exists a distinguisher X that can solve the DBDH problem in time t'=t+(qS+4qU)te with advantage , where te denotes the computation time of a bilinear map.
Proof. Assume that the distinguisher X receives a random instance (PV,aPV,bPV,cPV,h) of the DBDH problem and has to decide whether h=eV(PV,PV)^{abc}. X runs A as a subroutine and acts as A’s challenger in the IND-MPIDSC-CCA2 game. A consults X for answers to its queries to the random oracles (i=1,2,3, j=U,V) and to the signcryption and unsigncryption oracles. Correspondingly, X maintains 10 lists to store the answers, namely (i=1,2,3, j=U,V).
At the beginning of the game, X gives A the system parameters with PubV=cPV and PubU=dPU, where c and d simulate the master keys of PKGV and PKGU respectively; c and d are not known to X.
queries: X chooses a random number l∈{1,2,...,}. At the u-th query, if u=l, X answers (IDu)=bPV; if u≠l, X chooses a random number x∈, answers (IDu)=xPV and stores (IDu,x) in the list .
queries: X chooses a random number x∈, answers (IDu)=xPU and stores (IDu,x) in the list .
/ queries: When A asks such a query, X checks the list /. If the corresponding hash value exists, it is returned to A; otherwise X chooses a random value h2∈{0,1}∗, returns it and stores the query and answer in the list.
/ queries: When A asks such a query, X checks the list /. If the corresponding hash value exists, it is returned to A; otherwise X chooses a random value h3, returns it and stores the query and answer in the list.
ExtractV queries: If IDu=IDl, X fails. Otherwise, X finds the entry (IDu,x) in list , computes the private key corresponding to IDu, SIDu=cxPV, and returns it to A.
ExtractU queries: X finds the entry (IDu,x) in list , computes the private key corresponding to IDu, SIDu=dxPU, and returns it to A.
Signcrypt queries: Let ID1 and ID2 denote the sender and the receiver respectively, and let m be the plaintext. There are two cases to consider.
Case 1: ID1≠IDl. X can obtain the private key SID1 of ID1. X chooses random a1∈ and a2∈ and computes TA1=a1PU, TA2=a2PV. Then X calculates w=eV(a2PubV,QID2), c=m⊕(w), h=(c,TA1) and σ=a1PubU+hSID1, and returns {c,TA1,TA2,σ} to A.
Case 2: ID1=IDl. X cannot obtain SID1, but it can obtain SID2. X chooses random a1,h∈ and a2∈. Then X computes TA2=a2PV, calculates w=eV(TA2,SID2) and c=m⊕(w), and sets TA1=a1PU−hQID1 and σ=a1PubU. X returns {c,TA1,TA2,σ} to A and adds it to list .
Unsigncrypt queries: For an unsigncryption query on a ciphertext {c,TA1,TA2,σ}, there are two cases to consider.
Case 1: ID2≠IDl. X checks whether holds. If the equation holds, X uses the private key SID2 of ID2 to compute w=eV(TA2,SID2) and returns m=c⊕(w) to A.
Case 2: ID2=IDl. X always answers A that the ciphertext {c,TA1,TA2,σ} is invalid.
A may ask a polynomially bounded number of further queries adaptively, as in the first stage. Then A picks a challenge pair of identities {IDA,IDB} and outputs two messages {m0,m1}. X chooses v∈{0,1} and signcrypts mv: X randomly chooses σ∗∈ and ∈, sets =aPV and θ=w (θ is the candidate answer to the DBDH problem), computes c∗=(w)⊕mv and returns the result to A.
A then runs a second series of queries, as in the first stage. At the end of the simulation A outputs v'∈{0,1}; if v'=v, X outputs θ=eV(,SIDl)=eV(aPV,cQIDl)=eV(aPV,cbPV)=eV(PV,PV)^{abc} as the solution of the DBDH problem, otherwise X fails.
The probability that A picks IDl as the challenge identity is at least . The probability that A does not submit the query is at least . Every signcryption query requires one pairing operation and every unsigncryption query requires three pairing operations. Thus X can solve the DBDH problem in time t'=t+(qS+4qU)te with advantage
Theorem 2 (Unforgeability). The scheme is EUF-MPIDSC-CMA secure.
Proof. If an attacker is able to forge a signature for our scheme, it must be able to forge a signature for the following scheme, which is a variant of Hess’s signature [20]. It has been proved that Hess’s signature and its variants are unforgeable against adaptive chosen message attacks; therefore our scheme is EUF-MPIDSC-CMA secure.
Sign: To sign a message m, ID1 follows these steps:
The signature is {TA1,σ}.
Verify: On receiving the signature {TA1,σ}, the verifier ID2 accepts it if and only if the equation holds.
4.2 Security analysis of ID-based multi-domain handover protocol
The security of our proposed ID-based multi-domain signcryption is proved in Section 4.1. Based on the security properties of the signcryption, the security of our handover protocol is discussed below.
1. Mutual authentication
Signcryption fulfills both the functions of digital signature and public-key encryption in a single logical step. MPi signcrypts mMPi with its private key SMPi and MPj’s public key QMPj, and then sends MPj the message {IDMPi,IDMPj,SigncryptMPi,MPj()}. MPj confirms MPi’s signature on the message using MPi’s public key QMPi, so the identity of MPi is authenticated. In the same way, the identity of MPj is authenticated by MPi. Hence mutual authentication is accomplished in a one-round signcryption message exchange between MPi and MPj during the authentication phase.
2. Key freshness
The session key sk is calculated by the hash function H(K,K1,K2,TA1,TA2,TB1,TB2,IDMPi,IDMPj), where K=KMPi,MPj=KMPj,MPi, K1=K1MPi=K1MPj and K2=K2MPi=K2MPj. K1 and K2 are derived from the random temporary keys a1, a2, b1, b2, so the freshness of the temporary keys ensures the freshness of sk. Because the temporary keys are generated by MPi and MPj respectively, neither of them can control the choice of sk on its own. Owing to the mutual authentication between MPi and MPj, no attacker can impersonate MPi or MPj to generate a1, a2, b1, b2. Therefore sk is confidential and known only to MPi and MPj. Each session key is fresh, random and independent.
3. Forward Secrecy
The random temporary keys are unpredictable for any party except MPi and MPj. Even if an intruder obtains the long-term sec ret information of MPi and MPj, it cannot obtain the past temporary keys or the past session keys. Therefore, the scheme has perfect forward secrecy. Furthermore, even if the PKGs are compromised, the attacker only obtains the long-term private keys of MPi and MPj, not the past temporary keys or the past session keys. Hence the scheme also has PKG perfect forward secrecy.
4. Known Key Security
Each run of the authentication protocol chooses different random temporary keys to generate the session key, as below:
sk=H(K,K1,K2,TA1,TA2,TB1,TB2,IDMPi,IDMPj), where K=KMPi,MPj=KMPj,MPi, K1=K1MPi=K1MPj, K2=K2MPi=K2MPj, and

$$K_{MP_i,MP_j} = e_U(S_{MP_i}, T_{B2})\, e_V(Q_{MP_j}, a_2 Pub_V) = e_U(s_U Q_{MP_i}, b_2 P_U)\, e_V(Q_{MP_j}, a_2 s_V P_V) = e_U(Q_{MP_i}, P_U)^{s_U b_2}\, e_V(Q_{MP_j}, P_V)^{a_2 s_V}$$

$$K_{MP_j,MP_i} = e_V(S_{MP_j}, T_{A2})\, e_U(Q_{MP_i}, b_2 Pub_U) = e_V(s_V Q_{MP_j}, a_2 P_V)\, e_U(Q_{MP_i}, b_2 s_U P_U) = e_V(Q_{MP_j}, P_V)^{s_V a_2}\, e_U(Q_{MP_i}, P_U)^{b_2 s_U}$$

$$K1_{MP_i} = K1_{MP_j} = a_1 b_2 P_U, \qquad K2_{MP_i} = K2_{MP_j} = a_2 b_1 P_V.$$

If a past session key is exposed, the intruder learns only that key, which was derived from

$$K^{*} = K^{*}_{MP_i,MP_j} = K^{*}_{MP_j,MP_i} = e_U(Q_{MP_i}, P_U)^{s_U b_2^{*}}\, e_V(Q_{MP_j}, P_V)^{a_2^{*} s_V}, \qquad K1^{*}_{MP_i} = K1^{*}_{MP_j} = a_1^{*} b_2^{*} P_U, \qquad K2^{*}_{MP_i} = K2^{*}_{MP_j} = a_2^{*} b_1^{*} P_V,$$

where a1∗, a2∗, b1∗, b2∗ are the past random temporary keys. The current session key is generated from fresh random temporary keys a1, a2, b1, b2. Since the random numbers are uncorrelated, the intruder cannot obtain the current session key even if a past session key is exposed.
5. Resistance to Replay Attack
An intruder may record message flows and retransmit them later to trick the target MP into a false authentication. In the association phase, MPi and MPj exchange the random numbers and , and during the authentication procedure both MPi and MPj check the challenge numbers. Thus this replay attack is prevented, since and are fresh and unpredictable.
6. Resistance to Man-in-the-Middle Attack
This protocol is based on IBC and ID-based signcryption: in IBC the entity’s public key is derived directly from its publicly known identity information, and signcryption combines digital signature and public-key encryption in a single step. An attacker can intercept the signcryption messages between MPi and MPj, but it cannot obtain the real data in them, because the data is encrypted so that only the receiver’s private key can decrypt it, and it cannot modify the data without invalidating the signature. A malicious man-in-the-middle therefore cannot establish a security association on behalf of the legitimate MPi and MPj.
5. Performance analysis
1. Low management overhead
The shared-key scheme relies heavily on key management, and the conventional PKI has a large storage overhead and has to manage public-key certificates. Both impose a heavy management burden on WMNs. IBC simplifies the difficult task of issuing public keys and eliminates the dependency on a certification authority. Using an ID-based scheme, our handover protocol overcomes the drawbacks of both the symmetric-key system and the conventional PKI system.
2. Low communication cost
The mutual authentication and authenticated key establishment of two MPs belonging to different trust domains are achieved in a single one-round message exchange during the authentication phase, based on our proposed multi-domain ID-based signcryption scheme. Authenticating directly between two MPs avoids multi-hop wireless communication, which would result in high latency and heavy cost. Using the features of signcryption, our protocol exchanges the temporary keys during authentication in order to establish a session key.
3. No AS involvement
Most current handover schemes in WMNs need an AS to act as the trust authority. Multi-hop wireless communication is then required, because the AS is in general several hops away from the MPs, and, as is well known, multi-hop communication may result in high delay, low stability and potential service interruption. We use IBC, whose basic idea is that an entity’s public key is derived directly from its publicly known identity information. MPi and MPj exchange their respective PKGs’ public system parameters, so each can obtain the public key of the other side. Using our ID-based multi-domain signcryption scheme, handover authentication between MPi and MPj is completed directly by the two MPs; the authentication servers of both sides do not need to participate in the handover protocol. This suits self-organizing WMNs.
4. No restriction on PKG parameters
Almost all ID-based multi-domain handover schemes are based on the same assumption that all the different domains share the same pairing parameters. The applicability of these schemes is limited because, in real WMN environments, different domains may have totally different PKG system parameters, including public system parameters, system master keys and system public keys. Our proposed multi-domain ID-based signcryption scheme places no restriction on the PKG system parameters, so our handover scheme can be well applied to real WMN circumstances.
5. Transmission data carried
In conventional handover schemes, data transmission can only start after the authentication procedure. In our handover scheme, thanks to signcryption, the data transmitted between the two MPs can be carried by the authentication messages, preventing transmission interruption on both sides. Signcryption fulfills both the functions of a digital signature and a public-key encryption in a single logical step.
The receiver accepts the signcrypted ciphertext if and only if the following equation holds. Then the receiver recovers the data =(w∗)⊕cMPi. Note that no one except the right receiver can recover the data, since only MPj knows the private key SMPj needed to compute w∗=eV(TA2,SMPj).
Finally, we analyze the communication and computational cost of our protocol in Table 1. Operations of low computational complexity, such as random number generation and hash functions, are negligible compared with bilinear pairing and are therefore omitted. The operations counted are bilinear pairings (BP) and scalar multiplications (SM). Although the MPs perform several pairing operations, they have sufficient computational capability and power supply. Moreover, authentication directly between two MPs avoids multi-hop wireless communication between MP and AS. The communication latency between MPs is much lower than that between an MP and the AS, because the AS is in general several hops away from the MPs, and multi-hop communication may result in long delays, low stability and potential service interruption. Therefore we obtain low communication latency in return for additional bilinear pairing operations. Meanwhile, the signcryption in which the pairing operations are used makes it possible for the data transmitted between the two mesh points to be carried by the authentication messages. In this sense, the bilinear pairing operations should be considered acceptable.
Table 1. Numbers of messages and computational cost
6. Conclusion
In this paper, we have proposed a new ID-based multi-domain signcryption scheme and, based on it, a novel ID-based multi-domain handover protocol for mesh points in WMNs. Our handover scheme can be well applied to real WMN circumstances. The security and performance analysis shows that our protocol is secure and efficient. We plan to design a lightweight ID-based handover protocol for mesh clients, which are common devices with low computational power.