IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 9, NO. 3, MAY/JUNE 2012

Comments

On the Security of a Ticket-Based Anonymity System with Traceability Property in Wireless Mesh Networks

Huaqun Wang and Yuqing Zhang, Member, IEEE

Abstract—In 2011, Sun et al. [5] proposed a security architecture that ensures unconditional anonymity for honest users and traceability of misbehaving users by the network authorities in wireless mesh networks (WMNs). It strives to resolve the conflict between the anonymity and traceability objectives. In this paper, we attack the traceability of Sun et al.'s scheme. Our analysis shows that the trusted authority (TA) cannot trace a misbehaving client (CL) even if the client deposits the same ticket twice.

Index Terms—WMNs, cryptanalysis, anonymity, traceability.

H. Wang is with the School of Information Engineering, Dalian Ocean University, No. 52 Heishijiao Street, Shahekou District, Dalian, Liaoning, China, P.C. 116023. E-mail: wanghuaqun@yahoo.com.cn.
Y. Zhang is with the National Computer Network Intrusion Protection Center, GUCAS, Beijing, China, P.C. 100049. E-mail: zhangyg@gucas.ac.cn.
Manuscript received 18 Aug. 2010; accepted 4 Oct. 2011; published online 26 Oct. 2011. Recommended for acceptance by R. Sandhu. For information on obtaining reprints of this article, please send e-mail to: tdsc@computer.org, and reference IEEECS Log Number TDSC-2010-08-0145. Digital Object Identifier no. 10.1109/TDSC.2011.53.
1545-5971/12/$31.00 © 2012 IEEE. Published by the IEEE Computer Society.

1 INTRODUCTION

Anonymity and privacy issues have received considerable research effort in the literature [1], [2], [3], which has focused on investigating anonymity in different contexts or application scenarios. Nevertheless, unconditional anonymity may invite insider attacks, since misbehaving users are no longer traceable. Traceability is therefore highly desirable, as in e-cash systems, where it is used for detecting and tracing double-spenders.

Motivated by resolving the security conflict between anonymity and traceability in the emerging WMN communication systems, Sun et al. proposed the initial design of a security architecture achieving anonymity and traceability in WMNs in [4], [5]. Their system borrows the restrictive partially blind signature technique from payment systems [6], [7], [8] and hence achieves anonymity, by unlinking user identities from activities, as well as traceability of misbehaving users. Furthermore, the proposed pseudonym technique keeps user location information unexposed. Unfortunately, we found that their scheme is not as secure as claimed. In this paper, we demonstrate that Sun et al.'s scheme cannot trace a misbehaving client (CL) even if the client deposits the same ticket twice.

The rest of this paper is organized as follows: Section 2 introduces some preliminaries. Section 3 gives an overview of the ticket-based anonymity system with traceability property in WMNs. An attack on the ticket-based anonymity system is presented in Section 4. We conclude in Section 5.

2 PRELIMINARIES

2.1 IBC from Bilinear Pairings

ID-based cryptography (IBC) allows the public key of an entity to be derived from its public identity information, such as its name or e-mail address, which avoids the use of certificates for public key verification in a conventional PKI (public key infrastructure) [9]. Boneh and Franklin [10] introduced the first functional and efficient ID-based encryption scheme based on bilinear pairings on elliptic curves. Specifically, let $\mathbb{G}_1$ and $\mathbb{G}_2$ be an additive group and a multiplicative group, respectively, of the same prime order $p$. The Discrete Logarithm Problem (DLP) is assumed to be hard in both $\mathbb{G}_1$ and $\mathbb{G}_2$. Let $P$ denote a random generator of $\mathbb{G}_1$ and $e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$ denote a bilinear map constructed from the modified Weil or Tate pairing, with the following properties:

1. Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in \mathbb{G}_1$ and all $a, b \in \mathbb{Z}_p^*$, where $\mathbb{Z}_p^*$ denotes the multiplicative group of $\mathbb{Z}_p$, the integers modulo $p$. In particular, $\mathbb{Z}_p^* = \{x \mid 1 \le x \le p-1\}$ since $p$ is prime.
2. Nondegenerate: there exist $P, Q \in \mathbb{G}_1$ such that $e(P, Q) \ne 1$.
3. Computable: there exists an efficient algorithm to compute $e(P, Q)$ for all $P, Q \in \mathbb{G}_1$.

2.2 Security Definitions

We recall the security notions used in Sun et al.'s scheme:

- Anonymity (Untraceability): The anonymity of a legitimate client refers to the untraceability of the client's network access activities. The client is said to be anonymous if the TA, the gateway, and even a collusion of the two cannot link the client's network access activities to his real identity.
- Traceability: A legitimate client is said to be traceable if the TA is able to link the client's network access activities to the client's real identity if and only if the client misbehaves, i.e., one or both of the following occurs: ticket-reuse and multiple-deposit.
- Ticket-reuse: A type of misbehavior of a legitimate client that refers to the client's use of a depleted ticket ($val = 0$).
- Multiple-deposit: A type of misbehavior of a legitimate client that refers to the client's disclosure of his valid ticket and associated secrets to unauthorized entities or to clients with a misbehavior history, so that these colluding clients can gain network access from different gateways simultaneously.
- Collusion: The colluding of a malicious TA and a gateway to trace a legitimate client's network access activities in the TA's domain (i.e., to compromise the client's anonymity).
- Framing: A type of attack mounted by a malicious TA in order to revoke a legitimate client's network access privilege. In this attack, the TA generates a false account number and associates it with the client's identity. The TA can then create valid tickets based on the false account number and commit fraud (i.e., misbehave). By doing so, the TA is able to falsely accuse the client of misbehaving and thus revoke his access right.

2.3 Network Architecture

The wireless mesh backbone consists of mesh routers (MRs) and gateways (GWs) interconnected by ordinary wireless links. Mesh routers and gateways serve as the access points of the WMN and as its exits to the Internet, respectively. Each WMN domain or trust domain (used interchangeably) is managed by a domain administrator that serves as a trusted authority (TA), e.g., the central server of a campus WMN. The TA and its associated gateways are connected by high-speed wired or wireless links, displayed as solid and bold dashed lines, respectively. TAs and gateways are assumed to be capable of handling computationally intensive tasks. In addition, they are assumed to be protected in private places and not easily compromised, given their important roles in the WMN. The WMNs of interest here are those in which the TA provides free Internet access but requires the clients (CLs) to be authorized and affiliated members, generally for a long term, such as the employees or students of an enterprise, hospital, or campus WMN. Such individual WMN domains can be building blocks of an even larger metropolitan WMN domain.

3 REVIEWING SUN ET AL.'S TICKET-BASED SCHEME

We restrict our review of Sun et al.'s scheme to the home domain. The ticket-based security architecture consists of ticket issuance, ticket deposit, fraud detection, and ticket revocation protocols. Our attacks target ticket issuance, ticket deposit, and fraud detection, so we omit the ticket revocation protocol here. The notation used in Sun et al.'s scheme is as follows:

- $\rightarrow$: single-hop communication;
- $\Rightarrow$: multi-hop communication;
- $\|$: concatenation;
- $ID_x$: the real identity of an entity $x$;
- $PS_x$: the pseudonym self-generated by a client $x$ from its real identity $ID_x$;
- $H_1(ID_x)/\Gamma_x$: public/private key of the entity $x$;
- $PS_x/\Gamma'_x$: the self-generated pseudonym/private key pair derived from the above public/private key pair;
- $SIG_{\Gamma_x}(m)$: signature on a message $m$ using $\Gamma_x$;
- $VER(SIG)$: verification process;
- $SKE_k(D)$: symmetric encryption of plaintext $D$ under the shared secret key $k$;
- $HMAC_k(m)$: keyed-hash message authentication code on a message $m$ using $k$.

In the formulas below, $\square$ stands for a scalar in $\mathbb{Z}_p^*$ (the TA's master secret in $P_{pub} = \square P$, the client's account-number secret symbol, or one of the client's blinding factors) whose symbol is not legible in the available copy of this paper; different occurrences of $\square$ are not necessarily the same scalar, and the private key of an entity $x$ is $\Gamma_x = \square H_1(ID_x)$ for the master secret $\square$.

3.1 Ticket Issuance

The TA (i.e., trusted authority) publishes the parameters $(p, \mathbb{G}_1, \mathbb{G}_2, e, P, P_1, P_2, H_1, H_2, H_3, P_{pub})$ within its trust domain, using the standard IBC (identity-based cryptography) domain initialization, where $(P, P_1, P_2)$ are random generators of $\mathbb{G}_1$ and

$P_{pub} = \square P$,
$e : \mathbb{G}_1 \times \mathbb{G}_1 \to \mathbb{G}_2$,
$H_1 : \{0,1\}^* \to \mathbb{G}_1$,
$H_2 : \mathbb{G}_1^3 \times \mathbb{G}_2^5 \to \mathbb{Z}_p^*$,
$H_3 : \mathbb{G}_2 \times \mathbb{G}_2 \times ID_{GW} \times \mathrm{time} \to \mathbb{Z}_p^*$;

the order of $\mathbb{G}_1$ and $\mathbb{G}_2$ is $p$, and $\mathbb{G}_1$ is a Gap Diffie-Hellman group. The TA chooses $r \in_R \mathbb{Z}_p^*$ and $Q \in_R \mathbb{G}_1$, and the client chooses six blinding scalars $\square \in_R \mathbb{Z}_p^*$. The ticket issuance protocol runs as follows:

1. $CL \Rightarrow TA$: $ID_{CL},\ m,\ t_1,\ HMAC_k(m \| t_1)$;
2. $TA \Rightarrow CL$: $ID_{TA},\ X = e(m, \Gamma_{TA}),\ Y = e(P, Q),\ Z = e(m, Q),\ U = rH_1(ID_{TA}),\ V = rP,\ t_2,\ HMAC_k(X \| Y \| Z \| U \| V \| t_2)$;
3. $CL \Rightarrow TA$: $ID_{CL},\ t_3,\ HMAC_k(B \| t_3)$, where $B = \square^{-1} H_2(m' \| U' \| V' \| R \| W \| X' \| Y' \| Z') + \square$;
4. $TA \Rightarrow CL$: $ID_{TA},\ \sigma_1 = Q + B\Gamma_{TA},\ \sigma_2 = (r + B)\Gamma_{TA} + rH_1(c),\ t_4,\ HMAC_k(\sigma_1 \| \sigma_2 \| t_4)$.

At the end, the client checks whether $e(P, \sigma_1) = y^B Y$ and $e(m, \sigma_1) = X^B Z$, where $y = e(P_{pub}, H_1(ID_{TA}))$. If the verification succeeds, the client calculates $\sigma_1' = \sigma_1 + \square H_1(ID_{TA})$, $\sigma_2' = \sigma_2$, and the signature scalar $\square = \square B$, and outputs the signature $(U', V', X', \square, \sigma_1', \sigma_2')$ on $(TN, W, c)$, where $TN = m'$.

In Step 3 above, $m = u_1P_1 + u_2P_2 = \square + u_2P_2 \ne 0$, where $u_1 \in_R \mathbb{Z}_p^*$, $u_2 = 1$, and $\square = u_1P_1$ is the client's account number; furthermore

$m' = \square m$,
$U' = U + \square H_1(ID_{TA}) - \square H_1(c)$,
$V' = V + \square P_{pub}$,
$R = e(m', H_1(ID_{TA}))$,
$W = g_1^{v_1} g_2^{v_2}$, where $g_1 = e(P_1, H_1(ID_{TA}))$, $g_2 = e(P_2, H_1(ID_{TA}))$, and $v_1, v_2 \in_R \mathbb{Z}_p^*$,
$X' = X^{\square}$,
$Y' = Y^{\square} g^{\square}$, where $g = e(P, H_1(ID_{TA}))$,
$Z' = Z^{\square} R^{\square}$.

Given $m'$, $W$, the shared information $c$, and the tuple $(U', V', X', \square, \sigma_1', \sigma_2')$, the verifier computes

$Y' = e(P, \sigma_1')\, e(P_{pub}, H_1(ID_{TA}))^{-\square}$,
$Z' = e(m', \sigma_1')\, X'^{-\square}$,

where the exponent $-\square$ uses the scalar carried in the signature, and accepts the signature if

$e(\sigma_2', P) = e\big(U' + H_2(m' \| U' \| V' \| R \| W \| X' \| Y' \| Z')\, H_1(ID_{TA}),\ P_{pub}\big)\, e(H_1(c), V')$

holds. Here $c$ is defined as $(val, exp, misb)$, where $val$, $exp$, and $misb$ denote the ticket value, the expiry date/time, and the client's misbehavior level, respectively; $c$ is the commonly agreed information negotiated at the beginning of the ticket generation algorithm. The output is the valid ticket $ticket = \{TN, W, c, (U', V', X', \square, \sigma_1', \sigma_2')\}$, where $TN$ is the unique serial number of the ticket, which can be computed from the client's account number $\square$. $(U', V', X', \square, \sigma_1', \sigma_2')$ is the signature on $(TN, W, c)$, where $W$ is needed to verify the validity of the signature in the ticket deposit protocol.

3.2 Ticket Deposit

After obtaining a valid ticket, the client may deposit it whenever network service is desired before the ticket expires, using the ticket deposit protocol shown below. Sun et al.'s scheme restricts the ticket to being deposited only once, at the first gateway, according to $val$ and before $exp$.

1. $CL \Rightarrow GW$: $PS_{CL},\ m',\ W,\ c,\ \sigma = (U', V', X', \square, \sigma_1', \sigma_2'),\ t_5,\ SIG_{\Gamma'_{CL}}(m' \| W \| c \| \sigma \| t_5)$;
2. $GW \Rightarrow CL$: $ID_{GW},\ d = H_3(R \| W \| ID_{GW} \| T),\ t_6,\ HMAC_{k'}(d \| t_6)$;
3. $CL \Rightarrow GW$: $PS_{CL},\ r_1 = d(\square u_1) + v_1,\ r_2 = d\square + v_2,\ t_7,\ HMAC_{k'}(r_1 \| r_2 \| t_7)$;
4. $GW \Rightarrow CL$: $ID_{GW},\ misb,\ exp,\ t_8,\ SIG_{\Gamma_{GW}}(PS_{CL} \| ID_{GW} \| misb \| exp \| t_8)$.

At the end, the gateway checks whether the equality $g_1^{r_1} g_2^{r_2} = R^d W$ holds. At the end of Step 1, the gateway performs $VER(\sigma)$ before Steps 2 and 3 can proceed, and $R$ can be derived from the received information as $R = e(m', H_1(ID_{TA}))$. $T$ is the date/time at which the ticket is deposited. A symmetric key $k'$ is derived locally by the gateway and by the client as $k' = e(\Gamma_{GW}, PS_{CL})$ and $k' = e(H_1(ID_{GW}), \Gamma'_{CL})$, respectively, after they learn each other's ID (or pseudonym). The deposited ticket record is $record = (ticket, r_1, r_2, T, rem, log)$, where $rem$ and $log$ denote the remaining value of the ticket and the logged data of the client's noncompliant behavior, respectively. The value of $rem$ is initially set to $val$.

3.3 Fraud Detection

When the TA detects duplicate deposits in the ticket records reported by the gateways, the TA holds at least two different challenges from gateways and two corresponding sets of responses from the same client. By solving the equation sets below for these challenges and responses, the TA obtains the identity information encoded in the message and hence the real identity of the misbehaving client. The fraud detection protocol is:

$GW \rightarrow TA$: $ID_{GW},\ m',\ W,\ c,\ \sigma = (U', V', X', \square, \sigma_1', \sigma_2'),\ r_1,\ r_2,\ T,\ t_9,\ HMAC_{k''}(m' \| W \| c \| \sigma \| r_1 \| r_2 \| T \| t_9)$,

where $k''$ is the preshared symmetric key between the gateway and the TA. The TA performs $VER(\sigma)$. If the signature verifies, the TA checks whether $m'$ (or $TN$) has already been stored. If $m'$ is not stored, the TA stores $m', c, T, r_1, r_2$ for future fraud detection. If $m'$ has been stored, the TA computes the challenge $d = H_3(R \| W \| ID_{GW} \| T)$ and accuses the gateway if $d$ equals the stored one. If $d$ is different, the TA concludes that misbehavior has occurred and reveals the identity information from the two sets of equations

$r_1 = d(\square u_1) + v_1,\quad r_2 = d\square + v_2,$
$r_1' = d'(\square u_1) + v_1,\quad r_2' = d'\square + v_2.$

The TA solves for

$$u_1 = \frac{r_1 - r_1'}{r_2 - r_2'}$$

and obtains the account number $\square = u_1P_1$, which reveals the associated identity $ID_{CL}$.

4 CRYPTANALYSIS OF THE TICKET-BASED SCHEME

In this section, we propose an attack on Sun et al.'s ticket-based anonymity scheme. We show that any CL can, while running the ticket issuance protocol with the TA, obtain a valid TA signature on a ticket that does not satisfy the message constraint (the restrictive relation between $m'$ and $m$). As a consequence, the scheme's fraud detection no longer holds. The details are as follows.

4.1 Forge Attack on the Ticket Issuance Protocol

Let $c$ be the negotiated information. To obtain a ticket that does not satisfy the restrictive relation $m' = \square m$, the CL performs the following protocol with the TA:

1. $CL \Rightarrow TA$: $\{ID_{CL},\ m,\ t_1,\ HMAC_k(m \| t_1)\}$;
2. $TA \Rightarrow CL$: the TA computes $X = e(m, \Gamma_{TA})$, $Y = e(P, Q)$, $Z = e(m, Q)$, $U = rH_1(ID_{TA})$, $V = rP$, and sends $\{ID_{TA},\ X,\ Y,\ Z,\ U,\ V,\ t_2,\ HMAC_k(X \| Y \| Z \| U \| V \| t_2)\}$ to the CL;
3. $CL \Rightarrow TA$: the CL picks arbitrary $\sigma_1', X', m' \in \mathbb{G}_1$ and arbitrary scalars $\square, \square, \square, \square \in \mathbb{Z}_p^*$, and computes
   $Y' = e(P, \sigma_1')\, e(P_{pub}, H_1(ID_{TA}))^{-\square}$,
   $Z' = e(m', \sigma_1')\, X'^{-\square}$,
   $U' = U + \square H_1(ID_{TA}) - \square H_1(c)$,
   $V' = V + \square P_{pub}$,
   $R = e(m', H_1(ID_{TA}))$,
   $W = g_1^{v_1} g_2^{v_2}$,
   $B = \square^{-1} H_2(m' \| U' \| V' \| R \| W \| X' \| Y' \| Z') + \square$,
   where $g_1 = e(P_1, H_1(ID_{TA}))$, $g_2 = e(P_2, H_1(ID_{TA}))$, and $v_1, v_2 \in_R \mathbb{Z}_p^*$. The CL sends $\{ID_{CL},\ B,\ t_3,\ HMAC_k(B \| t_3)\}$ to the TA;
4. $TA \Rightarrow CL$: the TA computes $\sigma_1 = Q + B\Gamma_{TA}$ and $\sigma_2 = (r + B)\Gamma_{TA} + rH_1(c)$, and sends $\{ID_{TA},\ \sigma_1,\ \sigma_2,\ t_4,\ HMAC_k(\sigma_1 \| \sigma_2 \| t_4)\}$ to the CL.

The CL sets $\sigma_2' = \sigma_2$ and outputs the signature $(U', V', X', \square, \sigma_1', \sigma_2')$ on $(TN, W, c)$, where $TN = m'$. Note that $\sigma_1$ is simply discarded: $\sigma_1'$ was chosen freely in Step 3.

The forged signature passes verification as follows. According to the verification procedure, the verifier computes

$Y' = e(P, \sigma_1')\, e(P_{pub}, H_1(ID_{TA}))^{-\square},\qquad Z' = e(m', \sigma_1')\, X'^{-\square}.$

By the forge procedure, these are exactly the $Y'$ and $Z'$ that the CL used, so the hash value $H_2(m' \| U' \| V' \| R \| W \| X' \| Y' \| Z')$ recomputed by the verifier equals the one the CL fed into $B$. Hence, using $\Gamma_{TA} = \square H_1(ID_{TA})$ and $P_{pub} = \square P$ for the TA's master secret,

$e(\sigma_2', P) = e(\sigma_2, P) = e\big((r + B)\Gamma_{TA} + rH_1(c),\ P\big) = e\big((r + B)H_1(ID_{TA}),\ P_{pub}\big)\, e(H_1(c), rP),$

which, by the definitions of $B$, $U' = U + \square H_1(ID_{TA}) - \square H_1(c)$, and $V' = V + \square P_{pub}$, equals

$e\big(U' + H_2(m' \| U' \| V' \| R \| W \| X' \| Y' \| Z')\, H_1(ID_{TA}),\ P_{pub}\big)\, e(H_1(c), V').$

Thus the verifier accepts the forged signature $(U', V', X', \square, \sigma_1', \sigma_2')$ on $(TN, W, c)$, where $TN = m'$. Since $m' \in_R \mathbb{G}_1$ was chosen freely, it does not satisfy the restrictive relation $m' = \square m$, and the TA has no way to notice this during issuance.

4.2 Attack on the Traceability

The CL computes its unique account number $\square = u_1P_1$, where $u_1 \in_R \mathbb{Z}_p^*$, transmits $\square$ to the TA, and keeps $u_1$ secret. When the CL wants to obtain a ticket, it first proves ownership of its account $\square = u_1P_1$ and negotiates the common information $c$. Using the forge method of Section 4.1, the CL and the TA run the ticket issuance protocol and the CL obtains a signed ticket on $M' = uP_1 + P_2$ instead of on $M' = u_1P_1 + P_2$, where $u \in_R \mathbb{Z}_p^*$ and $u \ne u_1$. When the CL runs the deposit protocol twice with the same ticket $\{M', W, c\}$, the TA receives from the gateway reports:

$ticket = \{M', W, c, (U', V', X', \square, \sigma_1', \sigma_2')\}$,
$record = (ticket, r_1, r_2, T, rem, log)$,
$record' = (ticket, r_1', r_2', T', rem, log)$,
$d = H_3(R \| W \| ID_{GW} \| T)$,
$d' = H_3(R \| W \| ID_{GW} \| T')$,

where $R = e(M', H_1(ID_{TA}))$, and

$r_1 = du + v_1,\quad r_2 = d + v_2,\qquad r_1' = d'u + v_1,\quad r_2' = d' + v_2.$

The TA can solve for

$$u = \frac{r_1 - r_1'}{r_2 - r_2'},$$

but $u$ bears no relationship to $u_1$: the point $uP_1$ matches no registered account number, so $u$ cannot serve as evidence tracing the dishonest double-deposit to the CL. Traceability is therefore not achieved, and fraud detection fails, even though every deposit check at the gateway ($g_1^{r_1} g_2^{r_2} = R^d W$) and every signature verification succeeded.

5 CONCLUSION

We analyzed the ticket-based anonymity scheme in Sun et al.'s security architecture. Our attack showed that a client can obtain TA-signed tickets that do not satisfy restrictiveness. Building on this forge attack, we analyzed the fraud detection protocol and showed that Sun et al.'s ticket-based anonymity scheme does not achieve traceability.

ACKNOWLEDGMENTS

The authors sincerely thank the editor for allocating qualified and valuable referees, and the anonymous referees for their very valuable comments. This research is supported in part by the Natural Science Foundation of Liaoning Province (No. 20102042), by the China Post-doctor Science Fund (No. 20110490061), by the Program for Liaoning Excellent Talents in University (No. LJQ2011078), and by the Spanish government through project CONSOLIDER INGENIO 2010 CSD2007-0004 "ARES."
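The following Python model is added here; it is not code from Wang and Zhang's paper nor from Sun et al.'s architecture. It runs the gateway's deposit check of Section 3.2, the TA's fraud detection of Section 3.3, and the double-deposit scenario of Section 4.2 end to end, for an honest client and for the attacker. To stay self-contained it replaces the pairing values $g_1 = e(P_1, H_1(ID_{TA}))$ and $g_2 = e(P_2, H_1(ID_{TA}))$ by two generators of a prime-order subgroup of $\mathbb{Z}_P^*$ (so the account number $u_1P_1$ becomes $g_1^{u_1}$ and $R = e(m', H_1(ID_{TA}))$ becomes $g_1^{u} g_2$, with $TN$ and $R$ collapsed into one value), uses SHA-256 in place of $H_3$, omits the client's blinding scalar in $r_1, r_2$ (the paper's $(r_1 - r_1')/(r_2 - r_2')$ then has denominator $d - d'$), and does not model the restrictive partially blind signature or $VER(\sigma)$ at all: a client may put any $u$ into its ticket, which is exactly what the forge of Section 4.1 grants. The modulus search, the group size, the sample timestamps and every function and field name are the example's own choices.

```python
import hashlib
import secrets

Q = 2**61 - 1  # prime order of the group standing in for G2 (the paper's p); M61 is a Mersenne prime


def is_probable_prime(n):
    """Miller-Rabin with the first 12 prime bases, deterministic for n < 3.1e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup():
    """Modulus P = k*Q + 1 and two generators g1, g2 of the order-Q subgroup of Z_P^*;
    they stand in for g1 = e(P1, H1(ID_TA)) and g2 = e(P2, H1(ID_TA)) (assumption)."""
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    P = k * Q + 1
    g1, g2 = pow(2, k, P), pow(3, k, P)  # h^k has order exactly Q unless it is 1
    assert 1 not in (g1, g2) and g1 != g2
    return P, g1, g2


def challenge(R, W, gw_id, T):
    """d = H3(R || W || ID_GW || T) reduced into Z_Q; SHA-256 stands in for H3 (assumption)."""
    digest = hashlib.sha256(f"{R}|{W}|{gw_id}|{T}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def issue_ticket(P, g1, g2, u):
    """Ticket on the representation (u, 1): TN = R = g1^u g2 (for m' = uP1 + P2) and W = g1^v1 g2^v2.
    The TA's blind signature is not modelled: honest clients use u = u1, the Section 4.1 forge allows any u."""
    v1, v2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    R = pow(g1, u, P) * g2 % P
    W = pow(g1, v1, P) * pow(g2, v2, P) % P
    ticket = {"TN": R, "W": W, "c": ("val=1", "exp=2012-12-31", "misb=0")}  # constructed sample c
    return ticket, {"u": u, "v1": v1, "v2": v2}


def deposit(P, g1, g2, gw_id, ticket, sec, T):
    """Steps 2-3 of Section 3.2: challenge d, responses r1 = d*u + v1, r2 = d + v2, check g1^r1 g2^r2 = R^d W."""
    R, W = ticket["TN"], ticket["W"]
    d = challenge(R, W, gw_id, T)
    r1, r2 = (d * sec["u"] + sec["v1"]) % Q, (d + sec["v2"]) % Q
    lhs = pow(g1, r1, P) * pow(g2, r2, P) % P
    rhs = pow(R, d, P) * W % P
    if lhs != rhs:
        raise ValueError("deposit rejected: representation proof failed")
    return r1, r2


def fraud_detection(P, g1, accounts, records, gw_id, ticket, r1, r2, T):
    """TA side of one gateway report (Section 3.3): ('stored', None), ('accuse gateway', ID_GW)
    or ('double deposit', ID_CL) where ID_CL is None if the recovered exponent matches no account."""
    R, W = ticket["TN"], ticket["W"]
    d = challenge(R, W, gw_id, T)
    if R not in records:
        records[R] = (d, r1, r2)
        return ("stored", None)
    d0, r10, r20 = records[R]
    if d == d0:
        return ("accuse gateway", gw_id)
    # r1 - r1' = (d - d')u and r2 - r2' = d - d', hence u = (r1 - r1')/(r2 - r2') mod Q
    u = (r1 - r10) * pow((r2 - r20) % Q, -1, Q) % Q
    return ("double deposit", accounts.get(pow(g1, u, P)))


def deposit_twice(forged, same_time=False):
    """Deposit one ticket twice at gateway ID_GW; forged=True is the Section 4.2 ticket on an unrelated u."""
    P, g1, g2 = setup()
    u1 = secrets.randbelow(Q - 1) + 1
    accounts = {pow(g1, u1, P): "ID_CL"}  # TA registry: account number -> real identity
    records = {}
    u = secrets.randbelow(Q - 1) + 1 if forged else u1
    ticket, sec = issue_ticket(P, g1, g2, u)
    results = []
    for T in ("2012-05-01T10:00", "2012-05-01T10:00" if same_time else "2012-05-02T09:30"):
        r1, r2 = deposit(P, g1, g2, "ID_GW", ticket, sec, T)
        results.append(fraud_detection(P, g1, accounts, records, "ID_GW", ticket, r1, r2, T))
    return results


if __name__ == "__main__":
    print(deposit_twice(False), deposit_twice(True), deposit_twice(False, True), sep="\n")
```

For the honest ticket the second report of the same $TN$ yields the registered account and hence `ID_CL`; for the attacker's ticket the same division returns an exponent that matches no account, so the TA learns nothing, although both gateway checks passed. The third case exercises the branch in which both reports carry the same challenge, which the TA attributes to the gateway rather than to the client.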
REFERENCES

[1] M. Raya and J.-P. Hubaux, "Securing Vehicular Ad Hoc Networks," J. Computer Security, special issue on security of ad hoc and sensor networks, vol. 15, no. 1, pp. 39-68, 2007.
[2] S. Brands, "Untraceable Off-Line Cash in Wallets with Observers," Proc. CRYPTO '93, pp. 302-318, 1993.
[3] K. Wei, Y.R. Chen, A.J. Smith, and B. Vo, "WhoPay: A Scalable and Anonymous Payment System for Peer-to-Peer Environments," Proc. IEEE Int'l Conf. Distributed Computing Systems, 2006.
[4] J. Sun, C. Zhang, and Y. Fang, "A Security Architecture Achieving Anonymity and Traceability in Wireless Mesh Networks," Proc. IEEE Conf. Computer Comm., pp. 1687-1695, 2008.
[5] J. Sun, C. Zhang, Y. Zhang, and Y. Fang, "SAT: A Security Architecture Achieving Anonymity and Traceability in Wireless Mesh Networks," IEEE Trans. Dependable and Secure Computing, vol. 8, no. 2, pp. 295-307, 2011.
[6] X. Chen, F. Zhang, Y. Mu, and W. Susilo, "Efficient Provably Secure Restrictive Partially Blind Signatures from Bilinear Pairings," Proc. Financial Cryptography 2006, pp. 251-265, 2006.
[7] X. Chen, F. Zhang, and S. Liu, "ID-Based Restrictive Partially Blind Signatures and Applications," J. Systems and Software, vol. 80, no. 2, pp. 164-171, 2007.
[8] X. Hu and S. Huang, "Analysis of ID-Based Restrictive Partially Blind Signatures and Applications," J. Systems and Software, vol. 81, no. 11, pp. 1951-1954, 2008.
[9] Y. Zhang, W. Liu, W. Lou, and Y. Fang, "Securing Mobile Ad Hoc Networks with Certificateless Public Keys," IEEE Trans. Dependable and Secure Computing, vol. 3, no. 4, pp. 386-399, Oct. 2006.
[10] D. Boneh and M. Franklin, "Identity-Based Encryption from the Weil Pairing," Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.