One-Pass Key Establishment For Anonymous Wireless Oaming With Formal Security Model And Proof

The metropolitan-area Wireless Mesh Networks (WMNs) which accommodate thousands of self-managed network domains operated by numerous different Wireless Service Providers (WSPs), are expected to achieve interoperable, cost-effective and especially large-scale (such as city-wide) wireless access. It supports wireless roaming services which allow people to roam around with their mobile devices without being limited by the geographical area of their own home networks and access into different network domains to enjoy the services provided by different foreign WSPs rather than his home WSP. While the much effort has been made to address issues at physical, data link, and network layers, little attention has been paid to the security aspect central to the realistic deployment of WMNs and roaming service. For solving the security problems related to WMNs, i.e., confidentiality, authenticity, integrity, authorization and non-repudiation, we should have some way to establish a secure channel between the communicating parties.Consequently, as a critical issue to make ubiquitous and secure network access, a Key Establishment Protocol for Anonymous Wireless Roaming (KE-AWR Protocol) is expected to provide three basic kinds of services for the two communication parties. First, it ensures to build a secure channel between a mobile user and a foreign WSP. Namely, the two participants can establish a fresh session key which is a pure symmetric key shared by each other only. This key can be used for protecting data confidentiality and integrity of further communication. Second, it should ensure that a mobile user with a single sign-on (SSO) can carry on the KE-AWR protocol with a foreign WSP and also roams from one foreign network domain to another. Each of the two participants is convinced that it shares a secure session key with the intended party in an authentically way. Third, as an increasingly demanding requirement especially in wireless communication, privacy protection for a roaming user should be provided. Since eavesdropping is much easier to launch but more difficult to be detected when given the open nature of radio media, a KE-AWR protocol is required to keep mobile users’ identities and whereabouts anonymous. Besides these security attributes, efficiency is also an important requirement for a KE-AWR protocol because of the limited computing capability and restrained energy of the mobile devices held by roaming users. That is, a well designed scheme would not only satisfy the above security properties, but also be as lightweight as possible at mobile user’s side with both light computation load and small number of message flows in order to reduce latency and save energy.In this thesis, we present several novel solutions for the security, privacy and efficiency issues related to secure wireless roaming scenario. Particularly, we identify three aspects as our research outcomes:1. For our first outcome, we propose a novel One-Pass Key Establishment Protocol for Wireless Roaming (Protocol I) that achieves extremely on-line efficient at user side. To best of our knowledge, it seems to be the first One-Pass ID-based KE-AWR protocol ever presented in literatures. The protocol ensures that a fresh session key secreted from all other entities except user and foreign WSP is established in each run of protocol, by just sending one message (so called One-Pass) and eliminate any intervention of a third party. This protocol achieves secure key establishment as well as user anonymity. In addition, our protocol also achieves partial forward secrecy and partial key compromise impersonation security. Considering the imbalanced network architecture in WMNs, we focus on minimizing the number of both computational operations and communication flows at mobile user’s side. Actually, most computation of user can be pre-computed before the execution of protocol, and it leaves almost no cryptographic operations to be performed on-line for user. When compared with previous roaming protocols, our protocol requires the smallest bandwidth, the least number of message flows and achieves extremely on-line efficient for user.2. As our second result, we focus on improving the security performance for one-pass KE-AWR schemes. A one-pass protocol usually does not support the desirable properties that multi-round key establishment protocols may do, such as Perfect Forward Secrecy (PFS) and Perfect Key Compromise Impersonation (Perfect KCI). Consequently, we propose a novel solution for wireless roaming (Protocol II) which supports all the following three security properties which a one-pass protocol cannot satisfy, i.e.,(1) No Key Escrow (2) Perfect Forward Secrecy and;(3) Perfect Key Compromise Impersonation. By making use of the broadcast channel in wireless communication environment, via which a server may broadcast the public parameters shared by all roaming users who are in its signal radiation coverage, our propose protocol succeeds in providing these three attributes while still keeping the number of message flows to only one. So far as we know, it is the first one-pass KE-AWR protocol achieving PFS as well as perfect KCI security. As an improvement, we further extend the one-pass protocol to support key confirmation. Furthermore, the protocol is universal in the sense that it can be used by a user directly as key establishment protocol regardless of communicating with a foreign server or the home server. The total computational complexity of Protocol Ⅱ is comparable to that of Protocol I. However, as trade-off between efficiency and security, it needs an additional on-line Bilinear Pairing operation for mobile user during the runtime of the protocol.3. Finally, we point out that a formal treatment for wireless roaming in WMN systems is necessary and demonstrate the unreasonable aspects of classic CK and eCK model when adapting to analysis the security properties of a KE protocol for wireless roaming scenario. To address this gap, we firstly propose a variation of classic CK and eCK model which introduces the simulation of broadcast query and multiple Key Generation Centre scenario and also gives the re-defined session definitions and additional adversary capability related to roaming scenario. We call the variation as rCK model. To fulfill our construction of this model, for both previously proposed one-pass KE-AWR protocols, Protocol I and Protocol II, we present the formal security proofs of them under our rCK security model.