Attribute-Based Anonymous Handover Authentication Protocol for Wireless Networks

Mobile wireless networks are widely used in daily life. Seamless handover occurs frequently, and guaranteeing both security and efficiency during the handover procedure is a major challenge; a handover authentication protocol with the right properties is what achieves this. Protocols proposed in recent years more or less all have some security vulnerability. In this paper, we outline the security requirements for handover authentication protocols and then propose an anonymous protocol based on a new attribute-based signature scheme. The proposed protocol realizes conditional privacy preservation, user revocation, and session key update as well as mutual authentication and anonymity. Besides, it achieves fine-grained access control because attributes, rather than the real identity, determine who may authenticate. Moreover, experiments show that the proposed protocol has superior performance.


Introduction
Nowadays, due to the wide use of mobile smart devices (e.g., PDAs, smart phones, pads, laptop PCs, and vehicles) in our daily lives, we can enjoy Internet access through mobile wireless networks such as mobile telecommunication networks, WLANs, and vehicular ad hoc networks. As a result, mobile wireless networks attract a lot of attention from both academia and industry [1][2][3]. Mobile nodes (MNs), access points (APs), and an authentication server (AS) are the major entities in mobile wireless networks. The different types of entities have distinct features. For example, MNs have limited storage, computation, and communication capabilities, while APs have comparatively ample resources. MNs move from one place to another while each AP has a limited geographical coverage. As a consequence, handover occurs frequently, and an efficient and secure handover protocol is needed whenever it does. An essential goal of the handover protocol is authentication: it must guarantee that only valid MNs can access the wireless network and reject illegal access requests from adversaries. Mutual authentication is a basic requirement that a handover authentication protocol should meet. What is more, users' privacy, such as identity and location information, should be protected, so anonymity matters during the handover process. An anonymous handover authentication protocol meets this requirement.
Regardless of the implementation details of the underlying technology, a typical handover authentication scenario is shown in Figure 1. An MN first registers with the AS; it can then connect to an AP to access the network. Assume an MN, say MN_i, enters the geographical coverage of a new access point AP_j from its current one AP_{j-1}; the handover authentication protocol is then executed between MN_i and AP_j. If it completes successfully, AP_j can tell whether MN_i is a legitimate user, and only then does AP_j accept its access request. At the same time, a session key protecting subsequent communication is established between AP_j and MN_i.
Designing an anonymous handover authentication protocol is an active research topic. Generally, efficiency, security, and privacy must all be considered carefully. First, an anonymous handover authentication protocol should have a lightweight computation cost, especially on the MN side because of its limited resources. Second, because wireless communication is open, the protocol should achieve strong security, such as data confidentiality and integrity. Finally, an anonymous handover authentication protocol should protect users' privacy, since leaked private information can enable serious crime. Attribute-based signature (ABS) is a type of public key signature. Different from ID-based signature, in an attribute-based signature each user is tagged with a set of attributes. Attributes expose only group characteristics and hide individual characteristics, which provides anonymity. Introducing ABS into handover authentication protocols is therefore a natural way to address the anonymity issue. However, designing an attribute-based handover authentication protocol also presents challenges because of the computational complexity of common ABS schemes, which usually involve many pairing operations, a type of cryptographic operation with high computational cost. Only an ABS scheme with low computational complexity is suitable for handover authentication protocols in wireless networks.
1.1. Related Works. Protocols built on cryptographic techniques are well suited to the handover authentication goal. In recent years, many authentication protocols [4][5][6][7] have been proposed for access control in various networks. In particular, ID-based public key cryptography (PKC) is common in recently proposed protocols. But several of them are not satisfactory. Wang et al. [8] identified the root cause of the failures in existing schemes: authentication protocols in which the authentication server also acts as the registration center are inherently unable to achieve key compromise impersonation resistance. He et al. [9] proposed a handover authentication protocol called PairHand, which uses ID-based PKC based on bilinear pairing. The authors claimed PairHand performs better than previous protocols. However, He et al. [10] pointed out that PairHand is exposed to key compromise, because an adversary can extract a private key from intercepted traffic. Although an improvement was presented in [10], Yeo et al. [11] showed that the new scheme also suffers from the compromised key problem, without however addressing the issue themselves. Later, Tsai et al. [12] gave a security-enhanced handover authentication protocol.
Later, an efficient attack [13] demonstrated the vulnerability in PairHand [9], and its authors proposed an improved protocol, also based on bilinear pairing. At the same time, He et al. [14] made further improvements to the protocol of He et al. [9]. Note that He et al. [15] and Liu et al. [16] independently presented two efficient handover authentication protocols that avoid both bilinear pairing and map-to-point operations.
Because of the computational complexity of bilinear pairing and map-to-point operations, designing handover authentication protocols without them is attractive. Some handover authentication protocols [17][18][19][20] using Elliptic Curve Cryptography (ECC) achieve the security goal with smaller key lengths. Li et al. [17] proposed a protocol using ECC. Chaudhry et al. [18] pointed out that Li et al.'s protocol suffers from an impersonation attack and gave a security-enhanced protocol. Xie et al. [19] also exposed the vulnerability in [17] and proposed an improved handover authentication protocol to address it. Yang et al. [20] likewise presented a handover authentication protocol using ECC to strengthen security.
Privacy protection requires handover authentication protocols to achieve anonymity. Some privacy-preserving protocols rely on pseudonyms to achieve anonymity [9][10][11][17]. This approach requires MNs to store a number of pseudonyms that stand in for the true identifier. Another approach uses group signatures to provide anonymity [21]: any group member can produce a valid signature without revealing private identity information, so APs can verify the signature but cannot determine which member produced it. However, schemes based on group signatures usually have a higher computation cost. Recently, attribute-based encryption (ABE) was used to secure authentication [22], but the authors did not present a concrete ABE scheme and did not consider the high computation cost of common ABE schemes. Protocols built on attribute-based encryption may therefore be unsuitable for resource-constrained devices in mobile wireless networks.

Our Contributions.
To achieve security and efficiency as well as anonymity, we apply attribute-based signature to handover authentication protocols. We propose an attribute-based authentication protocol with a light computation cost on the MN side. Compared with ID-based authentication protocols, attribute-based authentication protocols have the advantage of anonymity by construction. Specifically, the major contributions of this paper are as follows.
Firstly, we propose an ABS scheme with low computational complexity and give a security proof for it. Unlike other ABS schemes, ours is lightweight enough to fit handover authentication protocols in wireless networks.
Secondly, we design a new handover authentication protocol based on our lightweight ABS scheme. The new protocol meets the security and efficiency requirements and provides anonymity inherently.
Finally, we present a detailed security analysis and performance analysis of the new protocol to demonstrate that it indeed achieves both security and efficiency.
1.3. Organization. The rest of the paper is organized as follows. Section 2 introduces the preliminaries used in this paper. In Section 3, we describe our ABS scheme in detail and give its security proof. The attribute-based handover authentication protocol is proposed in Section 4. Security analysis and performance evaluation are given in Section 5. Section 6 concludes the paper.


Preliminaries
The following problems are widely assumed to be hard, in the sense that no probabilistic polynomial time algorithm can solve them.
Discrete Logarithm (DL) Problem. Given a generator of a cyclic group of prime order together with the element obtained by raising it to an unknown exponent, the DL problem is to recover that exponent in polynomial time.
Computational Diffie-Hellman (CDH) Problem. Given a generator of a cyclic group of prime order together with its powers under two unknown exponents, the goal of the CDH problem is to compute the generator raised to the product of the two exponents. The CDH assumption states that no probabilistic polynomial time algorithm solves the CDH problem with nonnegligible probability.

Security Requirements.
For wireless communication, an adversary can control the communication channel between the MN and the AP. To ensure security, a handover authentication protocol should meet the following requirements [12,14,15].
(1) Mutual authentication: to guarantee that only a legitimate MN and a legitimate AP communicate in the wireless network, the protocol should provide mutual confirmation of the MN's and the AP's legitimacy.
(2) Session key establishment: the MN and the AP should establish a unique random session key that protects the confidentiality and integrity of the communication session.
(3) User anonymity and nontraceability: to protect the user's privacy, no one except the AS, including the AP, should be able to extract the MN's identity or link intercepted messages to the same user.
(4) Provision of user revocation: service to an MN should be terminated once its expiration time is reached.
(5) Periodic session key update: to ensure strong security when an MN keeps accessing the Internet through the same AP, the session key needs to be updated periodically. This limits the damage caused by a compromised session key.
(6) Attack resistance: because mobile wireless networks are an open environment, a handover authentication protocol should resist common attacks such as the replay attack, the impersonation attack, and the man-in-the-middle attack.

A High Efficiency ABS Scheme
Different from an ID-based signature scheme, which derives the public key from the identity, an attribute-based signature scheme derives the public key from attributes. It has the useful property that an adversary cannot determine the identity from a user's attributes. Attributes are features a user may have, such as gender, job, and privilege. Let the universal attribute set be  = { 1 ,  2 , . . .,   }; each attribute   has a value set, and the access structure is denoted as a conjunction of attribute values   ,   ∈  . Our proposed ABS scheme consists of 4 algorithms.
ABS.Setup. The AS takes a security parameter  and the universal attribute set  and outputs the system public parameters params and the master key .

ABS.KeyGen.
Upon receiving a registration request with an attribute list , the AS runs the algorithm with input (, params) to generate a secret key   and sends   to the user over a secure channel.
ABS.Sign. To sign a message msg, the signer runs this algorithm with input (msg, ,  ) and returns the signature .
ABS.Verify. To verify a signature, the verifier runs the algorithm with input (msg, , ) and outputs "reject" or "accept" according to the validity of the signature.

ABS.KeyGen(L, params).
A user sends its attribute list  and identity information ID to register at the AS. The AS computes a k-bit string V = (). Let V  denote the -th bit of V and let  be the subset of {1, 2, . . ., } given by  = { | V  = 1}. Then the AS randomly chooses a number  ∈  *  and computes the key components; note that if  +  = 0 mod , the AS selects a new . Finally, the AS sends the generated private key   = ( 0 ,  1 ) to the user. For security, the user can verify whether the key-validity equation holds.

ABS.Sign(msg, W, sk ).
If the user's attribute list  satisfies the access structure, the user signs a message msg with its private key   = ( 0 ,  1 ) as follows. The user computes a k-bit string  = (msg). Let   denote the -th bit of  and let  be the subset of {1, 2, . . ., } given by  = { |   = 1}. Then the signer selects random numbers   ,  ∈  *  and computes the signature components, where  =   + ∑ ∈   . The signature on msg is  = ( 1 ,  2 ,  3 ).

Security Analysis.
We analyze the security of above proposed ABS scheme according to the security model defined in Section 3.1.

Lemma 2.
If there is an adversary that makes at most   and   key queries and signing queries, respectively, and breaks the proposed signature scheme with nonnegligible probability , then there exists a challenger that solves the CDH problem with the advantage given below.
Proof. Suppose  is an adversary that wins the attack game with advantage . We construct an algorithm  that acts as the challenger for the adversary. Suppose  is given a CDH instance (,   ,   ), where  is a generator of a cyclic group  of order  and  does not know  and . To compute  ,  simulates the game as follows.
Setup. Let  V = 2(  +   ) and   = 2  .  randomly selects the simulation parameters and calculates the system parameters from the CDH instance, so that the public parameters are distributed as in the real scheme.
Security and Communication Networks 5
Query. Algorithm  acts as the challenger and answers the queries of adversary  as follows.
(i) Key Query. On receiving a key query on attribute list ,  can generate the related private key if (V) ≠ 0 mod , although  does not know the master key:  randomly selects  ∈   and calculates the key components, where  =   + ∑ ∈   . Then  sends   to , and  can verify it. For the attacker, this private key and one generated by a true challenger are indistinguishable, because the two are identically distributed.
(ii) Signing Query. When  issues a signing query on (msg, ), if () ≠ 0 mod ,  chooses ,  ∈   randomly and calculates the signature components, where   =  −   () .  sends  to , and  can verify the validity of the signature. For the attacker , the signature generated by  is indistinguishable from one generated by a true challenger. If () = 0 mod ,  aborts. As in the key query, we take () ≠ 0 mod  as the condition for generating a valid signature.
Forgery. After the queries, the adversary outputs a forgery on (msg * ,  * ). If ( * ) ≠ 0 mod  or (V * ) ≠ 0 mod ,  aborts. If ( * ) = 0 mod  and (V * ) = 0 mod ,  computes and outputs the group element

Forgery
which is the solution to the given CDH problem.
We analyze the probability that  outputs the solution to the CDH problem, namely, the probability that  does not abort. For  not to abort, every key query must have (V) ≠ 0 mod , every signing query must have () ≠ 0 mod , and the forgery must satisfy ( * ) = 0 mod  and (V * ) = 0 mod .

So the probability of  not aborting is
Pr(not abort) = Pr(all key queries have (V) ≠ 0 mod  ∧ all signing queries have () ≠ 0 mod  ∧ ( * ) = 0 mod  ∧ (V * ) = 0 mod ).
The key-query and forgery events are bounded using  V = 2(  +   ), and, similarly, the signing-query events are bounded using   = 2  ; the product of these bounds gives the probability that  does not abort. In general, if the simulation does not abort and an attacker breaks the proposed signature scheme with nonnegligible probability , then  solves the CDH problem with probability   , as stated in the lemma. So we have the following theorem.
Theorem 3. The proposed attribute-based signature scheme is existentially unforgeable against adaptive chosen message and attribute list attacks under the CDH assumption.

The Proposed Handover Authentication Protocol
Based on our signature scheme, we propose a new handover authentication protocol. We assume that each AP holds a signing/verification key pair (, ) of a standard digital signature scheme, ECDSA [23]. To support the revocation check, we extend the algorithm .(⋅) of Section 3: the AS also generates revocation information for the user. For interval index  , the revocation information of the user is   =    (ID), where  is a random number selected for the user by the AS and    (⋅) is a keyed hash chain, i.e., the keyed hash  (⋅) iterated once per interval.
In the following, we describe the protocol in detail. Assume the handover authentication is carried out between MN_i and AP_j. According to the signature algorithm, MN_i holds its private key   and the revocation information  , for each  . The protocol is illustrated in Figure 2, and the notation used to describe it is given in the notation list (items (i) to (ix)).
(1) MN_i obtains the access structure  from the beacon message of AP_j. If its attribute list satisfies the access structure, MN_i selects a random number  ∈  *  and generates   = .Sign(msg, ,   ), where msg = ID AP_j ‖   0 ‖  ‖  , , and a timestamp  is added. It then sends {msg,   } to AP_j. The timestamp serves both the revocation check (it fixes the interval index) and replay prevention.
(2) After receiving {msg,   } from MN_i, AP_j checks the timestamp  against its own clock to reject replayed or stale requests and then executes the revocation check (details under Revocation below). If both checks pass, AP_j verifies the signature. If the signature is invalid, AP_j rejects the request; otherwise, AP_j selects a random number  ∈  *  and computes   = .Sig(rmsg,   ), where rmsg = ID AP_j ‖   0 ‖   0 . AP_j sends {rmsg,   } back to MN_i. Finally, AP_j computes the session key  = (  0 )  and erases the random number  from its memory.
(3) Upon receiving {rmsg,   }, MN_i verifies   with .(⋅). If the algorithm returns 1, MN_i generates the session key  = (  0 )  and erases the random number  from its memory. MN_i then sends (ID AP_j ‖   0 ‖   0 )  to AP_j, where ()  denotes encryption of the message  under the symmetric key . AP_j decrypts the message with  and checks its contents. If the message is valid, AP_j concludes that the two parties share the session key ; otherwise, it rejects the access request.
Session Key Update. When MN_i stays connected to the same AP, let their current session key be  . They establish a new session key as follows.
(1) MN_i chooses a random number  ∈  *  , computes   0 and  1 = (  ‖   0 ), and sends {  0 ,  1 } to the AP.
(2) Upon receipt of {  0 ,  1 }, the AP uses the current   to compute the verification code  1 ′ = (  ‖   0 ) and compares it with  1 . If they do not match, the AP rejects the session key update; otherwise, the AP concludes that the message is from MN_i, picks a random  ∈  *  , computes the new key  +1 and the verification code  2 , and erases  from its memory. Finally, the AP transmits {  0 ,  2 } to MN_i.
(3) Upon receiving the message from the AP, MN_i computes   +1 = (  0 )  , generates the verification code  2 ′ = (  +1 ,   0 ,   0 ), and compares it with  2 . If they match, MN_i erases  from its memory and accepts  +1 as the new session key; otherwise, MN_i rejects the session key update.
Revocation. The revocation check proceeds as follows.
(1) The AS generates a revocation list   consisting of the revocation information for interval   and transmits it to every AP, together with the secret key   of each revoked user. This prevents the revoked user from accessing the network.
(2) Upon acquiring  , each AP rolls the previous list forward: for every  ,−1 ∈  −1 , it computes  , =    ( ,−1 ). The AP then stores both  −1 and   in its database.
(3) During handover authentication, upon receipt of {msg,   }, the AP parses the revocation information  , from msg and checks whether it appears in  . If  , ∈  , the user is revoked and the handover request is rejected; otherwise, the protocol proceeds with the next steps.
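The three handover steps, the session key update and the revocation check above, as an added runnable sketch that is not the paper's code. Everything cryptographic is a labelled stand-in: HMAC-SHA256 plays the role of both ABS.Sign and ECDSA.Sig (so signer and verifier share a key, unlike a real signature), an HMAC tag over rmsg plays the role of the encrypted confirmation (ID_AP ‖ g^a ‖ g^b)_K, the shared DH value is hashed into the session key, and the group is the Mersenne prime 2^521-1 with generator 3, picked only to keep the example self-contained (it is not a standard DH group). The names AccessPoint, MobileNode, run_demo, the 30-second timestamp window and the sample identities are all assumptions of this example.

```python
"""Toy walk-through of the Section 4 handover, revocation check and session key update
(added example, not the paper's code).  Stand-ins, all assumptions: HMAC-SHA256 replaces
the MN's ABS signature and the AP's ECDSA signature (so signer and verifier share a key),
an HMAC tag over rmsg replaces the encrypted confirmation (ID_AP || g^a || g^b)_K, the DH
value is hashed into K, and the group is the Mersenne prime 2^521-1 with generator 3."""
import hashlib, hmac, secrets

P, G = 2**521 - 1, 3   # toy group (assumption, see docstring); not a standard DH group
WINDOW = 30            # seconds the timestamp T may deviate from the AP's clock (assumption)

def i2b(x): return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
def H(*parts): return hashlib.sha256(b"".join(parts)).digest()        # the paper's H(.)
def h_k(k, x): return hmac.new(k, x, hashlib.sha256).digest()         # keyed hash h_k(.)
def sign(key, m): return hmac.new(key, m, hashlib.sha256).digest()    # stand-in for ABS.Sign / ECDSA.Sig
def verify(key, m, s): return hmac.compare_digest(sign(key, m), s)
def encode(msg): return repr(msg).encode()                            # deterministic serialisation of msg
def rand_exp(): return secrets.randbelow(P - 2) + 1                   # random exponent in [1, P-2]

def revocation_info(k, identity, j):
    """r_{i,j} = h_k^j(ID): the keyed hash chain applied j times to the identity."""
    r = identity
    for _ in range(j):
        r = h_k(k, r)
    return r

class AccessPoint:
    def __init__(self, ap_id, sk, abs_vk):
        self.ap_id, self.sk, self.abs_vk = ap_id, sk, abs_vk
        self.rl, self.pending = {}, {}   # j -> {r_{i,j}: k_i} (k_i rolls the entry forward); g^a -> (K, g^b)

    def update_revocation(self, j, new_entries):   # Revocation step (2): RL_j = h_k(RL_{j-1}) + fresh entries
        self.rl[j] = {h_k(k, r): k for r, k in self.rl.get(j - 1, {}).items()}
        self.rl[j].update(new_entries)

    def handle_request(self, msg, sig, now):
        """Handover step (2): timestamp, revocation list, ABS signature, then the signed reply."""
        ap_id, ga, W, r, j, T = msg
        if abs(now - T) > WINDOW or r in self.rl.get(j, {}) or not verify(self.abs_vk, encode(msg), sig):
            return None                                    # stale/replayed, revoked, or forged
        b = rand_exp(); gb = pow(G, b, P)
        rmsg = ap_id + i2b(ga) + i2b(gb)
        self.pending[ga] = (H(i2b(pow(ga, b, P))), gb)    # K = H((g^a)^b); b is not retained
        return rmsg, gb, sign(self.sk, rmsg)

    def confirm(self, ga, tag):   # Handover step (3), AP side: return K if the MN's confirmation verifies
        K, gb = self.pending.pop(ga)
        return K if tag is not None and hmac.compare_digest(tag, sign(K, self.ap_id + i2b(ga) + i2b(gb))) else None

class MobileNode:
    def __init__(self, identity, abs_sk, chain_key, ap_vk):
        self.identity, self.abs_sk, self.k, self.ap_vk = identity, abs_sk, chain_key, ap_vk

    def request(self, ap_id, W, j, now):
        """Handover step (1): fresh a, msg = ID_AP || g^a || W || r_{i,j} || T, ABS signature on msg."""
        self.a = rand_exp()
        msg = (ap_id, pow(G, self.a, P), W, revocation_info(self.k, self.identity, j), j, now)
        return msg, sign(self.abs_sk, encode(msg))

    def finish(self, msg, rmsg, gb, sig):
        """Handover step (3), MN side: verify the AP's signature, derive K, erase a, confirm under K."""
        if rmsg != msg[0] + i2b(msg[1]) + i2b(gb) or not verify(self.ap_vk, rmsg, sig):
            return None
        self.K = H(i2b(pow(gb, self.a, P))); del self.a
        return sign(self.K, rmsg)

def update_start(K):   # Update step (1), MN: x, g^x, h1 = H(K_n || g^x)
    x = rand_exp(); gx = pow(G, x, P)
    return x, gx, H(K, i2b(gx))

def update_ap(K, gx, h1):   # Update step (2), AP: check h1, pick y, K_{n+1} = H((g^x)^y), h2 = H(K_{n+1} || g^x || g^y)
    if not hmac.compare_digest(h1, H(K, i2b(gx))):
        return None
    y = rand_exp(); gy = pow(G, y, P)
    K1 = H(i2b(pow(gx, y, P)))
    return K1, gy, H(K1, i2b(gx), i2b(gy))

def update_finish(x, gx, gy, h2):   # Update step (3), MN: K_{n+1} = H((g^y)^x), accepted only if h2 matches
    K1 = H(i2b(pow(gy, x, P)))
    return K1 if hmac.compare_digest(h2, H(K1, i2b(gx), i2b(gy))) else None

def run_demo():
    """One honest handover, a stale replay, a revoked user, and one session key update."""
    ap_id, W, j, now = b"AP_j", b"role=staff", 7, 1_700_000_000           # constructed inputs
    ap_sk, abs_key = secrets.token_bytes(32), secrets.token_bytes(32)     # AS-provisioned stand-in keys
    ap = AccessPoint(ap_id, ap_sk, abs_key)
    alice = MobileNode(b"alice", abs_key, secrets.token_bytes(32), ap_sk)
    mallory = MobileNode(b"mallory", abs_key, secrets.token_bytes(32), ap_sk)
    ap.update_revocation(j - 1, {revocation_info(mallory.k, b"mallory", j - 1): mallory.k})  # AS revoked mallory
    ap.update_revocation(j, {})                                            # AP rolls RL_{j-1} into RL_j
    msg, sig = alice.request(ap_id, W, j, now)
    rmsg, gb, ap_sig = ap.handle_request(msg, sig, now)
    K_ap = ap.confirm(msg[1], alice.finish(msg, rmsg, gb, ap_sig))
    x, gx, h1 = update_start(alice.K)
    K_ap1, gy, h2 = update_ap(K_ap, gx, h1)
    K_mn1 = update_finish(x, gx, gy, h2)
    return {"handover_ok": K_ap is not None and K_ap == alice.K,
            "replay_rejected": ap.handle_request(msg, sig, now + WINDOW + 1) is None,
            "revoked_rejected": ap.handle_request(*mallory.request(ap_id, W, j, now), now) is None,
            "update_ok": K_ap1 == K_mn1 and K_mn1 != alice.K}
```

Two things the sketch makes visible that the prose leaves implicit. First, the AP can roll RL_{j-1} forward only because the AS hands it the chain key k_i of each revoked user; without that key the AP would have to receive a fresh list every interval. Second, the timestamp check alone rejects only requests outside the window; a deployment that wants to stop replay of a captured {msg, σ} within the window also has to remember the (T, g^a) pairs it has recently accepted.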

Security Analysis and Performance Evaluation
5.1. Security Analysis. We analyze the security of the proposed protocol against the security goals listed in Section 2.
Mutual Authentication. On the one hand, AP authentication is ensured by the challenge-response pair msg and  .Sig(rmsg,   ). By the security of the digital signature, only the AP_j that holds   can produce a valid signature on the fresh challenge   0 sent by MN_i. If the signature passes the verification .(⋅), the AP is a legitimate entity. On the other hand, the designed ABS scheme provides user authentication: only a user holding a valid key for an attribute list that satisfies the access structure can generate a valid signature. In other words, a malicious node can neither impersonate a valid node nor pass the authentication. Therefore, the proposed protocol achieves mutual authentication.
Key Establishment. As described in the protocol, MN_i and AP_j use   0 and   0 to complete a Diffie-Hellman key establishment. MN_i computes (  0 )  , AP_j computes (  0 )  , and (  0 )  = (  0 )  , so both obtain the session key  =   0 . Since both DH shares are covered by signatures, an adversary can neither substitute its own share nor, by the CDH assumption, compute the session key from the transmitted values.
User Anonymity and Nontraceability. Thanks to the attribute-based signature, no identity information is contained in the messages transmitted during the whole handover authentication procedure, so nobody except the AS, including the AP, can tell the identity of the user. In addition, the request message msg contains no privacy-sensitive information about the MN other than the revocation information  , . Since  , is a secure keyed hash value, an adversary cannot recover the identity of the user from it or trace the user across intervals. Note that  , is fixed for the duration of interval  , so the protocol bounds linkability by the interval length rather than eliminating it within a single interval. Thus user anonymity and nontraceability are guaranteed.
User Revocation. Once the revocation hash value  , of MN_i appears in the revocation list   for interval  , it remains in the AP's database for all later intervals because of the AP's update procedure. If  , is found in  , MN_i has been revoked since time  , and the authentication fails.
Updating Session Key Periodically. As described in the session key update phase, the MN and the AP can establish a new session key authenticated by the current one. In detail, the MN and the AP run a fresh Diffie-Hellman key establishment to generate the new session key, whose secrecy rests on the DL and CDH problems. Once the new session key is established, the previous one is destroyed securely, so that compromise of an old session key does not reveal the new one.
Besides, the protocol prevents replay attacks through the timestamp. It is important that only the AS can recover the real identity of a user from  , =    (ID  ), since   is selected for MN_i by the AS and is known only to the AS and the user. So the protocol achieves conditional privacy preservation as well.
For convenience, we let P1, P2, P3, P4, P5, and P6 denote mutual authentication, user anonymity with nontraceability, session key update, conditional privacy preservation, session key establishment, and user revocation, respectively. Security comparisons between our protocol and 3 other protocols are presented in Table 1. Our protocol meets all the security requirements in the table while the other 3 protocols each lack some of them. All protocols provide session key establishment, but only ours adds the session key update mechanism. Except for our protocol, none of the 3 meets the requirements of conditional privacy preservation and user revocation, and none achieves user anonymity or nontraceability, so our protocol has a clear security advantage.
Note that our protocol has an additional property unique among the compared schemes: it achieves fine-grained access control through attribute-based cryptography. For example, an AP can offer a service to specific users by announcing a required access structure, so that only users with a matching attribute list can use the service.

Performance Evaluation.
Although signal transmission also affects handover delay, given the high data rate of WLANs and the fact that our protocol involves only 3 messages, we discuss only the authentication latency determined by computation cost. We compare the computation cost of our protocol with that of related protocols. For a more realistic measurement, we cross-compiled the Pairing-Based Cryptography (PBC) library (version pbc-0.5.14) so that the relevant cryptographic operations run on mobile devices. A smart phone (HUAWEI Honor 5C) and a personal computer (Acer) act as the MN and the AP, respectively, and the type A pairing of the PBC library is used as the bilinear pairing. Device information is listed in Table 2, and Table 3 presents the time consumption of the different operations on the MN and the AP. Note that we ignore lightweight cryptographic operations such as general hash functions. One type of hash, the map-to-point hash (denoted MTP in Table 3), is not lightweight: its time consumption is comparable to that of a pairing operation. Table 4 gives the performance comparison between our protocol and related works, where the times in parentheses are calculated from the data in Table 3.
As the tables show, the computation cost of our protocol is modest, so it is feasible in practice. There is no heavy cryptographic operation, such as a pairing or a map-to-point hash, on the MN side, and our protocol has a lower computation cost on both the MN side and the AP side.

Conclusions and Future works
In this paper, we summarize the security requirements a handover authentication protocol should meet. After reviewing recent ID-based protocols, we point out that they have vulnerabilities to varying degrees. We design an ABS scheme and, based on it, present an anonymous handover authentication protocol. Security analysis demonstrates that the proposed protocol meets the security requirements, in particular anonymity, which attribute-based cryptography provides inherently. Moreover, concrete experiments on a smart phone and a personal computer show that the proposed protocol is practical in mobile wireless networks.
Our proposed protocol achieves user revocation. Attribute revocation would provide even more flexible access control: if an attribute is revoked, the secret key component corresponding to it is no longer valid. Unfortunately, attribute revocation comes at a high computation cost, and the new protocol does not include it. Achieving attribute revocation with a light computation cost is therefore the focus of our future work. Note also that the access structure in our proposed protocol is as simple as a single AND gate. It is also our future work to introduce more complex access structures into
Notation used in the protocol description (Section 4):
(i) : specified access structure
(ii) : timestamp
(iii) ID AP_j : identity of AP_j
(iv)  , : revocation information with time interval index   for MN_i
(v) : attribute list owned by the MN
(vi)   : MN's secret private key on attribute list 
(vii) , : random numbers in  * 
(viii)   ,   : digital signatures of MN_i and AP_j, respectively
(ix) : session key.
2.1. Bilinear Pairings and Computational Assumptions. Let ,   be cyclic groups of prime order  and  be a generator of . A map  :  ×  →   is a bilinear pairing if it satisfies the following properties: (1) bilinearity: (  ,   ) = (, )  .

3.1. Security Model. Similar to security against existential forgery under adaptively chosen message attacks, we define the security model through a game between a challenger  and an attacker . The game is defined below.
Setup. The challenger  runs the ABS.Setup algorithm and outputs params and . The challenger keeps  secret and sends params to .
Query.  makes a series of queries to  adaptively, and  responds in the following way.
(i) Key Query. Attacker  issues this query to acquire the private key   related to attribute list .  runs the ABS.KeyGen algorithm with input (, ) and sends the output   to .
(ii) Signing Query. When  issues a signing query with a message msg and access structure ,  runs the ABS.Sign algorithm and returns a signature  to .
Forgery.  outputs a tuple (msg * ,  * ,  * ,  * ). The attack is successful if the following conditions hold: (1) .(msg * ,  * ,  * ) = accept; (2)  did not issue a key query on  * ; (3)  did not issue a signing query on (msg * ,  * ). The probability of a successful attack is defined as 's advantage  .
Definition 1. An attribute-based signature is existentially unforgeable against adaptive chosen message attacks if no probabilistic polynomial time adversary has a nonnegligible advantage in the game.

3.2. Construction.
ABS.Setup(, ). The AS chooses two cyclic groups ,   of prime order  with a bilinear map  :  ×  →   , random numbers  ∈  *  ,  1 =   ,  2 ∈ , where  is a generator of , and sets  1 = ( 1 ,  2 ),  2 = (,  2 ). Then the AS randomly selects   ∈ Z *  ,   ∈ , a k-length vector  = (  ) with elements chosen at random from  *  , and a k-length vector  = (  ) with elements chosen at random from . So the public parameters set is .
Forgery (detail of the proof of Lemma 2). If  does not abort during the above queries, the adversary outputs a forgery  * = ( * 1 ,  * 2 ,  * 3 ) on message msg * and access structure  * with probability . Here we assume  * 1 =   2   * 2 ⋅(  ∏ ∈   )  * ,  * 2 =   * ,  * 3 =   * 2 , and that  issued neither a signing query on msg * nor a key query on an attribute list  * that satisfies  * . If ( * ) ≠ 0 mod  or (V * ) ≠ 0 mod ,  aborts; otherwise it computes the CDH solution as described in the proof.

Table 1: Security comparisons of four protocols.

Table 3: Time consumption of different operations (in ms).

Table 4: Evaluation of computation cost (in ms).