Professional Documents
Culture Documents
discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/309308865
CITATIONS READS
0 148
3 authors:
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Eihab Bashier Mohammed Bashier on 20 October 2016.
Faculty of Computer Studies, National Ribat University, P.O. Box: 55, Khartoum, Sudan1
Faculty of Mathematical Sciences, University of Khartoum, P.O. Box: 321, Khartoum, Sudan2
(Email: eihabbashier@gmail.com)
(Received Feb. 21, 2016; revised and accepted May 6 & July 19, 2016)
the pairs of public and private keys of the users. If this The components of the proposed CL-PKI and their
third party is malicious, then the security of the whole in- functions are as follows:
frastructure could be compromised. For this, Girualt [6]
defined three levels of trust: At Level 1 trust, the au- 1) The Registration Authority (RA): The registra-
thority knows (or can easily compute) users’ secret keys tion authority plays the same role as the registration
and therefore, can impersonate any user at any time with- authority of the traditional PKI. The user might in-
out being detected (the KGC of the ID-PKC). At Level 2 teract with this authority and provides proofs of his
trust, the authority does not know users’ secret keys, but personal information like names, address, national ID
it can still impersonate a user by generating false guaran- number and email address. After the RA verifies the
tees (CL-PKC). At Level 3 the authority cannot compute information of the user, it gives the user a unique
users’ secret keys, and if it does so, it can be proven that random generated password for latter authentication
it generates false guarantees (The CA in the traditional purposes, in addition to the system parameters, gen-
PKI). erated by the KGC server in a token or any electronic
In 2013 Hassouna et al. [7] proposed an integrated media.
Certificateless public key infrastructure model (CL-PKI). 2) The Key Generation Center (KGC): The KGC
In their model, a different method for generating entity is responsible of generating its master secret and the
key pair has been introduced. Furthermore, Hassouna et system parameters. It has to keep it’s master se-
al. [7] incorporated a different binding technique to link cret in a secure storage and publish the system pa-
the entity’s identity with its corresponding keys to en- rameters in a public directory. The KGC also has
sure the uniqueness of the key pair. The direct security a database that holds the user identities with their
and management advantages of using this method of key password hashed by any strong cryptographic hash
generation are two-factor private key authentication, pri- function like MD5 or SHA-1.
vate key portability, private key recovery and private key
archiving [7]. Moreover, Hassouna et al. extended their 3) The KGC’s Public Directory (PD): The public
CL-PKI model by proposing a new security model for directory is responsible of storing the KGCs’ pub-
certificateless digital signature schemes. Then, they pro- lic parameters, users identities, users partial private
posed a strong and efficient provable secure certificateless keys, users public key and other user parameters. It
digital signature scheme [8] in the Random Oracle Model is controlled and updated by the KGC. The con-
(ROM) without stating its security proof. Recently, Has- tents of the PD are available for only the authen-
souna et al. [9] stated the complete security proof of the ticated users, who do not have the right to write in
digital signature scheme in the random oracle model [8]. it. The typical format of the public directory records
In this paper, we propose a Hierarchal Certificateless are given in Figure 1 and Figure 2, respectively.
Public Key Cryptography Scheme (HCL-PKC) and then
use it to construct a Hybrid PKI/CL-PKI scheme. These
two schemes are introduced in the context of Hassouna et
al.’s Cl-PKI model, hence they enjoy the security proper-
ties and key management features of Hassouna et al.’s [7] Figure 1: Systems’ parameters record
model.
The rest of this paper is organized as follows. We
state Hassouna et al.’s [7] CL-PKI model in Section 2.
Hassouna et al.’s [8] digital signature scheme is given in
Section 3. In Section 4, we introduce the proposed Hi-
erarchal Certificateless Public Key Cryptography Scheme
(HCL-PKC). In Section 5, we give the Hybrid PKI/CL- Figure 2: Contents of the public directory of a user
PKI scheme. Finally, Section 6 concludes the paper.
2 Hassouna et al.’s Certificate- Typically the RA has an offline connection with the
KGC. When the KGC generates the user’s password
less Public Key Infrastructure at the registration time, the RA passes it to the user
Model (CL-PKI) without knowing it.
In [7], Hassouna et al. introduced several methods of
As stated in [7]: to make the CL-PKC schemes suitable authentication between the user and the KGC/PD. The
for practical applications, there is a need for some sort complete description of the model is as following:
of infrastructure as the traditional PKI. Therefore, Has-
souna et al. [7] proposed a CL-PKI model with three com- • Setup (running by the KGC): The KGC chooses
ponents: Registration Authority (RA), Key Generation a secret parameter k to generate G1 , G2 , P, e; where
Center (KGC) and Public Directory (PD). G1 and G2 are two groups of a prime order q, P is
International Journal of Network Security, Vol.19, No.4, PP.551-558, July 2017 (DOI: 10.6633/IJNS.201707.19(4).8) 553
a generator of G1 and e : G1 × G1 −→ G2 is a bi- Further issues such as the users’ authentication at the
linear map. The KGC generates a random system’s first time, updates of system’s parameters and users’ pass-
master key s ∈ Z∗q and computes the system public words, generation of public and private key pairs, private
key Ppub = sP . Then, the KGC chooses a cryp- key recovery; portability; archiving and public key revo-
tographic hash functions H1 and H2 , where H1 : cation are discussed in details in [7].
{0, 1}∗ × G1 −→ G1 and H2 : {0, 1}∗ −→ {0, 1}n .
Finally, the KGC publishes the system parameters
params=< G1 , G2 , e, P, Ppub , H1 , H2 , n >, and keeps 3 Hassouna et al.’s Certificateless
the secret master-key safe. Digital Signature Scheme
• Set-Secret-Value (running by the user): A user In this section, we provide details on the certificateless
m with an identity IDm downloads the system pa- digital signature scheme that was proposed by Hassouna
rameters. He/She then generates two random secret et al. and its functionality [8].
values xm , x0m ∈ Z∗q . Then, it computes Xm = x0m P
and sends Xm to the KGC. To provide two factor of • Setup (running by the KGC): The KGC chooses
authentication and protection for the user’s private a secret parameter k to generate G1 , G2 , P, e where
key against the device theft or compromise, the pro- G1 and G2 are two groups of a prime order q, P
posed scheme enforces the user to choose a strong is a generator of G1 and e : G1 × G1 −→ G2
password pass. The client device uses the hash func- is a bilinear map. The KGC randomly generates
tion H2 to generate zm = H2 (pass) and multiplies the system’s master key s ∈ Z∗q and computes the
the base point P by the hashed password to get zm P . system public key Ppub = sP . Then, the KGC
The hash function H2 must be capable to preserve chooses cryptographic hash functions H1 and H2 ,
∗
the large size of the hashed value zm to prevent the where H 1 : {0, 1} −→ G1 (Map-to-Point hash
brute-force attack on the point zm P . It then uses the function), and H 2 : {0, 1}n −→ Z∗q (any crypto-
hashed value zm as key along with the M AC func- graphic hash function like MD5 or SHA family).
tion to encrypt the secret value xm as M ACzm (xm ) Finally, the KGC publishes the system parameters
and sends a copy to the KGC’s public directory to params=< G 1 , G2 , e, P, P pub H1 , H2 , n >, while the
,
be stored together with the point zm P locally. It is secret master-key is saved and secured by the KGC.
worthy to notice that there is no need to store the • Set-Secret-Value (running by the user): A
password pass or its hash value zm . user m with an identity IDm downloads the sys-
tem parameters, generates two random secret values
• Partial-Private-Key-Extract (running by the xm , x0m ∈ Z∗q . Then, user m computes Xm = x0m P
KGC): When the KGC receives Xm from a user and sends Xm to the KGC. The proposed scheme en-
m with an identity IDm , the KGC first computes forces the user to choose a strong password pass, the
Qm = H1 (IDm ||Xm ), then it generates the partial system at the client side hashes the password to be
private key of user m as Dm = sQm . User m can zm = H2 (pass), multiplies the base point P by the
verify the correctness of his/her partial private key hashed password to be zm P , uses the hashed value
Dm , through testing whether e(Dm , P ) = e(Qm , P0 ). zm as key to encrypt the secret value xm and gener-
ates the Password-based Encryption Code (PEC) as
• Set-Public-Key (running by the user): The P ECzm (xm ), sends a copy of it to the KGC’s pub-
user m whose identity is IDm computes Qm = lic directory and stores it along with the point zm P
H1 (IDm ||Xm ), Ym = x0m Qm and sets < Xm , Ym > locally.
as his/her long-term public key Pm . Finally, user m
sends Ym to the KGC. • Partial-Private-Key-Extract (running by the
KGC): On receiving Xm computed by user m
• Set-Private-Key (running by the user): Every with identity IDm , the KGC first computes Qm =
time a user wants to calculate and use his/her full H1 (IDm ), then it generates the partial private key
private key, he/she enters his/her password, the sys- of user m as Dm = sQm .
0 0
tem hashes it as zm , calculates zm P and compares it • Set-Public-Key (running by the user): The user
with the stored point zm P . If the comparison results m with identity IDm computes Qm = H1 (IDm ),
in a match , then the password is correct and the Ym = x0m Qm and sets < Xm , Ym > as his/her long-
user is authenticated. Then, the user uses (zm ) as a term public key Pm . Finally, user m sends Ym to the
key to decrypt the stored M ACzm (xm ), and uses the KGC.
extracted value xm to calculate the full private key
by (xm + zm )Dm . In case of mismatch , the system • Set-Private-Key: User m’s private key is Sm =
aborts the process. We must note here that the pri- (xm + zm )Dm = (xm + zm )sQm = (xm +
vate key is never stored on the client and it will be zm )sH1 (IDm ). Also, the user generates the secret
deleted after every usage. term Zm = xm P .
International Journal of Network Security, Vol.19, No.4, PP.551-558, July 2017 (DOI: 10.6633/IJNS.201707.19(4).8) 554
• Sign: The user generates the signature of the mes- – Partial private key queries: Upon receiving
sage M using his secret terms {xm , Zm } as follows: a partial private key query for an identity
ID, C returns the partial private key with
1) The signer generates a big random integer a ∈ respect to identity ID to AI .
G∗2 .
– Public key queries: Given an identity ID, C
2) The signer calculates M Pm = H1 (m) ∈ G∗1 . returns the corresponding public key terms
3) The signer calculates M P1m = axm M Pm ∈ G∗1 . < XA , YA > to AI .
0 – Replace public key: Given an identity ID
4) The signer calculates sm = e(M Pm , Zm )axm =
0 with a pair of values (x01 1
ID , pkID ) which are
e(M Pm , P )axm xm .
chosen by AI , C updates the user ID orig-
5) The signer sends σ = (m, M P1m , sm ) as the sig- inal secret/public key (x0ID , pkID ) to the
nature. new (x01 1
ID , pkID ).
– Z − key Extraction queries: This is a new
• Verify: After receiving the signature σ =
oracle in this security model, given an iden-
(m, M P1m , sm ), the verifier uses the public key <
tity ID, C returns the corresponding Z −
Xm , Ym > of user m to verify the signature as fol-
key value ZID .
lows:
– Replace Z − key: This is a new ora-
1) The verifier checks whether e(Xm , Qm ) = cle in this security model which on input
e(Ym , P ). If it holds then user m’s public key 1
(ID, x1ID , ZID ), C replaces the user ID
is authenticated, otherwise the signature is re- 1
original term (xID , ZID ) by (x1ID , ZID ).
jected. – Private key queries. Upon receiving a pri-
0
2) The verifier calculates M Pm = H1 (m) ∈ G∗1 . vate key query for an identity ID, C returns
0
the corresponding private key skID to AI .
3) If M P1m = M Pm or sm = e(H1 (m), Xm ) then
– Sign queries: Proceeding adaptively, AI can
the verifier rejects the signature. Otherwise, the
request signatures on any messages m with
verifier calculates rm = e(M P1m , Xm ).
respect to an identity ID. C computes sig-
4) The verifier accepts the signature iff rm = sm , nature, and returns to AI .
otherwise he/she rejects the signature.
3) Forgery. Eventually, AI outputs a certifi-
cateless signature σ ∗ on message m∗ cor-
3.1 Hassouna et al.’s Security Model responding to public key pkID∗ for an
identity ID∗ . AI wins the game if
In Hassouna et al. [8] two types of adversaries were con-
Verify(params, ID∗ , pkID∗ , m∗ , σ ∗ ) = 1 and the
sidered: Type I and Type II adversaries according to the
following conditions hold:
term Zm as follows:
– AI has never been queried Partial private
1) Type I Adversary AI : This adversary is allowed key oracle on ID∗ .
to replace the term Zm by a valid value of his choice, – AI never replaced the user ID∗ ’s public key.
but is not allowed to replace users’ public keys and
– AI has never been queried Private key ora-
has not access to the master secret key s.
cle on ID∗ .
2) Type II Adversary AII : This adversary has an ac- – AI has never been queried Sign oracle on
cess to the master secret key s, and is allowed to re- (ID∗ , m∗ ).
place users public keys with valid values of his choice,
but is not allowed to replace the term Zm . The success probability of AI is defined as the prob-
ability that it wins in game I.
Type I adversary represents an outsider attacker and type
II attacker is a malicious KGC. Two games are defined as • Game II. This game is performed between a chal-
follows. lenger C and a Type II adversary AII as follows.
• Game I. The first game is performed between a chal- 1) Setup. The challenger C runs AII on k and a
lenger C and a Type I adversary AI as follows. special Setup, and returns a master secret key
msk and public system parameters params to
1) Setup. The challenger C runs Setup algorithm AII .
and generates a master secret key msk and pub- 2) Queries. In this phase, AII can adaptively ac-
lic system parameters params. C gives params cess the Private key oracle, Public key oracle,
to AI , while keeping msk secret. Replace public key oracle, Z − key oracle, Re-
2) Queries. AI may adaptively issue the following place Z − key oracle and Sign oracle, which are
queries to C. the same as that in Game I.
International Journal of Network Security, Vol.19, No.4, PP.551-558, July 2017 (DOI: 10.6633/IJNS.201707.19(4).8) 555
3) Forgery. AII outputs a certificateless signature paper [1]. Their HCL-PKE did not provide a trust Level 3
σ ∗ on message m∗ corresponding to public key at the sense of Girualt’s definition [6]. Therefore, it was
pkID∗ for an identity ID∗ . AII wins the game not acceptable as alternative to the traditional hierarchal
if Verify(params, ID∗ , pkID∗ , m∗ , σ ∗ ) = 1 and PKI. In this section, we use Hassouna et al.’s [8] signature
the following conditions hold: scheme as assistant technique to propose a new Hierarchal
– AII has never been queried Private key or- Certificateless Cryptography scheme (HCL-PKC) which
acle on ID∗ . is based on Hassouna et al.’s [7] CL-PKI model. The pro-
posed HCL-PKC (See Figure 3) is straightforward and
– AII has never been queried Replace Z −key
∗ could provide a trust Level 3.
oracle on ID .
– AII has never been queried Signature oracle • Root KGC Setup. The KGC chooses a secret pa-
∗ ∗ rameter k to generate G1 , G2 , P, e, where G1 (addi-
on (ID , m ).
tive group) and G2 (multiplicative group) are two
The success probability of AII is defined as the prob- groups of a large prime order q, P is a generator of G1
ability that it wins in Game II. and e : G1 × G1 −→ G2 is a bilinear map. The KGC
randomly generates the system’s master keys x0 , x00 ∈
Accordingly, the security definitions of any certificateless
Z∗q and computes the system public key X0 = x00 P
digital signature scheme in the Random Oracle Model
and the private key term Z0 = x0 P . Then, the KGC
(ROM) can be given as follows.
chooses cryptographic hash functions H1 and H2 ,
Definition 1. A certificateless signature scheme where H1 : {0, 1}∗ × G1 −→ G1 and H2 : {0, 1}∗ −→
∗
is (t, qH , qe , qz , qsk , qpk , qs , )-existentially unforgeable Zq . Finally, the KGC publishes the system parame-
against Type I adversary under adaptively chosen mes- ters params =< G1 , G2 , e, P, X0 , H1 , H2 , n >, while
sage attacks if no t-time adversary AI , making at most the secret master-keys are saved and secured by the
qH to the random oracles, qe partial private key queries, KGC.
qz to the Z − key queries, qsk private key queries, qpk
• Set-Secret-Value. The user at level t with iden-
public key queries and qs signature queries, have a
tity IDt , where ID0 is the identity of the root KGC
success probability at least in Game I.
downloads the system parameters params, generates
Definition 2. A certificateless signature scheme is two random secret numbers xt , x0t ∈ G∗2 . As in the
(t, qH , qz , qsk , qpk , qs , )-existentially unforgeable against signature scheme, we enforce the user to choose a
Type II adversary under adaptively chosen message at- strong password pass, the system at the client side
tacks if no t-time adversary AII , making at most qH to hashes the password to be zm = H2 (pass), multiplies
the random oracles, qz to the Z − key queries, qsk pri- the base point P by the hashed password to be zm P ,
vate key queries, qpk public key queries and qs signature uses the hashed value zm as a key to encrypt the
queries, have a success probability at least in Game II. secret value xm and generates the Password-based
Encryption Code (PEC) as P ECzm (xm ), sends copy
Definition 3. A certificateless signature scheme is ex- of it to the KGC’s public directory and stores copy
istentially unforgeable under adaptively chosen message of it along with the point zm P locally.
attack (EUF-CMA), if the success probability of any poly-
nomially bounded adversary in the above two games is • Set-Public-Key. The user at level t calculates its
negligible. public key (Xt , Yt ) as Xt = x0t P and Yt = x0t Qt where
Qt = H1 (IDt , Xt ). Then, the user sends Xt to the
Theorem 1. Hassouna et al.’s [8] digital signature previous user in the hierarchy IDt−1 .
scheme is secure against existential forgery under adap-
tively chosen message attacks in the random oracle model • Extract-Partial-Private-Key. The user at level
with the assumptions that CDHP(Computation Diffie- t − 1 accepts the request of the users at level t (the
Hellman Problem) and BDHP (Bilinear Diffie-Hellman request contains the terms Qt and Xt ) and calculates
Problem) in G1 are intractable. their partial private key Dt as Dt = xt−1 Qt . Fur-
thermore, the user at level t − 1 signs the public term
The full proof of Theorem 1 in the random oracle model Xt of the user at level t using the proposed CL-SS
is stated in [9]. scheme with the terms Zt−1 and the per-signature
random number at−1 and creates the signature as
(Xt , M P1t , st ) and puts this signature along with the
4 The Proposed Hierarchal Cer- rest of user’s public terms into the public directory
tificateless Public Key Cryptog- {IDt , Qt , Xt , Yt , M P1t , st }.
• PKI Domain’s User: User A in the PKI domain 6 Conclusions and Remarks
when encrypting/signing a message to user B in the
CL-PKI domain, he/she needs to do as follows: This paper used the Hassouna et al[8] signature scheme
and proposed a trust Level 3 hierarchal certificateless pub-
1) User A first request B’s certificate either directly lic key cryptography scheme. The proposed hierarchal
from user B or from the CL-PKI’s LDAP server. scheme is based on Hassouna et al.’s [7] CL-PKI model.
2) After the user A gets user B’s certificate, down- Therefore, it enjoys the same security features that CL-
loads the KGC’s certificate from his/her local PKI has, along with the interesting trust Level 3 satis-
LDAP server. Then, he/she uses CA’s public faction property. The paper also proposed a new Hybrid
key to validate the KGC’s certificate. If it is PKI/CL-PKI scheme that provides interoperability model
not valid, then user A rejects and aborts the between traditional PKI and CL-PKI systems in one or-
transaction. ganization under the X.509 certificate format.
3) If the KGC’s certificate is valid, then user A
extracts KGC’s public key and uses it to ver-
ify B’s certificate by verifying the signature on References
the user B’s certificate using the Hassouna et al.
signature scheme. [1] S. S. Al-Riyami and K. G. Paterson, “Certificateless
public key cryptography,” in International Confer-
4) User A also can verify the expiry/revocation of ence on the Theory and Application of Cryptology
the user B’s certificate using either the CRL and Information Security, pp. 452–473, 2003.
mechanism or the OCSP protocol.
[2] D. Boneh and M. Franklin, “Identity-based encryp-
5) After user A authenticates user B, then users A tion from the weil pairing,” in Advances in Cryp-
and B can start the handshake protocol to agree tology (CRYPTO’01), LNCS 2139, pp. 213–229,
on the key size, generate per-session symmetric Springer-Verlag, 2001.
encryption key using ECDH protocol, agree on [3] A. W. Dent, B. Libert, and K. G. Paterson, “Cer-
the encryption algorithm, hash function and the tificateless encryption schemes strongly secure in
signature algorithm (ECDSA for PKI users and the standard model,” in Public Key Cryptography,
the Hassouna et al.’s one for CL-PKI users). pp. 344–359, 2008.
• CL-PKI Domain’s User: User B in the CL-PKI [4] T. Dierks and E. Rescorla, The Transport Layer Se-
domain when encrypting/signing a message to user curity (TLS) Protocol, IETF RFC 4346, 2006.
A in the PKI domain, he/she does the following: [5] N. A. Farah, M. Hassouna, M. Hashim, E. B. M.
Bashier, “A secure and efficient key agreement proto-
1) User B first requests A’s certificate either di- col based on certificateless cryptography,” University
rectly from user A or from the PKI’s LDAP of Khartoum, 2016. http://khartoumspace.uofk.
server. edu/handle/123456789/21502)
2) After user B gets user A’s certificate, downloads [6] M. Girault, “Self-certified public keys,” in Ad-
the CA’s certificate from his/her local LDAP vances in Cryptology (EUROCRYPT’91), LNCS 547,
server, then he/she uses KGC’s certificate to au- pp. 490–497, Springer, 1992.
thenticate the CA’s certificate (using Hassouna [7] M. Hassouna, B. Barri, N. Mohamed, and E. Bashier,
et al.’s signature scheme). If it is not valid, then “An integrated public key infrastructure model based
user B rejects and aborts the transaction. on certificateless cryptography,” International Jour-
nal of Computer Science and Information Security,
3) If the CA’s certificate is valid, then user B ex-
vol. 11, no. 11, pp. 1–10, 2013.
tracts CA’s public key and uses it to verify B’s
certificate (prefer to use ECDSA algorithm). [8] M. Hassouna, E. Bashier, and B. Barry, “A short
certificateless digital signature scheme,” in Inter-
4) User B also can verify the expiry/revocation of national Conference of Digital Information Process-
the user A’s certificate using either the CRL ing, Data Mining and Wireless Communications,
mechanism or the OCSP protocol as in the tra- pp. 120–127, 2015.
ditional PKI system.
[9] M. Hassouna, E. Bashier, and B. Barry, “A strongly
5) After user B authenticates user A, then users A secure certificateless digital signature scheme in the
and B can start the handshake protocol to agree random oracle model,” International Journal of Net-
on the encryption key size, generate per-session work Security, vol. 18, no. 5, pp. 938–945, 2016.
symmetric encryption key using ECDH proto- [10] A. V. N. Krishna, A. H. Narayana, K. M. Vani,
col, agree on the encryption algorithm, hash “Window method based cubic spline curve public key
function and the signature scheme (ECDSA for cryptography,” International Journal of Electronics
PKI users and Hassouna et al.’s one for CL-PKI and Information Engineering, vol. 4, no. 2, pp. 94–
users). 102, 2016.
International Journal of Network Security, Vol.19, No.4, PP.551-558, July 2017 (DOI: 10.6633/IJNS.201707.19(4).8) 558