Professional Documents
Culture Documents
Abstract — Transport layer security (TLS) protocol is widely certificates are needless any more, IBC-based schemes achieve
used in e-business and information systems for providing security less communication overheads and shorter handshake latency.
attributes such as authentication, confidentiality and integrity. Unfortunately, the IBC-based protocols proposed in the
However, the certificate-based mechanism which is adopted by literature so far [4] [5] are merely simple extensions of TLS in
most TLS handshake protocols results in complex certificate the GRID environment, and still suffer from too many
management overheads and long handshake latency. To overheads both in computation and communication.
overcome these disadvantages, a series of handshake protocols
were presented that applies identity-based encryption, signature, In this paper, four identity-based cryptography primitives
signcryption, and authenticated key agreement schemes are adaptively applied to TLS handshake protocol, then
respectively. Security analysis indicates that the identity-based security analysis and simulation experiments are conducted to
protocols have equivalent security level but more security validate the better effects and efficiencies. The remainder of the
attributes than the standard certificate-based schemes and the paper is organized as follows. Section II provides an overview
ones proposed in the literature so far. Experiment results show of TLS handshake protocol and identity-based cryptography.
that our schemes have commensurate cryptographic computation Our IBC-based protocols are detailedly presented in section III.
overheads comparing with other schemes, but achieve shorter In Section IV and V, results of security analysis and simulation
handshake latency especially in bandwidth-limited environments experiments are described. Finally, section VI summarizes our
because of less communication traffic.
conclusions and discusses future work.
Keywords - transport layer security; handshake protocol;
identity-based cryptography; bilinear pairing II. AN OVERVIEW OF TLS AND IBC
136
A. IBE-based handshake protocol key QS . If the verification result is false, C quits the protocol.
The Diffie-Hellman key exchange protocol is used in our Otherwise C selects a random number b, computes g b , and
new protocols to agree on a session key, and most of the then sends it to S in the ClientKeyExchange message. From
messages have to be extended for supporting new protocols. then on, a session key can be computed simultaneously.
Step 2: The server S selects a random number a, and then The computation load of IBSC schemes is less than that of
computes g a . If client authentication is needless, S sends g a in the combination of the IBE and the IBS schemes, which will be
the ServerKeyExchange message for key agreement. On the evaluated later.
contrary, S encrypts g a using the public key QC of the client C,
and sends the result EQc [ g a ] in the message. In addition, S sends D. IBAKA-based handshake protocol
the IdentityRequest message that declares client authentication Identity-based authenticated key agreement protocol
is requested, and sends the ServerHelloDone message. provides mutual key authentication using pairings. The
intrinsic feature of IBAKA makes it align well with the mode
Step 3: C gets g a directly or gets it by decryption. C selects
of mutual authentication. The IBAKA scheme proposed by
a random number b, and then computes g b . C encrypts it
Chen [9] is adopted in the protocol below.
using QS , and sends EQs [ g b ] in the ClientKeyExchange message.
Also C sends the IdentityVerify message for verification. At the Step 2: The server S selects a random number a, and
moment, C and S can compute the session key respectively. C computes TS aQS . Then S sends TS to the client C in the
computes K CS ( g a )b , while S computes K SC ( g b ) a after S ServerKeyExchange message. The IdentityRequest message is
gets g b by decryption. Since K CS K SC , a common session key also omitted.
is deduced.
Step 3: The client C randomly selects a number b, and then
It can be seen that authentication is arrived at by the IBE computes TC bQC . C sends it to S in the ClientKeyExchange
scheme. At last, a secure connection is established. message. After that C computes K CS e(TS bQS , SC ) , while S
gets K SC e( S S , TC aQC ) . According to [9], K CS is equal to K SC ,
B. IBS-based handshake protocol and a common session key can be arrived at.
Mutual authentication between the client and the server can The remarkable feature of the protocol is that it uses an
also be achieved by IBS schemes. The IBS-based handshake IBAKA protocol instead of a DH one. The protocol can also
protocol is described below. adopt other IBAKA protocols after adequate modifications.
Step 2: The server S selects a random number a, and
computes g a . S signs it by its private key S S , and sends g a and IV. SECURITY ANALYSIS
the signature result Sig Ss [ g a ] in the ServerKeyExchange The security of IBC is based on the hardness of several
message. The rest operation is similar to the IBE-based problems such as the bilinear Diffie-Hellman problem, the
protocol. computational Diffie-Hellman problem and so on. No
Step 3: The client C verifies the signature by public key QS . algorithm is known to be able to efficiently solve any of them
If it is invalid, C quits the protocol. Otherwise C selects a so far. More comprehensive description of security analysis of
random number b, computes g b , and then sends it in the IBC can be referred to [3] [8] [9].
ClientKeyExchange message. If client authentication is On the basis of security mechanisms of TLS, the proposed
requested, C signs g b by its private key SC , and appends it in protocols attain several basic security properties including
the forementioned message. authentication, confidentiality and integrity. In addition, the
Finally, the session key can be verified by the Finished protocols achieve the following security merits and are more
message. secure than the quondam ones.
Forward security: Owing to the freshness of session keys
C. IBSC-based handshake protocol which are derived from randomly chosen numbers by the client
Li proposed an IBC-based handshake protocol in which and the server, even if long term secret keys are disclosed to
mutual authentication and key agreement is attained by any adversary, session keys established before the compromise
combining IBE and IBS schemes together. Actually the would not be exposed.
combination can be replaced by identity-based signcryption Key authentication: The features of mutual authentication
with more efficiency. It must be pointed out that the protocol between the client and the server assure that only the
only fits the situation with mutual authentication. participants know the session key.
Step 2: The server S selects a random number a, and Mutual key agreement: Key agreement is finished by the
computes g a . S signcrypts g a by taking as input necessary close cooperation between the client and the server.
system parameters, S’s private key S S and the client C’s public
key QC . Then S sends the ciphertext result in the Resistance to the man-in-the-middle attack: The virtue of
ServerKeyExchange message. The IdentityRequest message is the IBC schemes that public keys are derived from the
not required any more. identities naturally guarantees that the IBC-based protocols are
resistant to the man-in-the-middle attack if long term keys are
Step 3: The client C unsigncrypts the message by taking as not compromised.
input system parameters, C’s private key SC and S’s public
137
V. PERFORMANCE EVALUATION IBSC-based scheme. The IBE-based scheme and Li’s scheme
In this section, two metrics including crypto processing take longer processing time, while the IBS-based and IBAKA-
time and handshake duration are used for performance based scheme achieve less time. It can also be seen that the
evaluation of different protocols in the handshake phase. load of the server is far less than that of the client in the IBSC-
based scheme, which would greatly improve the capability of
The simulation platform was made up of five computers in the server because it can accept more client connections in the
a local area network. The computers were all equipped with same conditions.
Pentium D 3.0G CPU, 2 GB memory, and the Windows XP
professional SP3 operating system. The public key algorithms
8
RSA
7 ECC
AverageProcessingTime˄ ms˅
6
0
Client Server
AverageProcessingTime˄ ms˅
spent on. Encryption/decryption and signature/verification are 10 IBE+IBS
IBSC
IBAKA
TABLE II. MAIN CRYPTO OPERATIONS WITH MUTUAL AUTHENTICATION B. Handshake duration
Besides the crypto processing time, the overall handshake
Client Server
duration also involves other delays due to message parsing and
RSA RSAverify RSAencrypt RSAsign 2* RSAverify RSAdecrypt
network latency for message transmission. Certificate parsing
ECC ECDSAverify ECDH op ECDSAverify ECDH op spends most of the parsing time among all messages, especially
IBE 2 P 1G1 1G2 2 P 1G1 1G2 in the condition with a long certificate chain. Generally, a
standard X.509 certificate is about 1.5KB in size. The IBC-
IBS 1P 3G1 1P 3G1 based schemes avoid the parsing and verification of certificates,
IBE+IBS 2 P 1G1 1P 1G1 3G2 and efficiently reduce the time of message parsing. Handshake
2 P 1G2 2G1 1G2
duration is also closely related to network throughput. When
IBSC
the throughput is as low as constrained channel conditions such
IBAKA 1P 2G1 1P 2G1 as wireless communications, the transport of certificate chain
The results shown in Fig. 3 are the average crypto will result in more latency. Comparing with the certificate-
processing time of ten operations of different protocols. based schemes, the IBC-based ones cut down the cost of
certificate transport and achieve less latency.
1) Without client authentication. As seen in Fig. 3 a), the
processing time of the client is always longer than that of the Fig. 4 depicts the average handshake duration of different
server. In all schemes, the IBE-based one spends the most time protocols as the network throughput changes.
both in the client and the server. It is remarkable that the As expected, handshake duration increases when the
processing time of the server is rather short in the IBS-based network throughput decreases. Because the transmitted data
schemes. amount of the IBC-based schemes is much less than that of the
2) Mutual authentication. Fig. 3 b) indicates that the RSA-based and the ECC-based one, the proposed schemes
processing time of both sides is almost the same except the achieve less duration at low network throughput. In the
138
condition of mutual authentication, the decrease ratios are even 2) Mutual authentication. From Fig. 5 b), it can be seen
higher because the amounts of certificate messages are doubled. that the IBE-based scheme and Li’s scheme perform worse for
they need more crypto processing time and larger amounts of
250
RSA transmitted data. The IBS-based and IBSC-based scheme
200
ECC
IBE accomplish better than the former two schemes. Among all the
IBC-based schemes, the IBAKA-based one achieves the best
IBS
Handshake Duration˄ ms˅
VI. CONCLUSIONS
IBS
300
IBE+IBS
Handshake Duration˄ ms˅
IBSC
250 IBAKA
200
Four improved TLS handshake protocols applying different
150
IBC primitives from pairings were designed in order to
100 overcome the shortages of complex certificate management and
50 long handshake latency which exists in current widely-used
0
0 200 400 600 800 1000 1200 1400 1600 1800 2000
TLS protocol. Security analysis asserts that the IBC-based
Network Throughput (Kbps)
b˅ Mutual Authentication protocols have equivalent security level but more security
attributes than the schemes in the literature until now.
Figure 4. Handshake duration. Experiment results show that our schemes have commensurate
crypto computation overheads comparing with other schemes,
Since the handshake duration of different schemes is nearly but achieve shorter handshake latency especially in bandwidth-
undistinguishably, Fig. 5 is used to more clearly compare the limited environments.
duration under three typical network throughput values, 400K,
1000K and 2000K bps. We are now in the process of designing more secure
handshake protocols with perfectly forward security and
60
RSA anonymity, and will conduct further study for performance
50
ECC
IBE optimization and application practicability of our schemes.
IBS
Handshake Duration˄ ms˅
40
REFERENCES
30
[1] T. Dierks and C. Allen, “The TLS protocol version 1.0,”
20 http://www.ietf.org/rfc/rfc2246.txt.
[2] A. Frier, P. Karlton and P. Kocher, “The SSL protocol version 3.0,”
10
http://wp.netscape.com/eng/ssl3/draft302.txt.
0
400 1000 2000
[3] D. Boneh and M. Franklin, “Identity-based encryption from the Weil
Network Throughput (Kbps)
a˅ Without Client Authentication
pairing,” CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.
[4] H.W. Lim and K. Paterson, “Identity-based cryptography for grid
100
RSA
security,” Proc. e-Science'05, Melbourne, Australia, 2005.
90 ECC
IBE [5] H.W. Li, S.X. Sun and H.M. Yang, "Identity-based authentication
80 IBS
IBE+IBS protocol for grid," Journal of Systems Engineering and Electronics, vol.
Handshake Duration˄ms˅
70
60
IBSC
IBAKA 19, pp. 860-865, 2008.
50 [6] F.C. Kuo, H. Tschofenig and F. Meyer, “Comparison studies between
40 pre-shared and public key exchange mechanisms for transport layer
30
security,” Proc. IEEE Global Internet Symposium 2006, in conjunction
20
with INFOCOM 2006, Barcelona, Spain, 2006.
10
0
[7] V. Gupta, S. Gupta, and S. Chang, “Performance analysis of elliptic
400 1000
Network Throughput (Kbps)
2000
curve cryptography for SSL,” Proc. of WiSe'02, Atlanta, USA, 2002.
b˅ Mutual Authentication
139