MEXT Working Group                                                Y. Qiu
Internet-Draft                                                   J. Zhou
Expires: September 11, 2009              Institute for Infocomm Research
                                                          March 10, 2009


           Authentication Between Mobile Node and Home Agent
                     draft-qiu-mext-mn-ha-secure-01

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on September 11, 2009.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Qiu & Zhou             Expires September 11, 2009               [Page 1]

Internet-Draft            MN-HA authentication                March 2009

Abstract

   Mobile IPv6 relies on IPsec for securing the signaling between the MN
   and HA.  However, the tight coupling of the mobility protocol with
   IPsec is detrimental to broader implementation and deployment.  This
   document proposes a scheme based on an Identity-Based Cryptography
   mechanism to authenticate the mobile node and the signaling of the
   home binding update to the home agent.  Hence, the use of IPsec could
   be avoided.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Brief Overview of Identity-Based Cryptography
   4.  Using Identity-Based Signature Scheme in MIP6
     4.1.  Key Generation Centre
     4.2.  The Processing of Identity-Based Signature between MN and HA
   5.  Security Consideration
   6.  IANA Considerations
   7.  Conclusion
   8.  Acknowledgement
   9.  References
   Authors' Addresses

1.  Introduction

   Draft [1] analyzed the disadvantages of using IPsec in MIP6 [2]:

   o  While the idea of reusing IPsec for mobility signaling may have
      been sound, IPsec itself is not a good fit for various reasons: A
      MIP6 host implementation must also ensure that IPsec and IKEv2 are
      part of the stack to begin with, which is an unnecessary
      dependency.
   o  Use of IPsec in most hosts today is for VPN connectivity: IPsec
      has not evolved into a generic security mechanism for hosts.
   o  With IPsec, HA scalability (in terms of number of connections/
      BCEs) is limited by the number of IPsec SAs that can be
      terminated.
   o  Implementation complexity: While MIP6 by itself is straightforward
      to implement on the MN and HA, the interactions that are needed
      with IPsec and IKEv2 make the protocol unexpectedly difficult.
   o  It cannot be assumed that every host will have IPsec and IKEv2.
      Coupling MIP6 with IPsec and IKEv2 results in fewer hosts
      supporting IP mobility.
   o  The way that the IPsec code sits in the usual kernel, and the
      access mechanisms for the SA database, are not very convenient for
      use by straightforward implementations of Mobile IPv6.
   o  In certain environments the use of IPsec and IKEv2 for
      establishing the SA is considered an overhead.
   o  Use of IPsec caused undesirable changes to protocol design.

   Hence, this document describes an alternate secure scheme between
   mobile nodes and home agents based on an identity-based cryptography
   mechanism.  Identity-based cryptography can significantly reduce the
   system complexity and the cost of establishing and managing the
   public key authentication framework known as Public Key
   Infrastructure (PKI), because users' identifier information, such as
   email or IP addresses, can be used instead of digital certificates as
   the public key for encryption or signature verification.

2.  Terminology

   Throughout this document we use the commonly adopted terminology
   defined in [2].

   The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [3].

3.  Brief Overview of Identity-Based Cryptography

   The identity-based cryptography scheme was introduced by Shamir [4].
   This mechanism enables any pair of users to communicate securely and
   to verify each other's signatures without exchanging private or
   public keys, and without keeping key directories.  The scheme assumes
   the existence of trusted key generation centres that issue each user
   personalized information when he first joins the network.  The
   personalized information enables the user to sign and encrypt the
   messages he sends and to decrypt and verify the messages he receives
   in a totally independent way.
   The key generation centre can be closed after all personalized
   information is issued, and the network can continue to function in a
   completely decentralized way.

   Instead of generating a random pair of public/secret keys and
   publishing the public keys, in identity-based cryptography the user
   chooses his name, network address, or any of his unique identities as
   his public key.  The corresponding secret key is computed by the key
   generation centre and issued to the user in the personalized
   information when he first joins the network.

4.  Using Identity-Based Signature Scheme in MIP6

   In this section, we describe how to employ identity-based
   cryptography in the home binding update.  We revise the signature
   scheme of "identity-based signatures from bilinear pairings"
   developed by Hess [5] to suit the MIP6 specification.

4.1.  Key Generation Centre

   In MIP6, each mobile node must have at least one home agent.
   Therefore the home agent can act as the key generation centre.  Since
   the sole purpose is to issue the personalized information to a mobile
   node when it first subscribes to the service of the home agent, the
   cost is a one-time overhead and should not noticeably degrade the
   performance of the ordinary functions of home agents.

4.2.  The Processing of Identity-Based Signature between MN and HA

   (1)  When a mobile node registers with a home agent as a client, the
        home agent picks a random integer t and computes Q_HA = t*P;
   (2)  The home agent then generates the secret key of the mobile node,
        S_MN = t * SHA-1(MN_ID), and issues Q_HA and S_MN, as well as
        the generator P, to the mobile node.

   Steps (1) and (2) are typically done once for every subscribed mobile
   node.

   (3)  When the mobile node moves to a new network and gets its new
        care-of address, the mobile node sends a home binding update to
        its home agent:
        (a)  Pick a random integer k.
        (b)  Compute r = e(S_MN, P)^k, where e is a bilinear function.
        (c)  Compute v = SHA-1(CoA, r).
        (d)  Compute u = v*S_MN + k*S_MN.
        (e)  Finally, the mobile node sends v and u, as well as the new
             CoA, to its home agent.
   (4)  Verify: On receiving the CoA with the signature (u, v), the home
        agent computes:
        (a)  r = e(u, P) * e(SHA-1(MN_ID), -Q_HA)^v
        (b)  Accept the signature if and only if v = SHA-1(CoA, r).
   (5)  The home agent then updates its binding cache with the new CoA.

5.  Security Consideration

   This document addresses a security issue between the mobile node and
   the home agent in a mobile environment.  The proposed solutions do
   not introduce any new vulnerability.

6.  IANA Considerations

   This document may specify IANA Type assignment(s) in subsequent
   versions.

7.  Conclusion

   This document introduces an alternate secure scheme between mobile
   nodes and home agents based on an identity-based cryptography
   mechanism.  Identity-based cryptography can significantly reduce the
   system complexity and the cost of establishing and managing the
   public key authentication framework known as Public Key
   Infrastructure (PKI), because users' identifier information, such as
   email or IP addresses, can be used instead of digital certificates as
   the public key for encryption or signature verification.

8.  Acknowledgement

9.  References

   [1]   Patil, B., Perkins, C., and H. Tschofenig, "Issues related to
         the design choice of IPsec for Mobile IPv6 security",
         draft-patil-mext-mip6issueswithipsec-00 (work in progress),
         October 2008.
   [2]   Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in
         IPv6", RFC 3775, June 2004.
   [3]   Bradner, S., "Key words for use in RFCs to Indicate Requirement
         Levels", RFC 2119, March 1997.
   [4]   Shamir, A., "Identity-based Cryptosystems and Signature
         Schemes", CRYPTO 1984, LNCS 196 pages 47-53, Springer-Verlag,
         1984.
   [5]   Hess, F., "Efficient identity based signature schemes based on
         pairings", Selected Areas in Cryptography (SAC), LNCS 2595
         pages 310-324, Springer-Verlag, 2002.
   [6]   Kent, S. and K. Seo, "Security Architecture for the Internet
         Protocol", RFC 4301, December 2005.
   [7]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC 4303,
         December 2005.
   [8]   Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)",
         RFC 2409, November 1998.
   [9]   Kaufman, C., "Internet Key Exchange (IKEv2) Protocol",
         RFC 4306, December 2005.
   [10]  Arkko, J., Devarapalli, V., and F. Dupont, "Using IPsec to
         Protect Mobile IPv6 Signaling Between Mobile Nodes and Home
         Agents", RFC 3776, June 2004.
   [11]  Boyen, X. and L. Martin, "Identity-Based Cryptography Standard
         (IBCS) #1: Supersingular Curve Implementations of the BF and
         BB1 Cryptosystems", RFC 5091, December 2007.
   [12]  Appenzeller, G., Martin, L., and M. Schertler, "Identity-Based
         Encryption Architecture and Supporting Data Structures",
         RFC 5408, January 2009.
   [13]  Martin, L. and M. Schertler, "Using the Boneh-Franklin and
         Boneh-Boyen Identity-Based Encryption Algorithms with the
         Cryptographic Message Syntax (CMS)", RFC 5409, January 2009.

Authors' Addresses

   Ying Qiu
   Institute for Infocomm Research
   1 Fusionopolis Way, #21-01 Connexis
   Singapore  138632

   Phone: +65-6408-2053
   Email: qiuying@i2r.a-star.edu.sg


   Jianying Zhou
   Institute for Infocomm Research
   1 Fusionopolis Way, #21-01 Connexis
   Singapore  138632

   Phone: +65-6408-2075
   Email: jyzhou@i2r.a-star.edu.sg
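
Added example (not part of the draft and not the authors' code): a
check of the algebra in Section 4.2, steps (1)-(4), reading the
verification in step (4)(a) as r = e(u, P) * e(SHA-1(MN_ID), -Q_HA)^v.
Assumptions: the pairing is replaced by an insecure toy bilinear map
over integers, SHA-1 inputs are length-prefixed and concatenated (the
draft does not define the encoding), and all function names are
hypothetical.

```python
import hashlib
import secrets

# Toy stand-in for a pairing group, for checking the algebra only: the point
# x*P is represented by the scalar x mod N, and e(x*P, y*P) = G^(x*y) mod PRIME.
# The map is bilinear but gives no security, because scalars are exposed.
PRIME = 2**127 - 1   # Mersenne prime; the target group is Z_PRIME^*
N = PRIME - 1        # exponents are reduced modulo the order of Z_PRIME^*
G = 3                # base of the target group (assumption of this example)
P = 1                # the generator P, i.e. "1*P"

def h(*parts: bytes) -> int:
    """SHA-1 over length-prefixed parts, as an integer mod N."""
    d = hashlib.sha1()
    for part in parts:
        d.update(len(part).to_bytes(4, "big") + part)
    return int.from_bytes(d.digest(), "big") % N

def e(a: int, b: int) -> int:
    """Toy bilinear map: e(a*P, b*P) = G^(a*b)."""
    return pow(G, (a * b) % N, PRIME)

def to_bytes(x: int) -> bytes:
    return x.to_bytes(16, "big")

def ha_setup(mn_id: bytes):
    """Steps (1)-(2): the HA picks t and returns (t, Q_HA, S_MN)."""
    t = secrets.randbelow(N - 1) + 1
    return t, (t * P) % N, (t * h(mn_id)) % N

def mn_sign(coa: bytes, s_mn: int):
    """Step (3): return the signature (u, v) over the care-of address."""
    k = secrets.randbelow(N - 1) + 1
    r = pow(e(s_mn, P), k, PRIME)        # r = e(S_MN, P)^k
    v = h(coa, to_bytes(r))              # v = SHA-1(CoA, r)
    u = (v * s_mn + k * s_mn) % N        # u = v*S_MN + k*S_MN
    return u, v

def ha_verify(coa: bytes, u: int, v: int, mn_id: bytes, q_ha: int) -> bool:
    """Step (4): recompute r from (u, v) and public values, then check v."""
    r = (e(u, P) * pow(e(h(mn_id), (-q_ha) % N), v, PRIME)) % PRIME
    return v == h(coa, to_bytes(r))
```

The verifier never uses t or S_MN: e(u, P) contributes G^((v+k)*S_MN)
and the second factor cancels the v*S_MN term, which leaves the signer's
r = e(S_MN, P)^k.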