Common use of Informal Security Analysis Clause in Contracts

Informal Security Analysis. We now informally discuss the strength of the proposed protocol with respect to the required security features for an identity-based mutual authentication scheme, to be applied in a SG context [10,11].

• Resistance against replay attacks. There are two options: either M1 is replayed in the same period of R2 usage, or it is replayed when a new R2 is determined by the SP. In the first case, the same key as before is derived. However, by capturing M2, which is a hash value containing the SK, no additional information can be derived by the attacker. If the server keeps track of the parameters R1 sent during the period in which R2 remains constant, further action of the SP can be avoided. In the second case, a new session key is generated by the SP. However, when checking the hash value S1, a contradiction is found by the SP as the SK is different. The session is then stopped immediately.

• Resistance against impersonation attacks. There are again two options: impersonation of messages M0 and M1. First, it is impossible to impersonate the message M0, as it is used to construct the SK by both the SM and the SP. Even if the SM is using R2 sent from a malicious entity, the corresponding SK computed by the SM will not correspond with the SK computed by the SP, which shows at the point where S1 is validated. At that moment, the session will be terminated. Impersonation of the message M1 sent by the SM is also impossible. This follows from the fact that M1 consists of the parameter R1. Only the SP is able to derive from R1 the common shared key K with the SM in order to decrypt the ciphertext C for finding the identity and certificate of the SM. From these two parameters and the strength of the ECQV certificate mechanism, the SP can construct the corresponding public key PA of the SM. The construction of the SK by the SP uses this public key PA and its own private key dB; the same SK is also derivable by the SM, who is in possession of the correct corresponding private key dA and the public key PB of the SP. Consequently, it is impossible for an attacker to impersonate M1 without knowledge of a valid private-public key pair of a SM, or to impersonate M2 without knowledge of the private key dB of the SP.

• Resistance against MITM attacks. For the same reasons as explained in the replay and impersonation attacks, it is impossible to execute a MITM attack. Note that this resistance also strongly relies on the authentication feature established through the ECQV certificate mechanism.

• Anonymity. From the messages M0, M1, M2 sent in the protocol, no information on the identity of the SM can be derived. The only identity-related information is hidden in the message C, which is encrypted using a key only derivable by the SP.

• Resistance against DoS attacks. First of all, we here consider DoS attacks from the side of the server, as resistance from the SM is easier to obtain by just blocking the amount of sent requests. Compared to the previous schemes in literature [10–12,14], our scheme is initiated by the SP with one single and common message to all interested SMs. Consequently, no separate buffers for messages received from different unknown SMs need to be saved by the SP. Upon arrival of a message M1 from a particular SM, the SP can immediately check its validity and integrity in one single phase. If the check is not successful, it can drop the request and go to the next received message.
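The R1 bookkeeping and the check-then-drop handling of M1 described above can be sketched as follows. This is an added example, not code from the paper: `R1Tracker`, `demo_check`, the `max_entries` bound and the "full" policy are assumptions, and `demo_check` is a constructed placeholder for the SP's real validity check of M1.

```python
import hashlib


class R1Tracker:
    """SP-side record of R1 values seen while the current R2 is in use."""

    def __init__(self, check_m1, max_entries=10000):
        self.check_m1 = check_m1        # hypothetical stand-in for the SP's check of M1
        self.max_entries = max_entries  # assumed bound so the record cannot grow without limit
        self.seen = set()

    def new_r2(self):
        """Call when the SP determines a new R2: the old record no longer applies."""
        self.seen.clear()

    def handle(self, r1, c):
        """Classify one incoming M1 = (R1, C): 'replay', 'invalid', 'full' or 'continue'."""
        tag = hashlib.sha256(r1).digest()   # fixed-size entry regardless of R1 encoding
        if tag in self.seen:
            return "replay"                 # same R1 in the same R2 period: no further action
        if not self.check_m1(r1, c):
            return "invalid"                # single-phase check failed: drop, keep no state
        if len(self.seen) >= self.max_entries:
            return "full"                   # assumed policy: refuse until a new R2 is determined
        self.seen.add(tag)
        return "continue"                   # go on to SK derivation and the S1 check


def demo_check(r1, c):
    """Constructed placeholder, not the paper's check: C must equal SHA-256(R1)."""
    return c == hashlib.sha256(r1).digest()


def run_demo():
    tracker = R1Tracker(demo_check, max_entries=2)
    good = lambda r1: (r1, hashlib.sha256(r1).digest())   # constructed sample M1
    results = [
        tracker.handle(*good(b"r1-a")),        # first sight
        tracker.handle(*good(b"r1-a")),        # replay within the same R2 period
        tracker.handle(b"r1-b", b"garbage"),   # fails the check, leaves no state
        tracker.handle(*good(b"r1-b")),        # valid, fills the record
        tracker.handle(*good(b"r1-c")),        # record full
    ]
    tracker.new_r2()
    # After a new R2 the record is empty; per the text, this replay is caught at the S1 check.
    results.append(tracker.handle(*good(b"r1-a")))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Only messages that pass the check are recorded, so invalid traffic cannot fill the record.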

Appears in 3 contracts

Samples: pdfs.semanticscholar.org, res.mdpi.com, research-repository.griffith.edu.au


Appears in 1 contract

Samples: cronfa.swan.ac.uk
