Key Agreement Phase Sample Clauses

Key Agreement Phase. In the key agreement phase, the sensor node and the CS chooses an elliptic curve EP(a, b), y2 = x3 + ax + b mod P, where P is a generator point on EP(a, b). The key agreement phase generates a shared key between a sensor node (SN) and the CS. The entire key agreement process is illustrated in Figure 2. QSN = h(tokenSN || IDSN || STAMPp1 ) HDP1 = h(QSN || tokenSN || IDSN || STAMPp1 ) (IDSN , STAMPp1, QSN , HDp1 ) Step 1 Checks HD p1 , STAMPp1 QSN1 = h(tokenSN || IDSN || STAMPp1 ) QSN = ?QSN1 Step 2 Checks HD p 2 , STAMPp 2 Generates (F, f ), (R, r) Chooses a1 c (0, m1 ) HDp 2 = h(F || tokenSN || R || STAMPp 2 ) (F, R, a1, STAMPp 2 , HDp 2 ) Generates (E, e) Chooses a2 c (0, m2 ) HDp3 = h(QSN || tokenSN || IDSN || STAMPp3 ) (E, a2 , STAMPp3 , HDp3 ) Checks HD p3 , STAMPp3 y = hash(HDp1 || HDp 2 || HDp3 ) M = m * m , M = M / m , y = M –1(mod m )(1 S i S 2) y = hash(HDp1 || HDp 2 || HDp3 ) x ÷ a1 y1M1 + a2 y2M 2 (mod M ) SKSN = e(Fx + yR) x ÷ a1 y1M1 + a2 y2M 2 (mod M ) SKCS = E( fx + yr) Step 1: After the SN is registered, some initialization parameters are obtained, including the sensor node identity IDSN, the authentication token tokenSN, and the Chinese Remainder Theory parameters m1andm2. Then, the SN computes the most important authority message digest: QSN = h(tokenSN ||IDSN ||STAMPp1) and the hash digest of the current package HDp1, where the index variable p1 represents the first phase in key agreement. All these parameters, QSN, IDSN, STAMPp1, andHDp1, will be sent to the CS. After receiving these parameters, the CS computes QSN1 = h(tokenSN ||IDSN ||STAMPp1) and verifies whether the equation (QSN = QSN1) makes sense. If this equation is not true, this key agreement step will be stopped immediately. Step 2: After successful verification, the CS generates two pairs of public keys and private keys: (F, f ) and (R, r). Subsequently, the CS chooses a random number a1(0 < a1 < m1). Then, the CS sends parameters F, R, a1, STAMPPp2, and HDp2 to the sensor node. Step 3: When the sensor node receives the parameters from the CS, the sensor node generates a pair of public and private keys (E, e), chooses a random number a2(0 < a2 < m2), and then computes HDP3 = h(E||a2||tokenSN ||STAMPp3).

Key Agreement Phase. In the key agreement phase, two rounds are required for generating a common conference key for multiple partici- pants, and the way of message exchanges is with respect to the group data sharing model established by the structure E of the (v, k + 1, 1)-design.

Key Agreement Phase. In this phase, FA and HA can be authenticated, and a secure session key between MN and FA can be established. The steps of this phase are shown as follows. Step 1. HA computes K = EcP KF A (rMN ||rF A) and S = EcA(rMN rF A IDF A PKF A), and sends the message (K, S) to FA. Step 2. After receiving the message, FA decrypts K with d × PKHA to recover rMN and rF A. If the recovered rF A and the original one are identical, FA believes that the mobile user MN is a valid user. Then FA forwards S to MN. Step 3. Upon receiving the message S from FA, MN first decrypts S with e × PKHA, where e × PKHA = c × A, for recovering {rMN , rF A, IDF A, PKF A}. If the rMN and the IDF A are both verified, MN be- lieves that FA is authenticated. Finally, both MN and FA can compute the agreed session key SK = Ed×A(rMN ⊕ rFA) = Ee×PKF A (rMN ⊕ rFA). The above two phases are outlined in Figure 2.

Key Agreement Phase. This phase occurs between the vehicles 𝑉𝑖 and ▇▇ without an intervention of a third- party server. This phase is demonstrated in Fig. 2. 𝑝 𝑖 Step 1. 𝑉𝑖 selects a random number 𝑥 𝜖 𝑍∗ and calculates 𝜏 = 𝑥𝐺, and sends {𝐼𝐷 , 𝑅 , 𝜏 } to 𝑉 . �� 𝑖 𝑖 𝑗 𝑝 𝑖 Step 2. Upon reception of the message, ▇▇ selects a random number 𝑦 𝜖 𝑍∗ and 𝜏 = 𝑦𝐺 and sends the message < 𝐼𝐷𝑗 , ▇▇, 𝜏𝑗 > to 𝑉𝑖 . At the same time, it obtains the public key of 𝑉𝑖 as 𝑄𝑖 = 𝑅𝑖 + ℎ1(𝐼𝐷𝑖 ∥ 𝑅��)𝐾𝑝𝑢𝑏 and calculates 𝐾𝑗 = ℎ2(𝑑𝑗𝑄𝑖)𝑦𝜏𝑖 and the session key 𝑆𝐾𝑗 = ℎ3(𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑗 ∥ 𝑦𝑄𝑖 ∥ 𝑑𝑗 𝜏𝑖). Step 3. 𝑉𝑖 receives the message < 𝐼𝐷𝑗 , ▇▇, 𝜏𝑗 > and obtains public key 𝑄𝑗 = ▇▇ + ℎ1(𝐼𝐷𝑗 ∥ ▇▇)𝐾𝑝𝑢𝑏, and calculates ��𝑖 = ℎ2(𝑑𝑖𝑄𝑗)𝑥𝜏𝑗 and obtains the session key 𝑆𝐾𝑖 = ℎ3 (𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑖 ∥ 𝑥𝑄𝑗 ∥ 𝑑𝑖 𝜏𝑗 ). Fig. 2. Authentication process in Li et al.’s protocol 3.4. Weakness of Li et al.’s protocol The following summarizes security issues of ▇▇ et al.’s protocol.

Key Agreement Phase. This phase occurs between the vehicles and without an intervention of a third- party server. This phase is demonstrated in Fig. 2. Step 1. selects a random number ∗ and calculates = , and sends { , , } to . Step 2. Upon reception of the message, selects a random number ∗ and = and sends the message < , , > to . At the same time, it obtains the public key of as = + ℎ1( ∥ ) and calculates = ℎ2() and the session key = ℎ3( ∥ ∥ ∥ ∥ ). Step 3. receives the message < , , > and obtains public key = + ℎ1( ∥ ), and calculates = ℎ2() and obtains the session key = ℎ3 ( ∥ ∥ ∥ ∥ ).

Key Agreement Phase. ▇▇▇▇▇ and ▇▇▇ each chooses random values a, b ∈ Z∗. Given these initializations, the protocol is as follows: Protocol messages: A −→ B: TA=aP B −→ A: TB=bP . After the above messages are exchanged, ▇▇▇▇▇ com- putes KAB = e(QB, PB)a · e(xASA, TB), and ▇▇▇ computes KBA as follows: h(ID). (For example, ▇▇▇▇▇’s partial private key from TA is SA = sQA, where QA = h(▇▇▇)); KBA = e(QA , PA )b · e(xBSB , TA). 5) Finally, TA distributes the partial private key SID to the user with the identity information ID via a secure channel. After the above steps, ▇▇▇▇▇ and ▇▇▇ get their partial private key SA and SB, respectively. User Setup Phase. A user (▇▇▇▇▇) does the following to set up her public/private key pair (For simplic- ity of description, here we only describe a simplified version of user setup phase which is suitable for grid computing.): 1) She firstly chooses a xA ∈ Z∗ as her own-chosen partial private keys; 2) Then computes PA = xAPPub = xAsP as her public key; 3) Publishes her public key via an open directory that all users in the system have access to. After the above two setup phases, when another user (▇▇▇) wants to send a message to ▇▇▇▇▇, he must obtain ▇▇▇▇▇’s public key. However, no authentication of this public key is necessary and no public key certificate is required. 3.3 The ▇▇-▇▇▇▇▇▇-▇▇▇▇▇▇▇▇ ▇▇-AK Protocol Al-Riyami and ▇▇▇▇▇▇▇▇ also gave the first certificateless authentication and key agreement (CL-AK) protocol in [2]. Here we briefly review their protocol (hereafter re- ferred to as the AP’s CL-AK) [2]. The AP’s CL-AK pro- tocol consists of two phases: Setup and Key Agreement.

Key Agreement Phase. 3.2.1 Negotiatory Keys (NKs) f A ( x) . But in this paper, we make use of negotiatory keys so as to enhance security. The generation of negotiatory keys is as follows. For example, let ▇▇▇▇▇ has the key set A = {a1 (= a11 || a12 ), a 2 ( = a 21 || a 22 ), ..., am (= am1 || am 2 )} , ▇▇▇ has the key set B = {b1 (= b11 || b12 ), b2 ( = b21 || b22 ), ..., bm (= bm1 || bm 2 )} , and h() generates the value of limited length. Also, ri and r ' are random numbers where r ≠ r and i i−1 i r ' ≠ r ' for 1 ≤ i ≤ m . We yield a negotiatory key by concatenating the first half of i−1 i the key and a hash function's value, and in reverse. That is, the half of Alice's negotia- tory keys consists of {s11 (= a11 || h(a11 )), s 21 ( = a 21 || h(a 21 )), ..., sm1 (= am1 || h(am1 ))} . The other half consists of {s12 (h(a12 ) || a12 ), s22 (h(a22 ) || a22 ), ..., sm1 (h(am 2 ) || am 2 )} . Similarly, the first half of Bob’s negotiatory keys consists of the follow- ing. {t11 (= b11 || h(b11 )), t 21 ( = b21 || h(b21 )), ..., tm1 (= bm1 || h(bm1 ))} . Also, the second half consists of {t12 (= h(b12 ) || b12 ), t22 (= h(b22 ) || b22 ), ..., tm 2 (= h(bm 2 ) || bm 2 )} .

Key Agreement Phase. In this phase, entities A and B that have private/public key pairs, ( X A = DA , xA , YA = ▇▇▇ , PA ) and ( X B = DB , xB , YB = IDB , PB ) respectively, execute protocol 1. Description of the protocol is as follows: • Entity A, as initiator of the protocol, chooses two random numbers, rA1, rA2 ∈R Ζ* , and computes TA1 = rA1P and TA2 = rA2 P such that k A1, k A2 ≠ 0 modn , where k A1 and k A2 are x-coordinates of points TA1 and TA2 respectively. Then A signs points TA1 and TA2 as follows: SA = (k A1 ⋅ k A2 )(xAk AQA + DA )+ (k A1rA1 + k A2rA2 )QA Where k A is x-coordinate of public key PA . At the end of the step, A sends quantities (TA1,TA2 , SA ,YA = ▇▇▇ , PA ) to B. kB1, kB2 ≠ 0 modn . Then he computes rB1, rB2 ∈R Ζ* and computes TB1 = rB1P and TB2 = rB2 P where, SB = (kB1 ⋅ kB2 )(xBkBQB + DB )+ (kB1rB1 + kB2rB2 )QB Where k B is x-coordinate of public key