On the Security of Anonymous Authentication Protocol for Mobile Pay-TV
1. Introduction
With the increased integration of pay-TV and wireless communication, multimedia pay services play an important role in mobile broadcast TV services [1]. As these services are usually delay-sensitive due to the high-mobility feature and frequent handoffs, a fast and secure authentication scheme for such mobile broadcast TV services should be developed.
In order to reduce the delay introduced by the high mobility features and frequent handoffs and guarantee a secure and convenient access of services by authorized subscribers, a secure access management mechanism is required. This access management is provided by a conditional access system (CAS). A typical model of CAS consists of two parts, a head end system and numerous receivers, and the model is comprised of several important components [2], which include:
• Subscriber Authorization/Management System (SAS/SMS): subsystems responsible for subscriber authorization and management; their work includes key management, user authentication, entitlement message delivery, subscriber information management and rights management.
• Encrypter: a component for enciphering Control Word (CW), keys, or sensitive information.
• Multiplexer (MUX): a component for multiplexing A/V, data or IP into MPEG-2 transport stream.
• Scrambler: a component for signal scrambling.
• Transmitter: a subsystem for signal transmission.
• Receiver: a subscriber device with a CAS module used for access control.
Several CASs have been proposed to guarantee secure and convenient access to services by authorized subscribers. Many studies have classified these schemes into symmetric key-based schemes and public key-based schemes.
Public key-based conditional access systems [3-5] may realize privacy preservation and avoid communicating with a third party during the handoff process, but these methods suffer from a heavy computation burden. In [6], a subscriber first has to register his subscriber information with a signature to a provider by applying a public key cryptosystem. When a subscriber wants to subscribe to any programs, he uses his device to send a subscription message to the provider. The provider then sends a receipt with a signature confirming this subscription to the subscriber. However, the scheme [6] only protects the customers’ privacy, not the provider’s [2]. In [7], an “e-ticket” scheme for the authentication of pay-TV systems is proposed. The scheme employs an encrypted authentication message with a blind and anonymous signature based on the RSA public key cryptosystem to perform mutual authentication and protect the privacy of both customers and the service provider. The schemes proposed in [8] and [9] are based on a public-key cryptosystem employing the multi-key RSA technique. While transmitting a requested TV program, the multimedia server and proxy server cooperatively encrypt the requested program without collusion attacks. In a public-key cryptosystem each user possesses a unique public/private key pair, so a multimedia server has to encrypt services with each user’s specific public key, which makes these schemes inefficient and unsuitable for mobile pay-TV systems.
Symmetric key-based conditional access systems [10-14] suffer from troublesome key distribution and the involvement of a third party. In [14], an efficient anonymous authentication protocol for mobile pay-TV is proposed. The authors claim that their scheme provides anonymous authentication to users by preventing intruders from obtaining users’ IDs during the mutual authentication between mobile subscribers and head end systems. However, after analysis, it was found that the scheme does not provide anonymous authentication and users can be easily tracked while using their anonymous identity. The scheme is also subject to a DoS attack.
In this paper an improved scheme that enhances Chen’s scheme [14] is proposed. The deficiencies of the original scheme are demonstrated, and then an improved scheme that eliminates these deficiencies is presented. The proposed scheme ensures the anonymity of the subscribers during hand-off operations, and ensures anonymous mutual authentication between subscribers and head end systems with low computation and communication costs. Finally, a mechanism that prevents the denial of service attack is proposed.
The rest of this paper is organized as follows: Section 2 briefly reviews Chen’s scheme. Section 3 presents the security analysis of Chen’s scheme. Section 4 presents the improved scheme. The security analysis and performance evaluation of the improved scheme are presented in Section 5. Finally, Section 6 concludes the paper.
2. Review of Chen’s Scheme
The scheme proposed in [14] introduced an efficient and anonymous mutual authentication protocol that eliminates the high computational cost and prevents the security attacks found in a previous related protocol [15]. There are four phases in Chen’s scheme: the initialization, issue, subscription and hand-off phases.
2.1. Initialization Phase
This phase is invoked whenever user Ui registers to the subscribers’ database server (DBS) of the HES via the Subscriber Authorization System and Subscriber Management System (SAS/SMS), and the DBS saves Ui’s identity ID. Both Ui and the HES use a set-top-box (STB) as a secure channel during this phase. The following steps are performed to complete this phase [14]:
1) Ui chooses his IDi and pwi and generates a random number b for calculating. Then, Ui submits IDi and PWB to the pay-TV system server S.
2) S checks the database whether his IDi is already in the database or not. If IDi is already in the database, S checks whether Ui performs a re-registration or not. If Ui performs a re-registration then S sets IDi’s registration number N = N + 1 and updates IDi and N in the database otherwise S suggests Ui to choose another IDi. If IDi is not in the database then S sets N = 0 and stores values of IDi and N in the database.
3) S calculates K, UD, Q and R, where:
,
,
,
, where y is the secret key of the remote server stored in the hash function and x is the secret key of S.
4) S issues a smart card containing [K, R, Q] to Ui over a secure channel.
5) Ui stores the random number b on the smart card, so that the smart card contains [K, R, Q, b].
2.2. Issue Phase
Assume that Ui’s mobile subscriber device (MSi) asks for a service Rt and the HES performs this authentication process of the issue phase for Ui to obtain a right code. The steps are described as follows:
1) Ui enters his IDi and PWi to log in for the service, and MSi performs the following computations.
• Calculates and to verify whether. If it does not hold, MSi terminates the request.
• Calculates and
• Generates a random number ni and calculates:
,
.
Here T1 is the current timestamp.
• Sends the message to HES.
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• Calculates and verifies if IDi is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates
, where.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates
• Then, HES chooses a token for Ui and stores it into DBS, and calculates:
.
• Broadcasts the mutual authentication message
.
3) After receiving message m2 at the time T3, Ui checks the validity of. If it does not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
as the authentication session key to get service of the pay-TV system.
2.3. Subscription Phase
After obtaining a right code, Ui’s MSi asks a service Rt using and the HES performs this authentication process. The statements are described as follows:
1) Ui enters his IDi and PWi to log in for the service, and MSi performs the following computations.
• Calculates and to verify whether. If it does not hold, MSi terminates the request.
• Calculates and
.
• Generates a random number ni and calculates:
,
.
Here T1 is the current timestamp.
• Sends the message to HES.
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• Calculates and verifies if IDi is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates
, where.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates.
• Then, HES chooses a token for Ui and calculates
and.
• Broadcasts the mutual authentication message
.
3) After receiving message m2 at the time T3, Ui checks the validity of. If it does not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
as the authentication session key to get service of the pay-TV system.
2.4. Hand-Off Phase
When MSi moves to a new coverage area that the old HES cannot support, a hand-off occurs and MSi needs to perform re-authentication without re-login. The steps are described as follows:
1) MSi performs the following computations:
• Generates a random number ni and calculates:
,
.
Here T1 is the current timestamp.
• Sends the message to HES.
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• Calculates and verifies if IDi is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates
, where.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates
• Then, HES chooses a token for Ui and calculates
and
• Broadcasts the mutual authentication message
3) After receiving message m2 at the time T3, Ui checks the validity of. If it does not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
to obtain new HES’s service.
3. Security Analysis of Chen’s Scheme
In [14] the authors claim several security properties such as anonymous service, mutual authentication, resistance to replay attacks, resistance to man-in-the-middle attacks, and forgery difficulty. However, in this section, it is shown that Chen’s scheme is vulnerable to a man-in-the-middle attack which leads to a DoS attack. It is also found that the scheme does not provide anonymous service. The aforementioned weaknesses are presented in detail as follows.
3.1. Corrections to Chen’s Scheme
Before we present the weakness of Chen’s scheme, there are some mistakes in the scheme that should be corrected. In step 3 of the initialization phase (Section 2.1), the system server S calculates R using the following equation:
(1)
Here, y is a secret key of the remote server S which is stored in the hash function and known only to S.
In step 1 of the issue phase (Section 2.2), the mobile subscriber MS extracts from R by computing
and uses it to compute
and as follows:
(2)
(3)
As shown in Equations (2) and (3), the authors use
and to compute and
respectively, which is not possible; since the MSi does not know the secret key y to be able to compute
and. So, the MS cannot compute and, as and are one-way hash functions, i.e., it is not possible to extract y from either or. The same mistake is found in step 1 of the subscription phase (Section 2.3) and step 1 of the hand-off phase (Section 2.4) when computing (,) and (,) respectively. To correct this mistake, the MS should replace y by in Equations (2) and (3). This mistake can also be corrected by simply replacing by y in the equation for in the initialization phase, i.e.. We chose the second option.
3.2. Attack on Anonymous Service
Chen’s scheme is subject to an MS tracking attack. This attack can be performed as follows:
1) An attacker A registers to the subscribers’ database server (DBS) like any other user, chooses his and, and generates a random number b for calculating. Then, A submits and PWB to the pay-TV system server S.
2) S calculates:
.
S issues a smart card containing [K, R, Q] to A over a secure channel.
3) The attacker A reads R from his smart card and computes.
Note that, based on the corrections presented in Section 3.1, is replaced by in step 2. Using the computed, the attacker A can perform the MS tracing attack during the issue, subscription or hand-off phases as follows:
1) The attacker A intercepts message m during any of the three phases and extracts, and from m. Using these three values and the computed, the attacker can compute the MSi’s ID () as follows:
(4)
This allows the attacker to track MSi; since is a fixed value for each user Ui.
2) The attacker A can also know the service that the MSi asked from HES by intercepting message m during the issue phase and extracting and from m. Using these two values and the computed, the attacker can compute as follows:
(5)
3) The attacker A can also learn the right code used by MSi to access the service by intercepting message m during the subscription or the hand-off phase and extracting or respectively from m. Using either of these two values and the computed, the attacker can compute as follows:
(6)
(7)
3.3. Denial of Service Attack
The scheme is subject to a denial of service attack. This attack can be performed by two methods. The first method can be performed during the subscription and hand-off phases by applying a man-in-the-middle attack as follows:
1) The attacker A intercepts message m2 during either of the two phases and extracts:
or
respectively.
2) The attacker generates a random session key and computes:
or
3) After receiving message m2, Ui calculates the session key:
• or
This results in Ui and the HES using different session keys (respectively), which prevents Ui from getting the service of the pay-TV system.
The second method can be performed during the hand-off phase as follows:
1) The attacker uses a rogue HES to transmit messages using a high signal strength in order to force MSi to discard the signal sent by the legitimate HES and roam with the rogue HES.
2) When MSi roams with the rogue HES, it needs to perform re-authentication without re-login by sending, where:
.
3) The rogue HES receives the message and immediately replies with message, where
and is a random value generated by the rogue HES.
4) After receiving message m2 at time T3, Ui checks the validity of, which should hold, since should equal the round trip time (RTT) between Ui and the rogue HES. Note that should be less than or equal to 200 milliseconds, as stated in [16]. The RTT between Ui and the rogue HES is clearly less than 200 milliseconds, since they are within transmission range of each other.
5) Ui calculates and checks whether and accepts the rogue HES’s request of mutual authentication.
6) Ui calculates the false authentication session key
, which prevents Ui from getting the service of the pay-TV system.
4. The Improved Scheme
To withstand the above attacks, we propose an improved scheme based on the original Chen’s scheme [14] with lightweight modifications. The improved scheme introduces a few modifications to the four phases as follows.
4.1. Initialization Phase
As assumed in [14], both S and its HESs share a secret key x. Both Ui and HES use a set-top-box (STB) as a secure channel during this phase. The following steps are performed to complete this phase:
1) Ui chooses his IDi and pwi and generates a random number b for calculating. Then, Ui submits IDi and PWB to the pay-TV system server S.
2) S checks whether his IDi is already in the database or not. If IDi is already in the database, S checks whether Ui is performing a re-registration or not. If Ui is performing a re-registration then S sets IDi’s registration number N = N + 1 and updates IDi and N in the database; otherwise S suggests that Ui choose another IDi. If IDi is not in the database then S sets N = 0 and stores the values of IDi and N in the database.
3) S calculates the following values:
•
• A user authentication key for each user
, where x is the secret key of S.
• A new permutation of the MSi’s ID
() to be used by MSi as its new ID during the next communication with the HES.
• , and
• , and
4) S sends to Ui over the secure channel.
5) Ui computes and stores
.
The user Ui uses to identify itself to the next HES during the issue phase, the subscription phase or the hand-off phase. This new ID must be known to the next HES for it to be able to authenticate Ui. So, the current HES encrypts the new ID () along with the user authentication key and sends it to Ui, which sends it to the next HES in the next phase. Note that only HESs can decrypt, since the decryption key is generated using the secret key x, which is known only to the server S and its HESs.
4.2. Issue Phase
Assume that Ui’s mobile subscriber device (MSi) asks a service Rt and the HES performs this authentication process of issue phase for Ui to obtain a right code. The statements are described as follows:
1) Ui enters his IDi and PWi to log in for the service, and MSi performs the following computations.
• Calculates and to verify whether. If it does not hold, MSi terminates the request.
• Calculates
• Generates a random number ni and calculates:
.
Here T1 is the current timestamp
• Sends the message m to HES:
Here is the HMAC of the message m using the key yi
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• To validate the and the new ID (), HES calculates and
to get the user authentication key yi .
• Uses to validate, then checks whether the computed equals. If it does not hold, HES terminates the login request; otherwise HES checks the value of N in the database and calculates.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates
• Then, HES chooses a token for Ui and stores it into DBS, and calculates:
•
• Computes a new permutation of the MSi’s ID
() to be used by MSi as its new ID during the next communication with the HES.
• Computes, and
.
• ,.
• Broadcasts the mutual authentication message
.
3) After receiving message m2 at the time T3, Ui checks the validity of and uses yi to validate the HMAC. If they do not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
as the authentication session key to get service of the pay-TV system.
• Ui stores, , and.
4.3. Subscription Phase
After obtaining a right code, Ui’s MSi asks a service Rt using and the HES performs this authentication process. The statements are described as follows:
1) Ui enters his IDi and PWi to log in for the service, and MSi performs the following computations.
• Calculates and to verify whether. If it does not hold, MSi terminates the request.
• Calculates.
• Generates a random number ni and calculates
, and
. Here T1 is the current timestamp.
• Sends the message m to HES:
.
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• To validate the and the new ID (), HES calculates and
to get the user authentication key yi.
• Uses to validate, then checks whether the computed equals. If it does not hold, HES terminates the login request; otherwise HES checks the value of N in the database and calculates.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates.
• Then, HES chooses a token for Ui and calculates and
.
• Computes a new permutation of the MSi’s ID () to be used by MSi as its new ID during the next communication with the HES.
• Computes, and
.
• ,.
• Broadcasts the mutual authentication message
.
3) After receiving message m2 at the time T3, Ui checks the validity of and uses yi to validate the HMAC. If they do not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
as the authentication session key to get service of the pay-TV system.
• Ui stores, , and.
4.4. Hand-off Phase
When MSi moves to a new coverage area that the old HES cannot support, a hand-off occurs and MSi needs to perform re-authentication without re-login. The steps are described as follows:
1) MSi performs the following computations:
• Calculates.
• Generates a random number ni and calculates
, and
. Here T1 is the current timestamp.
• Sends the message m to HES:
.
2) HES receives the message at the timestamp T2 and performs the following computations:
• Checks the validity of. If it does not hold, HES terminates the request.
• To validate the and the new ID (), HES calculates and
to get the user authentication key yi .
• Uses yi to validate, then checks whether the computed equals. If it does not hold, HES terminates the login request; otherwise HES checks the value of N in the database and calculates.
• Calculates and checks whether. If they are equal, HES accepts Ui’s request of authentication.
• Calculates
• Then, HES chooses a token for Ui and calculates and
•
• Computes a new permutation of the MSi’s ID
() to be used by MSi as its new ID during the next communication with the HES.
• Computes, and
•
• ,.
• Broadcasts the mutual authentication message
.
3) After receiving message m2 at the time T3, Ui checks the validity of and uses yi to validate the HMAC. If they do not hold, Ui terminates the request. Otherwise, Ui executes the following operations to authenticate HES.
• Calculates and checks whether. If they are equal, Ui accepts HES’s request of mutual authentication.
• Ui calculates the certified token
as the authentication session key to get service of the pay-TV system.
• Ui stores, , and.
5. Security and Performance Analysis
In this section, the security of the proposed improved scheme with respect to the resistance to user tracking and denial of service attack is analyzed. This section also evaluates the performance of the proposed scheme.
5.1. Resistance to User Tracking
The proposed improved scheme prevents user tracking by ensuring the anonymity of users. As discussed in Section 3.2, an attacker can track a legitimate user by registering himself to the subscribers’ database server (DBS) like any other user, then receiving, which the attacker uses to compute. Using the computed, the attacker A can perform the MS tracing attack described in Section 3.2. The attacker is able to perform this attack because the server S uses the same secret y to compute the R values for all users. So, if the attacker extracts from his own R value, he can use the same to extract the IDs of other users.
In the proposed scheme, the server S generates a unique user authentication key for each user using the hash of the user ID and the server’s own secret key x. This prevents an attacker A from using his own user authentication key () to extract the IDs of other users. The proposed scheme also preserves users’ privacy by using a pseudo identity, , to identify users. This pseudo identity is generated using a one-way function combined with the user authentication key, , and the user’s previous, and is updated in each phase. So, it is impossible to anticipate the user’s messages in each phase, which guarantees indistinguishability. Also, the integrity of messages exchanged between users and the HES is guaranteed by the use of timestamps and the HMAC of each message, which is included with the message. The HMAC value is computed using the user authentication key (), which is known only to Ui and the HES.
5.2. Resistance to Denial of Service Attack
As discussed in Section 3.3, Chen’s scheme is subject to a denial of service attack. The attacker can perform this attack because the integrity of message m2 of the subscription and hand-off phases is not guaranteed. So, an attacker can easily modify or during the subscription or hand-off phase without being detected by Ui, which prevents him from getting the service of the pay-TV system.
In the proposed scheme, the integrity of messages exchanged between users and the HES is guaranteed by the use of timestamps and the HMAC of each message, which is included with the message. The HMAC value is computed using the user authentication key (), which is known only to Ui and the HES. This prevents the DoS attack that can be launched against Chen’s scheme as described in Section 3.3. It also prevents the attacker from mounting impersonation and replay attacks using the open values and some modified values.
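The checks described in Sections 5.1 and 5.2, together with the 200 ms timestamp bound from Section 3.3, can be exercised in a small model. The following is an added example written for this page, not code from the paper or from Chen’s scheme; since the page does not give the concrete formulas, it assumes SHA-256 as the one-way hash, HMAC-SHA256 as the HMAC, a per-user key yi = h(IDi || x), a pseudo-ID update h(yi || previous pseudo-ID), and a fixed layout for m2 (new pseudo-ID, token, T2, tag). All identifiers, keys and timestamps are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed stand-ins: the page names x, yi, T2/T3 and the 200 ms bound,
# but not the concrete formulas, so every layout below is an assumption.
SERVER_SECRET_X = os.urandom(32)   # x: shared only by S and its HESs
MAX_DELAY_MS = 200                 # accepted T3 - T2 window (the paper cites [16])
HASH_LEN = 32                      # SHA-256 digest length
TOKEN_LEN = 32                     # assumed token length
TAG_LEN = 32                       # HMAC-SHA256 tag length


def h(*parts: bytes) -> bytes:
    """One-way hash used for key derivation and pseudo-ID update."""
    return hashlib.sha256(b"".join(parts)).digest()


def user_auth_key(user_id: bytes, x: bytes = SERVER_SECRET_X) -> bytes:
    """yi = h(IDi || x): a per-user key. Knowing his own yi tells a subscriber
    nothing about another subscriber's key, unlike the shared y that the
    tracking attack of Section 3.2 relies on."""
    return h(user_id, x)


def next_pseudo_id(yi: bytes, prev_pid: bytes) -> bytes:
    """Pseudo identity for the next phase: a one-way function of yi and the
    previous pseudo identity, so consecutive messages are unlinkable without yi."""
    return h(yi, prev_pid)


def hes_build_m2(yi: bytes, pid: bytes, token: bytes, t2_ms: int) -> bytes:
    """HES side: m2 = new_pid || token || T2 || HMAC_yi(new_pid || token || T2)."""
    new_pid = next_pseudo_id(yi, pid)
    body = new_pid + token + t2_ms.to_bytes(8, "big")
    return body + hmac.new(yi, body, hashlib.sha256).digest()


def ms_verify_m2(yi: bytes, pid: bytes, m2: bytes, t3_ms: int):
    """MS side: return (new_pid, token) if m2 is authentic, fresh and continues
    the pseudo-ID chain; otherwise None (the request is terminated)."""
    if len(m2) != HASH_LEN + TOKEN_LEN + 8 + TAG_LEN:
        return None
    body, tag = m2[:-TAG_LEN], m2[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(yi, body, hashlib.sha256).digest()):
        return None                      # modified in transit, or wrong key
    new_pid = body[:HASH_LEN]
    token = body[HASH_LEN:HASH_LEN + TOKEN_LEN]
    t2_ms = int.from_bytes(body[HASH_LEN + TOKEN_LEN:], "big")
    if not 0 <= t3_ms - t2_ms <= MAX_DELAY_MS:
        return None                      # stale or replayed message
    if new_pid != next_pseudo_id(yi, pid):
        return None                      # pseudo-ID chain does not continue
    return new_pid, token


def run_scenarios() -> dict:
    """Run the cases the paper discusses and report whether each behaves as claimed."""
    alice_id, bob_id = b"alice", b"bob"                 # constructed subscriber IDs
    y_alice, y_bob = user_auth_key(alice_id), user_auth_key(bob_id)
    pid0 = h(b"constructed initial pseudo-id", alice_id)
    token = h(b"constructed HES token")
    t2 = 1_000_000
    m2 = hes_build_m2(y_alice, pid0, token, t2)

    honest = ms_verify_m2(y_alice, pid0, m2, t2 + 150)

    # Section 3.3, first method: a man-in-the-middle replaces the token in m2.
    forged_token = h(b"attacker-chosen token")
    swapped = m2[:HASH_LEN] + forged_token + m2[HASH_LEN + TOKEN_LEN:]
    mitm = ms_verify_m2(y_alice, pid0, swapped, t2 + 150)

    # An old m2 presented outside the 200 ms window.
    late = ms_verify_m2(y_alice, pid0, m2, t2 + MAX_DELAY_MS + 1)

    # Section 5.1: another subscriber's key cannot verify alice's m2.
    cross = ms_verify_m2(y_bob, pid0, m2, t2 + 150)

    return {
        "honest_accepted": honest is not None and honest[1] == token,
        "mitm_token_swap_rejected": mitm is None,
        "stale_rejected": late is None,
        "other_user_key_rejected": cross is None,
        "pseudo_id_rotates": honest is not None and honest[0] != pid0,
        "per_user_keys_differ": y_alice != y_bob,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The token-swap case is the point of Section 5.2: in Chen’s scheme the substituted value goes unnoticed and the two sides derive different session keys, whereas here the HMAC under yi fails and the MS terminates instead of silently computing a wrong key. The timestamp window by itself does not stop the rogue-HES variant of Section 3.3, which is why the HMAC check has to come first.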
5.3. Performance Analysis
This section evaluates the performance of the proposed scheme. To analyze its efficiency, the proposed scheme is compared with Chen’s scheme [14] using the same metrics used in Chen’s analysis. We define the notation as the hash computation time and as the symmetric encryption/decryption time. The four phases of both Chen’s scheme and the proposed scheme are simulated and implemented using the OpenSSL library [17] on an Intel Dual-Core CPU at 2.30 GHz. Table 1 shows a comparison between Chen’s scheme and the proposed scheme with respect to the hash computation time and the symmetric encryption/decryption time. Note that we neglect the XOR operation since it is extremely lightweight. As shown in Table 1, the proposed scheme requires the following extra operations in each phase:
• It takes 3 extra hash operations and 2 extra symmetric encryption/decryption operations, about 62 μs extra, for the initialization phase.
• It takes 6 extra hash operations and 4 extra symmetric encryption/decryption operations, about 81 μs extra, for the issue phase.
• It takes 6 extra hash operations and 4 extra symmetric encryption/decryption operations, about 81 μs extra, for the subscription phase.
• It takes 8 extra hash operations and 4 extra symmetric encryption/decryption operations, about 89 μs extra, for the hand-off phase.
This indicates that the proposed scheme introduces a minor increase in computation overhead, which is the cost to enhance the security of the original scheme.
6. Conclusion
Recently, an efficient anonymous authentication protocol for mobile pay-TV was proposed [14]. However, the scheme is vulnerable to a user tracking attack and a denial of service attack. An improved scheme is proposed that prevents these two attacks with lightweight modifications and, thus, can be applied in environments requiring a high level of security. The improved scheme introduces a minor increase in computation overhead and maintains the same number of messages as the original scheme.