User identity based authentication mechanisms for network security enhancement

Mohamed Abid

To cite this version: Mohamed Abid. User identity based authentication mechanisms for network security enhancement. Other [cs.OH]. Institut National des Télécommunications, 2011. English. NNT: 2011TELE0005. tel-00629931v2

HAL Id: tel-00629931
https://theses.hal.science/tel-00629931v2
Submitted on 30 Mar 2012

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

Ecole Doctorale EDITE
Thesis presented for the degree of Docteur de Télécom & Management SudParis
Joint doctorate Telecom & Management SudParis (TMSP) – Université Pierre et Marie Curie (UPMC)
Speciality: computer science and networks
By Mohamed ABID

Des mécanismes d'authentification basés sur l'identité de l'utilisateur pour renforcer la sécurité des réseaux
(User Identity Based Authentication Mechanisms for Network Security Enhancement)

Defended on 01/02/2011 before the jury composed of:
Hatem BETTAHAR, Rapporteur, Université de Technologie de Compiègne
Lionel BRUNIE, Rapporteur, INSA Lyon
Bernadette DORIZZI, Examiner, Institut Telecom SudParis
Guy PUJOLLE, Examiner, UPMC Paris 6
Hassnaa MOUSTAFA, Examiner, Telecom R&D (Orange Labs)
Patrick SENAC, Examiner, ISAE Toulouse
Dijana PETROVSKA-DELACRÉTAZ, Examiner, Institut Telecom SudParis
Hossam AFIFI, Thesis supervisor, Institut Telecom SudParis
Thèse n° 2011TELE0005

Abstract

In this thesis, we design new authentication mechanisms based on user identity, and thereby improve access control for different classes of networks: Home Network, Governmental Network and Cellular Network. The identity can be public biometric features, simple strings (email addresses, logins, etc.), and so on. The goal of our work is to design innovative solutions that secure and personalize authentication mechanisms. The thesis has three main solutions, depending on the identity deployed.

The first solution concerns the use of biometrics in Home Network authentication mechanisms. In the Home Network (HN) case study, we aim at personalizing the access of each user in the HN and preventing illegitimate users passing through the Home Gateway (HG) from obtaining any access. Our personalized-access approach also lets each user use any device in the HN while still reaching his or her own profile. We propose a new biometric authentication method that respects the constraint that the users' Biometric Templates (BT) must not be stored in the HG. To satisfy this constraint, we use the fuzzy vault method to hide a secret that is then used for authentication. The HG generates a fresh secret for each user session, and that secret is hidden by the BT.
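The fuzzy vault primitive behind this Home Network solution, as an added illustration that is not the thesis's own code: a toy Juels-Sudan style vault over a small prime field, in which a per-session secret is encoded as the coefficients of a polynomial, the genuine template features are projected onto that polynomial, chaff points are mixed in, and a fresh noisy reading recovers the secret only if enough of its features match. The field size P, the number of coefficients K, exact matching on pre-quantized integer features, the SHA-256 tag used to recognise the right polynomial, and the constructed templates in `session_demo` are all assumptions of the example; the abstract does not say how the vault is built without the HG holding the template, and the example does not model that part of the protocol.

```python
# Added example: toy fuzzy vault (Juels-Sudan style) over GF(P).
# Not the thesis's implementation. Assumptions: features are already quantized
# to distinct integers in [1, P), matching is exact on those integers, and a
# SHA-256 tag lets the unlocker recognise the correct candidate polynomial.
import hashlib
import random
from itertools import combinations

P = 65537   # toy prime field (assumption); real vaults use GF(2^16) or larger
K = 8       # secret = K field elements = coefficients of a degree K-1 polynomial


def poly_eval(coeffs, x):
    """Horner evaluation over GF(P); coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(a, b):
    """Product of two coefficient lists over GF(P)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def interpolate(points):
    """Lagrange interpolation: coefficients of the unique polynomial of degree
    < len(points) passing through the given (x, y) points over GF(P)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])   # multiply by (x - xj)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P           # yi / prod(xi - xj)
        for d, c in enumerate(num):
            coeffs[d] = (coeffs[d] + c * scale) % P
    return coeffs


def secret_tag(coeffs):
    """Integrity tag so the unlocker can tell the right polynomial from wrong guesses."""
    return hashlib.sha256(b"".join(c.to_bytes(4, "big") for c in coeffs)).hexdigest()


def lock(template, secret, n_chaff, rng):
    """Hide `secret` (K field elements) behind `template` (distinct feature ints).
    Genuine points lie on the secret polynomial; chaff points deliberately do not."""
    assert len(secret) == K and len(template) >= K
    vault = [(x, poly_eval(secret, x)) for x in template]
    used = set(template)
    while len(vault) < len(template) + n_chaff:
        x, y = rng.randrange(1, P), rng.randrange(P)
        if x in used or y == poly_eval(secret, x):
            continue            # chaff must neither reuse an x nor lie on the polynomial
        used.add(x)
        vault.append((x, y))
    rng.shuffle(vault)          # position reveals nothing about genuine vs chaff
    return vault, secret_tag(secret)


def unlock(vault, query, tag):
    """Recover the secret from a fresh reading `query`; None if too few features match."""
    by_x = dict(vault)
    candidates = [(x, by_x[x]) for x in query if x in by_x]
    if len(candidates) < K:
        return None
    for subset in combinations(candidates, K):   # brute-force subset decoding (toy sizes only)
        coeffs = interpolate(list(subset))
        if secret_tag(coeffs) == tag:
            return coeffs
    return None


def session_demo(seed=1):
    """HG-style flow: fresh secret per session, locked with an enrolment template,
    unlocked by a genuine noisy reading and refused for an impostor reading."""
    rng = random.Random(seed)
    enrolled = sorted(rng.sample(range(1, P), 16))      # constructed template, 16 features
    secret = [rng.randrange(P) for _ in range(K)]       # per-session secret
    vault, tag = lock(enrolled, secret, n_chaff=200, rng=rng)
    # genuine user: 4 features lost, 3 spurious ones added (sensor noise)
    genuine_query = set(enrolled[:12]) | {rng.randrange(1, P) for _ in range(3)}
    # impostor: a different template that overlaps the enrolled one in only 3 features
    impostor_query = set(enrolled[:3]) | set(rng.sample(range(1, P), 13))
    return {
        "genuine_recovers": unlock(vault, genuine_query, tag) == secret,
        "impostor_recovers": unlock(vault, impostor_query, tag) == secret,
    }


if __name__ == "__main__":
    print(session_demo())
```

Two practical points the toy makes visible: the tag (a CRC in the original Juels-Sudan construction) is what lets a legitimate unlocker stop searching, but it is also an oracle for an attacker who brute-forces K-subsets of the vault, so the security margin is the number of K-subsets of chaff-plus-genuine points relative to the genuine-only subsets; and the brute-force `combinations` decoder is only viable at toy sizes, with real vaults using Reed-Solomon decoding and tolerance-based feature matching instead of exact integer equality.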
The user has to recover the secret in order to be authenticated. The personalized user access of the proposed solution also allows the access of each broadband line to be controlled according to which user is connected.

The second solution proposes e-Passport authentication mechanisms. The cryptographic parameters are generated from the biometric templates and are hence personalized for the user. In the travel document case study, we present a proposal that introduces new e-Passport authentication mechanisms based on the Elliptic Curve Diffie-Hellman (ECDH) key agreement protocol. This protocol is needed to generate a session key used to authenticate the traveler and the Inspection System (IS) to each other and to exchange data securely. We designed two protocols. In the first, the elliptic curve used in the biometric cryptosystem is generated from the minutiae data (fingerprint) of the e-Passport holder. In the second, we use the iris code to generate the elliptic curve. We analyzed the security of our solution with respect to the goals we defined and found that it fulfills them and protects the system from the attacks considered. Using biometrics in the cryptographic solution is an important issue, because this biometric data is stored in the e-Passport chip without any direct link to the security mechanisms. The solution is validated with iris biometrics: we performed tests on the NIST-ICE database of iris images to compute the False Rejection Rate (FRR) and the False Acceptance Rate (FAR). The results obtained (an FRR of 0.2% and an FAR of 3.6%) are satisfactory, and the use of iris biometrics is encouraging for the deployment of this solution.

In the third solution, we worked on the Cellular Network and used a simple string, such as an email address, as the identifier for accessing services. We chose the IP Multimedia Subsystem (IMS), an overlay architecture for the provision of multimedia services.
We design a new service authentication mechanism relying on Identity Based Cryptography (IBC) for the IMS architecture. The goal was to authenticate users with their public and private identifiers in order to overcome known weaknesses in the Authentication and Key Agreement (AKA) protocol. Security is assured by a symmetric protocol with a shared key (ks) between the User Equipment (UE) and the Home Subscriber Server (HSS), an asymmetric protocol for signatures, and Diffie-Hellman for key agreement. We focused on the eavesdropping and impersonation attacks that can take place in the classical IMS scenario and showed how our proposed solution prevents them. We then proposed adding Batch Verification at the Bootstrapping Server Function (BSF) to decrease the signature verification delay and the authentication response time. To validate the performance of our proposal, we implemented its cryptographic operations, including the IBC procedures. We observed that asymmetric cryptographic procedures have longer running times than symmetric ones; however, Batch Verification lets the BSF verify the User Equipments' (UEs') signatures in a reasonable time.

Key words: Authentication, Biometrics, Identity Based Cryptography (IBC), IP Multimedia Subsystem (IMS), Home Network (HN)

Dedication

In memory of my father,
In memory of my grandparents,
For my wife Najet,
For my son Ali,
For my mother,
In memory of Prof. Hatem Bettaher,
For my sisters and brother,
For my in-laws (father, mother and brothers),
For all those I appreciate...

Acknowledgements

In this thesis, I have been supported and supervised by many people to whom I would like to express my deepest gratitude:
- My supervisor, Prof. Hossam Afifi: thank you for the stupendous effort you spent to be a great colleague and friend.
- Prof. Hatem Bettaher and Prof.
Lionel Brunie, for agreeing to review my dissertation and to sit on my PhD defense jury.
- Prof. Bernadette Dorizzi, Prof. Guy Pujolle, Dr. Hassnaa Moustafa, Prof. Patrick Senac and Dr. Dijana Petrovska-Delacretaz, for sitting on my PhD defense jury.
- The staff of TMSP; in particular, I want to thank Dr. Abdallah M'hamed, Dr. Vincent Gauthier, ... and especially our head of department, Prof. Djamal Zeghlache, for his helpful suggestions and advice. A very big thank-you goes to Isabelle Rebillard and Valerie Mateus for their patience and support.
- Special thanks to Dr. Hassnaa Moustafa and Dr. Dijana Petrovska-Delacretaz for their help and valuable advice.
- Special thanks to Dr. Eric Renault, Shoaib Saleem and Mehdi Mani for helping me to improve the language of my report.
- This thesis reports implementation results that were obtained with the help of several colleagues. Special thanks go to Sondes Bannouri and Dingqi Yang for their contribution to the two demonstrators.
- Special thanks to Dorsaf Zekri and Amira Bradai for helping me to defend my thesis.
- My family, especially my wife, my son, my mother, my sisters and brother, and my in-laws (father, mother and brothers), for their support, help and encouragement.
- My friends, both from TMSP and those who go back longer, especially Boutabia, Emad, Chedhly, Aroua, Teck, Bastien, Ahmad, Khaled, Ghazi, Sanjey Kanade and Songbo Song.

This thesis was supported by a research studentship from ANR/RNRT France (Agence Nationale de la Recherche / Réseau National de Recherche en Télécommunications), project BIOTYFUL: BIOmetrics and crypTographY for Fair aUthentication Licensing [ANR-06-TCOM-018] (2006).