Cryptanalysis and improvement of an elliptic curve based signcryption scheme for firewalls

In network security, a firewall is a security system that observes and controls network traffic based on predefined rules. A firewall sets up a barrier between an internal network and an outside, unsecured network such as the Internet. A number of signcryption schemes for firewalls have been proposed over the years, and many of them have been shown to have security flaws. In this paper, an elliptic curve based signcryption scheme for firewalls is analyzed. It is observed that the scheme is not secure and has many security flaws: anyone who knows the public parameters can modify the message without the knowledge of the sender and receiver. The claimed security attributes of non-repudiation, unforgeability, integrity and authentication are compromised. After a successful cryptanalysis of this scheme, we propose a modified version of the scheme.


Introduction
In 1997 Zheng [1] introduced a new cryptographic scheme named signcryption, which fulfills the functionalities of digital signature and encryption in a single logical step, as shown in Fig 1. In traditional public key cryptography, both data encryption and authentication are achieved by first digitally signing the document and then encrypting the signed document for transmission over a public network (i.e., signature-then-encryption). This approach has two drawbacks: low efficiency and high computational cost. A signcryption scheme reduces the computational cost as compared to the signature-then-encryption approach.
Encryption and digital signature are the two basic security properties of any signcryption scheme. Such properties include integrity, non-repudiation, unforgeability and confidentiality. Forward secrecy and public verifiability are additional features that are provided depending upon the requirements.
Various signcryption schemes have been introduced over the years, each scheme having its own benefits and drawbacks. In Zheng's signcryption scheme [1], the sender derives the secret key for symmetric encryption by using the receiver's public key. After receiving the signcrypted text, the receiver obtains the same secret key by using his private key. The analysis of Jung et al [2] shows that Zheng's signcryption scheme [1] does not provide message confidentiality when the private key of the sender is compromised. They proposed a new signcryption scheme to overcome the drawbacks of Zheng [1]. Later on, Bao and Deng [3] modified Zheng's [1] scheme such that the judge can authenticate the signature without any use of the recipient's private key. Gamage et al [4] modified Zheng's [1] scheme so that anyone can authenticate the signature of the corresponding ciphertext. Their proposed scheme is based upon the discrete logarithm problem (DLP) for firewall authentication but does not provide multi-receiver functionality. Boneh et al [5] proposed a new aggregate signature scheme which reduces the size of certificate chains. If there are n distinct messages and n distinct users, then all n distinct signatures are aggregated into a single short signature in such a way that each user is assured of the authenticity of the received message. The proposed scheme reduces the computational and communication cost as compared to single signature schemes. Horng et al [6] proposed an efficient certificateless aggregate signature scheme for vehicular sensor networks. The proposed scheme achieves conditional privacy preservation and is secure against existential forgery under adaptively chosen plaintext attack. Their scheme has less computational overhead as compared to existing aggregate signature schemes. Toorani and Shirazi [7] introduced a signcryption scheme based on elliptic curves with the additional forward secrecy property. Selvi [8] introduced an identity based signcryption technique for multiple receivers by using bilinear pairing.
For some recent authentication protocols and their applications, we refer to the work presented in [9]-[12].
A firewall is a security system that monitors the network traffic based on some rules. Some schemes are suitable for firewalls, but each has its own drawbacks and limitations.
Recently, Iqbal et al [13] introduced a new efficient signcryption scheme based on elliptic curves for firewalls. They claim that their scheme is secure and that no one can duplicate the original message. In this paper, our analysis shows that the scheme proposed in [13] is not secure and has many security flaws.
This paper is organized as follows. First we present the signcryption scheme introduced by Iqbal et al [13], followed by the cryptanalysis section. The improvement and modification of the scheme is described in the next section. Later, the security analysis of the modified scheme is discussed, followed by the conclusion section.

Signcryption scheme of Iqbal et al
Recently, Iqbal et al [13] proposed a new signcryption scheme for firewalls. The proposed scheme is based on elliptic curve cryptography. An elliptic curve over a finite field $F_p$ consists of the points satisfying the equation $y^2 = x^3 + ax + b \pmod p$, where $a, b$ belong to $F_p$ (the multiplicative group of integers mod $p$), along with a point $O$ at infinity. The entire security of elliptic curve cryptography is based upon the elliptic curve discrete logarithm problem, that is, given points $A$ and $B = nA$ on an elliptic curve, it is computationally hard to find the integer $n$. For details on elliptic curve cryptography we refer to [14].
The basic aim of their work is to present a new signcryption scheme for firewalls. The authors claim that the proposed scheme provides the security attributes of integrity, message confidentiality, signature unforgeability, public verifiability, non-repudiation, and forward secrecy. Their analysis shows that the proposed scheme is computationally efficient as compared to already existing signcryption schemes. The scheme proposed by Iqbal et al [13] is described below.
Global parameters
Both Alice and Bob agree on the following parameters (Table 1).
Algorithm 1. The Iqbal et al [13] scheme is described in the four phases given below:

Key generation
• User A (Sender)
  • Selects an integer $n_A$ randomly as a private key such that $n_A < q$
  • Calculates the public key as the elliptic curve point $P_A = n_A G$
• User B (Receiver)
  • Selects an integer $n_B$ randomly as a private key such that $n_B < q$
  • Calculates his public key as the elliptic curve point $P_B = n_B G$

Signcryption
Suppose that Alice (sender) wants to transmit a message $m$ over a public network to Bob (receiver). First Alice checks Bob's certificate and verifies his public key $P_B$. She performs the following steps to send a signcrypted text.
5. Recover the plaintext $m = D_k(C)$ by using the symmetric encryption scheme with shared key $k$.
7. Accept the message m only if stG = P � .

Cryptanalysis
In this section, the scheme of Iqbal et al [13] is cryptanalyzed. It is proved that the scheme has many security issues and weaknesses: it does not provide message authenticity, unforgeability or non-repudiation. Mallory (an attacker) builds a new signcryption procedure which generates a signcrypted text that is accepted by the unsigncryption algorithm. Suppose Mallory can intercept the network traffic between Alice and Bob and wants to generate a valid signcrypted text, as described in Fig 2. Mallory performs the following operations to transmit a message $m'$ of his choice.

Calculate the elliptic curve point as
Calculate the ciphertext $C' = E_{k'}(m')$ by using the symmetric encryption scheme $E_{k'}$ with secret key $k'$.
6. Calculate the hash value as $t' = H(C' \,\|\, x'_R \,\|\, ID_A \,\|\, y'_R \,\|\, ID_B)$.
7. The signature parameter $s'$ is calculated as $s' = t'^{-1} v' \bmod q$.
8. Mallory sends $(C', R', s')$ to Bob.
In this way Mallory makes a fake signcrypted text of his choice and sends it to Bob. After receiving the signcrypted message $(C', R', s')$, the firewall first successfully verifies the signature. Then, at the receiver's end, the unsigncryption algorithm verifies the signcrypted text and decrypts the message. Bob now believes that the message was sent by the authentic sender Alice. In this way Mallory defeats the cryptosystem and is now able to send any signcrypted text of his own choice.

Correctness
The same secret key $k'$ is generated by Mallory and Bob, because the elliptic curve point $Q'$ used for the generation of $k'$ is the same on both sides.
After receiving the signcrypted text, the unsigncryption algorithm therefore accepts the received message as authentic.
Moreover, this scheme has no protection against the Man-At-The-End (MATE) attack. For details on the MATE attack, we refer to the work of Akhunzada et al [15] and the references therein.

Modification and improvement of Iqbal et al scheme
Our analysis shows that the claimed security properties of the Iqbal et al [13] scheme are compromised. We modify the scheme to ensure the basic security properties. In the scheme of Iqbal et al [13], the method used to generate the common secret key is very weak. We modify the key generation process so that only the authentic sender and receiver can generate a valid common key: in step (5) of the signcryption phase of Algorithm 1, we replace $(ID_A, ID_B)$ with $(x_S, y_S)$ in the key generation. In our improved scheme, only the authentic sender can generate a signcrypted text that is verified by the unsigncryption algorithm. The global parameters and firewall authentication remain the same as proposed by Iqbal et al [13].
Algorithm 2. Our modified signcryption scheme is described as:

Correctness
The same secret key $k$ is generated by sender and receiver. The elliptic curve point $Q$ used for key generation is the same in Step (4) of the signcryption algorithm and Step (3) of the unsigncryption algorithm.
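To make the key-derivation weakness from the cryptanalysis and the effect of the modification concrete, the following added example (not the authors' code) models both derivations on a constructed toy curve: in the analysed scheme Mallory, holding only public values, derives the same $k'$ as Bob, whereas in the modified derivation Bob's key depends on a point Mallory cannot compute, while Alice and Bob still agree. The curve, identities, private keys and the hash input order are constructed, and $S = n_A P_B = n_B P_A$ is an assumption about the point $(x_S, y_S)$, which the text above does not define; the signature parameter is not modelled.

```python
import hashlib
# Constructed toy curve y^2 = x^3 + x + 1 over F_23 with base point G of order 28: far too
# small for real use, but enough to show who is able to compute each key.
P, A, G, O = 23, 1, (0, 1), None        # O stands for the point at infinity

def ec_add(p1, p2):
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:  # P + (-P), also doubling a 2-torsion point
        return O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(n, pt):                       # double-and-add scalar multiplication
    acc = O
    while n:
        if n & 1: acc = ec_add(acc, pt)
        pt, n = ec_add(pt, pt), n >> 1
    return acc

def H(*parts):                           # stand-in for the scheme's hash function H
    return hashlib.sha256("|".join(map(str, parts)).encode()).hexdigest()[:16]

def key_original(Q, ID_A, ID_B):
    """Key derivation as analysed above: k depends only on Q and the public identities."""
    return H(Q[0], ID_A, Q[1], ID_B)

def key_modified(Q, S):
    """Improved derivation: (ID_A, ID_B) replaced by (x_S, y_S); S = n_A*P_B = n_B*P_A assumed."""
    return H(Q[0], S[0], Q[1], S[1])

def run_demo(n_A=5, n_B=9, v_alice=7, v_mallory=11, ID_A="alice", ID_B="bob"):
    P_A, P_B = ec_mul(n_A, G), ec_mul(n_B, G)        # constructed private keys -> public keys
    # Mallory: R' = v'G and Q' = v'P_B need only public values; Bob recovers Q' = n_B R'.
    R_m, Q_m = ec_mul(v_mallory, G), ec_mul(v_mallory, P_B)
    Q_bob_m = ec_mul(n_B, R_m)
    # Alice: R = vG, Q = vP_B and S = n_A P_B; Bob recovers Q = n_B R and S = n_B P_A.
    R_a, Q_a = ec_mul(v_alice, G), ec_mul(v_alice, P_B)
    Q_bob_a, S_bob = ec_mul(n_B, R_a), ec_mul(n_B, P_A)
    return {
        "orig_mallory_matches_bob": key_original(Q_m, ID_A, ID_B) == key_original(Q_bob_m, ID_A, ID_B),
        "mod_alice_matches_bob": key_modified(Q_a, ec_mul(n_A, P_B)) == key_modified(Q_bob_a, S_bob),
        # Mallory's best public-only guess for S is v'P_A, which differs from Bob's n_B P_A.
        "mod_mallory_matches_bob": key_modified(Q_m, ec_mul(v_mallory, P_A)) == key_modified(Q_bob_m, S_bob),
    }
```

With the defaults, `run_demo()` reports that Mallory's key matches Bob's under the original derivation but not under the modified one, while Alice and Bob agree in the modified scheme.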

Security analysis
The modified scheme provides confidentiality of the message: the common shared secret key $k$ used for symmetric encryption and decryption is known only to the sender and receiver. The scheme ensures authentication, as it is certificate based; the validity of the certificates is verified in the signcryption and unsigncryption phases. Bob (receiver) can verify that the received message has not been altered by Mallory (attacker), so our scheme provides message integrity. Without knowledge of the private key of Alice (sender), no one can generate a valid signcrypted text. Our scheme also provides signature unforgeability, non-repudiation, ciphertext-only authentication, public verification and forward secrecy of message confidentiality. The computational cost in the signcryption, unsigncryption and signature verification phases is the same as given in [13]. The communication cost of the modified scheme is also the same as in [13]. The comparison of the modified scheme with the existing schemes is given in Table 2 below. We now discuss some attack models for our improved signcryption scheme and give countermeasures against these attacks.

Man-At-The-End (MATE) attack
Previously, the Man-At-The-End (MATE) attack was largely neglected in security analysis by researchers because it is difficult to model, analyze and evaluate [15]. Since the attacker is human, he can utilize all the capabilities of a human mind. Besides, the adversary has authorized and unlimited access to the device, so every security protection only has to hold up against the adversary for a specific period of time. The MATE attack has different forms depending upon the physical scenario of the compromised device. At an individual level, an altering attack is possible, in which the adversary alters the integrity of a piece of software [22]. In a reverse engineering attack, the adversary extracts the intellectual property from the device software and thereby violates the rights of the vendor [23]. Similarly, in a cloning attack an adversary creates and issues copies of software in violation of copyright law [24]. Sometimes an adversary may attack by crafting his own exploit code from publicly available code to make it hard to recognise by antivirus software [25].
Although the MATE attack is difficult to analyze and model, there are mechanisms to protect a device. The techniques to protect against the MATE attack are digital asset protection, software protection, hardware protection and hardware-based software protection. For further details on the core protection mechanisms against this attack we refer to [15].

Man-in-the-middle attack
In a man-in-the-middle attack, an adversary intercepts the network traffic between two parties and alters the information in such a way that both parties believe they are communicating with each other. The signcryption scheme of Iqbal et al is not secure against the man-in-the-middle attack: an active attacker can modify the signcrypted text and the result is still verified by the unsigncryption algorithm.
Our modified signcryption scheme overcomes this security issue and resists the man-in-the-middle attack. An adversary obtains the signcrypted text $(C, R, s)$ from the publicly transmitted message but is unable to replace it with a signcrypted message of his choice. The private key of Alice is used in the key generation process in Step (5) of the signcryption algorithm and then in signature generation in Step (9) of the signcryption algorithm. If the attacker generates a signcrypted text with any fake key, the unsigncryption algorithm will not be able to verify the signature in Step (8) of the unsigncryption algorithm, and hence the message $M$ will not be accepted.

Conclusion
In this paper, the security of the Iqbal et al [13] scheme is analyzed and it is proved that it has many security flaws. In their proposed scheme, one can easily generate a signcrypted text of his choice that is accepted by the unsigncryption algorithm. Their scheme does not provide message authentication, integrity, non-repudiation and unforgeability as claimed in [13] (Table 1). We modified their scheme to restore the compromised security attributes. Our improved scheme provides the security attributes of authentication, message confidentiality, unforgeability, integrity, non-repudiation, public verification, ciphertext-only authentication, forward secrecy and firewall suitability. The comparison of the modified signcryption scheme with the existing schemes in the literature is highlighted in Table 2.