An efficient and provably secure key agreement scheme for satellite communication systems

Satellite communication has played an important part in many different industries because of its advantages of wide coverage, strong disaster tolerance and high flexibility. The security of satellite communication systems has always been the concern of many scholars. Without authentication, user should not obtain his/her required services. Beyond that, the anonymity also needs to be protected during communications. In this study, we design an efficient and provably secure key agreement scheme for satellite communication systems. In each session, we replace user’s true identity by a temporary identity, which will be updated for each session, to guarantee the anonymity. Because the only use of lightweight algorithms, our proposed scheme has high performance. Furthermore, the security of the proposed scheme is proved in the real-or-random model and the performance analysis shows that the proposed scheme is more efficient than some other schemes for satellite communication systems.


Introduction
With the development of communication technology, satellite communication has played an important part in many industries, such as economy, politics, culture, military affairs, etc [1][2][3]. Compared with traditional satellite communication systems, the low-earth-orbit(LEO) satellite communication systems have the advantages of shorter transmission delay, higher efficiency, higher availability and higher cost performance. As shown in Fig 1, an LEO communication system is made up of mobile devices/users (U), gateways, LEO and the network control center (NCC). The most of entities in this LEO satellite communication system are connected wirelessly, the natural defects of the wireless communication bring great security risks, which will cause the system to be easily attacked by attackers.
In order to solve these problems, some low-Earth-orbit satellite communication protocols [4][5][6][7] have been proposed. In 1996, the first security satellite communication scheme was proposed by Cruickshank [8], but it cost too much computation. In 2003, Hwang et al. proposed an authentication scheme for mobile satellite communication system [9]. However, Chang et al. pointed out that their scheme couldn't proved perfect forward secrecy [10]. In 2009, Chen et al. proposed a self-verification scheme and claimed there was no sensitive information stored in the verification [11]. But Lee et al. pointed out the user's secret key is not secure in Chen et al.'s scheme when the hash value of user identity and another parameters are coprime numbers in 2011 [12]. In 2014, Zhang et al. proposed an improved authentication scheme [13]. But soon after, Qi et al. pointed out that Zhang et al.'s scheme was vulnerable to stolenverifier attack and denial of service attack [14]. In 2017, Qi et al. proposed an enhanced authentication with key agreement scheme based on ECC(Elliptic Curves Cryptography), but the scheme has poor performance and some security defects. In this paper, we propose an enhanced scheme and prove that our scheme is secure under the real-or-random model.
In this context, an effective satellite communication scheme must possess the following characteristics to ensure the secrecy of normal operations in mobile satellite communication systems: • Mutual authentication: NCC and user U can authenticate each other and generate a session key without being illegally obtained by the attacker.
• Perfect forward secrecy: if a session key or sensitive data is leaked to an attacker, he/she cannot obtain previous session keys from the preceding interception.
• Anonymity: the user's identity is securely hidden and an attacker cannot derive user identity in any way.
• Resistance to stolen-verifier attacks: an attacker may break into servers and steal verification table from trusted servers. However, he or she cannot use the data in the verification table to launch any attack.
• Resistance to smart card loss attacks: if an attacker gets a legal user's smart card in some way, he or she cannot derive sensitive data from it.
• Resistance to denial of service attacks: prevent attackers from occupying server resources illegally to ensure that the legal users can access the authentication server normally.
• Resistance to impersonation attacks: an attacker cannot attempt to communicate with a trusted server as a legitimate user and also cannot attempt to communicate with a legitimate user as a server.
The rest of this paper is organized as follows: We describe the detail of our proposed scheme in Section 2 and section 3 shows the security analysis of our scheme. Section 4 compares the security and the performance of our scheme with other related schemes. Finally, section 5 presents our conclusion.

Our proposed scheme
In this section, we propose an efficient and provably secure key agreement scheme for satellite communication systems. Some notions in our scheme are shown in Table 1. In the proposed scheme, we abandon the traditional temporary identity verification table, and adopt a dynamic temporary identity table [15]. Usually, the traditional temporary identity table only stores temporary identity of this time. However, when an attacker intercepts messages returned from NCC, the data in NCC's database has been updated and the data in the smart card has not been updated, so data inconsistency occurs between database and smart card. To solve this problem, we adopt a dynamic temporary identity table which consists of hash value of user's identity, shared hash value, dynamic temporary identity of last time and dynamic temporary identity of this time(shown in Table 2).
Our scheme contains the following phases: initialization phase, registration phase, login and authentication phase and password update phase. The details of our scheme are as follows.

Initialization phase
NCC chooses a large prime x as long-term private key randomly and specifies a secure hash algorithm h(�). In the meantime, NCC creates a table in the databases. The table stores four data for each legitimate user. Two of these data are the hash values which used to authenticate the identity. The remaining two are used to store user's dynamic ID. One ID is for last time, the other one is for this time. If a user fails to authenticate with the this time ID, he will try to re-authenticate with the last time ID.

Registration phase
To be a legal user, he/she must submit his/her registration request to NCC (see in Fig 2).
Next, user U sends {hID, hPW} as registration request to NCC in a secure channel. step 2: After receiving registration message, NCC generates a random number r 1 and computes with NCC's private key x and registration message. Next, NCC generates two temporary identity T id , T ido and initializes T ido to null. After that, NCC stores {hID, T id , T ido , hPW} in the database. Then, NCC writes {T id , R, r 1 , h(�)} into a smart card. step 3: NCC delivers the smart card to user U in a secure channel. step 4: User U computes with the data stored in smart card. Then user U writes {Verify, Z} into the smart card.

Login and authentication phase
Login and authentication phase are indispensable steps for user to get services from server.
The following operations are intended to achieve the goal (see in Fig 3). step 1: User U inserts his/her smart card into card reader and inputs ID u and PW. Then, U computes and verifies whether Verify = Verify 0 is true. If not, the session will be broken off. Otherwise, user U generates a number r 2 and computes Then, user U sends {Q, S, T id } to LEO in a public channel. step 2: LEO receives the login request from U and forwards the login request {Q, S, T id , LEO id } to NCC. step 3: After receiving the login request from LEO, NCC begins to match T id in the dynamic verification table (Table 2). Firstly, NCC searches the column of Dynamic identity of this time (T id ). If there is a value equals to T id , NCC extracts the corresponding hID, hPW and chooses a new temporary identity T idnew . Then NCC replaces (T ido , T id ) with (T id , T idnew ). Else, NCC keeps searching the column of Dynamic identity of last time(T ido ) in the verification table to see if there is a value equals to T id . If so, NCC extracts the corresponding hID, hPW, chooses a new temporary identity T idnew and replaces (T ido , T id ) with (T ido , T idnew ). If NCC cannot match T id in the dynamic verification table, it will reject the login request. step 4: After completion of matching, NCC computes P @ ¼ hðhIDjjxÞ and checks whether S and S 0 are equal. If not, NCC breaks off the session. Else, NCC generates a random number r 3 and computes SK will be using as the session key between user U and NCC. After that, NCC delivers {v 1 and compares whether v 2 and v 2 0 are equal. If verification is failed, the session will be broken off. Else, user U computes the session key SK = h(hID 0 ||r 2 ||r 2 0 ||P 0 ).

Password update phase
To enhance security, users are advised to update their passwords at set intervals. To complete the process, user U will perform the following steps(see in Fig 4). step 1: User U inserts the smart card and inputs ID u ,PW,PW new where PW new is the new password chosen by himself/herself. Then user U computes After that, user U checks whether Verify equals to Verify 0 . If not, user U breaks off the session. Else, user U generates a random number r p and computes After that, user U sends {Q, S, T id , ChPW} to LEO. step 2: LEO forwards the message received form user with LEO id to NCC. step 3: Upon receiving the message, NCC executes the step 3 in Login and authentication phase to obtain hID and hPW. Then NCC computes P @ ¼ hðhIDjjxÞ and checks whether S equals to S 0 . If not, NCC aborts the session. Else, NCC generates a new temporary identity T idnew and computes

Security analysis
In this section, we will show that our scheme is provably secure in the real-or-random model.

Security model
In H(x): This is a hash query. If a record (x, h) exists in the hash list, h is returned. Otherwise, return a uniformly random string h and store (x, h) in the table.
Semantic security: Providing the above-mentioned queries, the adversary A may interact with the participants to help him/her verify the value of b. If he/she can guess correctly, the scheme fails to provide semantic security. Let Succ denotes the event that A wins. A has an advantage Adv ake ðAÞ ¼ jPr½Succ� À 1 2 j in breaking the semantic security of the scheme. If Adv ake (A) is negligible, the scheme is secure under the real-or-random model.

Security proof
Theorem 1: Let S ID and S PW be uniformly distributed dictionary of user identity and password, respectively. |S ID | and |S PW | denoted the size of S ID and S PW . |H| denotes the range space of the hash function. Beyond that, we denote q h and q s to represent the number of H(x) oracle queries and the total number of queries executed by A. Then, we have Adv ake A ð Þ � q h 2 = 2 jHj þ max q s = jS ID j�jS PW j ; q s = 2 k n o Proof: We define several attack games from game Gm 0 to game Gm 3 . For each game Gm i , Succ i denotes the event that A has successfully guessed the bit b in the test session. The games are listed as follows: Game Gm 0 : This game models the real attack by the adversary. We have Game Gm 1 : To increase the advantage of success, A launches an eavesdropping attack by querying the Excute(U i , NCC) oracle. Since the session key SK is computed by hID, r 2 ,r 3 and P, A tries to obtain these values from the messages transmitted in the public channel. We know that r 2 = Q � P � hPW, r 3 = v 1 � P and P = h(hID||x) = R � h(hID||r 1 ). The hID is concealed in the hash function. Thus, A cannot get the values of hID, r 2 , r 3 and P. In this game, the Excute(U i , NCC) query dose not provide any advantage compared to game Gm 0 and we have Game Gm 2 : In this game, we add the send query to simulate an active attack. In order to pass the authentication, A must use H(x) query to fabricate messages. No collisions will be found in the input while querying H(x) oracle, because every message contains some different random numbers. By the birthday paradox, we can get Game Gm 3 : We transfer game Gm 2 to this game by adding the CorruptSC(U i ) query or the CorruptDB(U i ) query.
Case 1: The adversary asks the CorruptSC(U i ) query. Then he/she can extract {T id , R, r 1 , Verify, Z} stored in the user U i 's smart card. For the adversary, 1 ) and P = h(hID||x) = R � h(hID||r 1 ). So A tries a dictionary attack with the possible identity and password of the user in S ID and S PW . Since the scale of the dictionary is |S ID | and |S PW |, the adversary need to guess the correct values of U's identity and password simultaneously. In this case, the probability of a successful dictionary attack is negligible. So, we have Case 2: The adversary A asks the CorruptDB(NCC) query. Then he/she can extract {hID, T id , T ido , hPW} stored in NCC's database. For the adversary, P = h(hID||x). So A tries a dictionary attack with the possible private key of NCC. So, we have where k is the security parameter. The adversary A can choose case 1 or case 2 as the last game Gm 3 . From game Gm 0 to game Gm 3 , all the oracles are simulated and A has no choice but querying the Test query and guessing the bit b in the last game. Therefore, Combining (1)-(6), we can derive The advantage for an adversary to guess the correct session key is negligible since |H|,|S ID | � |S PW | and 2 k are beyond the polynomial time. So our scheme can provide semantic security in the real-or-random model.

Other security features
In this section, we will analyze the security and practicability of our scheme [17][18][19][20].
Provide credible mutual authentication: In login and authentication phase, NCC can authenticate user U only when user U submits correct identity ID u , password PW which can satisfy the equation S 0 = h(hID||r 2 0 ||T id ) = S. An attacker cannot falsify valid S and Q to pass NCC's authentication without the correct identity and password. User U can authenticate NCC only when the user receives the correct message {v 1 , v 2 , v 3 } which can satisfy the equation v 2 0 = h (P 0 ||r 2 ||r 3 0 ||T idnew 0 ) = v 2 . But an attacker cannot counterfeit the correct message {v 1 , v 2 , v 3 } without P. Thus, our scheme provides credible mutual authentication.
Provide perfect forward secrecy: Forward secrecy means an attacker cannot obtain the past session keys even he/she has got NCC's private key, users' password and users' identity. In our scheme, the session key SK = h(hID||r 2 ||r 3 0 ||P 0 ) is established with the user's identity, the random number r 2 , r 3 and the hash value P = h(hID||x). Even if an attacker obtains those sensitive data, he/she cannot obtain other session keys because he/she cannot derive r 2 = P � hPW � Q without user U's corresponding hPW. Therefore, our scheme can provide forward secrecy.
Provide anonymity: Some traditional schemes often transmitted users identity ID u in the public channel, which may lead to leakage of identity information, obviously those schemes can not provide anonymity. There are also some schemes claim that they can provide anonymity. But their identities usually can be guessed by attackers. In our scheme, we transmit temporary identity T id instead of user's identity ID u , and the temporary identity will be updated after each session. And the attacker cannot guess ID u from R = P � h(hID||r 1 ), Verify = h(ID u ||r 0 || PW||r 1 ), Z = r 0 � h(PW||ID u ) or other equations. So our scheme can provide anonymity.
Resist stolen-verifier attack: Stolen-verifier attack means an insider attacker may steal the data in the database, and he can derive users' password or impersonate legal users to send legitimate login requests. In our scheme, the database stores {hID, T ido , T id , hPW}, if the insider attacker steals these data, he/she cannot derive users' password PW without the random number r 0 . In addition to this, the insider attacker cannot impersonate legal users to send legitimate login requests Q = P 0 � r 2 � h(PW � r 0 0 ) and S = h(hID||r 2 ||T id ) to NCC without the password PW, the secret data P and the random number r 0 . Therefore, our scheme can resist the stolenverifier attack.
Resist smart card loss attack: Assume an attacker gets user U's smart card and extracts the parameters {T id , R, r 1 , h(�), Verify, Z} from it and the attacker also intercepts the communication message between user U and NCC. But these parameters do not help him/her perform any attacks without the user's password PW and identity ID u . Thus, our scheme can resist smart loss attack.
Resist denial-of-service attack: In login and authentication phase, after NCC authenticating user U, an attacker may intercept and modify the message {v 1 , v 2 , v 3 } which is forwarded from NCC to U. Obviously, the modified message cannot pass the authentication of user U and the updating of temporary identity will be inconsistent between NCC and user U which must lead to the denial-of-service attack. To avoid that, our scheme adopts dynamic temporary identity (see in Table 2), and NCC stores the temporary identity both of this time and last time. Even the update is inconsistent, the legal user also can login successfully next time with the old temporary identity. Thus, our scheme can resist denial-of-service attack.
Resist impersonation attack: Impersonation attack means that an attacker impersonates a legal user to login NCC or impersonates NCC to communicate with a legal user. In our scheme, if the attacker intends to impersonate a legal user U, he/she must computes Q = P 0 � r 2 � h (PW � r 0 0 ) and S = h(hID||r 2 ||T id ). However, Q and S are established with the secret data P, the temporary identity T id , the password PW and the identity ID u . All of those data are secret, so the attacker cannot impersonate a legal user. On the other hand, even if the attacker obtains the temporary identity of the user, he/she cannot know P 0 = h(hID||x) without NCC's private key x. So the attacker cannot masquerade as NCC without P to compute the correct message {v 1 , v 2 , v 3 }. Therefore, our scheme can resist impersonation attack.

Security and performance comparison
In this section, we evaluate the performance of our proposed scheme with other three related schemes [14,21,22]. The computational cost in the login and authentication phase is compared in detail and the security features of these schemes are also analyzed.
In the proposed scheme, the traditional verification table is improved to form a dynamic one which can resist the denial-of-service attack. In addition, the value stored in the smart card is useless for the attacker to launch any attack. Even if the smart card is lost, user information will not be leaked out. As for the transmitting messages, we transmit user's temporary identity T id replace user's true identity ID u . Thus, anonymity has been achieved.
As shown in Table 3, the related schemes [14,21,22] have some design flaws and cannot satisfy all the security features. Qi et al. 0 s scheme [14] suffers from smart card loss attack, denial-of-service attack, off-line guessing attack, replay attack. In addition to this, their scheme also cannot provide forward secrecy and anonymity. Lin et al. 0 s scheme [21] satisfies most of the security requirements, where as they ignore the smart card loss attack. In Mo et al. 0 s scheme [22], they cannot resist stolen-verifier attack, smart card loss attack, impersonation attack and cannot provide forward secrecy. Compared with the related works, our scheme can resist most of the known attacks and provide password update service for users to choose. Since the registration phase just needs to be executed only once for a certain user, the password update phase isn't always executed and the login and authentication phase is executed each time, we focus on the performance of login and authentication phase.
The running time of a hash function is T h , the running time of a large number addition is T LA , the running time of an elliptic curve scalar point multiplication is T PM and the running time of a XOR operation is T x . Table 4 shows theoretical computational costs comparisons between the proposed scheme and other related schemes in the login and authentication phases. As we know, point multiplication based on elliptic curves is quite time-consuming operation [23][24][25][26], our proposed scheme and Lin et al. 0 s scheme have a great advantage on computational costs, because only hash, XOR and string connection operations are adopted in our scheme and Lin et al. 0 s scheme.
We carried out a simulation of these schemes with Miracl Library. The hardware platform for user and sever is given an Inter(R) Core(TM) i7-6700 HQ CPU @ 2.60GHz and 8.00GB memory. The length of the random number we used in our simulation is 1000 bits, each simulation was performed for 100 times and the logarithm of average execute time(ms) in the login and authentication phase are shown in    [21] scheme. The reason is that those schemes involve point operations of an elliptic curve [27][28][29][30]. Thus, they are not suitable for satellite communication systems due to the limited computational capability of the devices. Compared with our scheme, the computational overhead of Lin et al. 0 s scheme costs a little more and we offer more security features such as anonymity, which is not provided in Lin et al. 0 s scheme. Therefore, our proposed scheme provides an efficient and secure authentication for satellite communication systems.

Conclusions
In this paper, we proposed an efficient and provably secure key agreement scheme for satellite communication systems to provide credible mutual authentication. A dynamic temporary identity mechanism was adopted to ensure users' anonymity. Besides, the traditional verification table was replaced by a dynamic verification table to resist denial-of-service attack caused by inconsistent data updating between NCC and user U. In addition, our scheme only adopted lightweight hash and string operations, which reduced the computational cost in comparison with other related works. We also proved the proposed scheme is provably secure in the realor-random model. Therefore, the proposed scheme can meet the efficiency demands and security needs of communication satellite systems successfully.