The Improving of IKE with PSK for Using in Mobile Computing Environments

Abstract

The rapid increase in using mobile communication networks for transmitting confidential data and conducting commercial transactions such as mobile e-commerce is creating large demands in designing secure mobile business systems. However, the mobile devices and mobile communication network have some weakness. It can cause some problems using traditional VPN technologies in mobile computing environments immediately. Currently, mobile users' authentication in IKE is being done using certificates or PSK with aggressive mode commonly. They have serious security related issues (for PSK with aggressive mode) and need high deployment and maintain cost (for certificates). In this paper, we propose a new approach that is based on PSK where the IKE negotiation phase is modified for using in mobile computing environments. The modified IKE consists of four messages, and the responder doesn't need to store any state while receiving message 1. It uses strong cookies and pre-calculated DHpp stack, etc technologies to counter IP flooding attacks and man-in-the-middle DoS attacks, because it does not require the responder to perform heavy computations before the initiator has authenticated itself. Otherwise, for one mobile user, it has a group of PSKs to be random selected, and the initiator and responder exchange identity info and agree on PSK with Hash (PSK-ID|IDi) or Hash (PSK-ID|IDr) info. Therefore, it provides the initiator and responder's identity protection and prevention of passive dictionary based attacks on pre-shared keys.