
Student: 林燕卿 (Yen-Ching Lin)
Thesis title: Dynamic Group Authenticated Key Agreement Schemes for Session Initiation Protocol (SIP) (Chinese title: 適用於SIP通訊環境之動態群體鑑別金鑰協議方法)
Advisor: 吳宗成 (Tzong-Chen Wu)
Oral examination committee: 雷欽隆, 楊中皇, 楊維寧, 羅乃維
Degree: Doctor
Department: College of Management, Department of Information Management
Year of publication: 2011
Academic year of graduation: 99 (ROC calendar)
Language: Chinese
Pages: 136
Chinese keywords (translated): Session Initiation Protocol, peer-to-peer, authenticated key agreement, dynamic group, elliptic curve cryptosystem, self-certified public key system, identity-based cryptosystem, server spoofing attack, off-line password guessing attack, replay attack, mutual authentication, session key security, key confirmation, key update, forward secrecy, backward secrecy
English keywords: replay attacks, off-line password guessing attacks, server spoofing attacks, identity-based cryptosystem, dynamic group, session initiation protocol (SIP), peer-to-peer, known key security, perfect forward secrecy, key update
Usage statistics: 435 views, 2 downloads
Abstract (translated from the Chinese original):
    The Session Initiation Protocol (SIP) provides integrated voice and multimedia communication services, serving as a multimedia signaling protocol, and is one of the most widely adopted technologies for Voice over Internet Protocol (VoIP). SIP generally uses a client-server architecture in which every communicating entity relies on a proxy server to establish a connection; the advantages of this architecture are simplicity and ease of maintenance. A peer-to-peer (P2P) SIP standard (P2PSIP) is currently being developed that uses the good fault tolerance and transmission performance of P2P network architectures to deliver good SIP service quality. This dissertation designs authenticated key agreement mechanisms tailored to the characteristics of the SIP and P2PSIP network architectures respectively, so that communicating entities meet the security requirements of confidentiality, authenticity, and availability.
    First, for the client-server SIP architecture, a password-only authentication protocol between a communicating entity and the server (two-party Password-based Authentication, PA), abbreviated SIP-2-PA, is proposed. SIP-2-PA is built on low-complexity operations such as one-way hash functions and exclusive-or (XOR), making it suitable for resource-constrained voice communication in SIP environments. In addition, SIP-2-PA resists server spoofing attacks, thereby achieving mutual authentication between client and server, and resists off-line password guessing attacks and replay attacks.
    Considering the security requirements for entity-to-entity authentication and secret communication in client-server SIP environments, two password-based authenticated key agreement (PAKA) schemes are designed on the basis of elliptic curve cryptosystems and self-certified public key cryptosystems, one for SIP communication within the domain of a single proxy server (intra-domain) and one across the domains of different proxy servers (inter-domain). Every communicating entity first authenticates to its trusted proxy server with its password; the proxy server then generates for that entity a self-certified public key whose secret parameter (private key) is derived from the password. Thereafter, because of the self-certified property, entities need not perform any additional public key verification procedure when executing PAKA.
    For the P2PSIP architecture, which has no proxy server or other intermediary to assist, this dissertation designs an identity-based authenticated key agreement scheme for P2PSIP (P2PSIP-ID-2AKA) on the basis of identity-based cryptosystems and bilinear pairings on elliptic curves; communicating entities need only each other's identification (ID) to achieve authentication and establish a shared session key for secret communication. To meet the needs of group communication applications, P2PSIP-ID-2AKA is extended to group communication as an efficient identity-based dynamic group authenticated key agreement scheme for P2PSIP (P2PSIP-ID-GAKA). In this scheme, the number of communication rounds and the number of elliptic curve point multiplications performed by each entity while establishing the group key are both constant, independent of the number of entities in the group. It also supports dynamic group management: after the group key has been established, entities may join or leave, and the key update satisfies forward secrecy and backward secrecy.
    Under the Elliptic Curve Discrete Logarithm Problem (ECDLP) and Hash-based Diffie-Hellman (HDH) assumptions, the proposed SIP-3-PAKA, SIP-4-PAKA, P2PSIP-ID-2AKA, and P2PSIP-ID-GAKA schemes all satisfy the basic security goals and requirements that Blake-Wilson and Menezes set out for a secure key exchange protocol, including implicit key authentication, explicit key authentication, known key secrecy, perfect forward secrecy, and key control secrecy, as well as resistance to key compromise impersonation and unknown key share attacks.


Abstract (English):
    Session Initiation Protocol (or SIP for short) is an application-layer signaling protocol for creating, modifying, and terminating multimedia sessions with one or more participants. SIP is rapidly becoming the dominant signaling protocol for calls over the Internet due to its simplicity and efficiency. However, the centralized client-server SIP architecture has some problems, such as poor scalability and limited disaster recovery capacity. Using a peer-to-peer (or P2P for short) network in SIP instead of a SIP server is expected to be an ideal way to remove the bottleneck of the client-server pattern. Given its robustness and high expansibility, the P2PSIP system has become popular because of its distributed operation and low deployment costs.
    In order to achieve confidentiality, authenticity, and availability for SIP and P2PSIP communication, this dissertation proposes one efficient authentication scheme and four authenticated key agreement (or AKA for short) schemes for entity-to-entity authentication in different SIP communication models. First, this dissertation proposes a password-based authentication scheme (SIP-2-PA) using one-way hash function and XOR lightweight operations. The proposed SIP-2-PA scheme resists server spoofing attacks, off-line password guessing attacks, and replay attacks.
    Considering entity-to-entity authentication in client-server SIP communication, this dissertation proposes two password-based authenticated key agreement (or PAKA for short) schemes based on the self-certified approach: SIP-3-PAKA and SIP-4-PAKA. The SIP-3-PAKA scheme allows two communicating parties in the same domain (intra-domain) to authenticate each other and establish a shared session key. Extending SIP-3-PAKA, the SIP-4-PAKA scheme serves inter-domain SIP communication. In both the SIP-3-PAKA and SIP-4-PAKA schemes, no public key certificates are required during the key agreement phase.
    It is difficult for communicating parties to authenticate each other in P2PSIP communication without a trusted server. This dissertation first presents an identity-based two-party AKA scheme for P2PSIP (or P2PSIP-ID-2AKA for short) that uses only the identity of each communicating party to achieve user authentication and key agreement. The proposed P2PSIP-ID-2AKA scheme generalizes easily to a group AKA scheme (or P2PSIP-ID-GAKA for short) that allows n communicating parties to authenticate one another and share a secret key. The proposed P2PSIP-ID-GAKA scheme runs in three rounds and requires only a constant number of elliptic curve point multiplications, regardless of the number of participating parties. Besides, the proposed P2PSIP-ID-GAKA scheme enables addition and exclusion of communicating parties as well as refreshing of the shared keys.
    Under the elliptic curve discrete logarithm problem and the hash Diffie-Hellman assumption, this dissertation shows that the proposed SIP-3-PAKA, SIP-4-PAKA, P2PSIP-ID-2AKA, and P2PSIP-ID-GAKA schemes all achieve mutual implicit key authentication, explicit key authentication, known key secrecy, perfect forward secrecy, and key control secrecy, and are secure against key compromise impersonation attacks and unknown key share attacks.

Table of contents (page numbers refer to the thesis):
    Chinese abstract ... i
    English abstract (ABSTRACT) ... iv
    Acknowledgements ... vi
    Table of contents ... vii
    Index of symbols ... x
    List of tables ... xiii
    List of figures ... xiv
    Chapter 1 Introduction ... 1
    1.1 Research background ... 2
    1.2 Research motivation and objectives ... 9
    1.3 Dissertation structure ... 14
    Chapter 2 Preliminaries ... 16
    2.1 One-way hash functions ... 16
    2.2 Elliptic curve cryptosystems ... 20
    2.3 Mathematical assumptions underlying Diffie-Hellman key agreement ... 25
    2.4 Identity-based cryptosystems ... 28
    2.5 Security requirements for authenticated key agreement schemes ... 32
    Chapter 3 Password-only authenticated key agreement ... 35
    3.1 System model and initialization phase ... 38
    3.1.1 System model and system assumptions ... 38
    3.1.2 System initialization phase ... 42
    3.2 SIP-PA scheme ... 45
    3.3 SIP-3-PAKA scheme ... 50
    3.4 SIP-4-PAKA scheme ... 60
    3.5 Security analysis ... 70
    3.5.1 Security analysis of the SIP-2-PA scheme ... 70
    3.5.1.2 Security analysis of the SIP-3-PAKA and SIP-4-PAKA schemes ... 73
    3.6 Efficiency analysis ... 77
    Chapter 4 Identity-based dynamic group authenticated key agreement ... 81
    4.1 System model and system initialization phase ... 83
    4.2 P2PSIP-ID-2AKA scheme ... 85
    4.3 P2PSIP-ID-GAKA scheme ... 88
    4.3.1 Group session key establishment ... 89
    4.3.2 Key update: entity join ... 96
    4.3.3 Key update: entity leave ... 101
    4.4 Security analysis ... 104
    4.4.1 Security model ... 104
    4.4.2 Security analysis ... 111
    4.5 Efficiency analysis ... 120
    Chapter 5 Conclusions and future work ... 123
    References ... 126
    Appendix A Chinese-English glossary of key terms ... 131

References:
    [ACMD10] M. Abdalla, C. Chevalier, M. Manulis, and D. Pointcheval, “Flexible group key exchange with on demand computation of subgroup keys,” in Proceedings of Africacrypt 2010, LNCS 6055, pp. 351-368, 2010.
    [AI11] R. Arshad and N. Ikram, “A novel authentication scheme for session initiation protocol based on elliptic curve cryptography,” in Proceedings of International Conference on Advanced Communication Technology 2011, pp. 705-710, 2011.
    [BCD02] E. Bresson, O. Chevassut, and D. Pointcheval, “Dynamic group Diffie-Hellman key exchange under standard assumptions,” in Proceedings of Advances in Cryptology - ASIACRYPT 2002, LNCS 2501, pp. 321-336, 2002.
    [BCDQ01] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater, “Provably authenticated group Diffie-Hellman key exchange,” in Proceedings of 8th ACM Conference on Computer and Communications Security - CCS 2001, pp. 255-264, 2001.
    [BCP01] E. Bresson, O. Chevassut, and D. Pointcheval, “Provably authenticated group Diffie-Hellman key exchange - the dynamic case,” in Proceedings of Advances in Cryptology - ASIACRYPT 2001, LNCS 2248, pp. 290-309, 2001.
    [BF01] D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” in Proceedings of Advances in Cryptology - CRYPTO 2001, LNCS 2139, pp. 213-229, 2001.
    [BGLS03] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate and verifiably encrypted signatures from bilinear maps,” in Proceedings of Advances in Cryptology - EUROCRYPT 2003, LNCS 2656, pp. 416-432, 2003.
    [BM98] S. Blake-Wilson and A. Menezes, “Authenticated Diffie-Hellman key agreement protocols,” in Proceedings of the 5th Annual Workshop on Selected Areas in Cryptography - SAC 1998, LNCS 1556, pp. 339-361, 1998.
    [BMSWD10] D. Bryan, P. Matthews, E. Shim, D. Willis, and S. Dawkins, “Concepts and terminology for peer to peer SIP,” draft-ietf-p2psip-concepts-03, 2010.
    [BN03] C. Boyd and G. Nieto, “Round-optimal contributory conference key agreement,” in Proceedings of Advances in Cryptology - PKC 2003, LNCS 2567, pp. 161-174, 2003.
    [CC07] Y.J. Choie, E. Jeong, and E. Lee, “On security proof of McCullagh-Barreto's key agreement protocol and its variants,” International Journal of Security and Networks, Vol. 2, No. 3, pp. 251-259, 2007.
    [DH76] W. Diffie and M.E. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, pp. 644-654, 1976.
    [DS05] A. Durlanik and I. Sogukpinar, “SIP authentication scheme using ECDH,” in Proceedings of World Academy of Science, Engineering and Technology, pp. 350-353, 2005.
    [Elg85] T. ElGamal, “A public key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Transactions on Information Theory, Vol. IT-31, No. 4, pp. 469-472, 1985.
    [GDKLG06] D. Geneiatakis, T. Dagiuklas, G. Kambourakis, C. Lambrinoudakis, and S. Gritzalis, “Survey of security vulnerabilities in session initiation protocol,” IEEE Communications Surveys & Tutorials, Vol. 8, Issue 3, pp. 68-81, 2006.
    [GKDLG05] D. Geneiatakis, G. Kambourakis, T. Dagiuklas, C. Lambrinoudakis, and S. Gritzalis, “SIP security mechanisms: a state-of-the-art review,” in Proceedings of International Network Conference - INC 2005, pp. 147-156, 2005.
    [GS08] T. Guillet, A. Serhrouchni, and M. Badra, “Mutual authentication for SIP: a semantic meaning for the SIP opaque values,” in Proceedings of International Conference on New Technologies, Mobility and Security - NTMS 2008, pp. 1-6, 2008.
    [H11] H.323 Forum, http://www.h323forum.org/, 2011.
    [HWB11] M. Hölbl, T. Welzer, and B. Brumen, “An improved two-party identity-based authenticated key agreement protocol using pairings,” accepted by Journal of Computer and System Sciences, 2011.
    [HXSJ10] M. Hou, Q. Xu, G. Shanqing, and H. Jiang, “Cryptanalysis on identity-based authenticated key agreement protocol from pairings,” Journal of Networks, Vol. 5, No. 7, pp. 855-862, 2010.
    [IETF92] Internet Engineering Task Force, “The MD5 message-digest algorithm,” RFC 1321, 1992.
    [IETF98] Internet Engineering Task Force, “Security architecture for the internet protocol,” RFC 2401, 1998.
    [IETF99] Internet Engineering Task Force, “HTTP authentication: basic and digest access authentication,” RFC 2617, 1999.
    [IETF02] Internet Engineering Task Force, “SIP: session initiation protocol,” RFC 3261, 2002.
    [IETF03] Internet Engineering Task Force, “Media gateway control protocol (MGCP),” RFC 3435, 2003.
    [IETF06] Internet Engineering Task Force, “Diameter session initiation protocol (SIP) application,” RFC 4740, 2006.
    [IETF10] Internet Engineering Task Force, “Elliptic curve cryptography (ECC) brainpool standard curves and curve generation,” RFC 5639, 2010.
    [JLRBS11] C. Jennings, B. Lowekamp, E. Rescorla, S. Baset, and H. Schulzrinne, “Resource location and discovery (RELOAD) base protocol,” draft-ietf-p2psip-base-15, 2011.
    [JZJ10] H. Jiang, R. Zhang, and Y. Jia, “Authenticated key-exchange scheme based on SGC-PKE for P2PSIP,” in Proceedings of 2nd International Conference on Network Security, Wireless Communications and Trusted Computing, pp. 352-356, 2010.
    [KHL04] K.Y. Choi, J.Y. Hwang, and D.H. Lee, “Efficient ID-based group key agreement with bilinear maps,” in Proceedings of Advances in Cryptology - PKC 2004, LNCS 2947, pp. 130-144, 2004.
    [KLL04] H.K. Kim, S.M. Lee, and D.H. Lee, “Constant-round authenticated group key exchange for dynamic groups,” in Proceedings of Advances in Cryptology - ASIACRYPT 2004, LNCS 3329, pp. 245-259, 2004.
    [Kob87] N. Koblitz, “Elliptic curve cryptosystems,” Mathematics of Computation, Vol. 48, No. 177, pp. 203-209, 1987.
    [KY03] J. Katz and M. Yung, “Scalable protocols for authenticated group key exchange,” in Proceedings of Advances in Cryptology - CRYPTO 2003, LNCS 2729, pp. 110-125, 2003.
    [LHL04] S.M. Lee, J.H. Hang, and D.H. Lee, “Efficient password-based group key exchange,” in Proceedings of TrustBus 2004, LNCS 3184, pp. 191-199, 2004.
    [LWT01] Y.C. Lin, T.C. Wu, and J.L. Tsai, “ID-based aggregate proxy signature scheme realizing warrant-based delegation,” accepted by Journal of Information Science and Engineering, 2011.
    [Man09] M. Manulis, “Group key exchange enabling on demand derivation of peer-to-peer keys,” in Proceedings of Applied Cryptography and Network Security - ACNS 2009, LNCS 5536, pp. 1-19, 2009.
    [MB05] N. McCullagh and P.S.L.M. Barreto, “A new two-party identity-based authenticated key agreement,” in Proceedings of CT-RSA 2005, LNCS 3376, pp. 262-274, 2005.
    [Mil85] V. Miller, “Uses of elliptic curves in cryptography,” in Proceedings of Advances in Cryptology - CRYPTO 1985, LNCS 218, pp. 417-426, 1985.
    [NIST93] National Institute of Standards and Technology, “Secure hash standard,” U.S. Department of Commerce, NIST FIPS PUB 180, 1993.
    [NIST02] National Institute of Standards and Technology, “Secure hash standard,” U.S. Department of Commerce, NIST FIPS PUB 180-2, 2002.
    [NIST07] National Institute of Standards and Technology, “Call for a new 'hash' algorithm,” U.S. Department of Commerce, November 8, 2007, available at http://www.nist.gov/itl/csd/sha_110807.cfm
    [NIST09] National Institute of Standards and Technology, “Digital signature standard (DSS),” U.S. Department of Commerce, NIST FIPS PUB 186-3, 2009.
    [Ran05] J. Randall, “Hash function update due to potential weakness found in SHA-1,” RSA Lab., June 30, 2011, available at http://www.rsa.com/rsalabs/node.asp?id=2834
    [RS04] J. Randall and M. Szydlo, “Collisions for SHA0, MD5, HAVAL, MD4, and RIPEMD, but SHA1 still secure,” RSA Lab., June 30, 2011, available at http://www.rsasecurity.com/rsalabs/node.asp?id=2738
    [RSA78] R.L. Rivest, A. Shamir, and L.M. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Communications of the ACM, Vol. 21, No. 2, pp. 120-126, 1978.
    [SEB11] H. Song, R. Even, and D. Bryan, “P2PSIP overlay diagnostics,” draft-ietf-p2psip-diagnostics-05, 2011.
    [Sha87] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Proceedings of Advances in Cryptology - CRYPTO 1984, LNCS 196, pp. 47-53, 1984.
    [Shim03] K. Shim, “Efficient ID-based authenticated key agreement protocol on Weil pairing,” Electronics Letters, Vol. 39, No. 8, pp. 653-654, 2003.
    [Sma02] N.P. Smart, “Identity-based authenticated key agreement protocol based on Weil pairing,” Electronics Letters, Vol. 38, No. 13, pp. 630-632, 2002.
    [SVP02] S. Salsano, L. Veltri, and D. Papalilo, “SIP security issues: the SIP authentication procedure and its processing load,” IEEE Network, Vol. 16, Issue 6, pp. 38-44, 2002.
    [Tsa09] J.L. Tsai, “Efficient nonce-based authentication scheme for session initiation protocol,” International Journal of Network Security, Vol. 9, No. 1, pp. 12-16, 2009.
    [Tse05] Y.M. Tseng, “A robust multi-party key agreement protocol resistant to malicious participants,” The Computer Journal, Vol. 48, No. 4, pp. 480-487, 2005.
    [WY05] X. Wang and H. Yu, “How to break MD5 and other hash functions,” in Proceedings of Advances in Cryptology - EUROCRYPT 2005, LNCS 3494, pp. 561-576, 2005.
    [YLJQ10] L. Yu, X. Liao, H. Jin, and P. Qin, “A hierarchical VoIP system based on peer-to-peer SIP: a manageable approach,” in Proceedings of 2010 10th International Conference on Computer and Information Technology - CIT 2010, pp. 2494-2500, 2010.
    [YWL05] C.C. Yang, R.C. Wang, and W.T. Liu, “Secure authentication scheme for session initiation protocol,” Computers and Security, Vol. 24, Issue 5, pp. 381-386, 2005.
    [YYKHJC10] E.J. Yoon, K.Y. Yoo, C. Kim, Y.S. Hong, M. Jo, and H.H. Chen, “A secure and efficient SIP authentication scheme for converged VoIP networks,” Computer Communications, Vol. 33, No. 14, pp. 1674-1681, 2010.

Full-text availability: released 2016/07/28 (campus network)
Full-text availability: not authorized for public release (off-campus network)
Full-text availability: not authorized for public release (National Central Library: Taiwan thesis and dissertation system)