Abstract

Wireless sensor networks (WSNs) are used to monitor various environmental conditions including movement, pollution level, temperature, humidity, and etc. Secure authentication is very important for the success of WSNs. Li et al. proposed a three-factor anonymous authentication scheme in WSNs over Internet of things (IoT). They argued that their authentication scheme achieves more security and functional features, which are required for WSNs over IoT. Especially, they insisted that their user authentication scheme provides security against sensor node impersonation attack, and resists session-specific temporary information attack and various other attacks. However, this paper shows some security weaknesses in Li et al.’s scheme, especially focused on sensor node masquerading attack, known session-specific temporary information attack and deficiency of perfect forward secrecy. Especially, security considerations are very important to the modern IoT based applications. Thereby, the result of this paper could be very helpful for the IoT security researches.

Keywords

Security Considerations on Three-Factor Anonymous Authentication Scheme for WSNs

Share and Cite:

1. Introduction

The Internet of things (IoT) refers to a concept of connected objects and devices of all types over the Internet wired or wireless [1] [2] [3] [4]. In such a dynamic system, devices are interconnected to transmit useful measurement information and control instruction via distributed wireless sensor networks (WSNs). A WSN is a network formed with a large number of sensor nodes where each node is with sensors to detect physical phenomena. Many security solutions were proposed but they could not be applied to WSNs security due to the unique characteristics of WSNs.

Various security schemes were proposed to protect WSNs and IoT [5] - [12]. Das proposed a two-factor user authentication over WSNs using smartcard [5]. Many studies showed some weaknesses of Das’s scheme, which lacks feature of user anonymity, key agreement and mutual authentication. Furthermore, they showed that it suffers from attacks including password guessing, sensor node capture, gateway bypassing and denial-of-service attacks [6] [7] [8] [9] [10]. After those works, Jiang et al. proposed an untraceable user authentication scheme using elliptic curves cryptosystem (ECC) [11]. Recently, Li et al. showed that Jiang et al.’s scheme has functional and security flaws and proposed a three-factor anonymous authentication scheme for WSNs in IoT environments [12]. They provided BAN logic verification with security analysis and argued that their scheme provides security against sensor node impersonation attack, resists session-specific temporary information attack, and various other attacks.

However, we find some common security flaws in Li et al.’s scheme, which are weak against sensor node masquerading attack, suffer from known session-specific temporary information attack and do not provide perfect forward secrecy.

The remaining parts of this paper are as follows: Section 2 introduces fuzzy commitment scheme used in this paper; the review of Li et al.’s scheme in [12] is given in Section 3; Section 4 describes the security considerations on Li et al.’s scheme. Finally, Section 5 concludes the paper.

2. Fuzzy Commitment Scheme

Juels and Wattenberg proposed a fuzzy commitment scheme F(.), which is a cryptographic primitive [13]. F(.) allows an entity to commit a chosen value while keeping it hidden to others in the system with the ability to reveal the committed value later. The committed value is binding thus cannot be changed by either party. Suppose $h(.):{\left\{0,1\right\}}^{*}\to {\left\{0,1\right\}}^n$ is a secure hash function which can commit a code word $c\in C$ using an n bit witness y as $F\left(c,y\right)=\left\{\alpha ,\delta \right\}$, where $\alpha =h\left(c\right)$ and $\delta =y\oplus c$ . The commitment $F\left(c,y\right)=\left\{\alpha ,\delta \right\}$ can be opened using witness y', which is relatively close to y, but no need to be the same as y. To open the commitment using y', the receiver computes $c\prime =f\left(y\prime \oplus \delta \right)=f\left(c\oplus \left(y\prime \oplus y\right)\right)$ and checks whether $\alpha =h\left(c^{\prime }\right)$. If they are equal, the commitment is successfully open. Otherwise, the witness y' is not valid. This paper uses fuzzy commitment scheme due to the noisy characteristic of biometrics. In this scenario, biometric template can be treated as the witness y, and c can be opened by the input biometric y', which is close to y.

3. Three-Factor Anonymous Authentication Scheme

Li et al. proposed a three-factor anonymous authentication scheme based on fingerprint identification for WSNs in IoT environments [12]. Their scheme consists of three entities, user U_i, gateway node GWN and sensor node S_j. GWN is considered as a trusted member and communicates data between U_i and S_j. Initially, GWN needs to setup system parameters. For that, GWN selects an additive group G over a finite field F_p on an elliptic curve, where the generator is a point P and its order is a large prime n. GWN generates a random number $x\in Z_n^{\ast }$ as the private key and calculates the corresponding public key X = xP. Besides, GWN chooses a master secret key K_GWN. GWN keeps x and K_GWN secretly, and publishes the parameters {E, F_p, P, X, G}. Table 1 shows the notations used in this paper.

3.1. Sensor Registration

Required values could be stored in the memory of sensors in advance before they are deployed in a particular area. GWN selects an identity SID_j for each sensor and computes the secret key $K_{GWN\text{-}S}=h\left(SI{D}_j\parallel K_{GWN}\right)$ for SID_j. Then, GWN stores {SID_j,K_GWN-S} in the memory of the sensor and deploys these sensors in a particular area to forming a WSN.

3.2. User Registration

When a user U_i hopes to acquire the sensory data of sensor node S_j in the WSN in specific area, he/she needs to register to GWN. The phase is as follow:

l) U_i chooses an identity ID_i and a password PW_i and generates a nonce a_i and calculates $RP{W}_i=h\left(P{W}_i\parallel a_i\right)$ . Then U_i imprints the biometric on specific device and gets the biometric information b_i. At last, U_i submits the registration request message {ID_i, RPW_i, b_i} to GWN via a secure manner.

2) When obtaining the registration request, GWN chooses a random codeword $c_i\in C$ for U_i, and calculates $F\left(c_i,b_i\right)=\left(\alpha ,\delta \right)$, where $\alpha =h\left(c_i\right)$ and $\delta =c_i\oplus b_i$. Then, GWN calculates $A_i=h\left(I{D}_i\parallel RP{W}_i\parallel c_i\right)$, $B_i=h\left(I{D}_i\parallel K_{GWN}\right)\oplus h\left(RP{W}_i\parallel c_i\right)$ . After that, GWN stores {α,δ, A_i, B_i, X, f(.)} in a SC, and distributes in to U_i through a secure channel. Finally, GWN stores ID_i in its database and deletes other information.

3) When gets the SC, U_i stores a_i into it, and the SC contains parameters {α,δ, A_i, B_i, X, f(.), a_i}.

3.3. Login and Authentication

When U_i wants to access the sensory data of SID_j, he/she should be authenticated by GWN first, and the following steps should be performed among U_i, GWN and SID_j.

l) U_i inserts SC into a card reader and imprints the biometric ${b^{\prime }}_i$ on a special device. Then SC calculates ${c^{\prime }}_i=f\left({b^{\prime }}_i\oplus \delta \right)=f\left(c_i\oplus \left(b_i\oplus {b^{\prime }}_i\right)\right)$ and checks $h\left({c^{\prime }}_i\right)?=\alpha =h\left(c_i\right)$. The session is terminated by SC if they are not equal. Otherwise, U_i passes the biometric verification and inputs ID_i and PW_i. U_i calculates ${A^{\prime }}_i=h\left(I{D}_i\parallel h\left(P{W}_i\parallel a_i\right)\parallel {c^{\prime }}_i\right)$ and checks ${A^{\prime }}_i?=A_i$. The session is rejected by SC if they are not equal. Otherwise, U_i’s password and identity are verified by SC. The SC chooses random numbers r_i and $s\in Z_n^{\ast }$, and calculates $M_{\text{1}}=B_i\oplus h\left(h\left(P{W}_i\parallel a_i\right)\parallel {c^{\prime }}_i\right)$, $M_{\text{2}}=sP$, $M_{\text{3}}=sX=sxP$, $M_{\text{4}}=I{D}_i\oplus M_{\text{3}}$, $M_{\text{5}}=M_{\text{1}}\oplus r_i$, $M_{\text{6}}=h\left(I{D}_i\parallel r_i\right)\oplus SI{D}_j$, and $M_{\text{7}}=h\left(M_{\text{1}}\parallel SI{D}_j\parallel M_{\text{3}}\parallel r_i\right)$. At last, U_i submits the login request message {M₂, M₄, M₅, M₆, M₇} to GWN.

2) When receiving the login request, GWN calculates ${M^{\prime }}_{\text{3}}=x{M}_{\text{2}}=xsP$, $I{D^{\prime }}_i=M_{\text{4}}\oplus {M^{\prime }}_{\text{3}}$, and checks if $I{D^{\prime }}_i$ is in the database. If not, the request is terminated by GWN. Otherwise, GWN calculates ${M^{\prime }}_{\text{1}}=h\left(I{D^{\prime }}_i\parallel K_{GWN}\right)$, ${r^{\prime }}_i=M_{\text{5}}\oplus {M^{\prime }}_{\text{1}}$, $SI{D^{\prime }}_j=M_{\text{6}}\oplus h\left({r^{\prime }}_i\parallel I{D}_i\right)$, ${M^{\prime }}_{\text{7}}=h\left(M_{\text{1}}\parallel SI{D^{\prime }}_j\parallel {M^{\prime }}_{\text{3}}\parallel {r^{\prime }}_i\right)$ , and checks ${M^{\prime }}_{\text{7}}?=M_{\text{7}}$ . The session is rejected by GWN if they are not equal. Otherwise, GWN generates a random number r_g, and calculates ${K^{\prime }}_{GWN\text{-}S}=h\left(SI{D^{\prime }}_j\parallel K_{GWN}\right)$, $M_{\text{8}}=I{D^{\prime }}_i\oplus {K^{\prime }}_{GWN\text{-}S}$, $M_{\text{9}}=r_g\oplus h\left(I{D^{\prime }}_i\parallel {K^{\prime }}_{GWN\text{-}S}\right)$, $M_{\text{1}0}=r_g\oplus {r^{\prime }}_i$ and $M_{\text{11}}=h\left(I{D^{\prime }}_i\parallel SI{D^{\prime }}_j\parallel {K^{\prime }}_{GWN\text{-}S}\parallel {r^{\prime }}_i\parallel r_g\right)$ . At last, GWN submits message {M₈, M₉, M₁₀, M₁₁} to S_j.

3) When receiving the message, S_j calculates $I{D^{″}}_i=M_{\text{8}}\oplus K_{GWN\text{-}S}$, ${r^{\prime }}_g=h\left(I{D^{″}}_i\parallel K_{GWN\text{-}S}\right)\oplus M_{\text{9}}$, ${r^{″}}_i={r^{\prime }}_g\oplus M_{\text{1}0}$, ${M^{\prime }}_{\text{11}}=h\left(I{D^{″}}_i\parallel SI{D}_j\parallel K_{GWN\text{-}S}\parallel {r^{″}}_i\parallel {r^{\prime }}_g\right)$, and checks ${M^{\prime }}_{\text{11}}?=M_{\text{11}}$. The session is rejected by S_j if the equation is not true. Otherwise, S_j generates a random number r_j, and calculates $M_{\text{12}}=r_j\oplus K_{GWN\text{-}S}$, $S{K}_j=h\left(I{D^{″}}_i\parallel SI{D}_j\parallel {r^{″}}_i\parallel {r^{\prime }}_g\parallel r_j\right)$, $M_{\text{13}}=h\left(K_{GWN\text{-}S}\parallel S{K}_j\parallel r_j\right)$.Finally, S_j responses the message {M₁₂, M₁₃} to GWN.

4) After getting the message from S_j, GWN calculates ${r^{\prime }}_j=M_{\text{12}}\oplus {K^{\prime }}_{GWN\text{-}S}$, $S{K}_{GWN}=h\left(I{D^{\prime }}_i\parallel SI{D^{\prime }}_j\parallel {r^{\prime }}_i\parallel r_g\parallel {r^{\prime }}_j\right)$ , ${M^{\prime }}_{\text{13}}=h\left(K_{GWN\text{-}S}\parallel S{K}_{GWN}\parallel {r^{\prime }}_j\right)$, and checks ${M^{\prime }}_{\text{13}}?=M_{\text{13}}$. The session is rejected if they are not equal. Otherwise, GWN calculates $M_{\text{14}}={M^{\prime }}_{\text{1}}\oplus r_g$, $M_{\text{15}}={r^{\prime }}_i\oplus {r^{\prime }}_j$ and $M_{\text{16}}=h\left(I{D^{\prime }}_i\parallel S{K}_{GWN}\parallel r_g\parallel {r^{\prime }}_j\right)$. Finally, GWN submits the message {M₁₄, M₁₅, M₁₆} to U_i.

5) When receiving messages from GWN, U_i calculates ${r^{″}}_g=M_{\text{14}}\oplus M_{\text{1}}$, ${r^{″}}_j=M_{15}\oplus r_i$, $S{K}_i=h\left(I{D^{\prime }}_i\parallel SI{D^{\prime }}_j\parallel r_i\parallel {r^{″}}_g\parallel {r^{″}}_j\right)$, ${M^{\prime }}_{\text{16}}=h\left(I{D}_i\parallel S{K}_i\parallel {r^{″}}_g\parallel {r^{″}}_j\right)$, and checks ${M^{\prime }}_{\text{16}}?=M_{\text{16}}$. The session is rejected if they are not equal. Otherwise, the authentication process is completed.

Finally, U_i can access the sensory data of S_j via GWN, and a session key SK_i = SK_GWN = SK_j is shared among U_i, GWN and S_j. The conceptual phase is shown in Figure 1.

3.4. Password Change

When U_i wants to update the password, he/she inserts SC into a reader, and imprints the biometric information ${b^{\prime }}_i$ on a special device. Then, SC calculates ${c^{\prime }}_i=f\left(\delta \oplus {b^{\prime }}_i\right)=f\left(c_i\oplus \left(b_i\oplus {b^{\prime }}_i\right)\right)$, and checks $h\left({c^{\prime }}_i\right)?=\alpha =h\left(c_i\right)$ . The session is rejected by SC if the equation is not true. Otherwise, U_i passes the biometric verification and inputs ID_i and PW_i. U_icalculate ${A^{\prime }}_i=h\left(I{D}_i\parallel h\left(P{W}_i\parallel a_i\right)\parallel {c^{\prime }}_i\right)$ and checks ${A^{\prime }}_i?=A_i$. If they are not equal, the request is declined by SC. Otherwise, a new password $P{W}_i^{\ast }$ is allowed to be input. SC calculates $A_i^{\ast }=h\left(I{D}_i\parallel h\left(P{W}_i^{\ast }\parallel a_i\right)\parallel {c^{\prime }}_i\right)$ and $B_i^{\ast }=B_i\oplus h\left(h\left(P{W}_i\parallel a_i\right)\parallel {c^{\prime }}_i\right)\oplus h\left(h\left(P{W}_i^{\ast }\parallel a_i\right)\parallel {c^{\prime }}_i\right)$. Finally, SC updates A_i and B_i with $A_i^{\ast }$ and $B_i^{\ast }$, respectively.

4. Security Consideration on Li et al.’s Scheme

In this section, security weaknesses of Li et al.’s scheme are analyzed based on a threat model.

4.1. Threat Model

A threat model is an imperative module of the research of an authentication scheme. The threat model is a process for enhancing security by classifying vulnerabilities and objectives, and then defining preventive measures of threats to the system. In this work, a threat is a potential malicious attack from an adversary that can cause damage to the assets. We base the threat model on the following assumptions, which is based on Dolev and Yao threat model [14].

· Any IoT device may be corrupted and turned into a device controlled by the adversary. We refer this as a malicious device. We assume that all cryptographic keys of the malicious device are known to the adversary.

· An adversary is able to eavesdrop all the communications between the entities involved in the communication chancel over a public channel.

· An adversary has the potential to modify a message, delete, redirect and resend the eavesdropped transmitted messages.

· An adversary can be a legal user or an outsider in any system.

· An adversary can guess low entropy secret and identity individually easily but guessing two secret parameters is computationally infeasible in polynomial time.

· It is assumed that the protocol used in the authenticated key agreement system is known to the attacker.

· We assume that cryptosystems should be secure even if everything about the system, except the session key, is public knowledge.

Furthermore, we add more assumptions to Delev and Yao model that are for the proper cryptanalysis of Li et al.’s scheme as follows:

· An adversary can extract the information from smartcard or any device by examining power consumption and leaked information [15] [16].

· An adversary can steal the database from GWN, which works as a verification table of ID_i.

4.2. Sensor Node Impersonation Attack

When an attacker collects any session’s C2 message for the login and authentication betweenGWN to S_j and gets the ID_i database in GWN, he/she can masquerade as GWN to U_i or S_j to GWN. For the attack, the attacker could select any $I{D^{\prime }}_i$ in the database and compute ${K^{\prime }}_{GWN\text{-}S}=M_{\text{8}}\oplus I{D^{\prime }}_i$, ${r^{\prime }}_g=h\left(I{D^{\prime }}_i\parallel {K^{\prime }}_{GWN\text{-}S}\right)\oplus M_{\text{9}}$, ${r^{\prime }}_i={r^{\prime }}_g\oplus M_{\text{1}0}$, ${M^{\prime }}_{\text{11}}=h\left(I{D^{\prime }}_i\parallel SI{D}_j\parallel {K^{\prime }}_{GWN\text{-}S}\parallel {r^{\prime }}_i\parallel {r^{\prime }}_g\right)$, and checks ${M^{\prime }}_{\text{11}}?=M_{\text{11}}$. The attacker chooses the next candidate $I{D^{\prime }}_i$ and applies validation of it again. Otherwise, the attacker’s guess of $I{D^{\prime }}_i$ is the correct identifier of U_i. Furthermore, the attacker acquires the important long-term secret key between GWN and S_j correctly, which is ${K^{\prime }}_{GWN\text{-}S}$.

So, the attacker could impersonate as S_j after the success of the reply message formation as follows. 1) The attacker generates a random number r_j, and computes $M_{\text{12}}=r_j\oplus {K^{\prime }}_{GWN\text{-}S}$, $S{K}_j=h\left(I{D^{\prime }}_i\parallel SI{D}_j\parallel {r^{\prime }}_i\parallel {r^{\prime }}_g\parallel r_j\right)$, $M_{\text{13}}=h\left({K^{\prime }}_{GWN\text{-}S}\parallel S{K}_j\parallel r_j\right)$. Finally, the attacker responses the message {M₁₂, M₁₃} to GWN. 2) GWN cannot figure out that the message is from the attacker. So, GWN authenticates the attacker’s message. Therefore, the attacker can be authenticated to GWN with forming the session key $S{K}_j=h\left(I{D^{\prime }}_i\parallel SI{D}_j\parallel {r^{\prime }}_i\Vert {r^{\prime }}_g\parallel r_j\right)$, which is the same to U_i and GWN’s session key.

4.3. Known Session-Specific Temporary Information Attack

For a user authentication scheme with key agreement, if the session key is secure even though the session-specific temporary information, such as random numbers generated by system entities for the session key, is compromised, the authentication scheme can be called secure against to known session-specific temporary information attack [17]. In Li et al.’s scheme, the session key, where and are temporary keys, is generated by U_i, GWN and S_j, respectively. Any adversary with ID_i can calculate the session key SK. Therefore, Li et al.’s scheme is vulnerable to known session-specific temporary information attack.

4.4. Deficiency of Perfect Forward Secrecy

Perfect forward secrecy is a required feature for the key agreement scheme, which gives assurances the session key is not compromised even if the long-term secret key of the server is compromised. But Li et al.’s scheme does not achieve perfect forward secrecy.

In Li et al.’s scheme, the attacker can compute all the session keys among U_i, GWN and S_j if the attacker knows one of long-term keys as follows. 1) The attacker gets {M₈, M₉, M₁₀, M₁₁} and {M₁₂, M₁₃} in the previous communication between GWN and S_j. 2) The attacker knows one of long-term secret K_GWN-S of S_j and could derive $I{D^{\prime }}_i=M_{\text{8}}\oplus K_{GWN\text{-}S}$, ${r^{\prime }}_g=h\left(I{D^{\prime }}_i\parallel K_{GWN\text{-}S}\right)\oplus M_{\text{9}}$, ${r^{\prime }}_i={r^{\prime }}_g\oplus M_{\text{1}0}$ and ${r^{\prime }}_j=M_{\text{12}}\oplus K_{GWN\text{-}S}$. So, the attacker can compute $S{K}_j=h\left(I{D^{\prime }}_i\parallel SI{D}_j\parallel {r^{\prime }}_i\Vert {r^{\prime }}_g\parallel {r^{\prime }}_j\right)$ . Therefore, Li et al.’s scheme does not provide perfect forward secrecy.

5. Conclusion

In this paper, we present a cryptanalysis of Li et al.’s three-factor anonymous authentication scheme for WSNs in IoT environments. We have shown that an attacker can easily disturb the secrecy of Li et al.’s scheme by performing sensor node masquerading attack. Furthermore, it is vulnerable to known session-specific temporary information attack and has deficiency of perfect forward secrecy. Security is one of the most significant challenges for the success of IoT. IoT faces various challenges including active device monitoring, improper device updates, lack of efficient and robust security protocols and user unawareness. Thereby, IoT research should be done not just focused on the technological developments but also considering IoT security and privacy concerns.

Acknowledgements

The results in this paper are the parts of Mr. Beaton Ofesi Denice Kapito’s Master degree thesis. This work was supported by Basic Science Research program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B04032598).

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

References