Security Considerations on Three-Factor Anonymous Authentication Scheme for WSNs
1. Introduction
The Internet of Things (IoT) refers to a concept of connected objects and devices of all types over the Internet, wired or wireless [1] [2] [3] [4]. In such a dynamic system, devices are interconnected to transmit useful measurement information and control instructions via distributed wireless sensor networks (WSNs). A WSN is a network formed from a large number of sensor nodes, where each node is equipped with sensors to detect physical phenomena. Many security solutions have been proposed, but they cannot be applied directly to WSN security because of the unique characteristics of WSNs.
Various security schemes have been proposed to protect WSNs and IoT [5] - [12]. Das proposed a two-factor user authentication scheme over WSNs using a smartcard [5]. Many studies showed weaknesses of Das’s scheme, which lacks user anonymity, key agreement and mutual authentication. Furthermore, they showed that it suffers from attacks including password guessing, sensor node capture, gateway bypassing and denial-of-service attacks [6] [7] [8] [9] [10]. After those works, Jiang et al. proposed an untraceable user authentication scheme using an elliptic curve cryptosystem (ECC) [11]. Recently, Li et al. showed that Jiang et al.’s scheme has functional and security flaws and proposed a three-factor anonymous authentication scheme for WSNs in IoT environments [12]. They provided BAN logic verification with a security analysis and argued that their scheme provides security against the sensor node impersonation attack, resists the session-specific temporary information attack, and withstands various other attacks.
However, we find some common security flaws in Li et al.’s scheme: it is weak against a sensor node masquerading attack, suffers from a known session-specific temporary information attack and does not provide perfect forward secrecy.
The remaining parts of this paper are as follows: Section 2 introduces the fuzzy commitment scheme used in this paper; the review of Li et al.’s scheme in [12] is given in Section 3; Section 4 describes the security considerations on Li et al.’s scheme. Finally, Section 5 concludes the paper.
2. Fuzzy Commitment Scheme
Juels and Wattenberg proposed a fuzzy commitment scheme F(.), which is a cryptographic primitive [13]. F(.) allows an entity to commit to a chosen value while keeping it hidden from others in the system, with the ability to reveal the committed value later. The committed value is binding and thus cannot be changed by either party. Suppose
is a secure hash function which can commit a code word
using an n bit witness y as
, where
and
. The commitment
can be opened using a witness y', which is close to y but need not be identical to it. To open the commitment using y', the receiver computes
and checks whether
. If they are equal, the commitment is successfully opened. Otherwise, the witness y' is not valid. This paper uses the fuzzy commitment scheme because of the noisy characteristic of biometrics. In this scenario, the biometric template can be treated as the witness y, and c can be opened by the input biometric y', which is close to y.
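The commit/open procedure described above, as an added Python example that is not part of the original paper: it realises F(c, y) = (h(c), c XOR y) with SHA-256 as h and, as an assumption made only for the example, a 5-fold repetition code as the error-correcting code from which the codeword c is drawn. It shows that a witness y' within the code's correction radius opens the commitment while one outside it is rejected.

```python
import hashlib
import secrets

# Error-correcting code assumed for the example: a 5-fold repetition code.
# Each codeword bit is repeated REP times and decoded by majority vote, so
# up to (REP - 1) // 2 = 2 flipped bits per block are corrected. A deployment
# would use a stronger code (e.g. BCH); the commitment logic is unchanged.
REP = 5

def encode(message_bits):
    return [b for b in message_bits for _ in range(REP)]

def decode(code_bits):
    # Majority vote per block maps a noisy word back to the nearest codeword.
    return [1 if sum(code_bits[i:i + REP]) * 2 > REP else 0
            for i in range(0, len(code_bits), REP)]

def h(bits):
    return hashlib.sha256(bytes(bits)).hexdigest()

def commit(codeword, witness):
    # F(c, y) = (h(c), c XOR y): h(c) binds c, c XOR y hides it under the witness y.
    assert len(codeword) == len(witness)
    return h(codeword), [c ^ y for c, y in zip(codeword, witness)]

def open_commitment(commitment, witness_prime):
    # The receiver computes c' = decode((c XOR y) XOR y') and accepts iff h(c') == h(c).
    alpha, delta = commitment
    noisy_codeword = [d ^ y for d, y in zip(delta, witness_prime)]
    recovered = encode(decode(noisy_codeword))
    return h(recovered) == alpha

def random_codeword(k):
    # A random codeword c: encode k random message bits.
    return encode([secrets.randbelow(2) for _ in range(k)])

def flip_bits(bits, positions):
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out

def demo(k=8):
    # Constructed enrolment template y; only the commitment is stored, never y itself.
    y = [secrets.randbelow(2) for _ in range(k * REP)]
    stored = commit(random_codeword(k), y)
    close = flip_bits(y, [0, 7, 15])  # one flip in each of three blocks: within tolerance
    far = flip_bits(y, [0, 1, 2])     # three flips in one block: beyond tolerance
    return open_commitment(stored, close), open_commitment(stored, far)
```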
3. Three-Factor Anonymous Authentication Scheme
Li et al. proposed a three-factor anonymous authentication scheme based on fingerprint identification for WSNs in IoT environments [12]. Their scheme consists of three entities: user Ui, gateway node GWN and sensor node Sj. GWN is considered a trusted member and relays data between Ui and Sj. Initially, GWN needs to set up the system parameters. For that, GWN selects an additive group G over a finite field Fp on an elliptic curve, where the generator is a point P and its order is a large prime n. GWN generates a random number
as the private key and calculates the corresponding public key X = xP. Besides, GWN chooses a master secret key KGWN. GWN keeps x and KGWN secret, and publishes the parameters {E, Fp, P, X, G}. Table 1 shows the notations used in this paper.
3.1. Sensor Registration
The required values can be stored in the memory of the sensors in advance, before they are deployed in a particular area. GWN selects an identity SIDj for each sensor and computes the secret key
for SIDj. Then, GWN stores {SIDj, KGWN-S} in the memory of the sensor and deploys these sensors in a particular area to form a WSN.
3.2. User Registration
When a user Ui wants to acquire the sensory data of sensor node Sj in the WSN of a specific area, he/she needs to register with GWN. The phase is as follows:
1) Ui chooses an identity IDi and a password PWi, generates a nonce ai and calculates
. Then Ui imprints the biometric on a specific device and gets the biometric information bi. At last, Ui submits the registration request message {IDi, RPWi, bi} to GWN in a secure manner.
2) When obtaining the registration request, GWN chooses a random codeword
for Ui, and calculates
, where
and
. Then, GWN calculates
,
. After that, GWN stores {α, δ, Ai, Bi, X, f(.)} in a SC and distributes it to Ui through a secure channel. Finally, GWN stores IDi in its database and deletes the other information.
3) When Ui gets the SC, he/she stores ai into it, and the SC then contains the parameters {α, δ, Ai, Bi, X, f(.), ai}.
3.3. Login and Authentication
When Ui wants to access the sensory data of SIDj, he/she should be authenticated by GWN first, and the following steps are performed among Ui, GWN and SIDj.
1) Ui inserts the SC into a card reader and imprints the biometric
on a special device. Then SC calculates
and checks
. The session is terminated by SC if they are not equal. Otherwise, Ui passes the biometric verification and inputs IDi and PWi. Ui calculates
and checks
. The session is rejected by SC if they are not equal. Otherwise, Ui’s password and identity are verified by SC. The SC chooses random numbers ri and
, and calculates
,
,
,
,
,
, and
. At last, Ui submits the login request message {M2, M4, M5, M6, M7} to GWN.
2) When receiving the login request, GWN calculates
,
, and checks if
is in the database. If not, the request is terminated by GWN. Otherwise, GWN calculates
,
,
,
, and checks
. The session is rejected by GWN if they are not equal. Otherwise, GWN generates a random number rg, and calculates
,
,
,
and
. At last, GWN submits message {M8, M9, M10, M11} to Sj.
3) When receiving the message, Sj calculates
,
,
,
, and checks
. The session is rejected by Sj if the equation is not true. Otherwise, Sj generates a random number rj, and calculates
,
,
. Finally, Sj responds with the message {M12, M13} to GWN.
4) After getting the message from Sj, GWN calculates
,
,
, and checks
. The session is rejected if they are not equal. Otherwise, GWN calculates
,
and
. Finally, GWN submits the message {M14, M15, M16} to Ui.
5) When receiving messages from GWN, Ui calculates
,
,
,
, and checks
. The session is rejected if they are not equal. Otherwise, the authentication process is completed.
Finally, Ui can access the sensory data of Sj via GWN, and a session key SKi = SKGWN = SKj is shared among Ui, GWN and Sj. The conceptual phase is shown in Figure 1.
Figure 1. Login and authentication of Li et al.’s scheme.
3.4. Password Change
When Ui wants to update the password, he/she inserts SC into a reader, and imprints the biometric information
on a special device. Then, SC calculates
, and checks
. The session is rejected by SC if the equation is not true. Otherwise, Ui passes the biometric verification and inputs IDi and PWi. Ui calculates
and checks
. If they are not equal, the request is declined by SC. Otherwise, a new password
is allowed to be input. SC calculates
and
. Finally, SC updates Ai and Bi with
and
, respectively.
4. Security Consideration on Li et al.’s Scheme
In this section, security weaknesses of Li et al.’s scheme are analyzed based on a threat model.
4.1. Threat Model
A threat model is an essential part of the analysis of an authentication scheme. Threat modeling is a process for enhancing security by classifying vulnerabilities and objectives, and then defining preventive measures against threats to the system. In this work, a threat is a potential malicious attack from an adversary that can cause damage to the assets. We base the threat model on the following assumptions, which are derived from the Dolev and Yao threat model [14].
· Any IoT device may be corrupted and turned into a device controlled by the adversary. We refer to this as a malicious device. We assume that all cryptographic keys of the malicious device are known to the adversary.
· An adversary is able to eavesdrop on all communications between the entities involved over a public channel.
· An adversary has the ability to modify, delete, redirect and resend the eavesdropped messages.
· An adversary can be a legal user or an outsider in any system.
· An adversary can easily guess a low-entropy secret or identity individually, but guessing two secret parameters simultaneously is computationally infeasible in polynomial time.
· It is assumed that the protocol used in the authenticated key agreement system is known to the attacker.
· We assume that cryptosystems should be secure even if everything about the system, except the session key, is public knowledge.
Furthermore, we add the following assumptions to the Dolev and Yao model, which are needed for the proper cryptanalysis of Li et al.’s scheme:
· An adversary can extract the information from a smartcard or any device by examining power consumption and leaked information [15] [16].
· An adversary can steal the database from GWN, which works as a verification table of IDi.
4.2. Sensor Node Impersonation Attack
When an attacker collects any session’s C2 message of the login and authentication between GWN and Sj and gets the IDi database of GWN, he/she can masquerade as GWN to Ui or as Sj to GWN. For the attack, the attacker selects any
in the database and compute
,
,
,
, and checks
. If they are not equal, the attacker chooses the next candidate
and validates it again. Otherwise, the attacker’s guess of
is the correct identifier of Ui. Furthermore, the attacker correctly acquires the important long-term secret key between GWN and Sj, which is
.
So, the attacker can impersonate Sj by forming the reply message as follows. 1) The attacker generates a random number rj, and computes
,
,
. Finally, the attacker sends the message {M12, M13} to GWN. 2) GWN cannot tell that the message is from the attacker, so GWN authenticates the attacker’s message. Therefore, the attacker is authenticated to GWN and forms the session key
, which is the same as the session key of Ui and GWN.
4.3. Known Session-Specific Temporary Information Attack
For a user authentication scheme with key agreement, if the session key remains secure even though the session-specific temporary information, such as the random numbers generated by the system entities for the session key, is compromised, the authentication scheme is called secure against the known session-specific temporary information attack [17]. In Li et al.’s scheme, the session key, where and are temporary keys, is generated by Ui, GWN and Sj, respectively. Any adversary with IDi can calculate the session key SK. Therefore, Li et al.’s scheme is vulnerable to the known session-specific temporary information attack.
4.4. Deficiency of Perfect Forward Secrecy
Perfect forward secrecy is a required feature of a key agreement scheme: it assures that past session keys are not compromised even if the long-term secret key of the server is compromised. However, Li et al.’s scheme does not achieve perfect forward secrecy.
In Li et al.’s scheme, the attacker can compute all the session keys among Ui, GWN and Sj if the attacker knows one of the long-term keys, as follows. 1) The attacker gets {M8, M9, M10, M11} and {M12, M13} from a previous communication between GWN and Sj. 2) The attacker knows the long-term secret KGWN-S of Sj and can derive
,
,
and
. So, the attacker can compute
. Therefore, Li et al.’s scheme does not provide perfect forward secrecy.
5. Conclusion
In this paper, we present a cryptanalysis of Li et al.’s three-factor anonymous authentication scheme for WSNs in IoT environments. We have shown that an attacker can easily break the secrecy of Li et al.’s scheme by performing a sensor node masquerading attack. Furthermore, the scheme is vulnerable to the known session-specific temporary information attack and lacks perfect forward secrecy. Security is one of the most significant challenges for the success of IoT. IoT faces various challenges including active device monitoring, improper device updates, lack of efficient and robust security protocols and user unawareness. Thereby, IoT research should not focus only on technological developments but should also consider IoT security and privacy concerns.
Acknowledgements
The results in this paper are part of Mr. Beaton Ofesi Denice Kapito’s Master’s thesis. This work was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B04032598).