On the security of a provably secure,efficient,and flexible authentication scheme for ad hoc wireless sensor networks

Abstract

In a recent paper, Chang and Le proposed an efficient smart card–based authenticated key exchange protocol (which is referred to as CL scheme) for heterogeneous ad hoc wireless sensor networks. However, we found that the CL scheme is subject to sensor capture attack which breaks the session key security of the CL scheme. An improved protocol is proposed to fix this problem.

Keywords

Cryptanalysis authenticated key exchange wireless sensor network security attack security model

Introduction

Wireless sensor networks (WSNs) play more and more important role in many critical practical applications, such as battle field monitoring, healthy data acquisition, and many others. In WSN-based applications, data collected and stored by sensors are usually valuable and sensitive, which should be protected against unauthorized access from malicious attackers. An ideal solution for providing both secrecy and authentication is to apply the well-known cryptographic primitive—authenticated key exchange (AKE). The “form” of an AKE protocol here is closely related to the system model of the deployed WSNs.

System model

We here consider a system model (shown in Figure 1) for heterogeneous ad hoc WSNs which involve three types of principles, that is, users (U), sensors (S), and a gateway node (GWN). In this system, a user may hold a smart card, who wants to access or configure a sensor (on-site) in terms of actual field conditions. The user’s smart card is used as a security tool to authenticate the user via both memorable password and its stored long-term symmetric authentication key. Meanwhile, an AKE protocol is typically executed among user’s smart card, sensor, and GWN to establish a secure channel between user and sensor. Since the smart card and sensor do not share an authentication key, the online authentication is carried out by the remote GWN which shares symmetric authentication keys with users and sensors, respectively.

Figure 1.

System model.

Related work

A sensor node is typically limited in power, storage, and computation resources. This has led to the development of so-called “lightweight” multi-factor user authentication schemes and AKE protocols for WSNs.^1–15 However, these AKE schemes have various protocol structures determined by underlying wireless sensor networks. For example, the protocols proposed in previous studies^10,12–17 are specifically designed for Internet of things (IoT), wherein the GWN stands in the middle of the user and the sensor to take charge of the communication between them. We refer the reader to the work by Ferrag et al.¹⁸ for more recently proposed lightweight AKE schemes. In this article, we primarily concern about the AKE schemes^{1,2,6,7,9–11} under the system model shown in Figure 1. Note that building a secure AKE protocol for WSNs is non-trivial, since more than two participants and multiple authentication factors might be involved. Any subtle errors may lead to a broken protocol. Specifically, several previous schemes are found^1,5,7,9,11 to be vulnerable to certain practical active attacks.

Chang and Le⁹ recently showed that a previous protocol proposed by Turkanovic et al.⁷ is vulnerable to stolen smart card attack, impersonation attack with node capture, sensor node spoofing attack, stolen verifier attack, and backward secrecy attack. As an improvement of Turkanovic et al.’s scheme, two lightweight AKE protocols (i.e. called P1 and P2) were introduced by Chang and Le⁹ (which will be referred to as CL scheme), which can provide both authentication and data privacy for the communication between user and sensor. The CL scheme can be considered as a trade-off between security and performance; that is, the CL scheme aims to satisfy the most desirable security attributes but provides high performance with low computation and communication cost (which are important for WSNs). In particular, only one authentication key is required to be stored at GWN. This dramatically improves the storage performance of GWN. Besides the efficiency, one of the advantages of the CL scheme is its provable security. The security of the CL scheme was proven in a model (which will be referred to as CL model) that is derived from the AKE model by Bellare et al.¹⁹ A protocol with security proof is reasonably necessary to formally show that its targeting security goals and properties (specified by the corresponding security model) are satisfied.

However, a security proof itself needs time to be further validated and discussed by researchers to avoid errors that were somehow overlooked. In 2016, Das et al.¹¹ instigated the weaknesses of CL protocols, that is, the CL protocols cannot resist with smart card lost/stolen attacks and session-specific temporary information attacks. The password update phase of the CL protocols was also criticized by Das et al. by lacking of local password verification during the authentication phase. In order to enhance the security of the CL protocols, an efficient three-factor AKE for WSNs is presented to eliminate the weaknesses of the CL protocols.

Our results

In this work, we further revisit the security results of the CL scheme. We first notice that some key elements (e.g. the freshness and security experiment) in the CL security model are not well-formulated at all. This may lead to an awkward situation that no protocols can be proven secure in the CL model. We hereby clarify the ambiguities and fix up the loopholes in the CL model by showing a revised version. Furthermore, we notice that some recently proposed multi-factor AKE protocols^11,14 are claimed to satisfy probably security. But similar problems can be also found in the models defined in these literature. Hence, our improved model can serve as a guidance to show how to formulate security definitions for three-party multi-factor AKE protocols. Researchers can simply derive new appropriate security models from ours to formally re-analyze the state-of-the-art “provable secure” AKE protocols^11,14 for WSNs.

In particular, we figure out that the CL scheme cannot provide session key security as claimed by the authors since it is unable to resist with sensor capture attack, namely, the security result of Chang and Le⁹ Theorem 2 is incorrect. We show that the attackers can make use of a corrupted sensor to impersonate arbitrary uncorrupted users to uncompromised sensors as it wishes. We notice that such corruption of a sensor is allowed in the security analysis of P2.⁹ It is not hard to see that such attack is very harmful in real-world applications. For example, if an attacker plants a malicious sensor, then it can intercept all communications among uncorrupted principles. In order to fix this problem, we give a simple and effective improvement with minimum modifications to P2. The improved scheme is also shown as an example to achieve the provable security with random oracles in our revised security model.

Organizations

The remainder of the article is organized as follows. Section “Security model” discusses the problems of the CL model and introduces our revised security model. Subsequently, in section “On the security of the CL protocol,” we introduce an attack against the CL scheme and our improvement. Section “Performance comparison” shows our experimental and comparison results. Finally, section “Conclusion” concludes this article.

Security model

The CL model⁹ is defined very vaguely and informally. Based on the CL model, it cannot be used to analyze the security and the corresponding proof of the CL protocol. In the sequel, we first give some remarks on relevant important notions which are defined inappropriately in the CL model. Second, we re-define the security definitions to obtain an improved security model. The notations used in the rest of the article are first recalled in Table 1.

Table 1.

Notations.

$U_{i}$	User
$GWN$	Gateway node
$S_{j}$	Sensor node
$I D_{i}$	Identity of a party
$SI D_{j}$	Identity of a sensor
$I D_{GWN}$	Identity of GWN
$ℐ D$	General identity which might denote an
	Identity in ${ID, SID, I D_{GWN}}$
$p w_{i}$	Password of $U_{i}$
$S C_{i}$	Smart card of $U_{i}$
$X_{GWN}$	Long-term secret of GWN
$T_{i}$	Timestamp
$Δ_{T}$	Expected transmission delay
$r_{i}, K_{i}$	Random numbers
$P$	Point on an elliptic curve
$P \cdot x$	x-axis value of the point P
$\| \|, \oplus, h ()$	Concatenation, XOR, and hash operation

Remarks on the CL security model

We hereby mainly discuss the problems of the CL model from the following two perspectives: (1) freshness and (2) security experiment. Note that all these elements are fundamental to a security model, which are unfortunately not well addressed by the CL model. We review the freshness defined in the CL model:

Freshness

The instance $Π_{U_{i}}^{u}$ or $Π_{S_{j}}^{t}$ is fresh if their session key $SK$ has not been revealed to the adversary $A$ .⁹

The problems of such freshness definition are summarized as follows:

In the CL model, there is no $RevealKey$ query (as in the work by Bellare et al.¹⁹) which allows the adversary to obtain the session key of a session. Hence, there is no way for an adversary to reveal the session key in the CL security experiment.

$CorruptSC$ and $CorruptS$ queries are defined without any restrictions on this freshness definition. This implies that an adversary $A$ can trivially ask a $CorruptSC (Π_{U_{i}}^{l})$ query to obtain the long-term secret key of $U_{i}$ , even for the target session. Then $A$ is able to run some protocol instance with $Π_{S_{j}}^{t}$ on behalf of $U_{i}$ and select $Π_{S_{j}}^{t}$ as the test session in the security experiment. In this situation, $A$ can always win using her own ephemeral secret key and the long-term secret key of $U_{i}$ .

According to the above discussions, we, first, have the conclusion that no protocol can be secure in the CL model.

Second, the security experiment is not clearly defined. There is no formulation on the timing of oracle queries which are performed in the security experiment. For example, whether an adversary can keep asking oracle queries after the Test query. This would also affect the security definition. Note that the adversary is allowed to ask many $Test$ queries in the CL model. However, the guess bit $b'$ returned by an adversary is not associated with a specific Test query so that we cannot correctly evaluate the advantage of an adversary.

Improved security model

We here define a security model which is suitable for proving the CL protocol. This model follows from indistinguishability-based AKE security models.^19–22 In the following, let $ℓ, ρ, d \in N$ be positive integers. In the execution environment, we fix a set of $ℓ$ honest users and $ρ$ sensors at all. We may use a general $I D$ in the following to denote one of these kinds of identity in ${ID, SID, I D_{GWN}}$ .

We assume that each honest party can only sequentially execute the protocol. This restriction is used to prevent replay attacks. This is characterized by a collection of oracles ${Π_{I D_{i}}^{s} : i \in [ℓ], s \in [d]}$ for users, oracles ${Π_{SI D_{j}}^{t} : j \in [ρ], t \in [d]}$ for sensors, and oracles ${Π_{I D_{GWN}}^{z} : z \in [(ρ + ℓ) d]}$ for GWN. Each oracle $Π_{I D}^{s}$ behaves as party $I D$ carrying out a process to execute the $s th$ protocol instance with some partner (which is determined during the protocol execution). All oracles of $I D$ have access to the authentication credential–related information stored on the devices (e.g. the smart card of a user and GWN). For time $T_{i}$ and pre-specified time interval $Δ_{T}$ , only one protocol instance can be executed within time period $[T_{i}, T_{i} + Δ_{T}]$ .

Moreover, we assume each oracle $Π_{I D}^{s}$ maintains a list of independent internal state variables including (1) $Φ_{I D}^{s}$ —execution state $Φ_{I D}^{s} \in {accept, reject}$ , (2) ${pid}_{I D}^{s}$ —identity of the intended communication partner, (3) $T_{I D}^{s}$ —timestamp at when the oracle is executed, (4) $K_{I D}^{s}$ —session key, and (5) ${TM}_{I D}^{s}$ —the protocol messages orderly sent and received by $Π_{I D}^{s}$ . Furthermore, we will always assume (for simplicity) that $K_{I D}^{s} = \emptyset$ if an oracle has not reached accept state (yet).

Adversarial model

An active adversary $A$ in this model is formalized as a probabilistic polynomial time (PPT) Turing Machine. The active attack powers of an adversary are formulated by allowing it to ask the following queries:

$Execute (I D_{i}, s, SI D_{j}, t, I D_{GWN}, u)$ : If $Π_{I D_{i}}^{s}$ , $Π_{SI D_{j}}^{t}$ , and $Π_{I D_{GWN}}^{u}$ have not yet been used, this oracle executes the protocol between these instances and gives the transcript of this execution to the adversary. This oracle query models passive eavesdropping of a protocol execution.

$Send (I D_{i}, s, m)$ : The adversary can use this query to send any message $m$ of his own choice to the oracle $Π_{I D_{i}}^{s}$ . The oracle will respond with the next message $m^{*}$ (if any) to be sent according to the protocol specification and its internal states. Oracle $Π_{I D_{i}}^{s}$ would be initiated via sending the oracle the first message $m = (T, I D_{j})$ consisting of a special initialization symbol $T$ and the identity $I D_{j}$ of the intended partner. After answering a $Send$ query, the oracle variables will be updated depending on the specific protocol.

$RevealKey (I D_{i}, s)$ : Oracle $Π_{I D_{i}}^{s}$ responds with the contents of the variable $K_{I D_{i}}^{s}$ if and only if the oracle $Π_{I D_{i}}^{s}$ has reached an internal state $Φ_{I D_{i}}^{s} = accept$ and $I D_{i} \neq I D_{GWN}$ .

$CorruptSC (I D_{i})$ : This query returns information stored on the smart card of the user $I D_{i}$ .

$CorruptS (SI D_{j})$ : This query returns information stored on the sensor $SI D_{j}$ .

$Test (I D_{i}, s)$ : If oracle $Π_{I D_{i}}^{s}$ has state $Φ_{I D_{i}}^{s} \neq accept$ or $K_{I D i}^{s} = \emptyset$ or $I D_{i} = I D_{GWN}$ , then the oracle returns some failure symbol ⊥. Otherwise, it flips a random bit $b$ , samples a random key $K_{0} \overset{$}{\to} K ake$ , and sets $K_{1} = K_{I D_{i}}^{s}$ , where $K ake$ is a session key space. Finally, the key $K_{b}$ is returned. The oracle $Π_{I D_{i}}^{s}$ selected by adversary in this query is called as test oracle.

Secure AKE protocols

During the protocol execution, two oracles may interact with each other to exchange messages for key establishment. We here define a notion concerning partnership following Bellare and Rogaway²² which is specifically introduced for three-party AKE. Note that the patterning notion in Chang and Le⁹ is defined in a similar way (but quite informal).

Let $pf : I D_{i}, s, {pid}_{I D_{i}}^{s}, T_{I D_{i}}^{s}, {TM}_{I D_{i}}^{s} \to (I D_{j}, t)$ be a partner function²² which is a map on given execution states of $Π_{I D_{i}}^{s}$ points to its partner oracle $Π_{I D_{j}}^{t}$ , where $I D_{j} \in {pid}_{I D_{i}}^{s}$ and $t \in [d]$ . The output of partner function should be uniquely determined by ${TM}_{I D_{i}}^{s}$ of each oracle. In terms of the CL protocol, we realize $pf$ by returning $(I D_{j}, t)$ if and only if all of the following conditions are held:

Both $Π_{I D_{i}}^{s}$ and $Π_{I D_{j}}^{t}$ accept.

$I D_{j} \in {pid}_{I D_{i}}^{s}$ and $I D_{i} \in {pid}_{I D_{j}}^{t}$ ;

$0 \leq | T_{I D_{i}}^{s} - T_{I D_{j}}^{t} | \leq Δ_{T}$ ;

${TM}_{I D_{i}}^{s} \subseteq {TM}_{I D_{j}}^{t}$ or ${TM}_{I D_{j}}^{t} \subseteq {TM}_{I D_{i}}^{s}$ .

$Π_{I D_{j}}^{t}$ is the unique oracle (which meets the above conditions).

Correctness

We say an AKE protocol $Π$ is correct if two accepted oracles $Π_{I D_{i}}^{s}$ and $Π_{I D_{j}}^{t}$ are partner, then both oracles hold the same session key.

In order to define the security, we define two notions on oracle freshness that describe the active attacks allowed in the following security experiment. Let $Π_{I D_{i}}^{s}$ be an accepted oracle with intended partner $I D_{j}$ , where $(I D_{i}, I D_{j}) \neq I D_{GWN}$ . And let $Π_{I D_{j}}^{t}$ be an oracle (if it exists), such that $Π_{I D_{i}}^{s}$ is a partner oracle of $Π_{I D_{j}}^{t}$ , that is, $pf (I D_{i}, s, {pid}_{I D_{i}}^{s}, T_{I D_{i}}^{s}, {TM}_{I D_{i}}^{s}) \to (I D_{j}, t)$ .

Definition 1

Oracle Freshness with Forward Secrecy (OFFS)—the oracle $Π_{I D_{i}}^{s}$ is said to be $OFFS - fresh$ if none of the following conditions holds:

$A$ queried $RevealKey (I D_{i}, s)$ ;

If $Π_{I D_{j}}^{t}$ exists, $A$ queried $RevealKey (I D_{j}, t)$ ;

If $I D_{i}$ is user, $A$ queried either $CorruptSC (I D_{i})$ or $CorruptS (SI D_{j})$ prior to the acceptance of $Π_{I D_{i}}^{s}$ ;

If $I D_{i}$ is sensor, $A$ queried either $CorruptS (SI D_{i})$ or $CorruptSC (I D_{j})$ prior to the acceptance of $Π_{I D_{i}}^{s}$ .

Definition 2

Oracle Freshness without Forward Secrecy (OFwoFS)—the oracle $Π_{I D_{i}}^{s}$ is said to be OFwoFS-fresh if none of the following conditions holds:

$A$ queried $RevealKey (I D_{i}, s)$ ;

If $Π_{I D_{j}}^{t}$ exists, $A$ queried $RevealKey (I D_{j}, t)$ ;

If $I D_{i}$ is user, $A$ queried either $CorruptSC (I D_{i})$ or $CorruptS (SI D_{j})$ ;

If $I D_{i}$ is sensor, $A$ queried either $CorruptS (SI D_{i})$ or $CorruptSC (I D_{j})$ .

We let $O F = {OFFS, OFwoFS}$ .

Security experiment ${EXP}_{Π, A}^{ake} (λ, O F)$

On input security parameter $1^{λ}$ , the security experiment is proceeded as a game between a challenger $C$ and an adversary $A$ based on AKE protocol $Π$ , where the following steps are performed:

At the beginning of the game, the challenger $C$ implements the collection of oracles ${Π_{I D_{i}}^{s} : i \in [ℓ], s \in [d]}$ for users and ${Π_{SI D_{j}}^{t} : j \in [ρ], t \in [d]}$ for sensors, and ${Π_{I D_{GWN}}^{z} : z \in [(ρ + ℓ) d]}$ for GWN. All long-term pre-shared key for users, sensors, and GWN are generated, respectively. $C$ gives the adversary $A$ all identities as input.

$A$ may issue a polynomial number of queries regarding $Execute$ , $Send$ , $CorruptSC$ , $CorruptS$ , and $RevealKey$ .

At some point, $A$ may issue $Test (I D_{i}, s)$ queries during the experiment. After the $Test$ query, $A$ can keep asking other queries as it wishes.

At the end of the game, $A$ may terminate and output a bit $(b', I D_{i}, s)$ as its guess for $b$ of $Test (I D_{i}, s)$ query. Then the experiment would return a failure symbol ⊥ if one of the following conditions is held: (1) $A$ has not issued any $Test$ query, or (2) the $Test (I D_{i}, s)$ query returns a failure symbol ⊥, or (3) the test oracle is not $O F - fresh$ .

Finally, the experiment returns $1$ if $b = b'$ ; Otherwise, $0$ is returned.

Formally, an instance $Π_{I D_{i}}^{s}$ represents an online attack if both following conditions hold at the time of the Test query: (1) at some point, the adversary queried $Send (I D_{i}, s, m^{*})$ and $I D_{i}$ is not corrupted and (2) at some point, the adversary queried $RevealKey (I D_{i}, s)$ or $Test (I D_{i}, s)$ . The number of online attacks represents a bound on the number of passwords the adversary could have tested in an online fashion. Let $D$ be the maximum bit length of a user’s password. The maximum number of online attacks that $A$ can perform to the owner of the test oracle is bound by $d$ .

Definition 3

Session Key Security—Given a correct AKE protocol $Π$ and an adversary $A$ which runs the above security experiment without failure, we then define the advantage of $A$ as follows

A d v_{Π, A}^{a k e} (λ, O ℱ) : = | \Pr [E X P_{Π, A}^{a k e} (λ, O ℱ) = 1] - \frac{1}{2} |

We say that a correct AKE protocol $Π$ is session-key-secure if for all adversaries $A$ the advantage such that ${Adv}_{Π, A}^{ake} (λ, O F) \leq d ℓ / D + negl (λ)$ where $negl (λ)$ is a negligible function in the security parameter $λ$ .

On the security of the CL protocol

A sensor capture attack against the CL protocol

CL Protocol

We first briefly review the P2 protocol.⁹ The user registration phase is shown in Figure 2. The protocol execution of P2 is depicted in Figure 3.

Figure 2.

Registration phase of Chang and Le.⁹

Figure 3.

P2 of Chang and Le.⁹

A sensor capture attack against P2

We here describe a sensor capture attack against the session key security of P2.⁹ The protocol P1 has the same problem.⁹ In this attack, we will make use of some compromised sensor to impersonate an arbitrary honest user. Note that the corruption of sensor is allowed in Theorem 2.⁹ In real-world applications, such compromised sensor might be also registered by an attacker as well. The core attack idea is to extract the secret $Y_{i} = h (f_{i} | | T_{1})$ which is used to compute the authentication message $H_{j}$ . However, $Y_{i}$ is only computed involving an honest user $U_{i}$ ’s secret $f_{i}$ and timestamp $T_{1}$ . This implies that the $Y_{i}$ can be re-used many times in different sessions (to impersonate $U_{i}$ to any uncompromised sensors) during $T_{1} + Δ_{T}$ .

The concrete attack steps performed by an adversary $A$ are described as follows:

$A$ corrupts some sensor say $SI D_{j}$ to obtain its long-term secret $f_{j}$ , that is, via $CorruptS (SI D_{j})$ . The goal of $A$ , for instance, is to impersonate some honest user $U_{i}$ to communicate with another uncompromised sensor $S_{v}$ .

$A$ asks $U_{i}$ to run a protocol instance $Π_{I D_{i}}^{s}$ with sensor $SI D_{j}$ , that is, via sending $Π_{I D_{i}}^{s}$ the first message as $Send (I D_{i}, s, (T, SI D_{j}))$ . $A$ intercepts the message $m_{1} = {M I_{i}, Z_{i}, N_{i}, T_{1}}$ .

$A$ gets timestamp $T_{2}$ and honestly computes $A_{j} : = h (f_{j} | | N_{i} | | T_{2})$ which is computable via compromised $f_{j}$ .

$A$ sends $m_{2} = {M I_{i}, N_{i}, SI D_{j}, A_{j}, T_{1}, T_{2}}$ to GWN and receives $m_{3} = {F_{ij}, H_{i}, E_{i}, T_{3}}$ .

$A$ computes $Y_{i} : = F_{ij} \oplus h (f_{j} | | T_{3})$ . At this point, we stress that the $A$ is able to impersonate $U_{i}$ to $SI D_{v}$ at time $T_{1}$ . We next show that the attack is possible if the time consumption of the above execution is less than $Δ_{T}$ . This is very like to happen, for example, $Δ_{T} = 1 min$ .

$A$ selects a random $a^{*}$ and $K_{i}^{*} = a^{*} P$ and computes $Z_{i}^{*} : = K_{i}^{*} \oplus Y_{i}$ and $N_{i}^{*} : = h (Y_{i} | | M I_{i} | | SI D_{v})$ . The message $m_{1}^{*} = {M I_{i}, Z_{i}^{*}, N_{i}^{*}, T_{1}}$ is sent to some oracle of sensor $SI D_{j}$ , say $Π_{SI D_{v}}^{l}$ .

Meanwhile $f_{j} : = h (SI D_{j} | | X_{GWN})$ would run the protocol with GWN honestly. $Π_{SI D_{v}}^{l}$ replies $A$ with message $m_{4}^{*} = {R_{iv}^{*}, E_{i}^{*}, T_{4}^{*}}$ where $R_{iv}^{*} = h (K_{i}^{*} | | T_{4}) \oplus K_{v}^{*}$ and $K_{v}^{*} = b^{*} P$ is chosen by $Π_{SI D_{v}}^{l}$ .

Finally, $A$ could compute $K_{v}^{*} : = h (K_{i}^{*} | | T_{4}) \oplus R_{iv}$ and session key $K^{*} : = h (a^{*} b^{*} P \cdot x)$ , where $a^{*} b^{*} P \cdot x$ is the x-coordinate of the point $a^{*} b^{*} P$ . Note that $K_{i}^{*}$ is chosen by $A$ of its own choice.

Note that based on such corrupted sensor, $A$ is able to launch (unlimited) the above attack to impersonate any honest users $U_{i}$ to any uncompromised sensors $S_{v}$ at an arbitrary time $T_{1}$ chosen by $A$ . This would enable us to break the session key security of P2. It is not hard to see that this attack is also very harmful in practice. We highlight that the similar attack can be also mounted to P1.

Since the attack mainly exploits the corrupted sensor to obtain the secret $Y_{i}$ which can be extracted from the ciphertext $F_{ij}$ based on the corrupted secret key $f_{j}$ . Therefore, the attack time roughly equals to the message delivery time of $m_{1}$ and $m_{2}$ and computation time of two hash operations (for computing $A_{j}$ and $Y_{i}$ ). If the attacker fails within a time $T_{1} + Δ_{T}$ , it can just choose another time $T_{1'}$ to start the attack again.

An improved protocol

In order to fix the problem of P2 (cf. P1), the computation of $Y_{i}$ should be modified. Specifically, we suggest adding the sensor’s identity $SI D_{j}$ into the generation of $Y_{i}$ , that is, $Y_{i} = h (f_{i} | | M I_{i} | | SI D_{j})$ . We also include the messages exchanged between user and sensor into the session key generation so that the resultant session key is uniquely bound to a specific session. The rest of protocol execution of P2 remains the same. The improved protocol is shown in Figure 4 with minimum modifications. The improved protocol preserves all the properties of the original protocol such as session key security and perfect forward secrecy (PFS).

Figure 4.

The improved P2.

The improved protocol consists of four phases which are described as follows:

User registration phase. The user registration phase is shown in Figure 2.

The user $U_{i}$ selects an identity $I D_{i}$ and a password $p w_{i}$ and generates a random nonce $r_{i}$ . $U_{i}$ computes $M P_{i} : = h (r_{i} | | p w_{i})$ and sends the registration message $m_{Ureg} = {I D_{i}, M P_{i}}$ to the GWN over some secure channel.

Upon receiving $m_{Ureg}$ , GWN verifies the user’s identity and generates a random nonce $r_{i}$ . Then, GWN computes a pseudonym $M I_{i} : = h (r_{i'} | | I D_{i})$ for $U_{i}$ and uses its long-term key $X_{GWN}$ to compute $f_{i} : = h (M I_{i} | | x_{GWN})$ and $e_{i} : = M P_{i} \oplus f_{i}$ . Finally, $GWN$ creates a smart card $S C_{i} = {M I_{i}, e_{i}}$ and issues it to the user $U_{i}$ over some secure channel.

After receiving the smart card $S C_{i}$ , $U_{i}$ writes the value $r_{i}$ into it. Eventually, the smart card $S C_{i}$ stores ${M I_{i}, e_{i}, r_{i}}$ .

Sensor registration phase. The sensor registration phase should be also run over some secure channel. As for a sensor node $S_{j}$ , GWN first selects a unique identity $SI D_{j}$ . Then, GWN computes $f_{j} : = h (SI D_{j} | | X_{GWN})$ . Meanwhile, the tuple $(SI D_{j}, f_{j})$ is stored by GWN. Finally, the identity $SI D_{j}$ and the authentication key $f_{j}$ are written into the sensor node $S_{j}$ .

Authentication and key exchange phase. The following protocol steps are performed:

Message 1 (m1): $U_{i}$ to $S_{j}$

$U_{i}$ inputs its identity $I D_{i}$ and password $p w_{i}$ .

Upon receiving ${I D_{i}, p w_{i}}$ , the smart card $S C_{i}$ computes $M P_{i} : = h (r_{i} | | p w_{i})$ and the corresponding authentication key $f_{i} : = e_{i} \oplus M P_{i}$ .

$S C_{i}$ gets the current timestamp $T_{1}$ and selects a random value $a \in_{R} Z_{p}$ . Next, $S C_{i}$ computes an ephemeral public key $K_{i} : = aP$ , a ciphertext $Z_{i} : = K_{i} \oplus Y_{i}$ and an authentication message $N_{i} : = h (Y_{i} | | M I_{i} | | SI D_{j})$ .

The message $m_{1} = {M I_{i}, Z_{i}, N_{i}, T_{i}}$ is sent to the sensor $S_{j}$ .

Message 2 (m2): $S_{j}$ to GWN

Upon receiving $m_{1}$ , $S_{j}$ checks whether or not $T_{1}$ is a valid timestamp.

$S_{j}$ gets a timestamp $T_{2}$ and computes an authentication message $A_{j} : = h (f_{j} | | N_{i} | | T_{2})$ .

The message $m_{2} = {M I_{i}, N_{i}, SI D_{j}, A_{j}, T_{1}, T_{2}}$ is sent to GWN.

Message 3 (m3): GWN to $S_{j}$

Upon receiving $m_{2}$ , GWN aborts if either $T_{1}$ or $T_{2}$ is not valid.

GWN computes verification messages $f_{j'} = h (SI D_{j} | | X_{GWN})$ and $A_{j'} : = h (f_{j'} | | N_{i} | | T_{2})$ , $f_{i'} : = h (M I_{i} | | X_{GWN})$ , and $N_{i'} : = h (Y_{i'} | | M I_{i} | | SI D_{j})$ . GWN rejects if $N_{i'} \neq N_{i}$ and $A_{j'} \neq A_{j}$ .

Next, GWN gets a timestamp $T_{3}$ and computes an authentication key $Y_{i'} : = : = h (f_{i'} | | T_{1} | | SI D_{j})$ and a ciphertext $F_{ij} : = Y_{i'} \oplus h (f_{j'} | | T_{3})$ , and authentication messages $H_{j} : = h (Y_{i'})$ and $E_{i} : = h (f_{i'} | | N_{i'})$ .

The message $m_{3} = {F_{ij}, H_{i}, E_{i}, T_{3}}$ is sent to the sensor $S_{j}$ .

Message 4 (m4): $S_{j}$ to $U_{i}$

Upon receiving $m_{3}$ , $S_{j}$ checks $T_{3}$ , and computes the verification key $Y_{i'} : = F_{ij} \oplus h (f_{j} | | T_{3})$ . $S_{j}$ rejects if $H_{j} \neq h (Y_{i'})$ .

$S_{j}$ selects a random value $b \in_{R} Z_{p}$ and computes an ephemeral public key $K_{j} : = bP$ . Next, $S_{j}$ gets a timestamp $T_{4}$ and computes a ciphertext $R_{ij} : = h (K_{i} | | T_{4}) \oplus K_{j}$ .

The session key is computed as $K : = h (abP \cdot x | | K_{i} | | K_{j} | | M I_{i} | | SI D_{j} | | T_{1} | | T_{4})$ , where $abP \cdot x$ is the x-coordinate of the point $abP$ . The input of the hash function covers almost all protocol messages exchanged between user and sensor, so that the session key is uniquely bound to a session identified by such transcript.

The message $m_{4} = {R_{ij}, E_{i}, T_{4}}$ is sent to the user $U_{i}$ .

Finalize: User $U_{i}$ .

Upon receiving message $m_{4}$ , $U_{i}$ checks the timestamp $T_{4}$ and computes the verification message $E_{i'} : = h (f_{i} | | N_{i})$ and rejects if $E_{i'} \neq E_{i}$ .

$U_{i}$ computes the session key $K : = h (abP \cdot x | | K_{i} | | K_{j} | | M I_{i} | | SI D_{j} | | T_{1} | | T_{4})$ .

User authentication key change phase. Suppose the user has been authenticated in an AKE session with his or her old password $p w_{i}$ , $S C_{i}$ has $M P_{i}$ in that session. Then the user $U_{i}$ inputs his new password ${pw}_{i}^{new}$ . After this, $S C_{i}$ computes ${MP}_{i}^{new} : = h (r_{i} | | {pw}_{i}^{new})$ and $e_{i}^{new} : = e_{i} \oplus M P_{i} \oplus {MP}_{i}^{new}$ . Finally, $S C_{i}$ stores $e_{i}^{new}$ .

The decisional Diffie–Hellman assumption

Let $G$ be a group of prime order $p$ under an elliptic curve. Let $P$ be a random generator of $G$ . The decisional Diffie–Hellman (DDH) problem is stated as follows: given tuple $(P, aP, bP, cP)$ for $a, b, c \overset{$}{\to} Z_{p}^{*}$ as input, it is hard to distinguish whether $c = ab$ .

Definition 4

For a group $G$ of prime order $p$ and an adversary $D$ , we define the following experiment:

${EXP}_{G, p, D}^{ddh} (λ)$

$P \overset{$}{\leftarrow} G$ ; $(a, b, γ) \overset{$}{\leftarrow} Z_{p}^{*}$ ; $β \overset{$}{\leftarrow} {0, 1}$ ;

if $β = 1$ then $Γ \leftarrow abP$ , otherwise $Γ \leftarrow γ P$ ;

$β' \leftarrow D (G, p, P, aP, bP, Γ)$ ; if $β = β'$ then return 1, otherwise return 0.

The advantage of $D$ in above experiment is defined as follows

{Adv}_{G, p, D}^{ddh} (λ) : = | \Pr [{EXP}_{G, p, D}^{ddh} (λ) = 1] - \frac{1}{2} |

We say that the $DDH$ problem relative to a group $G$ of prime order $p$ holds, if for all PPT adversaries $D$ the advantage ${Adv}_{G, p, D}^{ddh} (λ)$ is a negligible function in $λ$ .

Theorem 1

Suppose that the hash function $h$ is modeled as random oracle, the output bit length of the hash function is $ν$ , and the $DDH$ problem relative to a group $G$ with prime order $p$ holds, then the fixed protocol $P 2'$ is session-key-secure such that ${Adv}_{P 2', A}^{ake} (λ, OFFS) \leq d / D + q_{h} / 2^{ν - 3} + (d ℓ)^{2} \cdot {Adv}_{G, p, D}^{ddh} (λ)$ , where $q_{h}$ is the number of allowed random oracle query.

Due to this modification, each credential $Y_{i}$ is particularly bound to an execution between the user $I D_{i}$ and the sensor $SI D_{j}$ at time $T_{1}$ . Thus, the attacker is unable to abuse $Y_{i}$ involving some malicious sensor $SI D_{v}$ to impersonate $I D_{i}$ to some honest sensor $SI D_{j}$ .

Proof

The proof is proceeded following the game-based approach.²³ Let $Ad v_{ξ}$ denote the advantage of $A$ in Game $ξ$ .

Game 0

The first game is the real security experiment which is run between an adversary $A$ and an AKE challenger $C$ . Thus, we have that

{Adv}_{Π, A}^{ake} (λ) = Ad v_{0}

Meanwhile, $C$ will simulate the queries of $A$ as follows:

$Execute (I D_{i}, s, SI D_{j}, t, I D_{GWN}, u)$ and $Send (I D_{i}, s, m)$ queries will be honestly simulated as defined in section “Security model” following our protocol specification.

$RevealKey (I D_{i}, s)$ : The session key returned by this query is $SK = h (abP . x | | K_{i} | | K_{j} | | M I_{i} | | SI D_{j} | | T_{1} | | T_{4})$ .

$CorruptSC (I D_{i})$ : This query returns $S C_{i} = {M I_{i}, e_{i}, r_{i}}$ of $I D_{i}$ .

$CorruptS (SI D_{j})$ : This query returns the contents of $f_{j} = h (SI D_{j} | | X_{GWN})$ of $SI D_{j}$ .

$Test (I D_{i}, s)$ : This query will be honestly simulated as defined in section “Security model.” However, the test oracle (asked by this query) should keep fresh throughout the security experiment in the sense of Definition 1.

In this game, the challenger just simulates these queries following the protocol specification without any modification. In the subsequent games, we may change them step by step till the advantage of the adversary is zero.

Game 1

In this game, the challenger aborts if the adversary $A$ asks the random oracle $h (\cdot)$ with a user $U_{i} s$ password $p w_{i}$ and its randomness $r_{i}$ as input, that is, $M I_{i} = h (r_{i} | | p w_{i})$ . This implies that the adversary can ask a $Send (I D_{i}, s, m)$ query, such that $p w_{i} \in m$ . Recall that $p w_{i}$ is used to compute $M P_{i}$ which is used to decrypt $f_{i} = M I_{i} \oplus e_{i}$ . In this case, the adversary must be able to succeed in online attacks.

The length of the password is assumed to be $D$ . Hence, if the adversary can input the correct $p w_{i}$ , then it is able to impersonate the user (e.g. after obtaining the victim’s smart card without compromising the secret information stored in the smart card). The probability that $A$ correctly guesses is about $1 / D$ . Note that $A$ can try $d ℓ$ times which is the maximum number of $Send$ query to all $ℓ$ parties. The winning probability of a successful online attack is bound to $d ℓ / D$ . Thus, we have that

Ad v_{0} \leq Ad v_{1} + \frac{d ℓ}{D}

Game 2

In this game, the challenger first aborts if a fresh oracle of $GWN$ receives a valid $N_{i}$ which is not sent by any fresh oracle of $U_{i}$ at a valid time. To generate a valid $N_{i}$ , the adversary $A$ has to either (1) break the one-wayness of the hash function or (2) randomly guess (correctly) the output of the random oracle $h (\cdot)$ for generating $N_{i}$ . If the case (1) holds, the adversary $A$ may be able to ask the random oracle $h (Y_{i} | | M I_{i} | | SI D_{j})$ and $h (f_{i})$ with the correct $f_{i}$ but without asking the corresponding $CorruptSC$ query. The abort event implies that the adversary is able to either find the pre-image of the hash value (after obtaining the protocol transcript via $Execute$ query) or forge the protocol message. Since each $N_{i}$ is used only once, either $f_{i}$ or $h (f_{i} | | T_{1})$ is protected by the one-wayness of the hash function $h$ . Hence, the probability of correctly generating a valid $N_{i}$ for $A$ is bound to $1 / 2^{ν - 1}$ . Furthermore, we add another similar abort rule that the challenger aborts if an oracle of $GWN$ receives a valid $A_{j}$ which is not sent by any fresh oracle of $S_{j}$ . The security of $A_{j}$ is quite similar to that of $N_{i}$ .

Since there are two such authentication messages, $N_{i}$ and $A_{j}$ , each of which has two related hash operations, $A$ can ask at most $q_{h}$ random oracle queries. We therefore have that

Ad v_{1} \leq Ad v_{2} + \frac{q_{h}}{2^{ν - 2}}

Game 3

In this game, the challenger aborts if one of the following conditions holds: (1) a fresh oracle of $S_{j}$ receives a valid $H_{i}$ which is not sent by any fresh oracle of $GWN$ or (2) a fresh oracle of $U_{i}$ receives a valid $E_{i}$ which is not sent by any fresh oracle of $GWN$ . With the similar arguments in the previous game, we have that

A d v_{2} \leq A d v_{3} + \frac{q_{h}}{2^{ν - 2}}

As a result in this game, we have the fact that the test oracle must have a partner oracle; otherwise, the challenger has aborted.

Game 4

In this game, we try to reduce the security to the DDH hard problem. We change the session key of the test oracle to be a random value. If there exists an adversary which can distinguish this game from the previous game, then we can make use of it build an algorithm $D$ to solve the DDH problem. Given a DDH challenge instance $(xP, yP, cP)$ , the job of $D$ is to distinguish $c = ? xy$ . Meanwhile, $D$ first guesses the test oracle and its partner oracle. If its guess is incorrect then it aborts. The abort probability is bound to $1 / (d ℓ)^{2}$ . In the following, we assume that $D$ ’s guess is correct. Then $D$ sets the ephemeral DH key of the test oracle to $xP$ and its partner oracle’s DH key as $yP$ . The session key of the test oracle is computed as $h (cP | | xP | | yP | | M I_{i} | | SI D_{j} | | T_{1} | | T_{4})$ . The other simulations are similar to the previous games. So that if $c = ab$ , then the game is identical to the previous game. Otherwise, it is equivalent to this game. Due to the hardness of the DDH problem, we have that

Ad v_{3} \leq Ad v_{4} + {Adv}_{G, p, D}^{ddh} (λ)

As the bit in the Test query is not used anymore, the advantage of an adversary in this game is zero, that is, $Ad v_{4} = 0$ . To sum up all probabilities in the above games, we get the result of this theorem.

Performance comparison

In this section, we compare our improved scheme with related existing similar lightweight AKE protocols of Shi and Gong⁴ (SG), Choi et al.⁶ (CLK+), Turkanovic et al.⁷ (TBH), and Das et al.¹¹ (DKO+) which are run under the same system model.

We approximately test the performance of compared protocols on PC with Intel Core i7, 4.2 GHz+8GB RAM, and Python 2.7. Let $t_{mul}$ and $t_{h}$ denote the estimated experimental time of 224-bits elliptic curve point multiplication and a SHA256 hash function operation (for 128 bytes message), respectively. We omit the cost of $XOR$ in the comparison, which is much smaller than the other two types of operations. We specifically have that $t_{mul} = 3.8 ms$ and $t_{h} = 0.007 ms$ . We consider a biometric computation required by Das et al.’s scheme as a hash operation. The comparison of computational cost is listed in Table 2.

Table 2.

Computation cost.

	User	Sensor	Gateway
SG⁴	$3 mul + 6 h$	$2 mul + 3 h$	$1 mul + 5 h$
	$11.442 ms$	$7.621 ms$	$3.835 ms$
CLK+⁶	$3 mul + 7 h$	$2 mul + 6 h$	$1 mul + 5 h$
	$11.449 ms$	$7.642 ms$	$3.835 ms$
TBH⁷	$6 h$	$4 h$	$7 h$
	$0.042 ms$	$0.028 ms$	$0.049 ms$
DKO+¹¹	$2 mul + 13 h$	$2 mul + 9 h$	$10 h$
	$7.691 ms$	$7.663 ms$	$0.07 ms$
Ours	$2 mul + 6 h$	$2 mul + 5 h$	$8 h$
	$7.642 ms$	$7.635 ms$	$0.056 ms$

In Figure 5, we compare the communication cost of our scheme with existing schemes. We make reasonable assumptions that each identity is 128 bits, each random nonce is 256 bits, each timestamp is 64 bits, each elliptic curve cryptography (ECC) group value is 224 bits, and each hash value is 256 bits.

Figure 5.

Communication cost.

Turkanovic et al.’s⁷ scheme (TBH) is more efficient than all other listed protocols but it does not provide PFS. Our improved scheme inherits the high performance of P2,⁹ which provides a trade-off between security and performance. Although the computation cost of our scheme is slightly more expensive than that of Shi et al.’s scheme (SG), our scheme is the most efficient one for the user and GWN among those compared protocols which satisfy PFS. Furthermore, our scheme has the best communication performance.

Conclusion

In this article, we revisited a recently proposed AKE scheme⁹ for WSNs. We have shown that there is a security vulnerability in this scheme. We also demonstrated a concrete attack and gave a solution for avoiding this attack. Some improvements for the security model have been given for analyzing the improved protocol. Since a good AKE protocol might need to provide as many security properties as possible, it might be interesting (as a future work) to further improve our protocol and Das et al.’s¹¹ scheme by incorporating more security attributes as introduced in recent literature.^12,24 Of course, one could also strengthen our security model to cover more active attacks for specific protocols.

Among those security properties, PFS has been a de facto standard property of AKE. Recently proposed lightweight AKE protocols,^4,6,9,12,25 all achieve PFS based on Diffie–Hellman key exchange (DHKE). Since two exponential operations are required in DHKE, it is not efficient for either smart card or sensor due to its low processing resources. Another open problem is to construct lightweight AKE protocols which provide PFS without relying on Diffie–Hellman–like primitives.

Footnotes

Handling Editor: Al-Sakib Khan Pathan

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship, and/or publication of this article: This study was supported by the Research Project of the Humanities and Social Sciences of the Ministry of Education of China (grant nos 16YJC870018 and 15YJC790061), National Natural Science Foundation of China (grant nos 11647097, 61502064, and 61503052), Open project of Key laboratory of higher education of Sichuan province for enterprise informatization and IoT (grant no. 2015WZJ02), Research Foundation of the Natural Foundation of Chongqing City (grant nos cstc2013jcyjA0076, cstc2016jcyjA40019, and cstc2017jcyjAX0277), China Post-doctoral Science Foundation (grant no. 2017M612911), and Scientific and Technological Research Program of Chongqing Municipal Education Commission (grant nos KJ1600932 and KJ1600928).

ORCID iD

Zheng Yang:

References

Gao

Chan

et al . An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens Wirel Ne 2010; 10(4): 361–371.

Das

Sharma

Chatterjee

et al . A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. J Netw Comput Appl 2012; 35(5): 1646–1656.

Xue

Hong

et al . A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J Netw Comput Appl 2013; 36(1): 316–323.

Shi

Gong

. A new user authentication protocol for wireless sensor networks using elliptic curves cryptography. Int J Distrib Sens N 2013; 2013: 730831.

Turkanovic

Holbl

. An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Elektron Elektrotech 2013; 19(6): 109–116.

Choi

Lee

Kim

et al . Security enhanced user authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors 2014; 14(6): 10081–10106.

Turkanovic

Brumen

Hlbl

. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw 2014; 20(2): 96–112.

Chang

Hsueh

Cheng

. A dynamic user authentication and key agreement scheme for heterogeneous wireless sensor networks. Wireless Pers Commun 2016; 89(2): 447–465.

Chang

. A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks. IEEE T Wirel Commun 2016; 15(1): 357–366.

10.

Jung

Kim

Choi

et al . An anonymous user authentication and key agreement scheme based on a symmetric cryptosystem in wireless sensor networks. Sensors 2016; 16(8): E1299.

11.

Das

Kumari

Odelu

et al . Provably secure user authentication and key agreement scheme for wireless sensor networks. Secur Commun Netw 2016; 9: 3670–3687.

12.

Challa

Wazid

Das

et al . Secure signature-based authenticated key establishment scheme for future IoT applications. IEEE Access 2017; 5: 3028–3043.

13.

Jiang

Zeadally

et al . Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 2017; 5: 3376–3392.

14.

Park

Park et al . Provably secure and efficient authentication protocol for roaming service in global mobility networks. IEEE Access 2017; 5: 25110–25125.

15.

Ali

Pal

Kumari

et al . A secure user authentication and key-agreement scheme using wireless sensor networks for agriculture monitoring. Future Gener Comp Sy. Epub ahead of print 15 July 2017. DOI: 10.1016/j.future.2017.06.018.

16.

Shim

K-A

. BASIS: a practical multi-user broadcast authentication scheme in wireless sensor networks. IEEE T Inf Foren Sec 2017; 12(7): 1545–1554.

17.

Wazid

Das

Kumar

et al . Design of lightweight authentication and key agreement protocol for vehicular ad hoc networks. IEEE Access 2017; 5: 14966–14980.

18.

Ferrag

Maglaras

Janicke

et al . Authentication protocols for Internet of Things: a comprehensive survey. Secur Commun Netw 2017; 2017: 6562953.

19.

Bellare

Pointcheval

Rogaway

. Authenticated key exchange secure against dictionary attacks. In: Advances in cryptology—EUROCRYPT, Bruges, 14–18 May 2000, pp.139–155. Heidelberg: Springer.

20.

Jager

Kohlar

Schäge

et al . On the security of TLS-DHE in the standard model. In: Advances in cryptology—CRYPTO, Santa Barbara, CA, 19–23 August 2012, pp.273–293. Heidelberg: Springer.

21.

Yang

Zhu

et al . Towards modelling perfect forward secrecy in two-message authenticated key exchange under ephemeral-key revelation. Secur Commun Netw 2015; 8(18): 3356–3371.

22.

Bellare

Rogaway

. Provably secure session key distribution: the three party case. In: 27th annual ACM symposium on theory of computing, Las Vegas, NV, 29 May–1 June 1995, pp.57–66. New York: ACM Press.

23.

Shoup

. Sequences of games: a tool for taming complexity in security proofs. Cryptology ePrint Archive, Report 2004/332, 2004, http://eprint.iacr.org/

24.

Yaqoob

Ahmed

ur Rehman

et al . The rise of ransomware and emerging security challenges in the Internet of Things. Computer Networks 2017; 129: 444–458.

25.

Chen

Martínez

Castillejo

et al . A privacy protection user authentication and key agreement scheme tailored for the Internet of Things environment: PriAuth. Wirel Commun Mob Com 2017; 2017: 5290579.

On the security of a provably secure,efficient,and flexible authentication scheme for ad hoc wireless sensor networks

Abstract

Keywords

Introduction

System model

Related work

Our results

Organizations

Security model

Remarks on the CL security model

Freshness

Improved security model

Adversarial model

Secure AKE protocols

Correctness

Definition 1

Definition 2

Security experiment EXP Π , A ake ( λ , O F )

Definition 3

On the security of the CL protocol

A sensor capture attack against the CL protocol

CL Protocol

A sensor capture attack against P2

An improved protocol

The decisional Diffie–Hellman assumption

Definition 4

Theorem 1

Proof

Game 0

Game 1

Game 2

Game 3

Game 4

Performance comparison

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References

Security experiment ${EXP}_{Π, A}^{ake} (λ, O F)$