A pragmatic elliptic curve cryptography-based extension for energy-efficient device-to-device communications in smart cities


Journal Pre-proof A Pragmatic Elliptic Curve Cryptography-based Extension for Energy-Efficient Device-to-Device Communications in Smart Cities Tran Khanh Dang, Chau D.M. Pham, Thao L.P. Nguyen

PII: S2210-6707(20)30084-6
DOI: https://doi.org/10.1016/j.scs.2020.102097
Reference: SCS 102097
To appear in: Sustainable Cities and Society
Received Date: 1 June 2019
Revised Date: 13 February 2020
Accepted Date: 13 February 2020

Please cite this article as: Tran Khanh Dang, Chau D.M. Pham, Thao L.P. Nguyen, A Pragmatic Elliptic Curve Cryptography-based Extension for Energy-Efficient Device-to-Device Communications in Smart Cities, (2020), doi: https://doi.org/

This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2020 Published by Elsevier.


A Pragmatic Elliptic Curve Cryptography-based Extension for Energy-Efficient Device-to-Device Communications in Smart Cities

Abstract

The rise of Smart Cities, with underlying adoptions of technologies like the IoT and Cloud Computing, has made the integration between them a promising field with different challenges, including security. Authentication is one of the foremost attempts to address these issues. Allowing direct device-to-device rather than only device-to-service communications can introduce several benefits, like a high data transmission rate and reliable communications even when the central clouds fail. However, the resource-constrained nature of IoT devices makes it more difficult to develop secure protocols that can provide a sustainable deployment in practice. This article proposes an authentication scheme extension providing secure control from resourceful cloud servers to devices while also enabling direct secure communications between them. The scheme is designed to use ECC and low-cost operations to provide efficient resource and energy consumption. The protocol correctness is proven by using a formal security analysis with BAN-logic. Detailed analysis is presented to show its resilience to common attacks. A performance analysis is also given to show the scheme's practical value, as it only consumes at most 29 mJ on each device in addition to the amount required by the original protocol.

Keywords: iot authentication, d2d authentication, smart cities, energy efficiency, cloud integration, internet of things

Preprint submitted to Elsevier, February 12, 2020

1. Introduction

The Internet of Things (IoT), which was first introduced by Kevin Ashton [1] in 1999, has opened new opportunities for the research community to study its wide variety of aspects. Single-function embedded devices have been developed into smart things, such as smartphones, laptops, coffee machines, refrigerators, Google Home, Apple watches, etc. In other words, any device can be integrated into the IoT by equipping it with an Internet connection, sensors and/or actuators, so that it can recognize changes in its surroundings for corresponding activities [2, 3]. These devices collect environmental information of their surroundings and send it to some central data servers where it is processed, manipulated, transformed and used to perform multiple tasks [4]. In the end, governments, organizations, and individuals enjoy these benefits of the IoT. Applications of the IoT are available in many aspects of life thanks to its adoption by a wide range of industries [5]. Nowadays, Smart Home, Smart University and even Smart City are not new definitions. New IoT products are introduced almost every day for all the aspects of our modern life. The number of IoT devices is now more than 1 billion [6]. IHS forecasted that the IoT market would reach 75.4 billion devices by 2025 [7].

Being considered the future of the Internet, IoT development comes with urgent requirements for the provision of security and privacy as the number of deployed IoT devices rapidly increases. In 2012, Gartner, the market research company, affirmed in [8]: “The Internet of Things concept will take more than 10 years to reach the Plateau of Productivity - mainly due to security challenges, privacy policies, data and wireless standards, and the realization that the Internet of Things requires the build-out of a topology of services, applications and a connecting infrastructure”. There were cases where researchers succeeded in attacking IoT systems and took over the control of smart things or made the system unusable [9, 10, 11, 12]. As we can see, security is one of the most important factors deciding the existence of an IoT system. How these devices can interact and authenticate with each other is still a difficult question, which has been attracting many researchers. Authentication in the IoT is different from other systems because of its specific properties: the uncontrolled environment, the heterogeneity, the requirement of scalability, and the limited resources [13]. Computation activities for IoT devices cannot be complex.

The most popular model of an IoT eco-system is one where all machines are directly connected to and controlled by centralized servers in local networks. These servers are often deployed with powerful storage and computing resources so that they can handle complicated processes and computations for their client nodes. The sensed data from the IoT devices are sent to a central server or a cloud by using the communication infrastructure [14]. In other words, in this model client nodes completely depend on their servers for any tasks such as computing, storing, accessing the Internet and applications, guaranteeing security and so on. Any actions of nodes in the same network involve the administration of their server. This model is widely applied in practice, especially in IoT systems, due to the fact that such systems have considerable diversity in their devices, with very different resource capabilities and other features. Thus, focusing on servers as the centralized management systems, without the need to pay too much attention to the device end's details, makes this model easier to employ and justify. On the other hand, it nevertheless puts too much workload on the servers and possibly breaks down the whole system when these servers go out of usage. This model can severely suffer when attackers flood a huge number of physical objects into the network at an unexpected scale.

To restrain the dependence on servers, scientists thought about Device-to-Device (D2D) communication [15, 16, 17]. Unlike Human-to-Human (H2H) communications, there is no human interaction in D2D. Hence, devices must be designed for self-establishing connections and authentications with others. There are two kinds of D2D: Standalone D2D and Network-Assisted D2D. These two structures differ by the existence of a helping infrastructure to organize communication and resource utilization. In Network-Assisted D2D, a gateway is required for the operation, and devices are connected by cellular networks. This requires high-capacity and energy-efficient mobile networks, which are not affordable in some countries and areas. In Standalone D2D, devices initiate requests for communicating with nearby devices by short-range connection mechanisms such as Bluetooth. One device will send signals to express its connection request to other devices. Consequently, devices will need to authenticate not only with the servers but also among themselves. This will be useful in case there is no connection from devices to servers, i.e. a power blackout where the servers do not have a backup power source. In this case, the IoT systems still work because most of the embedded devices have a battery within and will be unaffected by the local area power outage. So, they can continue their connection with others without interruption. As a result, one device needs to verify by itself that it is connecting to legitimate devices without servers. The list of things in the network system then has to be stored and well managed by each node, which will be a problem for small devices. Because most of the smart devices are designed for specific tasks, they have very limited resources in terms of memory, energy, and CPU, which means they cannot run complex algorithms for registration or authentication or store too much data.

It is clear that authentication in the two models above has many advantages and also weaknesses, raising the motivation of finding a better way to retain their good characteristics while avoiding their outages. In this article, we propose an authentication protocol using a hybrid model in which servers still take the responsibility for controlling the access rights and managing the list of the things in the IoT local network, while supporting the device-to-device authentication phase before devices can start their communications on their own. The protocol is based mostly on Elliptic Curve Cryptography (ECC) and low-cost operations such as exclusive-or, concatenation, and hash functions to achieve efficiency in resource consumption. It is then evaluated and validated in terms of resilience against common attacks as well as the amount of storage and energy used.

The main contributions of our work are as follows:

• This research contributes a new authentication solution that can be used for low-powered devices with limited computational capabilities, especially in the IoT environment.

• This work simultaneously proposes a way to apply elliptic curve cryptography to designing a protocol that helps entities mutually authenticate each other.

• From an existing protocol that originally only supports the authentication between devices and the cloud servers, this research extends and improves it so that it can provide secure communication for direct device-to-device connections.

• The research also raises and addresses different security aspects of devices in the IoT.

The rest of this article is organized as follows. Section 2 reviews some recently proposed related works. In Section 3, we give preliminaries on ECC. We then make clear our motivation for this scheme in Section 4. In Section 5, we review Wang et al.'s authentication scheme, which has inspired us to improve their work, before introducing our extended scheme. Section 6 is where we thoroughly explain our proposed scheme. In Section 7, we demonstrate the resilience of our proposed protocol to different attacks. Performance analyses are carried out and reported in Section 8. Finally, concluding remarks and future work are given in Section 9.

2. Related works

Authentication plays an important role in every system. It is one of the security aspects that protect systems from possible attacks. This process helps to allow only legitimate entities to access a system. As this is an essential process, there have been many kinds of research and studies on different specific solutions for the IoT. In fact, proposing an authentication protocol is to suggest a way in which we can first verify whether an object has the rights to connect and communicate with one or some other objects in the same system, and then establish secure channels between them so that they can talk to each other without worrying about their partners' identities. Solutions for the above goals can be categorized into two main groups: the ones using asymmetric cryptosystems and the rest using symmetric schemes [18]. Furthermore, besides complex cryptographic techniques to achieve security, other approaches have also been suggested, such as a voting protocol employing blind signature techniques and dynamic ballots for authentication and guaranteeing users' privacy in electronic voting [19], or key-based management and rating-based authentication [16], with the hope to avoid the high computational cost of cryptographic operations.

In the first group, it was common for proposed schemes to be based on Public Key cryptography [20]. This cryptographic scheme has been widely used, especially in the context of the Internet. Transport Layer Security (TLS) [21] is a very popular standard protocol in which digital certificates of websites are distributed to their clients as public keys in order to verify the identities of servers and secure the communications that follow. However, TLS is not suitable for the IoT because of its strict underlying TCP transport protocol, which is not a good choice for limited-resource devices. To deal with this problem, another protocol, Datagram Transport Layer Security (DTLS) [22], which operates on the unreliable transport protocol UDP but still provides the same security level, has been proposed to replace TLS. In 2012, [23] proposed an implementation of DTLS on sensors with a Trusted Platform Module (TPM) installed. Despite its advantages of high security and data integrity with a reasonable amount of energy consumed, the need to deploy TPM hardware for each sensor is expensive and not scalable. Another direction is using raw public keys to encrypt exchanged messages, with the assumption that everyone knows each other's public keys in a system. Rabin et al. [24] proposed a protocol with a design quite similar to RSA, which is a public key cryptosystem widely used for secure data transmission. Although their proposed scheme consumed as much energy as RSA for encryption, decryption using this scheme is much faster because it needs only one squaring for each message. Nonetheless, the requirement of a high cost of computations and energy makes it inconvenient when applied to IoT systems. Recent research [25, 26] tried to replace RSA with Elliptic Curve Cryptography (ECC), which has been proved to consume less energy at the same security levels [27]. Overall, this approach requires public keys to be first distributed and stored in each device in the whole network. In other words, the key distribution mechanism is the main challenge of such solutions. And the fact that each device has to maintain others' public keys makes them inefficient in the aspect of storage and scalability.

Solutions in the second group were based on symmetric cryptographic schemes, in which the protocols aimed to securely distribute the symmetric keys, i.e. secret keys, to the whole system. Those keys would be used for encrypting and decrypting later communications. The main challenge for such solutions was how these keys can be generated and safely distributed to target objects without being stolen by any hackers attacking these processes. [28] proposed a broadcast authentication scheme based on the Bloom filter data structure. Using an enhanced version of the Bloom filter, i.e. XOR Bloom Filter Authentication, the scheme reduces communication delay and cost by decreasing the computational overhead as well as the error rates. In [29], the authors proposed an ultra-lightweight protocol for heterogeneous wireless sensor networks which used nonces, XOR and concatenation operations for mutual authentication between sensors and users in the same network.

ECC, an approach to public key cryptography, was introduced by Miller [30] and Koblitz [31]. ECC is considered to be more suitable for building lightweight public key cryptosystems due to its smaller key size and lower arithmetic requirements compared with the popular RSA at the same security level. Therefore, ECC has been widely considered to replace RSA in public key cryptosystems. Many remote authentication schemes have been implemented based on it to reduce the computation loads for small devices [32, 33, 34, 35].

Besides, the integration between cloud computing and the IoT is rapidly motivated by the benefits they bring when combined. The unlimited resources and computing capabilities of cloud computing are expected to compensate for the technical constraints of IoT devices. On the other hand, the IoT, which highly promotes connectivity and data exchange between heterogeneous objects, can expand the scope of application domains and services for cloud computing [36]. The needs as well as the challenges of a secure integration between these two technologies have been addressed and have attracted interest from many researchers in different domains [37], such as mobile applications, smart health care monitoring tools, smart home and smart city applications [38, 39]. The authors in [36] also address the security and privacy issues of such integration by constructing an architecture including a security “wall” installed between the Cloud Server and the Internet. [40] proposes an anonymous mutual authentication to authenticate mobile users and service providers using bilinear pairing without the use of SSL. This scheme allows a mobile user to access many services from various service providers through a single private key in the mobile cloud computing environment. [41] designs a protocol to address the authentication process between IoT gateways and mobile clients with pseudonym identities based on ECC. Wang et al. in [34] also propose an authentication protocol in which devices need to register with a centralized server to create secret cookie data. The cookie data are then used in another authentication phase to generate a session key for the device's current session with the server. In this study, the authors pointed out the security holes in two previous versions of this protocol [32, 33] and proposed potential enhancements. Also, the authors analyzed and proved that their proposed protocol was resilient to different attacks. Meanwhile, in the aspect of resource consumption, this protocol is based on ECC and only uses simple operations like XOR, concatenation and hash functions, and it does not require storing too much data on the devices' end. Due to those factors, it seems to be really suitable for the IoT environment. However, in their works, they only handled the authentication between devices and their servers, while communications among devices have been missing throughout the development of Wang et al.'s protocol. That is the motivation for us to propose a new protocol.

3. Elliptic Curve Cryptography

ECC is a type of public-key cryptography whose basis is the algebraic structure of elliptic curves over finite fields. ECC was first introduced by Koblitz and Victor Miller independently in the middle of the 1980s. Compared to other types of public-key cryptography, ECC requires a shorter key length for the same level of security. Table 1 shows the result of NIST (National Institute of Standards and Technology) about the security level of RSA/DSA and ECC based on the key size. As we can see, the ECC key size ratio compared with RSA/DSA is much smaller. A smaller key size is more effective since it needs fewer hardware resources and less memory for storage, so it does not cost a lot of arithmetic computations [42]. Besides, as with quantum computing [43] the RSA problem is becoming easier to solve, ECC gains higher trust in the cryptologist community. Hence, ECC is suitable to apply in the context of IoT devices, which usually have resource constraints and require a high level of security.

The security of a cryptographic system is defined by the relative complexity of the mathematical problem it is based on. An algorithm is said to be secure if the underlying problem cannot be solved in polynomial time. The security of ECC, in this case, depends on the complexity of the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECDLP can be explained as follows: given a multiple P of Q, the elliptic curve discrete log problem is to find k (k ∈ N) such that kQ = P. If the attacker somehow gets P and Q, it is impossible for him to calculate k if k is significantly large. k is the discrete logarithm of P to the base Q.

An elliptic curve in ECDLP is a plane curve over a finite field which consists of the points (x, y) satisfying equation (1). Different values of a and b create different elliptic curves, where:

$y^2 = x^3 + ax + b$, where $4a^3 + 27b^2 \neq 0$   (1)

Table 1: Comparisons between RSA/DSA and ECC based on key sizes for the same security levels.

Key size (bits)
RSA/DSA    ECC    Key size ratio
1024       160    16:1
2048       224    10:1
3072       256    12:1
7680       384    20:1
15360      521    30:1

-p

4. Motivation

How we can reduce the workload of the servers but also utilize them to keep the security level of the system is a big challenge and also our main concern. Embedded devices are not designed to handle complex computing tasks, so we need a security solution that is both lightweight and efficient. Applying Standalone D2D in a smart system context, two devices have to first authenticate with each other to prevent every security defect from happening afterward. A smartphone of your neighbor should not be able to open the doors of your house. As a result, we need to address an important problem: how a “thing” knows that the others are “friends” and lets them authenticate when the server is unreachable. This is the crucial motivation of this article.

We will use Smart Home, the basic and major building block of implementing smart cities, as an example of this problem [44]. As in Figure 1, there are some entities that can be connected to a Smart Home system. The devices, in this case, can be a smartphone, a smartwatch or even a car with an embedded SoC allowing it to be “smart”. Basically, the main server of the house controls the authentication of devices as well as knows which device can join the system. Nevertheless, when the number of devices becomes big in the future, managing many things can cause a high workload for the server and probably affect the network traffic. Moreover, when the server gets any problem and is out of service, the whole organization will become unusable. Supposing that we have a PC acting as a server in our Smart Home system. When this PC is broken, we cannot turn on the lights in the kitchen or open the garage door, since the connections to the controller have been lost. The more we are dependent on the server, the more serious your system gets when the server is attacked. DDoS attacks can make your Smart Home system come to a standstill.

Figure 1: Smart home network architecture

One of the possible solutions is to connect all the devices, so that when the servers are down, one of the remaining things can act as a controller for the other devices. Figure 2 expresses our idea about an improved network architecture for a Smart Home system. We will utilize the server for complex algorithms only, while restraining the server's interference in devices' connections. All the devices would have the ability to connect and authenticate with other devices within the smart home network via the help of the server in their initial phase. With our above example, if the PC is out of usage, the smartphone or tablet can act as controllers because they have been registered with the kitchen lights and the garage door. As a result, security in this architecture is a huge problem while we are trying to connect a lot of things with each other. Many dangerous situations can happen if strangers try to open the garage door with their smartphones. Without security, this architecture cannot be successful in the real world. We need to make sure that illegal things are not able to join the network. In this research, we will propose a protocol that supports D2D authentication with the assistance of the centralized gateway server. Since there are two phases in a security scheme, registration and authentication, in our proposed scheme, after registering with each other via help from servers, two devices can communicate with each other securely without the existence of the server in the authentication phase. Via this scheme, we expect to solve the issue of the dependence of IoT devices on their servers, to minimize the damage when the servers go down but still maintain the security of the whole smart system.

In a more general context, according to [45] the first and foremost requirement for IoT systems is to supply the communication between devices. This is because devices are the main users in IoT systems. And automatic D2D communication without any interruption from a centralized control is expected to be the intrinsic part of the IoT [46]. In fact, D2D communication refers to the paradigm where direct connectivity between devices takes place without routing the data through other network architecture. These communications introduce several benefits such as a high data transmission rate, reliable communications even when the network fails, and energy efficiency as devices use lower transmission power in close range [47]. D2D communication is also required to be secure to protect the data transmitted. Therefore, it is necessary to also provide mutual authentication between devices.

5. Preview of Wang-Scheme

In our protocol, we extend an existing scheme of Wang et al. [34], hereinafter referred to as Wang-Scheme. Wang-Scheme improves a scheme introduced by Kalra and Sood [32], which aims at authentication for resource-constrained devices in the IoT environment along with better security assurance. Understanding Wang-Scheme is necessary before getting to our proposed protocol. Table 2 lists the notations used in Wang-Scheme. In their scheme, Wang et al. assume there is a trusted server and several devices Di (Di ∈ D) wanting to connect to this server. X is the secret value that is only held by the server.

Figure 2: Improved Smart home network architecture

There are also other public parameters such as two cryptographic hash functions H and h, an elliptic curve E and a generator G on E. H maps an arbitrary string to an lH-bit string, while h maps an arbitrary string to an lh-bit string. 𝔾 is an additive group on E and G is a generator of this group.

Figure 3 describes the two phases of Wang-Scheme. In the registration phase, when an embedded device needs to register with the server, it chooses a unique IDi and sends IDi to the server. After receiving the request from Di, the server generates a random number Ri of length lH bits, then computes CKi, CK'i, Ti, Ai and A'i as follows:

$CK_i = h(R_i \| X \| EXPTime \| ID_i)$   (2)

$CK_i' = CK_i \times G$   (3)

$T_i = R_i \oplus H(X)$   (4)

$A_i = h(R_i \oplus H(X) \| CK_i')$   (5)

$A_i' = A_i \times G$   (6)

Table 2: Description of the notations used in Wang-Scheme.

Notation    Description
Di          An embedded device registered in the system
D           The set of devices D = {D1, D2, ..., Di}
S           The server
A           The attacker
IDi         The identification of the device Di
H           A cryptographic hash function with an output of lH bits, H: {0,1}* → {0,1}^lH
h           A cryptographic hash function with an output of lh bits, h: {0,1}* → {0,1}^lh
𝔾           An additive group implemented by an elliptic curve
G           A generator of the group 𝔾, a public parameter
EXPTime     The expiry time of a particular device
X           The server's secret key
SK          A session key output at the end of a scheme
||          Concatenation operation
⊕           XOR operation
×           Linear multiplication with a point on the elliptic curve

CK'i is then sent back to the device as the server's response for the registration phase. The server stores the values {IDi, EXPTime, Ti, A'i}, whereas the device stores the value CK'i. These values will be required in the next phase, when the authentication between the device and the server takes place.

In the authentication phase, the embedded device generates an lh-bit long random number N1. From N1, P1 and P2 are calculated by (7) and (8), then sent to the server for authentication.

$P_1 = N_1 \times G$   (7)

$P_2 = H(P_1 \| N_1 \times CK_i')$   (8)

Through EXPTime, X and Ti, the server can recompute CKi and use it to check whether P1 and P2 are valid by computing P'2 as (9) and comparing it to P2.

$P_2' = H(P_1 \| CK_i \times P_1)$   (9)

In case P'2 = P2, showing that they are valid, the server will randomly generate a long number N2, and compute P3 and P4 as (10) and (11).

$P_3 = N_2 \times G$   (10)

$P_4 = H(P_2' \| N_2 \times A_i')$   (11)

With the calculated results, the server returns the values {Ti, P3, P4} to Di. Now it is the turn of the device to verify the server by reconstructing Ai. Ai is calculated as (12) from CK'i and Ti. If Ai is correct, then P'4, which is calculated as (13), will be equal to P4, and the process continues. Otherwise, the authentication process fails when P4 and P'4 have different values.

$A_i = h(T_i \| CK_i')$   (12)

$P_4' = H(P_2 \| A_i \times P_3)$   (13)

The device uses P3 and P'4 to compute Vi and SKi as (14) and (15). Vi is afterwards sent to the server for crosschecking with the computed V'i in (16). V'i is supposed to have the same value as Vi. If it does, the authentication process is accomplished, and SKi in (15) and SK'i in (17) will be equal to each other. SKi then becomes the secret key between Di and the server for their current session.

• On the device:

$V_i = H(P_4' \| N_1 \times P_3)$   (14)

$SK_i = H(P_3 \| N_1 \times P_3)$   (15)

• On the server:

$V_i' = H(P_4 \| N_1 \times P_3)$   (16)

$SK_i' = H(P_3 \| N_2 \times P_1)$   (17)

Figure 3 describes the authentication process in Wang-Scheme. This scheme is demonstrated by the authors to be robust against different types of attacks and suitable in the IoT context since it does not require a lot of CPU resources. The ECC-based mutual authentication protocol between devices and the server provides a safer authentication environment and also reduces the power intake for computations compared with RSA. However, in this scheme the server controls everything. Furthermore, all connections between devices must go through it, which is not very efficient, as we have stated. Therefore, in the next section, we introduce a new scheme which not only keeps the security but also reduces the dependence on servers in device cooperation of this protocol.
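As an added worked example (not code from the paper or from Wang et al.), the registration phase (2)-(6) and the authentication phase (7)-(17) of Wang-Scheme in Python, run over a constructed 19-point toy curve so every step is traceable; the curve, the hash lengths, the scalar reduction and the sample identifiers are illustrative assumptions. It also shows why the server can check (16) without knowing N1: N2 × P1 equals N1 × P3, which is the same equality that makes (15) and (17) agree.

```python
import hashlib
import secrets

# Toy curve y^2 = x^3 + 2x + 2 over F_17 (constructed for this example, not a
# standards curve); the generator (5, 1) has prime order 19. The hash lengths
# below are also toy values: the point is traceability, not security.
P_MOD, CURVE_A = 17, 2
G, ORDER, INF = (5, 1), 19, None


def ec_add(p, q):
    """Affine point addition; INF is the point at infinity."""
    if p is INF or q is INF:
        return q if p is INF else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                                   # q == -p
    if p == q:
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, p):
    """Double-and-add scalar multiplication, the paper's 'k x P'."""
    result, addend = INF, p
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend, k = ec_add(addend, addend), k >> 1
    return result


def enc(point):
    """Byte encoding of a point so it can be hashed or concatenated ('||')."""
    return b"INF" if point is INF else f"{point[0]},{point[1]}".encode()


def H(*parts):                    # lH-bit hash (256 bits here)
    return hashlib.sha256(b"H" + b"".join(parts)).digest()


def h(*parts):                    # lh-bit hash (128 bits here, truncated SHA-256)
    return hashlib.sha256(b"h" + b"".join(parts)).digest()[:16]


def as_scalar(digest):
    """Hash output used as a curve scalar; the tiny group forces a reduction to [1, ORDER-1]."""
    return 1 + int.from_bytes(digest, "big") % (ORDER - 1)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def register(server, device_id, exp_time):
    """Registration, equations (2)-(6): server keeps {ID, EXPTime, T, A'}, device keeps CK'."""
    ri = secrets.token_bytes(32)                             # lH-bit random R_i
    ck = as_scalar(h(ri, server["X"], exp_time, device_id))  # (2)
    ck_pub = ec_mul(ck, G)                                   # (3) CK'_i
    ti = xor(ri, H(server["X"]))                             # (4)
    ai = as_scalar(h(ti, enc(ck_pub)))                       # (5) h(R_i xor H(X) || CK'_i)
    server["table"][device_id] = (exp_time, ti, ec_mul(ai, G))  # (6) A'_i stored
    return ck_pub


def authenticate(server, device_id, ck_pub):
    """Authentication, equations (7)-(17). Returns (ok, device_key, server_key)."""
    n1 = secrets.randbelow(ORDER - 1) + 1                    # device nonce N_1
    p1 = ec_mul(n1, G)                                       # (7)
    p2 = H(enc(p1), enc(ec_mul(n1, ck_pub)))                 # (8) -> {P1, P2} to server
    exp_time, ti, ai_pub = server["table"][device_id]
    ri = xor(ti, H(server["X"]))                             # server recovers R_i from T_i
    ck = as_scalar(h(ri, server["X"], exp_time, device_id))  # and recomputes CK_i
    if H(enc(p1), enc(ec_mul(ck, p1))) != p2:                # (9) P2' != P2: reject
        return False, None, None
    n2 = secrets.randbelow(ORDER - 1) + 1                    # server nonce N_2
    p3 = ec_mul(n2, G)                                       # (10)
    p4 = H(p2, enc(ec_mul(n2, ai_pub)))                      # (11) P2' == P2 here -> {T, P3, P4}
    ai = as_scalar(h(ti, enc(ck_pub)))                       # (12) device rebuilds A_i
    if H(p2, enc(ec_mul(ai, p3))) != p4:                     # (13) P4' != P4: reject server
        return False, None, None
    n1p3 = ec_mul(n1, p3)
    vi = H(p4, enc(n1p3))                                    # (14) -> V_i to server
    sk_device = H(enc(p3), enc(n1p3))                        # (15)
    n2p1 = ec_mul(n2, p1)                 # server has no N_1, but N2 x P1 == N1 x P3
    if H(p4, enc(n2p1)) != vi:                               # (16) V_i' != V_i: reject
        return False, None, None
    return True, sk_device, H(enc(p3), enc(n2p1))            # (17) SK_i' == SK_i


def demo():
    """Constructed run: one honest session, then a device presenting a wrong CK'_i."""
    server = {"X": secrets.token_bytes(32), "table": {}}
    ck_pub = register(server, b"lamp-01", b"2021-12-31")     # sample ID and EXPTime
    ok, sk_d, sk_s = authenticate(server, b"lamp-01", ck_pub)
    bad_ok, _, _ = authenticate(server, b"lamp-01", ec_mul(2, ck_pub))  # fails at (9)
    return ok and sk_d == sk_s, bad_ok
```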

6. Proposed Scheme

In this section, we present the complete authentication protocol between devices in the IoT network, which is an extension of Wang-Scheme [34]. As we have stated in Section 5, Wang-Scheme is designed to resolve the security holes existing in its previous versions [34, 32] and is proved to be safe from various attacks. On considering the idea of this protocol, we have been deeply inspired by its performance, since most of the computations use low-cost operations such as exclusive-or (XOR), concatenation and hash functions in combination with ECC. Furthermore, devices using this protocol are also not required to store too much data for authentication. However, they only proposed mutual authentication between registration servers and devices, while such authentication between end-devices was ignored in Wang-Scheme as well as its previous works. In fact, communications between end-devices happen very often, especially in the IoT context, thus they should be treated as seriously as those between them and servers. Our proposed protocol aims to fill this gap while preserving the computation and storage efficiency of the original protocols.

6.1. An overview of network entities

IoT systems consist of various kinds of components highly connected to each other, in which all components can communicate and interact with each other. These components are very diverse, ranging from large devices like servers, household devices, cars, gateways, etc. to small ones such as smartphones or sensors. Our proposed protocol is partially based on the centralized management model for the connection, authentication and access control among IoT devices. Therefore, despite the fact that they are different in terms of functions, resource constraints and sizes, those IoT components are represented by two main types of entities in our protocol:

Figure 3: The authentication scheme proposed by Wang et al.

Device $D_i$ | Server $S$

REGISTRATION
$D_i$: Choose a unique ID $ID_i$.
$D_i \to S$: Request to register with $ID_i$.
$S$: Generate a random $l_H$-bit string $R_i$; $CK_i = h(R_i \,\|\, X \,\|\, EXPTIME_i \,\|\, ID_i)$; $CK_i' = CK_i \times G$; $T_i = R_i \oplus H(X)$; $A_i = h(R_i \oplus H(X) \,\|\, CK_i')$; $A_i' = A_i \times G$. Store $\{A_i, T_i, ID_i, EXPTime_i\}$.
$S \to D_i$: $\{ID_i, CK_i'\}$.
$D_i$: Store $CK_i'$.

LOGIN AND AUTHENTICATION
$D_i$: Generate a random $N_1 \in [2, 2^{l_h}]$; $P_1 = N_1 \times G$; $P_2 = H(P_1 \,\|\, N_1 \times CK_i')$.
$D_i \to S$: $ID_i, P_1, P_2$.
$S$: Reconstruct $CK_i$ using the stored $T_i$, $EXPTime_i$ and the secret $X$; generate a random $N_2 \in [2, 2^{l_h}]$; $P_2' = H(P_1 \,\|\, CK_i \times P_1)$, abort if $P_2' \neq P_2$; $P_3 = N_2 \times G$; $P_4 = H(P_2' \,\|\, N_2 \times A_i')$.
$S \to D_i$: $T_i, P_3, P_4$.
$D_i$: $A_i = h(T_i \,\|\, CK_i')$; $P_4' = H(P_2 \,\|\, A_i \times P_3)$, abort if $P_4' \neq P_4$; $V_i = H(P_4' \,\|\, N_1 \times P_3)$; $SK_i = H(P_3 \,\|\, N_1 \times P_3)$.
$D_i \to S$: $V_i$.
$S$: $V_i' = H(P_4 \,\|\, N_2 \times P_1)$, abort if $V_i' \neq V_i$; $SK_i' = H(P_3 \,\|\, N_2 \times P_1)$.

• Trusted servers: The centralized servers which are responsible for storing, managing, authenticating and controlling access of devices within their systems. Our study works with the assumption that those servers are trustworthy and well-protected, so that it is very hard for attackers to compromise their security or cause any data leakage.

• Devices: The other components controlled and managed by the servers are devices. Although these devices may vary in their size and characteristics as mentioned, in this research we mainly focus on ones with low computational and storage capabilities, as well as limited energy capacity.

Concentrating the control on just some centralized trusted servers brings many advantages in the context of IoT systems. Servers have great computation and storage capabilities while not being limited in their power consumption. Therefore, having these servers store most of the data and handle complicated computations will reduce the workload on other devices in the system. The existence of these centralized servers also helps the whole system quickly employ complex management policies such as access control or the provisioning of privileges for devices and users. Those advantages of the centralized model greatly outweigh other models, which has inspired us to continue developing the protocol based on it.

6.2. Protocol description

The proposed authentication protocol consists of three main phases as represented in Figure 4:

• Phase 1: Registration
This is the very first step for every device when joining the system. Its purpose is to register a device's identity with the server. At the end of this phase, when the server completes calculating and storing its authentication data, the device receives a response with secure cookie data used for the later authentication phases.

Figure 4: Three phases of the authentication protocol.

• Phase 2: Authentication between the servers and device
The authentication process happens before devices can start their connections with the rest of the network, which is firstly between them and the servers. In this phase, the device presents its credentials, i.e. its cookie data, to the server. The server then verifies those credentials to know whether the device is allowed to connect. Simultaneously, the device also needs to be guaranteed that it is actually connecting to the true server. That is why, by the end of this phase, valid devices and the server should be mutually authenticated by each other and their common session keys will be created.

• Phase 3: Authentication between two devices
As communications among devices happen more often than between them and the servers in IoT systems, devices also need to be mutually authenticated by each other before communicating. The goal of this phase is similar to the second phase, that is, their identities are verified, and common session keys are created for later securing the messages exchanged.

The protocol in Phase 1 and Phase 2 is kept the same as the original protocol which we have described in Section 5 and Figure 3. In this article, we integrate and extend the original protocols with Phase 3, in which two devices mutually prove their authenticity to each other. This is also the main contribution of this work. Hence, for the sake of easy understanding, in this article we keep the notations almost the same as those of the original protocol shown in Table 2 so that readers can better follow. The subsequent description of our scheme will be based on the case study, that is, after completing Phase 1 and Phase 2, the two devices, let us say $D_1$ and $D_2$, have successfully authenticated with the server $S$, with the session keys $SK_1$ and $SK_2$ respectively generated. Next, they want to start a new connection between them to exchange some data. Provided that the connection request first comes from $D_1$, the authentication process between them in Phase 3 will be as follows.

• Step 1: To prepare for the authentication request with $D_2$, $D_1$ generates a random $l_h$-bit number $N_1$. $N_1$ is then used to compute $P_1$ and $P_2$ as in (18), (19) and (20).

$$P_1 = N_1 \times G \tag{18}$$

$$N_1' = N_1 \cdot h(SK_1) \tag{19}$$

$$P_2 = H(P_1 \,\|\, N_1' \times G) \tag{20}$$

• Step 2: $P_1$, $P_2$ and $ID_1$ are sent from $D_1$ to $D_2$ in a connection request. When $D_2$ receives this request, it generates another random nonce $N_2$ of the same length as $N_1$ ($l_h$-bit). Using this nonce, $D_2$ computes $P_3$ as in (21).

$$P_3 = N_2 \times G \tag{21}$$

Next, $D_2$ asks the server to verify the connection request of $D_1$ by forwarding this request plus the value of $P_3$ to the server. As we know, after completing Phase 2 each device is authenticated by the server and a common session key is generated at the end of that phase. Hence, all later messages between devices and the server will be encrypted with their session keys in order to guarantee their security by preventing overhearing and tampering. Such encrypted communications are denoted by Enc() as shown in Figure 5.

• Step 3: When the server receives the message from $D_2$, it first retrieves the information about $D_1$ and $D_2$ from its database to check whether they have the permissions for communicating with each other. In detail, the server needs to check and make sure the following statements are true.

– $D_1$ and $D_2$ have been successfully authenticated with the server and their sessions have not expired yet.
– $D_1$ and $D_2$ are permitted to connect and communicate with each other.

Please note that in this proposed scheme we only consider the minimum requirements that allow any two devices to connect. Further constraints can be added depending on the security requirements of particular systems. If both of the above statements are true, the server will use $P_1$ and its stored session key $SK_1$ with $D_1$ to compute $P_2'$ as in (22). This value should be equal to the received value of $P_2$, as shown in the proof (23).

$$P_2' = H(P_1 \,\|\, h(SK_1) \times P_1) \tag{22}$$

Proof:

$$\begin{aligned} P_2' &= H(P_1 \,\|\, h(SK_1) \times P_1) \\ &= H(P_1 \,\|\, h(SK_1) \times (N_1 \times G)) \\ &= H(P_1 \,\|\, (h(SK_1) \cdot N_1) \times G) \\ &= H(P_1 \,\|\, N_1' \times G) \\ &\equiv P_2 \end{aligned} \tag{23}$$

Comparing $P_2$ and $P_2'$, the server will abort the authentication process between the two devices if these values are not equal. Otherwise, it calculates $P_4$ as in (24), then encrypts it with $SK_2$ before sending it back to $D_2$ so that the two devices can continue generating the common cryptographic key between them.

$$P_4 = H(P_3 \,\|\, h(SK_1) \times P_1) \tag{24}$$

• Step 4: On receiving the value instead of an abort message from the server, $D_2$ is guaranteed that the connection request was truly generated by $D_1$. Therefore, $D_2$ generates an expiry time $EXPTime_{12}$, sends $P_3$ and $P_4$ to $D_1$, then continues to calculate the common session key between them by (25).

$$SK_{12} = H(P_1 \,\|\, N_2 \times P_1) \tag{25}$$

However, $D_2$ will not store this session key in its database until it receives a final confirmation from $D_1$, when it is sure that the two devices have been able to generate the same session key themselves. The reason for this final confirmation will be explained in the next steps.

• Step 5: When receiving the response from $D_2$, $D_1$ needs to verify that it is truly $D_2$ (and not an adversary) it is talking to. In order to do this, $D_1$ re-computes $P_4'$ by (26) and compares the result with the value $P_4$ received from $D_2$. The fact that only the server has the ability to generate $P_4$ (with $SK_1$) and then securely sends this value to $D_2$ guarantees that $D_2$ is not impersonated by any adversary. As a result, $D_1$ can now authenticate $D_2$.

$$P_4' = H(P_3 \,\|\, N_1' \times G) \tag{26}$$

Proof:

$$\begin{aligned} P_4' &= H(P_3 \,\|\, N_1' \times G) \\ &= H(P_3 \,\|\, (N_1 \cdot h(SK_1)) \times G) \\ &= H(P_3 \,\|\, h(SK_1) \times (N_1 \times G)) \\ &= H(P_3 \,\|\, h(SK_1) \times P_1) \\ &\equiv P_4 \end{aligned} \tag{27}$$

The common session key $SK_{21}$ with $D_2$ is calculated by (28). We can see that $SK_{21}$ should equal $SK_{12}$, as $N_1 \times P_3 \equiv N_2 \times P_1 \equiv (N_1 \cdot N_2) \times G$. After obtaining the common session key, $D_1$ sends the encryption of $P_1$ under the key $SK_{21}$ to $D_2$. Similarly, $D_1$ chooses an expiry time $EXPTime_{21}$. It completes the authentication process after storing $ID_2$, $EXPTime_{21}$ and $SK_{21}$ in its memory.

$$SK_{21} = H(P_1 \,\|\, N_1 \times P_3) \tag{28}$$

• Step 6: $D_2$ receives the confirmation from $D_1$. It then decrypts the confirmation message with the key created in Step 4. If $P_1$ can be recovered from the decrypted message, $D_2$ finally stores $ID_1$, the key $SK_{12}$ and the expiry time $EXPTime_{12}$. This final step is necessary because any attacker can capture a connection request from $D_1$ and replay it afterwards. If $D_2$ did not wait for this final confirmation, it might mistakenly update an invalid session key and the current secure connection with $D_1$ would be corrupted. Hence, the final confirmation from $D_1$ helps to avoid such replay attacks.

We can see that the protocol is designed to achieve another important property: only the two devices know the common session key between them. Even the server, which supports their mutual authentication, cannot compute this session key. This brings many advantages from the perspective of security and privacy, which will be further discussed and analyzed in Section 7. We also note that any message in this phase is associated with a timeout to prevent any long delay. If any message expires before the authentication process completes, the protocol will be terminated and the process will then be considered failed. Figure 5 summarizes the whole process of this phase.
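The six steps above, simulated end to end as an added example (this is not the authors' code, nor an implementation shipped with the paper). It runs on the paper's own Curve M-221 from eq. (29) with an x-coordinate-only Montgomery ladder, so every "×" below is a scalar multiplication on x-coordinates; SHA-256 stands in for both H() and h(), the AES-based Enc() of the paper is replaced by a keystream-XOR-plus-HMAC wrapper so that "cannot be decrypted" in Step 6 has a concrete meaning, the base-point x-coordinate 4 is an assumption, and the Step 3 permission look-up is left out. Feeding the same run a captured request shows why Step 6 withholds $SK_{12}$: the server's check of Step 3 still passes, but $D_2$ never stores the key.

```python
import hashlib
import hmac
import secrets

# Curve M-221, the curve the paper selects in eq. (29): y^2 = x^3 + 117050x^2 + x over p = 2^221 - 3.
P_MOD = 2**221 - 3
A24 = (117050 + 2) // 4      # (A + 2)/4, the constant the Montgomery ladder uses
G_X = 4                      # base-point x-coordinate (assumed); the identities below hold for any x
L_H = 221                    # nonce length l_h in bits (Table 6)

def ec_mul(k, x):
    """x-coordinate-only Montgomery ladder (RFC 7748 form): returns x(k*P) given x(P).
    Only x-coordinates are exchanged in this example, so 'N x P' everywhere means this call."""
    x1, x2, z2, x3, z3, swap = x, 1, 0, x, 1, 0
    for t in reversed(range(k.bit_length())):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P_MOD, (x2 - z2) % P_MOD
        aa, bb = a * a % P_MOD, b * b % P_MOD
        e = (aa - bb) % P_MOD
        da, cb = (x3 - z3) * a % P_MOD, (x3 + z3) * b % P_MOD
        x3, z3 = (da + cb) ** 2 % P_MOD, x1 * (da - cb) ** 2 % P_MOD
        x2, z2 = aa * bb % P_MOD, e * (aa + A24 * e) % P_MOD
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, P_MOD - 2, P_MOD) % P_MOD

def pt(x):
    return x.to_bytes(28, "big")               # a 221-bit x-coordinate as 28 bytes

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()   # H(a || b); SHA-256 stands in for the paper's hash

def h_int(data):
    return int.from_bytes(H(data), "big")      # h(): the hash used as an integer scalar

def rand_nonce():
    return 2 + secrets.randbelow(2**L_H - 2)   # N in [2, 2^l_h)

def _stream(key, n):
    return b"".join(H(key, i.to_bytes(4, "big")) for i in range(n // 32 + 1))

def enc(key, msg):
    """Enc(): stand-in for the paper's AES. Keystream XOR, then an HMAC tag over the ciphertext."""
    ct = bytes(m ^ k for m, k in zip(msg, _stream(key, len(msg))))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def dec(key, blob):
    """Plaintext, or None when the tag does not verify ('cannot be decrypted' in the paper's words)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _stream(key, len(ct))))

def d1_request(sk1, n1):
    """Step 1, eqs. (18)-(20): P1 = N1 x G, N1' = N1 * h(SK1), P2 = H(P1 || N1' x G)."""
    p1 = ec_mul(n1, G_X)
    return p1, H(pt(p1), pt(ec_mul(n1 * h_int(sk1), G_X)))

def server_verify(sk1, sk2, blob):
    """Step 3: open D2's forward, recompute P2' = H(P1 || h(SK1) x P1) (eq. 22), answer Enc_SK2(P4)."""
    m = dec(sk2, blob)
    if m is None:
        return None
    p1, p2, p3 = int.from_bytes(m[:28], "big"), m[28:60], int.from_bytes(m[60:88], "big")
    shared = pt(ec_mul(h_int(sk1), p1))        # h(SK1) x P1, computed once and reused
    if H(pt(p1), shared) != p2:                # proof (23): P2' must equal P2, otherwise abort
        return None
    return enc(sk2, H(pt(p3), shared))         # P4 = H(P3 || h(SK1) x P1) (eq. 24)

def d1_verify(sk1, n1, p1, p3, p4):
    """Step 5: check P4' = H(P3 || N1' x G) (eq. 26), derive SK21 = H(P1 || N1 x P3) (eq. 28), confirm."""
    if H(pt(p3), pt(ec_mul(n1 * h_int(sk1), G_X))) != p4:
        return None
    sk21 = H(pt(p1), pt(ec_mul(n1, p3)))
    return sk21, enc(sk21, pt(p1))             # Enc_SK21(P1): the final confirmation

def run_phase3(sk1, sk2, n1=None, replay=None):
    """One Phase 3 run. With replay=(P1, P2, old confirmation) the captured request is
    re-sent by a party holding no N1, the scenario that Step 6 guards against."""
    p1, p2 = replay[:2] if replay else d1_request(sk1, n1)
    n2 = rand_nonce()
    p3 = ec_mul(n2, G_X)                       # Step 2: P3 = N2 x G (eq. 21)
    reply = server_verify(sk1, sk2, enc(sk2, pt(p1) + p2 + pt(p3)))
    if reply is None:
        return {"server": "abort"}
    p4 = dec(sk2, reply)
    sk12 = H(pt(p1), pt(ec_mul(n2, p1)))       # Step 4: SK12 = H(P1 || N2 x P1) (eq. 25), held back
    if replay:
        sk21, confirm = None, replay[2]        # the replaying party can only resend the old Enc_SK21(P1)
    else:
        res = d1_verify(sk1, n1, p1, p3, p4)
        if res is None:
            return {"server": "ok", "d1": "abort"}
        sk21, confirm = res
    stored = dec(sk12, confirm) == pt(p1)      # Step 6: D2 stores SK12 only if P1 comes out
    return {"server": "ok", "sk12": sk12, "sk21": sk21, "d2_stored": stored,
            "p1": p1, "p2": p2, "confirm": confirm}
```

In an honest run the two keys agree because $N_1 \times P_3$ and $N_2 \times P_1$ are both $x((N_1 N_2) \times G)$, exactly the identity the text gives after (28), and the server's $P_2'$ and $D_1$'s $P_4'$ match for the reasons in proofs (23) and (27). The replayed run reaches Step 4 with a fresh $N_2$, so the old confirmation no longer opens under the new $SK_{12}$ and `d2_stored` stays false.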

7. Security analysis

In this section, we prove that our proposed authentication protocol is secure and resilient to different attacks by conducting a thorough security analysis of the scheme. Our work includes a formal security analysis with Burrows-Abadi-Needham logic (BAN-logic) as well as an informal analysis to prove the resilience of the proposed scheme to different popular attacks. The analysis mainly focuses on Phase 3, in which two devices mutually authenticate each other. The security proofs for Phase 1 and Phase 2 (Registration and Device-Server Authentication) are given in [34].

Figure 5: Representations of the authentication protocol between two devices with the support of the centralized server.

Device $D_1$ | Device $D_2$ | Server $S$

$D_1$: Generate a random nonce $N_1 \in [2, 2^{l_h}]$; $N_1' = (N_1 \cdot h(SK_1)) \times G$; $P_1 = N_1 \times G$; $P_2 = H(P_1 \,\|\, N_1')$.
$D_1 \to D_2$: $P_1, P_2, ID_1$.
$D_2$: Generate a random nonce $N_2 \in [2, 2^{l_h}]$; $P_3 = N_2 \times G$.
$D_2 \to S$: $ID_2, \{P_1, P_2, P_3, ID_1\}_{SK_2}$.
$S$: $P_2' = H(P_1 \,\|\, h(SK_1) \times P_1) \stackrel{?}{=} P_2$; $P_4 = H(P_3 \,\|\, h(SK_1) \times P_1)$.
$S \to D_2$: $\{P_3, P_4\}_{SK_2}$.
$D_2 \to D_1$: $P_3, P_4$.
$D_1$: $P_4' = H(P_3 \,\|\, N_1') \stackrel{?}{=} P_4$; $SK_{12} = H(P_1 \,\|\, N_1 \times P_3)$; store $\{SK_{12}, ID_2, EXPTime_{12}\}$.
$D_1 \to D_2$: $M = \{P_1\}_{SK_{12}}$.
$D_2$: $SK_{21} = H(P_1 \,\|\, N_2 \times P_1)$; store $\{SK_{21}, ID_1, EXPTime_{21}\}$ if $M$ can be decrypted with $SK_{21}$.

7.1. Formal analysis

We present a formal analysis of our proposed protocol with BAN-logic [48]. BAN-logic has been widely known and applied to formally prove the correctness of mutual authentication and key agreement protocols. Hence, our goal for this analysis is to prove that our proposed scheme can successfully achieve mutual authentication and session key agreement between participants. Before going into the details, we briefly describe the basic notations as well as the logical postulates of BAN-logic.

7.1.1. BAN-logic overview

a) Notations.

• $P \mid\equiv X$: $P$ believes that $X$ holds.
• $P \triangleleft X$: $P$ sees the formula $X$.
• $P \Rightarrow X$: $P$ has jurisdiction over $X$, which means $P$ has complete control over the formula $X$.
• $P \mid\sim X$: $P$ once said $X$. The principal $P$ at some time sent a message including the statement $X$.
• $\#(X)$: The formula $X$ is fresh, that is, $X$ has not been sent in a message at any time before the current run of the protocol.
• $P \xleftrightarrow{K} Q$: $P$ and $Q$ share a secret key $K$. $P$ and $Q$ can use $K$ to communicate with each other and it is known only to them.
• $\overset{K}{\longmapsto} P$: $P$ has $K$ as a public key. The corresponding secret key (the inverse of $K$, denoted $K^{-1}$) will never be discovered by any other principal.
• $P \overset{X}{\rightleftharpoons} Q$: The formula $X$ is a secret known only to $P$ and $Q$, and possibly to principals trusted by them. Only $P$ and $Q$ may use $X$ to prove their identities to one another.
• $\{X\}_Y$: Encryption of $X$ with key $Y$.
• $\langle X \rangle_Y$: This represents $X$ combined with the formula $Y$; it is intended that $Y$ be a secret, and that its presence proves the identity of whoever utters $\langle X \rangle_Y$.
• $\alpha_X$: The elliptic curve multiplication by an integer $X$.

b) Logical postulates of the BAN logic.

• The message meaning rule for shared keys:

$$R_1: \frac{P \mid\equiv P \xleftrightarrow{K} Q,\; P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$$

• The message meaning rule for public keys:

$$R_2: \frac{P \mid\equiv\, \overset{K}{\longmapsto} Q,\; P \triangleleft \{X\}_{K^{-1}}}{P \mid\equiv Q \mid\sim X}$$

• The message meaning rule for shared secrets:

$$R_3: \frac{P \mid\equiv P \overset{Y}{\rightleftharpoons} Q,\; P \triangleleft \langle X \rangle_Y}{P \mid\equiv Q \mid\sim X}$$

• The nonce verification rule:

$$R_4: \frac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$$

• The belief rules:

$$R_5: \frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}, \qquad R_6: \frac{P \mid\equiv (X, Y)}{P \mid\equiv X}$$

• The said rules:

$$R_7: \frac{P \mid\sim (X, Y)}{P \mid\sim X}, \qquad R_8: \frac{P \mid\sim (X, Y)}{P \mid\sim X}$$

• The see rules:

$$R_9: \frac{P \mid\equiv P \xleftrightarrow{K} Q,\; P \triangleleft \{X\}_K}{P \triangleleft X}, \qquad R_{10}: \frac{P \triangleleft (X, Y)}{P \triangleleft X}, \qquad R_{11}: \frac{P \mid\equiv\, \overset{K}{\longmapsto} P,\; P \triangleleft \{X\}_K}{P \triangleleft X}$$

• The fresh promotion rules:

$$R_{12}: \frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}, \qquad R_{13}: \frac{P \mid\equiv \#(X)}{P \mid\equiv \#(\alpha_X)}$$

• The random rule:

$$R_{14}: \frac{P \text{ chooses a random } X}{P \mid\equiv \#(X)}$$

• The jurisdiction rule:

$$R_{15}: \frac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$$

• The session key rule:

$$R_{16}: \frac{P \mid\equiv \#(k),\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv P \xleftrightarrow{k} Q}$$

in which $X$ denotes the necessary elements for a key.

7.1.2. Device-Device authentication (Phase 3)

• Goals:

Goal 1. $D_1 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$
Goal 2. $D_1 \mid\equiv D_2 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$
Goal 3. $D_2 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$
Goal 4. $D_2 \mid\equiv D_1 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$

• Idealized messages:

$M_1: D_1 \to D_2: \alpha_{N_1}, \langle \alpha_{N_1} \rangle_{SK_1}$
$M_2: D_2 \to S: \{\alpha_{N_1}, \langle \alpha_{N_1} \rangle_{SK_1}\}_{SK_2}$
$M_3: S \to D_2: \{\alpha_{N_2}, \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{SK_1}\}_{SK_2}$
$M_4: D_2 \to D_1: \alpha_{N_2}, \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{SK_1}$
$M_5: D_1 \to D_2: \{\alpha_{N_1}\}_{SK_{12}}$

• Assumptions:

$A_1: D_1 \mid\equiv D_1 \xleftrightarrow{SK_1} S$
$A_2: D_1 \mid\equiv D_1 \overset{SK_1}{\rightleftharpoons} S$
$A_3: D_2 \mid\equiv D_2 \xleftrightarrow{SK_2} S$
$A_4: D_2 \mid\equiv D_2 \overset{SK_2}{\rightleftharpoons} S$
$A_5: S \mid\equiv D_1 \xleftrightarrow{SK_1} S$
$A_6: S \mid\equiv D_1 \overset{SK_1}{\rightleftharpoons} S$
$A_7: S \mid\equiv D_2 \xleftrightarrow{SK_2} S$
$A_8: S \mid\equiv D_2 \overset{SK_2}{\rightleftharpoons} S$
$A_9: D_1 \mid\equiv D_2 \Rightarrow N_2$
$A_{10}: D_1 \mid\equiv D_2 \Rightarrow \alpha_{N_2}$
$A_{11}: D_2 \mid\equiv D_1 \Rightarrow N_1$
$A_{12}: D_2 \mid\equiv D_1 \Rightarrow \alpha_{N_1}$
$A_{13}$: If $D_1 \mid\equiv S \mid\equiv X$ then $D_1 \mid\equiv D_2 \mid\equiv X$. This assumption comes from the public knowledge in the network of the server $S$'s control over the D2D authentication process.

• Verification:

(1) From the fact that $D_1$ generates $N_1$ we get: $S_1: D_1 \mid\equiv N_1$
(2) We apply $R_{14}$ to the fact that $D_1$ chooses a random nonce $N_1$ to derive: $S_2: D_1 \mid\equiv \#(N_1)$
(3) We apply $R_{13}$ to $S_2$ to get: $S_3: D_1 \mid\equiv \#(\alpha_{N_1})$
(4) From the fact that $D_2$ generates $N_2$ we get: $S_4: D_2 \mid\equiv N_2$
(5) We apply $R_{14}$ to the fact that $D_2$ chooses a random nonce $N_2$ to derive: $S_5: D_2 \mid\equiv \#(N_2)$
(6) We apply $R_{13}$ to $S_5$ to derive: $S_6: D_2 \mid\equiv \#(\alpha_{N_2})$
(7) From $M_4$ we get: $S_7: D_1 \triangleleft (\alpha_{N_2}, \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{SK_1})$
(8) We apply $R_9$ to $S_7$ to derive: $S_8: D_1 \triangleleft \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{SK_1}$
(9) Applying $R_3$ to $A_2$ and $S_8$ we get: $S_9: D_1 \mid\equiv S \mid\sim (\alpha_{N_1}, \alpha_{N_2})$
(10) Applying $R_{12}$ to $A_2$ and $S_3$ we get: $S_{10}: D_1 \mid\equiv \#(\alpha_{N_1}, \alpha_{N_2})$
(11) We apply $R_4$ to $S_9$ and $S_{10}$ to derive: $S_{11}: D_1 \mid\equiv S \mid\equiv (\alpha_{N_1}, \alpha_{N_2})$
(12) We apply $R_5$ to $S_{11}$ to derive: $S_{12}: D_1 \mid\equiv S \mid\equiv \alpha_{N_1}$; $S_{13}: D_1 \mid\equiv S \mid\equiv \alpha_{N_2}$
(13) With $A_{13}$, $S_{12}$ and $S_{13}$, we have: $S_{14}: D_1 \mid\equiv D_2 \mid\equiv \alpha_{N_1}$; $S_{15}: D_1 \mid\equiv D_2 \mid\equiv \alpha_{N_2}$
(14) We apply $R_{16}$ to $S_{15}$ and $A_{10}$ to derive: $S_{16}: D_1 \mid\equiv \alpha_{N_2}$
(15) From $S_{16}$ and $S_2$ we derive (as $SK_{12} = H(\alpha_{N_1} \,\|\, \alpha_{N_1 N_2})$): $S_{17}: D_1 \mid\equiv \#(SK_{12})$
(16) We apply $R_{16}$ to $S_{17}$ and $S_{15}$ to derive: $S_{18}: D_1 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$ (Goal 1)
(17) We apply $R_6$ to $S_{15}$ to derive: $S_{19}: D_1 \mid\equiv D_2 \mid\equiv N_2$
(18) From $S_{14}$ and $S_{19}$ we derive: $S_{20}: D_1 \mid\equiv D_2 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$ (Goal 2)
(19) As the protocol takes advantage of the ECDLP and ECDHP, we can derive the following statements to support the further process of deriving the beliefs of $D_1$ and $D_2$: $S_{21}: D_1 \mid\equiv D_1 \overset{\alpha_{N_1 N_2}}{\rightleftharpoons} D_2$; $S_{22}: D_2 \mid\equiv D_1 \overset{\alpha_{N_1 N_2}}{\rightleftharpoons} D_2$
(20) $M_5$ can be rewritten as: $M_5': D_1 \to D_2: \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{\alpha_{N_1 N_2}}$
(21) From $M_5'$ we have: $S_{23}: D_2 \triangleleft \langle \alpha_{N_1}, \alpha_{N_2} \rangle_{\alpha_{N_1 N_2}}$
(22) We apply $R_3$ to $S_{22}$ and $S_{23}$ to derive: $S_{24}: D_2 \mid\equiv D_1 \mid\sim (\alpha_{N_1}, \alpha_{N_2})$
(23) We apply $R_{12}$ to $S_6$ to derive: $S_{25}: D_2 \mid\equiv \#(\alpha_{N_1}, \alpha_{N_2})$
(24) We apply $R_4$ to $S_{24}$ and $S_{25}$ to derive: $S_{26}: D_2 \mid\equiv D_1 \mid\equiv (\alpha_{N_1}, \alpha_{N_2})$
(25) We apply $R_6$ to $S_{26}$ to derive: $S_{27}: D_2 \mid\equiv D_1 \mid\equiv \alpha_{N_1}$; $S_{28}: D_2 \mid\equiv D_1 \mid\equiv \alpha_{N_2}$
(26) We apply $R_{15}$ to $S_{27}$ and $A_{12}$ to derive: $S_{29}: D_2 \mid\equiv \alpha_{N_1}$
(27) From $S_{16}$ and $S_2$ we derive (as $SK_{12} = H(\alpha_{N_1} \,\|\, \alpha_{N_1 N_2})$): $S_{30}: D_2 \mid\equiv \#(SK_{12})$
(28) We apply $R_{16}$ to $S_{27}$ and $S_{30}$ to derive: $S_{31}: D_2 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$ (Goal 3)
(29) We apply $R_6$ to $S_{15}$ to derive: $S_{32}: D_2 \mid\equiv D_1 \mid\equiv N_1$
(30) From $S_{28}$ and $S_{32}$ we derive: $S_{33}: D_2 \mid\equiv D_1 \mid\equiv D_1 \xleftrightarrow{SK_{12}} D_2$ (Goal 4)
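The derivation of Goal 1, steps (1) to (16) above, replayed by a small proof checker as an added example (this is not the authors' work). Formulas are tuples, and each rule method refuses to fire unless its premises are already in the set of established beliefs, so a step that cites something the proof has not yet reached is rejected. Rule names follow the list in Section 7.1.1; the step (14) application, whose conclusion $D_1 \mid\equiv \alpha_{N_2}$ is the jurisdiction form, is encoded as $R_{15}$, and the freshness carried from $N_1$ into $SK_{12}$ in step (15) is a separate `kdf` step because the rule list has no rule for it. The principal names and the tuple encoding are assumptions of the example.

```python
D1, D2, S = "D1", "D2", "S"                     # principals
N1, N2, SK1, SK12 = "N1", "N2", "SK1", "SK12"   # nonces and keys, by name only

# Formula constructors; nested tuples are hashable, so they can live in a set.
def bel(p, x): return ("believes", p, x)        # P |≡ X
def sees(p, x): return ("sees", p, x)           # P ◁ X
def said(p, x): return ("said", p, x)           # P |~ X
def fresh(x): return ("fresh", x)               # #(X)
def ctrl(p, x): return ("controls", p, x)       # P ⇒ X
def secret(p, q, y): return ("secret", p, q, y) # P ⇌Y Q
def key(p, q, k): return ("key", p, q, k)       # P ↔K Q
def pair(x, y): return ("pair", x, y)           # (X, Y)
def alpha(n): return ("alpha", n)               # α_N, i.e. N × G
def combined(x, y): return ("combined", x, y)   # ⟨X⟩_Y

class Derivation:
    def __init__(self, assumptions):
        self.facts = set(assumptions)

    def _need(self, *premises):
        for f in premises:
            if f not in self.facts:
                raise ValueError(f"premise not established: {f}")

    def _add(self, f):
        self.facts.add(f)
        return f

    def r14(self, p, x):                        # random rule: P chose X at random  ⊢  P |≡ #(X)
        return self._add(bel(p, fresh(x)))

    def r13(self, p, x):                        # P |≡ #(X)  ⊢  P |≡ #(α_X)
        self._need(bel(p, fresh(x)))
        return self._add(bel(p, fresh(alpha(x))))

    def r12(self, p, x, y):                     # P |≡ #(X)  ⊢  P |≡ #(X, Y)
        self._need(bel(p, fresh(x)))
        return self._add(bel(p, fresh(pair(x, y))))

    def see(self, p, x, y):                     # see rule for pairs: P ◁ (X, Y)  ⊢  P ◁ X, P ◁ Y
        self._need(sees(p, pair(x, y)))
        self._add(sees(p, x))
        return self._add(sees(p, y))

    def r3(self, p, q, x, y):                   # P |≡ P ⇌Y Q, P ◁ ⟨X⟩_Y  ⊢  P |≡ Q |~ X
        self._need(bel(p, secret(p, q, y)), sees(p, combined(x, y)))
        return self._add(bel(p, said(q, x)))

    def r4(self, p, q, x):                      # P |≡ #(X), P |≡ Q |~ X  ⊢  P |≡ Q |≡ X
        self._need(bel(p, fresh(x)), bel(p, said(q, x)))
        return self._add(bel(p, bel(q, x)))

    def r5(self, p, q, x, y):                   # P |≡ Q |≡ (X, Y)  ⊢  P |≡ Q |≡ X, P |≡ Q |≡ Y
        self._need(bel(p, bel(q, pair(x, y))))
        self._add(bel(p, bel(q, x)))
        return self._add(bel(p, bel(q, y)))

    def a13(self, p, q, x):                     # the paper's A13: P |≡ S |≡ X  ⊢  P |≡ Q |≡ X
        self._need(bel(p, bel(S, x)))
        return self._add(bel(p, bel(q, x)))

    def r15(self, p, q, x):                     # jurisdiction: P |≡ Q ⇒ X, P |≡ Q |≡ X  ⊢  P |≡ X
        self._need(bel(p, ctrl(q, x)), bel(p, bel(q, x)))
        return self._add(bel(p, x))

    def kdf(self, p, n, k):                     # step (15): K = H(α_N || ...) inherits the freshness of N
        self._need(bel(p, fresh(n)))
        return self._add(bel(p, fresh(k)))

    def r16(self, p, q, k, x):                  # P |≡ #(K), P |≡ Q |≡ X  ⊢  P |≡ P ↔K Q
        self._need(bel(p, fresh(k)), bel(p, bel(q, x)))
        return self._add(bel(p, key(p, q, k)))

def prove_goal1():
    """Replays steps (1)-(16) for D1 and returns the derived Goal 1 formula."""
    wrapped = combined(pair(alpha(N1), alpha(N2)), SK1)   # ⟨α_N1, α_N2⟩_SK1 carried by M4
    d = Derivation([
        bel(D1, secret(D1, S, SK1)),                       # A2
        bel(D1, ctrl(D2, alpha(N2))),                      # A10
        sees(D1, pair(alpha(N2), wrapped)),                # S7: D1 receives M4
    ])
    d.r14(D1, N1)                                          # S2
    d.r13(D1, N1)                                          # S3
    d.see(D1, alpha(N2), wrapped)                          # S8
    d.r3(D1, S, pair(alpha(N1), alpha(N2)), SK1)           # S9
    d.r12(D1, alpha(N1), alpha(N2))                        # S10
    d.r4(D1, S, pair(alpha(N1), alpha(N2)))                # S11
    d.r5(D1, S, alpha(N1), alpha(N2))                      # S12, S13
    d.a13(D1, D2, alpha(N1)); d.a13(D1, D2, alpha(N2))     # S14, S15
    d.r15(D1, D2, alpha(N2))                               # S16 (jurisdiction)
    d.kdf(D1, N1, SK12)                                    # S17
    return d.r16(D1, D2, SK12, alpha(N2))                  # S18, Goal 1

def skipped_step_is_rejected():
    """Nonce verification (R4) without the message meaning step (R3) must not go through."""
    d = Derivation([bel(D1, fresh(pair(alpha(N1), alpha(N2))))])
    try:
        d.r4(D1, S, pair(alpha(N1), alpha(N2)))
    except ValueError:
        return True
    return False
```

The checker only covers what a belief set can express: it confirms that every cited premise was derived before it was used, not that the idealisation in $M_1$ to $M_5$ is faithful to the messages of Figure 5, which remains a judgement the reader makes by comparison.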

7.2. Informal analysis

7.2.1. Security properties

• Mutual authentication: As shown in our proposed protocol, each device is able to authenticate the identity of the other. Therefore, mutual authentication is achieved with this scheme.

• Confidentiality: Confidentiality refers to the cipher algorithm and key agreement, and to the confidentiality of private device data. These demands are successfully fulfilled in the proposed protocol. At the end of Phase 3, two devices agree on a common session key for securing their further conversations. Despite private data of devices being used during the authentication phase, the protocol still guarantees the confidentiality of such data with the use of random nonces for each run and final wrappers with hash functions. This way, even if an attacker captures the data ($P_2$, $P_4$) while it is being transmitted, it can neither re-use it nor derive the actual secret session keys wrapped inside.

• Perfect forward/backward secrecy: In our proposed protocol, each session key is computed from random numbers generated at each device. Hence, the keys are random and not the same for different sessions. These properties prevent attackers from guessing keys of other sessions when they hold one. Also, they cannot use this key to decrypt messages of different sessions in either the past or the future, which proves our scheme is able to provide the perfect forward/backward secrecy property.

7.2.2. Resistance to attacks

• Replay attack: In this attack model, attackers capture and store the messages exchanged between two devices to later repeat these messages. This way, attackers may fool their victims into treating those messages as valid and successfully impersonate someone else. For example, in Phase 3 an attacker can capture the first connection request from $D_1$ to $D_2$. After a while, it re-sends this message to $D_2$ to make $D_2$ believe that $D_1$ is requesting another connection session. This replayed message successfully bypasses the verification of the server, because the server can only check whether the packet was generated by $D_1$ but cannot check whether it was actually sent from this device in the current run. However, such attempts would fail at the next step, when $P_3$ and $P_4$ are returned to the attacker. The attacker does not hold the nonce corresponding to the replayed message, so it cannot compute the new session key between the two devices. As for $D_2$, when receiving the response from the server, it does not immediately store the computed session key but waits for a confirmation from $D_1$. When the timeout for this confirmation is reached, the authentication process at $D_1$ will be aborted.

• Impersonation attack: In this case, attackers send connection requests with the identities of other devices to impersonate them. Thanks to the support of the server, attackers who do not hold the right session key cannot generate a valid message ($P_2$). Therefore, they fail to attack $D_2$ by impersonating $D_1$ using its identity.

• Stolen session key attack (agent compromised): This attack happens when attackers steal the session key of a device. With the stolen key, the attackers can only read the messages sent in the corresponding session of this device. They cannot deduce or re-compute any private information about their victims, such as $CK_i'$ or their session keys with other devices or servers.

• Stolen-verifier attack: The proposed protocol withstands attacks by internal users of the system. Attackers who are other devices cannot impersonate or access the private information of another device, as discussed for the previous attacks. In case the attackers are some of the administrators who control the server, their administrative privileges may become a serious issue. Indeed, authentication models with centralized servers playing key-distributing roles usually face the same privacy problems. Since those servers control the session keys of every device, they can access and read all messages transmitted in the system. As a result, those systems fail to guarantee users' privacy. The proposed protocol avoids this issue by only granting the server a supporting role in the authentication process between devices. In other words, the server cannot compute the final session key between the two devices because it cannot recover the values of $N_1$ and $N_2$, which are freshly generated and known only by $D_1$ and $D_2$ respectively. Therefore, communications between devices remain safe even when the server database is leaked.

• Offline dictionary attack: In this type of attack, the attacker captures the messages between stakeholders and tries to guess the sensitive information in them. In our model, we use $N_1$ and $N_2$, which are random numbers generated in every authentication session, to generate the session key. We do not use any sensitive information or meaningful phrase such as a password; hence, our proposed protocol is safe against this kind of attack.

• Brute force attack: In order to make this attack successful, the attacker must guess the correct $N_1$ and $N_2$ via $P_1$, $P_2$, $P_3$ and $P_4$. Even if he can obtain these values, he cannot have the session keys $SK_1$ and $SK_2$ between $D_1$, $D_2$ and the server. Hence, this attack is not applicable to our protocol.

• Man-in-the-middle attack: This is an attack where the attacker secretly relays and possibly changes the messages in communication between two devices which believe they are directly communicating with each other. The malicious user may be able to capture $P_1$, $P_2$, $P_3$ and $P_4$ by eavesdropping. However, without $N_1$ and $N_2$ there is nothing the attacker can do, since in ECC we can prove that guessing $N_1$ from $P_1 = N_1 \times G$ is impossible.

Table 3: Security comparisons with the previous scheme.

Property | Ours | Wang-Scheme
Mutual authentication | X | X
D2D authentication | X | 
Resistance to replay attack | X | X
Resistance to impersonation attack | X | X
Resistance to known session key attack | X | X
Resistance to offline dictionary attack | X | X
Resistance to stolen-verifier attack | X | X
Resistance to man-in-the-middle attack | X | X

Table 3 summarizes the security offered by the proposed scheme in comparison with the previous work. The above analysis proves that the proposed protocol is resistant to different kinds of attacks while providing data integrity, as every modification of transferred messages will cause the authentication process to be terminated. The model also provides the final important result, that is, mutual authentication between devices.

8. Performance Analysis

While making sure the proposed protocol is able to survive different attacks, another important aspect to be analyzed is the performance of its energy consumption. As we have emphasized throughout the article, schemes designed for IoT must be suitable for devices with very constrained power. A protocol will fail in practice if it cannot prove itself to be such a design. The analysis will mostly focus on end devices, which are supposed to be resource-constrained objects.

8.1. Base-scheme D2D authentication

We remind the reader that the proposed scheme is an extension of [34], i.e. the base-scheme, in which an additional phase for D2D authentication is provided. Therefore, to analyze the performance of this additional phase compared to the base-scheme, we assume that there is an approach to D2D authentication in that scheme which simply applies the protocol to the two devices exactly as the authors of [34] do to a device and the centralized server. In other words, in the third phase one of the two devices now plays the role of the server in the second phase. This also means that this device has to perform every operation the server needs to perform to authenticate the other device. For this scenario, the requested device ($D_2$) plays the role of the server.

8.2. Computational costs

We first analyze the cost of the computations used in the proposed authentication protocol by each device. Three operations are evaluated for the scheme: hashing, elliptic curve point multiplication and encryption/decryption with symmetric session keys. We define the cost of a hashing operation as $T_h$, of a multiplication operation on elliptic curves as $T_e$ and of a symmetric encryption/decryption as $T_s$. So for Phase 2, the computational overheads are the same for both the proposed scheme and the base-scheme [34], which are correspondingly $T_i^{II} = 5T_h + 5T_e$ for the device and $T_S^{II} = 4T_h + 3T_e$ for the server.

Similarly, with the proposed scheme the computational overhead in Phase 3 is $T_1^{III} = 4T_h + 3T_e + 4T_s$ for $D_1$. The value of $4T_s$, i.e. 4 encryption/decryption operations, comes from the assumption of using symmetric cryptography with a 128-bit key size. In this phase $D_1$ needs to encrypt $\{P_1\}$ in the last verification message with its newly established session key with $D_2$. As $P_1$ is 442 bits long, corresponding to 4 blocks of data to be encrypted, the number of encryption/decryption operations taken by $D_1$ in Phase 3 is then 4. The same explanation applies to the $14T_s$ consumed by both $D_2$ and the server, giving their computational costs of $T_2^{III} = T_h + 2T_e + 14T_s$ and $T_S^{III} = 4T_h + 2T_e + 14T_s$ respectively. With regard to the simple approach to D2D authentication by [xx] as described in Section 8.1, the corresponding values can be derived from the values calculated for Phase 2. All computational costs for every entity in each scheme are summarized in Table 4. Table 4 shows that for D2D authentication the numbers of hashing and elliptic curve multiplication operations are the same for the two schemes for $D_1$, while there is a significant difference for $D_2$, as in Wang-Scheme more operations are needed for this device. On the other hand, devices in the proposed scheme need to perform some additional symmetric encryption/decryption operations which are not required in Wang-Scheme [34].

8.2.1. Energy consumption

In order to further analyze the computation costs of both protocols, we now calculate the costs in terms of energy consumption for each one. As the proposed protocol uses different cryptographic algorithms, including hashing, elliptic curve cryptography and symmetric cryptography, which have many options, we first choose specific configurations for such algorithms that will be used throughout the following analysis. The hash function SHA-1 is chosen for hashing operations. For the elliptic curve, a strong and secure variant for which the ECDLP and ECDH are believed to hold, Curve M-221, is used. (29) presents the equation of this curve. The order of $G$ is thus 221 bits, i.e. $l_h$ is 221 bits. Symmetric encryption/decryption is supposed to use AES with a 128-bit key size in ECB mode.

Table 4: Computational cost comparison between the proposed scheme and the base-scheme.

Phase | Device | Operation | Proposed protocol | Wang-Scheme
Device-Server authentication | $D_i$ | $T_h$ | 5 | 5
Device-Server authentication | $D_i$ | $T_s$ | 0 | 0
Device-Server authentication | $D_i$ | $T_e$ | 5 | 5
Device-Server authentication | Server | $T_h$ | 4 | 4
Device-Server authentication | Server | $T_s$ | 0 | 0
Device-Server authentication | Server | $T_e$ | 3 | 3
D2D authentication | $D_1$ | $T_h$ | 4 | 5
D2D authentication | $D_1$ | $T_s$ | 4 | 0
D2D authentication | $D_1$ | $T_e$ | 3 | 5
D2D authentication | $D_2$ | $T_h$ | 1 | 4
D2D authentication | $D_2$ | $T_s$ | 14 | 0
D2D authentication | $D_2$ | $T_e$ | 2 | 3
D2D authentication | Server | $T_h$ | 3 | N/A
D2D authentication | Server | $T_s$ | 14 | N/A
D2D authentication | Server | $T_e$ | 1 | N/A

Table 5 summarizes the configurations of these cryptographic algorithms. The device assumed to be used is the Tmote Sky (also known as TelosB). Table 5 also presents the estimated energy consumption for the operations performed in both schemes. According to the results in [49], SHA-1 consumes 57 µJ per operation. An Elliptic Curve Diffie-Hellman operation consumes only 9.48 µJ [34]. Encryption and decryption with AES need only 9 µJ per operation on 128-bit data [47].

$$y^2 = x^3 + 117050x^2 + x \pmod{2^{221} - 3} \qquad (29)$$
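As an added example, not code from the paper or its authors, the following Python implements the x-only Montgomery ladder on Curve M-221 from equation (29) (the operation priced as Te in Table 5), a quadratic-residue check that tells whether an x-coordinate lies on the curve or on its twist, and the per-device energy budget that Table 7 derives from the operation counts in Table 4. The ladder formulas follow RFC 7748; the x-coordinate 4 and the two scalars are constructed sample values.

```python
# Added example (not the paper's code): x-only Montgomery-ladder scalar
# multiplication on Curve M-221, i.e. the operation Table 5 prices as Te, an
# on-curve test for equation (29), and the energy budget that Table 7 derives
# from Table 4 counts and Table 5 costs. x = 4 and the scalars are samples.

P = 2**221 - 3        # field prime of Curve M-221
A = 117050            # y^2 = x^3 + A*x^2 + x, equation (29)
A24 = (A - 2) // 4    # 29262, the (A-2)/4 constant of one ladder step

def cswap(swap, a, b):
    """Branch-free conditional swap: exchanges a and b when swap == 1."""
    t = (-swap) & (a ^ b)        # -swap is 0 or all-ones (unbounded ints)
    return a ^ t, b ^ t

def mont_ladder(k, u):
    """Affine x-coordinate of k*Q for a point Q with x-coordinate u.
    Projective (X:Z) ladder as in RFC 7748: a single inversion at the end,
    and the same sequence of field operations for every k of a given length."""
    x1 = u % P
    x2, z2 = 1, 0                # R0 = point at infinity
    x3, z3 = x1, 1               # R1 = Q
    swap = 0
    for i in reversed(range(k.bit_length())):
        bit = (k >> i) & 1
        swap ^= bit
        x2, x3 = cswap(swap, x2, x3)
        z2, z3 = cswap(swap, z2, z3)
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)              # R0 + R1 (differential addition)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P                     # 2*R0 (doubling)
        z2 = e * (aa + A24 * e) % P
    x2, x3 = cswap(swap, x2, x3)
    z2, z3 = cswap(swap, z2, z3)
    return x2 * pow(z2, P - 2, P) % P        # X/Z, inversion by Fermat

def on_curve(u):
    """True if equation (29) has a y for this x (Euler's criterion); False
    means u is an x-coordinate of the quadratic twist instead."""
    rhs = (u * u * u + A * u * u + u) % P
    return rhs == 0 or pow(rhs, (P - 1) // 2, P) == 1

def energy_uJ(th, ts, te):
    """Microjoules per Table 5: 57 per SHA-1 hash, 9 per 128-bit AES block,
    9,480 per Curve M-221 scalar multiplication."""
    return th * 57 + ts * 9 + te * 9480

if __name__ == "__main__":
    u, k1, k2 = 4, 0x1234567890abcdef, 0xfedcba0987654321
    # Both parties of an ECDH exchange reach the same x-coordinate.
    assert mont_ladder(k1, mont_ladder(k2, u)) == mont_ladder(k2, mont_ladder(k1, u))
    # Table 4 operation counts reproduce the Table 7 totals.
    print("D1 proposed:", energy_uJ(4, 4, 3), "uJ")      # 28704
    print("D2 proposed:", energy_uJ(1, 14, 2), "uJ")     # 19143
    print("Wang-Scheme D1, D2:", energy_uJ(5, 0, 5), energy_uJ(4, 0, 3))
```

The D2D numbers reproduce Table 7 exactly (28,704 and 19,143 µJ for the proposed scheme, 47,685 and 28,668 µJ for Wang-Scheme), so swapping in another hash or curve cost re-derives the whole comparison.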

Table 5: Summary of energy consumption per operation.

Notation   Description                                                   Energy consumption (µJ)
Th         Hash operation with SHA-1                                     57
Ts         Symmetric encryption/decryption with AES per 128-bit block    9
Te         Elliptic curve multiplication using Curve M-221               9,480

The estimations of the data length to be encrypted and transmitted are presented in Table 6. These estimations will be used to calculate the number of encryption/decryption operations performed.

Table 6: Data length of variables and messages exchanged.

Data                         Length
ID1, ID2                     < 64-bit
N1, N2                       221-bit
P1, P3                       442-bit
P2, P4                       128-bit
EXPTime                      64-bit
SK1, SK2                     128-bit
Message {ID1, P1, P2}        6 blocks of 128-bit
Message {ID1, P1, P2, P3}    9 blocks of 128-bit
Message {P4}                 1 block of 128-bit
Message {P1}                 4 blocks of 128-bit

Table 7 shows the energy consumption comparison between the enhanced scheme and [34]. A device in Phase 1 with the proposed scheme consumes the same amount of energy, 47,685 µJ, as with Wang-Scheme. In Phase 2, i.e. D2D authentication, the proposed scheme shows a difference in performance between the two devices taking part in it. D1, i.e. the initiating device, needs to perform 4 hash operations, encryption of 4 blocks of 128 bits and 3 elliptic curve multiplication operations. The higher number of multiplication operations results in higher energy consumption, approximately 28,704 µJ. By comparison, D2, i.e. the requested device, needs 1 hash operation, encryption/decryption of 14 data blocks of 128 bits (as derived from Table 6), and 2 multiplication operations on the elliptic curve. As a result, the requested device D2 consumes only 19,143 µJ. The difference in energy required by each device in this phase shows an interesting property: the requested device needs to spend considerably fewer resources to process an authentication request from the initiating device. In fact, this property is an advantage in the scenario of a DDoS attack, in which an attacker attempts to overwhelm the target with a huge number of invalid requests. In those cases, we do not want the target device to waste too much energy on processing those requests before the attack is detected, and this detection can be provided by the D2D authentication phase. On the other hand, the corresponding values for these devices with Wang-Scheme are 47,685 µJ and 28,668 µJ, showing that our proposed scheme achieves more efficient energy consumption. Figure 6 clearly displays this enhancement.

Table 7: Energy consumption comparisons.

Phase                         Device   Operation    Proposed protocol   Wang-Scheme
Device-Server authentication  Di       Th           5                   5
                                       Ts           N/A                 N/A
                                       Te           5                   5
                                       Total (µJ)   47,685              47,685
D2D authentication            D1       Th           4                   5
                                       Ts           4                   0
                                       Te           3                   5
                                       Total (µJ)   28,704              47,685
                              D2       Th           1                   4
                                       Ts           14                  0
                                       Te           2                   3
                                       Total (µJ)   19,143              28,668

[Figure 6: bar chart of energy consumption (µJ, axis 0 to 50,000) for Device 1 (D1) and Device 2 (D2) under the Proposed protocol and Wang-Scheme]

Figure 6: Energy consumption required by the schemes for D2D authentication phase.

8.2.2. Processing time

We also set up experiments to measure the processing time taken by each device using the proposed protocol. The implementation was written in Python and was run on an Intel i5-8250U CPU (1.60GHz × 8). The average processing times of the devices in the protocols are summarized in Table 8. We also show the comparison between the schemes, especially in the D2D phase, in Figure 7. The results show that in both protocols it takes a device only approximately 0.522s to perform all the operations needed for authentication with the server. The authentication between devices takes a little less time, namely 0.427s for the initiating device (D1) and 0.225s for the responding device (D2) when using our proposed scheme. Meanwhile, with [34] it takes a bit longer for the two devices, i.e. 0.522s for D1 and 0.497s for D2.

re

Table 8: Processing time of devices in seconds.

Phase                         Device   Proposed protocol   Wang-Scheme
Device-Server authentication  Di       0.522s              0.522s
                              Server   0.497s              0.497s
D2D authentication            D1       0.417s              0.522s
                              D2       0.225s              0.497s

8.3. Storage requirement

Regarding the storage needed, each device needs only space to store a session key (128-bit length) for each device it communicates with. In addition, an expiry time (64-bit) may also be stored for the session. For these reasons, our enhanced protocol successfully preserves the advantage of the original one that most of the data needed for authentication is stored at the server, which lowers the storage burden at the device end.

[Figure 7: bar chart comparing the processing time of Device 1 (D1) and Device 2 (D2) under the Proposed protocol and Wang-Scheme]

Figure 7: Processing time required by the schemes for D2D authentication phase.

9. Conclusions and Future Work

The rapid development of Smart Home, Smart City and many other domains of the IoT has proved itself to be an important part of the future of the Internet. The unique nature of the IoT introduces new challenges to security requirements, which are much different from those of previous technology trends. In this article, we have addressed this issue by introducing a new authentication scheme supporting both device-to-server and device-to-device communications in IoT systems. If a device gets approval from its control server to be a part of the system, this server will support it in authenticating with other devices. When the authentication process completes, the two devices can communicate without the participation of their server. It is essential not only to reduce the workload of the servers but also to restrain the server-dependence of embedded devices. This new authentication protocol is proposed in order to achieve these important goals. We use ECC and simple operations to provide an authentication protocol that is not only light-weight but also safe. The security analysis conducted in our work shows the resistance of the proposed scheme to common cyber attacks in the IoT environment. Furthermore, we have proven that our scheme consumes only an additional amount of approximately 29 mJ for the device-to-device authentication phase and needs just 128 bits for storing its session key and a small space for its expiry time. Moreover, through a profound theoretical analysis (based on BAN logic [48]), we have also demonstrated that the newly introduced scheme is safe and can be applied to light-weight embedded devices. These findings have established the more promising practical value of our newly proposed scheme compared to the previous work in a variety of emerging real-world application domains, especially in smart cities and resilient environments.

In the future, we will carry out further research on privacy preservation in the protocol to improve the security level of the proposed scheme. Since most embedded devices nowadays have sensors to detect changes in the real world, the information they contain may accordingly be sensitive and should not be exposed. The association of the authentication process with different kinds of privacy protection [19, 50, 51, 17, 52] is a possible way to extend the security capabilities of our protocol, especially with resource-constrained IoT devices. On this account, which data can be shared between two devices after completing authentication is an indispensable problem that should be studied further. Furthermore, to support more practical scenarios, in particular where lightweight IoT devices do not communicate directly with the centralized server but via authorized gateways that form different subnetworks, a new protocol is needed. This work is also of great interest to us for the future because it will bring a flexible and efficient organizational structure to many more practical systems, in which the number of network protocols to be used is not constrained.

Jo

Acknowledgement

We would like to thank all members of the project and the staff of AC Lab/HCMUT for their meaningful help and comments during the preparation of this manuscript.

Funding Statement

This research is funded by Vietnam National University Ho Chi Minh City (VNU-HCM) under grant number B2018-20-08.

References

[1] K. Ashton, et al., That ‘internet of things’ thing, RFID Journal 22 (7) (2009) 97–114.

[2] Q. Zhou, J. Zhang, Research prospect of internet of things geography, in: 2011 19th International Conference on Geoinformatics, IEEE, 2011, pp. 1–5.

[3] Y. Yu, J. Wang, G. Zhou, The exploration in the education of professionals in applied internet of things engineering, in: 2010 4th International Conference on Distance Learning and Education, IEEE, 2010, pp. 74–77.

[4] Y. Hao, P. Helo, The role of wearable devices in meeting the needs of cloud manufacturing: A case study, Robotics and Computer-Integrated Manufacturing 45 (2017) 168–179.

[5] Everything you need to know about iot applications, https://www.simplilearn.com/iot-applications-article, accessed: 2019-Nov-30.

[6] Ihs. n.d. Number of internet of things (iot) connected devices worldwide in 2017 and 2018, by selected type (in millions), https://www.statista.com/statistics/789615/worldwide-connected-iot-devices-by-type/, accessed: November 22, 2018.

[7] Ihs. n.d. Internet of things (iot) connected devices installed base worldwide from 2015 to 2025 (in billions), https://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/, accessed: November 22, 2018.

[8] H. LeHong, A. Velosa, Hype cycle for the internet of things, Gartner Group 21.

[9] P. Desai, A. Sheth, P. Anantharam, Semantic gateway as a service architecture for iot interoperability, in: 2015 IEEE International Conference on Mobile Services, IEEE, 2015, pp. 313–319.

[10] Y. Oren, A. D. Keromytis, From the aether to the ethernet—attacking the internet using broadcast digital television, in: 23rd USENIX Security Symposium (USENIX Security 14), 2014, pp. 353–368.

[11] S. Cesare, Breaking the security of physical devices, Presentation at Blackhat 14.

[12] L. Liang, K. Zheng, Q. Sheng, X. Huang, A denial of service attack method for an iot system, in: 2016 8th International Conference on Information Technology in Medicine and Education (ITME), IEEE, 2016, pp. 360–364.

[13] E. Vasilomanolakis, J. Daubert, M. Luthra, V. Gazis, A. Wiesmaier, P. Kikiras, On the security and privacy of internet of things architectures and systems, in: 2015 International Workshop on Secure Internet of Things (SIoT), IEEE, 2015, pp. 49–57.

[14] Z. A. Khan, Using energy-efficient trust management to protect iot networks for smart cities, Sustainable Cities and Society 40 (2018) 1–15.

[15] R. Alkurd, R. M. Shubair, I. Abualhaol, Survey on device-to-device communications: Challenges and design issues, in: 2014 IEEE 12th International New Circuits and Systems Conference (NEWCAS), IEEE, 2014, pp. 361–364.

[16] K. K. Tran, M. K. Pham, T. K. Dang, A light-weight tightening authentication scheme for the objects’ encounters in the meetings, in: International Conference on Future Data and Security Engineering, Springer, 2018, pp. 83–102.

[17] T. K. Dang, K. T. Tran, The meeting of acquaintances: A cost-efficient authentication scheme for light-weight objects with transient trust level and plurality approach, Security and Communication Networks 2019 (8123259) (2019) 1–18.

[18] K. T. Nguyen, M. Laurent, N. Oualha, Survey on secure communication protocols for the internet of things, Ad Hoc Networks 32 (2015) 17–31.

[19] T. A. T. Nguyen, T. K. Dang, Enhanced security in internet voting protocol using blind signature and dynamic ballots, Electronic Commerce Research 13 (3) (2013) 257–272.

[20] G. Simmons, An introduction to shared secret and/or shared control schemes and their application, Contemporary Cryptology.

[21] T. Dierks, C. Allen, The TLS protocol version 1.0 (1999).

[22] E. Rescorla, N. Modadugu, Datagram transport layer security version 1.2 (2012).

[23] T. Kothmayr, C. Schmitt, W. Hu, M. Brünig, G. Carle, A DTLS based end-to-end security architecture for the internet of things with two-way authentication, in: 37th Annual IEEE Conference on Local Computer Networks Workshops, IEEE, 2012, pp. 956–963.

[24] M. O. Rabin, Digitalized signatures and public-key functions as intractable as factorization, Tech. rep., Massachusetts Inst of Tech Cambridge Lab for Computer Science (1979).

[25] D. He, S. Zeadally, An analysis of RFID authentication schemes for internet of things in healthcare environment using elliptic curve cryptography, IEEE Internet of Things Journal 2 (1) (2014) 72–83.

[26] S. A. Chaudhry, M. S. Farash, H. Naqvi, M. Sher, A secure and efficient authenticated encryption for electronic payment systems using elliptic curve cryptography, Electronic Commerce Research 16 (1) (2016) 113–139.

[27] N. Gura, A. Patel, A. Wander, H. Eberle, S. C. Shantz, Comparing elliptic curve cryptography and RSA on 8-bit CPUs, in: International Workshop on Cryptographic Hardware and Embedded Systems, Springer, 2004, pp. 119–132.

[28] S.-M. Chang, S. Shieh, W. W. Lin, C.-M. Hsieh, An efficient broadcast authentication scheme in wireless sensor networks, in: Proceedings of the 2006 ACM Symposium on Information, Computer and Communications Security, ACM, 2006, pp. 311–320.

[29] H. Khemissa, D. Tandjaoui, S. Bouzefrane, An ultra-lightweight authentication scheme for heterogeneous wireless sensor networks in the context of internet of things, in: International Conference on Mobile, Secure, and Programmable Networking, Springer, 2017, pp. 49–62.

[30] V. S. Miller, Use of elliptic curves in cryptography, in: Conference on the Theory and Application of Cryptographic Techniques, Springer, 1985, pp. 417–426.

[31] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation 48 (177) (1987) 203–209.

[32] S. Kalra, S. K. Sood, Secure authentication scheme for iot and cloud servers, Pervasive and Mobile Computing 24 (2015) 210–223.

[33] C.-C. Chang, H.-L. Wu, C.-Y. Sun, Notes on “secure authentication scheme for iot and cloud servers”, Pervasive and Mobile Computing 38 (2017) 275–278.

[34] K.-H. Wang, C.-M. Chen, W. Fang, T.-Y. Wu, A secure authentication scheme for internet of things, Pervasive and Mobile Computing 42 (2017) 15–26.

[35] K. Mahmood, J. Arshad, S. A. Chaudhry, S. Kumari, An enhanced anonymous identity-based key agreement protocol for smart grid advanced metering infrastructure, International Journal of Communication Systems 32 (16) (2019) e4137.

[36] C. Stergiou, K. E. Psannis, B.-G. Kim, B. Gupta, Secure integration of iot and cloud computing, Future Generation Computer Systems 78 (2018) 964–975.

[37] C. Stergiou, K. E. Psannis, B. B. Gupta, Y. Ishibashi, Security, privacy & efficiency of sustainable cloud computing for big data & iot, Sustainable Computing: Informatics and Systems 19 (2018) 174–184.

[38] F. Ullah, M. A. Habib, M. Farhan, S. Khalid, M. Y. Durrani, S. Jabbar, Semantic interoperability for big-data in heterogeneous iot infrastructure for healthcare, Sustainable Cities and Society 34 (2017) 90–96.

[39] R. Ande, B. Adebisi, M. Hammoudeh, J. Saleem, Internet of things: Evolution and technologies from a security perspective, Sustainable Cities and Society.

[40] S. Jegadeesan, M. Azees, P. M. Kumar, G. Manogaran, N. Chilamkurti, R. Varatharajan, C.-H. Hsu, An efficient anonymous mutual authentication technique for providing secure communication in mobile cloud computing for smart city applications, Sustainable Cities and Society 49 (2019) 101522.

[41] A. G. Reddy, D. Suresh, K. Phaneendra, J. S. Shin, V. Odelu, Provably secure pseudo-identity based device authentication for smart cities environment, Sustainable Cities and Society 41 (2018) 878–885.

[42] P. W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Review 41 (2) (1999) 303–332.

[43] M. Bafandehkar, S. M. Yasin, R. Mahmod, Z. M. Hanapi, Comparison of ECC and RSA algorithm in resource constrained devices, in: International Conference on IT Convergence and Security, IEEE, 2013, pp. 1–3.

[44] A. Iqbal, F. Ullah, K. H. Anwar, K. Sup, Interoperable internet-of-things platform for smart, Networks 54 (15) (2010) 2787–2805.

[45] E. De Poorter, I. Moerman, P. Demeester, Enabling direct connectivity between heterogeneous objects in the internet of things through a network-service-oriented architecture, EURASIP Journal on Wireless Communications and Networking 2011 (1) (2011) 61.

[46] O. Bello, S. Zeadally, Intelligent device-to-device communication in the internet of things, IEEE Systems Journal 10 (3) (2014) 1172–1182.

[47] L. Militano, G. Araniti, M. Condoluci, I. Farris, A. Iera, Device-to-device communications for 5G internet of things, EAI Endorsed Trans. Internet Things 1 (1) (2015) 1–15.

[48] M. Burrows, M. Abadi, R. M. Needham, A logic of authentication, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences 426 (1871) (1989) 233–271.

[49] F. Kausar, S. Hussain, J. H. Park, A. Masood, Secure group communication with self-healing and rekeying in wireless sensor networks, in: International Conference on Mobile Ad-Hoc and Sensor Networks, Springer, 2007, pp. 737–748.

[50] T. Q. N. Tran, T. K. Dang, T. S. Tran, Fine grained attribute based access control model for privacy protection, in: International Conference on Future Data and Security Engineering (FDSE), Springer, 2016, pp. 305–316.

[51] A. Tewari, B. Gupta, Cryptanalysis of a novel ultra-lightweight mutual authentication protocol for iot devices using RFID tags, The Journal of Supercomputing 73 (3) (2017) 1085–1102.

[52] T. A. T. Nguyen, T. K. Dang, Privacy preserving biometric-based remote authentication with secure processing unit on untrusted server, IET Biometrics 8 (1) (2019) 79–91.