ARTICLE IN PRESS
JID: CAEE
[m3Gsc;March 14, 2017;17:0]
Computers and Electrical Engineering 0 0 0 (2017) 1–13
Contents lists available at ScienceDirect
Computers and Electrical Engineering journal homepage: www.elsevier.com/locate/compeleceng
Lightweight authentication protocols for wearable devices
Ashok Kumar Das a,∗, Sherali Zeadally b, Mohammad Wazid a
a Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
b College of Communication and Information, University of Kentucky, Lexington, KY 40506, USA
Article info
Article history: Received 29 December 2016; Revised 9 March 2017; Accepted 9 March 2017; Available online xxx
Keywords: Attack; Healthcare; Protocol; Security; Threat; Wearable devices

Abstract
In the wearable communication environment, wearable devices are used for various applications, such as the Fitbit Flex, which tracks steps, sleep cycles and workout stats, and for recording health-related sensitive information. The decreasing costs and increasing performance of Information Communication Technologies (ICTs) have made wearable devices more cost effective. Different types of wearable devices are being used today by citizens to improve their health and lifestyle. However, the data (such as health-related or movement data) generated from the user’s daily activities is often private, and therefore ensuring the security and privacy of this data is important. First, we present some emerging trends of wearable devices, followed by a discussion of the main security and functionality requirements along with the threats to the wearable communication environment. We then present a review of some of the recently proposed lightweight authentication protocols for wearable devices based on performance metrics such as computation cost and communication cost. We also compare these authentication protocols in terms of the various security features they support. Finally, we discuss some future challenges in the area of security protocols for wearable devices that need to be addressed.
© 2017 Elsevier Ltd. All rights reserved.
Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. Debiao He.
∗ Corresponding author.
http://dx.doi.org/10.1016/j.compeleceng.2017.03.008 0045-7906/© 2017 Elsevier Ltd. All rights reserved.
Please cite this article as: A.K. Das et al., Lightweight authentication protocols for wearable devices, Computers and Electrical Engineering (2017), http://dx.doi.org/10.1016/j.compeleceng.2017.03.008

1. Introduction

Wearable technology, which uses wearable devices, is an emerging technology in which computing devices such as smart watches, sports watches, fitness trackers, glasses, smart fabrics, smart jewelry, etc., are incorporated into clothing items and accessories, which can comfortably be worn on the body [1]. Wearable devices are used by various applications; for example, the Fitbit Flex tracks steps, sleep cycles and workout stats. These devices typically send the tracked information to a user’s smartphone [2]. Some wearable computing devices are also being used in the medical field, because these devices can monitor patients’ vital parameters such as heart rate, blood glucose level, etc., and send the information to the user’s smartphone [3]. Google Glass gives a reality experience to the user and supplies information on demand [4]. Many more wearable devices are also available in the market and people are using them for various types of applications.

1.1. Emergence and trends of wearable devices

A wearable device is very popular because it is light, small, convenient to use and carry and has dressing characteristics. The operation and usage of wearable devices are typically different from common computers and mobile phones. For instance, in a scenario where a computer is needed but an actual computer cannot be used because of space restrictions, wearable devices will be useful. Today, wearable devices are not only being used for tracking the fitness of a person/patient, but they are also being deployed in other applications such as contactless payments. For example, Near Field Communication (NFC) wearable payments are being integrated into Fitbit devices [5], and Android Pay is being made possible with Android Wear watches. According to Juniper Research [6], mobile and wearable payments will reach $100 billion by 2018. Wearable technology has made a great impact on daily life. Sales of wearable devices are expected to rise from 22 million to 177 million in the next five years [7]. As the market develops, wearable devices are being extensively deployed and used by all kinds of users, who are connecting them to the Internet through other devices such as smartphones and tablets. Fig. 1 illustrates the latest rising trends of wearable devices (market value in million USD) [7].

Fig. 1. Market value trends of wearable devices (Source: [7]).

1.2. Authentication model of wearable devices

Fig. 2. Authentication model for wearable devices (adapted from [8]).

A typical authentication model for wearable devices is depicted in Fig. 2, which is adapted from [8,9]. Initially, the registration of various users and different devices, such as the wearable device, smartphone and cloud server, is performed by the trusted Registration Authority (RA). After the successful registration of these entities, information such as the pseudo-random identity, pseudo-password and secret keys required for the various authentication steps is stored in these devices and is also provided to the various users. In the model shown in Fig. 2, a person can wear several wearable devices, such as a smartglass (eyes), a smartwatch (wrist), a motion augmentation device on the shoulder, smart socks (feet), and a movement tracking device (thigh).
All these wearable devices track the corresponding physical phenomena (e.g., heart rate, blood pressure, distance tracking, calories burnt, etc.) and send the tracked information to his/her smartphone by using some wireless communication technology (for example, Bluetooth). The smartphone communicates with a cloud server, where the data will be stored for further analysis and decision making by an expert, such as a doctor, if the user wants to consult that doctor. The external parties, such as doctors and relatives of patients, can access the data stored in the cloud server after a successful authentication process between an external party and the cloud server.

This authentication model supports two types of authentication [8,9].
• If a user wants to see all information sent by the wearable devices to his/her smartphone, authentication between a wearable device and the smartphone is required for secure communication. We consider this type of authentication as the local authentication.
• If a user wants to consult with a doctor, the data sent by the wearable devices needs to be stored in the cloud server. The stored data in the cloud server can be used by the doctor for remote monitoring and consultation. Thus, authentication among a wearable device/smartphone, a cloud server and an external party user (in this case, a doctor) is needed for secure communication among them. This type of authentication is referred to as the remote authentication.
1.3. Use of wearable devices

Today people use wearable devices in different domains. Below, we present some of the applications where wearable devices are currently being used [8,9].

Healthcare: Wearable devices can be used for monitoring different types of health-related parameters, such as heart rate, respiration rate, body temperature, blood glucose level, etc.

Day-to-day activities: Various types of day-to-day activities, such as stride length, distance traveled, step count, speed, sleep quality, sleep patterns, sit ups, press ups, calories burned, etc., can be monitored using wearable devices.

Law-enforcement: The use of wearable cameras by law-enforcement personnel has been receiving a lot of attention recently. A law enforcement officer can wear devices on his/her head or wrist, which are mounted with screens for accessing information in real-time as well. The usage of such wearable devices becomes effective (in contrast to the use of smartphones) in situations where a suspect is being chased.

Reality experience: Wearable devices, such as Google Glass [10], can take pictures or real-time videos which can be further used for various purposes. For example, a doctor who is performing surgery can wear the Google Glass, and the vision of the glass can be provided in real-time to the audience (for example, other doctors, relatives of patients, etc.).

Business: Business travelers may use wearable devices, such as headsets, in order to access information on unfamiliar locales without having to pull out their smartphones. Wearable devices can also be used to arrange meetings. For example, smartwatches integrated with the corporate calendars can be used to inform each board member about changes in the meeting schedule.
1.4. Our research contributions

We summarize the contributions as follows:
• We discuss the security and functionality requirements that need to be considered when designing security protocols for wearable devices. We also discuss various security threats related to the wearable communication environment.
• We then focus on lightweight security protocols for wearable devices. The emphasis on lightweight security is important because wearable devices are generally resource-constrained, with limited memory, communication and computation capabilities, and battery power.
• We present a comparative study of recently proposed lightweight security protocols for wearable devices.
• Finally, we identify some of the challenges in the area of security protocols for wearable devices that still need to be addressed in the future.
1.5. Organization of the paper

The rest of the paper is organized as follows. We discuss various security issues associated with wearable devices in the next section. Next, we discuss recently proposed lightweight security protocols for wearable devices. Then, we present a comparative study of recently proposed lightweight security protocols. In the following section, we discuss some future challenges that still need to be addressed in the area of lightweight security protocols for wearable devices. Finally, we make some concluding remarks in the last section.
2. Security with wearable devices

Wearable devices are being used in various sectors including healthcare and fitness. The deployment of these devices is enabling more efficient health monitoring, fitness tracking, optimizations that can improve the performance of athletes, and other benefits. However, wearable devices often use wireless technologies for most of their communications, which gives an adversary an opportunity to tamper with the data transmitted between the wearable devices and the smartphone (mobile terminal) of a user. Thus, various security threats arise which may impose a serious challenge for designers and implementers of security protocols for wearable devices. For example, according to a report published in June 2015, a set of attackers compromised medical devices (blood gas analyzers) with malware to gain successful access to the hospital network [11]. In the following section, we list the security and functionality requirements that are needed to design secure and computationally efficient security protocols for wearable devices because of their limited resources.
2.1. Security requirements

We need the following security requirements in a wearable communication environment.

Confidentiality: Data exchanged between end-point entities, such as between wearable devices and the smartphone of a user, should be kept confidential. In most applications, data is highly sensitive (for example, medical data of a patient) [12]. To provide confidentiality, an encryption technique is needed to protect the data transmitted over insecure wireless communication channels.

Integrity: The exchanged data should not be altered during transmission. For example, the sensitive vital parameters of a person, which are collected by the mobile terminal of that person from the wearable devices and monitored by a doctor, must not be modified. A one-way cryptographic hash function or a hashed message authentication code can be used to ensure the integrity of the exchanged data.

Authentication: Authentication is a mechanism to determine whether someone or something is, in fact, who or what it is declared to be. If a wearer wants to access the data from a wearable device, his/her mobile terminal (smartphone) first needs to be authenticated by the wearable device. Two kinds of authentication are possible. In local authentication, the user credentials, such as identity, password and/or biometrics information, are provided to the mobile terminal of a user, and these are essential to authenticate with the wearable device. In remote authentication, a remote user may access the data from a wearable device. By using a remote user authentication mechanism, the end-point entities, such as wearable devices and the cloud server/doctor, can mutually authenticate with each other for exchanging data securely. Several authentication mechanisms are available in the literature for both local and remote authentication purposes [8,9], [13–15].

Authorization: Authorization is a mechanism to give someone permission to do or have something. There are different types of users (for example, athletes, patients and doctors) who may use the data of wearable devices. After the successful authentication process, the authorization process determines whether a user has the authority to access the data, or up to what level he/she can access the data. Several access control mechanisms are proposed in the literature to support authorization [16].

Availability: Availability refers to the ability of a user to access data in a specified location and in the correct format within a specified duration of time. Since wearable devices are vulnerable to malware injection and Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks, a malicious user can gain access to the wearable devices remotely by using a malicious program (for example, malware). In order to provide availability, system level and/or network level security for the wearable device, smartphone and cloud server is needed.

Anonymity: In the wearable communication environment, wearable devices are used in combination with a smartphone (mobile terminal) in public places. Therefore, there is a need to protect useful information (for example, identity) from malicious users. It is worth noting that malicious users can be either insider or external adversaries. To prevent replay and man-in-the-middle attacks, the wearable devices should be anonymous [9,17].

Forward secrecy: When an entity (wearable device or user/smartphone) leaves the network, it must not be able to read any future messages after its departure. In order to ensure this, the forward secrecy property needs to be incorporated in the wearable communication environment.

Backward secrecy: When a new wearable device or user/smartphone joins the network, it must not be able to read any previously transmitted messages. In order to ensure this, the backward secrecy property is also needed in the wearable communication environment.

Traceability: Traceability is a process by which an adversary A can find out the source of the transmitted messages. A security protocol is untraceable if A cannot determine the actual source of the transmitted messages. In the wearable communication environment, all wearable devices and smartphones should be untraceable. To provide this feature, we can incorporate different mechanisms, which may include temporary identities of wearable devices and smartphones for each session, and current system timestamps.
2.2. Functionality requirements of lightweight security protocols for wearable devices

The following functionality requirements of a wearable communication environment are also needed.

Low communication cost: As we mentioned previously, in a wearable communication environment, wearable devices with limited resources are used. To design a lightweight security protocol in such an environment, we need to minimize the number of messages transmitted during all communications among the various entities involved.

Low computation cost: In the wearable communication environment, to design a lightweight security protocol we require lightweight operations, such as one-way hash, bitwise XOR, symmetric key cryptographic operations, etc., so that the communication cost required by the resource-constrained wearable devices remains low.

Low storage cost: Due to the resource limitations of wearable devices, it is desirable to store only a minimum but sufficient number of credentials in the memory of wearable devices. Thus, we need to design a lightweight security protocol to achieve this goal.

Lightweight: As wearable devices have limited processing, storage, and communication capabilities, to operate efficiently they need to run lightweight authentication protocols [9], but not at the expense of the security of the implemented protocols. Thus, researchers need to design a security protocol which can provide better trade-offs among security and the processing, storage, and communication costs.

No trusted third-party device involvement: A wearable device typically connects to a smartphone (mobile terminal) via a wireless communication technology such as WiFi or Bluetooth. So, there is no need to involve any trusted third party in the process of mutual authentication [9]. Hence, it is desirable that wearable devices and the smartphone/user directly authenticate with each other, and then establish session keys between them for secure communication.
2.3. Security threats to wearable communication environment

We discuss various potential security threats to the wearable communication environment below.

Online/offline password guessing attack: The wearable devices and the smartphone of a user can be lost, or stolen by an adversary A. The information stored in these devices can then be extracted using power analysis attacks [18]. With the help of the intercepted messages and the extracted information, A can then try to determine the password of a user using the password dictionary attack in both online and offline modes.

Replay attack: A replay attack is an unauthorized action in which an adversary A tries to deceive another legitimate user in the network through the reuse of obtained information [19]. In other words, it is an attempt by an unauthorized third party (A) to record the exchanged messages during transmission.

Man-in-the-middle attack: A man-in-the-middle attack is an attack in which an adversary A secretly relays and possibly alters the messages communicated between two parties, who believe that they are directly communicating with each other [19]. The entire conversation is then controlled by A. To execute such an attack, A needs to intercept all relevant messages exchanged between the two victims, and then to inject new ones into the network [20].

Privileged-insider attack: A privileged insider user of the registration authority, acting as an adversary A, can become aware of some secret information of a user which is supplied during the registration phase. Suppose A has a stolen smartphone/wearable device. A can then extract information from the stolen smartphone/wearable device using power analysis attacks [18]. After that, using the extracted information, A can try to derive the secret credentials (for example, the password) of a legitimate user.

Stolen smartphone attack: The smartphone of a user can be stolen by an adversary A. The information stored in the smartphone can then be extracted by using power analysis attacks [18]. By exploiting the extracted information, A can try to derive secret credentials, which may be required for authentication between the wearable devices and the user. Therefore, a security protocol should protect all the secret credentials even if the smartphone is stolen.

Impersonation attack: In an impersonation attack, an adversary A assumes the identity of one of the legitimate users/devices in the network. A can try to insert or modify a message, and claim that the message has come from an authorized source. In the wearable communication environment, different types of impersonation attacks are possible, such as the wearable device impersonation attack, the smartphone impersonation attack and the user impersonation attack.

Denial-of-Service (DoS) attack: In this attack an adversary A seeks to make devices or other useful resources unavailable to their intended users. In the case of the wearable communication environment, A may try to inject some malicious programs, such as malware, into the wearable device. In the presence of malware, the wearable device cannot function properly, or sometimes it may also fail to give the required services [11]. In another type of DoS attack, called the distributed DoS, A may try to flood the targeted devices (for example, the wearable device and smartphone) with superfluous requests in order to overload them so that they cannot provide services to a legitimate user. Gope et al. [21] presented a method to deal with DoS attacks in designing a lightweight anonymous authentication protocol for wireless sensor networks without compromising any anonymity support. The techniques proposed in [21] can be used to protect against DoS attacks in the wearable communication environment.
Stolen wearable device attack: Suppose a user has lost a wearable device or a wearable device is stolen by an adversary A. The information stored in that wearable device can then be easily extracted using power analysis attacks [18]. Using the extracted information, A may try to derive the secret credentials, such as the identity of the wearable device and the secret key. By using the extracted information, A can further manufacture a new wearable device, and can fool the wearer if he/she wears that device.
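The mechanisms named in Sections 2.1 to 2.3 (per-session temporary identities, timestamps, one-way hash, hashed message authentication code, bitwise XOR) can be combined as in the following added example, which is not from the paper and is not any of the schemes it reviews. The message layout, the pre-shared key, the 5-second freshness window and the names `MobileTerminal` and `WearableDevice` are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 5   # assumed freshness window, in seconds
ID_LEN = 16    # assumed identity length, in bytes


def h(*parts: bytes) -> bytes:
    """One-way hash over length-prefixed fields (SHA-256 chosen for this sketch)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(struct.pack(">I", len(p)) + p)
    return d.digest()


def mac(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Hashed message authentication code; the label separates message types."""
    return hmac.new(key, h(label, *parts), hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return struct.pack(">Q", t)


class MobileTerminal:
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key, self.pending = device_id, key, None

    def request(self, now: int):
        """Message 1: temporary identity, nonce, timestamp and MAC."""
        n1 = os.urandom(16)
        # The identity is masked with a fresh hash, so it differs in every session.
        tid = xor(self.device_id, h(self.key, n1, ts(now))[:ID_LEN])
        self.pending = (n1, now)
        return tid, n1, now, mac(self.key, b"req", tid, n1, ts(now))

    def finish(self, reply, now: int):
        """Check message 2; return the session key, or None if rejected."""
        n2, t2, v2 = reply
        n1, t1 = self.pending
        fresh = abs(now - t2) <= MAX_SKEW
        good = hmac.compare_digest(v2, mac(self.key, b"resp", n1, n2, ts(t2)))
        return h(self.key, n1, n2, ts(t1), ts(t2)) if fresh and good else None


class WearableDevice:
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self.key = device_id, key
        self.seen = {}  # nonce -> timestamp, kept only while still fresh

    def respond(self, msg, now: int):
        """Return (reply, session_key), or (None, reason) when rejecting."""
        tid, n1, t1, v1 = msg
        if abs(now - t1) > MAX_SKEW:
            return None, "stale timestamp"
        # Nonces older than the window cannot be replayed, so they can be dropped;
        # this keeps the storage cost on the device bounded.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if n1 in self.seen:
            return None, "replayed nonce"
        if not hmac.compare_digest(v1, mac(self.key, b"req", tid, n1, ts(t1))):
            return None, "bad MAC"
        real_id = xor(tid, h(self.key, n1, ts(t1))[:ID_LEN])
        if not hmac.compare_digest(real_id, self.device_id):
            return None, "unknown identity"
        self.seen[n1] = t1
        n2 = os.urandom(16)
        reply = (n2, now, mac(self.key, b"resp", n1, n2, ts(now)))
        return reply, h(self.key, n1, n2, ts(t1), ts(now))


def demo():
    """Run one honest session and three rejected ones with constructed values."""
    key, dev_id = bytes(range(32)), b"WD-constructed-1"
    mt, wd = MobileTerminal(dev_id, key), WearableDevice(dev_id, key)
    m1 = mt.request(now=1000)
    reply, sk_wd = wd.respond(m1, now=1001)
    sk_mt = mt.finish(reply, now=1002)
    m2 = mt.request(now=1020)
    forged = (m2[0], m2[1], m2[2], bytes(32))   # valid fields, invented MAC
    return {
        "keys_match": sk_mt is not None and sk_mt == sk_wd,
        "replay": wd.respond(m1, now=1003)[1],
        "late_replay": wd.respond(m1, now=1010)[1],
        "forged": wd.respond(forged, now=1021)[1],
        "tids_differ": m1[0] != m2[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Because the session key here is derived from a static pre-shared key, this sketch does not by itself protect past sessions once a stolen device gives up that key.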
3. Mathematical preliminaries In this section, we briefly discuss the following cryptographic primitives that we have used in our analysis of several security protocols for wearable devices.
3.1. One-way hash function

A one-way cryptographic hash function $h: \{0,1\}^* \rightarrow \{0,1\}^l$ takes an arbitrary-length input $a \in \{0,1\}^*$ and outputs a fixed-length (say, $l$-bit) message digest or hash value $h(a) \in \{0,1\}^l$. The hash value may be the fingerprint of a file, a message, or other data blocks, and the hash function has the following important attributes [22]:
• The hash function $h$ can be applied to a data block of all sizes.
• For any given input $a \in \{0,1\}^*$, $h(a) \in \{0,1\}^l$ is easy to compute, enabling easy implementation in software and hardware.
• The output length of $h(a) \in \{0,1\}^l$ is fixed.
• One-way property. Deriving the input $a \in \{0,1\}^*$ from the given hash value $b = h(a) \in \{0,1\}^l$ and $h(\cdot)$ is computationally infeasible.
• Weak-collision resistant property. For any given input $a \in \{0,1\}^*$, finding any other input $b \in \{0,1\}^*$, with $b \neq a$, such that $h(b) = h(a)$ is computationally hard.
• Strong-collision resistant property. Finding a pair of inputs $(a, b)$, with $a \neq b$, $a, b \in \{0,1\}^*$, so that $h(a) = h(b)$ is also computationally infeasible.

There are numerous applications where hash functions can be applied. For example, the hash function can be applied in the field of cryptology and information security, notably in digital signatures, Message Authentication Codes (MACs), and other forms of authentication. One fundamental property of $h(\cdot)$ is that its outputs are very sensitive to small perturbations of its inputs. An example of a secure $h(\cdot)$ is SHA-1 [23].

3.2. Modular exponentiation

Given positive integers $x$, $e$ and $n$, the modular exponentiation $x^e \pmod{n}$ is computed with the fast exponentiation algorithm (repeated-square-and-multiply algorithm) [22] as follows. If $e$ is a power of 2, that is, $e = 2^k$, then $x^e = ((((x^2)^2)^2)\cdots)^2$, that is, $x$ squared $k$ times. For example, $x^8 = ((x^2)^2)^2$. However, if the exponent $e$ is not a power of 2, we first represent $e$ in binary as

$e = (b_{k-1} b_{k-2} \ldots b_1 b_0)_2 = b_{k-1} 2^{k-1} + b_{k-2} 2^{k-2} + \cdots + b_1 2^1 + b_0 2^0$, with $b_{k-1} = 1$.

Thus,

$e = (b_{k-1} 2^{k-2} + b_{k-2} 2^{k-3} + \cdots + b_1) \cdot 2 + b_0 = ((b_{k-1} 2^{k-3} + b_{k-2} 2^{k-4} + \cdots + b_2) \cdot 2 + b_1) \cdot 2 + b_0$.

Next we have

$e = ((b_{k-1} 2^1 + b_{k-2}) \cdot 2 + \cdots + b_1) \cdot 2 + b_0 = ((2 + b_{k-2}) \cdot 2 + \cdots + b_1) \cdot 2 + b_0$.

Hence,

$x^e \pmod{n} = ((((x^2 \cdot x^{b_{k-2}} \pmod{n})^2 \cdot x^{b_{k-3}} \pmod{n})^2 \cdots x^{b_1} \pmod{n})^2 \cdot x^{b_0} \pmod{n}) \pmod{n}$.

These steps are shown in Algorithm 1 for computing $y = x^e \pmod{n}$. In this algorithm, BitLength($e$) represents the number of bits present in $e$.

Algorithm 1 Repeated-square-and-multiply ($x$, $e$, $n$).
    Set $y = x$.
    Compute $k$ = BitLength($e$).
    for $i = k-2 \rightarrow 0$ do
        Compute $y = y \cdot y \pmod{n}$.
        if ($b_i = 1$) then
            Compute $y = y \cdot x \pmod{n}$.
        end if
    end for
    return $y$.

If $l = \log_2 n$, the computation of $y = x^e \pmod{n}$ involves $l$ modular squarings, $l$ modular multiplications and $l$ modular divisions. Thus, the time complexity involved in this algorithm is polynomial in $l$.
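Algorithm 1 in runnable form, as an added example that is not code from the paper. It goes one step beyond the text by recording the sequence of squarings (S) and multiplications (M) and comparing it with a Montgomery ladder, a standard variant whose operation sequence does not depend on the exponent bits; this matters because Section 2.3 assumes that stored secrets can be extracted by power analysis. The function names and sample values are assumptions.

```python
def square_and_multiply(x: int, e: int, n: int):
    """Algorithm 1: scan the bits of e from b_{k-2} down to b_0.

    Returns (x^e mod n, trace), where trace lists the operations performed.
    """
    if e < 1 or n < 1:
        raise ValueError("e and n must be positive integers")
    y = x % n  # "Set y = x", reduced so that the e = 1 case is also correct
    trace = []
    for i in range(e.bit_length() - 2, -1, -1):
        y = (y * y) % n
        trace.append("S")
        if (e >> i) & 1:          # the multiplication happens only for 1-bits
            y = (y * x) % n
            trace.append("M")
    return y, "".join(trace)


def montgomery_ladder(x: int, e: int, n: int):
    """Same result, but every bit costs one multiplication and one squaring.

    Only the operation sequence is made uniform here; Python integers are not
    constant-time, so this shows the structure, not a hardened implementation.
    """
    if e < 1 or n < 1:
        raise ValueError("e and n must be positive integers")
    r0, r1 = 1 % n, x % n         # invariant: r1 = r0 * x (mod n)
    trace = []
    for i in range(e.bit_length() - 1, -1, -1):
        if (e >> i) & 1:
            r0, r1 = (r0 * r1) % n, (r1 * r1) % n
        else:
            r1, r0 = (r0 * r1) % n, (r0 * r0) % n
        trace.append("MS")
    return r0, "".join(trace)


def compare(x: int, n: int, e1: int, e2: int):
    """Compare the two methods on two exponents of equal bit length."""
    y1, t1 = square_and_multiply(x, e1, n)
    y2, t2 = square_and_multiply(x, e2, n)
    z1, u1 = montgomery_ladder(x, e1, n)
    z2, u2 = montgomery_ladder(x, e2, n)
    return {
        "results_agree": (y1, y2) == (z1, z2) == (pow(x, e1, n), pow(x, e2, n)),
        "algorithm1_traces": (t1, t2),   # differ whenever the bits differ
        "ladder_traces_equal": u1 == u2,
    }


if __name__ == "__main__":
    # Constructed sample values: 13 = (1101)_2 and 9 = (1001)_2.
    print(compare(7, 33, 13, 9))
```

For a k-bit exponent, Algorithm 1 performs k − 1 squarings and one multiplication for each 1-bit after the leading one, which stays within the l operations the text gives when e has at most l bits.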
3.3. Quick response code

In 1994, the Denso Company first proposed the Quick Response code (called the QR code), which is a two-dimensional code [24]. The QR code is a matrix notation containing data in both rows and columns. A linear one-dimensional code is the typical style, in which all the information in the code is organized horizontally in bar and space widths and read left to right by a scanner. The QR code has the ability to store large amounts of data as compared to a linear one-dimensional code. With a QR code, we can store a larger volume of data: numerical data with 7089 characters, alphanumeric data having 4296 characters and binary data of 2953 bytes. The QR code does require longer data processing time as compared to that for a linear one-dimensional code. However, the QR code provides some attractive features such as high data reading speed and a high data fault tolerance rate. Due to these features, the QR code has become one of the most popular techniques in recent years [9].

3.4. Physical unclonable function

The Physical Unclonable Function (PUF) is basically a variability-aware circuit which detects the mismatch in circuit components caused by manufacturing process variation. PUFs are used for secret storage, which conventionally needs secure non-volatile Electrically Erasable Programmable Read-Only Memory (EEPROM) or battery-backed Static Random-Access Memory (SRAM) [25] for secret key storage. Instead of storing secrets in digital memory, it is possible for PUFs to derive a secret from the physical characteristics of the integrated circuit (IC). There are two primary applications where PUFs can be used: 1) low-cost authentication and 2) secret key generation. Furthermore, there are two categories based on these two applications: 1) strong PUFs and 2) weak PUFs. Typically, strong PUFs are applied for authentication, whereas weak PUFs are applied for key storage purposes. A more in-depth discussion of PUFs and their applications is given in [25].

4. Lightweight authentication protocols

The main goals for designing lightweight security protocols in wearable devices are to satisfy the security and functionality requirements identified earlier, and to provide protection against the security threats posed in the wearable communication environment. Since wearable devices are resource-constrained, we need to design lightweight security protocols in order to utilize the resources of wearable devices efficiently while maintaining a higher level of security against the various attacks discussed in Section 2.3. In this section, we review and discuss recently proposed authentication protocols [8,9,26] for wearable devices.

4.1. Review of Liu et al.’s scheme

Liu et al. [9] proposed a new authentication scheme for the wearable communication environment. They presented two protocols. In the first protocol, they used Bluetooth as the main communication channel between a Wearable Device (WD) and a smartphone (Mobile Terminal) (MT) for transmitting public messages. They further used the QR code as a visual Out-Of-Band (OOB) channel to transmit secure authentication messages. Their second protocol is called a two-path challenge-response authentication protocol. It is an auxiliary scheme which can be applied in some special situations, where it can reduce the time for pairing and can also improve the efficiency of mutual authentication between wearable devices and the mobile terminal.

In Liu et al.’s scheme, there are three entities involved: 1) user (U), 2) Wearable Device (WD), and 3) Mobile Terminal (MT). Their authentication model is based on the following assumptions:
• A user U may not be a specialist in this area, but he/she can simply operate the wearable devices. Both WD and MT belong to the same user U.
• WD is resource constrained because it has limited computing capability and storage capacity. WD also has a limited and small display screen.
• MT is more powerful (in terms of processing and storage capabilities) than WD.
• One WD can only pair with one MT at the same time.

Their scheme uses symmetric encryption/decryption, a one-way hash function and QR code encryption/decryption for mutual authentication and secret key establishment between WD and MT. Apart from the authentication phase, their scheme supports the following additional features:
• Password update: If a user U wishes to change his/her password in WD, U can regard MT as a trusted device and then proceed to update the original password with a newly chosen password in WD with the help of MT.
• Addition of users: If a user Ui wants to lend WD and MT to another user Uj, both WD and MT need to add Uj as a legal user.
• Replacement of WD: Only the authorized primary user has the right to replace a wearable device with another wearable device. This is needed as it can prevent attackers from replacing WD to steal the user’s data.
• Replacement of MT: Like the replacement of WD, only the authorized primary user has the right to replace a mobile terminal with another mobile terminal.
Table 1 Communication overhead analysis.

Scheme | Total number of messages | Total number of bits
Liu et al. [9] (device pairing based authentication) | 3 | 2528
Liu et al. [9] (challenge-response based authentication) | 4 | 1504
Sun et al. [26] | 3 | 4512
Liu et al. [8] | 7 | 2720

4.2. Review of Sun et al.'s scheme

Corner and Noble [27] introduced the concept of transient authentication for the mobile device. Transient authentication lifts the burden of authentication from a user with the help of a wearable token (i.e., IBM Linux wristwatch [27]) that constantly attests to the user's presence [28]. When the user departs, the token and device automatically lose contact, and then the device secures itself. The wearable token can automatically re-authenticate to the mobile device without the participation of the user of the wearable device. By using the wearable token approach, the authentication burden is shifted from the user to the wearable token. They utilized this idea to build a token system, called the Zero-Interaction Authentication (ZIA) system. In the ZIA system, a user wears a small authentication token. The token then communicates with a mobile terminal (for example, laptop and smartphone) over a short-range wireless link. Whenever the mobile terminal requires decryption authority, it acquires it from the token, and authority is retained as long as it is necessary [29].

Sun et al. [26] then designed a new wearable token system for the wearable communication environment based on transient authentication. Their scheme is based on the Diffie–Hellman public key exchange protocol, which uses modular exponentiation operations. In addition, their scheme uses symmetric encryption/decryption and a one-way hash function for mutual authentication and session key establishment between a wearable device and a mobile device. Furthermore, their scheme also has the following characteristics:

• It preserves the same security characteristics as the ZIA system offers.
• It is more effective than the ZIA system.
• It provides efficient mutual authentication and session key establishment by which the communication and computation costs of transient authentication are further reduced.

Sun et al.'s scheme also performs better than the ZIA system in terms of storage, computation, and communication costs.

4.3. Review of Liu et al.'s scheme

Liu et al. [8] proposed an authentication protocol for cloud-assisted wearable devices. In their protocol, a smartphone (P) and two wearable devices $WD_a$ and $WD_b$ can establish simultaneous interactions for local verification. After the verification stage, the cloud server S executes remote verification on $WD_a$ and $WD_b$. Their protocol consists of the following four steps:

• Challenge-response between P and $WD_a$.
• Mutual authentication between P and $WD_b$.
• Mutual authentication between P and $WD_a$.
• Remote verification on $WD_a$ and $WD_b$ by the cloud server S.

This protocol uses a one-way hash function, hashed message authentication code and PUF.

5. Comparative study of previously proposed authentication schemes for wearable devices

In this section, we present a comparison of the communication cost and computation cost during the authentication phase, and also of the functionality features, of the three authentication protocols for wearable devices discussed above, namely the schemes of Liu et al. [9], Sun et al. [26] and Liu et al. [8].

5.1. Communication overhead analysis

The communication overhead analysis of various existing schemes is provided in Table 1. For comparative analysis, we assume that the identities of user and wearable devices are 160 bits each; random nonce/number is 160 bits; timestamp is 32 bits; hash digest is 160 bits (if we use SHA-1 as h(·) [23]) and block size of symmetric encryption/decryption is 128 bits (if the Advanced Encryption Standard (AES-128) is used). In addition, 1024-bit Diffie-Hellman protocol is assumed in our comparative study. Furthermore, we assume that the output of the PUF is 160 bits and the output of the QR code is 1024 bits. The communication costs of Liu et al.'s scheme [9] are 2528 bits for device pairing based authentication and 1504 bits for challenge-response based authentication, respectively. In contrast, the communication cost for Sun et al.'s scheme [26] is 4512 bits, whereas it is 2720 bits for Liu et al.'s scheme [8]. From the analysis provided in Table 1, it is observed that both of Liu et al.'s authentication schemes [9] incur lower communication costs as compared to the other two protocols.

5.2. Computation overhead analysis

The computation overhead analysis of the three authentication schemes is shown in Table 2. The following notations are used in this analysis. Let $T_p$, $T_{enc}/T_{dec}$, $T_h$, $T_{exp}$ and $T_{qr}$ denote the time taken for computing a physical unclonable function P(·), an encryption/decryption using a symmetric cryptosystem (for example, if we apply the AES-128 algorithm), a one-way cryptographic hash function h(·) (if we use the SHA-1 hash algorithm), a modular exponentiation, and a QR code generation, respectively. The computation costs of Liu et al.'s protocols [9] are $6T_{enc}/T_{dec} + 2T_{qr} + 6T_h$ (for device pairing based authentication) and $2T_{enc}/T_{dec} + T_{qr} + 4T_h$ (for challenge-response based authentication), respectively. The computation costs for Sun et al.'s scheme [26] and Liu et al.'s scheme [8] are $4T_{exp} + 4T_{enc}/T_{dec} + 3T_h$ and $27T_h + 4T_p$, respectively. Since modular exponentiation is a more costly operation as compared to the other operations, such as one-way hash operation, symmetric encryption/decryption operation, PUF and QR code, both Liu et al.'s scheme [9] and Liu et al.'s scheme [8] are more computationally efficient as compared to Sun et al.'s scheme [26].

Table 2 Computation overhead comparison.

Scheme | Computation cost
Liu et al. [9] (device pairing based authentication) | $6T_{enc}/T_{dec} + 2T_{qr} + 6T_h$
Liu et al. [9] (challenge-response based authentication) | $2T_{enc}/T_{dec} + T_{qr} + 4T_h$
Sun et al. [26] | $4T_{exp} + 4T_{enc}/T_{dec} + 3T_h$
Liu et al. [8] | $27T_h + 4T_p$

5.3. Analysis of functionality features

Finally, we present a comparison of the schemes of Liu et al. [9], Sun et al. [26] and Liu et al. [8] in Table 3. The comparison is based on the various functionality features supported (or not supported) by each scheme.
From this table, we note that Liu et al.'s scheme [9] provides more functionality features as compared to the other two schemes of Sun et al. [26] and Liu et al. [8]. For example, Sun et al.'s scheme [26] and Liu et al.'s scheme [8] do not support the features AF12–AF15, whereas these features are supported by Liu et al.'s scheme [9]. However, the features AF2, AF3, AF7, AF9 and AF11 are not supported by any of the schemes.

6. Challenges and future research

In this section, we identify some future design challenges of security protocols for wearable devices.

• Most of the proposed security protocols for wearable devices in the literature do not support several functionality and security features, such as protection against stolen smartphone (mobile terminal) and wearable device attacks, strong replay attack, and smartphone and wearable device impersonation attacks; they also lack support for dynamic user addition and for replacing the wearable device and smartphone. To design a provably secure protocol for wearable devices, we need a rigorous security analysis.

The well-known Dolev–Yao threat model (known as the DY model) [30] equates an adversary with the channel. In other words, all messages are delivered by the adversary, who can read, reply, forge, manipulate, delay, and delete them. However, the current de facto standard model in modeling key-exchange protocols is the Canetti–Krawczyk (CK)-adversary model [31], where the adversary is responsible for delivering messages (as in the DY model), and can further compromise private keys, session keys and session state. Thus, the security of an authentication key-exchange protocol should guarantee that the leakage of some forms of secret information, such as session ephemeral secrets, session key, or long-term private keys, should have the least possible effect on the security of other secret credentials of the communicating parties.

The widely-accepted Burrows–Abadi–Needham logic (BAN logic) [32] is used to prove that two communicating parties can mutually authenticate each other correctly using trustworthy and fresh information. To achieve this, the BAN logic verifies the origin of the message, the origin's trustworthiness and its freshness.

Automated Validation of Internet Security Protocols and Applications (AVISPA) is a push-button tool for the automated validation of Internet security-sensitive protocols and applications, which provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of state-of-the-art automatic analysis techniques [33].

Table 3 Analysis of functionality features.

Feature | AF1 AF2 AF3 AF4 AF5 AF6 AF7 AF8 AF9 AF10 AF11 AF12 AF13 AF14 AF15
Liu et al. [9] | × × N/A × × ×
Sun et al. [26] | × × × × × × × × × × ×
Liu et al. [8] | × × N/A × × × × × × × ×
Note: AF1: user anonymity preservation; AF2: smartphone (mobile terminal) stolen attack protection; AF3: wearable device stolen attack protection; AF4: online/offline password guessing attack protection; AF5: privileged-insider attack protection; AF6: traceability preservation; AF7: strong replay attack protection; AF8: man-in-the-middle attack protection; AF9: wearable device/smartphone impersonation attack protection; AF10: denial-of-service attack protection; AF11: use of non-tamper resistant wearable devices; AF12: support of password update phase; AF13: support of dynamic users addition phase; AF14: support of replacing wearable devices phase; AF15: support of replacing smartphone (mobile terminal) phase. N/A: not applicable; : a protocol is secure or it supports a feature; ×: a protocol is insecure or it does not support a feature.

We require the formal security analysis under the random oracle model [34] and the CK adversary model, and the BAN logic. Furthermore, we need a formal security verification using the widely-accepted AVISPA tool to demonstrate that the security protocol is secure against replay and man-in-the-middle attacks.

• Power usage remains a challenge for wearable devices. To address this challenge, we need to explore cost-effective energy-harvesting solutions [35]. Such solutions will enable energy harvesting from the environment so that the battery lifetime of the wearable devices will increase.
• Another future research direction is to address confidentiality (privacy) issues. The privacy of the health-related data of a user stored at the wearable devices and mobile terminal needs to be protected from malicious users [36]. Hence, a lightweight authentication protocol is required between the wearable device and the mobile terminal for maintaining the privacy of the personal data of a user.
• Current authentication protocols for wearable devices are mostly based on the user's password. There are well-known advantages of using biometric keys (for example, fingerprint, face, iris, hand geometry and palm-print, and so on) over traditional passwords (as pointed out in [37]): 1) biometric keys cannot be lost or forgotten, 2) biometric keys are very difficult to copy or share, 3) biometric keys are extremely hard to forge or distribute, 4) biometric keys cannot be guessed easily, and 5) the biometric of a user cannot be easily broken. The output of a conventional hash function h(·) is sensitive to its input: even a small variation in the input may produce a completely different output. Biometric information is prone to various noises during data acquisition, and the reproduction of the actual biometric is hard in common practice.
To avoid this problem, a fuzzy extractor method is preferred, which can extract a uniformly random string (such as a secret biometric key) and public information (such as a reproduction parameter) from the biometric template with a given error tolerance threshold value t. A fuzzy extractor consists of the following two functions G(·) and R(·):

  • G: It is a probabilistic function, which takes a user's biometric template $BIO_i$ as input, and then outputs a secret key $\sigma_i \in \{0, 1\}^l$ of bit-length l and a public reproduction parameter $\tau_i$, where $G(BIO_i) = (\sigma_i, \tau_i)$.
  • R: It is a deterministic function, which takes a noisy biometric template $BIO'_i$, the public parameter $\tau_i$ and the error tolerance threshold value t related to $BIO_i$, and then it reproduces (recovers) the original biometric key $\sigma_i$. In other words, $R(BIO'_i, \tau_i) = \sigma_i$ provided that the Hamming distance between $BIO_i$ and $BIO'_i$ is less than or equal to t.
Multi-factor authentication solutions for wearable devices that combine a user’s biometric template along with password should be explored further in the future.
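
The functions G(·) and R(·) described above, as an added example that is not taken from the paper or from any of the reviewed schemes: a code-offset fuzzy extractor over bit-string templates. The repetition code, the HMAC-SHA-256 extractor, the parameter values and the helper names are assumptions chosen for illustration; a deployment would use a stronger error-correcting code such as BCH.

```python
import hashlib
import hmac
import secrets

R_FACTOR = 7                 # repetition factor (assumed, odd)
T = (R_FACTOR - 1) // 2      # error tolerance threshold t guaranteed by the code
KEY_BITS = 32                # codeword payload; template length is 32 * 7 = 224
N_BITS = KEY_BITS * R_FACTOR


def encode(bits):
    """Repetition code: repeat every bit R_FACTOR times."""
    return [b for b in bits for _ in range(R_FACTOR)]


def decode(bits):
    """Majority vote over each block of R_FACTOR bits."""
    return [int(sum(bits[i:i + R_FACTOR]) > R_FACTOR // 2)
            for i in range(0, len(bits), R_FACTOR)]


def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))


def flip(bits, positions):
    """Return a copy of bits with the given positions inverted (sensor noise)."""
    return [b ^ 1 if i in positions else b for i, b in enumerate(bits)]


def extract(bio, salt):
    """Derive sigma from the exact template (keyed hash used as the extractor)."""
    return hmac.new(salt, bytes(bio), hashlib.sha256).digest()


def plain_hash(bio):
    """What a design without a fuzzy extractor would compare: h(BIO)."""
    return hashlib.sha256(bytes(bio)).digest()


def G(bio):
    """Probabilistic generation: G(BIO) = (sigma, tau)."""
    if len(bio) != N_BITS or any(b not in (0, 1) for b in bio):
        raise ValueError("template must be N_BITS values of 0 or 1")
    codeword = encode([secrets.randbits(1) for _ in range(KEY_BITS)])
    salt = secrets.token_bytes(16)
    tau = (xor(bio, codeword), salt)      # public: code offset and salt
    return extract(bio, salt), tau


def R(noisy_bio, tau):
    """Deterministic reproduction: R(BIO', tau) = sigma if HD(BIO, BIO') <= T."""
    offset, salt = tau
    if len(noisy_bio) != len(offset):
        raise ValueError("template length does not match tau")
    noisy_codeword = xor(noisy_bio, offset)        # codeword XOR noise pattern
    codeword = encode(decode(noisy_codeword))      # error correction
    return extract(xor(offset, codeword), salt)    # recovered BIO -> sigma


if __name__ == "__main__":
    # Constructed 224-bit template standing in for real biometric features.
    bio = [(i * i + i // 3) % 2 for i in range(N_BITS)]
    sigma, tau = G(bio)
    noisy = flip(bio, {5, 60, 130})                # 3 bit errors, within t
    print("distance:", hamming(bio, noisy))
    print("plain hash matches:", plain_hash(noisy) == plain_hash(bio))
    print("R reproduces sigma:", R(noisy, tau) == sigma)
    print("beyond t:", R(flip(bio, {0, 1, 2, 3}), tau) == sigma)
```

The public parameter tau is not harmless with this toy code: each 7-bit block of the offset equals the template block or its complement, so it reveals which template bits within a block agree.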

7. Conclusion

We have discussed the security and functionality requirements, and security threats to the wearable communication environment. Next, we presented some of the recently proposed lightweight authentication protocols for wearable devices and we compared them in terms of their security features as well as their communication and computation costs. Finally, we identified some future challenges that must be addressed in the area of lightweight security protocols designed specifically for resource-constrained wearable devices. Efficient, lightweight, robust and scalable authentication protocols will continue to play a fundamental role in ensuring that the security and privacy of information in the wearable communication environment are always protected.

Acknowledgment

We thank the anonymous reviewers for their valuable feedback on the paper which helped us to improve its quality and presentation.

References

[1] Tehrani K, Michael A. Introduction to wearable technology; 2016. http://www.wearabledevices.com/what-is-a-wearable-device. Accessed on October.
[2] Chan M, Estève D, Fourniols JY, Escriba C, Campo E. Smart wearable systems: current status and future challenges. Artif Intell Med 2012;56(3):137–56.
[3] Maldarelli C. This wearable patch uses sweat to monitor blood glucose levels; 2016. http://www.popsci.com/this-wearable-patch-uses-sweet-to-monitor-blood-glucose-levels. Accessed on October.
[4] Google Glass; 2016. https://developers.google.com/glass/distribute/glass-at-work. Accessed on October.
[5] Nield D. The best wearable payment devices; 2016. http://www.wareable.com/wearable-tech/the-best-wearable-payment-devices-976. Accessed on October.
[6] Smith S. Mobile & wearable contactless payments; 2016. https://www.juniperresearch.com. Accessed on October.
[7] Huang K. Wearables devices market and technology; 2016. http://www.slideshare.net/KevinHuang23/wearables-devices-market-and-technology. Accessed on October.
[8] Liu W, Liu H, Wan Y, Kong H, Ning H. The yoking-proof-based authentication protocol for cloud-assisted wearable devices. Pers Ubiquitous Comput 2016;20(3):469–79.
[9] Liu S, Hu S, Weng J, Zhu S, Chen Z. A novel asymmetric three-party based authentication scheme in wearable devices environment. J Netw Comput Appl 2016;60:144–54.
[10] Sheehy A. 8 mind-blowing uses of wearable technology; 2016. http://www.govtech.com/fs/news/8-Mind-blowing-Uses-of-Wearable-Technology-Seriously.html. Accessed on October.
[11] Patel M. The security and privacy of wearable health and fitness devices; 2016. https://securityintelligence.com/the-security-and-privacy-of-wearable-health-and-fitness-devices. Accessed on October.
[12] Liu J, Sun W. Smart attacks against intelligent wearables in people-centric internet of things. IEEE Commun Mag 2016;54(12):44–9.
[13] Gope P, Hwang T. BSN-care: a secure IoT-based modern healthcare system using body sensor network. IEEE Sens J 2016;16(5):1368–76.
[14] Li X, Ma J, Wang W, Xiong Y, Zhang J. A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Math Comput Model 2013;58(1–2):85–95.
[15] Zeadally S, Tellez J, Baig Z. Security attacks and solutions in electronic health (E-health) systems. J Med Syst 2016;40(12).
[16] Chatterjee S, Das AK, Sing JK. A novel and efficient user access control scheme for wireless body area sensor networks. J King Saud Univ Comput Inf Sci 2014;26(2):181–201.
[17] Gope P, Hwang T. A realistic lightweight anonymous authentication protocol for securing real-time application data access in wireless sensor networks. IEEE Trans Ind Electron 2016;63(11):7124–32.
[18] Messerges TS, Dabbish EA, Sloan RH. Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 2002;51(5):541–52.
[19] Das AK. An efficient and novel three-factor user authentication scheme for large-scale heterogeneous wireless sensor networks. Int J Commun Netw Distrib Syst July 2015;15(1):22–60.
[20] Callegati F, Cerroni W, Ramilli M. Man-in-the-middle attack to the HTTPS protocol. IEEE Secur Priv 2009;7(1):78–81.
[21] Gope P, Lee J, Quek TQS. Resilience of DoS attacks in designing anonymous user authentication protocol for wireless sensor networks. IEEE Sens J 2017;17(2):498–503.
[22] Stallings W. Cryptography and network security: principles and practices. 3rd ed. Prentice Hall; 2003.
[23] Secure hash standard. FIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995; September 2015. Available at http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
[24] Wave D. QR code and QR code features; 2008. Available online at http://www.denso-wave.com/qrcode/qrfeature-e.html and http://www.densowave.com/qrcode/aboutqr-e.html. Accessed on November 2016.
[25] Herder C, Yu MD, Koushanfar F, Devadas S. Physical unclonable functions and applications: a tutorial. Proc IEEE 2014;102(8):1126–41.
[26] Sun DZ, Huai JP, Sun JZ, Zhang JW, Feng ZY. A new design of wearable token system for mobile device security. IEEE Trans Consum Electron 2008;54(4):1784–9.
[27] Corner MD, Noble BD. Protecting file systems with transient authentication. Wireless Netw 2005;11(1):7–19.
[28] Nicholson AJ, Corner MD, Noble BD. Mobile device security using transient authentication. IEEE Trans Mob Comput 2006;5(11):1489–502.
[29] Corner MD, Noble BD. Zero-interaction authentication. In: Proceedings of the 8th annual international conference on mobile computing and networking (MobiCom '02). Atlanta, Georgia, USA: ACM; 2002. p. 1–11.
[30] Dolev D, Yao A. On the security of public key protocols. IEEE Trans Inf Theory 1983;29(2):198–208.
[31] Canetti R, Krawczyk H. Analysis of key-exchange protocols and their use for building secure channels. In: Proceedings of the international conference on the theory and application of cryptographic techniques: advances in cryptology (EUROCRYPT'01). Springer, Innsbruck, Austria; 2001. p. 453–74.
[32] Burrows M, Abadi M, Needham R. A logic of authentication. ACM Trans Comput Syst 1990;8(1):18–36.
[33] AVISPA. Automated validation of internet security protocols and applications; 2016. Accessed on November. http://www.avispa-project.org/package/usermanual.pdf.
[34] Chatterjee S, Roy S, Das AK, Chattopadhyay S, Kumar N, Vasilakos AV. Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment. IEEE Trans Depend Secure Comput 2016. doi:10.1109/TDSC.2016.2616876.
[35] Shaikh FK, Zeadally S. Energy harvesting in wireless sensor networks: a comprehensive review. Renew Sustain Energy Rev 2016;55:1041–54.
[36] Motti VG, Caine K. Users' privacy concerns about wearables. In: Financial cryptography and data security: FC 2015 international workshops, San Juan, Puerto Rico. Springer Berlin Heidelberg; 2015. p. 231–44.
[37] Li CT, Hwang MS. An efficient biometric-based remote user authentication scheme using smart cards. J Netw Comput Appl 2010;33(1):1–5.

Ashok Kumar Das received the Ph.D. degree in computer science and engineering, M.Tech. degree in computer science, and M.Sc. degree in mathematics from IIT Kharagpur, India. He is currently an Assistant Professor with Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India. His research interests include cryptography and network security.

Sherali Zeadally received his Bachelor's degree in computer science from the University of Cambridge, United Kingdom, and his doctoral degree in computer science from the University of Buckingham, United Kingdom. He is an associate professor at the University of Kentucky. He is a Fellow of the British Computer Society and the Institution of Engineering Technology, United Kingdom.

Mohammad Wazid received the M.Tech. degree in computer network engineering from Graphic Era University, Dehradun, India. He is currently pursuing the Ph.D. degree with the International Institute of Information Technology, Hyderabad, India. His current research interests include wireless sensor network security and security in smart grid and cloud computing.