- Email: [email protected]
Secure and efficient user authentication scheme for multi-gateway wireless sensor networks
Accepted Manuscript
Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks Jangirala Srinivas, Sourav Mukhopadhyay, Dheerendra Mishra PII: DOI: Reference:
S1570-8705(16)30298-0 10.1016/j.adhoc.2016.11.002 ADHOC 1483
To appear in:
Ad Hoc Networks
Received date: Revised date: Accepted date:
15 October 2015 23 October 2016 2 November 2016
Please cite this article as: Jangirala Srinivas, Sourav Mukhopadhyay, Dheerendra Mishra, Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks, Ad Hoc Networks (2016), doi: 10.1016/j.adhoc.2016.11.002
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
ACCEPTED MANUSCRIPT
Ad Hoc Networks Ad Hoc Networks xx (2016) 1–32
CR IP T
Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks Jangirala Srinivasa , Sourav Mukhopadhyaya , Dheerendra Mishrab a Department
AN US
of Mathematics, Indian Institute of Technology, Kharagpur 721 302, India E-mail: [email protected], [email protected] b Department of Mathematics, LNM Institute of Information Technology, Jaipur, India E-mail: [email protected]
Abstract
PT
ED
M
By utilizing Internet of Things (IoT), the collected information from the sensor nodes in wireless sensor networks (WSNs) could be provided to the users who are permitted to get access of sensor nodes. As the information from the sensors are transmitted via public network and sensor nodes have limited battery, shift the focus on security and efficiency in WSNs. User authentication is the security task for limiting the access. It is achieved by equipping authorized users with passwords, tokens or biometrics. However, password and token are easy being stolen and forgotten; even biometrics inherit some limitation. More suitable approach is to combine both password and biometric authenticator to harvest benefits in security. This paper proposes a novel authentication and key agreement scheme for WSNs using biohashing. Biohashing facilitates elimination of false accept rates without increasing occurrence of false rejection rate. Additionally, biohashing has highly clear separation of imposter populations and genuine, and zero equal error rate level. The proposed scheme also supports dynamic node addition and user friendly password change mechanism. Using the BAN-logic, we prove that the proposed scheme provides mutual authentication. In addition, we simulate proposed scheme for the security against man-in-the middle attack and replay attack using the AVISPA tool, and the simulation results show that our scheme is safe. Through the informal security analysis, we show that the proposed scheme is secure against the known attacks for authentication protocols.
AC
CE
Keywords: Internet of Things (IoT), Wireless sensor networks(WSNs), Authentication.
1
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
2
1. Introduction
• The topology of a sensor network changes very frequently.
The evolution of wireless sensor networks (WSNs) during the last decade has turned out to be extremely prevalent. Recently, most of the highly qualified associations are adopting various kinds of WSNs applications and numerous research communities are also showing their interest in providing qualitative productivity towards these WSNs applications. Dynamic examination in WSNs investigated different new applications empowered by larger scale networks of sensor nodes equipped for detecting data from environments, process the sensed information and transmits it to the remote locations. WSNs are mostly used in, low bandwidth and delay tolerant, applications ranging from civil and military to environmental and healthcare monitoring [1]. A wider study on remote sensor frameworks can be found in [2]. The sensors are small, with constraints of limited processing and computing resources. Sensor nodes are low power and limited memory devices equipped with one or more sensors, memory, a processor, a radio, a power supply, and an actuator, which can be randomly deployed irrespective of the territory to enable real-time detection of the environment. The deployment of sensor nodes in a specific field can be done using planes, catapults or placing them one by one. A WSNs usually comprises of a number of sensor nodes working together to monitor at the environment. It can be structured or unstructured, where sensor nodes may be deployed in an ad hoc manner or pre-planned manner into the field [2]. The sensors can measure, sense, and gather information from the environment and then can be transmitted sensed data to the user. This enables the sensor networks to monitor a wide variety of ambient conditions (pressure, humidity, temperature, vehicular movement, etc.). Sensor nodes can be used for continuous sensing, event detection, event ID, location sensing, and local control of actuators. The concept of micro-sensing and wireless connection of these nodes promise many new application areas. It is possible to expand these applications with classification involving more categories such as space exploration, chemical processing and disaster relief [2]. In order to provide efficient and prompt services in WSNs to the users, the security concerns are arising even more crucially as the entire communication is done over the public channel [8, 3, 4, 9] with the following restrictions:
• Sensor nodes mainly use broadcast communication paradigm whereas most ad hoc networks are based on point-to-point communications. • Sensor nodes are limited in power, computational capacities, and memory.
AC
CE
PT
ED
M
AN US
CR IP T
With the new creation of Internet of Things (IoT), the global network can be interconnected and accessed. In WSNs environment, IOT has an important application, such as the sensed data in WSNs environment can be provided to the remote users. However, the sensed data are transmitted via public networks. The adversary has capability to intercept the communication over a public network. This makes the WSNs environment vulnerable to attacks. Thus, a communication protocol should achieve the mutual authentication and support key agreement. To ensure secure authorization, the authentication scheme should satisfy desirable security attributes, such as impersonation attack, password guessing attack, stolen verifier attack, device loss attack, replay attack, man-in-the middle attack[10, 22]. Additionally, the user should be allowed to choose and change the password, independently. Till date, numerous scholarly works are presented on the security of WSNs [11, 22, 8, 12, 13, 14, 16, 17, 18, 19, 20, 21]. The gateway nodes (GWN) based authentication schemes in the literature make an envision possible, that the mutual authentication and key agreement schemes should be lightweight with the component of desirable security. GWN assumes an imperative part in WSNs. In order to further reach the specific sensor node, the remote users are obliged to achieve the GWN through internet at first. In contrary, sensing data from the sensor nodes firstly get to the GWN and then to the user. Making the data available to the remote users must assure the mutual authentication before allowing the access the real-time data in WSNs over the network. The GWN based model consists of three types of entities, namely, sensor nodes, GWNs, and users. The sensor nodes are responsible for sending the realtime data, whereas the gateway nodes are responsible for receiving and forwarding the relevant data to the user and sensor node [16]. In order to access the desired sensor node, the user can complete his registration to any one of the gateway nodes and can establish authorized session with the sensors by performing mutual authentication and key agreement. The authentications schemes usually try to achieve the goal of computational efficiency and security attributes [6]. The design of
• Sensor nodes are prone to failures.
2
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
are in this way lightweight and exceptionally suitable for WSNs. In 2012, Vaidya et al. [32] presented that the schemes, such as Das’s, Khan et al. and Chen and Shih are not secured for the attacks, like stolen smart-card, node-capture and sensor-node impersonation. Thus, the Vaidya et al. presented a novel two-factor user authentication scheme to prevent most of the potential attacks and to provide mutual authentication and session-key establishment to the user. Deebak [15] identified that the Vaidya et al.’s scheme is vulnerable to stolen smartcard, gateway node bypassing and sensor-node key impersonation. Xu and Wang [33], and Turkanovic and Holbl [11] showed that Das et al.’s design has flaws and is infeasible for executions, independently. They have proposed enhanced version of Das et al.’s scheme. Similar to Das et al.’s scheme, it was demonstrated that Xu at al.’s scheme has also security pitfalls, which were presented and corrected by Li et al. [34] and Turkanovic and Holbl [35]. In spite of the fact that Das et al.’s scheme was produced for hierarchical WSNs and the key agreement executes among the user, cluster head, and base-station, and Xue et al.’s key agreement executes between the user, GWN, and the sensor node, both utilize the same authentication model. Xue et al. argue that such a model is efficient because it runs the last two communications, acknowledgment for the BS or GWN and the user, simultaneously. However, since both communications have to be run, it is insignificant regarding efficiency. In 2014, Turkanovic et al. [16] proposed a user authentication and key agreement model to overcome the security flaws of the earlier designed schemes. Farash et al. [17] shown that Turkanovic et al.’s scheme is insecure and inefficient for various security drawbacks such as session key agreement, mutual authentication between all parties, traceability, preservation of user anonymity, privileged-insider attack and password guessing attack. Farash et al.’s scheme still has the security pitfalls such as off-line password guessing attack, off-line identity guessing attack. Simultaneously, Amin and Biswas [36] shown that Turkanovic et al.’s scheme is insecure and inefficient for various security drawbacks such as off-line password guessing attack, off-line identity guessing attack, smart card theft attack, user impersonation attack, sensor node impersonation attack and also shown the scheme is vulnerable to inefficient authentication phase. To overcome these shortcomings, Amin and Biswas presented a secure lightweight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. For a comprehensive survey on user authentication in WSNs, one can refer to the survey paper [3].
CR IP T
lightweight authentication scheme involves non-public key parameters, while probably secure design uses public key parameters [5, 7]. Non-public key parameters based schemes presents computationally efficient solution for low-capacity devices, which also makes these designs low-cost. However, These designs have some limitations, such as they are inefficient to support forward secrecy and unlinkability in two-factor authentication [9, 10]. So, for the environment where computational efficient solutions are required, lightweight authentication schemes are being utilized instead of their limitations. Thus, design and analysis of lightweight authentication scheme is an area of interest.
AC
CE
PT
ED
M
AN US
1.1. Brief review of research & development in the field Wong et al. [23] proposed a user authentication scheme for WSNs in 2006. Their scheme is a lightweight architecture, which requires only the computation of hash functions. However, it was later proved to be vulnerable to stolen verifier attack and many logged-in users with the same login-id attack. Das [24] improved the security of Wong et al.’s scheme. He proposed an efficient password-based user authentication, which uses the temporal credentials (i.e. timestamps) for verification. Das’s scheme is also shown to be vulnerable to denial-of-service attack and node capture attack. Later on, Huang et al. [25], Nyang and Lee [26] and He et al. [27] proposed some improvements of Das’s scheme. But the presented schemes failed to overcome the security flaws found in Das’s scheme. In 2010, Khan and Alghathbar [28] presented an improvement in Das’s scheme. They solved the problem of mutual authentication and unsecured password by introducing pre-shared keys and masked passwords. Although Vaidya et al. [29] identified the security pitfalls in Khan and Alghathbar’s scheme. To overcome these security pitfalls, Vaidya et al. proposed an improved version of Khan and Alghathbar’s scheme. In 2010, Chen and Shih [30] also proposed an improvement of Das’s scheme. Their scheme ensures the mutual authentication among the all involved parties. However, their scheme does not resist replay attack and forgery attack. In 2012, Das et al. [31] and in 2013, Xue et al. [19] proposed authentication and key agreement schemes for WSNs using smart cards, independently. They outlined the schemes to support user to viably and securely connect to the nodes of a WSNs. Both the protocols assure several security components like password protection, key agreement, mutual authentication, and resilience against several attacks. In addition, their schemes have a dynamic node addition phase. Both schemes use the hash and XOR reckonings, and
3
3
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
4
our proposed scheme using the BAN Logic is presented. In Section 6.2, we simulate our scheme for the formal security verification using AVISPA tool to show that our scheme is secure against passive and active attacks. The informal security analysis based on the adversary model of the proposed scheme is presented in the Section 7. We compare the performance of our scheme and the other related existing schemes in Section 8. Finally, we conclude the paper in Section 9.
1.2. Contribution
CR IP T
The related work section presents the overall idea of the existing research regarding user authentication and key agreement protocols for WSNs, where it has been identified that many of the authentication protocols fail to satisfy desirable security attributes. Therefore, we are motivated to develop an authentication protocol that could achieve desirable security attributes and can also be applicable for practical applications. The contributions are listed below:
2. Mathematical Preliminaries
2.1. Biohashing Biometric systems for human authentication in security task to enable authorized access to computer network. Although, it could be done using passwords, pins or tokens, but these mechanism suffer the lack of security as they are being easy to forgot or stolen [37]. Biometric systems also suffers from specific security threats and inherent limitation such as noisy data due to environment poorly illuminated or dirty sensor. As a result, denial of access in biometric systems can be greatly observed, which impacts on the usability of the system by failing to identify a genuine user [38]. To address the issue of high false rejection, BioHashing mechanism is introduced [39]. Over solely biometrics, BioHashing has substantial functional advantages such as clean separation of the genuine, zero error rate and imposter populations. This allowing elimination of false accept rates without suffering from increased occurrence of false reject rates. BioHashing generates a vector of bits starting from the biometric feature set and a seed which represents the Hash key. The base procedure is presented in [39], which functions as follows.
AN US
• We have analyzed the security of recently proposed Amin and Biswas’s authentication scheme for WSNs, where we show that their scheme suffers from several attacks including leakage of sensors secret keys, server spoofing attack, stolen smart card attack, password guessing attack, impersonation attack, identity guessing attack.
• To overcome the security weaknesses of Amin and Biswas’s scheme, we have proposed an efficient and more secure WSNs authentication scheme that can preserve all the original merits of Amin and Biswas’s scheme and withstands the possible known attacks.
ED
M
• To strengthen our proposed scheme, the security analysis using the BAN Logic has been presented. Using the informal security analysis, we have also shown that our scheme can resist numerous security attacks which include the attacks found in Amin and Biswas’s scheme.
PT
• In addition, we have performed the simulation of the proposed scheme using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, where the simulation results clearly indicate that our scheme is secure.
• Extraction of biometric feature represented in a vector form Γ ∈ Rn , where n is the feature length.
CE
• Use the input token to generate m pseudo-random vector {ri ∈ R M |i = 1, 2, · · · m}.
• Furthermore, the performance of our scheme is comparable to Amin and Biswas’s scheme and other related existing schemes.
AC
• Employ the Gram-Schmidt process to {ri ∈ R M |i = 1, 2, · · · m} and obtain orthonormal pseudorandam vectors {r⊥i ∈ Rn |i = 1, 2, · · · m} and n ≥ m.
1.3. Organization of the paper The road-map of the paper is as follows: In Section 2, we present the mathematical preliminaries, which includes biohashing technique, threat model and the necessary notations used in the paper. In Section 3, we present the brief review of the recently proposed Amin and Biswas’s scheme. in Section 4, we show security weaknesses of Amin and Biswas’s scheme. In Section 5, we discuss proposed lightweight authentication scheme for WSNs. In Section 6.1, security analysis of
• Calculate {hΓ|r⊥ii|i = 1, 2, · · · m}, where h.|.i indicate the inner product. • Calculate m−bit BioHash template, b = {bi |i = i = 1, 2, · · · m} using a threshold κ obtain from
4
1, ifhΓ|r⊥ii ≤ κ, bi = 0, ifhΓ|r⊥ii > κ.
(1)
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
5
2.2. Threat Model
3. Review of Amin and Biswas’s Scheme
In this paper, we use the following threat model considering the assumptions as follows [40, 41, 42, 43, 44, 45]:
Amin and Biswas’s scheme consists of six phases, namely, the system setup phase, registration phase (users registration and sensor nodes registration), the login phase, the authentication and key agreement phase, the password-change phase and the dynamic node addition phase. In addition with this Amin and Biswas’s scheme has System environment for the execution procedure of their protocol. We have utilized the notations in the scheme as summarized in Table 1. The detail description is as follows:
CR IP T
• An adversary can extract the information from the smart card by examining the power consumption or leaked information. • An adversary is able to eavesdrop all the communications between the parties involved such as a user and a server over a public channel.
3.1. System setup phase
• An adversary has the potential to modify, delete, redirect and resend the eavesdropped transmitted messages.
This phase runs in off-line mode by the system administrator(SA). S A selects unique identity IDS N j for each sensor node (1 < j < m) and computes P j = h(IDS N j kS ran ). The random number S ran is known to all the gateway nodes, which is maintained securely. Finally, SA stores < IDS N j , P j , S ran > into the sensor nodes’ memory and randomly or manually deploys each sensor node over a target region.
AN US
• An adversary can be a legal user or an outsider in any system. • An adversary can guess low entropy password and identity individually easily but guessing two secret parameters(eg. password, identity) are computationally infeasible in polynomial time.
3.2. Registration phase
M
• Practically, it is assumed that the protocol used in the authentication system is known to the attacker.
Description ith remote user jth sensor node Gateway node (base station) in WSNs Smartcard of user Ui Identity of user Ui Identity of home gateway node HGWN Identity of foreign gateway node FGWN Identity of sensor node S N j Master secret key of HGWN Master secret key of FGWN Secret nonces used by Ui , S j , HGWN and FGWN respectively Password of user Ui Time interval for the allowed transmission delay Time when a message received by an entity Session key shared between Ui and S j Secure collision-free cryptographic one-way hash function Concatenation of data A with data B Exclusive-OR of data A and data B
CE
3.2.1. Sensor node registration phase In this phase, through an open channel each sensor node firstly computes PS j = P j ⊕ S ran and further sends the pair < IDS N j , PS j > to the nearest gateway node. The home gateway node (HGWN) receives the message and sends the confirmation message to each sensor nodes after extracts P j = PS j ⊕ S ran and storing the pair < IDS N j , P j > in its own database. Moreover, HGWN stores the sensor identity in the public directory. Further, each sensor node destroys the S ran from its own memory.
AC
Symbol Ui S Nj GWN SC IDi IDGWNh IDGWNF IDS N j H XGWN F XGWN ri , r j , rh , r f PWi ∆T Tc SK h(·) AkB A⊕B
PT
ED
• Kerckhoffs’s principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
In Amin and Biswas’s scheme the registration phase is divided into two. First one is Sensor node’s registration and Second one is user’s registration. In order to get the services from any sensor node, the user needs to be registered with the WS N s. Once the user gets registered with the WS N s, he/she will be able to connect with the opted sensor node. Both users and sensor nodes undergo this registration process. Once the users get registered, GWN issues a smartcard with the secret credentials for the future communications.
3.2.2. User registration phase In order to access to the services of the sensor nodes, the user has to register with HGWN. The description is as follows:
Table 1: Notations and their meanings
5
ACCEPTED MANUSCRIPT
6
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
L2: On successful verification, S C computes Bi = h(DIDi kT IDi kXk ) = Ai ⊕ h(DID0i ⊕ PWR0i ), Ci = h(IDGWNh kBi kri kT 1 ), Di = Bi ⊕ ri by generating a random number ri .
R2: For each user, the home gateway node generates a random identity T IDi and computes Regi = h(DIDi kPWRi ), and Ai = h(DIDi kT IDi kXk ) ⊕ h(DIDi ⊕ PWRi ). Where Xk is long term secret key of HGWN.
L3: After computing Bi , Ci , Di , a login message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 > is sent to HGWN through a public channel, where IDS N j is the identity of the sensor node and T 1 is the current timestamp.
R3: Finally, the computed values < T IDi , DIDi > are stored in its memory by HGWN. For each user, HGWN issues a smartcard S C, which stores < Regi , Ai , IDGWNh , T IDi , h(·) >.
3.4.2. Authentication Phase After receiving the login message from Ui , HGWN checks whether the opted sensor node is a registered in its database or not. If the verification is successful, HGWN executes the Case-1 as the authentication and key agreement phase. Otherwise, HGWN transfers the message < IDGWNh , T IDi , IDS N j > to the rest of the gateway nodes, which are called foreign gateway nodes (FGNs) of the WSNs model. The IDS N j must match with any one of the foreign gateway nodes to execute Case-2 as the authentication phase . Case-1:
CR IP T
R1: Ui selects IDi , PWi and a random number r. Ui computes DIDi = h(IDi kr) and PWRi = h(PWi kr). Ui submits < DIDi , PWRi > to HGWN through secure channel.
R4: After receiving S C, Ui stores r.
ED
M
AN US
3.3. System environment phase Whenever a registered user wishes to get the services from the desired sensor node in the WSNs, first he extract the sensor’s identity from the public directory of HGWN. Then, he insert the smartcard and inputs login credentials. The authenticity of the user is verified by the smartcard reader. Once the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN which includes sensor node’s IDS N j , where the existence of the identity of the sensor node IDS N j is looked in its database. If IDS N j exists in HGWN’s database, the authentication phase executes Case-1. Otherwise, Case-2 will be considered. 3.4. Login and authentication phase The login and authentication process of the Amin and Biswas’s scheme is as follows: This phase can be seen as two phases. During the login phase, the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN through the public channel. The procedure of the login phase is described below:
?
PT
HGWN verifies the computed Ci0 = Ci which is transmitted in the message . If the verification holds, HGWN authenticates the user Ui . Otherwise, the connection is terminated.
CE
A2: HGWN computes Ei = h(IDS N j kDIDi kP j krk kT 2 ) , fi = P j ⊕ rk , yk = ri ⊕ h(rk ) and Gi = DIDi ⊕ h(IDS N j krk ) by generating a random number rk . After the computation, HGWN sends the message M2 =< Ei , fi , Gi , yk , T 2 > to the sensor node S N j through the public channel.
3.4.1. Login Phase Here in this phase, the smartcard needs to verify the legitimacy of the user. The smartcard does the computations as follows:
AC
A1: On receiving the login message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >, HGWN checks the validity of the timestamp, i.e., |T 2 − T 1 | ≤ ∆T , where ∆T is the transmission time and T 2 is the current timestamp of HGWN. If the verification is valid, using the transmitted value T IDi HGWN extracts DIDi from its own database. Further computes B0i = h(DIDi kT IDi kXk ), ri0 = B0i ⊕ Di and Ci0 = h(IDGWNh kB0i kri0 kT 1 ). After the computation
A3: On receiving the message, S N j checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T , where T 3 is the sensor node’s current timestamp. If the verification is valid, S N j extracts rk0 = P j ⊕ fi0 , ri0 = y0k ⊕ h(rk0 ), DID0i = G0i ⊕ h(IDS N j krk ), Ei0 = h(IDS N j kDID0i kP j krk0 kT 2 ). After the computation,
ID0i
L1: To start the login process, Ui inputs and PWi0 . Then, the following values are verified: DID0i = h(ID0i kr), PWR0i = h(PWi0 kr), and Reg0i = h(DID0i kPWR0i ). Then, S C compares the computed Reg0i with the stored to Regi to verify the correctness. If this comparison matches, then S C accepts the user login credentials and take further computations. Otherwise, S C rejects the login request.
?
S N j verifies Ei0 = Ei . If the verification does not hold, the connection is aborted. Otherwise, further computations takes place.
6
ACCEPTED MANUSCRIPT
7
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
A4: The sensor node S N j computes H j = h(Ei0 kDIDi kr j kT 3 ), K j = rk ⊕ r j by generating a random nonce r j . After the computations, the sensor node sends the message M3 =< H j , K j , T 3 > to HGWN through the public channel.
< ZS i , IDGWNF > to the home gateway node over a public channel. A9: Using the login message which was sent earlier by the user Ui , HGWN computes B∗i = h(DIDi kT IDi kXk ), Zi = ZS i ⊕ S ran and BZi = B∗i ⊕ Zi and sends < BZi , IDGWNF > to the user Ui .
A5: On receiving the message, HGWN checks the validity of the timestamp, i.e., |T 4 − T 3 | ≤ ∆T , where T 4 is HGWN’s timestamp. If the verification is valid, HGWN extracts r j = K j ⊕ rk and computes H 0j = h(Ei kDIDi kr j kT 3 ). After the computation, HGWN verifies the computed ? H 0j = H j , which is transmitted in the message . If the verification does not hold, the connection is aborted. Otherwise, HGWN computes Li = h(Ei kDIDi kr j krk kT 4 ), Qi = r j ⊕ ri and sends a message M4 =< Li , Ei , Qi , K j , T 4 > to Ui through a public channel.
CR IP T
A10: The user first extracts Zi = Bi ⊕ BZi and then further computes AAi = h(T IDi kZi kRi kT Ui ), BBi = Zi ⊕ Ri , where Ri is the random number and T Ui is the user’s current timestamp. The user finally sends the message M5 =< T IDi , AAi , BBi , T Ui > to the FGWN.
AN US
A11: FGWN first checks the validity of the timestamp i.e., |T F − T Ui | ≤ ∆T . Where ∆T is the transmission time, which is constant and T F is the timestamp of FGWN. If the verification is valid, using the transmitted value T IDi FGWN computes Zi0 = h(T IDi kXGWNF ), Ri = BBi ⊕ Zi and AA0i = h(T IDi kZi0 kR0i kT Ui ). After the computation
A6: On receiving the message, Ui checks the validity of the timestamp i.e., |T 5 − T 4 | ≤ ∆T , where T 5 is the user’s current timestamp. If the verification is valid, Ui extracts r0j = ri ⊕ Qi , rk0 = K j ⊕ r0j , Li0 = h(Ei kDIDi kr0j krk0 kT 4 ). After the computation, ?
M
Ui verifies Li0 = Li . If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
ED
A7: After successfully authenticate, Amin and Biswas’s protocol achieves mutual authentication. Then a common secret session-key S K = h(DIDi kri kr j krk ) is shared among the entities involved in the system. Using the current session key, the user can access the desired sensor node during the future communications.
A12: The foreign gateway FGWN, computes CCi = h(T IDi kZi0 kRF kP j kT F kRi ) , GGi = P j ⊕ RF , FFi = Zi ⊕ h(P j ) by generating a random number RF . After the computation FGWN send the message M6 =< T IDi , CCi , GGi , FFi , BBi , T F > to the sensor node S N j through the public channel.
PT
A13: On receiving the message, the sensor node S N j checks the validity of the timestamp i.e., |T j − T F | ≤ ∆T . Where ∆T is the transmission time, which is constant and T j is the sensor node’s current timestamp. If the verification is valid, the sensor node extracts R0F = P j ⊕ GGi , Zi0 = FFi ⊕ h(P j ), R0i = BBi ⊕ Zi and computes CCi0 = h(T IDi kZi0 kR0F kP j kT F kR0i ) . After the computation,
CE
Case-2: After receiving a login request message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 > from the user, HGWN verifies whether IDS N j is in its database. On verifying the identity of the sensor node and found the verification failed, HGWN sends a broadcast message IDS N j , T IDi , IDGWNh to the rest of the gateway nodes of the WSNs model.Anyone of the FGWN foreign gateway node (other gateway nodes) must possess the identity of the sensor node in order to execute the authentication phase. The execution of the authentication phase is described as follows:
?
AC
A8: On receiving the broadcast message IDS N j , T IDi , IDGWNh , FGWN extracts P j from the database which is corresponding to IDS N j . After the extraction of the P j , FGWN computes F Zi = h(T IDi kXGWN ), ZS i = Zi ⊕ S ran and transmit
?
FGWN verifies the computed AA0i = AAi which is transmitted in the message . If the verification holds, the FGWN authenticates the user Ui . Otherwise, the connection is terminated.
the sensor node verifies the computed CCi0 = CCi which is transmitted in the message. If the verification does not hold, the connection is aborted. Otherwise, further computations takes place as follows:
A14: The sensor node S N j computes W j = h(IDS N j kP j ), DD j = h(T IDi kR j kW j kT j ), HH j = R j ⊕ W j , MM j = Zi ⊕ W j by generating a random nonce R j . After the computations, the sensor node sends the message 7
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
8
M7 =< T IDi , DD j , MM j , T j > to the FGWN through the public channel.
and rk . This shows that A can get the values ri , r j and rk after the authentication phase.
A15: On receiving the message, the foreign gateway node FGWN checks the validity of the timestamp i.e., |TGWN − T j | ≤ ∆T . Where ∆T is the transmission time, which is constant and TGWN is the FGWN’s current timestamp. If the verification is valid, FGWN computes R0j = HH j ⊕ W j , RRF = R j ⊕ RF . After the computation, FGWN sends a message M8 =< T IDi , DD j , MM j , RRF , T j , TGWN > to the user Ui through a public channel.
2: A can also get fi as HGWN transmits the message < Ei , fi , Gi , yk , T 2 > via public channel, where fi = P j ⊕ rk . 3: Using rk and fi , A extracts P j as P j = fi ⊕ rk .
CR IP T
It is clear from the above discussion that an adversary can get sensor secret key P j based on the valid assumptions mentioned in the threat model. 4.2. Leakage of the system key
A16: On receiving the message, the user Ui checks the validity of the timestamp i.e., |T U − TGWN | ≤ ∆T . Where T U is the user’s current timestamp. If the verification is valid, the user extracts W j = MM j ⊕ Zi , R j = HH j ⊕ W j , RF = RRF ⊕ R j , DD0j = h(T IDi kR j kW j kT j ). After the computa-
AN US
?
Security of Amin and Biswas’s scheme depends on the secrecy of random number S ran . Unfortunately, the adversary can achieve the security parameter S ran as follows: 1: After registering as a user (U A ) to HGWN, A selects a sensor node S N j , which is not registered with HGWN. A submits his login request < IDGWNh , T IDA , IDS N j , C A , DA , T A > to HGWN, where C A = h(IDGWNh ||BA ||rA ||T A ), DA = BA ⊕ rA and T A is the current timestamp.
tion, the user verifies the computed DD0j = DD j which is transmitted in the message. If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
ED
M
A17: After successfully authenticate, Amin and Biswas’s protocol achieves mutual authentication. Then a common secret session-key S K = h(T IDi kIDS N j kRi kR j kRF ) is shared among the entities involved in the system. Using the current session key, the user can access the desired sensor node during the future communications.
2: As IDS N j is not registered with home gateway node, then HGWN sends < IDS N j , T IDA , IDGWNh > to the other gateways in the system.
PT
3: On receiving the message < IDS N j , T IDA , IDGWNh >, the foreign gateway node FGWN extracts P j and sends the message < ZS A , IDGWN f > to HWGN, where F ZS A = ZA ⊕ S ran and ZA = h(T IDA kXGWN ).
4. Cryptanalysis of Amin and Biswas’s Scheme
4: On receiving the message < ZS A , IDGWN f >, HGWN computes BA = h(DIDA kT IDA kXk ), ZA = ZS i ⊕ S ran and BZA = BA ⊕ ZA , and then sends < BZA , IDGWNF > to U A .
CE
In this section, we show that Amin and Biswas’s scheme does not resist many attack based on adversary model 2.2. 4.1. Leakage of sensors secret keys
5: On receiving the message < BZA , IDGWN f >, A uses his credential Bi to retrieve ZA as ZA = BA ⊕ BZA . A can also get the message < ZS A , IDGWN f > as the message transmit via public channel.
AC
As per the threat model discussed in Section 2.2, an adversary (A) can also be a user in the system, and thus he can get all the security parameters, which a valid user gets in the system. Using these credentials, A can derive the sensor’s secret key P j in Amin and Biswas’s scheme, which can be later utilized to perform various attacks. The adversary can achieve P j by performing the following procedure:
6: A retrieves S ran using ZA and ZS A . It is clear from the above discussion that an adversary can achieve the security parameter S ran on which security of system is depend as S ran is used to compute the secret keys of all sensor nodes. This shows that security of Amin and Biswas’s scheme is compromised.
1: A can registered in the system as a user, and can initiate the login session, which will output ri , r j 8
ACCEPTED MANUSCRIPT
9
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
5: A retrieves ri using rk as ri = yk ⊕ h(rk ). Then, A retrieves Bi using ri as Bi = Di ⊕ h(ri ).
4.3. Server spoofing attack An adversary can perform server spoofing attack on Amin and Biswas’s scheme as follows: 1: A intercepts Ui ’s login message IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >.
M1
6: Using the retrieved parameters DIDi and Bi , A can masquerade as a valid user Ui to login to the system as follows:
=<
2: A first achieves P j as discussed in Section 4.1.
• A chooses a value rA and computes Ci∗ = h(IDGWNh kBi krA kT A ), D∗i = Bi ⊕ rA , where T A is the current timestamp used by A.
4: A retrieves DIDi using rk as DIDi h(IDS N j ||rk ).
CR IP T
3: Using the old transmitted message < Ei , fi , Gi , yk , T 2 > of HGWN, A retrieves rk as rk = fi ⊕ P j .
• A sends the message M1 =< IDGWNh , T IDi , IDS N j , Ci∗ , D∗i , T A > to HGWN through a public channel.
= Gi ⊕
• At HWGN end verification holds.
5: A retrieves ri using rk as ri = yk ⊕ h(rk ).
4.5. Stolen smartcard attack
6: A retrieves Bi using ri as Bi = Di ⊕ h(ri ).
We suppose that the user Ui0 s smart card was stolen by an attacker. Now, by the method of power analysis [44, 43] the attacker can extract the information stored on the smart card {Regi , Ai , IDGWNh , T IDi , r, h(·)}. Using the extracted information of smartcard and the intercepted messages on the unreliable channel, attacker imposes the following attacks :
AN US
7: A Selects two random numbers r11 and r12 and computes QA = r11 ⊕ ri , KA = r12 ⊕ r11 , E A = h(IDS N j kDIDi kP j kr12 kT A1 ) and LA = h(E A kDIDi kr11 kr12 kT A ), where T A1 and T A are current timestamp used by adversary. 8: A sends a message MA =< LA , E A , QA , KA , T A > to the user Ui .
ED
M
On receiving the message, when the user checks the validity of the timestamp i.e., |T 5 − T A | ≤ ∆T , where T 5 is the user’s current timestamp. The verification holds as adversary uses current timestamp. Then, the user ex0 0 0 tracts r11 = ri ⊕ QA , r12 = KA ⊕ r11 , and computes L0A =
4.5.1. Off-line password guessing attack The adversary guess the user’s password based on the valid assumptions of the threat model as adversary can get DID and r as follows: 1: A first achieves P j as discussed in Section 4.1.
?
0 0 h(E A kDIDi kr11 kr11 kT A ). Then, user verifies L0A = LA . The verification holds and it is confirmed that the sensor node is authentic. After the authentication, the user computes secret session-key S K = h(DIDi kri kr11 kr12 ). However, an adversary can also compute the session key as he knows DIDi , ri , r11 and r12 .
PT
2: Using the intercepted message < Ei , fi , Gi , yk , T 2 > of Ui , A retrieves rk as rk = fi ⊕ P j .
CE
3: A retrieves DIDi using rk as DIDi h(IDS N j krk ).
= Gi ⊕
4: Using the method of power analysis [44, 43], A extracts the stored information r and Regi = h(DIDi kPWRi ) from the stolen smart card.
1: A intercepts Ui ’s login message IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >.
5: A chooses a value PWig and computes PWRgi = h(PWig kr), and then verifies
AC
4.4. User impersonation attack An adversary can also impersonate a user in Amin and Biswas’s scheme as follows: M1
=<
?
Regi = h(DIDi kPWRgi ).
2: A first achieves P j as discussed in Section 4.1.
6: If verification holds, A succeeds in password guessing. Otherwise, A repeats the process.
3: Using the old transmitted message < Ei , fi , Gi , yk , T 2 > of HGWN, A retrieves rk as rk = fi ⊕ P j . 4: A retrieves DIDi using rk as DIDi h(IDS N j ||rk ).
It is clear from the above discussion that an adversary can successfully guess user’s password based on the valid assumptions of threat model.
= Gi ⊕ 9
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
4.5.2. Identity guessing attack The adversary guess the user’s identity based on the valid assumptions of the threat model as adversary can get DID and r as follows:
10
5.1. System setup phase It is an off-line mode, where system administrator(SA) generates the identity and security parameters for each sensor nodes. First, S A generates the identities {IDS N1 , IDS N2 , · · · IDS Nm } for each sensor node {S N1 , S N2 , · · · S Nm } such that no two distinct sensor node will get same identity. Then, S A computes P j = h(IDS N j ⊕ S ran ) for 1 ≤ j ≤ m, where S ran is a random secret known to all the gateway nodes. S A stores < IDS N j , P j > for 1 ≤ j ≤ m into the memory of sensor nodes before their deployment.
1: The adversary first achieves P j as discussed in Section 4.1.
CR IP T
2: Using the intercepted message < Ei , fi , Gi , yk , T 2 > of Ui , A retrieves rk as rk = fi ⊕ P j . 3: A retrieves DIDi as DIDi = Gi ⊕ h(IDS N j krk ). 4: Using the method of power analysis [44, 43], A extracts the stored information r from the stolen smart card.
5.2. Registration phase
The registration phase is divided into two sub phases. First one is Sensor node’s registration and Second one is user’s registration. In order to get the services from any sensor node, the user needs to be registered. Once the user gets registered, he will be able to connect with the opted sensor node. Both users and sensor nodes undergo this registration process. Once the users get registered, HGWN issues a smartcard with the secret credentials for the future communications.
A can get r as A knows all the stored parameters of smart card.
AN US
?
5: A chooses an identity IDgi and then verifies DIDi = h(IDgi kr).
6: If verification holds, the adversary A succeeds in guessing the identity of the user. Otherwise, A repeats the above step.
M
It is clear from the above discussion that an adversary can successfully guess user’s identity based on the valid assumptions mentioned in the threat model.
ED
5. Proposed Authentication Scheme (MAAS) for WSNs
PT
The proposed scheme uses Amin and Biswas’s scheme as a case study, which handles all the previously mentioned security shortcomings and vulnerabilities found in their scheme. In order to overcome the security flaws found in Amin and Biswas’s scheme, we propose an enhanced authentication and key agreement protocol, which enables the WSNs dynamically limitless growth without affecting the functionality of the registration or authentication process of both the user and sensor nodes. A precise interpretation of this fact is presented in the description of the system setup phase and registration phase of the proposed scheme. The proposed scheme consists of the following six phases: (i). System setup phase, (ii). Registration phase, (iii). System environment phase, (iv). Login, authentication and key agreement phase, (v). Dynamic node addition phase, and (vi). Password-change phase. We have also utilized the notations in our scheme as summarized in Table 1. These phases related to our scheme are described in the following subsections.
5.2.1. Sensor node registration phase In this phase, through an open channel each sensor node sends < IDS N j , T r , M j > to the nearest gateway node, where M j = h(IDS N j ||P j ||T r ) and T r is registration time. On receiving the message, HGWN computes ? P j = h(IDS N j ⊕S ran ) and verifies M j = h(IDS N j ||P j ||T r ). HGWN sends the confirmation message to node S N j if verification holds. HGWN stores {IDS N j , T r } in its database. Further, S N j stores registration time T r .
CE
5.2.2. User registration phase User completes his registration at HGWN, and achieves personalized security parameters to access sensor node. The registration phase is discussed in Figure 1. The description of registration mechanism is as follows:
AC
R1: Ui selects identity IDi , password PWi and a random number u. Ui computes DIDi = h(IDi ku) and RPWi = h(PWi kukIDi ), and then submits < DIDi , RPWi > to HGWN via secure channel. R2: On receiving registration request, HGWN checks the registration of DIDi . If DIDi is not registered, HGWN selects a random number T IDi and H computes Ki = h(DIDi kT IDi kXGWN ) and Yi = H Ki ⊕ RPWi , where XGWN is a 1024 bits secret key of HGWN . 10
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
R3: HGWN stores < T IDi , DIDi > in registered user database, and then issues a smart card S Ci to Ui including < Yi , T IDi , h(·) >.
5.4.1. Login Phase First, the smartcard needs to verify the legitimacy of the user. For the valid user, smartcard processes the login request. First, smartcard inquires to the gateway about available sensors by submitting his/her requirement. HGWN provides the sensor identity on the basis of availability and requirement. On receiving the sensor identity, user executes the login request. The description is given below:
R4: After receiving S Ci , Ui imprints his biometric key Bi and computes Ci = u ⊕ H(Bi ) and Vi = h(IDi ⊕ PWi ⊕ u). Ui stores Ci and Vi into S Ci . 5.3. System environment phase
RPWi = h(PWi kukIDi ).
M
AN US
L2: On the success of login, S Ci inquires for sensor identity as per requirement. By observing the user requirement and sensors availability, HGWN sends the available sensor’s identity IDS N j to Ui . Moreover, HGWN also provides the identity of a sensor node which are under some foreign gateway node in order to fulfil user’s requirement. L3: S Ci generates a random number ri and computes DIDi = h(IDi ku),D1 = h(Ki kDIDi kIDS N j ) ⊕ ri and D2 = h(DIDi kri kT IDi kKi kT 1 kIDS N j ), where T 1 is the current timestamp.
HGWN
{DIDi ,RPWi }
−−−−−−−−−−−−−→ S ecurechannel
S Ci =hYi ,IDGWN ,T IDi ,h(·)i
←−−−−−−−−−−−−−−−−−−−−−−
Computes H Ki = h(DIDi kT IDi kXGWN ), Yi = Ki ⊕ RPWi ,
L4: On computation of D1 and D2 , Ui sends the login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > to HGWN. 5.4.2. Authentication and key agreement Phase After receiving the login message of Ui , HGWN checks whether the requested sensor S N j is in the registered sensor list or not by checking its database. If the verification is successful, HGWN executes the Case-1 as the authentication and key agreement phase. Otherwise, HGWN transfers the user’s message < T IDi , IDS N j , D1 , D2 , T 1 > to the rest of the gateway nodes which are known as foreign gateway nodes (FGWN) of the WSNs model. The IDS N j must match with any one of the foreign gateway nodes FGWN to execute Case-2 as the authentication phase. The message exchange of login and authentication is discussed in Figure 2.
stores < T IDi , DIDi >
in its database
PT
S ecurechannel
selects a random number T IDi
CE
imprints his biometric key Bi Computes Ci = u ⊕ H(Bi ) Vi = h(IDi ⊕ PWi ⊕ u) stores Ci and Vi into S Ci .
L1: To start the login process, Ui inputs ID0i and PWi0 . Ui also imprints Bi . Then, S Ci computes u = Ci ⊕ ? H(Bi ) and verifies Vi = h(IDi ⊕PWi ⊕u). If verification holds, S Ci computes Ki = Yi ⊕ h(PWi kukIDi ).
ED
User Ui Chooses IDi , PWi . Selects a random number u, Computes DIDi = h(IDi ku),
CR IP T
The gateway node maintains the public directory of all the sensor nodes (S N j ’s). So, whenever a registered user want to get services from S N j he/she can pick the appropriate S N j ’s identity in the service environment of wireless sensors. In order to access the services, user first initiate the login session using his/her smart card. The authenticity of the user is verified in pre-smartcard authentication. Once the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN which includes sensor node’s IDS N j , where the existence of the identity of the sensor node IDS N j is looked in its database. If the IDS N j exists in HGWN’s database, the authentication phase executes Case-1. Otherwise, Case-2 will be considered. Figure 1: User registration phase of our scheme
11
5.4. Login, authentication and key agreement phase
AC
The gateway node maintains the public directory, which comprises the sensor nodes identities in WSN environment. This enable an user to select a sensor as per his requirement. To get services of a sensor S N j , user extracts IDS N j from the public directory. The registered user inserts his smartcard into a card reader to initiate the login and authentication phase. This phase can be seen as two phases. Once the legitimacy of the user is verified, a login message is forwarded to the home gateway node HGWN through the public channel in order to login to the desired sensor node S N j . The procedure of the login, authentication and key agreement phases are described below:
Case-1:
11
A1: On receiving the login message < T IDi , IDS N j , D1 , D2 , T 1 > at time T 2 , HGWN checks the validity of the timestamp i.e., |T 2 − T 1 | ≤ ∆T , Where ∆T is the threshold
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
12
Case-2:
for time delay in message transmission. If the verification passes, using pseudonym identity T IDi , HGWN extracts DIDi from its database. HGWN H computes Ki0 = h(DIDi kT IDi kXGWN ) and retrieves ri = D1 ⊕ h(Ki ||DIDi ||IDS N j ). Then, HGWN
After receiving a login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > from the user at the time T H , HGWN first checks |T H − T 1 | ≤ ∆T . If verification succeeds, HGWN verifies whether IDS N j is in its database. On verifying the identity of the sensor node, if verification failed, HGWN sends a broadcast message < IDS N j , T IDi , IDGWNh , L1 , T H > to the rest of the gateway nodes of the WSNs model, where L1 = h(IDS N j ||T IDi ||IDGWNh ||S ran kT H ). If any foreign gateway node founds the sensor identity in its database, FGWN verifies the freshness of the message and executes the mutual authentication. If IDS N j is found in the database of foreign Gateway FGWN, the authentication phase executes as follows. The message exchange is discussed in Figure 3.
?
verifies D02 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ). If the verification holds, HGWN authenticates the user Ui . Otherwise, the connection is terminated.
CR IP T
A2: HGWN generates a random number rh and computes P j = h(IDS N j ⊕ S ran ), D3 = h(P j ||T 2 ||T r ||IDS N j ||T IDi ) ⊕ rh , D4 = ri ⊕h(P j ||T IDi ||rh ||T 2 ), D5 = DIDi ⊕h(P j ||ri ||rh ||T 2 ) and D6 = h(IDS N j ||ri ||DIDi ||T r ||P j krh kT 2 ). HGWN contracts the login message M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > and sends to S N j .
A8: On receiving the broadcast message < IDS N j , T IDi , IDGWNh , L1 , T H > at time T H0 , FGWN first checks |T F − T H | ≤ ∆T . If verification succeeds, FGWN verifies ? L1 = h(IDS N j ||T IDi ||IDGWNh ||S ran kT H ). If the verification holds, FGNW computes KiF = F h(T IDi ||XGWN ), A1 = h(T IDi ||S ran ||IDGWNF ) ⊕ F (Ki ) and L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ). FGWN transmits the message M5 =< A1 , IDGWNF , L2 , T IDi , T F > to HGWN via public network.
AN US
A3: On receiving the message at time T 3 , S N j checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T . If the verification is valid, S N j extracts rh0 = h(P j ||T 2 ||T r ||IDS N j ||T IDi ) ⊕ D3 , ri0 = D4 ⊕ h(P j ||T IDi ||rh ||T 2 ), DID0i = D5 ⊕ h(P j ||ri ||rh ||T 2 ), ?
D6 = h(IDS N j ||ri ||DIDi ||T r kP j krh kT 2 ). If the verification does not hold, the connection is aborted.
M
A4: S N j generates a random number r j and computes D7 = r j ⊕ h(P j ||rh ||T 3 ) and D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 ||T r ). Then, S N j sends the message M3 =< D7 , D8 , T 3 > to HGWN.
ED
A9: HGWN receives the message M5 on time T ug f , then verifies the freshness of the message using |T ug f − T F | ≤ ∆T . If the verification holds, computes KiF = A1 ⊕ h(T IDi ||S ran ||IDGWNF ) and ver-
A5: On receiving the message at time T 4 , HGWN checks |T 4 − T 3 | ≤ ∆T . If the verification is valid, HGWN extracts r0j = D7 ⊕ h(P j ||rh ||T 3 )
?
PT
ifies L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ). If verification succeeds, HGWN computes Ki = H h(DIDi kT IDi kXGWN ), A2 = KiF ⊕ h(Ki ||IDGWNF ) F and L3 = h(Ki ||Ki ||IDS N j ||IDGWNF kT ug f ), then sends M6 =< A2 , L3 , IDGWNF , T ug f > to Ui .
?
CE
and verifies D8 = h(P j ||r0j ||T 2 ||rh ||T IDi ||ri ||T 3 ||T r ). If the verification does not hold, the connection is aborted. Otherwise, HGWN computes D9 = rh ⊕ h(Ki ||DIDi ||ri ), D10 = r j ⊕ h(Ki ||rh ||DIDi ||ri ) and D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ) and sends a message M4 =< D9 , D10 , D11 , T 4 > to the user Ui .
A10: From the received message Ui first checks if, |T 2 − T ug f | ≤ ∆T , where T 2 is the current timestamp of Ui . Further, extracts KiF =
AC
A6: On receiving the message at time T 5 , the user Ui checks |T 5 − T 4 | ≤ ∆T . If the verification is valid, the user extracts rh = D9 ⊕ h(Ki ||DIDi ||ri ), r j =
?
A2 ⊕ h(Ki ||IDGWNF ), and then verifies L3 = h(Ki ||KiF ||IDS N j ||IDGWNF kT ug f ). If verification holds, Ui computes A3 = h(KiF ||T IDi ||IDS N j ) ⊕ ri and L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ), where T 2 is the current timestamp. Then, Ui sends the login message M7 =< T IDi , IDS N j , A3 , L4 , T 2 > to FGWN.
?
D10 ⊕ h(Ki ||rh ||DIDi ||ri ), and then verifies D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ). If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
A7: On the success of mutual authentication, sessionkey S K = h(DIDi kri kr j krh kIDS N j ) is constricted by involved entities in the system. 12
A11: FGWN first checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T , where T 3 is the current times-
ACCEPTED MANUSCRIPT
13
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Figure 2: Case-1: Login and authentication phases of the proposed scheme
User Ui Inserts SC into a terminal. Inputs IDi and PWi . imprints his biometric key Bi Computes u = Ci ⊕ H(Bi ),
Gateway node HGWN
Sensor node S j
Checks if, |T 2 − T 1 | ≤ ∆T Using T IDi , extracts DIDi H Compute Ki0 = h(DIDi kT IDi kXGWN ) ri = D1 ⊕ h(Ki0 ||DIDi ||IDS N j ) ?
CR IP T
?
verifies Vi = h(IDi ⊕ PWi ⊕ u) Computes Ki = Yi ⊕ h(PWi kukIDi ). Generates a random number ri DIDi = h(IDi ku) D1 = h(Ki ||DIDi ||IDS N j ) ⊕ ri D2 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ) T 1 is current timestamp M1 =< T IDi , IDS N j , D1 , D2 , T 1 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
PT
ED
M
AN US
Checks if D02 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ) generate a random number rh Computes P j = h(IDS N j ⊕ S ran ), D3 = h(P j ||T 2 kT r ||IDS N j ||T IDi ) ⊕ rh , D4 = ri ⊕ h(P j ||T IDi ||rh ||T 2 ), D5 = DIDi ⊕ h(P j ||ri ||rh ||T 2 ), D6 = h(IDS N j ||ri ||DIDi kT r kP j krh kT 2 ), M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ Checks if, |T 3 − T 2 | ≤ ∆T rh0 = h(P j ||T 2 ||T r kIDS N j ||T IDi ) ⊕ D3 , ri0 = D4 ⊕ h(P j ||T IDi ||rh ||T 2 ), DID0i = D5 ⊕ h(P j ||ri ||rh ||T 2 ), ?
D6 = h(IDS N j ||ri ||DIDi kT r kP j krh kT 2 ). generates a random number r j D7 = r j ⊕ h(P j ||rh ||T 3 ) D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 kT r ). M3 =< D7 , D8 , T 3 > ←−−−−−−−−−−−−−−−−−−−−−−−−
Checks if, |T 4 − T 3 | ≤ ∆T extracts r j = D7 ⊕ h(P j ||rh ||T 3 ) ?
CE
verifies D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 kT r ) computes D9 = rh ⊕ h(Ki ||DIDi ||ri ), D10 = r j ⊕ h(Ki ||rh ||DIDi ||ri ) D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ) M4 =< D9 , D10 , D11 , T 4 > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
Check if, |T 5 − T 4 | ≤ ∆T extracts rh = D9 ⊕ h(Ki ||DIDi ||ri ), r j = D10 ⊕ h(Ki ||rh ||DIDi ||ri )
AC
?
verifies D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ). Shared session key S K = h(DIDi kri kr j krh kIDS N j ).
tamp of FGWN. If the verification is valid, usF ing T IDi , FGWN computes KiF = h(T IDi kXGWN ) and retrieves ri = A3 ⊕ h(KiF ||T IDi ||IDS N j ).
S ran , A4 = h(P j ||T 3 ||T r kIDS N j ||T IDi ) ⊕ r f , A5 = ri ⊕ h(P j ||T IDi ||r f ||T 3 ) and L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). FGWN sends the message M8 =< T IDi , A4 , A5 , L5 , T 3 > to S N j .
?
FGWN verifies L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ). If the verification holds, FGWN generates a random number r f and computes P j = h(IDS N j ⊕ 13
A12: On receiving the message at time T 4 , S N j checks the validity of the timestamp, i.e., |T 4 −
ACCEPTED MANUSCRIPT
14
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Figure 3: Case-2: authentication phases of the proposed scheme User Ui
Gateway node HGWN
Gateway node FGWN
Sensor node S j
−−−−−−−−−−−−−−−−−−−−−−−−−→ If |T F − T H | ≤ ∆T , ?
checks L1 = h(IDS N j kT IDi ||IDGWNh kS ran kT H ) F computes KiF = h(T IDi kXGWN ), A1 = h(T IDi ||S ran ||IDGWN f ) ⊕ (KiF ), L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ),
?
L2 = h(T IDi ||IDGWN f ||KiF ||IDS N j kT F ). H Ki = h(DIDi kT IDi kXGWN ), A2 = KiF ⊕ h(Ki ||IDGWN f ) F L3 = h(Ki ||Ki ||IDS N j ||IDGWN f kT ug f ) M6 =< A2 , L3 , IDGWNF , T ug f > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
If |T 2 − T ug f | ≤ ∆T . extracts KiF = A2 ⊕ h(Ki ||IDGWN f ) ?
M7 =< T IDi , IDS N j , A3 , L4 , T 2 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
Checks if, |T 3 − T 2 | ≤ ∆T F KiF = h(T IDi kXGWN ), ri = A3 ⊕ h(KiF ||T IDi ||IDS N j ),
AN US
verifies L3 = h(Ki ||KiF ||IDS N j ||IDGWN f kT ug f ) A3 = h(KiF ||T IDi ||IDS N j ) ⊕ ri L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j )
CR IP T
M5 =
←−−−−−−−−−−−−−−−−−−−−−−−−−−− If |T ug f − T F | ≤ ∆T , computes F Ki = A1 ⊕ h(T IDi ||S ran ||IDGWN f ),
?
M
L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ), generates a random number r f P j = h(IDS N j ⊕ S ran ) A4 = h(P j ||T 3 ||T r kIDS N j ||T IDi ) ⊕ r f , A5 = ri ⊕ h(P j ||T IDi ||r f ||T 3 ) L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ) M8 =< T IDi , A4 , A5 , L5 , T 3 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
ED
Checks if, |T 5 − T 4 | ≤ ∆T r j = A6 ⊕ h(P j ||r f ||T 4 )
PT
?
CE
?
L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). generates a random number r j A6 = r j ⊕ h(P j ||r f ||T 4 ) L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ) M9 =< A6 , L6 , T 4 > ←−−−−−−−−−−−−−−−−−−−−−−−−
?
L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ) A7 = r f ⊕ h(KiF ||T IDi ||ri ), A8 = r j ⊕ h(KiF ||r f ||T IDi ||ri ) L7 = h(KiF kT IDi ||r j ||T 2 ||r f kT 5 ||ri )
M10 =< A7 , A8 , L7 , T 5 > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−− Checks if |T 6 − T 5 | ≤ ∆T . extracts r f = A7 ⊕ h(KiF ||T IDi ||ri ) r j = A8 ⊕ h(KiF ||r f ||T IDi ||ri ), L7 = h(KiF kT IDi ||r j ||T 1 ||r f kT 4 ||ri ).
Checks if, |T 4 − T 3 | ≤ ∆T extracts r f = A4 ⊕ h(P j ||T 3 kT r ||IDS N j ||T IDi ), ri = A5 ⊕ h(P j ||T IDi ||r f ||T 3 ),
Shared session key S K = h(T IDi kri kr j kr f kIDS N j ).
?
T 3 | ≤ ∆T . If the verification is valid, S N j extracts r f = A4 ⊕ h(P j ||T 3 ||T r kIDS N j ||T IDi ), ri =
L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ). If verification holds, FGWN computes A7 = r f ⊕ h(KiF ||T IDi ||ri ), A8 = r j ⊕ h(KiF ||r f ||T IDi ||ri ) and L7 = h(KiF kT IDi ||r j ||T 2 ||r f kT 5 ||ri ) and sends the message M10 =< A7 , A8 , L7 , T 5 > to Ui via public channel.
?
AC
A5 ⊕ h(P j ||T IDi ||r f ||T 3 ), and then verifies L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). If the verification holds, S N j generates a random number r j and computes A6 = r j ⊕ h(P j ||r f ||T 4 ) and L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ). Then, S N j sends the message M9 =< A6 , L6 , T 4 > to the FGWN.
A13: On receiving the message at time T 5 , FGWN checks the validity of the timestamp i.e., |T 5 − T 4 | ≤ ∆T . If the verification is valid, HGWN extracts r j = A6 ⊕ h(P j ||r f ||T 4 ) and verifies
A14: On receiving the message at time T 6 , Ui checks the validity of the timestamp i.e., |T 6 − T 5 | ≤ ∆T . If the verification is valid, Ui extracts r f = A7 ⊕ h(KiF ||T IDi ||ri ) and r j = ?
14
A8 ⊕ h(KiF ||r f ||T IDi ||ri ), and then verifies L7 = h(KiF kT IDi ||r j ||T 1 ||r f kT 4 ||ri ). If the verification
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
15
6. Security Analysis of the Proposed Scheme
does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
In this section, we first proof the mutual authentication and session key agreement using the BAN logic. Secondly, we have simulated the proposed protocol using the AVISPA simulation tool as shown in figure 4, which ensures the security of protocol against the active attacks, such as the replay attack and man-in-the-middle attack. In 2015, Wang et al. [10] pointed out that the formal methods (e.g., random oracle model, BAN logic) cannot capture the structural mistakes, and assuring soundness of authentication protocols still remains an open issue. Therefore, it is clear that the formal security analysis/verification using the BAN logic and AVISPA tool does not guarantee that a cryptographic protocol is secure against all attacks. The formal security analysis using the BAN logic[46] only proves the secure mutual authentication between sensor nodes and HGWN/FGWN. On the other hand, the formal security verification using AVISPA tool [47, 48] guarantees that whether a designed security protocol is secure against the replay and man-in-the-middle attacks. Finally, we then show that our scheme has the ability to resist various known attacks based on the adversary model, which including the sensor node capture attack.
CR IP T
A15: After successfully mutual authentication, a common secret session-key S K = h(T IDi kri kr j kr f kIDS N j ) is constructed by involved entities in the system. Using the current session key, the user can access the desired sensor node during the future communications. 5.5. Dynamic node addition phase
AN US
It may happen that a new sensor node needed to be added over the target field as and when required, after the establishment of WSNs. So, the systemadministrator(S A) deploys the new sensor node over the target region by performing the system setup phase in off-line mode. Then after, the newly added sensor node undergoes the sensor node registration phase and introduces the new sensor node into the setup network model.
M
5.6. Password change phase
In smart card based authentication protocols should be able to address password change attack [6] so that user with valid smart card and personal credentials can initiate the password change phase. Additionally, user should be able to choose and change the password without interaction with the server, i.e., “user-friendly password selection and change”. In the proposed password change phase, user can change the password without interaction with the server. A user with valid credentials and smart card can initiate the password change as:
6.1. Authentication proof using the BAN logic
PT
ED
In this section, we provide a formal protocol analysis of our proposed scheme using the BAN logic method [46]. The BAN logic is used to verify the correctness of the authentication protocol with key agreement. The protocol correctness refers to the communication parties: a legal user Ui and an accessed sensor node S j who share a fresh shared session key with each other after the protocol is executed. We first provide some notations of the BAN logic as follows:
CE
P1: Ui inputs IDi and PWi . Ui imprints Bi . S Ci computes u = Ci ⊕ H(Bi ). To resist password change ? attack S Ci verifies Vi = h(IDi ⊕ PWi ⊕ u). Using this condition , S Ci identifies the correctness of user credentials. If verification holds, S Ci asks for the new password.
AC
• P|≡ X: The principal P believes the announcement X. • P / X: P considers X, which means that a message containing X is received by P where X can be read by P.
P2: On receiving new password PWinew , S Ci computes RPWi = h(PWi ||u||IDi ), RPWinew = h(PWinew ||u||IDi ), Yinew = Yi ⊕ RPWi ⊕ RPWinew and Vinew = h(IDi ⊕ PWinew ⊕ u).
• P|∼ X: P sometime stated X, which means that P|≡ X as P once stated it in sometime. • P|⇒ X: P commands X, P has complete authority on X, and P considers X as trusted (Jurisdiction over X).
P3: S Ci replace the stored parameters Vi and Yi with Vinew and Yinew , respectively. 15
ACCEPTED MANUSCRIPT
16
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
• ](X): The message X is fresh, which means that no any entity sent a message containing X at whenever ahead of current round.
If P believes Q believes the message set (X, Y), P also believes Q believes the message X. Rule (6). Session key rule: For shared secret keys:
SK
P|≡ ](X), P|≡ Q|≡ X
• P|≡ Q ←→ P: P and Q use S K (shared key) to communicate with each other.
k
SK
• P ←→ Q : P and Q use S K as a shared secret between them.
CR IP T
P and Q is said to believe X, if P believes that the shared session key is fresh. Then P belives the session key k with Q . According to the analytic procedures of the BAN logic, our proposed protocol should satisfy the following goals:
• < X >Y : The formula X is combined with the formula Y. • (X): The formula X is hashed value.
SK
Goal 1. HGWN|≡ (Ui ←→ HGWN);
• (X, Y): The formulas X and Y are combined and then hashed .
SK
Goal 2. HGWN|≡ Ui |≡ (Ui ←→ HGWN); SK
Goal 3. S N j |≡ (HGWN ←→ S N j );
• (X, Y)k : The formulas X and Y are combined and then hashed with the key k.
AN US
k
M
(2)
ED
SK
Goal 9. FGWN|≡ (HGWN ←→ FGWN).
SK
Goal 10. FGWN|≡ HGWN|≡ (HGWN ←→ FGWN). SK
Goal 11. HGWN|≡ (FGWN ←→ HGWN). SK
Goal 12. HGWN|≡ FGWN|≡ (FGWN ←→ HGWN). SK
Goal 13. FGWN|≡ (Ui ←→ FGWN); SK
Goal 14. FGWN|≡ Ui |≡ (Ui ←→ FGWN).
(3)
SK
Goal 15. S N j |≡ (FGWN ←→ S N j );
SK
Goal 16. S N j |≡ FGWN|≡ (FGWN ←→ S N j );
PT
CE
AC
SK
Goal 8. Ui |≡ HGWN|≡ (HGWN ←→ Ui );
SK
Goal 17. FGWN|≡ (S N j ←→ FGWN); SK
Goal 18. FGWN|≡ S N j |≡ (S N j ←→ FGWN). SK
Goal 19. Ui |≡ (FGWN ←→ Ui );
(4)
(5)
If one part is known to be fresh, the entire formula must be fresh. Rule (5). Belief rule: P|≡ Q|≡ (X, Y) . P|≡ Q|≡ (X)
SK
Goal 7. Ui |≡ (HGWN ←→ Ui );
If P believes that Q has jurisdiction over X, and P believes that Q believes a message X, P also believes X. Rule (4). Freshness rule: P|≡ ](X) . P|≡ ](X, Y)
SK
Goal 6. HGWN|≡ S N j |≡ (S N j ←→ HGWN).
If P believes that X is expressed recently (freshness) and P believes that Q once said X, P believes that Q believes X. Rule (3). Jurisdiction rule: P|≡ Q|≡ X, P|≡ Q|⇒ X . P|≡ X
SK
Goal 5. HGWN|≡ (S N j ←→ HGWN);
P is said to believe Q, if P believes that k is shared with Q and P sees X is encrypted under k. Rule (2). Nonce verification rule: P|≡ ](X), P|≡ Q|∼ X . P|≡ Q|≡ X
SK
Goal 4. S N j |≡ HGWN|≡ (HGWN ←→ S N j ).
In order to describe logical postulates of BAN logic in formal terms [46], we present the following rules: Rule (1). Message meaning rule: For shared secret keys: P|≡ Q ←→ P, P / {X}k . P|≡ Q| ∼ X
(7)
.
P|≡ P ←→ Q
(6) 16
SK
Goal 20. Ui |≡ FGWN|≡ (FGWN ←→ Ui ). Prior to the formal analysis, we first idealize the communicated messages of our proposed protocol to alleviate the analysis between Ui and S j , which are as follows: Message 1: Ui → HGWN : T IDi , IDS N j , D1 , D2 :< ri >Ki , T 1 . Message 2: HGWN → S N j : T IDi , D3 :< rk >P j , D4 , D5 , D6 , T 3 . Message 3: S N j → HGWN : D7 , D8 :< r j , rk , T IDi >P j , T5. Message 4: HGWN → Ui : D9 , D10 , D11 :< ri , r j , rk >DIDi , T 7 .
ACCEPTED MANUSCRIPT
17
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Message 5: HGWN → FGWN : IDS N j , T IDi , IDHGWN , Li . Message 6: FGWN → HGWN : A1 , IDHGWN , L2 :< T IDi , IDFGWN >KiF , T IDi . Message 7: HGWN → Ui : A2 , L3 :< Ki , IDFGWN >KiF , IDFGWN . Message 8: Ui → FGWN : T IDi , IDS N j , A3 , L4 :< ri >KiF , T 2 . Message 9: FGWN → S N j : T IDi , A4 , A5 , L5 :< ri , P j >r f ) , T 3 . Message 10: S N j → FGWN : A6 , L6 :< P j , T IDi >r j ,r f ,ri , T 4 . Message 11: FGWN → Ui : A7 , A8 , L7 :< T IDi , ri , r f , r j >KiF , T 5 . Based on our proposed protocol, we make some initial state assumptions, which are listed as follows: A1 : Ui |≡ ](ri , r j , rk , r f ); A2 : HGWN|≡ ](ri , r j , rk ); A3 : S N j |≡ ](ri , r j , rk , r f ); A4 : FGWN|≡ ](r, r j , r f ); Pj
C2 : HGWN|≡ (HGWN ←→ S N j ); Pj
C3 : S N j |≡ (S N j ←→ HGWN); KiF ,A3
P j ,r f ,A5
C6 : FGWN|≡ (FGWN ←→ S N j );
CR IP T
M
DIDi
C5 : Ui |≡ (Ui ←→ FGWN);
SK
Step 5: HGWN|≡ (Ui ←→ HGWN). (Goal 1) From Step 5 and assumption A2 , we apply the nonce verification rule and jurisdiction rule to get:
AN US
Ki
C1 : Ui |≡ (Ui ←→ HGWN);
C4 : HGWN|≡ (HGWN ←→ Ui );
Step 1: HGWN / IDHGWN , T IDi , IDS N j , D1 , D2 :< ri >Ki , T 1 . From Step 1 and assumption C1 , we apply the message meaning rule to get: Step 2: HGWN|≡ Ui |∼ ri . From assumption A2 and Step 2, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 3: HGWN| ≡ Ui | ≡ ri . Where ri is the necessary parameter of the session key of the proposed protocol. According to B1 , S 3 and the jurisdiction rule is applied, we get Step 4: HGWN|≡ ri . From the assumption A2 and Step 3, we apply the session key rule to obtain:
A7 ,r f
ED
A6
C7 : S N j |≡ (S N j ←→ FGWN);
C8 : FGWN|≡ (FGWN ←→ Ui ); S ran
C9 : HGWN|≡ (HGWN ←→ FGWN); KiF
PT
C10 : FGWN|≡ (FGWN ←→ HGWN); B1 : HGWN|≡ (Ui → ri ); B2 : S N j |≡ (HGWN → rk ); B3 : HGWN|≡ (S N j → r j ); B4 : Ui |≡ (HGWN → rk ); B5 : FGWN|≡ (Ui → ri ); B6 : S N j |≡ (FGWN → r f ); B7 : FGWN|≡ (S N j → r j ); B8 : Ui |≡ (FGWN → rk ); B9 : HGWN|≡ (FGWN → KiF ); B10 : FGWN|≡ (HGWN → S ran ); Further, we demonstrate our proposed protocol based on the rules of the BAN logic and the efficiency by showing Ui and S N j share a common session key S K to ensure the secure communication by achieving the intended goals using the initial assumptions. The inside information descriptions are as follows. According to the message 1, we could obtain:
SK
Step 6: HGWN|≡ Ui |≡ (Ui ←→ HGWN). (Goal 2) According to the message 2, we could obtain: Step 7: S N j / T IDi , D3 :< rk >P j , D4 , D5 , D6 , T 3 According to C2 , Step 7, we apply the message meaning rule, we get: Step 8: S N j |≡ HGWN|∼ rk From assumptions A3 and Step 8, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 9: S N j |≡ HGWN|≡ rk . Where rk is the necessary parameter of the session key of the proposed protocol. From Steps 9 and B2 , we apply the jurisdiction rule to obtain: Step 10: S N j |≡ rk From Steps 9 and A3 , and the session key rule is applied to obtain: SK
CE
Step 11: S N j |≡ HGWN ←→ S N j . (Goal 3) From Step 11 and assumption A3 , and nonce verification rule is applied, to get: SK
AC
Step 12: S N j |≡ HGWN|≡ HGWN ←→ S N j . (Goal 4) According to the message 3, we could obtain: Step 13: HGWN / D7 , D8 : hr j , rk iP j , T 5 . From Step 13 and assumption C3 , we apply the message meaning rule to get: Step 14: HGWN|≡ S N j |∼ r j . From assumption A2 and Step 14, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 15: HGWN|≡ S N j |≡ r j , where r j is the necessary parameter of the session key of the proposed protocol. According to Step 15 and B3 , we apply the jurisdiction rule to obtain: 17
ACCEPTED MANUSCRIPT
18
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Step 16: HGWN| ≡ r j . From the assumption A2 and Step 15, we apply the session key rule to obtain:
From Step 32 , we apply the nonce verification rule to get: Step 33: HGWN|≡ FGWN|≡ KiF . From Steps 33 and B9 , we apply the jurisdiction rule to obtain: Step 34: HGWN|≡ KiF . According to Step 33 and Step 34, the session key rule is applied, we get:
SK
Step 17: HGWN|≡ (S N j ←→ HGWN). (Goal 5) From Step 17 and the assumption A2 , we apply the nonce verification rule to get: SK
Step 18: HGWN|≡ S N j |≡ S N j ←→ HGWN. (Goal 6) According to the message 4, we could obtain: Step 19: Ui / D9 , D10 , D11 :< ri , r j , rk >DIDi , T 7 . From Step 19 and assumption C4 , we apply the message meaning rule to get: Step 20: Ui |≡ HGWN|∼ rk . From assumptions A1 and Step 20, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 21: Ui |≡ HGWN|≡ rk . Where rk is the necessary parameter of the session key of the proposed protocol. According to B4 and Step 21, we apply the jurisdiction rule to obtain: Step 22: Ui |≡ rk . According to A1 and Step 21, we apply the session key rule to obtain:
SK
CR IP T
Step 35: HGWN|≡ (FGWN ←→ HGWN). (Goal 11) According to Step 35, We apply the nonce verification rule to get: SK
AN US
SK
Step 23: Ui |≡ HGWN ←→ Ui . (Goal 7) From Step 23 and assumption A1 , we apply the nonce verification rule to get: SK
ED
M
Step 24: Ui |≡ HGWN|≡ (HGWN ←→ Ui ). (Goal 8). According to the message 5, we could obtain: Step 25: FGWN / IDS N j , T IDi , IDFGWN , Li :< S ran >IDS N j . From Step 25 and assumption C9 , we apply the message meaning rule to get: Step 26: FGWN|≡ HGWN|∼ S ran . From Step 26 , we apply the nonce verification rule to get: Step 27: FGWN|≡ HGWN|≡ S ran . From Steps 27 and B8 , we apply the jurisdiction rule to obtain: Step 28: FGWN|≡ S ran . According to Step 27 and Step 28, the session key rule is applied, we get:
SK
PT
CE
SK
SK
Step 30: FGWN|≡ HGWN|≡ (HGWN ←→ FGWN). (Goal 10) According to the message 6, we could obtain: Step 31: HGWN / A1 , IDHGWN , L2 :< T IDi , KiF >IDFGWN . From Step 31 and assumption C10 , we apply the message meaning rule to get: Step 32: HGWN|≡ FGWN|∼ KiF .
SK
Step 41: Ui |≡ HGWN ←→ Ui . (Goal 7) From Step 41 and assumption A1 , we apply the nonce verification rule to get: Step 42: Ui |≡ HGWN|≡ (HGWN ←→ Ui ). (Goal 8). According to the message 8, we could obtain: Step 43: FGWN / T IDi , IDS N j , A3 , L4 :< ri >KiF , T 2 . From Step 43 and assumption C1 0, we apply the message meaning rule to get: Step 44: FGWN|≡ Ui |∼ ri . From assumptions A4 and Step 44 , we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 45: FGWN| ≡ Ui | ≡ ri . Where ri is the necessary parameter of the session key of the proposed protocol. From Steps 45 and B5 , we apply the jurisdiction rule to obtain: Step 46: FGWN|≡ ri . According to A4 and Steps 45 and 46, the session key rule is applied, we get:
Step 29: FGWN|≡ (HGWN ←→ FGWN). (Goal 9) According to Step 29, We apply the nonce verification rule to get:
AC
Step 36: HGWN|≡ FGWN|≡ (FGWN ←→ HGWN). (Goal 12) According to the message 7, we could obtain: Step 37: Ui / A2 , L3 :< KiF , IDFGWN >Ki . From Step 37 and assumption C5 , we apply the message meaning rule to get: Step 38: Ui |≡ HGWN|∼ KiF . From assumptions A4 and Step 38, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 39: Ui |≡ HGWN|≡ KiF . According to B9 and Step 39, we apply the jurisdiction rule to obtain: Step 40: Ui |≡ KiF . According to A1 , A4 and Step 40, we apply the session key rule to obtain:
SK
Step 47: FGWN|≡ (Ui ←→ FGWN). (Goal 13) According to A4 , and Step 47 and nonce verification rule is to get: SK
18
Step 48: FGWN|≡ Ui |≡ (Ui ←→ FGWN). (Goal 14)
ACCEPTED MANUSCRIPT
19
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
According to the message 9, we could obtain: Step 49: S N j / T IDi , A4 , A5 , L5 :< ri , P j >r f , T 3 According to C2 , B5 and Step 49, we apply the message meaning rule, we get: Step 50: S N j |≡ FGWN|∼ ri , P j , r f From assumptions A3 and Step 50, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 51: S N j | ≡ FGWN| ≡ ri , P j , r f . Where ri and r f are the necessary parameter of the session key of the proposed protocol. From Steps 51 and B6 , we apply the jurisdiction rule to obtain: Step 52: S N j |≡ ri , P j , r f From Steps 52 and A3 , and the session key rule is applied to obtain:
Step 64: Ui |≡ r f . According to A1 and Steps 63 and 64, we apply the session key rule to obtain: SK
Step 65: Ui |≡ FGWN ←→ Ui . (Goal 19) From Step 65 and assumption A1 , we apply the nonce verification rule to get: SK
CR IP T
Step 66: Ui |≡ FGWN|≡ (FGWN ←→ Ui ). (Goal 20). According to Steps 5 , 6, 11, 12, 17, 18, 23, 24, 29, 30,35, 36, 41, 42, 48, 47, 53, 54, 59, 60, 65 and 66, it is clear that our protocol successfully achieves all the goals (Goals 1-20). Both Ui and S N j believe that they share a secure session key S K = h(DIDi kri kr j krk kIDS N j ) with each other via HGWN/FGWN. 6.2. Simulation of proposed scheme using AVISPA tool
SK
AN US
Step 53: S N j |≡ FGWN ←→ S N j . (Goal 15) From Step 53 and assumption A3 , and nonce verification rule is applied, to get: SK
M
Step 54: S N j |≡ FGWN|≡ FGWN ←→ S N j . (Goal 16) According to the message 10, we could obtain: Step 55: FGWN / A6 , L6 : hT IDi , ri , P j , r j , rk ir f , T 4 . From Step 55 and assumption C7 , we apply the message meaning rule to get: Step 56: FGWN|≡ S N j |∼ r j . From assumption A4 and Step 56, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 57: FGWN|≡ S N j |≡ r j , where r j is the necessary parameter of the session key of the proposed protocol. According to Step 57 and B7 , we apply the jurisdiction rule to obtain: Step 58: FGWN| ≡ r j . From the assumption A4 and Step 58, we apply the session key rule to obtain:
ED
Figure 4: Architecture of AVISPA tool
PT
In this section, we simulate our scheme for the formal security verification using AVISPA tool as shown in figure 4. Note that the formal security verification using AVISPA tool only guarantees that whether a designed security protocol is secure against the replay and man-in-the-middle attacks. AVISPA is a powerful modular and expressive formal language for specifying protocols and their security properties, which integrates different back-ends that implement a variety of state-ofthe-art automatic analysis techniques [47]. AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. In recent years, AVISPA becomes a tool for the security verification against the replay and man-in-the-middle attacks [49]. The four back-ends supported in AVISPA are the On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based ModelChecker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). The detailed descriptions of these backends can be found in [47].
SK
CE
Step 59: FGWN|≡ S N j ←→ FGWN). (Goal 17) From Step 59 and the assumption A4 , we apply the nonce verification rule to get: SK
AC
Step 60: FGWN|≡ S N j |≡ S N j ←→ FGWN. (Goal 18) According to the message 11, we could obtain: Step 61: Ui / A7 , A8 , L7 :< T IDi , ri , r f , r j >KiF , T 5 . From Step 61 and assumption C8 , we apply the message meaning rule to get: Step 62: Ui |≡ FGWN|∼ r f . From assumptions A1 and Step 62, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 63: Ui |≡ FGWN|≡ r f . Where r f is the necessary parameter of the session key of the proposed protocol. According to A1 and Step 63, we apply the jurisdiction rule to obtain: 19
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
The security protocols to be analyzed under the AVISPA are first specified in the HLPSL (High Level Protocols Specification Language). HLPSL is a roleoriented language [47], which is based on various roles: the basic roles represent each participant role, and composition roles represent the scenarios of basic roles. Note that each role represented in HLPSL is independent from the others, which gets some initial information by parameters, and then communicates with the other roles by channels. An intruder is always denoted by i and it is always modeled using the DolevYao model [41]. Hence, the intruder can be acted as a legitimate role in a protocol run. The role system also defines a number of sessions, and a number of principals and some basic roles. HLPSL is first translated using HLPSL2IF translator in order to convert into the intermediate format (IF), which is then fed to one of the backends to produce the output format (OF). OF typically has the following sections [48]:
20
• text: It is often used as nonces. These values can be also used for messages. For example, if T i is of type text (fresh), then T i0 represents a fresh value which the intruder cannot guess easily. • nat: It represents the natural numbers in nonmessage contexts. • const: It basic type denotes the constants.
CR IP T
• hash func: It represents cryptographic hash functions. Note that for a given plaintext message P and encryption key K, {P} K denotes the symmetric/public-key encryption. The associative “·” operator is always used for concatenation purpose.
AN US
6.3. Specifying the Protocol
• SUMMARY: This section represents that whether the tested protocol is safe, unsafe, or whether the analysis is inconclusive.
M
• DETAILS: This is a section, which either explains under what condition the tested protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.
PT
ED
• PROTOCOL, GOAL and BACKEND: These are the sections denote the name of the protocol, the goal of the analysis and the name of the back-end used, respectively.
CE
• Finally, after some comments and statistics, the trace of an attack (if any) is also printed in the standard Alice-Bob format.
AC
Some basic types supported in HLPSL are discussed below for better understanding of the specifications of various roles described in Section 6.3 [47]: • agent: It is used for a principal name. The intruder is always assumed to have the special identifier i. • public key: It is for agents’ public keys in a publickey cryptosystem. For example, given a public (respectively private) key PK, its inverse private (respectively public) key is obtained by inv PK. • symmetric key: It is for the keys for a symmetrickey cryptosystem. 20
In this section, we provide the descriptions of the specifications of various roles in HLPSL for our scheme. Three basic roles for a user Ui , the GWN and an accessed sensor node S j are implemented in HLPS L. Apart from these roles, we need to specify the roles for the session, goal and environment in HLPS L. We have implemented our scheme for the formal security verification during the registration phase including the user and sensor node registration phases, login phase and authentication and key agreement phase. We discuss the details for the role of the initiator as shown in Figure 5. Ui first receives the start signal, changes its state from 0 to 1, which is maintained by the variable State. Ui then sends the registration request message {DIDi , RPWi } to the GWN through a secure channel during the user registration phase with the help of S END( ) operation.The type declaration channel(dy) means that the channel is for the Dolev-Yao threat model [41]. The declaration secret() indicates that the < IDi , PWi > are only known to the user Ui . In transition 2, the Ui receives the smart card containing the information {Yi , T IDi , IDHGWN } securely from the GWN with the help of RECV( ) operation securely and changes its state from 1 to 3. During the login phase, Ui generates a random number Ri0 and timestamp T 10 using new() operation. As a login request message Ui sends {T IDi , IDS N j , D1 , D2 , T 1 } to the accessed home gateway node HGWN through an insecure channel. By the declaration witness(Ui, HGWN, user gateway ri, Ri0 ) mean that Ui has freshly generated the random number Ri and a timestamp T 1 for HGWN and the declaration request(Ui, HGWN, user gateway ri, Ri0 )) indicates that HGWN authenticates the Ui . Moreover, the declaration secret(Ri0 , sub2, Ui, HGWN, S N j) tells
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
21
Figure 6: Role specification in HLPSL for the GWN
CR IP T
%Send smartcard information securely /\Sran':=new() /\Pj':= H(IDsnj.Sran')/\secret({Pj', Sran'},sub5,{HGWN,SNj})
M
2. State = 1 /\ RECV({Yi.IDgwnh.TIDi}_SK1)=|> % Ui receives from GWN via a secure channel % Login phase and authentication phase State' := 2 /\ Ri':=new() /\ T1':= new() /\ D1':= xor(H(Ki.DIDi.IDsnj), Ri') /\ D2':= H(DIDi.Ri'.TIDi.Ki.T1'.IDsnj) /\ SEND(TIDi.IDsnj.D1.D2.T1) % Send login message to the HGWN /\ witness(Ui, HGWN, user_gateway_ri, Ri') /\ secret({Ri'},sub2,{Ui,HGWN,SNj}) /\ request(Ui,HGWN,user_gateway_ri,Ri') % Receives messages from HGWN
%%%%%%%%%%% Role for GWN %%%%%%%%%%%%%%%%%%%% role gateway(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by HGWN def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, PSj, Sran : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc : hash_func const user_gateway_ri, gateway_snode_rk, snode_gateway_rj, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id init State := 0 transition % Receives registration request message from user 1. State = 0 /\ RECV({DIDi.RPWi}_SK1) =|> State' := 1 /\ TIDi':=new() /\ Ki':= H(DIDi.TIDi'.Xk) /\ Yi':= xor(Ki', RPWi) /\ secret({Xk}, sub3,{HGWN}) /\ secret({DIDi}, sub4,{HGWN,Ui}) /\ SEND({Yi'.IDgwnh.TIDi'}_SK1)
AN US
% symmetric key between Ui and GWN SK1 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by Ui def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, Sran, SKi : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc : hash_func const user_gateway_ri, gateway_snode_rk, snode_gateway_rj, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id init State := 0 transition % Start User registration phase % Ui sends < DIDi, RPWi > to GWN via a secure channel 1. State = 0 /\ RECV(start) =|> State' := 1 /\ R' :=new() /\ DIDi':= H(IDi.R') /\ RPWi':=H(PWi.R'.IDi) /\ SEND({DIDi'. RPWi'}_SK1) % Send registration request to the HGWN /\ secret({IDi,PWi},sub1,Ui)
3. State = 2 /\ RECV(D9'.D10'.D11'.T4)=|> State' := 3 /\ Rk':=xor(D9,H(Ki.DIDi.Ri)) /\ Rj':=xor(D10, H(Ki.Rk.DIDi.Ri)) /\ D11':=H(Ki.DIDi.Rj.T1.Rk.T4.Ri) /\ SKi':= H(DIDi.Ri.Rj.Rk.IDsnj) end role
2. State = 1 /\ RECV(IDsnj.PSj') =|> State' := 2 /\ Pj':= xor(PSj',Sran) % Receive Login message from user 3. State= 2 /\ RECV(TIDi.IDsnj.D1.D2.T1)=|> State':=3 /\ Rk':=new() /\ T3':= new() /\ D3':=xor(H(Pj.T3.IDsnj.TIDi),Rk') /\ D4':= xor(Ri,H(Pj.TIDi.Rk'.T3')) /\ D5':=xor(DIDi, H(Pj.Ri .Rk'.T3')) /\ D6':= H(IDsnj.Ri.DIDi.Pj.Rk'.T3')
ED
% send message to the snode node /\ SEND(TIDi.D3'.D4'.D5'.D6'.T3') /\secret({Rk'}, sub6, {Ui,HGWN,SNj}) /\ request(HGWN,SNj,gateway_snode_rk,Rk')
PT
4. State=3 /\RECV(D7.D8.T5)=|> State':=4 /\ T6':= new() /\Rj':= xor(D7,H(Pj.Rk.T5)) /\ D9':= xor(Rk,H(Ki.DIDi.Ri)) /\ D10':= xor(Rj, H(Ki.Rk.DIDi.Ri)) /\ D11':= H(Ki.DIDi.Rj.T1.Rk.T4.Ri) % send message to the user /\ SEND(D9'.D10'.D11'.T4) end role
CE
Figure 5: Role specification in HLPSL for the user Ui
AC
that the random number Ri’ is only known to the < Ui, HGWN, S N j >. During the authentication and key agreement phase, Ui waits for the acknowledgment message {D90 .D100 .D100 .T 7} via a public channel and changes its state from 3 to 5. Finally, Ui accepts the legitimacy of S N j by checking the timestamp T 7 generated by S N j . The Ui computes the session S Ki0 := H(DIDi.Ri.R j.Rk.IDS N j and uses it for the future communications over the public channel. In Figure 6, we have presented the role for the home gateway node HGWN in HLPS L language. Initially, HGWN receives registration message {DIDi , RPWi }
with the help of RECV( ) operation from the Ui securely. After that, HGWN generates a temporary identity and computes the smartcard parameters and finally, sends the registration reply message {Yi , T IDi , IDHGWN } with the help of S END( ) operation securely to the Ui . After that, HGWN generates a random number S ran with the help of the new() operation and computes a secret parameter P j which is shared between the gateway and sensor nodes. The declaration secret(P j0 , S ran0 , sub5, HGWN, S N j) indicates 21
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
22
Figure 7: Role specification in HLPSL for the sensor S j
% Start sensor node Registration 1. State = 0 /\ RECV(start) =|> State' := 1 /\ PSj':=xor(Pj,Sran) /\ SEND(IDsnj.PSj') % Send registration message to HGWN 2. State = 1 /\ RECV(TIDi.D3.D4.D5.D6.T3 ) =|>
M
% Receive message from HGWN State' := 2 /\ Rj':=new() /\ T3':=new() /\ Rk':= xor(H(Pj.T3'.IDsnj.TIDi),D3) /\ Ri':=xor(D4,H(Pj.TIDi.Rk'.T3')) /\DIDi':= xor(D5,H(Pj.Ri'.Rk'.T3')) /\ D7':=xor(Rj',H(Pj.Rk.T3')) /\ D8':= H(Pj.Rj'.T3'.Rk.TIDi.Ri.T3) /\ SEND(D7'.D8'.T3')
ED
% Send message to the HGWN /\ secret({Rj'},sub7,{Ui,HGWN,SNj}) /\ witness(SNj,Ui,snode_user_rj,Rj') /\ request(SNj,HGWN,snode_gateway_rj,Rj')
PT
end role
CR IP T
init State := 0 transition
role environment() def= const ui, snj, hgwn: agent, sk1, sk2 : symmetric_key, h : hash_func, idi,pwi,didi,rpwi,tidi,idgwnh,idsnj,yi,vi,ci, ki, r,ri,rj,rk, t1,t2,t3,t4,t5,t6,t7,xk,pj,psj, sran: text, d1, d2,d3,d4,d5,d6,d7,d8, d9,d10,d11: message, user_gateway,gateway_snode,snode_user, sub1, sub2,sub3,sub4,sub5,sub6,sub7: protocol_id % Represents Intruder Knowledge intruder_knowledge = {ui, snj, hgwn, h,yi,idgwnh,idsnj,vi, ci,tidi,d1,d2,t1,d3,d4,d5,d6,t3,d7,d8,t5,d9,d10,d11,t4} composition session(ui, snj, hgwn, sk1, sk2, h)/\ session(i, snj, hgwn, sk1, sk2, h) /\ session(ui, i, hgwn, sk1, sk2,h) /\ session(ui, snj, i, sk1, sk2,h) end role goal
AN US
%%%%%%%%%%% Role for snode node Sj %%%%%%%%%%%%%% role snode(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by SNj def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, PSj, Sran, SKi : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc: hash_func const user_gateway_ri, snode_gateway_rj, gateway_snode_rk, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id
role session(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func) def= local SI, SJ, RI, RJ, TI,TJ,PI, PJ : channel (dy) composition user(Ui, SNj, HGWN, SK1, H, SI, RI) /\ gateway(Ui, SNj, HGWN, SK1, SK2, H, SJ, RJ) /\ snode(Ui, SNj, HGWN, SK1, SK2, H, TI, TJ) end role
% Verifies authentication of the random numbers used authentication_on user_gateway_ri authentication_on gateway_snode_rk % authentication_on gateway_user_rk authentication_on snode_user_rj authentication_on snode_gateway_rj
CE
% user_gateway_ri, gateway_snode_rk, snode_user_rj end goal environment()
Figure 8: Role specification in HLPSL for the session and environment
AC
that the secret parameters (P j0 , S ran0 ) are shared between HGWN and SNj. During the sensor node registration phase, HGWN first receives {IDsn j.Ps j0 } with the help of the RECV() operation and then further computes P j0 := xor(PS j0 , S ran) and stores P j0 in its memory of the corresponding IDsn j. In transition 3, HGWN receives the message {T IDi.IDsn j.D1.D2.T 1} as a login request with
% Verifies secrecy of the confidential information secrecy_of sub1 secrecy_of sub2 secrecy_of sub3 secrecy_of sub4 secrecy_of sub5 secrecy_of sub6 secrecy_of sub7
the help of RECV( ) operation from the Ui over the public channel and then generates a random number Rk0 and timestamp T 20 with the help of the new() operation. After that, the HGWN sends the message {T IDi.D3.D4.D5.D6.T 20 } to the SNj with the help of the S END( ) operation over the public channel.The declaration secret(Rk0 , sub6, Ui, HGWN, S N j) tells that the pa22
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
rameter Rk0 is only known to the < Ui, HGWN, S N j > and the request(HGWN, S N j, hgateway snode rk, Rk0 ) indicates that the SNj authenticates HGWN. In transition 4, HGWN receives the message {D7.D8.T 3} as a request with the help of RECV( ) operation from the S N j over the public channel and then generates a timestamp T 4 and sends the message {D9.D10.D11.T 40 } to the Ui with the help of the S END( ) operation over the public channel. In Figure.7, we have presented the role of the sensor node S N j in HLPS L language. Initially, the S N j computes PS j0 := xor(P j, S ran) and then sends the message {IDsn j.PS j0 } to HGWN with the help of the S END( ) operation over the public channel. Then, the SNj receives the message {T IDi.D3.D4.D5.D6.T 20 } with the help of RECV( ) operation from the HGWN over the public channel and then generates a random number R j0 and timestamp T 30 with the help of the new() operation. After that, the S N j sends the message {D70 .D80 .T 30 } to HGWN. The declaration secret(R j0 , sub7, Ui, HGWN, S N j) indicates that the random number R j is only known to the entities of the system. Moreover, the declaration witness(S N j, Ui, snode user r j, R j0 ) tells that the S N j generates R j0 freshly for the Ui. In Figure.8, we have presented the roles for the session, goal and the environment in HLPS L language. In the session segment, all the basic roles including the roles for the Ui, HGWN and the (S N j)are instanced with concrete arguments. The environment section contains the global constant and composition of one or more session and the intruder knowledge is also given. It may be noted that we have provided all the public parameters including all the transmitted messages between the entities involved. The current version() of HLPS L supports the standard authentication and secrecy goals. In our implementation, the following secrecy goals and authentications are verified.
23
AN US
CR IP T
6. The secrecy of sub6 represents that the secret parameters < Rk > is shared among < Ui, HGWN, S N j >. 7. The secrecy of sub7 represents that the secret parameters < R j > are shared between < Ui, HGWN, S N j >. 8. The authentication on user gateway ri represents that the (Ui) generates a random number (ri) and if the (HGWN) receives it through message securely, the (HGWN) then authenticates the (Ui). 9. The authentication on snode gateway r j represents that the (SNj) generates a random number (rj) and if the (HGWN) receives it through message securely, the (HGWN) then authenticates the (SNj). 10. The authentication on gateway snode rk represents that the (HGWN) generates a random number (rk) and if the (S N j) receives it through message securely, the (S N j) then authenticates the (HGWN).
CE
PT
ED
M
6.4. Simulation Results We have simulated our proposed authentication scheme for the Case-1 under the OFMC and CL-AtSe backends using the Security Protocol ANimator for AVISPA (SPAN) [47]. The following verifications are executed in our scheme ([49]): • Executability check on non-trivial HLPSL specifications: Due to some modeling mistakes, it may be possible that the protocol model cannot execute to completion. As a result, it may be possible that the AVISPA backends cannot find an attack, if the protocol model cannot reach to a state where that attack can happen. An executability test is thus extremely essential [48]. Our implementation shows that the protocol description is well matched with the designed goals as specified in Figures 5-8 for the executability test. • Replay attack check: For the replay attack checking, the OFMC and CL-AtSe backends verify whether the legitimate agents can execute the specified protocol for the Case-1 by performing a search of a passive intruder. These back-ends provide the intruder the knowledge of some normal sessions between the legitimate agents. The test results reported in Figures.9a, indicate that our proposed authentication protocol for Case-1 is secure against the replay attack.
AC
1. The secrecy o f sub1 represents that the user confidential parameters < IDi, Pwi > are kept secret to only (Ui). 2. The secrecy of sub2 represents that the random number Ri is only known to < Ui, HGWN, S N j >. 3. The secrecy of sub3 indicates that the secret key Xgwnh of the home gateway node is kept secret to only (HGWN). 4. The secrecy of sub4 indicates that the parameter DIDi is only known to < Ui, HGWN, S N j >. 5. The secrecy of sub5 represents that the secret parameters < P j, S ran > are shared between < HGWN, S N j >.
• Dolev-Yao model check: Finally, for the Dolev-Yao model checking, the OFMC and CL-AtSe backends verifies if there is any man-in-the-middle attack possible by an intruder (i). Under OFMC, 216 23
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
nodes are visited and the depth is 6plies, where the search time is 3.13 seconds. Under CL-AtSe, the translation and computation times are 0.18 seconds and 0.00 seconds, respectively. The results reported in Figure.9, clearly show that our proposed authentication protocol for Case-1 fulfills the design properties and is secure under these backends.
property of the cryptographic one-way hash function. Therefore, our proposed protocol can resist privileged insider attack. 7.3. Session key computation attack Both the sender and receiver agree upon a common secret session key using which they can exchange their information securely over a public channel, after the mutual authentication of the sender and receiver is verified. Hence, the session key of the protocol should be protected by strong security protection to resist any attack by the attacker. In our proposed protocol, once the mutual authentication is established, the session key for Case-1 or Case-2 will be considered. Our session key relies on the secret parameters < DIDi , ri , r j , rh , IDS N j > for Case-1 and < T IDi , ri , r j , r f , IDS N j > for Case-2. In both the cases, these parameters are used in computing a hash value. Due to the non-invertible property of the cryptographic one-way hash function, the attacker cannot gain the advantage over the session key without knowing the secret parameters in any of the cases.
CR IP T
Note: We have simulated our proposed authentication scheme for the Case-1 under the OFMC and CLAtSe backends using the Security Protocol ANimator for AVISPA (SPAN), Case-2 can also be simulated similar to the Case-1. 7. Informal security analysis of our proposed scheme
AN US
7.1. Replay attack
24
In the replay attack, the attacker captures the previously transmitted messages and use them during the protocol execution to make the received entity believe that the transmitted message is from legal entity and fresh. In order to justify our protocol resist replay attack, we assume that the attacker has captured the previous executed messages of the protocol and later tries to transmit the same message to the targeted entity. The protocol rejects the attacker’s message due to invalid transmission time delay, as the protocol uses the systems timestamp and checks the transmission time delay. However, such type of scenarios suffer from clock synchronization problem. So, assume that the protocol strictly maintains global clock for synchronizing the timestamp. Hence, our proposed protocol can resist replay attack.
PT
ED
M
7.4. Gateway node impersonate attack
7.2. Privileged insider attack
AC
CE
Practically, it is assumed that the remote server is trusted. So, the server provides confidentiality to the users credentials, where leakage of any confidential parameters of the user is not permitted. But, it is observed that due to the presence of an insider, systems can get hacked. Therefore, the user’s information such as identity and password should be kept secret such that the insider of the remote server cannot gain control over the user’s information. In our proposed protocol, during the user’s registration phase, instead of the original identity and password we have transmitted the masked identity DIDi = h(IDi ku) and password RPWi = h(PWi krkIDi ) to the home gateway node. Hence, extracting the user’s password or identity by the insider of the remote server is computationally infeasible due to the non-invertible
Attacker extracts, the parameters from the transmitted message M2 =< T IDi , D3 , D4 , D5 , D6 , T 3 > over the public channel where, D3 = h(P j kT 2 kT r kIDS N j kT IDi )⊕ rh , D4 = h(P j kT IDi krh kT 2 ) ⊕ ri , D5 = h(P j kri krh kT 2 ) ⊕ DIDi , D6 = h(IDS N j kri kDIDi kT r kP j krh kT 2 ) after that attacker guesses the parameters < D03 , D04 , D05 , D06 , T 2 > and transmit to S N j . However the computation of D3 , D4 , D5 , D6 relies on the secret parameters < DIDi , P j , T r , rh , ri > respectively. It can be notable that attacker cannot extract these secret parameters from the protocol description due to non-invertible cryptographic one way hash function property. As the P j is high entropy shared secret key parameter between the HGWN and S N j . The attacker cannot guess it in polynomial time. Therefore our proposed protocol can resist Gateway node impersonation attack. 7.5. User impersonate attack
It is practical that the attacker traps the login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > of a legal user during the execution of the protocol, where D1 = h(Ki kDIDi kIDS N j ) ⊕ ri , D2 = h(DIDi kri kT IDi kKi kT 1 kIDS N j ). After that the attacker tries to generate another valid message which will be authenticated by HGWN. In order to do so, the attacker has to compute valid D1 , D2 . As the attacker cannot compute < Ki >, without the knowledge of 24
ACCEPTED MANUSCRIPT
25
CR IP T
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
(b) The result of the analysis using CL-AtSe backend
AN US
(a) The result of the analysis using OFMC backend
Figure 9: Simulation result for Case-1.
ED
M
H < IDi , PWi > and secret parameters < ri , XGWN >. However, it is infeasible to guess the trapped message in a polynomial time by the attacker due to unknown parameter in D1 , D2 . During the execution of the Case2 of the protocol, the attacker traps the message M7 =< T IDi , IDS N j , A3 , L4 , T 2 > which is transmitted over the public/open channel, where A3 = h(KiF kT IDi kIDS N j ) ⊕ ri and L4 = h(T IDi kri kKiF kT 2 kIDS N j ). It is clear that the attacker cannot compute another valid A3 , L4 paramH . It may eters without the knowledge of KiF , Ki , ri , XGWN be noted that the attacker cannot guess the secret key of the home/foreign gateway nodes within polynomial time due to its high entropy property. Therefore, it is also infeasible that the attacker cannot make and guess another valid message within polynomial time.
or exact user id and password at the same time, as it is computationally infeasible to guess the two parameters at a time and also, due to the non-invertible one-way hash function property. Hence, the attacker in no where to update the password of the user Ui . Therefore, the proposed scheme is free from the stolen smart card attack.
PT
7.7. Sensor node spoofing attack In order to masquerade as a legitimate sensor node S N j and to cheat the users, the attacker needs to compute the response message {M3 }, where M3 =< D7 , D8 , T 3 > and A7 and L6 are computed with the secret keys of Ui , S N j and HGWN in Case-1. As the attacker does not have the knowledge of the secret keys of the involved parties. Therefore, attacker cannot spoof the sensor node in Case-1. Further, the response message {M9 }, where M9 =< A6 , L6 , T 3 > and A6 is computed using the sensor node secret key r j and L6 is computed with the secret keys of Ui , S N j and FGWN in Case-2. As the attacker does not have the knowledge of the secret keys of the involved parties. Therefore, it is computationally infeasible to extract the secret credentials from the non-invertible cryptographic one-way hash function. Therefore, our scheme can resist sensor node spoofing attack.
AC
CE
7.6. Stolen-smart card attack, off-line identity guessing attack and off-line password guessing attack We suppose that the user Ui0 s smart card was stolen by an attacker, then the attacker can extract the information stored on the smart card {Yi , IDGWNh , T IDi , h(·), Vi , Ci } by using the method of power analysis [44, 43], where Vi = h(IDi ⊕ PWi ⊕ u), Ci = u ⊕ H(Bi ) and Yi = Ki ⊕ h(PWi kukIDi ). In order to compute the smartcard stored information, the attacker needs to know Bi , u, IDi , PWi , where this information is known only to the user. However, the biometric key Bi cannot be stolen and both user IDi and PWi are unknown to the attacker and both are well protected by the one way hash function . So, the attacker has no way to guess
7.8. Anonymity and unlinkability As shown above in section 7.6, it is clear from our proposed scheme that an attacker has noway to obtain 25
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
26
or guess the identity IDi of the user Ui as it is protected by the non-invertible cryptographic one way hash function. The use of pseudo identity make the system anonymous, however, lake of dynamic identity mechanism arises linkability problem [21]. The proposed scheme have some limitation over its advantage.
asks for a new password and initiate password change. The smartcard allows the user to update the password without any interaction with the GWN or sensor node S j . This shows that our proposed scheme has efficiency to detect incorrect input and low computation in updating the password.
7.9. Denial-of-service attack In the proposed scheme, we have three possibility where a registered user could encounter denial-ofservice, however, the proposed scheme is efficient to resist denial-of-service attack in all scenario as follows:
7.11. Mutual authentication
CR IP T
It means that each entities of the network should authenticate each other in order to verify legitimacy. During execution of the protocol, the gateway node authenticates the user based on the login message, and similarly sensor node authenticates gateway node and user. Finally, the user authenticates sensor node and gateway node. It has been observed that the protocol negotiates session key only after performing the mutual authentication between the entities involved.
AN US
• In first situation when user inputs incorrect credentials (identity or password) unknowingly during login phase, however, the smart card can correctly verify the login credentials using the condi? tion Vi = h(IDi ⊕ PWi ⊕ u). This ensures that only with the correct input of user credentials a login message will be executed. Thus, there will not be occurrence of denial-of-service scenario for a valid user in login attempt.
7.12. Session key agreement
PT
ED
M
• Adversary may also try to engage sensors by replaying the messages so that valid user login attempt may deny or delayed, however, the transmitted messages M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > (in Case-1) and M8 =< T IDi , A4 , A5 , L5 , T 3 > (in Case -2) includes the timestamp. The sensors verify the freshness of timestamp before professing the requests. This shows that a sensor can efficiently encounter the fake request in the proposed scheme, which shows the security of proposed scheme against denial of service attack.
AC
CE
Authenticated key agreement (AKA) schemes can only add additionally protection to the scheme by implying timestamps or other primitives to defend against DoS attack. However, an adversary can also mount an application layer DoS attack. It is a form of DoS attack, where attackers target the application layer of the open systems interconnection (OSI) model. The attack over-exercises specific functions or features of a website with the intention to disable those functions or features. This application-layer attack is different from an entire network attack.
The main aim of the key agreement protocol is to negotiate session key so that each entities can communicate securely. The proposed protocol computes session key S K between the user, gateway and sensor node on the success of mutual authentication. Therefore, the proposed scheme supports authenticated session key agreement. In our proposed scheme a user and sensor agree on a common session key S K = h(DIDi kri kr j krh kIDS N j ) in Case-1 and S K = h(T IDi kri kr j kr f kIDS N j ) in Case2 of the authentication phase. Both the user and the sensor node contribute session secrets in S K, i.e. the user chooses temporal secret ri , sensor chooses r j and gateway contributes rh in Case-1 or r f in Case-2. If an adversary A need to gain control over the session key S K, A need the values ri , r j , rh , r f , which are protected with the secret keys during transmission. Thus, only authorized parties will be able to retrieve the temporal secrets. We have already assumed the gateway node is the trusted authority. Thus, our scheme ensures that only the legitimate parties can compute the session key S K.
7.13. Secure message transmission between home and foreign gateway node
7.10. Efficient password change phase In our proposed scheme, the smart card first verifies the login credentials to validate the legitimacy of the user Ui . Once the verification in the correctness of the identity and the password is verified. The smartcard 26
In the proposed protocol, HGWN transmits a broadcast message < IDS N j , T IDi , IDGWNh , L1 > to the rest of the gateway nodes called as foreign gateway node (FGWN). After that, the FGWN transmits M5 =< A1 , IDGWNF , L2 , T IDi > to HGWN over public networks, where A1 = h(T IDi kS ran kIDGWNF ) ⊕ KiF and L2 = h(T IDi kIDGWNF kKiF kIDS N j ). It may be
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
noted that the attacker cannot gain the needful secret information from the transmitted message M5 =< A1 , IDGWNF , L2 , T IDi > as the computed parameters are secured with the non-invertible cryptographic one-way hash function. It is also noticeable that the attacker cannot extract any confidential parameter without the knowledge of KiF . Therefore, it is our claim that the proposed protocol provides strong security protection on the transmitted message between the home and foreign gateway nodes.
27
sensor node does not reveal any information about other sensor nodes and the user in order to compromise any other secure communication between the users and the non-compromised sensor nodes in the WSNs network. This shows that our scheme is secure against node capture attack. 7.16. Efficient sensor node addition phase facility
CR IP T
It may also happen that the new sensor node is required in the WS N s environment on demand at any time. In order to provide such type facility, we have presented an efficient dynamic node deployment phase in the proposed protocol. Therefore, the S A can efficiently include new sensor node on the target region after executing dynamic node deployment phase.
7.14. Many logged-in users with the same login-id attack As shown in [11], our proposed scheme also can withstand the many logged-in users with the same loginid attack, which is as follows: For a legal user it is very much essential to have his/her own smartcard SC, then only he/she will be able to login into the system. So, even if two or more users have the same login credentials < IDi , PWi > they will not be successful in login into the system as it requires the legal user’s biometric key, which only a legal user can have and the biometric key cannot be stolen. Therefore, our claim is that the proposed protocol can resist many logged-in users with same login-id attack.
AN US
8. Performance comparison with related schemes
M
7.15. Resilience against node capture attack
In this section, we compare the performance and functionality features of our proposed scheme with the related existing authentication schemes proposed for the WSNs. This evaluation gives an insight into the effectiveness of the proposed scheme.
AC
CE
PT
ED
Node capturing attack means that using retrieved information from compromise sensor node to mount attacks in WSNs environment. Adversary tries to retrieve information about other sensor nodes, and the users in order to compromise any other secure communication between the users and the non-compromised sensor nodes in the WSNs network. Suppose that an attacker captures a sensor node, say S j randomly in the network from which a legal user Ui is accessing the real-time data from S j . The attacker can easily compromise all the secret information including the captured node’s master key and session key shared with the user Ui , as sensor nodes are not equipped with tamper resistant hardware. In the Case-1, the secure session key between the user Ui and the sensor node S j is generated as S K = h(DIDi kri kr j krh kIDS N j ), where DIDi = h(IDi kr) = D5 ⊕ h(P j kri krh kT 2 ) and P j = h(IDS N j ⊕ S ran ). Each established session key between the user and the sensor node is distinct throughout the WSNs network and computing as it is computationally infeasible to guess the three parameters ri , r j , rh at a time from the transmitted message, due to the non-invertible one-way hash function property. And similarly, this can also be shown for the Case-2. It is clear that a captured
8.1. Comparison of security features In Table 2, we have discussed the security attributes of proposed scheme with related schemes [29, 30, 51, 11, 31, 19, 15, 32, 16, 17, 50, 36]. It is noted that most of the discussed schemes in Table 2 do not resist password guessing attack. Moreover, user anonymity, impersonation attack, server spoofing attack, sensor node capturing attack, proper mutual authentication are also alarming in existing schemes. In addition, the discussed schemes in table 2 are failed to resist stolen smartcard attack. On the other hand, our scheme protects anonymity and supports the security attributes mentioned in the Table2. Shifted the tables[3,4] to adjust in this page 8.2. Communication overhead comparison
In Table 3 , we have compared the communication overheads required during the login and authentication phases between our scheme and other schemes. We assume that the output of the one-way hash function h(·) is 160 bits (20 bytes), if we use SHA-1 hashing algorithm [52]. Further, we assume that each timestamp, random nonce/random number, identity of user/sensor node is 152 bits in length (19 bytes). In addition, for Yeh et al.’s scheme [51] and Turkanovic–Holbl’s 27
ACCEPTED MANUSCRIPT
28
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Table 4: Computation overhead comparison during the login and authentication phases
Vaidya [29] Chen and Shin [30] Yeh et al. [51] Das et al. [31] Turkanovic–Holbl [11] Xue et al. [19] Vaidya et al.[32] Deebak [15] Turkanovic et al. [16] Farash et al.[17] Das et al.[50] Case-1 Das et al.[50] Case-2 Amin and Biswas [36] Case-1 Amin and Biswas [36] Case-2 Proposed scheme case-1 Proposed scheme case-2
Table 2: Comparison of security features
[30]
√ √ √
× × √
× √ × √
× × √
× × √
× × × × √
× √
× ×
√
[51]
[11]
√ √
√ √
× × √
× × √
× √
× √
× √
× √ √ √ √ √
× × × ×
[31]
[19]
× × × × × × × × √
× × × × × √
√ × √ √
× × √ √ √ √ √
[15]
[32]
√ √ √ √ √ √ √ √ √ √ √ √ √
√ × × √ × √ √ √ × √ √
[16]
[17]
[36]
× √
× √
× √
× × × √
× × × × × × √
× × × √
× × √ √ √
√ √ √ √
× ×
× √
Total
Time(ms)
2T h 2T h 3T h + 2T ECC − − 6T h 2T h 5T h 5T h 7T h 3T h + 1T E/D 4T h + 1T E/D 5T h 5T h 6T h 5T h
6T h 4T h 1T h + 2T ECC 5T h + 1T E/D 4T h + 1T E/D 10T h 6T h 9T h 7T h 11T h 9T h + 1T E/D 10T h + 2T E/D 7T h 8T h 10T h 14T h
13T h 13T h 8T h + 8T ECC 10T h + 5T E/D 7T h + 5T E/D 29T h 12T h 26T h 19T h 32T h 17T h + 4T E/D 19T h + 5T E/D 20T h 20T h 29T h 35T h
0.0052 0.0044 58.8264 0.6555 0.6543 0.0116 0.0048 0.0104 0.0076 0.0128 0.528 0.6591 0.0080 0.0080 0.0116 0.0140
[50]
Ours
√ √ √ √ √ √ √ √ √ √ √ √ √
√ √ √ √ √ √ √ √ √ √ √ √ √
Scheme
M
[29]
User
Table 3: Communication overhead comparison during the login and authentication phases
√ × √ √ × √ √
ED
Security attributes S1 S2 S3 S4 S5 S6 S7 S8 S9 S 10 S 11 S 12 S 13
Sensor node
CR IP T
Base station/ gateway node 5T h 5T h 4T h + 4T ECC 5T h + 4T E/D 3T h + 4T E/D 13T h 4T h 12T h 7T h 14T h 5T h + 2T E/D 5T h + 2T E/D 8T h 7T h 13T h 16T h
AN US
Scheme
CE
PT
√ Note: = preserved; × = not preserved. S 1 : whether resists password guessing attack or not; S 2 : whether protects privileged-insider attack or not; S 3 : whether provides user anonymity or not; S 4 : whether resilient against stolen smart card attack or not; S 5 : whether secure against impersonation attack or not; S 6 : whether protects replay attack or not; S 7 : whether provides proper mutual authentication or not; S 8 : whether provides two-factor security or not; S 9 : whether session key agreement is provided or not; S 10 : Provides efficient password change phase; S 11 : Server Spoofing attack; S 12 : Sensor node capturing attack; S 13 : Many logged-in users attack;
scheme [11], we assume that the acknowledgment message requires 160 bits (20 bytes). In our scheme, during the login phase, the login request message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > requires 97 bytes. During the authentication and key agreement phase in Case1, the messages M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 >, M3 =< D7 , D8 , T 3 > and M4 =< D9 , D10 , D11 , T 4 > require 118 bytes, 59 bytes and 79 bytes, respectively. As a result, during the login and authentication phases in our scheme for Case-1, the total communication overhead becomes (97 + 118 + 59 + 79) = 353 bytes. During the authentication and key agreement phase in Case-
Vaidya [29] Chen and Shin [30] Yeh et al. [51] Turkanovic–Holbl [11] Das et al. [31] Xue et al. [19] Vaidya et al.[32] Deebak [15] Turkanovic et al. [16] Farash et al. [17] Das et al.[50] Case-1 Das et al.[50] Case-2 Amin and Biswas [36] Case-1 Amin and Biswas [36] Case-2 Proposed scheme case-1 Proposed scheme case-2
Total number of messages 5 4 4 4 4 6 5 4 4 4 3 6 4 8 4 7
Total number of bytes 197 bytes 235 bytes 252 bytes 352 bytes 372 bytes 413 bytes 296 bytes 315 bytes 489 bytes 434 bytes 391 bytes 673 bytes 373 bytes 642 bytes 353 bytes 547 bytes
AC
2, the messages between HGWN-FGWN, M5 ,M6 =< A2 , L3 , IDS N j >, M7 =< T IDi , IDS N j , A3 , L4 , T 2 >, M8 =< T IDi , A4 , A5 , L5 , T 3 >, M9 =< A6 , L6 , T 4 > and M10 =< A7 , A8 , L7 , T 5 > require 78 bytes, 59 bytes, 97 bytes, 98 bytes, 59 bytes and 79 bytes, respectively. As a result, during the login and authentication phases in our scheme for Case-2, the total communication overhead becomes (77+78+59+97+98+59+79) = 547 bytes. On the other hand, the communication overheads required during the login and authentication phases for Vaidya et al.’s scheme [29], Chen-Shin’s 28
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
scheme [30], Yeh et al.’s scheme [51], TurkanovicHolbi’s scheme[11], Das et al.’s scheme [31], Xue et al.’s scheme [19],Vaidya et al.[32], Deebak [15], Turkanovic et al.’s scheme[16], Farash et al.’s[17], Das et al.[50] Case-1 and Case-2, and Amin and Biswas’s scheme [36] are 197 bytes, 235 bytes, 252 bytes, 352 bytes, 372 bytes, 413 bytes, 296 bytes, 315 bytes, 489 bytes, 434 bytes, Case-1 (391 bytes) and Case-2 (673 bytes), and Case-1 (373 bytes) and Case-2 (642 bytes), respectively. Note that our scheme (Case-1) performs better than Das et al.’s scheme [31], Xue et al.’s scheme [19], Turkanovic et al.’s scheme [16], Farash et al.’s[17],Das et al.[50], and Amin and Biswas’s scheme[36]. However, our scheme requires more communication overhead as compared to that for other schemes mentioned in Table 3. It is justified because our scheme offers better security and functionality features as compared to those for other schemes as shown in Table 2.
29
AN US
CR IP T
It is clear from the Table 2 that proposed scheme satisfy more number of security attributes as compare to the existing schemes, but it requires computation of more hash functions in Case-2 as compare to other discussed schemes. The proposed scheme has higher computation overhead as compare to other lightweight authentication schemes in Case -2 (0.0140 ms) as discussed in Table 4, but it is efficient then Yeh et al. (58.8264 ms), Das et al. (0.6555 ms), TurkanovicHolbl (0.6543 ms), and Das et al. Case-1 (0.528 ms) and Case-2 (0.6591 ms) . Additionally, our proposed scheme has little higher computation overhead in Case1 (0.0116 ms) as compared to Amin and Biswas (0.0080 ms), Vaidya et al. (0.0048 ms), Deebak (0.0104 ms), Turkanovic et al. (0.0076 ms), Chen and Shin (0.0044 ms), and Vaidya (0.0052 ms), but has higher security features, also our proposed scheme is more efficient compare to Yeh et al., Das et al., Farash et al., Turkanovic-Holbl, and Das [50]. Moreover, due to the computational efficiency of one-way hash function, the proposed scheme is also a lightweight authentication scheme. This conclude that the proposed scheme is a lightweight authentication scheme for WSNs with higher security features.
AC
CE
PT
ED
M
8.3. Computational overhead comparison In WSNs, energy is a constraint and thus, the user authentication protocol must be light-weight in terms of computation. Our protocol only used the hash function, which is a light-weight function compared to other operations, including symmetric key encryption/decryption and public key cryptographic functions. We use the execution timings for various cryptographic operations presented in the literature [53]. To evaluate the execution timings of cryptographic operations, experiment is performed using MIRACL C/C++ Library and the system used 32-bit Windows 7 operating systems, Visual C++ 2008 Software. The running time of symmetric key encryption/decryption AES-128, elliptic curve point multiplication over the finite prime field F p , and SHA-1 hash function are T E/D ≈ 0.1303 ms, T ECC ≈ 7.3529 ms, and T h ≈ 0.0004 ms, respectively. Finally, in Table 4, we have compared the computational overhead between our scheme and other schemes during the login and authentication phases. In our scheme, during the login phase the computational overhead for a user Ui is 6T h , whereas in authentication phase the computational overheads for Case-1 are 13T h , 6T h and 4T h for HGWN, S N j and Ui , respectively. In Case-2, HGWN − FGWN, S N j and Ui computational overheads are 16T h , 5T h and 8T h , respectively. Moreover, the proposed scheme requires the computation of XOR operations and string concatenation. As computation cost of XOR and concatenation operations is comparably negligible to hash function, thus we have not included the computation cost of XOR and concatenation operations in the computation overhead analysis.
29
9. Conclusion
In this paper, we have analyzed the security pitfalls of recently proposed Amin-Biswas’s lightweight authentication and key agreement protocol. We have identified that Amin-Biswas’s scheme failed to resist server spoofing attack, stolen smart card attack, password guessing attack, impersonation attack, and identity guessing attack. In order to ensure the secure communication in WSNs, we have proposed an enhanced user authentication and key agreement protocol for WSNs using biohashing. Biohashing has significant functional advantages over solely biometrics, such as highly clear separation of imposter populations and genuine, and zero equal error rate level. Our proposed protocol efficiently supports for the dynamic node addition features and user friendly password change. Using the BAN-logic, we have shown that the proposed protocol ensures mutual authentication. The performance of the proposed scheme is also compared with related schemes. The proposed scheme has also some limitations along with its applicability to WSN’s environment, namely, lack of dynamic identity mechanism due to involve nonpublic key primitives and evaluation of test-bed and simulation in real-world environment. However, the use of pseudonym instead of user identity makes the communication anonymous. Additionally, we have simu-
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
[13] S. A. Chaudhry, M. S. Farash, H. Naqvi, S. H. Islam, T. Shon, A robust and efficient privacy aware handover authentication scheme for wireless networks, Wireless Personal Communications (2015) 1–25. [14] S. A. Chaudhry, K. Mahmood, H. Naqvi, M. K. Khan, An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography, Journal of Medical Systems 39 (11) (2015) 1–12. [15] B. D. Deebak, Secure and efficient mutual adaptive user authentication scheme for heterogeneous wireless sensor networks using multimedia client–server systems, Wireless Personal Communications, 87 (3) (2016) 1013–1035. [16] M. Turkanovi´c, B. Brumen, M. H¨olbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion, Ad Hoc Networks 20 (2014) 96–112. [17] M. S. Farash, M. Turkanovi´c, S. Kumari, M. H¨olbl, An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the internet of things environment, Ad Hoc Networks. [18] K. Xue, P. Hong, C. Ma, A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture, Journal of Computer and System Sciences 80 (1) (2014) 195–206. [19] K. Xue, C. Ma, P. Hong, R. Ding, A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, Journal of Network and Computer Applications 36 (1) (2013) 316–323. [20] H. Tu, N. Kumar, D. He, J. Kim, C. Lee, An efficient passwordbased three-party authenticated multiple key exchange protocol for wireless mobile networks, The Journal of Supercomputing 70 (1) (2014) 224–235. [21] D. Wang, P. Wang, On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions, Computer Networks 73 (2014) 41 – 57. [22] D. Wang, N. Wang, P. Wang, S. Qing, Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity, Information Sciences 321 (2015) 162–178. [23] K. H. Wong, Y. Zheng, J. Cao, S. Wang, A dynamic user authentication scheme for wireless sensor networks, in: IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Vol. 1, pp. 244-251, 2006. doi: 10.1109/SUTC.2006.1636182 [24] M. L. Das, Two-factor user authentication in wireless sensor networks, IEEE Transactions on Wireless Communications, 8 (3) (2009) 1086–1090. [25] H.-F. Huang, Y.-F. Chang, C.-H. Liu, Enhancement of twofactor user authentication in wireless sensor networks, in: Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), IEEE, pp. 27–30, 2010. [26] D. Nyang, M.-K. Lee, Improvement of das’s two-factor authentication protocol in wireless sensor networks., IACR Cryptology ePrint Archive 2009 (2009) 631. [27] D. He, Y. Gao, S. Chan, C. Chen, J. Bu, An enhanced twofactor user authentication scheme in wireless sensor networks., Ad Hoc & Sensor Wireless Networks 10 (4) (2010) 361–371. [28] M. K. Khan, K. Alghathbar, Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks, Sensors 10 (3) (2010) 2450–2459. [29] B. Vaidya, D. Makrakis, H. T. Mouftah, Improved two-factor user authentication in wireless sensor networks, in: IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), IEEE, 2010, pp.
CR IP T
lated the proposed protocol for formal security verification using the AVISPA tool, and the simulation results shown that the proposed protocol is safe. Through the informal security analysis, we have shown that the proposed protocol satisfies known security attributes for authentication protocols. Moreover, the proposed protocol is required only the computation of hash functions to achieve mutual authentication. Computational efficiency of proposed protocol presents its lightweight attribute. This makes the proposed scheme more appropriate for WSNs environment. Acknowledgment
AN US
The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the editor. References
AC
CE
PT
ED
M
[1] M. Tubaishat, S. Madria, Sensor networks: an overview, Potentials, IEEE 22 (2) (2003) 20–23. [2] J. Yick, B. Mukherjee, D. Ghosal, Wireless sensor network survey, Computer networks 52 (12) (2008) 2292–2330. [3] S. Kumari, M. K. Khan, M. Atiquzzaman, User authentication schemes for wireless sensor networks: A review, Ad Hoc Networks 27 (2015) 159–194. [4] D. He, N. Kumar, N. Chilamkurti, A secure temporal-credentialbased mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks, Information Sciences 321 (2015) 263 – 277. [5] D. Wang, C. G. Ma, D. L. Gu, Z. S. Cui, Cryptanalysis of two dynamic id-based remote user authentication schemes for multiserver architecture, In: International Conference on Network and System Security, (2012) 462–475. [6] D. Wang, P. Wang, On the usability of two-factor authentication, In Proceedings of the 10th International Conference on Security and Privacy in Communication Networks (SecureComm 2014), pp. 141-150. [7] J. Qi, J. Ma, F. Wei, On the Security of a Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services, IEEE Systems Journal (2016) 1–4, doi: 10.1109/JSYST.2016.2574719 [8] D. He, D. Wang, Robust biometrics-based authentication scheme for multiserver environment, IEEE Systems Journal 9 (3) (2015) 816–823. [9] D. Wang, P. Wang, Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks, Ad Hoc Networks 20 (2014) 1–15. [10] D. Wang, D. He, P. Wang, C.-H. Chu, Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment, IEEE Transactions on Dependable and Secure Computing 12 (4) (2015) 428–442. [11] M. Turkanovic, M. Holbl, An improved dynamic passwordbased user authentication scheme for hierarchical wireless sensor networks, Elektronika ir Elektrotechnika 19 (6) (2013) 109– 116. [12] S. A. Chaudhry, H. Naqvi, M. Sher, M. S. Farash, M. U. Hassan, An improved and provably secure privacy preserving authentication protocol for sip, Peer-to-Peer Networking and Applications (2015) 1–15.
30
30
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
[50]
[51] [52]
AC
CE
PT
ED
M
AN US
[53]
Transactions on Information Forensics and Security (2015) 1– 14DOI: 10.1109/TIFS.2015.2439964. A. K. Das, A. K. Sutrala, S. Kumari, V. Odelu, M. Wazid, and X. Li, “An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks,” Security and Communication Networks, 2016. H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, H.-W. Wei, A secured authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors 11 (5) (2011) 4767–4779. Secure hash standard, fIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995. http://csrc.nist.gov/publications/fips/fi ps180-2/fips180-2.pdf. F. Wu, L. Xu, S. Kumari, X. Li, An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks, Multimedia Systems (2015) 1–11.
CR IP T
600–606. [30] T.-H. Chen, W.-K. Shih, A robust mutual authentication protocol for wireless sensor networks, Etri Journal 32 (5) (2010) 704–712. [31] A. K. Das, P. Sharma, S. Chatterjee, J. K. Sing, A dynamic password-based user authentication scheme for hierarchical wireless sensor networks, Journal of Network and Computer Applications 35 (5) (2012) 1646–1656. [32] B. Vaidya, D. Makrakis, H. Mouftah, Two-factor mutual authentication with key agreement in wireless sensor networks, Security and Communication Networks. [33] S. Xu, X. Wang, A new user authentication scheme for hierarchical wireless sensor networks, International Review on Computers and Software 8 (1) (2013) 197–203. [34] C.-T. Li, C.-Y. Weng, C.-C. Lee, An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks, Sensors 13 (8) (2013) 9589–9603. [35] M. Turkanovi´c, M. H¨olbl, Notes on a temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, Wireless personal communications 77 (2) (2014) 907–922. [36] R. Amin, G. Biswas, A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks, Ad Hoc Networks 36 (2016) 58–80. [37] L. Nanni, A. Lumini, Random subspace for an improved biohashing for face authentication, Pattern Recognition Letters 29 (3) (2008) 295–300. [38] L. Nanni, S. Brahnam, A. Lumini, Biohashing applied to orientation-based minutia descriptor for secure fingerprint authentication system, Electronics letters 47 (15) (2011) 851–853. [39] A. T. B. Jin, D. N. C. Ling, A. Goh, Biohashing: two factor authentication featuring fingerprint data and tokenised random number, Pattern recognition 37 (11) (2004) 2245–2255. [40] W. H. Yang, S. P. Shieh, Password authentication schemes with smart cards, Computers & Security 18 (8) (1999) 727–733. [41] D. Dolev, A. C. Yao, On the security of public key protocols, IEEE Transactions on Information Theory 29 (2) (1983) 198– 208. [42] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. Shalmani, T. Manzuri, On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme, in: Advances in Cryptology - CRYPTO 2008, Vol. 5157 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2008, pp. 203–220. [43] T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smartcard security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552. [44] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, 1999, pp. 388–397. [45] S. Mrdovic, B. Perunicic, Kerckhoffs’ principle for intrusion detection, in: Telecommunications Network Strategy and Planning Symposium, 2008. Networks 2008. The 13th International, IEEE, 2008, pp. 1–8. [46] M. Burrows, M. Abadi, R. Needham, A logic of authentication, ACM Transactions on Computer Systems 8 (1) (1990) 18–36. [47] AVISPA, Automated Validation of Internet Security Protocols and Applications, http://www.avispa-project.org/. Accessed on January 2015. [48] D. von Oheimb, The high-level protocol specification language hlpsl developed in the eu project avispa, in: Proceedings of APPSEM 2005 Workshop, 2005. [49] V. Odelu, A. Das, A. Goswami, A secure biometrics-based multi-server authentication protocol using smart cards, IEEE
31
31
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Biography
32
CR IP T
sistant Professor in the Department of Mathematics, the LNM Institute of Information Technology, Jaipur, India. His research interests include digital rights management system, access control in cloud, cryptographic protocols.
ED
M
AN US
Jangirala Srinivas completed his Bachelor of Science in 2003 from Kakatiya University, India. He has received Master of Science degree from Kakatiya University in 2008. He has received Master of Technology degree from IIT Kharagpur in 2011. Currently, he is pursuing his Ph.D in the Department of Mathematics, IIT Kharagpur. His research interests include authentication protocols, information security, digital rights management and cloud computing.
AC
CE
PT
Sourav Mukhopadhyay completed his B.Sc (Honours in Mathematics) in 1997 from University of Calcutta, India. He has done M.Stat (in statistics) and M.Tech (in computer science) from Indian Statistical Institute, India, in 1999 and 2001 respectively. He received his Ph.D. degree in the area of Cryptology (Computer Science) from Indian Statistical Institute, India in 2007. Currently, he is an Assistant Professor at IIT, Kharagpur. His research and teaching interests include network security, cryptology, mathematics, statistics and computer science. He has published more than 60 papers in international journals and conferences in these areas.
Dheerendra Mishra completed his Bachelor of Science and Master of Science degrees from Jiwaji University, India in 2003 and 2005, respectively. He received Ph.D. from the Indian Institute of Technology, Kharagpur, India, in 2014. Currently, he is working as an As32
Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks Jangirala Srinivas, Sourav Mukhopadhyay, Dheerendra Mishra PII: DOI: Reference:
S1570-8705(16)30298-0 10.1016/j.adhoc.2016.11.002 ADHOC 1483
To appear in:
Ad Hoc Networks
Received date: Revised date: Accepted date:
15 October 2015 23 October 2016 2 November 2016
Please cite this article as: Jangirala Srinivas, Sourav Mukhopadhyay, Dheerendra Mishra, Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks, Ad Hoc Networks (2016), doi: 10.1016/j.adhoc.2016.11.002
This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.
ACCEPTED MANUSCRIPT
Ad Hoc Networks Ad Hoc Networks xx (2016) 1–32
CR IP T
Secure and Efficient User Authentication Scheme for Multi-gateway Wireless Sensor Networks Jangirala Srinivasa , Sourav Mukhopadhyaya , Dheerendra Mishrab a Department
AN US
of Mathematics, Indian Institute of Technology, Kharagpur 721 302, India E-mail: [email protected], [email protected] b Department of Mathematics, LNM Institute of Information Technology, Jaipur, India E-mail: [email protected]
Abstract
PT
ED
M
By utilizing Internet of Things (IoT), the collected information from the sensor nodes in wireless sensor networks (WSNs) could be provided to the users who are permitted to get access of sensor nodes. As the information from the sensors are transmitted via public network and sensor nodes have limited battery, shift the focus on security and efficiency in WSNs. User authentication is the security task for limiting the access. It is achieved by equipping authorized users with passwords, tokens or biometrics. However, password and token are easy being stolen and forgotten; even biometrics inherit some limitation. More suitable approach is to combine both password and biometric authenticator to harvest benefits in security. This paper proposes a novel authentication and key agreement scheme for WSNs using biohashing. Biohashing facilitates elimination of false accept rates without increasing occurrence of false rejection rate. Additionally, biohashing has highly clear separation of imposter populations and genuine, and zero equal error rate level. The proposed scheme also supports dynamic node addition and user friendly password change mechanism. Using the BAN-logic, we prove that the proposed scheme provides mutual authentication. In addition, we simulate proposed scheme for the security against man-in-the middle attack and replay attack using the AVISPA tool, and the simulation results show that our scheme is safe. Through the informal security analysis, we show that the proposed scheme is secure against the known attacks for authentication protocols.
AC
CE
Keywords: Internet of Things (IoT), Wireless sensor networks(WSNs), Authentication.
1
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
2
1. Introduction
• The topology of a sensor network changes very frequently.
The evolution of wireless sensor networks (WSNs) during the last decade has turned out to be extremely prevalent. Recently, most of the highly qualified associations are adopting various kinds of WSNs applications and numerous research communities are also showing their interest in providing qualitative productivity towards these WSNs applications. Dynamic examination in WSNs investigated different new applications empowered by larger scale networks of sensor nodes equipped for detecting data from environments, process the sensed information and transmits it to the remote locations. WSNs are mostly used in, low bandwidth and delay tolerant, applications ranging from civil and military to environmental and healthcare monitoring [1]. A wider study on remote sensor frameworks can be found in [2]. The sensors are small, with constraints of limited processing and computing resources. Sensor nodes are low power and limited memory devices equipped with one or more sensors, memory, a processor, a radio, a power supply, and an actuator, which can be randomly deployed irrespective of the territory to enable real-time detection of the environment. The deployment of sensor nodes in a specific field can be done using planes, catapults or placing them one by one. A WSNs usually comprises of a number of sensor nodes working together to monitor at the environment. It can be structured or unstructured, where sensor nodes may be deployed in an ad hoc manner or pre-planned manner into the field [2]. The sensors can measure, sense, and gather information from the environment and then can be transmitted sensed data to the user. This enables the sensor networks to monitor a wide variety of ambient conditions (pressure, humidity, temperature, vehicular movement, etc.). Sensor nodes can be used for continuous sensing, event detection, event ID, location sensing, and local control of actuators. The concept of micro-sensing and wireless connection of these nodes promise many new application areas. It is possible to expand these applications with classification involving more categories such as space exploration, chemical processing and disaster relief [2]. In order to provide efficient and prompt services in WSNs to the users, the security concerns are arising even more crucially as the entire communication is done over the public channel [8, 3, 4, 9] with the following restrictions:
• Sensor nodes mainly use broadcast communication paradigm whereas most ad hoc networks are based on point-to-point communications. • Sensor nodes are limited in power, computational capacities, and memory.
AC
CE
PT
ED
M
AN US
CR IP T
With the new creation of Internet of Things (IoT), the global network can be interconnected and accessed. In WSNs environment, IOT has an important application, such as the sensed data in WSNs environment can be provided to the remote users. However, the sensed data are transmitted via public networks. The adversary has capability to intercept the communication over a public network. This makes the WSNs environment vulnerable to attacks. Thus, a communication protocol should achieve the mutual authentication and support key agreement. To ensure secure authorization, the authentication scheme should satisfy desirable security attributes, such as impersonation attack, password guessing attack, stolen verifier attack, device loss attack, replay attack, man-in-the middle attack[10, 22]. Additionally, the user should be allowed to choose and change the password, independently. Till date, numerous scholarly works are presented on the security of WSNs [11, 22, 8, 12, 13, 14, 16, 17, 18, 19, 20, 21]. The gateway nodes (GWN) based authentication schemes in the literature make an envision possible, that the mutual authentication and key agreement schemes should be lightweight with the component of desirable security. GWN assumes an imperative part in WSNs. In order to further reach the specific sensor node, the remote users are obliged to achieve the GWN through internet at first. In contrary, sensing data from the sensor nodes firstly get to the GWN and then to the user. Making the data available to the remote users must assure the mutual authentication before allowing the access the real-time data in WSNs over the network. The GWN based model consists of three types of entities, namely, sensor nodes, GWNs, and users. The sensor nodes are responsible for sending the realtime data, whereas the gateway nodes are responsible for receiving and forwarding the relevant data to the user and sensor node [16]. In order to access the desired sensor node, the user can complete his registration to any one of the gateway nodes and can establish authorized session with the sensors by performing mutual authentication and key agreement. The authentications schemes usually try to achieve the goal of computational efficiency and security attributes [6]. The design of
• Sensor nodes are prone to failures.
2
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
are in this way lightweight and exceptionally suitable for WSNs. In 2012, Vaidya et al. [32] presented that the schemes, such as Das’s, Khan et al. and Chen and Shih are not secured for the attacks, like stolen smart-card, node-capture and sensor-node impersonation. Thus, the Vaidya et al. presented a novel two-factor user authentication scheme to prevent most of the potential attacks and to provide mutual authentication and session-key establishment to the user. Deebak [15] identified that the Vaidya et al.’s scheme is vulnerable to stolen smartcard, gateway node bypassing and sensor-node key impersonation. Xu and Wang [33], and Turkanovic and Holbl [11] showed that Das et al.’s design has flaws and is infeasible for executions, independently. They have proposed enhanced version of Das et al.’s scheme. Similar to Das et al.’s scheme, it was demonstrated that Xu at al.’s scheme has also security pitfalls, which were presented and corrected by Li et al. [34] and Turkanovic and Holbl [35]. In spite of the fact that Das et al.’s scheme was produced for hierarchical WSNs and the key agreement executes among the user, cluster head, and base-station, and Xue et al.’s key agreement executes between the user, GWN, and the sensor node, both utilize the same authentication model. Xue et al. argue that such a model is efficient because it runs the last two communications, acknowledgment for the BS or GWN and the user, simultaneously. However, since both communications have to be run, it is insignificant regarding efficiency. In 2014, Turkanovic et al. [16] proposed a user authentication and key agreement model to overcome the security flaws of the earlier designed schemes. Farash et al. [17] shown that Turkanovic et al.’s scheme is insecure and inefficient for various security drawbacks such as session key agreement, mutual authentication between all parties, traceability, preservation of user anonymity, privileged-insider attack and password guessing attack. Farash et al.’s scheme still has the security pitfalls such as off-line password guessing attack, off-line identity guessing attack. Simultaneously, Amin and Biswas [36] shown that Turkanovic et al.’s scheme is insecure and inefficient for various security drawbacks such as off-line password guessing attack, off-line identity guessing attack, smart card theft attack, user impersonation attack, sensor node impersonation attack and also shown the scheme is vulnerable to inefficient authentication phase. To overcome these shortcomings, Amin and Biswas presented a secure lightweight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. For a comprehensive survey on user authentication in WSNs, one can refer to the survey paper [3].
CR IP T
lightweight authentication scheme involves non-public key parameters, while probably secure design uses public key parameters [5, 7]. Non-public key parameters based schemes presents computationally efficient solution for low-capacity devices, which also makes these designs low-cost. However, These designs have some limitations, such as they are inefficient to support forward secrecy and unlinkability in two-factor authentication [9, 10]. So, for the environment where computational efficient solutions are required, lightweight authentication schemes are being utilized instead of their limitations. Thus, design and analysis of lightweight authentication scheme is an area of interest.
AC
CE
PT
ED
M
AN US
1.1. Brief review of research & development in the field Wong et al. [23] proposed a user authentication scheme for WSNs in 2006. Their scheme is a lightweight architecture, which requires only the computation of hash functions. However, it was later proved to be vulnerable to stolen verifier attack and many logged-in users with the same login-id attack. Das [24] improved the security of Wong et al.’s scheme. He proposed an efficient password-based user authentication, which uses the temporal credentials (i.e. timestamps) for verification. Das’s scheme is also shown to be vulnerable to denial-of-service attack and node capture attack. Later on, Huang et al. [25], Nyang and Lee [26] and He et al. [27] proposed some improvements of Das’s scheme. But the presented schemes failed to overcome the security flaws found in Das’s scheme. In 2010, Khan and Alghathbar [28] presented an improvement in Das’s scheme. They solved the problem of mutual authentication and unsecured password by introducing pre-shared keys and masked passwords. Although Vaidya et al. [29] identified the security pitfalls in Khan and Alghathbar’s scheme. To overcome these security pitfalls, Vaidya et al. proposed an improved version of Khan and Alghathbar’s scheme. In 2010, Chen and Shih [30] also proposed an improvement of Das’s scheme. Their scheme ensures the mutual authentication among the all involved parties. However, their scheme does not resist replay attack and forgery attack. In 2012, Das et al. [31] and in 2013, Xue et al. [19] proposed authentication and key agreement schemes for WSNs using smart cards, independently. They outlined the schemes to support user to viably and securely connect to the nodes of a WSNs. Both the protocols assure several security components like password protection, key agreement, mutual authentication, and resilience against several attacks. In addition, their schemes have a dynamic node addition phase. Both schemes use the hash and XOR reckonings, and
3
3
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
4
our proposed scheme using the BAN Logic is presented. In Section 6.2, we simulate our scheme for the formal security verification using AVISPA tool to show that our scheme is secure against passive and active attacks. The informal security analysis based on the adversary model of the proposed scheme is presented in the Section 7. We compare the performance of our scheme and the other related existing schemes in Section 8. Finally, we conclude the paper in Section 9.
1.2. Contribution
CR IP T
The related work section presents the overall idea of the existing research regarding user authentication and key agreement protocols for WSNs, where it has been identified that many of the authentication protocols fail to satisfy desirable security attributes. Therefore, we are motivated to develop an authentication protocol that could achieve desirable security attributes and can also be applicable for practical applications. The contributions are listed below:
2. Mathematical Preliminaries
2.1. Biohashing Biometric systems for human authentication in security task to enable authorized access to computer network. Although, it could be done using passwords, pins or tokens, but these mechanism suffer the lack of security as they are being easy to forgot or stolen [37]. Biometric systems also suffers from specific security threats and inherent limitation such as noisy data due to environment poorly illuminated or dirty sensor. As a result, denial of access in biometric systems can be greatly observed, which impacts on the usability of the system by failing to identify a genuine user [38]. To address the issue of high false rejection, BioHashing mechanism is introduced [39]. Over solely biometrics, BioHashing has substantial functional advantages such as clean separation of the genuine, zero error rate and imposter populations. This allowing elimination of false accept rates without suffering from increased occurrence of false reject rates. BioHashing generates a vector of bits starting from the biometric feature set and a seed which represents the Hash key. The base procedure is presented in [39], which functions as follows.
AN US
• We have analyzed the security of recently proposed Amin and Biswas’s authentication scheme for WSNs, where we show that their scheme suffers from several attacks including leakage of sensors secret keys, server spoofing attack, stolen smart card attack, password guessing attack, impersonation attack, identity guessing attack.
• To overcome the security weaknesses of Amin and Biswas’s scheme, we have proposed an efficient and more secure WSNs authentication scheme that can preserve all the original merits of Amin and Biswas’s scheme and withstands the possible known attacks.
ED
M
• To strengthen our proposed scheme, the security analysis using the BAN Logic has been presented. Using the informal security analysis, we have also shown that our scheme can resist numerous security attacks which include the attacks found in Amin and Biswas’s scheme.
PT
• In addition, we have performed the simulation of the proposed scheme using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, where the simulation results clearly indicate that our scheme is secure.
• Extraction of biometric feature represented in a vector form Γ ∈ Rn , where n is the feature length.
CE
• Use the input token to generate m pseudo-random vector {ri ∈ R M |i = 1, 2, · · · m}.
• Furthermore, the performance of our scheme is comparable to Amin and Biswas’s scheme and other related existing schemes.
AC
• Employ the Gram-Schmidt process to {ri ∈ R M |i = 1, 2, · · · m} and obtain orthonormal pseudorandam vectors {r⊥i ∈ Rn |i = 1, 2, · · · m} and n ≥ m.
1.3. Organization of the paper The road-map of the paper is as follows: In Section 2, we present the mathematical preliminaries, which includes biohashing technique, threat model and the necessary notations used in the paper. In Section 3, we present the brief review of the recently proposed Amin and Biswas’s scheme. in Section 4, we show security weaknesses of Amin and Biswas’s scheme. In Section 5, we discuss proposed lightweight authentication scheme for WSNs. In Section 6.1, security analysis of
• Calculate {hΓ|r⊥ii|i = 1, 2, · · · m}, where h.|.i indicate the inner product. • Calculate m−bit BioHash template, b = {bi |i = i = 1, 2, · · · m} using a threshold κ obtain from
4
1, ifhΓ|r⊥ii ≤ κ, bi = 0, ifhΓ|r⊥ii > κ.
(1)
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
5
2.2. Threat Model
3. Review of Amin and Biswas’s Scheme
In this paper, we use the following threat model considering the assumptions as follows [40, 41, 42, 43, 44, 45]:
Amin and Biswas’s scheme consists of six phases, namely, the system setup phase, registration phase (users registration and sensor nodes registration), the login phase, the authentication and key agreement phase, the password-change phase and the dynamic node addition phase. In addition with this Amin and Biswas’s scheme has System environment for the execution procedure of their protocol. We have utilized the notations in the scheme as summarized in Table 1. The detail description is as follows:
CR IP T
• An adversary can extract the information from the smart card by examining the power consumption or leaked information. • An adversary is able to eavesdrop all the communications between the parties involved such as a user and a server over a public channel.
3.1. System setup phase
• An adversary has the potential to modify, delete, redirect and resend the eavesdropped transmitted messages.
This phase runs in off-line mode by the system administrator(SA). S A selects unique identity IDS N j for each sensor node (1 < j < m) and computes P j = h(IDS N j kS ran ). The random number S ran is known to all the gateway nodes, which is maintained securely. Finally, SA stores < IDS N j , P j , S ran > into the sensor nodes’ memory and randomly or manually deploys each sensor node over a target region.
AN US
• An adversary can be a legal user or an outsider in any system. • An adversary can guess low entropy password and identity individually easily but guessing two secret parameters(eg. password, identity) are computationally infeasible in polynomial time.
3.2. Registration phase
M
• Practically, it is assumed that the protocol used in the authentication system is known to the attacker.
Description ith remote user jth sensor node Gateway node (base station) in WSNs Smartcard of user Ui Identity of user Ui Identity of home gateway node HGWN Identity of foreign gateway node FGWN Identity of sensor node S N j Master secret key of HGWN Master secret key of FGWN Secret nonces used by Ui , S j , HGWN and FGWN respectively Password of user Ui Time interval for the allowed transmission delay Time when a message received by an entity Session key shared between Ui and S j Secure collision-free cryptographic one-way hash function Concatenation of data A with data B Exclusive-OR of data A and data B
CE
3.2.1. Sensor node registration phase In this phase, through an open channel each sensor node firstly computes PS j = P j ⊕ S ran and further sends the pair < IDS N j , PS j > to the nearest gateway node. The home gateway node (HGWN) receives the message and sends the confirmation message to each sensor nodes after extracts P j = PS j ⊕ S ran and storing the pair < IDS N j , P j > in its own database. Moreover, HGWN stores the sensor identity in the public directory. Further, each sensor node destroys the S ran from its own memory.
AC
Symbol Ui S Nj GWN SC IDi IDGWNh IDGWNF IDS N j H XGWN F XGWN ri , r j , rh , r f PWi ∆T Tc SK h(·) AkB A⊕B
PT
ED
• Kerckhoffs’s principle: A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
In Amin and Biswas’s scheme the registration phase is divided into two. First one is Sensor node’s registration and Second one is user’s registration. In order to get the services from any sensor node, the user needs to be registered with the WS N s. Once the user gets registered with the WS N s, he/she will be able to connect with the opted sensor node. Both users and sensor nodes undergo this registration process. Once the users get registered, GWN issues a smartcard with the secret credentials for the future communications.
3.2.2. User registration phase In order to access to the services of the sensor nodes, the user has to register with HGWN. The description is as follows:
Table 1: Notations and their meanings
5
ACCEPTED MANUSCRIPT
6
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
L2: On successful verification, S C computes Bi = h(DIDi kT IDi kXk ) = Ai ⊕ h(DID0i ⊕ PWR0i ), Ci = h(IDGWNh kBi kri kT 1 ), Di = Bi ⊕ ri by generating a random number ri .
R2: For each user, the home gateway node generates a random identity T IDi and computes Regi = h(DIDi kPWRi ), and Ai = h(DIDi kT IDi kXk ) ⊕ h(DIDi ⊕ PWRi ). Where Xk is long term secret key of HGWN.
L3: After computing Bi , Ci , Di , a login message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 > is sent to HGWN through a public channel, where IDS N j is the identity of the sensor node and T 1 is the current timestamp.
R3: Finally, the computed values < T IDi , DIDi > are stored in its memory by HGWN. For each user, HGWN issues a smartcard S C, which stores < Regi , Ai , IDGWNh , T IDi , h(·) >.
3.4.2. Authentication Phase After receiving the login message from Ui , HGWN checks whether the opted sensor node is a registered in its database or not. If the verification is successful, HGWN executes the Case-1 as the authentication and key agreement phase. Otherwise, HGWN transfers the message < IDGWNh , T IDi , IDS N j > to the rest of the gateway nodes, which are called foreign gateway nodes (FGNs) of the WSNs model. The IDS N j must match with any one of the foreign gateway nodes to execute Case-2 as the authentication phase . Case-1:
CR IP T
R1: Ui selects IDi , PWi and a random number r. Ui computes DIDi = h(IDi kr) and PWRi = h(PWi kr). Ui submits < DIDi , PWRi > to HGWN through secure channel.
R4: After receiving S C, Ui stores r.
ED
M
AN US
3.3. System environment phase Whenever a registered user wishes to get the services from the desired sensor node in the WSNs, first he extract the sensor’s identity from the public directory of HGWN. Then, he insert the smartcard and inputs login credentials. The authenticity of the user is verified by the smartcard reader. Once the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN which includes sensor node’s IDS N j , where the existence of the identity of the sensor node IDS N j is looked in its database. If IDS N j exists in HGWN’s database, the authentication phase executes Case-1. Otherwise, Case-2 will be considered. 3.4. Login and authentication phase The login and authentication process of the Amin and Biswas’s scheme is as follows: This phase can be seen as two phases. During the login phase, the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN through the public channel. The procedure of the login phase is described below:
?
PT
HGWN verifies the computed Ci0 = Ci which is transmitted in the message . If the verification holds, HGWN authenticates the user Ui . Otherwise, the connection is terminated.
CE
A2: HGWN computes Ei = h(IDS N j kDIDi kP j krk kT 2 ) , fi = P j ⊕ rk , yk = ri ⊕ h(rk ) and Gi = DIDi ⊕ h(IDS N j krk ) by generating a random number rk . After the computation, HGWN sends the message M2 =< Ei , fi , Gi , yk , T 2 > to the sensor node S N j through the public channel.
3.4.1. Login Phase Here in this phase, the smartcard needs to verify the legitimacy of the user. The smartcard does the computations as follows:
AC
A1: On receiving the login message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >, HGWN checks the validity of the timestamp, i.e., |T 2 − T 1 | ≤ ∆T , where ∆T is the transmission time and T 2 is the current timestamp of HGWN. If the verification is valid, using the transmitted value T IDi HGWN extracts DIDi from its own database. Further computes B0i = h(DIDi kT IDi kXk ), ri0 = B0i ⊕ Di and Ci0 = h(IDGWNh kB0i kri0 kT 1 ). After the computation
A3: On receiving the message, S N j checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T , where T 3 is the sensor node’s current timestamp. If the verification is valid, S N j extracts rk0 = P j ⊕ fi0 , ri0 = y0k ⊕ h(rk0 ), DID0i = G0i ⊕ h(IDS N j krk ), Ei0 = h(IDS N j kDID0i kP j krk0 kT 2 ). After the computation,
ID0i
L1: To start the login process, Ui inputs and PWi0 . Then, the following values are verified: DID0i = h(ID0i kr), PWR0i = h(PWi0 kr), and Reg0i = h(DID0i kPWR0i ). Then, S C compares the computed Reg0i with the stored to Regi to verify the correctness. If this comparison matches, then S C accepts the user login credentials and take further computations. Otherwise, S C rejects the login request.
?
S N j verifies Ei0 = Ei . If the verification does not hold, the connection is aborted. Otherwise, further computations takes place.
6
ACCEPTED MANUSCRIPT
7
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
A4: The sensor node S N j computes H j = h(Ei0 kDIDi kr j kT 3 ), K j = rk ⊕ r j by generating a random nonce r j . After the computations, the sensor node sends the message M3 =< H j , K j , T 3 > to HGWN through the public channel.
< ZS i , IDGWNF > to the home gateway node over a public channel. A9: Using the login message which was sent earlier by the user Ui , HGWN computes B∗i = h(DIDi kT IDi kXk ), Zi = ZS i ⊕ S ran and BZi = B∗i ⊕ Zi and sends < BZi , IDGWNF > to the user Ui .
A5: On receiving the message, HGWN checks the validity of the timestamp, i.e., |T 4 − T 3 | ≤ ∆T , where T 4 is HGWN’s timestamp. If the verification is valid, HGWN extracts r j = K j ⊕ rk and computes H 0j = h(Ei kDIDi kr j kT 3 ). After the computation, HGWN verifies the computed ? H 0j = H j , which is transmitted in the message . If the verification does not hold, the connection is aborted. Otherwise, HGWN computes Li = h(Ei kDIDi kr j krk kT 4 ), Qi = r j ⊕ ri and sends a message M4 =< Li , Ei , Qi , K j , T 4 > to Ui through a public channel.
CR IP T
A10: The user first extracts Zi = Bi ⊕ BZi and then further computes AAi = h(T IDi kZi kRi kT Ui ), BBi = Zi ⊕ Ri , where Ri is the random number and T Ui is the user’s current timestamp. The user finally sends the message M5 =< T IDi , AAi , BBi , T Ui > to the FGWN.
AN US
A11: FGWN first checks the validity of the timestamp i.e., |T F − T Ui | ≤ ∆T . Where ∆T is the transmission time, which is constant and T F is the timestamp of FGWN. If the verification is valid, using the transmitted value T IDi FGWN computes Zi0 = h(T IDi kXGWNF ), Ri = BBi ⊕ Zi and AA0i = h(T IDi kZi0 kR0i kT Ui ). After the computation
A6: On receiving the message, Ui checks the validity of the timestamp i.e., |T 5 − T 4 | ≤ ∆T , where T 5 is the user’s current timestamp. If the verification is valid, Ui extracts r0j = ri ⊕ Qi , rk0 = K j ⊕ r0j , Li0 = h(Ei kDIDi kr0j krk0 kT 4 ). After the computation, ?
M
Ui verifies Li0 = Li . If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
ED
A7: After successfully authenticate, Amin and Biswas’s protocol achieves mutual authentication. Then a common secret session-key S K = h(DIDi kri kr j krk ) is shared among the entities involved in the system. Using the current session key, the user can access the desired sensor node during the future communications.
A12: The foreign gateway FGWN, computes CCi = h(T IDi kZi0 kRF kP j kT F kRi ) , GGi = P j ⊕ RF , FFi = Zi ⊕ h(P j ) by generating a random number RF . After the computation FGWN send the message M6 =< T IDi , CCi , GGi , FFi , BBi , T F > to the sensor node S N j through the public channel.
PT
A13: On receiving the message, the sensor node S N j checks the validity of the timestamp i.e., |T j − T F | ≤ ∆T . Where ∆T is the transmission time, which is constant and T j is the sensor node’s current timestamp. If the verification is valid, the sensor node extracts R0F = P j ⊕ GGi , Zi0 = FFi ⊕ h(P j ), R0i = BBi ⊕ Zi and computes CCi0 = h(T IDi kZi0 kR0F kP j kT F kR0i ) . After the computation,
CE
Case-2: After receiving a login request message M1 =< IDGWNh , T IDi , IDS N j , Ci , Di , T 1 > from the user, HGWN verifies whether IDS N j is in its database. On verifying the identity of the sensor node and found the verification failed, HGWN sends a broadcast message IDS N j , T IDi , IDGWNh to the rest of the gateway nodes of the WSNs model.Anyone of the FGWN foreign gateway node (other gateway nodes) must possess the identity of the sensor node in order to execute the authentication phase. The execution of the authentication phase is described as follows:
?
AC
A8: On receiving the broadcast message IDS N j , T IDi , IDGWNh , FGWN extracts P j from the database which is corresponding to IDS N j . After the extraction of the P j , FGWN computes F Zi = h(T IDi kXGWN ), ZS i = Zi ⊕ S ran and transmit
?
FGWN verifies the computed AA0i = AAi which is transmitted in the message . If the verification holds, the FGWN authenticates the user Ui . Otherwise, the connection is terminated.
the sensor node verifies the computed CCi0 = CCi which is transmitted in the message. If the verification does not hold, the connection is aborted. Otherwise, further computations takes place as follows:
A14: The sensor node S N j computes W j = h(IDS N j kP j ), DD j = h(T IDi kR j kW j kT j ), HH j = R j ⊕ W j , MM j = Zi ⊕ W j by generating a random nonce R j . After the computations, the sensor node sends the message 7
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
8
M7 =< T IDi , DD j , MM j , T j > to the FGWN through the public channel.
and rk . This shows that A can get the values ri , r j and rk after the authentication phase.
A15: On receiving the message, the foreign gateway node FGWN checks the validity of the timestamp i.e., |TGWN − T j | ≤ ∆T . Where ∆T is the transmission time, which is constant and TGWN is the FGWN’s current timestamp. If the verification is valid, FGWN computes R0j = HH j ⊕ W j , RRF = R j ⊕ RF . After the computation, FGWN sends a message M8 =< T IDi , DD j , MM j , RRF , T j , TGWN > to the user Ui through a public channel.
2: A can also get fi as HGWN transmits the message < Ei , fi , Gi , yk , T 2 > via public channel, where fi = P j ⊕ rk . 3: Using rk and fi , A extracts P j as P j = fi ⊕ rk .
CR IP T
It is clear from the above discussion that an adversary can get sensor secret key P j based on the valid assumptions mentioned in the threat model. 4.2. Leakage of the system key
A16: On receiving the message, the user Ui checks the validity of the timestamp i.e., |T U − TGWN | ≤ ∆T . Where T U is the user’s current timestamp. If the verification is valid, the user extracts W j = MM j ⊕ Zi , R j = HH j ⊕ W j , RF = RRF ⊕ R j , DD0j = h(T IDi kR j kW j kT j ). After the computa-
AN US
?
Security of Amin and Biswas’s scheme depends on the secrecy of random number S ran . Unfortunately, the adversary can achieve the security parameter S ran as follows: 1: After registering as a user (U A ) to HGWN, A selects a sensor node S N j , which is not registered with HGWN. A submits his login request < IDGWNh , T IDA , IDS N j , C A , DA , T A > to HGWN, where C A = h(IDGWNh ||BA ||rA ||T A ), DA = BA ⊕ rA and T A is the current timestamp.
tion, the user verifies the computed DD0j = DD j which is transmitted in the message. If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
ED
M
A17: After successfully authenticate, Amin and Biswas’s protocol achieves mutual authentication. Then a common secret session-key S K = h(T IDi kIDS N j kRi kR j kRF ) is shared among the entities involved in the system. Using the current session key, the user can access the desired sensor node during the future communications.
2: As IDS N j is not registered with home gateway node, then HGWN sends < IDS N j , T IDA , IDGWNh > to the other gateways in the system.
PT
3: On receiving the message < IDS N j , T IDA , IDGWNh >, the foreign gateway node FGWN extracts P j and sends the message < ZS A , IDGWN f > to HWGN, where F ZS A = ZA ⊕ S ran and ZA = h(T IDA kXGWN ).
4. Cryptanalysis of Amin and Biswas’s Scheme
4: On receiving the message < ZS A , IDGWN f >, HGWN computes BA = h(DIDA kT IDA kXk ), ZA = ZS i ⊕ S ran and BZA = BA ⊕ ZA , and then sends < BZA , IDGWNF > to U A .
CE
In this section, we show that Amin and Biswas’s scheme does not resist many attack based on adversary model 2.2. 4.1. Leakage of sensors secret keys
5: On receiving the message < BZA , IDGWN f >, A uses his credential Bi to retrieve ZA as ZA = BA ⊕ BZA . A can also get the message < ZS A , IDGWN f > as the message transmit via public channel.
AC
As per the threat model discussed in Section 2.2, an adversary (A) can also be a user in the system, and thus he can get all the security parameters, which a valid user gets in the system. Using these credentials, A can derive the sensor’s secret key P j in Amin and Biswas’s scheme, which can be later utilized to perform various attacks. The adversary can achieve P j by performing the following procedure:
6: A retrieves S ran using ZA and ZS A . It is clear from the above discussion that an adversary can achieve the security parameter S ran on which security of system is depend as S ran is used to compute the secret keys of all sensor nodes. This shows that security of Amin and Biswas’s scheme is compromised.
1: A can registered in the system as a user, and can initiate the login session, which will output ri , r j 8
ACCEPTED MANUSCRIPT
9
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
5: A retrieves ri using rk as ri = yk ⊕ h(rk ). Then, A retrieves Bi using ri as Bi = Di ⊕ h(ri ).
4.3. Server spoofing attack An adversary can perform server spoofing attack on Amin and Biswas’s scheme as follows: 1: A intercepts Ui ’s login message IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >.
M1
6: Using the retrieved parameters DIDi and Bi , A can masquerade as a valid user Ui to login to the system as follows:
=<
2: A first achieves P j as discussed in Section 4.1.
• A chooses a value rA and computes Ci∗ = h(IDGWNh kBi krA kT A ), D∗i = Bi ⊕ rA , where T A is the current timestamp used by A.
4: A retrieves DIDi using rk as DIDi h(IDS N j ||rk ).
CR IP T
3: Using the old transmitted message < Ei , fi , Gi , yk , T 2 > of HGWN, A retrieves rk as rk = fi ⊕ P j .
• A sends the message M1 =< IDGWNh , T IDi , IDS N j , Ci∗ , D∗i , T A > to HGWN through a public channel.
= Gi ⊕
• At HWGN end verification holds.
5: A retrieves ri using rk as ri = yk ⊕ h(rk ).
4.5. Stolen smartcard attack
6: A retrieves Bi using ri as Bi = Di ⊕ h(ri ).
We suppose that the user Ui0 s smart card was stolen by an attacker. Now, by the method of power analysis [44, 43] the attacker can extract the information stored on the smart card {Regi , Ai , IDGWNh , T IDi , r, h(·)}. Using the extracted information of smartcard and the intercepted messages on the unreliable channel, attacker imposes the following attacks :
AN US
7: A Selects two random numbers r11 and r12 and computes QA = r11 ⊕ ri , KA = r12 ⊕ r11 , E A = h(IDS N j kDIDi kP j kr12 kT A1 ) and LA = h(E A kDIDi kr11 kr12 kT A ), where T A1 and T A are current timestamp used by adversary. 8: A sends a message MA =< LA , E A , QA , KA , T A > to the user Ui .
ED
M
On receiving the message, when the user checks the validity of the timestamp i.e., |T 5 − T A | ≤ ∆T , where T 5 is the user’s current timestamp. The verification holds as adversary uses current timestamp. Then, the user ex0 0 0 tracts r11 = ri ⊕ QA , r12 = KA ⊕ r11 , and computes L0A =
4.5.1. Off-line password guessing attack The adversary guess the user’s password based on the valid assumptions of the threat model as adversary can get DID and r as follows: 1: A first achieves P j as discussed in Section 4.1.
?
0 0 h(E A kDIDi kr11 kr11 kT A ). Then, user verifies L0A = LA . The verification holds and it is confirmed that the sensor node is authentic. After the authentication, the user computes secret session-key S K = h(DIDi kri kr11 kr12 ). However, an adversary can also compute the session key as he knows DIDi , ri , r11 and r12 .
PT
2: Using the intercepted message < Ei , fi , Gi , yk , T 2 > of Ui , A retrieves rk as rk = fi ⊕ P j .
CE
3: A retrieves DIDi using rk as DIDi h(IDS N j krk ).
= Gi ⊕
4: Using the method of power analysis [44, 43], A extracts the stored information r and Regi = h(DIDi kPWRi ) from the stolen smart card.
1: A intercepts Ui ’s login message IDGWNh , T IDi , IDS N j , Ci , Di , T 1 >.
5: A chooses a value PWig and computes PWRgi = h(PWig kr), and then verifies
AC
4.4. User impersonation attack An adversary can also impersonate a user in Amin and Biswas’s scheme as follows: M1
=<
?
Regi = h(DIDi kPWRgi ).
2: A first achieves P j as discussed in Section 4.1.
6: If verification holds, A succeeds in password guessing. Otherwise, A repeats the process.
3: Using the old transmitted message < Ei , fi , Gi , yk , T 2 > of HGWN, A retrieves rk as rk = fi ⊕ P j . 4: A retrieves DIDi using rk as DIDi h(IDS N j ||rk ).
It is clear from the above discussion that an adversary can successfully guess user’s password based on the valid assumptions of threat model.
= Gi ⊕ 9
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
4.5.2. Identity guessing attack The adversary guess the user’s identity based on the valid assumptions of the threat model as adversary can get DID and r as follows:
10
5.1. System setup phase It is an off-line mode, where system administrator(SA) generates the identity and security parameters for each sensor nodes. First, S A generates the identities {IDS N1 , IDS N2 , · · · IDS Nm } for each sensor node {S N1 , S N2 , · · · S Nm } such that no two distinct sensor node will get same identity. Then, S A computes P j = h(IDS N j ⊕ S ran ) for 1 ≤ j ≤ m, where S ran is a random secret known to all the gateway nodes. S A stores < IDS N j , P j > for 1 ≤ j ≤ m into the memory of sensor nodes before their deployment.
1: The adversary first achieves P j as discussed in Section 4.1.
CR IP T
2: Using the intercepted message < Ei , fi , Gi , yk , T 2 > of Ui , A retrieves rk as rk = fi ⊕ P j . 3: A retrieves DIDi as DIDi = Gi ⊕ h(IDS N j krk ). 4: Using the method of power analysis [44, 43], A extracts the stored information r from the stolen smart card.
5.2. Registration phase
The registration phase is divided into two sub phases. First one is Sensor node’s registration and Second one is user’s registration. In order to get the services from any sensor node, the user needs to be registered. Once the user gets registered, he will be able to connect with the opted sensor node. Both users and sensor nodes undergo this registration process. Once the users get registered, HGWN issues a smartcard with the secret credentials for the future communications.
A can get r as A knows all the stored parameters of smart card.
AN US
?
5: A chooses an identity IDgi and then verifies DIDi = h(IDgi kr).
6: If verification holds, the adversary A succeeds in guessing the identity of the user. Otherwise, A repeats the above step.
M
It is clear from the above discussion that an adversary can successfully guess user’s identity based on the valid assumptions mentioned in the threat model.
ED
5. Proposed Authentication Scheme (MAAS) for WSNs
PT
The proposed scheme uses Amin and Biswas’s scheme as a case study, which handles all the previously mentioned security shortcomings and vulnerabilities found in their scheme. In order to overcome the security flaws found in Amin and Biswas’s scheme, we propose an enhanced authentication and key agreement protocol, which enables the WSNs dynamically limitless growth without affecting the functionality of the registration or authentication process of both the user and sensor nodes. A precise interpretation of this fact is presented in the description of the system setup phase and registration phase of the proposed scheme. The proposed scheme consists of the following six phases: (i). System setup phase, (ii). Registration phase, (iii). System environment phase, (iv). Login, authentication and key agreement phase, (v). Dynamic node addition phase, and (vi). Password-change phase. We have also utilized the notations in our scheme as summarized in Table 1. These phases related to our scheme are described in the following subsections.
5.2.1. Sensor node registration phase In this phase, through an open channel each sensor node sends < IDS N j , T r , M j > to the nearest gateway node, where M j = h(IDS N j ||P j ||T r ) and T r is registration time. On receiving the message, HGWN computes ? P j = h(IDS N j ⊕S ran ) and verifies M j = h(IDS N j ||P j ||T r ). HGWN sends the confirmation message to node S N j if verification holds. HGWN stores {IDS N j , T r } in its database. Further, S N j stores registration time T r .
CE
5.2.2. User registration phase User completes his registration at HGWN, and achieves personalized security parameters to access sensor node. The registration phase is discussed in Figure 1. The description of registration mechanism is as follows:
AC
R1: Ui selects identity IDi , password PWi and a random number u. Ui computes DIDi = h(IDi ku) and RPWi = h(PWi kukIDi ), and then submits < DIDi , RPWi > to HGWN via secure channel. R2: On receiving registration request, HGWN checks the registration of DIDi . If DIDi is not registered, HGWN selects a random number T IDi and H computes Ki = h(DIDi kT IDi kXGWN ) and Yi = H Ki ⊕ RPWi , where XGWN is a 1024 bits secret key of HGWN . 10
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
R3: HGWN stores < T IDi , DIDi > in registered user database, and then issues a smart card S Ci to Ui including < Yi , T IDi , h(·) >.
5.4.1. Login Phase First, the smartcard needs to verify the legitimacy of the user. For the valid user, smartcard processes the login request. First, smartcard inquires to the gateway about available sensors by submitting his/her requirement. HGWN provides the sensor identity on the basis of availability and requirement. On receiving the sensor identity, user executes the login request. The description is given below:
R4: After receiving S Ci , Ui imprints his biometric key Bi and computes Ci = u ⊕ H(Bi ) and Vi = h(IDi ⊕ PWi ⊕ u). Ui stores Ci and Vi into S Ci . 5.3. System environment phase
RPWi = h(PWi kukIDi ).
M
AN US
L2: On the success of login, S Ci inquires for sensor identity as per requirement. By observing the user requirement and sensors availability, HGWN sends the available sensor’s identity IDS N j to Ui . Moreover, HGWN also provides the identity of a sensor node which are under some foreign gateway node in order to fulfil user’s requirement. L3: S Ci generates a random number ri and computes DIDi = h(IDi ku),D1 = h(Ki kDIDi kIDS N j ) ⊕ ri and D2 = h(DIDi kri kT IDi kKi kT 1 kIDS N j ), where T 1 is the current timestamp.
HGWN
{DIDi ,RPWi }
−−−−−−−−−−−−−→ S ecurechannel
S Ci =hYi ,IDGWN ,T IDi ,h(·)i
←−−−−−−−−−−−−−−−−−−−−−−
Computes H Ki = h(DIDi kT IDi kXGWN ), Yi = Ki ⊕ RPWi ,
L4: On computation of D1 and D2 , Ui sends the login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > to HGWN. 5.4.2. Authentication and key agreement Phase After receiving the login message of Ui , HGWN checks whether the requested sensor S N j is in the registered sensor list or not by checking its database. If the verification is successful, HGWN executes the Case-1 as the authentication and key agreement phase. Otherwise, HGWN transfers the user’s message < T IDi , IDS N j , D1 , D2 , T 1 > to the rest of the gateway nodes which are known as foreign gateway nodes (FGWN) of the WSNs model. The IDS N j must match with any one of the foreign gateway nodes FGWN to execute Case-2 as the authentication phase. The message exchange of login and authentication is discussed in Figure 2.
stores < T IDi , DIDi >
in its database
PT
S ecurechannel
selects a random number T IDi
CE
imprints his biometric key Bi Computes Ci = u ⊕ H(Bi ) Vi = h(IDi ⊕ PWi ⊕ u) stores Ci and Vi into S Ci .
L1: To start the login process, Ui inputs ID0i and PWi0 . Ui also imprints Bi . Then, S Ci computes u = Ci ⊕ ? H(Bi ) and verifies Vi = h(IDi ⊕PWi ⊕u). If verification holds, S Ci computes Ki = Yi ⊕ h(PWi kukIDi ).
ED
User Ui Chooses IDi , PWi . Selects a random number u, Computes DIDi = h(IDi ku),
CR IP T
The gateway node maintains the public directory of all the sensor nodes (S N j ’s). So, whenever a registered user want to get services from S N j he/she can pick the appropriate S N j ’s identity in the service environment of wireless sensors. In order to access the services, user first initiate the login session using his/her smart card. The authenticity of the user is verified in pre-smartcard authentication. Once the legitimacy of the user is verified, then a login message is forwarded to the home gateway node HGWN which includes sensor node’s IDS N j , where the existence of the identity of the sensor node IDS N j is looked in its database. If the IDS N j exists in HGWN’s database, the authentication phase executes Case-1. Otherwise, Case-2 will be considered. Figure 1: User registration phase of our scheme
11
5.4. Login, authentication and key agreement phase
AC
The gateway node maintains the public directory, which comprises the sensor nodes identities in WSN environment. This enable an user to select a sensor as per his requirement. To get services of a sensor S N j , user extracts IDS N j from the public directory. The registered user inserts his smartcard into a card reader to initiate the login and authentication phase. This phase can be seen as two phases. Once the legitimacy of the user is verified, a login message is forwarded to the home gateway node HGWN through the public channel in order to login to the desired sensor node S N j . The procedure of the login, authentication and key agreement phases are described below:
Case-1:
11
A1: On receiving the login message < T IDi , IDS N j , D1 , D2 , T 1 > at time T 2 , HGWN checks the validity of the timestamp i.e., |T 2 − T 1 | ≤ ∆T , Where ∆T is the threshold
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
12
Case-2:
for time delay in message transmission. If the verification passes, using pseudonym identity T IDi , HGWN extracts DIDi from its database. HGWN H computes Ki0 = h(DIDi kT IDi kXGWN ) and retrieves ri = D1 ⊕ h(Ki ||DIDi ||IDS N j ). Then, HGWN
After receiving a login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > from the user at the time T H , HGWN first checks |T H − T 1 | ≤ ∆T . If verification succeeds, HGWN verifies whether IDS N j is in its database. On verifying the identity of the sensor node, if verification failed, HGWN sends a broadcast message < IDS N j , T IDi , IDGWNh , L1 , T H > to the rest of the gateway nodes of the WSNs model, where L1 = h(IDS N j ||T IDi ||IDGWNh ||S ran kT H ). If any foreign gateway node founds the sensor identity in its database, FGWN verifies the freshness of the message and executes the mutual authentication. If IDS N j is found in the database of foreign Gateway FGWN, the authentication phase executes as follows. The message exchange is discussed in Figure 3.
?
verifies D02 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ). If the verification holds, HGWN authenticates the user Ui . Otherwise, the connection is terminated.
CR IP T
A2: HGWN generates a random number rh and computes P j = h(IDS N j ⊕ S ran ), D3 = h(P j ||T 2 ||T r ||IDS N j ||T IDi ) ⊕ rh , D4 = ri ⊕h(P j ||T IDi ||rh ||T 2 ), D5 = DIDi ⊕h(P j ||ri ||rh ||T 2 ) and D6 = h(IDS N j ||ri ||DIDi ||T r ||P j krh kT 2 ). HGWN contracts the login message M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > and sends to S N j .
A8: On receiving the broadcast message < IDS N j , T IDi , IDGWNh , L1 , T H > at time T H0 , FGWN first checks |T F − T H | ≤ ∆T . If verification succeeds, FGWN verifies ? L1 = h(IDS N j ||T IDi ||IDGWNh ||S ran kT H ). If the verification holds, FGNW computes KiF = F h(T IDi ||XGWN ), A1 = h(T IDi ||S ran ||IDGWNF ) ⊕ F (Ki ) and L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ). FGWN transmits the message M5 =< A1 , IDGWNF , L2 , T IDi , T F > to HGWN via public network.
AN US
A3: On receiving the message at time T 3 , S N j checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T . If the verification is valid, S N j extracts rh0 = h(P j ||T 2 ||T r ||IDS N j ||T IDi ) ⊕ D3 , ri0 = D4 ⊕ h(P j ||T IDi ||rh ||T 2 ), DID0i = D5 ⊕ h(P j ||ri ||rh ||T 2 ), ?
D6 = h(IDS N j ||ri ||DIDi ||T r kP j krh kT 2 ). If the verification does not hold, the connection is aborted.
M
A4: S N j generates a random number r j and computes D7 = r j ⊕ h(P j ||rh ||T 3 ) and D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 ||T r ). Then, S N j sends the message M3 =< D7 , D8 , T 3 > to HGWN.
ED
A9: HGWN receives the message M5 on time T ug f , then verifies the freshness of the message using |T ug f − T F | ≤ ∆T . If the verification holds, computes KiF = A1 ⊕ h(T IDi ||S ran ||IDGWNF ) and ver-
A5: On receiving the message at time T 4 , HGWN checks |T 4 − T 3 | ≤ ∆T . If the verification is valid, HGWN extracts r0j = D7 ⊕ h(P j ||rh ||T 3 )
?
PT
ifies L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ). If verification succeeds, HGWN computes Ki = H h(DIDi kT IDi kXGWN ), A2 = KiF ⊕ h(Ki ||IDGWNF ) F and L3 = h(Ki ||Ki ||IDS N j ||IDGWNF kT ug f ), then sends M6 =< A2 , L3 , IDGWNF , T ug f > to Ui .
?
CE
and verifies D8 = h(P j ||r0j ||T 2 ||rh ||T IDi ||ri ||T 3 ||T r ). If the verification does not hold, the connection is aborted. Otherwise, HGWN computes D9 = rh ⊕ h(Ki ||DIDi ||ri ), D10 = r j ⊕ h(Ki ||rh ||DIDi ||ri ) and D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ) and sends a message M4 =< D9 , D10 , D11 , T 4 > to the user Ui .
A10: From the received message Ui first checks if, |T 2 − T ug f | ≤ ∆T , where T 2 is the current timestamp of Ui . Further, extracts KiF =
AC
A6: On receiving the message at time T 5 , the user Ui checks |T 5 − T 4 | ≤ ∆T . If the verification is valid, the user extracts rh = D9 ⊕ h(Ki ||DIDi ||ri ), r j =
?
A2 ⊕ h(Ki ||IDGWNF ), and then verifies L3 = h(Ki ||KiF ||IDS N j ||IDGWNF kT ug f ). If verification holds, Ui computes A3 = h(KiF ||T IDi ||IDS N j ) ⊕ ri and L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ), where T 2 is the current timestamp. Then, Ui sends the login message M7 =< T IDi , IDS N j , A3 , L4 , T 2 > to FGWN.
?
D10 ⊕ h(Ki ||rh ||DIDi ||ri ), and then verifies D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ). If the verification does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
A7: On the success of mutual authentication, sessionkey S K = h(DIDi kri kr j krh kIDS N j ) is constricted by involved entities in the system. 12
A11: FGWN first checks the validity of the timestamp, i.e., |T 3 − T 2 | ≤ ∆T , where T 3 is the current times-
ACCEPTED MANUSCRIPT
13
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Figure 2: Case-1: Login and authentication phases of the proposed scheme
User Ui Inserts SC into a terminal. Inputs IDi and PWi . imprints his biometric key Bi Computes u = Ci ⊕ H(Bi ),
Gateway node HGWN
Sensor node S j
Checks if, |T 2 − T 1 | ≤ ∆T Using T IDi , extracts DIDi H Compute Ki0 = h(DIDi kT IDi kXGWN ) ri = D1 ⊕ h(Ki0 ||DIDi ||IDS N j ) ?
CR IP T
?
verifies Vi = h(IDi ⊕ PWi ⊕ u) Computes Ki = Yi ⊕ h(PWi kukIDi ). Generates a random number ri DIDi = h(IDi ku) D1 = h(Ki ||DIDi ||IDS N j ) ⊕ ri D2 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ) T 1 is current timestamp M1 =< T IDi , IDS N j , D1 , D2 , T 1 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
PT
ED
M
AN US
Checks if D02 = h(DIDi ||ri ||T IDi ||Ki ||T 1 ||IDS N j ) generate a random number rh Computes P j = h(IDS N j ⊕ S ran ), D3 = h(P j ||T 2 kT r ||IDS N j ||T IDi ) ⊕ rh , D4 = ri ⊕ h(P j ||T IDi ||rh ||T 2 ), D5 = DIDi ⊕ h(P j ||ri ||rh ||T 2 ), D6 = h(IDS N j ||ri ||DIDi kT r kP j krh kT 2 ), M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→ Checks if, |T 3 − T 2 | ≤ ∆T rh0 = h(P j ||T 2 ||T r kIDS N j ||T IDi ) ⊕ D3 , ri0 = D4 ⊕ h(P j ||T IDi ||rh ||T 2 ), DID0i = D5 ⊕ h(P j ||ri ||rh ||T 2 ), ?
D6 = h(IDS N j ||ri ||DIDi kT r kP j krh kT 2 ). generates a random number r j D7 = r j ⊕ h(P j ||rh ||T 3 ) D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 kT r ). M3 =< D7 , D8 , T 3 > ←−−−−−−−−−−−−−−−−−−−−−−−−
Checks if, |T 4 − T 3 | ≤ ∆T extracts r j = D7 ⊕ h(P j ||rh ||T 3 ) ?
CE
verifies D8 = h(P j ||r j ||T 2 ||rh ||T IDi ||ri ||T 3 kT r ) computes D9 = rh ⊕ h(Ki ||DIDi ||ri ), D10 = r j ⊕ h(Ki ||rh ||DIDi ||ri ) D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ) M4 =< D9 , D10 , D11 , T 4 > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
Check if, |T 5 − T 4 | ≤ ∆T extracts rh = D9 ⊕ h(Ki ||DIDi ||ri ), r j = D10 ⊕ h(Ki ||rh ||DIDi ||ri )
AC
?
verifies D11 = h(Ki kDIDi ||r j ||T 1 ||rh kT 4 ||ri ). Shared session key S K = h(DIDi kri kr j krh kIDS N j ).
tamp of FGWN. If the verification is valid, usF ing T IDi , FGWN computes KiF = h(T IDi kXGWN ) and retrieves ri = A3 ⊕ h(KiF ||T IDi ||IDS N j ).
S ran , A4 = h(P j ||T 3 ||T r kIDS N j ||T IDi ) ⊕ r f , A5 = ri ⊕ h(P j ||T IDi ||r f ||T 3 ) and L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). FGWN sends the message M8 =< T IDi , A4 , A5 , L5 , T 3 > to S N j .
?
FGWN verifies L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ). If the verification holds, FGWN generates a random number r f and computes P j = h(IDS N j ⊕ 13
A12: On receiving the message at time T 4 , S N j checks the validity of the timestamp, i.e., |T 4 −
ACCEPTED MANUSCRIPT
14
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Figure 3: Case-2: authentication phases of the proposed scheme User Ui
Gateway node HGWN
Gateway node FGWN
Sensor node S j
−−−−−−−−−−−−−−−−−−−−−−−−−→ If |T F − T H | ≤ ∆T , ?
checks L1 = h(IDS N j kT IDi ||IDGWNh kS ran kT H ) F computes KiF = h(T IDi kXGWN ), A1 = h(T IDi ||S ran ||IDGWN f ) ⊕ (KiF ), L2 = h(T IDi ||IDGWNF ||KiF ||IDS N j kT F ),
?
L2 = h(T IDi ||IDGWN f ||KiF ||IDS N j kT F ). H Ki = h(DIDi kT IDi kXGWN ), A2 = KiF ⊕ h(Ki ||IDGWN f ) F L3 = h(Ki ||Ki ||IDS N j ||IDGWN f kT ug f ) M6 =< A2 , L3 , IDGWNF , T ug f > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
If |T 2 − T ug f | ≤ ∆T . extracts KiF = A2 ⊕ h(Ki ||IDGWN f ) ?
M7 =< T IDi , IDS N j , A3 , L4 , T 2 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
Checks if, |T 3 − T 2 | ≤ ∆T F KiF = h(T IDi kXGWN ), ri = A3 ⊕ h(KiF ||T IDi ||IDS N j ),
AN US
verifies L3 = h(Ki ||KiF ||IDS N j ||IDGWN f kT ug f ) A3 = h(KiF ||T IDi ||IDS N j ) ⊕ ri L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j )
CR IP T
M5 =
←−−−−−−−−−−−−−−−−−−−−−−−−−−− If |T ug f − T F | ≤ ∆T , computes F Ki = A1 ⊕ h(T IDi ||S ran ||IDGWN f ),
?
M
L4 = h(T IDi ||ri ||KiF ||T 2 ||IDS N j ), generates a random number r f P j = h(IDS N j ⊕ S ran ) A4 = h(P j ||T 3 ||T r kIDS N j ||T IDi ) ⊕ r f , A5 = ri ⊕ h(P j ||T IDi ||r f ||T 3 ) L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ) M8 =< T IDi , A4 , A5 , L5 , T 3 > −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−→
ED
Checks if, |T 5 − T 4 | ≤ ∆T r j = A6 ⊕ h(P j ||r f ||T 4 )
PT
?
CE
?
L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). generates a random number r j A6 = r j ⊕ h(P j ||r f ||T 4 ) L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ) M9 =< A6 , L6 , T 4 > ←−−−−−−−−−−−−−−−−−−−−−−−−
?
L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ) A7 = r f ⊕ h(KiF ||T IDi ||ri ), A8 = r j ⊕ h(KiF ||r f ||T IDi ||ri ) L7 = h(KiF kT IDi ||r j ||T 2 ||r f kT 5 ||ri )
M10 =< A7 , A8 , L7 , T 5 > ←−−−−−−−−−−−−−−−−−−−−−−−−−−−− Checks if |T 6 − T 5 | ≤ ∆T . extracts r f = A7 ⊕ h(KiF ||T IDi ||ri ) r j = A8 ⊕ h(KiF ||r f ||T IDi ||ri ), L7 = h(KiF kT IDi ||r j ||T 1 ||r f kT 4 ||ri ).
Checks if, |T 4 − T 3 | ≤ ∆T extracts r f = A4 ⊕ h(P j ||T 3 kT r ||IDS N j ||T IDi ), ri = A5 ⊕ h(P j ||T IDi ||r f ||T 3 ),
Shared session key S K = h(T IDi kri kr j kr f kIDS N j ).
?
T 3 | ≤ ∆T . If the verification is valid, S N j extracts r f = A4 ⊕ h(P j ||T 3 ||T r kIDS N j ||T IDi ), ri =
L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ). If verification holds, FGWN computes A7 = r f ⊕ h(KiF ||T IDi ||ri ), A8 = r j ⊕ h(KiF ||r f ||T IDi ||ri ) and L7 = h(KiF kT IDi ||r j ||T 2 ||r f kT 5 ||ri ) and sends the message M10 =< A7 , A8 , L7 , T 5 > to Ui via public channel.
?
AC
A5 ⊕ h(P j ||T IDi ||r f ||T 3 ), and then verifies L5 = h(IDS N j ||ri ||T IDi kT r kP j kr f kT 3 ). If the verification holds, S N j generates a random number r j and computes A6 = r j ⊕ h(P j ||r f ||T 4 ) and L6 = h(P j ||r j ||T 3 ||r f ||T IDi ||ri ||T 4 kT r ). Then, S N j sends the message M9 =< A6 , L6 , T 4 > to the FGWN.
A13: On receiving the message at time T 5 , FGWN checks the validity of the timestamp i.e., |T 5 − T 4 | ≤ ∆T . If the verification is valid, HGWN extracts r j = A6 ⊕ h(P j ||r f ||T 4 ) and verifies
A14: On receiving the message at time T 6 , Ui checks the validity of the timestamp i.e., |T 6 − T 5 | ≤ ∆T . If the verification is valid, Ui extracts r f = A7 ⊕ h(KiF ||T IDi ||ri ) and r j = ?
14
A8 ⊕ h(KiF ||r f ||T IDi ||ri ), and then verifies L7 = h(KiF kT IDi ||r j ||T 1 ||r f kT 4 ||ri ). If the verification
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
15
6. Security Analysis of the Proposed Scheme
does not hold, the connection is aborted. Otherwise, it is confirmed that the sensor node is authentic.
In this section, we first proof the mutual authentication and session key agreement using the BAN logic. Secondly, we have simulated the proposed protocol using the AVISPA simulation tool as shown in figure 4, which ensures the security of protocol against the active attacks, such as the replay attack and man-in-the-middle attack. In 2015, Wang et al. [10] pointed out that the formal methods (e.g., random oracle model, BAN logic) cannot capture the structural mistakes, and assuring soundness of authentication protocols still remains an open issue. Therefore, it is clear that the formal security analysis/verification using the BAN logic and AVISPA tool does not guarantee that a cryptographic protocol is secure against all attacks. The formal security analysis using the BAN logic[46] only proves the secure mutual authentication between sensor nodes and HGWN/FGWN. On the other hand, the formal security verification using AVISPA tool [47, 48] guarantees that whether a designed security protocol is secure against the replay and man-in-the-middle attacks. Finally, we then show that our scheme has the ability to resist various known attacks based on the adversary model, which including the sensor node capture attack.
CR IP T
A15: After successfully mutual authentication, a common secret session-key S K = h(T IDi kri kr j kr f kIDS N j ) is constructed by involved entities in the system. Using the current session key, the user can access the desired sensor node during the future communications. 5.5. Dynamic node addition phase
AN US
It may happen that a new sensor node needed to be added over the target field as and when required, after the establishment of WSNs. So, the systemadministrator(S A) deploys the new sensor node over the target region by performing the system setup phase in off-line mode. Then after, the newly added sensor node undergoes the sensor node registration phase and introduces the new sensor node into the setup network model.
M
5.6. Password change phase
In smart card based authentication protocols should be able to address password change attack [6] so that user with valid smart card and personal credentials can initiate the password change phase. Additionally, user should be able to choose and change the password without interaction with the server, i.e., “user-friendly password selection and change”. In the proposed password change phase, user can change the password without interaction with the server. A user with valid credentials and smart card can initiate the password change as:
6.1. Authentication proof using the BAN logic
PT
ED
In this section, we provide a formal protocol analysis of our proposed scheme using the BAN logic method [46]. The BAN logic is used to verify the correctness of the authentication protocol with key agreement. The protocol correctness refers to the communication parties: a legal user Ui and an accessed sensor node S j who share a fresh shared session key with each other after the protocol is executed. We first provide some notations of the BAN logic as follows:
CE
P1: Ui inputs IDi and PWi . Ui imprints Bi . S Ci computes u = Ci ⊕ H(Bi ). To resist password change ? attack S Ci verifies Vi = h(IDi ⊕ PWi ⊕ u). Using this condition , S Ci identifies the correctness of user credentials. If verification holds, S Ci asks for the new password.
AC
• P|≡ X: The principal P believes the announcement X. • P / X: P considers X, which means that a message containing X is received by P where X can be read by P.
P2: On receiving new password PWinew , S Ci computes RPWi = h(PWi ||u||IDi ), RPWinew = h(PWinew ||u||IDi ), Yinew = Yi ⊕ RPWi ⊕ RPWinew and Vinew = h(IDi ⊕ PWinew ⊕ u).
• P|∼ X: P sometime stated X, which means that P|≡ X as P once stated it in sometime. • P|⇒ X: P commands X, P has complete authority on X, and P considers X as trusted (Jurisdiction over X).
P3: S Ci replace the stored parameters Vi and Yi with Vinew and Yinew , respectively. 15
ACCEPTED MANUSCRIPT
16
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
• ](X): The message X is fresh, which means that no any entity sent a message containing X at whenever ahead of current round.
If P believes Q believes the message set (X, Y), P also believes Q believes the message X. Rule (6). Session key rule: For shared secret keys:
SK
P|≡ ](X), P|≡ Q|≡ X
• P|≡ Q ←→ P: P and Q use S K (shared key) to communicate with each other.
k
SK
• P ←→ Q : P and Q use S K as a shared secret between them.
CR IP T
P and Q is said to believe X, if P believes that the shared session key is fresh. Then P belives the session key k with Q . According to the analytic procedures of the BAN logic, our proposed protocol should satisfy the following goals:
• < X >Y : The formula X is combined with the formula Y. • (X): The formula X is hashed value.
SK
Goal 1. HGWN|≡ (Ui ←→ HGWN);
• (X, Y): The formulas X and Y are combined and then hashed .
SK
Goal 2. HGWN|≡ Ui |≡ (Ui ←→ HGWN); SK
Goal 3. S N j |≡ (HGWN ←→ S N j );
• (X, Y)k : The formulas X and Y are combined and then hashed with the key k.
AN US
k
M
(2)
ED
SK
Goal 9. FGWN|≡ (HGWN ←→ FGWN).
SK
Goal 10. FGWN|≡ HGWN|≡ (HGWN ←→ FGWN). SK
Goal 11. HGWN|≡ (FGWN ←→ HGWN). SK
Goal 12. HGWN|≡ FGWN|≡ (FGWN ←→ HGWN). SK
Goal 13. FGWN|≡ (Ui ←→ FGWN); SK
Goal 14. FGWN|≡ Ui |≡ (Ui ←→ FGWN).
(3)
SK
Goal 15. S N j |≡ (FGWN ←→ S N j );
SK
Goal 16. S N j |≡ FGWN|≡ (FGWN ←→ S N j );
PT
CE
AC
SK
Goal 8. Ui |≡ HGWN|≡ (HGWN ←→ Ui );
SK
Goal 17. FGWN|≡ (S N j ←→ FGWN); SK
Goal 18. FGWN|≡ S N j |≡ (S N j ←→ FGWN). SK
Goal 19. Ui |≡ (FGWN ←→ Ui );
(4)
(5)
If one part is known to be fresh, the entire formula must be fresh. Rule (5). Belief rule: P|≡ Q|≡ (X, Y) . P|≡ Q|≡ (X)
SK
Goal 7. Ui |≡ (HGWN ←→ Ui );
If P believes that Q has jurisdiction over X, and P believes that Q believes a message X, P also believes X. Rule (4). Freshness rule: P|≡ ](X) . P|≡ ](X, Y)
SK
Goal 6. HGWN|≡ S N j |≡ (S N j ←→ HGWN).
If P believes that X is expressed recently (freshness) and P believes that Q once said X, P believes that Q believes X. Rule (3). Jurisdiction rule: P|≡ Q|≡ X, P|≡ Q|⇒ X . P|≡ X
SK
Goal 5. HGWN|≡ (S N j ←→ HGWN);
P is said to believe Q, if P believes that k is shared with Q and P sees X is encrypted under k. Rule (2). Nonce verification rule: P|≡ ](X), P|≡ Q|∼ X . P|≡ Q|≡ X
SK
Goal 4. S N j |≡ HGWN|≡ (HGWN ←→ S N j ).
In order to describe logical postulates of BAN logic in formal terms [46], we present the following rules: Rule (1). Message meaning rule: For shared secret keys: P|≡ Q ←→ P, P / {X}k . P|≡ Q| ∼ X
(7)
.
P|≡ P ←→ Q
(6) 16
SK
Goal 20. Ui |≡ FGWN|≡ (FGWN ←→ Ui ). Prior to the formal analysis, we first idealize the communicated messages of our proposed protocol to alleviate the analysis between Ui and S j , which are as follows: Message 1: Ui → HGWN : T IDi , IDS N j , D1 , D2 :< ri >Ki , T 1 . Message 2: HGWN → S N j : T IDi , D3 :< rk >P j , D4 , D5 , D6 , T 3 . Message 3: S N j → HGWN : D7 , D8 :< r j , rk , T IDi >P j , T5. Message 4: HGWN → Ui : D9 , D10 , D11 :< ri , r j , rk >DIDi , T 7 .
ACCEPTED MANUSCRIPT
17
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Message 5: HGWN → FGWN : IDS N j , T IDi , IDHGWN , Li . Message 6: FGWN → HGWN : A1 , IDHGWN , L2 :< T IDi , IDFGWN >KiF , T IDi . Message 7: HGWN → Ui : A2 , L3 :< Ki , IDFGWN >KiF , IDFGWN . Message 8: Ui → FGWN : T IDi , IDS N j , A3 , L4 :< ri >KiF , T 2 . Message 9: FGWN → S N j : T IDi , A4 , A5 , L5 :< ri , P j >r f ) , T 3 . Message 10: S N j → FGWN : A6 , L6 :< P j , T IDi >r j ,r f ,ri , T 4 . Message 11: FGWN → Ui : A7 , A8 , L7 :< T IDi , ri , r f , r j >KiF , T 5 . Based on our proposed protocol, we make some initial state assumptions, which are listed as follows: A1 : Ui |≡ ](ri , r j , rk , r f ); A2 : HGWN|≡ ](ri , r j , rk ); A3 : S N j |≡ ](ri , r j , rk , r f ); A4 : FGWN|≡ ](r, r j , r f ); Pj
C2 : HGWN|≡ (HGWN ←→ S N j ); Pj
C3 : S N j |≡ (S N j ←→ HGWN); KiF ,A3
P j ,r f ,A5
C6 : FGWN|≡ (FGWN ←→ S N j );
CR IP T
M
DIDi
C5 : Ui |≡ (Ui ←→ FGWN);
SK
Step 5: HGWN|≡ (Ui ←→ HGWN). (Goal 1) From Step 5 and assumption A2 , we apply the nonce verification rule and jurisdiction rule to get:
AN US
Ki
C1 : Ui |≡ (Ui ←→ HGWN);
C4 : HGWN|≡ (HGWN ←→ Ui );
Step 1: HGWN / IDHGWN , T IDi , IDS N j , D1 , D2 :< ri >Ki , T 1 . From Step 1 and assumption C1 , we apply the message meaning rule to get: Step 2: HGWN|≡ Ui |∼ ri . From assumption A2 and Step 2, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 3: HGWN| ≡ Ui | ≡ ri . Where ri is the necessary parameter of the session key of the proposed protocol. According to B1 , S 3 and the jurisdiction rule is applied, we get Step 4: HGWN|≡ ri . From the assumption A2 and Step 3, we apply the session key rule to obtain:
A7 ,r f
ED
A6
C7 : S N j |≡ (S N j ←→ FGWN);
C8 : FGWN|≡ (FGWN ←→ Ui ); S ran
C9 : HGWN|≡ (HGWN ←→ FGWN); KiF
PT
C10 : FGWN|≡ (FGWN ←→ HGWN); B1 : HGWN|≡ (Ui → ri ); B2 : S N j |≡ (HGWN → rk ); B3 : HGWN|≡ (S N j → r j ); B4 : Ui |≡ (HGWN → rk ); B5 : FGWN|≡ (Ui → ri ); B6 : S N j |≡ (FGWN → r f ); B7 : FGWN|≡ (S N j → r j ); B8 : Ui |≡ (FGWN → rk ); B9 : HGWN|≡ (FGWN → KiF ); B10 : FGWN|≡ (HGWN → S ran ); Further, we demonstrate our proposed protocol based on the rules of the BAN logic and the efficiency by showing Ui and S N j share a common session key S K to ensure the secure communication by achieving the intended goals using the initial assumptions. The inside information descriptions are as follows. According to the message 1, we could obtain:
SK
Step 6: HGWN|≡ Ui |≡ (Ui ←→ HGWN). (Goal 2) According to the message 2, we could obtain: Step 7: S N j / T IDi , D3 :< rk >P j , D4 , D5 , D6 , T 3 According to C2 , Step 7, we apply the message meaning rule, we get: Step 8: S N j |≡ HGWN|∼ rk From assumptions A3 and Step 8, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 9: S N j |≡ HGWN|≡ rk . Where rk is the necessary parameter of the session key of the proposed protocol. From Steps 9 and B2 , we apply the jurisdiction rule to obtain: Step 10: S N j |≡ rk From Steps 9 and A3 , and the session key rule is applied to obtain: SK
CE
Step 11: S N j |≡ HGWN ←→ S N j . (Goal 3) From Step 11 and assumption A3 , and nonce verification rule is applied, to get: SK
AC
Step 12: S N j |≡ HGWN|≡ HGWN ←→ S N j . (Goal 4) According to the message 3, we could obtain: Step 13: HGWN / D7 , D8 : hr j , rk iP j , T 5 . From Step 13 and assumption C3 , we apply the message meaning rule to get: Step 14: HGWN|≡ S N j |∼ r j . From assumption A2 and Step 14, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 15: HGWN|≡ S N j |≡ r j , where r j is the necessary parameter of the session key of the proposed protocol. According to Step 15 and B3 , we apply the jurisdiction rule to obtain: 17
ACCEPTED MANUSCRIPT
18
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Step 16: HGWN| ≡ r j . From the assumption A2 and Step 15, we apply the session key rule to obtain:
From Step 32 , we apply the nonce verification rule to get: Step 33: HGWN|≡ FGWN|≡ KiF . From Steps 33 and B9 , we apply the jurisdiction rule to obtain: Step 34: HGWN|≡ KiF . According to Step 33 and Step 34, the session key rule is applied, we get:
SK
Step 17: HGWN|≡ (S N j ←→ HGWN). (Goal 5) From Step 17 and the assumption A2 , we apply the nonce verification rule to get: SK
Step 18: HGWN|≡ S N j |≡ S N j ←→ HGWN. (Goal 6) According to the message 4, we could obtain: Step 19: Ui / D9 , D10 , D11 :< ri , r j , rk >DIDi , T 7 . From Step 19 and assumption C4 , we apply the message meaning rule to get: Step 20: Ui |≡ HGWN|∼ rk . From assumptions A1 and Step 20, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 21: Ui |≡ HGWN|≡ rk . Where rk is the necessary parameter of the session key of the proposed protocol. According to B4 and Step 21, we apply the jurisdiction rule to obtain: Step 22: Ui |≡ rk . According to A1 and Step 21, we apply the session key rule to obtain:
SK
CR IP T
Step 35: HGWN|≡ (FGWN ←→ HGWN). (Goal 11) According to Step 35, We apply the nonce verification rule to get: SK
AN US
SK
Step 23: Ui |≡ HGWN ←→ Ui . (Goal 7) From Step 23 and assumption A1 , we apply the nonce verification rule to get: SK
ED
M
Step 24: Ui |≡ HGWN|≡ (HGWN ←→ Ui ). (Goal 8). According to the message 5, we could obtain: Step 25: FGWN / IDS N j , T IDi , IDFGWN , Li :< S ran >IDS N j . From Step 25 and assumption C9 , we apply the message meaning rule to get: Step 26: FGWN|≡ HGWN|∼ S ran . From Step 26 , we apply the nonce verification rule to get: Step 27: FGWN|≡ HGWN|≡ S ran . From Steps 27 and B8 , we apply the jurisdiction rule to obtain: Step 28: FGWN|≡ S ran . According to Step 27 and Step 28, the session key rule is applied, we get:
SK
PT
CE
SK
SK
Step 30: FGWN|≡ HGWN|≡ (HGWN ←→ FGWN). (Goal 10) According to the message 6, we could obtain: Step 31: HGWN / A1 , IDHGWN , L2 :< T IDi , KiF >IDFGWN . From Step 31 and assumption C10 , we apply the message meaning rule to get: Step 32: HGWN|≡ FGWN|∼ KiF .
SK
Step 41: Ui |≡ HGWN ←→ Ui . (Goal 7) From Step 41 and assumption A1 , we apply the nonce verification rule to get: Step 42: Ui |≡ HGWN|≡ (HGWN ←→ Ui ). (Goal 8). According to the message 8, we could obtain: Step 43: FGWN / T IDi , IDS N j , A3 , L4 :< ri >KiF , T 2 . From Step 43 and assumption C1 0, we apply the message meaning rule to get: Step 44: FGWN|≡ Ui |∼ ri . From assumptions A4 and Step 44 , we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 45: FGWN| ≡ Ui | ≡ ri . Where ri is the necessary parameter of the session key of the proposed protocol. From Steps 45 and B5 , we apply the jurisdiction rule to obtain: Step 46: FGWN|≡ ri . According to A4 and Steps 45 and 46, the session key rule is applied, we get:
Step 29: FGWN|≡ (HGWN ←→ FGWN). (Goal 9) According to Step 29, We apply the nonce verification rule to get:
AC
Step 36: HGWN|≡ FGWN|≡ (FGWN ←→ HGWN). (Goal 12) According to the message 7, we could obtain: Step 37: Ui / A2 , L3 :< KiF , IDFGWN >Ki . From Step 37 and assumption C5 , we apply the message meaning rule to get: Step 38: Ui |≡ HGWN|∼ KiF . From assumptions A4 and Step 38, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 39: Ui |≡ HGWN|≡ KiF . According to B9 and Step 39, we apply the jurisdiction rule to obtain: Step 40: Ui |≡ KiF . According to A1 , A4 and Step 40, we apply the session key rule to obtain:
SK
Step 47: FGWN|≡ (Ui ←→ FGWN). (Goal 13) According to A4 , and Step 47 and nonce verification rule is to get: SK
18
Step 48: FGWN|≡ Ui |≡ (Ui ←→ FGWN). (Goal 14)
ACCEPTED MANUSCRIPT
19
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
According to the message 9, we could obtain: Step 49: S N j / T IDi , A4 , A5 , L5 :< ri , P j >r f , T 3 According to C2 , B5 and Step 49, we apply the message meaning rule, we get: Step 50: S N j |≡ FGWN|∼ ri , P j , r f From assumptions A3 and Step 50, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 51: S N j | ≡ FGWN| ≡ ri , P j , r f . Where ri and r f are the necessary parameter of the session key of the proposed protocol. From Steps 51 and B6 , we apply the jurisdiction rule to obtain: Step 52: S N j |≡ ri , P j , r f From Steps 52 and A3 , and the session key rule is applied to obtain:
Step 64: Ui |≡ r f . According to A1 and Steps 63 and 64, we apply the session key rule to obtain: SK
Step 65: Ui |≡ FGWN ←→ Ui . (Goal 19) From Step 65 and assumption A1 , we apply the nonce verification rule to get: SK
CR IP T
Step 66: Ui |≡ FGWN|≡ (FGWN ←→ Ui ). (Goal 20). According to Steps 5 , 6, 11, 12, 17, 18, 23, 24, 29, 30,35, 36, 41, 42, 48, 47, 53, 54, 59, 60, 65 and 66, it is clear that our protocol successfully achieves all the goals (Goals 1-20). Both Ui and S N j believe that they share a secure session key S K = h(DIDi kri kr j krk kIDS N j ) with each other via HGWN/FGWN. 6.2. Simulation of proposed scheme using AVISPA tool
SK
AN US
Step 53: S N j |≡ FGWN ←→ S N j . (Goal 15) From Step 53 and assumption A3 , and nonce verification rule is applied, to get: SK
M
Step 54: S N j |≡ FGWN|≡ FGWN ←→ S N j . (Goal 16) According to the message 10, we could obtain: Step 55: FGWN / A6 , L6 : hT IDi , ri , P j , r j , rk ir f , T 4 . From Step 55 and assumption C7 , we apply the message meaning rule to get: Step 56: FGWN|≡ S N j |∼ r j . From assumption A4 and Step 56, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 57: FGWN|≡ S N j |≡ r j , where r j is the necessary parameter of the session key of the proposed protocol. According to Step 57 and B7 , we apply the jurisdiction rule to obtain: Step 58: FGWN| ≡ r j . From the assumption A4 and Step 58, we apply the session key rule to obtain:
ED
Figure 4: Architecture of AVISPA tool
PT
In this section, we simulate our scheme for the formal security verification using AVISPA tool as shown in figure 4. Note that the formal security verification using AVISPA tool only guarantees that whether a designed security protocol is secure against the replay and man-in-the-middle attacks. AVISPA is a powerful modular and expressive formal language for specifying protocols and their security properties, which integrates different back-ends that implement a variety of state-ofthe-art automatic analysis techniques [47]. AVISPA is a push-button tool for the automated validation of Internet security-sensitive protocols and applications. In recent years, AVISPA becomes a tool for the security verification against the replay and man-in-the-middle attacks [49]. The four back-ends supported in AVISPA are the On-the-fly Model-Checker (OFMC), Constraint Logic based Attack Searcher (CL-AtSe), SAT-based ModelChecker (SATMC) and Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP). The detailed descriptions of these backends can be found in [47].
SK
CE
Step 59: FGWN|≡ S N j ←→ FGWN). (Goal 17) From Step 59 and the assumption A4 , we apply the nonce verification rule to get: SK
AC
Step 60: FGWN|≡ S N j |≡ S N j ←→ FGWN. (Goal 18) According to the message 11, we could obtain: Step 61: Ui / A7 , A8 , L7 :< T IDi , ri , r f , r j >KiF , T 5 . From Step 61 and assumption C8 , we apply the message meaning rule to get: Step 62: Ui |≡ FGWN|∼ r f . From assumptions A1 and Step 62, we apply the freshness conjuncatenation rule and nonce verification rule to get: Step 63: Ui |≡ FGWN|≡ r f . Where r f is the necessary parameter of the session key of the proposed protocol. According to A1 and Step 63, we apply the jurisdiction rule to obtain: 19
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
The security protocols to be analyzed under the AVISPA are first specified in the HLPSL (High Level Protocols Specification Language). HLPSL is a roleoriented language [47], which is based on various roles: the basic roles represent each participant role, and composition roles represent the scenarios of basic roles. Note that each role represented in HLPSL is independent from the others, which gets some initial information by parameters, and then communicates with the other roles by channels. An intruder is always denoted by i and it is always modeled using the DolevYao model [41]. Hence, the intruder can be acted as a legitimate role in a protocol run. The role system also defines a number of sessions, and a number of principals and some basic roles. HLPSL is first translated using HLPSL2IF translator in order to convert into the intermediate format (IF), which is then fed to one of the backends to produce the output format (OF). OF typically has the following sections [48]:
20
• text: It is often used as nonces. These values can be also used for messages. For example, if T i is of type text (fresh), then T i0 represents a fresh value which the intruder cannot guess easily. • nat: It represents the natural numbers in nonmessage contexts. • const: It basic type denotes the constants.
CR IP T
• hash func: It represents cryptographic hash functions. Note that for a given plaintext message P and encryption key K, {P} K denotes the symmetric/public-key encryption. The associative “·” operator is always used for concatenation purpose.
AN US
6.3. Specifying the Protocol
• SUMMARY: This section represents that whether the tested protocol is safe, unsafe, or whether the analysis is inconclusive.
M
• DETAILS: This is a section, which either explains under what condition the tested protocol is declared safe, or what conditions have been used for finding an attack, or finally why the analysis was inconclusive.
PT
ED
• PROTOCOL, GOAL and BACKEND: These are the sections denote the name of the protocol, the goal of the analysis and the name of the back-end used, respectively.
CE
• Finally, after some comments and statistics, the trace of an attack (if any) is also printed in the standard Alice-Bob format.
AC
Some basic types supported in HLPSL are discussed below for better understanding of the specifications of various roles described in Section 6.3 [47]: • agent: It is used for a principal name. The intruder is always assumed to have the special identifier i. • public key: It is for agents’ public keys in a publickey cryptosystem. For example, given a public (respectively private) key PK, its inverse private (respectively public) key is obtained by inv PK. • symmetric key: It is for the keys for a symmetrickey cryptosystem. 20
In this section, we provide the descriptions of the specifications of various roles in HLPSL for our scheme. Three basic roles for a user Ui , the GWN and an accessed sensor node S j are implemented in HLPS L. Apart from these roles, we need to specify the roles for the session, goal and environment in HLPS L. We have implemented our scheme for the formal security verification during the registration phase including the user and sensor node registration phases, login phase and authentication and key agreement phase. We discuss the details for the role of the initiator as shown in Figure 5. Ui first receives the start signal, changes its state from 0 to 1, which is maintained by the variable State. Ui then sends the registration request message {DIDi , RPWi } to the GWN through a secure channel during the user registration phase with the help of S END( ) operation.The type declaration channel(dy) means that the channel is for the Dolev-Yao threat model [41]. The declaration secret() indicates that the < IDi , PWi > are only known to the user Ui . In transition 2, the Ui receives the smart card containing the information {Yi , T IDi , IDHGWN } securely from the GWN with the help of RECV( ) operation securely and changes its state from 1 to 3. During the login phase, Ui generates a random number Ri0 and timestamp T 10 using new() operation. As a login request message Ui sends {T IDi , IDS N j , D1 , D2 , T 1 } to the accessed home gateway node HGWN through an insecure channel. By the declaration witness(Ui, HGWN, user gateway ri, Ri0 ) mean that Ui has freshly generated the random number Ri and a timestamp T 1 for HGWN and the declaration request(Ui, HGWN, user gateway ri, Ri0 )) indicates that HGWN authenticates the Ui . Moreover, the declaration secret(Ri0 , sub2, Ui, HGWN, S N j) tells
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
21
Figure 6: Role specification in HLPSL for the GWN
CR IP T
%Send smartcard information securely /\Sran':=new() /\Pj':= H(IDsnj.Sran')/\secret({Pj', Sran'},sub5,{HGWN,SNj})
M
2. State = 1 /\ RECV({Yi.IDgwnh.TIDi}_SK1)=|> % Ui receives
%%%%%%%%%%% Role for GWN %%%%%%%%%%%%%%%%%%%% role gateway(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by HGWN def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, PSj, Sran : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc : hash_func const user_gateway_ri, gateway_snode_rk, snode_gateway_rj, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id init State := 0 transition % Receives registration request message from user 1. State = 0 /\ RECV({DIDi.RPWi}_SK1) =|> State' := 1 /\ TIDi':=new() /\ Ki':= H(DIDi.TIDi'.Xk) /\ Yi':= xor(Ki', RPWi) /\ secret({Xk}, sub3,{HGWN}) /\ secret({DIDi}, sub4,{HGWN,Ui}) /\ SEND({Yi'.IDgwnh.TIDi'}_SK1)
AN US
% symmetric key between Ui and GWN SK1 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by Ui def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, Sran, SKi : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc : hash_func const user_gateway_ri, gateway_snode_rk, snode_gateway_rj, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id init State := 0 transition % Start User registration phase % Ui sends < DIDi, RPWi > to GWN via a secure channel 1. State = 0 /\ RECV(start) =|> State' := 1 /\ R' :=new() /\ DIDi':= H(IDi.R') /\ RPWi':=H(PWi.R'.IDi) /\ SEND({DIDi'. RPWi'}_SK1) % Send registration request to the HGWN /\ secret({IDi,PWi},sub1,Ui)
3. State = 2 /\ RECV(D9'.D10'.D11'.T4)=|> State' := 3 /\ Rk':=xor(D9,H(Ki.DIDi.Ri)) /\ Rj':=xor(D10, H(Ki.Rk.DIDi.Ri)) /\ D11':=H(Ki.DIDi.Rj.T1.Rk.T4.Ri) /\ SKi':= H(DIDi.Ri.Rj.Rk.IDsnj) end role
2. State = 1 /\ RECV(IDsnj.PSj') =|> State' := 2 /\ Pj':= xor(PSj',Sran) % Receive Login message from user 3. State= 2 /\ RECV(TIDi.IDsnj.D1.D2.T1)=|> State':=3 /\ Rk':=new() /\ T3':= new() /\ D3':=xor(H(Pj.T3.IDsnj.TIDi),Rk') /\ D4':= xor(Ri,H(Pj.TIDi.Rk'.T3')) /\ D5':=xor(DIDi, H(Pj.Ri .Rk'.T3')) /\ D6':= H(IDsnj.Ri.DIDi.Pj.Rk'.T3')
ED
% send message to the snode node /\ SEND(TIDi.D3'.D4'.D5'.D6'.T3') /\secret({Rk'}, sub6, {Ui,HGWN,SNj}) /\ request(HGWN,SNj,gateway_snode_rk,Rk')
PT
4. State=3 /\RECV(D7.D8.T5)=|> State':=4 /\ T6':= new() /\Rj':= xor(D7,H(Pj.Rk.T5)) /\ D9':= xor(Rk,H(Ki.DIDi.Ri)) /\ D10':= xor(Rj, H(Ki.Rk.DIDi.Ri)) /\ D11':= H(Ki.DIDi.Rj.T1.Rk.T4.Ri) % send message to the user /\ SEND(D9'.D10'.D11'.T4) end role
CE
Figure 5: Role specification in HLPSL for the user Ui
AC
that the random number Ri’ is only known to the < Ui, HGWN, S N j >. During the authentication and key agreement phase, Ui waits for the acknowledgment message {D90 .D100 .D100 .T 7} via a public channel and changes its state from 3 to 5. Finally, Ui accepts the legitimacy of S N j by checking the timestamp T 7 generated by S N j . The Ui computes the session S Ki0 := H(DIDi.Ri.R j.Rk.IDS N j and uses it for the future communications over the public channel. In Figure 6, we have presented the role for the home gateway node HGWN in HLPS L language. Initially, HGWN receives registration message {DIDi , RPWi }
with the help of RECV( ) operation from the Ui securely. After that, HGWN generates a temporary identity and computes the smartcard parameters and finally, sends the registration reply message {Yi , T IDi , IDHGWN } with the help of S END( ) operation securely to the Ui . After that, HGWN generates a random number S ran with the help of the new() operation and computes a secret parameter P j which is shared between the gateway and sensor nodes. The declaration secret(P j0 , S ran0 , sub5, HGWN, S N j) indicates 21
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
22
Figure 7: Role specification in HLPSL for the sensor S j
% Start sensor node Registration 1. State = 0 /\ RECV(start) =|> State' := 1 /\ PSj':=xor(Pj,Sran) /\ SEND(IDsnj.PSj') % Send registration message to HGWN 2. State = 1 /\ RECV(TIDi.D3.D4.D5.D6.T3 ) =|>
M
% Receive message from HGWN State' := 2 /\ Rj':=new() /\ T3':=new() /\ Rk':= xor(H(Pj.T3'.IDsnj.TIDi),D3) /\ Ri':=xor(D4,H(Pj.TIDi.Rk'.T3')) /\DIDi':= xor(D5,H(Pj.Ri'.Rk'.T3')) /\ D7':=xor(Rj',H(Pj.Rk.T3')) /\ D8':= H(Pj.Rj'.T3'.Rk.TIDi.Ri.T3) /\ SEND(D7'.D8'.T3')
ED
% Send message to the HGWN /\ secret({Rj'},sub7,{Ui,HGWN,SNj}) /\ witness(SNj,Ui,snode_user_rj,Rj') /\ request(SNj,HGWN,snode_gateway_rj,Rj')
PT
end role
CR IP T
init State := 0 transition
role environment() def= const ui, snj, hgwn: agent, sk1, sk2 : symmetric_key, h : hash_func, idi,pwi,didi,rpwi,tidi,idgwnh,idsnj,yi,vi,ci, ki, r,ri,rj,rk, t1,t2,t3,t4,t5,t6,t7,xk,pj,psj, sran: text, d1, d2,d3,d4,d5,d6,d7,d8, d9,d10,d11: message, user_gateway,gateway_snode,snode_user, sub1, sub2,sub3,sub4,sub5,sub6,sub7: protocol_id % Represents Intruder Knowledge intruder_knowledge = {ui, snj, hgwn, h,yi,idgwnh,idsnj,vi, ci,tidi,d1,d2,t1,d3,d4,d5,d6,t3,d7,d8,t5,d9,d10,d11,t4} composition session(ui, snj, hgwn, sk1, sk2, h)/\ session(i, snj, hgwn, sk1, sk2, h) /\ session(ui, i, hgwn, sk1, sk2,h) /\ session(ui, snj, i, sk1, sk2,h) end role goal
AN US
%%%%%%%%%%% Role for snode node Sj %%%%%%%%%%%%%% role snode(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func, SEND, RECV: channel(dy)) played_by SNj def= local State : nat, IDi, PWi, DIDi, RPWi, TIDi, IDgwnh, IDsnj, Yi,Vi, Ci, Ki, R, Ri,Rj,Rk, T1,T2,T3,T4,T5, T6, T7, Xk, Pj, PSj, Sran, SKi : text, D1, D2,D3,D4,D5,D6,D7,D8, D9,D10,D11: message, Inc: hash_func const user_gateway_ri, snode_gateway_rj, gateway_snode_rk, snode_user_rj, sub1, sub2, sub3, sub4, sub5, sub6, sub7: protocol_id
role session(Ui, SNj, HGWN : agent, % symmetric key between Ui and GWN SK1 : symmetric_key, % symmetric key between snode node and GWN SK2 : symmetric_key, % H is hash function H : hash_func) def= local SI, SJ, RI, RJ, TI,TJ,PI, PJ : channel (dy) composition user(Ui, SNj, HGWN, SK1, H, SI, RI) /\ gateway(Ui, SNj, HGWN, SK1, SK2, H, SJ, RJ) /\ snode(Ui, SNj, HGWN, SK1, SK2, H, TI, TJ) end role
% Verifies authentication of the random numbers used authentication_on user_gateway_ri authentication_on gateway_snode_rk % authentication_on gateway_user_rk authentication_on snode_user_rj authentication_on snode_gateway_rj
CE
% user_gateway_ri, gateway_snode_rk, snode_user_rj end goal environment()
Figure 8: Role specification in HLPSL for the session and environment
AC
that the secret parameters (P j0 , S ran0 ) are shared between HGWN and SNj. During the sensor node registration phase, HGWN first receives {IDsn j.Ps j0 } with the help of the RECV() operation and then further computes P j0 := xor(PS j0 , S ran) and stores P j0 in its memory of the corresponding IDsn j. In transition 3, HGWN receives the message {T IDi.IDsn j.D1.D2.T 1} as a login request with
% Verifies secrecy of the confidential information secrecy_of sub1 secrecy_of sub2 secrecy_of sub3 secrecy_of sub4 secrecy_of sub5 secrecy_of sub6 secrecy_of sub7
the help of RECV( ) operation from the Ui over the public channel and then generates a random number Rk0 and timestamp T 20 with the help of the new() operation. After that, the HGWN sends the message {T IDi.D3.D4.D5.D6.T 20 } to the SNj with the help of the S END( ) operation over the public channel.The declaration secret(Rk0 , sub6, Ui, HGWN, S N j) tells that the pa22
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
rameter Rk0 is only known to the < Ui, HGWN, S N j > and the request(HGWN, S N j, hgateway snode rk, Rk0 ) indicates that the SNj authenticates HGWN. In transition 4, HGWN receives the message {D7.D8.T 3} as a request with the help of RECV( ) operation from the S N j over the public channel and then generates a timestamp T 4 and sends the message {D9.D10.D11.T 40 } to the Ui with the help of the S END( ) operation over the public channel. In Figure.7, we have presented the role of the sensor node S N j in HLPS L language. Initially, the S N j computes PS j0 := xor(P j, S ran) and then sends the message {IDsn j.PS j0 } to HGWN with the help of the S END( ) operation over the public channel. Then, the SNj receives the message {T IDi.D3.D4.D5.D6.T 20 } with the help of RECV( ) operation from the HGWN over the public channel and then generates a random number R j0 and timestamp T 30 with the help of the new() operation. After that, the S N j sends the message {D70 .D80 .T 30 } to HGWN. The declaration secret(R j0 , sub7, Ui, HGWN, S N j) indicates that the random number R j is only known to the entities of the system. Moreover, the declaration witness(S N j, Ui, snode user r j, R j0 ) tells that the S N j generates R j0 freshly for the Ui. In Figure.8, we have presented the roles for the session, goal and the environment in HLPS L language. In the session segment, all the basic roles including the roles for the Ui, HGWN and the (S N j)are instanced with concrete arguments. The environment section contains the global constant and composition of one or more session and the intruder knowledge is also given. It may be noted that we have provided all the public parameters including all the transmitted messages between the entities involved. The current version() of HLPS L supports the standard authentication and secrecy goals. In our implementation, the following secrecy goals and authentications are verified.
23
AN US
CR IP T
6. The secrecy of sub6 represents that the secret parameters < Rk > is shared among < Ui, HGWN, S N j >. 7. The secrecy of sub7 represents that the secret parameters < R j > are shared between < Ui, HGWN, S N j >. 8. The authentication on user gateway ri represents that the (Ui) generates a random number (ri) and if the (HGWN) receives it through message securely, the (HGWN) then authenticates the (Ui). 9. The authentication on snode gateway r j represents that the (SNj) generates a random number (rj) and if the (HGWN) receives it through message securely, the (HGWN) then authenticates the (SNj). 10. The authentication on gateway snode rk represents that the (HGWN) generates a random number (rk) and if the (S N j) receives it through message securely, the (S N j) then authenticates the (HGWN).
CE
PT
ED
M
6.4. Simulation Results We have simulated our proposed authentication scheme for the Case-1 under the OFMC and CL-AtSe backends using the Security Protocol ANimator for AVISPA (SPAN) [47]. The following verifications are executed in our scheme ([49]): • Executability check on non-trivial HLPSL specifications: Due to some modeling mistakes, it may be possible that the protocol model cannot execute to completion. As a result, it may be possible that the AVISPA backends cannot find an attack, if the protocol model cannot reach to a state where that attack can happen. An executability test is thus extremely essential [48]. Our implementation shows that the protocol description is well matched with the designed goals as specified in Figures 5-8 for the executability test. • Replay attack check: For the replay attack checking, the OFMC and CL-AtSe backends verify whether the legitimate agents can execute the specified protocol for the Case-1 by performing a search of a passive intruder. These back-ends provide the intruder the knowledge of some normal sessions between the legitimate agents. The test results reported in Figures.9a, indicate that our proposed authentication protocol for Case-1 is secure against the replay attack.
AC
1. The secrecy o f sub1 represents that the user confidential parameters < IDi, Pwi > are kept secret to only (Ui). 2. The secrecy of sub2 represents that the random number Ri is only known to < Ui, HGWN, S N j >. 3. The secrecy of sub3 indicates that the secret key Xgwnh of the home gateway node is kept secret to only (HGWN). 4. The secrecy of sub4 indicates that the parameter DIDi is only known to < Ui, HGWN, S N j >. 5. The secrecy of sub5 represents that the secret parameters < P j, S ran > are shared between < HGWN, S N j >.
• Dolev-Yao model check: Finally, for the Dolev-Yao model checking, the OFMC and CL-AtSe backends verifies if there is any man-in-the-middle attack possible by an intruder (i). Under OFMC, 216 23
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
nodes are visited and the depth is 6plies, where the search time is 3.13 seconds. Under CL-AtSe, the translation and computation times are 0.18 seconds and 0.00 seconds, respectively. The results reported in Figure.9, clearly show that our proposed authentication protocol for Case-1 fulfills the design properties and is secure under these backends.
property of the cryptographic one-way hash function. Therefore, our proposed protocol can resist privileged insider attack. 7.3. Session key computation attack Both the sender and receiver agree upon a common secret session key using which they can exchange their information securely over a public channel, after the mutual authentication of the sender and receiver is verified. Hence, the session key of the protocol should be protected by strong security protection to resist any attack by the attacker. In our proposed protocol, once the mutual authentication is established, the session key for Case-1 or Case-2 will be considered. Our session key relies on the secret parameters < DIDi , ri , r j , rh , IDS N j > for Case-1 and < T IDi , ri , r j , r f , IDS N j > for Case-2. In both the cases, these parameters are used in computing a hash value. Due to the non-invertible property of the cryptographic one-way hash function, the attacker cannot gain the advantage over the session key without knowing the secret parameters in any of the cases.
CR IP T
Note: We have simulated our proposed authentication scheme for the Case-1 under the OFMC and CLAtSe backends using the Security Protocol ANimator for AVISPA (SPAN), Case-2 can also be simulated similar to the Case-1. 7. Informal security analysis of our proposed scheme
AN US
7.1. Replay attack
24
In the replay attack, the attacker captures the previously transmitted messages and use them during the protocol execution to make the received entity believe that the transmitted message is from legal entity and fresh. In order to justify our protocol resist replay attack, we assume that the attacker has captured the previous executed messages of the protocol and later tries to transmit the same message to the targeted entity. The protocol rejects the attacker’s message due to invalid transmission time delay, as the protocol uses the systems timestamp and checks the transmission time delay. However, such type of scenarios suffer from clock synchronization problem. So, assume that the protocol strictly maintains global clock for synchronizing the timestamp. Hence, our proposed protocol can resist replay attack.
PT
ED
M
7.4. Gateway node impersonate attack
7.2. Privileged insider attack
AC
CE
Practically, it is assumed that the remote server is trusted. So, the server provides confidentiality to the users credentials, where leakage of any confidential parameters of the user is not permitted. But, it is observed that due to the presence of an insider, systems can get hacked. Therefore, the user’s information such as identity and password should be kept secret such that the insider of the remote server cannot gain control over the user’s information. In our proposed protocol, during the user’s registration phase, instead of the original identity and password we have transmitted the masked identity DIDi = h(IDi ku) and password RPWi = h(PWi krkIDi ) to the home gateway node. Hence, extracting the user’s password or identity by the insider of the remote server is computationally infeasible due to the non-invertible
Attacker extracts, the parameters from the transmitted message M2 =< T IDi , D3 , D4 , D5 , D6 , T 3 > over the public channel where, D3 = h(P j kT 2 kT r kIDS N j kT IDi )⊕ rh , D4 = h(P j kT IDi krh kT 2 ) ⊕ ri , D5 = h(P j kri krh kT 2 ) ⊕ DIDi , D6 = h(IDS N j kri kDIDi kT r kP j krh kT 2 ) after that attacker guesses the parameters < D03 , D04 , D05 , D06 , T 2 > and transmit to S N j . However the computation of D3 , D4 , D5 , D6 relies on the secret parameters < DIDi , P j , T r , rh , ri > respectively. It can be notable that attacker cannot extract these secret parameters from the protocol description due to non-invertible cryptographic one way hash function property. As the P j is high entropy shared secret key parameter between the HGWN and S N j . The attacker cannot guess it in polynomial time. Therefore our proposed protocol can resist Gateway node impersonation attack. 7.5. User impersonate attack
It is practical that the attacker traps the login message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > of a legal user during the execution of the protocol, where D1 = h(Ki kDIDi kIDS N j ) ⊕ ri , D2 = h(DIDi kri kT IDi kKi kT 1 kIDS N j ). After that the attacker tries to generate another valid message which will be authenticated by HGWN. In order to do so, the attacker has to compute valid D1 , D2 . As the attacker cannot compute < Ki >, without the knowledge of 24
ACCEPTED MANUSCRIPT
25
CR IP T
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
(b) The result of the analysis using CL-AtSe backend
AN US
(a) The result of the analysis using OFMC backend
Figure 9: Simulation result for Case-1.
ED
M
H < IDi , PWi > and secret parameters < ri , XGWN >. However, it is infeasible to guess the trapped message in a polynomial time by the attacker due to unknown parameter in D1 , D2 . During the execution of the Case2 of the protocol, the attacker traps the message M7 =< T IDi , IDS N j , A3 , L4 , T 2 > which is transmitted over the public/open channel, where A3 = h(KiF kT IDi kIDS N j ) ⊕ ri and L4 = h(T IDi kri kKiF kT 2 kIDS N j ). It is clear that the attacker cannot compute another valid A3 , L4 paramH . It may eters without the knowledge of KiF , Ki , ri , XGWN be noted that the attacker cannot guess the secret key of the home/foreign gateway nodes within polynomial time due to its high entropy property. Therefore, it is also infeasible that the attacker cannot make and guess another valid message within polynomial time.
or exact user id and password at the same time, as it is computationally infeasible to guess the two parameters at a time and also, due to the non-invertible one-way hash function property. Hence, the attacker in no where to update the password of the user Ui . Therefore, the proposed scheme is free from the stolen smart card attack.
PT
7.7. Sensor node spoofing attack In order to masquerade as a legitimate sensor node S N j and to cheat the users, the attacker needs to compute the response message {M3 }, where M3 =< D7 , D8 , T 3 > and A7 and L6 are computed with the secret keys of Ui , S N j and HGWN in Case-1. As the attacker does not have the knowledge of the secret keys of the involved parties. Therefore, attacker cannot spoof the sensor node in Case-1. Further, the response message {M9 }, where M9 =< A6 , L6 , T 3 > and A6 is computed using the sensor node secret key r j and L6 is computed with the secret keys of Ui , S N j and FGWN in Case-2. As the attacker does not have the knowledge of the secret keys of the involved parties. Therefore, it is computationally infeasible to extract the secret credentials from the non-invertible cryptographic one-way hash function. Therefore, our scheme can resist sensor node spoofing attack.
AC
CE
7.6. Stolen-smart card attack, off-line identity guessing attack and off-line password guessing attack We suppose that the user Ui0 s smart card was stolen by an attacker, then the attacker can extract the information stored on the smart card {Yi , IDGWNh , T IDi , h(·), Vi , Ci } by using the method of power analysis [44, 43], where Vi = h(IDi ⊕ PWi ⊕ u), Ci = u ⊕ H(Bi ) and Yi = Ki ⊕ h(PWi kukIDi ). In order to compute the smartcard stored information, the attacker needs to know Bi , u, IDi , PWi , where this information is known only to the user. However, the biometric key Bi cannot be stolen and both user IDi and PWi are unknown to the attacker and both are well protected by the one way hash function . So, the attacker has no way to guess
7.8. Anonymity and unlinkability As shown above in section 7.6, it is clear from our proposed scheme that an attacker has noway to obtain 25
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
26
or guess the identity IDi of the user Ui as it is protected by the non-invertible cryptographic one way hash function. The use of pseudo identity make the system anonymous, however, lake of dynamic identity mechanism arises linkability problem [21]. The proposed scheme have some limitation over its advantage.
asks for a new password and initiate password change. The smartcard allows the user to update the password without any interaction with the GWN or sensor node S j . This shows that our proposed scheme has efficiency to detect incorrect input and low computation in updating the password.
7.9. Denial-of-service attack In the proposed scheme, we have three possibility where a registered user could encounter denial-ofservice, however, the proposed scheme is efficient to resist denial-of-service attack in all scenario as follows:
7.11. Mutual authentication
CR IP T
It means that each entities of the network should authenticate each other in order to verify legitimacy. During execution of the protocol, the gateway node authenticates the user based on the login message, and similarly sensor node authenticates gateway node and user. Finally, the user authenticates sensor node and gateway node. It has been observed that the protocol negotiates session key only after performing the mutual authentication between the entities involved.
AN US
• In first situation when user inputs incorrect credentials (identity or password) unknowingly during login phase, however, the smart card can correctly verify the login credentials using the condi? tion Vi = h(IDi ⊕ PWi ⊕ u). This ensures that only with the correct input of user credentials a login message will be executed. Thus, there will not be occurrence of denial-of-service scenario for a valid user in login attempt.
7.12. Session key agreement
PT
ED
M
• Adversary may also try to engage sensors by replaying the messages so that valid user login attempt may deny or delayed, however, the transmitted messages M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 > (in Case-1) and M8 =< T IDi , A4 , A5 , L5 , T 3 > (in Case -2) includes the timestamp. The sensors verify the freshness of timestamp before professing the requests. This shows that a sensor can efficiently encounter the fake request in the proposed scheme, which shows the security of proposed scheme against denial of service attack.
AC
CE
Authenticated key agreement (AKA) schemes can only add additionally protection to the scheme by implying timestamps or other primitives to defend against DoS attack. However, an adversary can also mount an application layer DoS attack. It is a form of DoS attack, where attackers target the application layer of the open systems interconnection (OSI) model. The attack over-exercises specific functions or features of a website with the intention to disable those functions or features. This application-layer attack is different from an entire network attack.
The main aim of the key agreement protocol is to negotiate session key so that each entities can communicate securely. The proposed protocol computes session key S K between the user, gateway and sensor node on the success of mutual authentication. Therefore, the proposed scheme supports authenticated session key agreement. In our proposed scheme a user and sensor agree on a common session key S K = h(DIDi kri kr j krh kIDS N j ) in Case-1 and S K = h(T IDi kri kr j kr f kIDS N j ) in Case2 of the authentication phase. Both the user and the sensor node contribute session secrets in S K, i.e. the user chooses temporal secret ri , sensor chooses r j and gateway contributes rh in Case-1 or r f in Case-2. If an adversary A need to gain control over the session key S K, A need the values ri , r j , rh , r f , which are protected with the secret keys during transmission. Thus, only authorized parties will be able to retrieve the temporal secrets. We have already assumed the gateway node is the trusted authority. Thus, our scheme ensures that only the legitimate parties can compute the session key S K.
7.13. Secure message transmission between home and foreign gateway node
7.10. Efficient password change phase In our proposed scheme, the smart card first verifies the login credentials to validate the legitimacy of the user Ui . Once the verification in the correctness of the identity and the password is verified. The smartcard 26
In the proposed protocol, HGWN transmits a broadcast message < IDS N j , T IDi , IDGWNh , L1 > to the rest of the gateway nodes called as foreign gateway node (FGWN). After that, the FGWN transmits M5 =< A1 , IDGWNF , L2 , T IDi > to HGWN over public networks, where A1 = h(T IDi kS ran kIDGWNF ) ⊕ KiF and L2 = h(T IDi kIDGWNF kKiF kIDS N j ). It may be
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
noted that the attacker cannot gain the needful secret information from the transmitted message M5 =< A1 , IDGWNF , L2 , T IDi > as the computed parameters are secured with the non-invertible cryptographic one-way hash function. It is also noticeable that the attacker cannot extract any confidential parameter without the knowledge of KiF . Therefore, it is our claim that the proposed protocol provides strong security protection on the transmitted message between the home and foreign gateway nodes.
27
sensor node does not reveal any information about other sensor nodes and the user in order to compromise any other secure communication between the users and the non-compromised sensor nodes in the WSNs network. This shows that our scheme is secure against node capture attack. 7.16. Efficient sensor node addition phase facility
CR IP T
It may also happen that the new sensor node is required in the WS N s environment on demand at any time. In order to provide such type facility, we have presented an efficient dynamic node deployment phase in the proposed protocol. Therefore, the S A can efficiently include new sensor node on the target region after executing dynamic node deployment phase.
7.14. Many logged-in users with the same login-id attack As shown in [11], our proposed scheme also can withstand the many logged-in users with the same loginid attack, which is as follows: For a legal user it is very much essential to have his/her own smartcard SC, then only he/she will be able to login into the system. So, even if two or more users have the same login credentials < IDi , PWi > they will not be successful in login into the system as it requires the legal user’s biometric key, which only a legal user can have and the biometric key cannot be stolen. Therefore, our claim is that the proposed protocol can resist many logged-in users with same login-id attack.
AN US
8. Performance comparison with related schemes
M
7.15. Resilience against node capture attack
In this section, we compare the performance and functionality features of our proposed scheme with the related existing authentication schemes proposed for the WSNs. This evaluation gives an insight into the effectiveness of the proposed scheme.
AC
CE
PT
ED
Node capturing attack means that using retrieved information from compromise sensor node to mount attacks in WSNs environment. Adversary tries to retrieve information about other sensor nodes, and the users in order to compromise any other secure communication between the users and the non-compromised sensor nodes in the WSNs network. Suppose that an attacker captures a sensor node, say S j randomly in the network from which a legal user Ui is accessing the real-time data from S j . The attacker can easily compromise all the secret information including the captured node’s master key and session key shared with the user Ui , as sensor nodes are not equipped with tamper resistant hardware. In the Case-1, the secure session key between the user Ui and the sensor node S j is generated as S K = h(DIDi kri kr j krh kIDS N j ), where DIDi = h(IDi kr) = D5 ⊕ h(P j kri krh kT 2 ) and P j = h(IDS N j ⊕ S ran ). Each established session key between the user and the sensor node is distinct throughout the WSNs network and computing as it is computationally infeasible to guess the three parameters ri , r j , rh at a time from the transmitted message, due to the non-invertible one-way hash function property. And similarly, this can also be shown for the Case-2. It is clear that a captured
8.1. Comparison of security features In Table 2, we have discussed the security attributes of proposed scheme with related schemes [29, 30, 51, 11, 31, 19, 15, 32, 16, 17, 50, 36]. It is noted that most of the discussed schemes in Table 2 do not resist password guessing attack. Moreover, user anonymity, impersonation attack, server spoofing attack, sensor node capturing attack, proper mutual authentication are also alarming in existing schemes. In addition, the discussed schemes in table 2 are failed to resist stolen smartcard attack. On the other hand, our scheme protects anonymity and supports the security attributes mentioned in the Table2. Shifted the tables[3,4] to adjust in this page 8.2. Communication overhead comparison
In Table 3 , we have compared the communication overheads required during the login and authentication phases between our scheme and other schemes. We assume that the output of the one-way hash function h(·) is 160 bits (20 bytes), if we use SHA-1 hashing algorithm [52]. Further, we assume that each timestamp, random nonce/random number, identity of user/sensor node is 152 bits in length (19 bytes). In addition, for Yeh et al.’s scheme [51] and Turkanovic–Holbl’s 27
ACCEPTED MANUSCRIPT
28
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32 Table 4: Computation overhead comparison during the login and authentication phases
Vaidya [29] Chen and Shin [30] Yeh et al. [51] Das et al. [31] Turkanovic–Holbl [11] Xue et al. [19] Vaidya et al.[32] Deebak [15] Turkanovic et al. [16] Farash et al.[17] Das et al.[50] Case-1 Das et al.[50] Case-2 Amin and Biswas [36] Case-1 Amin and Biswas [36] Case-2 Proposed scheme case-1 Proposed scheme case-2
Table 2: Comparison of security features
[30]
√ √ √
× × √
× √ × √
× × √
× × √
× × × × √
× √
× ×
√
[51]
[11]
√ √
√ √
× × √
× × √
× √
× √
× √
× √ √ √ √ √
× × × ×
[31]
[19]
× × × × × × × × √
× × × × × √
√ × √ √
× × √ √ √ √ √
[15]
[32]
√ √ √ √ √ √ √ √ √ √ √ √ √
√ × × √ × √ √ √ × √ √
[16]
[17]
[36]
× √
× √
× √
× × × √
× × × × × × √
× × × √
× × √ √ √
√ √ √ √
× ×
× √
Total
Time(ms)
2T h 2T h 3T h + 2T ECC − − 6T h 2T h 5T h 5T h 7T h 3T h + 1T E/D 4T h + 1T E/D 5T h 5T h 6T h 5T h
6T h 4T h 1T h + 2T ECC 5T h + 1T E/D 4T h + 1T E/D 10T h 6T h 9T h 7T h 11T h 9T h + 1T E/D 10T h + 2T E/D 7T h 8T h 10T h 14T h
13T h 13T h 8T h + 8T ECC 10T h + 5T E/D 7T h + 5T E/D 29T h 12T h 26T h 19T h 32T h 17T h + 4T E/D 19T h + 5T E/D 20T h 20T h 29T h 35T h
0.0052 0.0044 58.8264 0.6555 0.6543 0.0116 0.0048 0.0104 0.0076 0.0128 0.528 0.6591 0.0080 0.0080 0.0116 0.0140
[50]
Ours
√ √ √ √ √ √ √ √ √ √ √ √ √
√ √ √ √ √ √ √ √ √ √ √ √ √
Scheme
M
[29]
User
Table 3: Communication overhead comparison during the login and authentication phases
√ × √ √ × √ √
ED
Security attributes S1 S2 S3 S4 S5 S6 S7 S8 S9 S 10 S 11 S 12 S 13
Sensor node
CR IP T
Base station/ gateway node 5T h 5T h 4T h + 4T ECC 5T h + 4T E/D 3T h + 4T E/D 13T h 4T h 12T h 7T h 14T h 5T h + 2T E/D 5T h + 2T E/D 8T h 7T h 13T h 16T h
AN US
Scheme
CE
PT
√ Note: = preserved; × = not preserved. S 1 : whether resists password guessing attack or not; S 2 : whether protects privileged-insider attack or not; S 3 : whether provides user anonymity or not; S 4 : whether resilient against stolen smart card attack or not; S 5 : whether secure against impersonation attack or not; S 6 : whether protects replay attack or not; S 7 : whether provides proper mutual authentication or not; S 8 : whether provides two-factor security or not; S 9 : whether session key agreement is provided or not; S 10 : Provides efficient password change phase; S 11 : Server Spoofing attack; S 12 : Sensor node capturing attack; S 13 : Many logged-in users attack;
scheme [11], we assume that the acknowledgment message requires 160 bits (20 bytes). In our scheme, during the login phase, the login request message M1 =< T IDi , IDS N j , D1 , D2 , T 1 > requires 97 bytes. During the authentication and key agreement phase in Case1, the messages M2 =< T IDi , D3 , D4 , D5 , D6 , T 2 >, M3 =< D7 , D8 , T 3 > and M4 =< D9 , D10 , D11 , T 4 > require 118 bytes, 59 bytes and 79 bytes, respectively. As a result, during the login and authentication phases in our scheme for Case-1, the total communication overhead becomes (97 + 118 + 59 + 79) = 353 bytes. During the authentication and key agreement phase in Case-
Vaidya [29] Chen and Shin [30] Yeh et al. [51] Turkanovic–Holbl [11] Das et al. [31] Xue et al. [19] Vaidya et al.[32] Deebak [15] Turkanovic et al. [16] Farash et al. [17] Das et al.[50] Case-1 Das et al.[50] Case-2 Amin and Biswas [36] Case-1 Amin and Biswas [36] Case-2 Proposed scheme case-1 Proposed scheme case-2
Total number of messages 5 4 4 4 4 6 5 4 4 4 3 6 4 8 4 7
Total number of bytes 197 bytes 235 bytes 252 bytes 352 bytes 372 bytes 413 bytes 296 bytes 315 bytes 489 bytes 434 bytes 391 bytes 673 bytes 373 bytes 642 bytes 353 bytes 547 bytes
AC
2, the messages between HGWN-FGWN, M5 ,M6 =< A2 , L3 , IDS N j >, M7 =< T IDi , IDS N j , A3 , L4 , T 2 >, M8 =< T IDi , A4 , A5 , L5 , T 3 >, M9 =< A6 , L6 , T 4 > and M10 =< A7 , A8 , L7 , T 5 > require 78 bytes, 59 bytes, 97 bytes, 98 bytes, 59 bytes and 79 bytes, respectively. As a result, during the login and authentication phases in our scheme for Case-2, the total communication overhead becomes (77+78+59+97+98+59+79) = 547 bytes. On the other hand, the communication overheads required during the login and authentication phases for Vaidya et al.’s scheme [29], Chen-Shin’s 28
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
scheme [30], Yeh et al.’s scheme [51], TurkanovicHolbi’s scheme[11], Das et al.’s scheme [31], Xue et al.’s scheme [19],Vaidya et al.[32], Deebak [15], Turkanovic et al.’s scheme[16], Farash et al.’s[17], Das et al.[50] Case-1 and Case-2, and Amin and Biswas’s scheme [36] are 197 bytes, 235 bytes, 252 bytes, 352 bytes, 372 bytes, 413 bytes, 296 bytes, 315 bytes, 489 bytes, 434 bytes, Case-1 (391 bytes) and Case-2 (673 bytes), and Case-1 (373 bytes) and Case-2 (642 bytes), respectively. Note that our scheme (Case-1) performs better than Das et al.’s scheme [31], Xue et al.’s scheme [19], Turkanovic et al.’s scheme [16], Farash et al.’s[17],Das et al.[50], and Amin and Biswas’s scheme[36]. However, our scheme requires more communication overhead as compared to that for other schemes mentioned in Table 3. It is justified because our scheme offers better security and functionality features as compared to those for other schemes as shown in Table 2.
29
AN US
CR IP T
It is clear from the Table 2 that proposed scheme satisfy more number of security attributes as compare to the existing schemes, but it requires computation of more hash functions in Case-2 as compare to other discussed schemes. The proposed scheme has higher computation overhead as compare to other lightweight authentication schemes in Case -2 (0.0140 ms) as discussed in Table 4, but it is efficient then Yeh et al. (58.8264 ms), Das et al. (0.6555 ms), TurkanovicHolbl (0.6543 ms), and Das et al. Case-1 (0.528 ms) and Case-2 (0.6591 ms) . Additionally, our proposed scheme has little higher computation overhead in Case1 (0.0116 ms) as compared to Amin and Biswas (0.0080 ms), Vaidya et al. (0.0048 ms), Deebak (0.0104 ms), Turkanovic et al. (0.0076 ms), Chen and Shin (0.0044 ms), and Vaidya (0.0052 ms), but has higher security features, also our proposed scheme is more efficient compare to Yeh et al., Das et al., Farash et al., Turkanovic-Holbl, and Das [50]. Moreover, due to the computational efficiency of one-way hash function, the proposed scheme is also a lightweight authentication scheme. This conclude that the proposed scheme is a lightweight authentication scheme for WSNs with higher security features.
AC
CE
PT
ED
M
8.3. Computational overhead comparison In WSNs, energy is a constraint and thus, the user authentication protocol must be light-weight in terms of computation. Our protocol only used the hash function, which is a light-weight function compared to other operations, including symmetric key encryption/decryption and public key cryptographic functions. We use the execution timings for various cryptographic operations presented in the literature [53]. To evaluate the execution timings of cryptographic operations, experiment is performed using MIRACL C/C++ Library and the system used 32-bit Windows 7 operating systems, Visual C++ 2008 Software. The running time of symmetric key encryption/decryption AES-128, elliptic curve point multiplication over the finite prime field F p , and SHA-1 hash function are T E/D ≈ 0.1303 ms, T ECC ≈ 7.3529 ms, and T h ≈ 0.0004 ms, respectively. Finally, in Table 4, we have compared the computational overhead between our scheme and other schemes during the login and authentication phases. In our scheme, during the login phase the computational overhead for a user Ui is 6T h , whereas in authentication phase the computational overheads for Case-1 are 13T h , 6T h and 4T h for HGWN, S N j and Ui , respectively. In Case-2, HGWN − FGWN, S N j and Ui computational overheads are 16T h , 5T h and 8T h , respectively. Moreover, the proposed scheme requires the computation of XOR operations and string concatenation. As computation cost of XOR and concatenation operations is comparably negligible to hash function, thus we have not included the computation cost of XOR and concatenation operations in the computation overhead analysis.
29
9. Conclusion
In this paper, we have analyzed the security pitfalls of recently proposed Amin-Biswas’s lightweight authentication and key agreement protocol. We have identified that Amin-Biswas’s scheme failed to resist server spoofing attack, stolen smart card attack, password guessing attack, impersonation attack, and identity guessing attack. In order to ensure the secure communication in WSNs, we have proposed an enhanced user authentication and key agreement protocol for WSNs using biohashing. Biohashing has significant functional advantages over solely biometrics, such as highly clear separation of imposter populations and genuine, and zero equal error rate level. Our proposed protocol efficiently supports for the dynamic node addition features and user friendly password change. Using the BAN-logic, we have shown that the proposed protocol ensures mutual authentication. The performance of the proposed scheme is also compared with related schemes. The proposed scheme has also some limitations along with its applicability to WSN’s environment, namely, lack of dynamic identity mechanism due to involve nonpublic key primitives and evaluation of test-bed and simulation in real-world environment. However, the use of pseudonym instead of user identity makes the communication anonymous. Additionally, we have simu-
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
[13] S. A. Chaudhry, M. S. Farash, H. Naqvi, S. H. Islam, T. Shon, A robust and efficient privacy aware handover authentication scheme for wireless networks, Wireless Personal Communications (2015) 1–25. [14] S. A. Chaudhry, K. Mahmood, H. Naqvi, M. K. Khan, An improved and secure biometric authentication scheme for telecare medicine information systems based on elliptic curve cryptography, Journal of Medical Systems 39 (11) (2015) 1–12. [15] B. D. Deebak, Secure and efficient mutual adaptive user authentication scheme for heterogeneous wireless sensor networks using multimedia client–server systems, Wireless Personal Communications, 87 (3) (2016) 1013–1035. [16] M. Turkanovi´c, B. Brumen, M. H¨olbl, A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion, Ad Hoc Networks 20 (2014) 96–112. [17] M. S. Farash, M. Turkanovi´c, S. Kumari, M. H¨olbl, An efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the internet of things environment, Ad Hoc Networks. [18] K. Xue, P. Hong, C. Ma, A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture, Journal of Computer and System Sciences 80 (1) (2014) 195–206. [19] K. Xue, C. Ma, P. Hong, R. Ding, A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, Journal of Network and Computer Applications 36 (1) (2013) 316–323. [20] H. Tu, N. Kumar, D. He, J. Kim, C. Lee, An efficient passwordbased three-party authenticated multiple key exchange protocol for wireless mobile networks, The Journal of Supercomputing 70 (1) (2014) 224–235. [21] D. Wang, P. Wang, On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions, Computer Networks 73 (2014) 41 – 57. [22] D. Wang, N. Wang, P. Wang, S. Qing, Preserving privacy for free: efficient and provably secure two-factor authentication scheme with user anonymity, Information Sciences 321 (2015) 162–178. [23] K. H. Wong, Y. Zheng, J. Cao, S. Wang, A dynamic user authentication scheme for wireless sensor networks, in: IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, Vol. 1, pp. 244-251, 2006. doi: 10.1109/SUTC.2006.1636182 [24] M. L. Das, Two-factor user authentication in wireless sensor networks, IEEE Transactions on Wireless Communications, 8 (3) (2009) 1086–1090. [25] H.-F. Huang, Y.-F. Chang, C.-H. Liu, Enhancement of twofactor user authentication in wireless sensor networks, in: Sixth International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), IEEE, pp. 27–30, 2010. [26] D. Nyang, M.-K. Lee, Improvement of das’s two-factor authentication protocol in wireless sensor networks., IACR Cryptology ePrint Archive 2009 (2009) 631. [27] D. He, Y. Gao, S. Chan, C. Chen, J. Bu, An enhanced twofactor user authentication scheme in wireless sensor networks., Ad Hoc & Sensor Wireless Networks 10 (4) (2010) 361–371. [28] M. K. Khan, K. Alghathbar, Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks, Sensors 10 (3) (2010) 2450–2459. [29] B. Vaidya, D. Makrakis, H. T. Mouftah, Improved two-factor user authentication in wireless sensor networks, in: IEEE 6th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), IEEE, 2010, pp.
CR IP T
lated the proposed protocol for formal security verification using the AVISPA tool, and the simulation results shown that the proposed protocol is safe. Through the informal security analysis, we have shown that the proposed protocol satisfies known security attributes for authentication protocols. Moreover, the proposed protocol is required only the computation of hash functions to achieve mutual authentication. Computational efficiency of proposed protocol presents its lightweight attribute. This makes the proposed scheme more appropriate for WSNs environment. Acknowledgment
AN US
The authors would like to acknowledge the many helpful suggestions of the anonymous reviewers and the editor. References
AC
CE
PT
ED
M
[1] M. Tubaishat, S. Madria, Sensor networks: an overview, Potentials, IEEE 22 (2) (2003) 20–23. [2] J. Yick, B. Mukherjee, D. Ghosal, Wireless sensor network survey, Computer networks 52 (12) (2008) 2292–2330. [3] S. Kumari, M. K. Khan, M. Atiquzzaman, User authentication schemes for wireless sensor networks: A review, Ad Hoc Networks 27 (2015) 159–194. [4] D. He, N. Kumar, N. Chilamkurti, A secure temporal-credentialbased mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks, Information Sciences 321 (2015) 263 – 277. [5] D. Wang, C. G. Ma, D. L. Gu, Z. S. Cui, Cryptanalysis of two dynamic id-based remote user authentication schemes for multiserver architecture, In: International Conference on Network and System Security, (2012) 462–475. [6] D. Wang, P. Wang, On the usability of two-factor authentication, In Proceedings of the 10th International Conference on Security and Privacy in Communication Networks (SecureComm 2014), pp. 141-150. [7] J. Qi, J. Ma, F. Wei, On the Security of a Privacy-Aware Authentication Scheme for Distributed Mobile Cloud Computing Services, IEEE Systems Journal (2016) 1–4, doi: 10.1109/JSYST.2016.2574719 [8] D. He, D. Wang, Robust biometrics-based authentication scheme for multiserver environment, IEEE Systems Journal 9 (3) (2015) 816–823. [9] D. Wang, P. Wang, Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks, Ad Hoc Networks 20 (2014) 1–15. [10] D. Wang, D. He, P. Wang, C.-H. Chu, Anonymous two-factor authentication in distributed systems: certain goals are beyond attainment, IEEE Transactions on Dependable and Secure Computing 12 (4) (2015) 428–442. [11] M. Turkanovic, M. Holbl, An improved dynamic passwordbased user authentication scheme for hierarchical wireless sensor networks, Elektronika ir Elektrotechnika 19 (6) (2013) 109– 116. [12] S. A. Chaudhry, H. Naqvi, M. Sher, M. S. Farash, M. U. Hassan, An improved and provably secure privacy preserving authentication protocol for sip, Peer-to-Peer Networking and Applications (2015) 1–15.
30
30
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
[50]
[51] [52]
AC
CE
PT
ED
M
AN US
[53]
Transactions on Information Forensics and Security (2015) 1– 14DOI: 10.1109/TIFS.2015.2439964. A. K. Das, A. K. Sutrala, S. Kumari, V. Odelu, M. Wazid, and X. Li, “An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks,” Security and Communication Networks, 2016. H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, H.-W. Wei, A secured authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors 11 (5) (2011) 4767–4779. Secure hash standard, fIPS PUB 180-1, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, April 1995. http://csrc.nist.gov/publications/fips/fi ps180-2/fips180-2.pdf. F. Wu, L. Xu, S. Kumari, X. Li, An improved and anonymous two-factor authentication protocol for health-care applications with wireless medical sensor networks, Multimedia Systems (2015) 1–11.
CR IP T
600–606. [30] T.-H. Chen, W.-K. Shih, A robust mutual authentication protocol for wireless sensor networks, Etri Journal 32 (5) (2010) 704–712. [31] A. K. Das, P. Sharma, S. Chatterjee, J. K. Sing, A dynamic password-based user authentication scheme for hierarchical wireless sensor networks, Journal of Network and Computer Applications 35 (5) (2012) 1646–1656. [32] B. Vaidya, D. Makrakis, H. Mouftah, Two-factor mutual authentication with key agreement in wireless sensor networks, Security and Communication Networks. [33] S. Xu, X. Wang, A new user authentication scheme for hierarchical wireless sensor networks, International Review on Computers and Software 8 (1) (2013) 197–203. [34] C.-T. Li, C.-Y. Weng, C.-C. Lee, An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks, Sensors 13 (8) (2013) 9589–9603. [35] M. Turkanovi´c, M. H¨olbl, Notes on a temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, Wireless personal communications 77 (2) (2014) 907–922. [36] R. Amin, G. Biswas, A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks, Ad Hoc Networks 36 (2016) 58–80. [37] L. Nanni, A. Lumini, Random subspace for an improved biohashing for face authentication, Pattern Recognition Letters 29 (3) (2008) 295–300. [38] L. Nanni, S. Brahnam, A. Lumini, Biohashing applied to orientation-based minutia descriptor for secure fingerprint authentication system, Electronics letters 47 (15) (2011) 851–853. [39] A. T. B. Jin, D. N. C. Ling, A. Goh, Biohashing: two factor authentication featuring fingerprint data and tokenised random number, Pattern recognition 37 (11) (2004) 2245–2255. [40] W. H. Yang, S. P. Shieh, Password authentication schemes with smart cards, Computers & Security 18 (8) (1999) 727–733. [41] D. Dolev, A. C. Yao, On the security of public key protocols, IEEE Transactions on Information Theory 29 (2) (1983) 198– 208. [42] T. Eisenbarth, T. Kasper, A. Moradi, C. Paar, M. Salmasizadeh, M. Shalmani, T. Manzuri, On the power of power analysis in the real world: A complete break of the keeloq code hopping scheme, in: Advances in Cryptology - CRYPTO 2008, Vol. 5157 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2008, pp. 203–220. [43] T. S. Messerges, E. A. Dabbish, R. H. Sloan, Examining smartcard security under the threat of power analysis attacks, IEEE Transactions on Computers 51 (5) (2002) 541–552. [44] P. Kocher, J. Jaffe, B. Jun, Differential power analysis, in: Proceedings of Advances in Cryptology - CRYPTO’99, LNCS, Vol. 1666, 1999, pp. 388–397. [45] S. Mrdovic, B. Perunicic, Kerckhoffs’ principle for intrusion detection, in: Telecommunications Network Strategy and Planning Symposium, 2008. Networks 2008. The 13th International, IEEE, 2008, pp. 1–8. [46] M. Burrows, M. Abadi, R. Needham, A logic of authentication, ACM Transactions on Computer Systems 8 (1) (1990) 18–36. [47] AVISPA, Automated Validation of Internet Security Protocols and Applications, http://www.avispa-project.org/. Accessed on January 2015. [48] D. von Oheimb, The high-level protocol specification language hlpsl developed in the eu project avispa, in: Proceedings of APPSEM 2005 Workshop, 2005. [49] V. Odelu, A. Das, A. Goswami, A secure biometrics-based multi-server authentication protocol using smart cards, IEEE
31
31
ACCEPTED MANUSCRIPT
Jangirala et al. / Ad Hoc Networks xx (2016) 1–32
Biography
32
CR IP T
sistant Professor in the Department of Mathematics, the LNM Institute of Information Technology, Jaipur, India. His research interests include digital rights management system, access control in cloud, cryptographic protocols.
ED
M
AN US
Jangirala Srinivas completed his Bachelor of Science in 2003 from Kakatiya University, India. He has received Master of Science degree from Kakatiya University in 2008. He has received Master of Technology degree from IIT Kharagpur in 2011. Currently, he is pursuing his Ph.D in the Department of Mathematics, IIT Kharagpur. His research interests include authentication protocols, information security, digital rights management and cloud computing.
AC
CE
PT
Sourav Mukhopadhyay completed his B.Sc (Honours in Mathematics) in 1997 from University of Calcutta, India. He has done M.Stat (in statistics) and M.Tech (in computer science) from Indian Statistical Institute, India, in 1999 and 2001 respectively. He received his Ph.D. degree in the area of Cryptology (Computer Science) from Indian Statistical Institute, India in 2007. Currently, he is an Assistant Professor at IIT, Kharagpur. His research and teaching interests include network security, cryptology, mathematics, statistics and computer science. He has published more than 60 papers in international journals and conferences in these areas.
Dheerendra Mishra completed his Bachelor of Science and Master of Science degrees from Jiwaji University, India in 2003 and 2005, respectively. He received Ph.D. from the Indian Institute of Technology, Kharagpur, India, in 2014. Currently, he is working as an As32