 JCC  Vol.9 No.3 , March 2021
Security Considerations on Three-Factor Anonymous Authentication Scheme for WSNs
Abstract: Wireless sensor networks (WSNs) are used to monitor various environmental conditions including movement, pollution level, temperature, humidity, etc. Secure authentication is very important for the success of WSNs. Li et al. proposed a three-factor anonymous authentication scheme in WSNs over Internet of things (IoT). They argued that their authentication scheme achieves more security and functional features, which are required for WSNs over IoT. In particular, they insisted that their user authentication scheme provides security against sensor node impersonation attack, and resists session-specific temporary information attack and various other attacks. However, this paper shows some security weaknesses in Li et al.’s scheme, focusing on sensor node masquerading attack, known session-specific temporary information attack and deficiency of perfect forward secrecy. Security considerations are very important to modern IoT-based applications. Thereby, the result of this paper could be very helpful for IoT security research.

1. Introduction

The Internet of things (IoT) refers to a concept of connected objects and devices of all types over the Internet, wired or wireless [1] [2] [3] [4]. In such a dynamic system, devices are interconnected to transmit useful measurement information and control instructions via distributed wireless sensor networks (WSNs). A WSN is a network formed with a large number of sensor nodes, where each node is equipped with sensors to detect physical phenomena. Many security solutions were proposed, but they could not be applied to WSN security due to the unique characteristics of WSNs.

Various security schemes were proposed to protect WSNs and IoT [5] - [12]. Das proposed a two-factor user authentication over WSNs using smartcard [5]. Many studies showed some weaknesses of Das’s scheme, which lacks feature of user anonymity, key agreement and mutual authentication. Furthermore, they showed that it suffers from attacks including password guessing, sensor node capture, gateway bypassing and denial-of-service attacks [6] [7] [8] [9] [10]. After those works, Jiang et al. proposed an untraceable user authentication scheme using elliptic curves cryptosystem (ECC) [11]. Recently, Li et al. showed that Jiang et al.’s scheme has functional and security flaws and proposed a three-factor anonymous authentication scheme for WSNs in IoT environments [12]. They provided BAN logic verification with security analysis and argued that their scheme provides security against sensor node impersonation attack, resists session-specific temporary information attack, and various other attacks.

However, we find some common security flaws in Li et al.’s scheme: it is weak against sensor node masquerading attack, suffers from known session-specific temporary information attack and does not provide perfect forward secrecy.

The remaining parts of this paper are as follows: Section 2 introduces fuzzy commitment scheme used in this paper; the review of Li et al.’s scheme in [12] is given in Section 3; Section 4 describes the security considerations on Li et al.’s scheme. Finally, Section 5 concludes the paper.

2. Fuzzy Commitment Scheme

Juels and Wattenberg proposed a fuzzy commitment scheme F(.), which is a cryptographic primitive [13]. F(.) allows an entity to commit to a chosen value while keeping it hidden from others in the system, with the ability to reveal the committed value later. The committed value is binding and thus cannot be changed by either party. Suppose $h(\cdot): \{0,1\}^* \rightarrow \{0,1\}^n$ is a secure hash function, which can commit a codeword $c \in C$ using an n-bit witness y as $F(c, y) = \{\alpha, \delta\}$, where $\alpha = h(c)$ and $\delta = y \oplus c$. The commitment $F(c, y) = \{\alpha, \delta\}$ can be opened using a witness y', which is relatively close to y but need not be the same as y. To open the commitment using y', the receiver computes $c' = f(y' \oplus \delta) = f(c \oplus (y' \oplus y))$ and checks whether $\alpha = h(c')$. If they are equal, the commitment is successfully opened. Otherwise, the witness y' is not valid. This paper uses the fuzzy commitment scheme due to the noisy characteristic of biometrics. In this scenario, the biometric template can be treated as the witness y, and c can be opened by the input biometric y', which is close to y.
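The commit and open operations described above can be tried out with the following sketch, which is an added example and not code from the paper or from Juels and Wattenberg. It assumes a 5-fold repetition code as a stand-in for the codeword set C, majority decoding for f(.), and SHA-256 for h(.); the template bits are constructed at random.

```python
import hashlib
import secrets

REP = 5  # assumption: each data bit is repeated REP times (toy code for C)

def encode(bits):
    """Codeword c in C: repetition encoding of the data bits."""
    return [b for b in bits for _ in range(REP)]

def f(word):
    """Decoding function f(.): map a noisy word to the nearest codeword."""
    data = [int(sum(word[i:i + REP]) > REP // 2)
            for i in range(0, len(word), REP)]
    return encode(data)

def h(bits):
    """h(.): SHA-256 over the bit list (stand-in for the scheme's hash)."""
    return hashlib.sha256(bytes(bits)).hexdigest()

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]

def commit(c, y):
    """F(c, y) = (alpha, delta) with alpha = h(c) and delta = y XOR c."""
    return h(c), xor(y, c)

def open_commitment(alpha, delta, y_prime):
    """Return c' = f(y' XOR delta) if h(c') equals alpha, otherwise None."""
    c_prime = f(xor(y_prime, delta))
    return c_prime if h(c_prime) == alpha else None

def flip(bits, positions):
    """Model biometric noise by flipping the bits at the given positions."""
    return [b ^ (i in positions) for i, b in enumerate(bits)]

def demo():
    c = encode([secrets.randbelow(2) for _ in range(16)])  # 80-bit codeword
    y = [secrets.randbelow(2) for _ in range(len(c))]      # constructed template
    alpha, delta = commit(c, y)
    near = flip(y, {3, 17, 42})           # one error per 5-bit group: corrected
    far = flip(y, {0, 1, 2, 40, 41, 42})  # three errors in a group: rejected
    return (open_commitment(alpha, delta, near) == c,
            open_commitment(alpha, delta, far) is None)

if __name__ == "__main__":
    print(demo())
```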

3. Three-Factor Anonymous Authentication Scheme

Li et al. proposed a three-factor anonymous authentication scheme based on fingerprint identification for WSNs in IoT environments [12]. Their scheme consists of three entities: user Ui, gateway node GWN and sensor node Sj. GWN is considered a trusted member and communicates data between Ui and Sj. Initially, GWN needs to set up system parameters. For that, GWN selects an additive group G over a finite field Fp on an elliptic curve, where the generator is a point P and its order is a large prime n. GWN generates a random number $x \in Z_n$ as the private key and calculates the corresponding public key X = xP. Besides, GWN chooses a master secret key KGWN. GWN keeps x and KGWN secret, and publishes the parameters {E, Fp, P, X, G}. Table 1 shows the notations used in this paper.

3.1. Sensor Registration

Required values could be stored in the memory of sensors in advance, before they are deployed in a particular area. GWN selects an identity SIDj for each sensor and computes the secret key $K_{GWN-S} = h(SID_j \| K_{GWN})$ for SIDj. Then, GWN stores {SIDj, KGWN-S} in the memory of the sensor and deploys these sensors in a particular area to form a WSN.

3.2. User Registration

When a user Ui hopes to acquire the sensory data of sensor node Sj in the WSN in a specific area, he/she needs to register with GWN. The phase is as follows:

1) Ui chooses an identity IDi and a password PWi, generates a nonce ai and calculates $RPW_i = h(PW_i \| a_i)$. Then Ui imprints the biometric on a specific device and gets the biometric information bi. At last, Ui submits the registration request message {IDi, RPWi, bi} to GWN in a secure manner.

Table 1. Notations.

2) When obtaining the registration request, GWN chooses a random codeword $c_i \in C$ for Ui, and calculates $F(c_i, b_i) = (\alpha, \delta)$, where $\alpha = h(c_i)$ and $\delta = c_i \oplus b_i$. Then, GWN calculates $A_i = h(ID_i \| RPW_i \| c_i)$ and $B_i = h(ID_i \| K_{GWN}) \oplus h(RPW_i \| c_i)$. After that, GWN stores {α, δ, Ai, Bi, X, f(.)} in a SC, and distributes it to Ui through a secure channel. Finally, GWN stores IDi in its database and deletes other information.

3) On receiving the SC, Ui stores ai into it, and the SC contains parameters {α, δ, Ai, Bi, X, f(.), ai}.

3.3. Login and Authentication

When Ui wants to access the sensory data of SIDj, he/she should be authenticated by GWN first, and the following steps should be performed among Ui, GWN and SIDj.

1) Ui inserts SC into a card reader and imprints the biometric $b_i'$ on a special device. Then SC calculates $c_i' = f(b_i' \oplus \delta) = f(c_i \oplus (b_i \oplus b_i'))$ and checks $h(c_i') \overset{?}{=} \alpha = h(c_i)$. The session is terminated by SC if they are not equal. Otherwise, Ui passes the biometric verification and inputs IDi and PWi. Ui calculates $A_i' = h(ID_i \| h(PW_i \| a_i) \| c_i')$ and checks $A_i' \overset{?}{=} A_i$. The session is rejected by SC if they are not equal. Otherwise, Ui’s password and identity are verified by SC. The SC chooses random numbers ri and $s \in Z_n$, and calculates $M_1 = B_i \oplus h(h(PW_i \| a_i) \| c_i')$, $M_2 = sP$, $M_3 = sX = sxP$, $M_4 = ID_i \oplus M_3$, $M_5 = M_1 \oplus r_i$, $M_6 = h(ID_i \| r_i) \oplus SID_j$, and $M_7 = h(M_1 \| SID_j \| M_3 \| r_i)$. At last, Ui submits the login request message {M2, M4, M5, M6, M7} to GWN.

2) When receiving the login request, GWN calculates $M_3' = xM_2 = xsP$ and $ID_i' = M_4 \oplus M_3'$, and checks if $ID_i'$ is in the database. If not, the request is terminated by GWN. Otherwise, GWN calculates $M_1' = h(ID_i' \| K_{GWN})$, $r_i' = M_5 \oplus M_1'$, $SID_j' = M_6 \oplus h(r_i' \| ID_i')$, $M_7' = h(M_1' \| SID_j' \| M_3' \| r_i')$, and checks $M_7' \overset{?}{=} M_7$. The session is rejected by GWN if they are not equal. Otherwise, GWN generates a random number rg, and calculates $K_{GWN-S} = h(SID_j' \| K_{GWN})$, $M_8 = ID_i' \oplus K_{GWN-S}$, $M_9 = r_g \oplus h(ID_i' \| K_{GWN-S})$, $M_{10} = r_g \oplus r_i'$ and $M_{11} = h(ID_i' \| SID_j' \| K_{GWN-S} \| r_i' \| r_g)$. At last, GWN submits the message {M8, M9, M10, M11} to Sj.

3) When receiving the message, Sj calculates $ID_i'' = M_8 \oplus K_{GWN-S}$, $r_g' = h(ID_i'' \| K_{GWN-S}) \oplus M_9$, $r_i'' = r_g' \oplus M_{10}$, $M_{11}' = h(ID_i'' \| SID_j \| K_{GWN-S} \| r_i'' \| r_g')$, and checks $M_{11}' \overset{?}{=} M_{11}$. The session is rejected by Sj if the equation is not true. Otherwise, Sj generates a random number rj, and calculates $M_{12} = r_j \oplus K_{GWN-S}$, $SK_j = h(ID_i'' \| SID_j \| r_i'' \| r_g' \| r_j)$, $M_{13} = h(K_{GWN-S} \| SK_j \| r_j)$. Finally, Sj responds with the message {M12, M13} to GWN.

4) After getting the message from Sj, GWN calculates $r_j' = M_{12} \oplus K_{GWN-S}$, $SK_{GWN} = h(ID_i' \| SID_j' \| r_i' \| r_g \| r_j')$, $M_{13}' = h(K_{GWN-S} \| SK_{GWN} \| r_j')$, and checks $M_{13}' \overset{?}{=} M_{13}$. The session is rejected if they are not equal. Otherwise, GWN calculates $M_{14} = M_1' \oplus r_g$, $M_{15} = r_i' \oplus r_j'$ and $M_{16} = h(ID_i' \| SK_{GWN} \| r_g \| r_j')$. Finally, GWN submits the message {M14, M15, M16} to Ui.

5) When receiving messages from GWN, Ui calculates $r_g' = M_{14} \oplus M_1$, $r_j' = M_{15} \oplus r_i$, $SK_i = h(ID_i \| SID_j \| r_i \| r_g' \| r_j')$, $M_{16}' = h(ID_i \| SK_i \| r_g' \| r_j')$, and checks $M_{16}' \overset{?}{=} M_{16}$. The session is rejected if they are not equal. Otherwise, the authentication process is completed.

Finally, Ui can access the sensory data of Sj via GWN, and a session key SKi = SKGWN = SKj is shared among Ui, GWN and Sj. The conceptual phase is shown in Figure 1.

Figure 1. Login and authentication of Li et al.’s scheme.

3.4. Password Change

When Ui wants to update the password, he/she inserts SC into a reader, and imprints the biometric information $b_i'$ on a special device. Then, SC calculates $c_i' = f(\delta \oplus b_i') = f(c_i \oplus (b_i \oplus b_i'))$, and checks $h(c_i') \overset{?}{=} \alpha = h(c_i)$. The session is rejected by SC if the equation is not true. Otherwise, Ui passes the biometric verification and inputs IDi and PWi. Ui calculates $A_i' = h(ID_i \| h(PW_i \| a_i) \| c_i')$ and checks $A_i' \overset{?}{=} A_i$. If they are not equal, the request is declined by SC. Otherwise, a new password $PW_i^{new}$ is allowed to be input. SC calculates $A_i^{new} = h(ID_i \| h(PW_i^{new} \| a_i) \| c_i')$ and $B_i^{new} = B_i \oplus h(h(PW_i \| a_i) \| c_i') \oplus h(h(PW_i^{new} \| a_i) \| c_i')$. Finally, SC updates Ai and Bi with $A_i^{new}$ and $B_i^{new}$, respectively.

4. Security Consideration on Li et al.’s Scheme

In this section, security weaknesses of Li et al.’s scheme are analyzed based on a threat model.

4.1. Threat Model

A threat model is an essential part of research on an authentication scheme. The threat model is a process for enhancing security by classifying vulnerabilities and objectives, and then defining preventive measures against threats to the system. In this work, a threat is a potential malicious attack from an adversary that can cause damage to the assets. We base the threat model on the following assumptions, which are based on the Dolev and Yao threat model [14].

· Any IoT device may be corrupted and turned into a device controlled by the adversary. We refer to this as a malicious device. We assume that all cryptographic keys of the malicious device are known to the adversary.

· An adversary is able to eavesdrop on all the communications between the entities involved in the communication channel over a public channel.

· An adversary has the potential to modify a message, delete, redirect and resend the eavesdropped transmitted messages.

· An adversary can be a legal user or an outsider in any system.

· An adversary can guess low entropy secret and identity individually easily but guessing two secret parameters is computationally infeasible in polynomial time.

· It is assumed that the protocol used in the authenticated key agreement system is known to the attacker.

· We assume that cryptosystems should be secure even if everything about the system, except the session key, is public knowledge.

Furthermore, we add more assumptions to the Dolev and Yao model for the proper cryptanalysis of Li et al.’s scheme, as follows:

· An adversary can extract the information from smartcard or any device by examining power consumption and leaked information [15] [16].

· An adversary can steal the database from GWN, which works as a verification table of IDi.

4.2. Sensor Node Impersonation Attack

When an attacker collects any session’s C2 message for the login and authentication between GWN and Sj and gets the IDi database in GWN, he/she can masquerade as GWN to Ui or Sj to GWN. For the attack, the attacker could select any $ID_i'$ in the database and compute $K_{GWN-S}' = M_8 \oplus ID_i'$, $r_g' = h(ID_i' \| K_{GWN-S}') \oplus M_9$, $r_i' = r_g' \oplus M_{10}$, $M_{11}' = h(ID_i' \| SID_j \| K_{GWN-S}' \| r_i' \| r_g')$, and check $M_{11}' \overset{?}{=} M_{11}$. If they are not equal, the attacker chooses the next candidate $ID_i'$ and applies the validation again. Otherwise, the attacker’s guess of $ID_i'$ is the correct identifier of Ui. Furthermore, the attacker correctly acquires the important long-term secret key between GWN and Sj, which is $K_{GWN-S}$.

So, the attacker could impersonate Sj after successfully forming the reply message as follows. 1) The attacker generates a random number rj, and computes $M_{12} = r_j \oplus K_{GWN-S}$, $SK_j = h(ID_i' \| SID_j \| r_i' \| r_g' \| r_j)$, $M_{13} = h(K_{GWN-S} \| SK_j \| r_j)$. Finally, the attacker responds with the message {M12, M13} to GWN. 2) GWN cannot figure out that the message is from the attacker. So, GWN authenticates the attacker’s message. Therefore, the attacker can be authenticated to GWN by forming the session key $SK_j = h(ID_i' \| SID_j \| r_i' \| r_g' \| r_j)$, which is the same as Ui and GWN’s session key.

4.3. Known Session-Specific Temporary Information Attack

For a user authentication scheme with key agreement, if the session key is secure even though the session-specific temporary information, such as random numbers generated by system entities for the session key, is compromised, the authentication scheme can be called secure against known session-specific temporary information attack [17]. In Li et al.’s scheme, the session key, where and are temporary keys, is generated by Ui, GWN and Sj, respectively. Any adversary with IDi can calculate the session key SK. Therefore, Li et al.’s scheme is vulnerable to known session-specific temporary information attack.

4.4. Deficiency of Perfect Forward Secrecy

Perfect forward secrecy is a required feature for a key agreement scheme; it gives assurance that the session key is not compromised even if the long-term secret key of the server is compromised. But Li et al.’s scheme does not achieve perfect forward secrecy.

In Li et al.’s scheme, the attacker can compute all the session keys among Ui, GWN and Sj if the attacker knows one of the long-term keys, as follows. 1) The attacker gets {M8, M9, M10, M11} and {M12, M13} from the previous communication between GWN and Sj. 2) The attacker knows one long-term secret KGWN-S of Sj and could derive $ID_i' = M_8 \oplus K_{GWN-S}$, $r_g' = h(ID_i' \| K_{GWN-S}) \oplus M_9$, $r_i' = r_g' \oplus M_{10}$ and $r_j' = M_{12} \oplus K_{GWN-S}$. So, the attacker can compute $SK_j = h(ID_i' \| SID_j \| r_i' \| r_g' \| r_j')$. Therefore, Li et al.’s scheme does not provide perfect forward secrecy.
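The analyses in Sections 4.2 and 4.4 can be reproduced on constructed data with the sketch below, an added example that is not code from the paper or from Li et al. It assumes SHA-256 for h(.), 32-byte values so that XOR is well defined, zero-padded identities, and that SIDj is known to the analyst; every key, nonce and identity is generated for the simulation.

```python
import hashlib
import secrets

N = 32  # assumption: every value is a 32-byte string so XOR is well defined

def h(*parts):
    """h(a || b || ...) with SHA-256 standing in for the scheme's hash."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(name):
    """Fixed-length identity encoding (constructed convention)."""
    return name.encode().ljust(N, b"\0")

def gwn_to_sj(id_i, sid_j, k_gs, r_i, r_g):
    """Step 2 of Section 3.3: GWN builds {M8, M9, M10, M11}."""
    return (xor(id_i, k_gs), xor(r_g, h(id_i, k_gs)), xor(r_g, r_i),
            h(id_i, sid_j, k_gs, r_i, r_g))

def sj_to_gwn(id_i, sid_j, k_gs, r_i, r_g, r_j):
    """Step 3: Sj builds {M12, M13} and its session key SK_j."""
    sk_j = h(id_i, sid_j, r_i, r_g, r_j)
    return xor(r_j, k_gs), h(k_gs, sk_j, r_j), sk_j

def check_identity(candidate, sid_j, msg):
    """Section 4.2: M11 works as an offline check for a guessed ID_i.
    Returns (K_GWN-S, r_i, r_g) for a consistent candidate, else None."""
    m8, m9, m10, m11 = msg
    k = xor(m8, candidate)
    r_g = xor(h(candidate, k), m9)
    r_i = xor(r_g, m10)
    return (k, r_i, r_g) if h(candidate, sid_j, k, r_i, r_g) == m11 else None

def recover_sk(k_gs, sid_j, msg, m12):
    """Section 4.4: K_GWN-S plus a recorded transcript yields SK."""
    m8, m9, m10, _ = msg
    id_i = xor(m8, k_gs)
    r_g = xor(h(id_i, k_gs), m9)
    r_i = xor(r_g, m10)
    return h(id_i, sid_j, r_i, r_g, xor(m12, k_gs))

def demo():
    # Constructed session values; none of them come from the paper.
    k_gwn = secrets.token_bytes(N)
    sid_j = pad("sensor-07")
    k_gs = h(sid_j, k_gwn)
    id_db = [pad(u) for u in ("alice", "bob", "carol")]  # GWN's ID table
    id_i = id_db[1]
    r_i, r_g, r_j = (secrets.token_bytes(N) for _ in range(3))
    msg = gwn_to_sj(id_i, sid_j, k_gs, r_i, r_g)
    m12, _m13, sk_j = sj_to_gwn(id_i, sid_j, k_gs, r_i, r_g, r_j)
    hits = [c for c in id_db if check_identity(c, sid_j, msg)]
    k_found = check_identity(hits[0], sid_j, msg)[0]
    return (hits == [id_i], k_found == k_gs,
            recover_sk(k_gs, sid_j, msg, m12) == sk_j)
```

The three results returned by `demo()` correspond to the paper's claims: only the true identity passes the M11 check, the check reveals K_GWN-S, and a recorded transcript plus K_GWN-S gives the session key.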

5. Conclusion

In this paper, we present a cryptanalysis of Li et al.’s three-factor anonymous authentication scheme for WSNs in IoT environments. We have shown that an attacker can easily disturb the secrecy of Li et al.’s scheme by performing sensor node masquerading attack. Furthermore, it is vulnerable to known session-specific temporary information attack and has deficiency of perfect forward secrecy. Security is one of the most significant challenges for the success of IoT. IoT faces various challenges including active device monitoring, improper device updates, lack of efficient and robust security protocols and user unawareness. Thereby, IoT research should be done not just focused on the technological developments but also considering IoT security and privacy concerns.

Acknowledgements

The results in this paper are the parts of Mr. Beaton Ofesi Denice Kapito’s Master degree thesis. This work was supported by Basic Science Research program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (NRF-2017R1D1A1B04032598).

Cite this paper: Kim, H. , Kapito, B. (2021) Security Considerations on Three-Factor Anonymous Authentication Scheme for WSNs. Journal of Computer and Communications, 9, 1-9. doi: 10.4236/jcc.2021.93001.
References

[1]   Tawalbeh, L., Muheidat, F., Tawalbeh, M. and Quwaider, M. (2020) IoT Privacy and Security: Challenges and Solutions. Applied Sciences, 10, 4102.
https://doi.org/10.3390/app10124102

[2]   Jurcut, A., Niculcea, T., Ranaweera, P. and Le-Khac, N. (2020) Security Considerations for Internet of Things: A Survey. SN Computer Science, 1, 193.
https://doi.org/10.1007/s42979-020-00201-3

[3]   Kim, H. (2019) Research Issues on Data Centric Security and Privacy Model for Intelligent Internet of Things Based Healthcare. ICSES Transactions on Computer Networks and Communications, 5, 1-3.

[4]   Kim, H. (2017) Data Centric Security and Privacy Research Issues for Intelligent Internet of Things. ICSES Interdisciplinary Transactions on Cloud Computing, IoT, and Big Data, 1, 1-2.

[5]   Das, M.L. (2009) Two-Factor User Authentication in Wireless Sensor Networks. IEEE Transactions on Wireless Communications, 8, 1086-1090.
https://doi.org/10.1109/TWC.2008.080128

[6]   He, D., Gao, Y., Chan, S., Chen, C. and Bu, J. (2010) An Enhanced Two-Factor User Authentication Scheme in Wireless Sensor Networks. Ad-Hoc Sensor Wireless Networks, 10, 361-371.

[7]   Khan, M.K. and Alghathbar, K. (2010) Cryptanalysis and Security Improvements of Two-Factor User Authentication in Wireless Sensor Networks. Sensors, 10, 2450-2459.
https://doi.org/10.3390/s100302450

[8]   Yeh, H.L., Chen, T.H., Liu, P.C., Kim, T.H. and Wei, H.W. (2011) A Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography. Sensors, 11, 4767-4779.
https://doi.org/10.3390/s110504767

[9]   Kim, H. and Lee, S.W. (2009) Enhanced Novel Access Control Protocol over Wireless Sensor Networks. IEEE Transactions on Consumer Electronics, 55, 492-498.
https://doi.org/10.1109/TCE.2009.5174412

[10]   Kim, H. (2014) Freshness-Preserving Non-Interactive Hierarchical Key Agreement Protocol over WHMS. Sensors, 14, 23742-23757.
https://doi.org/10.3390/s141223742

[11]   Jiang, Q., Ma, J., Wei, F., Tian, Y., Shen, J. and Yang, Y. (2016) An Untraceable Temporal-Credential-Based Two-Factor Authentication Scheme Using ECC for Wireless Sensor Networks. Journal of Network and Computer Applications, 76, 37-48.
https://doi.org/10.1016/j.jnca.2016.10.001

[12]   Li, X., Niu, J., Kumari, S., Wu, F., Sangaiah, A.K. and Choo, K.R. (2018) A Three-Factor Anonymous Authentication Scheme for Wireless Sensor Networks in Internet of Things Environments. Journal of Network and Computer Applications, 103, 194-204.
https://doi.org/10.1016/j.jnca.2017.07.001

[13]   Juels, A. and Wattenberg, M. (1999) A Fuzzy Commitment Scheme. Proceedings 6th ACM Conference Computer and Communications Security, Singapore, 2-4 November 1999, 28-36.
https://doi.org/10.1145/319709.319714

[14]   Dolev, D. and Yao, A.C. (1983) On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29, 198-208.
https://doi.org/10.1109/TIT.1983.1056650

[15]   Kocher, P., Jaffe, J. and Jun, B. (1999) Differential Power Analysis. Lecture Notes in Computer Science, 1666, 388-397.
https://doi.org/10.1007/3-540-48405-1_25

[16]   Messerges, T.S., Dabbish, E.A. and Sloan, R.H. (2002) Examining Smart-Card Security under the Threat of Power Analysis Attack. IEEE Transactions on Computers, 51, 541-552.
https://doi.org/10.1109/TC.2002.1004593

[17]   Cheng, Z., Nistazakis, M., Comley, R. and Vasiu, L. (2005) On the Indistinguishability-Based Security Model of Key Agreement Protocols-Simple Cases. Cryptology ePrint Archive, Report 2005/129.

 
 