1. Introduction
In the Internet of Things environment, wireless sensor networks (WSNs) act as a bridge that links the real physical world and the impalpable virtual world, and provide the possibility and feasibility of observing and analyzing the monitored objects with good resolution [1]. Nowadays, WSNs have been widely applied in environment monitoring, disaster alert, healthcare, and military sensing and tracking [2-7]. WSNs consist of a great many scattered sensor nodes (SNs), which are deployed to gather environmental information and transmit it wirelessly to gateway nodes (GWNs). In WSNs, the GWNs are the most powerful nodes, with rich computation and storage resources. However, the SNs are severely resource-constrained, for example, with insufficient memory capacity, weak computing capability, and limited transmission range. Since WSNs are often randomly scattered in an unattended specific area, an adversary may easily capture a sensor node and cost-effectively extract the secrets from its tamper-prone memory. In addition, owing to the open and wireless nature of WSN communication, malicious SNs may intercept, replay and even modify the transmitted messages. Moreover, user's privacy, including the user's identity, gender, access time and access habits, is vulnerable to leakage. Therefore, how to ensure the safety and stability of WSNs and how to prevent unauthorized disclosure of user's privacy become the most important and critical issues.
Generally, users can access the collected data from the GWNs. However, in some emergency scenarios, users wish to obtain environmental information in a timely manner from specific SNs instead of from the GWNs. For these cases, the most efficient and feasible method is mutual authentication with session key (SK) negotiation. For confidential and integrity-protected data transmission, the user and the SNs should be mutually authenticated, and a shared SK should be negotiated for subsequent secure data transmission. That is to say, the SNs should be able to verify the user's legitimacy based on the packets transmitted by the user. Meanwhile, the user should also be able to verify the legitimacy of the SNs based on the packets received from the SNs. Moreover, the SK should be securely negotiated and allocated to the user and the SNs after mutual authentication has been achieved.
However, achieving mutual authentication with SK negotiation is challenging due to the SNs' poor power supply, computation ability, communication ability and storage capacity. Conventional schemes are not suitable for WSNs, which are distributed, ad-hoc-like networks consisting of a variety of resource-constrained SNs. The most common security mechanism for WSNs is symmetric cryptography [8-9]. These solutions are efficient and simple to implement; however, using the same symmetric key for different sessions exposes the SNs to higher risks in unsupervised and unprotected environments [10-11]. Moreover, such solutions require a shared secret key to be established beforehand, which is hard, and do not support non-repudiation. Therefore, some research focuses on public-key cryptography solutions. These solutions do not need keys to be distributed in advance or pairwise keys to be shared. However, public-key cryptography solutions are too computationally expensive for resource-constrained SNs unless accelerated by cryptographic hardware. Recently, new trust models have been proposed to secure emergency message dissemination in VANETs, and a trust evaluation scheme has been proposed for federated learning in a digital twin for mobile networks [12-14].
Since a person's biometrics may occasionally vary slightly [15], a high rejection probability will occur in the login phase if the conventional bio-hashing technique is adopted [16]. For successful biometric verification in the login phase, the fuzzy extractor technique [17] is adopted in our efficient secure authentication scheme with session key negotiation (eSAS2KN). Owing to the convenience and security of smartcards and the uniqueness of a user's biometrics, we aim to design a more lightweight three-factor authentication scheme based on password, smartcard and user's biometrics, which achieves mutual authentication and session key negotiation using lightweight cryptographic primitives such as hash and XOR operations.
The main contributions of our work are fivefold. 1) A computation-efficient eSAS2KN is proposed for multi-gateway WSNs, which achieves mutual authentication of user, gateway node and sensor node, and negotiates a session key for timely and direct communication between the user and the specific sensor node. 2) The anonymous three-factor authentication with session key negotiation not only strengthens the security and privacy of eSAS2KN, but also decreases the user's login-rejection probability in the login phase. 3) The session key is verified both in Msg3, when the sensor node is authenticated by the gateway node, and in Msg4, when the gateway node is authenticated by the user, which greatly improves the confidentiality of real-time communication between the user and the specific sensor node. 4) Informal security analysis, BAN logic verification, a ROR-based formal security proof and AVISPA-based formal security verification are carried out to prove the security of eSAS2KN; and 5) the computation and communication overheads are compared with those of related schemes to show the efficiency of the proposed eSAS2KN.
2. Related Work
For legitimate access to WSNs and to ensure the confidentiality and reliability of the transmitted information, a variety of mutual authentication with SK negotiation schemes, supplemented with long-term secret keys stored in a smart card (SC), have been developed over the past decades [18–28].
In 2009, Das [18] first proposed an authentication with SK negotiation protocol between user and SNs in WSNs using a password and a smart card (SC). The protocol suits the WSN environment well due to its low computation cost. However, several researchers found Das's protocol to be insecure against several attacks. In 2010, Khan et al. [19] first pointed out that Das's protocol has no password change operation and is prone to privileged-insider attacks as well as GWN bypassing attacks. Chen et al. [20] also showed that Das's protocol fails to achieve mutual authentication between the two communicating parties and is not immune to parallel session attacks. Meanwhile, He et al. [21] also showed that Das's protocol easily suffers from impersonation and privileged-insider attacks.
In the following years, several works focused on solving mutual authentication with session key negotiation in WSNs. In 2011, Yeh et al. [22] pointed out several security defects in Das's protocol and proposed a strengthened authentication scheme with SK negotiation by applying an elliptic curve cryptosystem. Nevertheless, several researchers claimed that Yeh et al.'s scheme is time consuming due to scalar multiplications on the elliptic curve, and is still prone to several attacks. In 2012, several security vulnerabilities, such as lack of key negotiation, captured sensor node impersonation (CSNI) attacks, and stolen/lost smart card (SLSC) attacks, in both Das's protocol and its derivatives [19, 20] were pointed out by Vaidya et al. [23]. In 2013, Xue et al. [24] put forward a scheme in which user, GWNs and SNs mutually authenticate each other by applying temporary credentials, hash and XOR operations. The scheme has more security features and a higher security level with little increase in computation and communication costs and storage capacity. In 2014, Kim et al. [25] claimed that Vaidya et al.'s protocol is prone to impersonation attacks and GWN bypassing attacks. They also proposed an enhanced lightweight authentication scheme with SK negotiation. In 2015, Chang et al. [26] showed that Kim et al.'s protocol is prone to man-in-the-middle (MITM) attacks, CSNI attacks, SLSC attacks, user privacy leakage, and SK violation attacks. To eradicate these security pitfalls, they also devised an improved authentication scheme with SK negotiation using dynamic identities. In 2016, Park et al. [27] showed that Chang et al.'s protocol is still vulnerable to offline password guessing (OPG) attacks, has perfect forward secrecy issues and an incorrect password change procedure, and also designed an enhanced authentication scheme with SK negotiation. In 2017, Jung et al. [28] claimed that Chang et al.'s scheme is vulnerable to OPG attacks, user impersonation attacks and SK compromise attacks. Moreover, the scheme has no SK verification and places a high load on the GWNs. To eliminate these security vulnerabilities and defects, they also designed an improved authentication scheme with SK negotiation for WSN environments.
In recent years, more attention has been paid to this subject. In 2018, Amin et al. [29] proposed the MBS-UAKA protocol for WSNs with multiple base stations; its user authentication with key agreement achieves secure communication and authentication. In 2019, Soni et al. [30] designed an improved scheme for patient-monitoring WSNs, which efficiently eliminates both active and passive attacks. In 2020, Ali et al. [31] proposed a robust scheme for secure communication in WSN-based healthcare systems, which achieves authentication and access control. In 2021, Wu et al. [32] put forward a new three-factor authentication scheme for WSNs. In 2022, Dai et al. [33] also put forward a three-factor authentication scheme based on ECC for multi-gateway WSNs. In spite of great improvements, these schemes are still insufficiently secure or efficient, and some fail to achieve user anonymity and untraceability. Some are not lightweight because of their heavy computation and communication costs. More seriously, some are vulnerable to SK leakage attacks. Moreover, the biometrics of the same person may occasionally vary slightly [15]; therefore, a high rejection probability occurs if the conventional bio-hashing technique is applied in the design of authentication protocols. In addition, biometric data is vulnerable to a variety of noise in the data acquisition phase. Worse yet, a regeneration of the user's real biometrics may succeed in cheating GWNs or SNs in common practice.
To overcome these defects in biometric data acquisition, we resort to the fuzzy extractor method [17, 34–36], which generates a uniformly distributed random string and a public parameter from its input biometrics within a given error tolerance. We therefore design eSAS2KN for multi-gateway WSNs using the fuzzy extractor, a smartcard, and lightweight operations such as hash functions and bitwise exclusive-or. The novelty of eSAS2KN is fourfold. 1) Mutual authentication is achieved between any two of a user, a GWN and an SN, and an SK between the user and the specific SN is negotiated for their timely, direct and subsequent secure communication; 2) user anonymity and privacy protection are achieved; 3) session key establishment and verification are incorporated into the authentication phase, which strengthens the communication confidentiality between the user and the specific SN; and 4) the user's login-rejection probability is decreased in the login phase.
3. Network Model and Threat Model
To elaborate the proposed eSAS2KN clearly, we first present the network model and then the threat model in this section.
3.1 Network Model
In eSAS2KN, there are K gateway nodes (GWNs), each of which serves J sensor nodes (SNs) scattered in the vicinity of GWNk, as shown in Fig. 1. The resource-constrained SNs in the specific area are used to harvest the desired environmental information. Each GWN is deployed at the center of its J SNs to aggregate the collected environmental information and forward it to the specific user Ui. A user Ui in the vicinity of GWNk and the sensor node Sj can obtain the environmental information from the specific GWNk or directly from the specific Sj for real-time applications. In addition, all the users, GWNs and SNs are synchronized to the same clock.
Fig. 1. Network model of eSAS2KN
3.2 Threat Model
In eSAS2KN, all the SNs are assumed to be untrustworthy, whereas all the GWNs are trustworthy and cannot be compromised. The DY model [37] is employed to evaluate the security of eSAS2KN. Under this threat model, any node can communicate with any other via public (insecure) channels. An adversary is able to intercept the transmitted messages, alter or even delete the message contents, and inject bogus messages via the public channels. Moreover, the secrets stored in the memory of a legitimate user's SC can be extracted through power analysis [38–41]. However, the secrets stored in the memory of any GWN cannot be extracted through power analysis.
In eSAS2KN, the CK model is also utilized to analyze and evaluate the security of the key-exchange protocol [42,43]. Under this threat model, an adversary is able to send messages and to compromise secrets including the SK, long-term secret keys and the session state. As a result, temporary session secrets, the SK and long-term private keys may be leaked during the key exchange, which directly threatens other previous and/or future session keys [44].
4. The eSAS2KN Scheme
In eSAS2KN, mutual authentication is achieved among Ui, GWNk and Sj. In addition, an SK is negotiated between Ui and Sj under the coordination of GWNk after mutual authentication. With the computed SK, Ui and Sj can communicate in a timely, direct and secure manner without GWNk's intervention. The main notations and their descriptions are listed in Table 1.
Table 1. Notations and corresponding description
4.1 Registration Phase
The registration phase of eSAS2KN consists of two parts: one for user registration and the other for sensor node registration, as shown in Fig. 2.
4.1.1 User Registration
For registration, Ui transmits a request message to the nearest GWNk through a secure channel. After successfully verifying Ui's identity, GWNk issues a smart card SCi to Ui. The user registration process is described in the following steps, which are illustrated in the left part of Fig. 2.
Fig. 2. Registration process of eSAS2KN.
UR1: Ui selects his IDi and PWi, then imprints his BIOi on a biometric sensor.
UR2: Ui generates a nonce RNi, then computes PIDi = h(IDi║RNi).
UR3: Ui computes Gen(BIOi) = (σi, τi), HPWi = h(PWi║σi), and then sends the message <PIDi, HPWi> to the GWNk for registration.
UR4: The GWNk stores HPWi in its memory and calculates HIDi = h(PIDi║K), XSi = h(HIDi║K), Ai = h(HPWi║XSi)⊕HIDi, Bi = h(PIDi║XSi) and Ci = XSi ⊕h(IDSi║HPWi), and then writes (IDSi, HIDi, h(·), Ai, Bi, Ci) to the memory of SCi, and finally issues SCi to Ui via a secure channel.
UR5: Ui calculates Di = h(PWi)⊕RNi, then writes Di and τi into the SCi.
4.1.2 Sensor Node Registration
For sensor node registration, Sj first sends its hashed identity PIDj to the nearest GWNk. On receiving the registration request from Sj, GWNk stores PIDj in its memory, calculates HIDj, Aj and Bj, and then sends them to Sj through a secure channel. After receiving the parameters HIDj, Aj and Bj, Sj writes them to its memory. The detailed sensor node registration phase is presented in the following steps, which are illustrated in the right part of Fig. 2.
SR1: Sj chooses SIDj as its identity, generates a random nonce RNj, and calculates PIDj = h(SIDj║RNj), then sends PIDj to GWNk for registration through a secure channel.
SR2: GWNk stores PIDj in its memory, calculates HIDj = h(PIDj║K), XSj = h(HIDj║K), Aj = h(XSj║RNk)⊕HIDj, Bj = XSj⊕h(PIDj), and then sends <HIDj, Aj, Bj> to Sj through a secure channel.
SR3: Sj stores the parameters (HIDj, Aj, Bj) in its memory.
4.2 Login and Authentication Phase
This phase achieves mutual authentication and session key negotiation between Ui and Sj with the coordination of GWNk. The detailed process of login, authentication and session key negotiation is described in the following steps, which are shown in Fig. 3.
Fig. 3. Login and authentication process of eSAS2KN
LA1: Ui puts SCi on a card reader, types in his IDi and PWi, then imprints his BIO*i through a biometric sensor. (BIO*i denotes that the input biometrics are slightly different from the original BIOi.)
LA2: SCi computes σ*i = Rep(BIO*i, τi) provided that HD(BIOi, BIO*i) < t, HPW*i = h(PWi║σ*i), RNi = Di⊕h(PWi), PIDi = h(IDi║RNi), XS*i = Ci⊕h(IDSi║HPW*i) and B*i = h(PIDi║XS*i).
LA3: SCi verifies B*i = ? Bi. If not satisfied, SCi terminates the login, authentication and session key negotiation phase; otherwise, SCi calculates ki = h(XSi║T(1)i), DIDi = h(HPWi║XSi)⊕ki, and MUi,Gk = h(Ai║XSi║T(1)i), where Gk refers to GWNk for short.
LA4: Ui transmits the message Msg1:<DIDi, HIDi, MUi,Gk,T(1)i> to the GWNk as a login request.
LA5: Upon receiving the login request, GWNk checks |T(1)Gk - T(1)i| ≤ ΔT. If not satisfied, the login, authentication and session key negotiation process stops; otherwise, it proceeds to the next step.
LA6: GWNk calculates XSi = h(HIDi║K), ki = h(XSi║T(1)i), Ai = DIDi⊕ki⊕HIDi, and M*Ui,Gk = h(Ai║XSi║T(1)i), then verifies M*Ui,Gk = ? MUi,Gk. If it does not hold, the login, authentication and session key negotiation process stops; otherwise, it proceeds to the next step.
LA7: GWNk generates a nonce RNk, gets PIDj and K from its memory, and then computes HIDj = h(PIDj║K), XSj = h(HIDj║K), Mj = h(XSj║RNk)⊕HIDi, Nj = h(PIDj║XSj)⊕HIDj, and MGk,Sj = h(HIDi║Mj║Nj║T(2)Gk), and finally transmits the message Msg2: <HIDi, PIDj, MGk,Sj, T(2)Gk> to Sj.
LA8: On receiving Msg2 from GWNk, Sj checks |T(1)j - T(2)Gk| ≤ ΔT. If not satisfied, the login and authentication process stops; otherwise, Sj computes Mj = Aj⊕HIDj⊕HIDi, XSj = Bj⊕h(PIDj), Nj = h(PIDj║XSj)⊕HIDj, and M*Gk,Sj = h(HIDi║Mj║Nj║T(2)Gk).
LA9: Sj verifies M*Gk,Sj = ? MGk,Sj. If not satisfied, the login and authentication process stops; otherwise, Sj calculates SKj = h(HIDi║Mj║Nj║T(2)j) and MSj,Gk = h(HIDj║HIDi║SKj║Mj║Nj║T(2)j), then transmits the message Msg3: <MSj,Gk, HIDi, T(2)j> to GWNk.
LA10: On receiving Msg3, GWNk checks |T(3)Gk - T(2)j| ≤ ΔT. If not satisfied, the login and authentication process stops; otherwise, GWNk calculates HIDj = h(PIDj║K), XSj = h(HIDj║K), Mj = h(XSj║RNk)⊕HIDi, Nj = h(PIDj║XSj)⊕HIDj, SKj = h(HIDi║Mj║Nj║T(2)j), and M*Sj,Gk = h(HIDj║HIDi║SKj║Mj║Nj║T(2)j).
LA11: GWNk verifies M*Sj,Gk = ? MSj,Gk. If not satisfied, the authentication process stops; otherwise, GWNk gets HPWi and K from its memory and computes XSi = h(HIDi║K), Pi = h(HPWi║XSi)⊕RNk and MGk,Ui = h(HIDi║Pi║SKj║Mj║Nj║T(4)Gk), then transmits the message Msg4: <MGk,Ui, HIDi, Pi, XSj, Nj, T(2)j, T(4)Gk> to Ui.
LA12: On receiving Msg4, Ui checks |T(2)i - T(4)Gk| ≤ ΔT. If not satisfied, the login and authentication process stops; otherwise, Ui computes RNk = Pi⊕Ai⊕HIDi, Mj = h(XSj║RNk)⊕HIDi, SKj = h(HIDi║Mj║Nj║T(2)j) and M*Gk,Ui = h(HIDi║Pi║SKj║Mj║Nj║T(4)Gk).
LA13: Ui verifies M*Gk,Ui = ? MGk,Ui. If not satisfied, the login and authentication process stops; otherwise, Ui computes SKi = h(HIDi║Mj║Nj║T(2)j). Now, mutual authentication among Ui, GWNk and Sj is achieved, and the session keys SKj and SKi have been computed by Sj and Ui, respectively.
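To make the registration steps UR1–UR5 and SR1–SR3 and the login/authentication steps LA1–LA13 above concrete, the following Python simulation is added here as an example; it is not the authors' implementation. It assumes SHA-256 as h(·), a placeholder fuzzy extractor in which only the exact biometric reproduces σi, a random card serial as IDSi, that the caller tells GWNk which Sj is targeted, and that GWNk reuses the RNk from SR2 in LA7 so that Sj's recomputation of Mj from Aj in LA8 matches.

```python
import hashlib, os, time

def h(*parts: bytes) -> bytes:  # h(a║b║...): SHA-256 over the concatenation of its inputs
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:  # bitwise ⊕ of two equal-length byte strings
    return bytes(x ^ y for x, y in zip(a, b))

def ts() -> bytes:  # current timestamp T, as bytes so it can be hashed
    return str(int(time.time())).encode()

def fresh(t_sent: bytes) -> bool:  # |T_now - T_sent| ≤ ΔT; ΔT = 5 s is an assumed value
    return abs(int(ts()) - int(t_sent)) <= 5

def gen(bio: bytes):  # placeholder Gen(BIO) = (σ, τ); a real fuzzy extractor tolerates noisy BIO*
    tau = os.urandom(32)
    return h(bio, tau), tau

def rep(bio_star: bytes, tau: bytes) -> bytes:  # placeholder Rep(BIO*, τ): exact BIO* only
    return h(bio_star, tau)

class Gateway:
    def __init__(self):  # K never leaves the GWN; users: HIDi->HPWi; sensors: PIDj->(HIDj, XSj, RNk)
        self.K, self.users, self.sensors, self.sessions = os.urandom(32), {}, {}, {}
    def register_user(self, pid_i, hpw_i):  # UR4, over a secure channel
        hid_i, ids_i = h(pid_i, self.K), os.urandom(8)  # IDSi: card serial (assumption)
        xs_i = h(hid_i, self.K)
        self.users[hid_i] = hpw_i
        return {"IDS": ids_i, "HID": hid_i, "A": xor(h(hpw_i, xs_i), hid_i),
                "B": h(pid_i, xs_i), "C": xor(xs_i, h(ids_i, hpw_i))}
    def register_sensor(self, pid_j):  # SR2, over a secure channel
        hid_j = h(pid_j, self.K)
        xs_j, rn_k = h(hid_j, self.K), os.urandom(32)
        self.sensors[pid_j] = (hid_j, xs_j, rn_k)
        return hid_j, xor(h(xs_j, rn_k), hid_j), xor(xs_j, h(pid_j))  # HIDj, Aj, Bj
    def handle_msg1(self, msg1, pid_j):  # LA5-LA7; the target Sj is chosen by the caller (assumption)
        did, hid_i, mu, t1 = msg1
        xs_i = h(hid_i, self.K)
        a_i = xor(xor(did, h(xs_i, t1)), hid_i)  # Ai = DIDi ⊕ ki ⊕ HIDi
        if not fresh(t1) or h(a_i, xs_i, t1) != mu:
            return None
        hid_j, xs_j, rn_k = self.sensors[pid_j]  # RNk of SR2 reused: Sj rebuilds Mj from Aj in LA8
        m_j = xor(h(xs_j, rn_k), hid_i)
        n_j = xor(h(pid_j, xs_j), hid_j)
        self.sessions[hid_i] = (hid_j, rn_k, xs_j, m_j, n_j)
        t2 = ts()
        return hid_i, pid_j, h(hid_i, m_j, n_j, t2), t2  # Msg2
    def handle_msg3(self, msg3):  # LA10-LA11
        m_sg, hid_i, t2j = msg3
        hid_j, rn_k, xs_j, m_j, n_j = self.sessions[hid_i]
        sk_j = h(hid_i, m_j, n_j, t2j)  # SKj is verified as part of MSj,Gk
        if not fresh(t2j) or h(hid_j, hid_i, sk_j, m_j, n_j, t2j) != m_sg:
            return None
        p_i = xor(h(self.users[hid_i], h(hid_i, self.K)), rn_k)  # Pi = h(HPWi║XSi) ⊕ RNk
        t4 = ts()
        return h(hid_i, p_i, sk_j, m_j, n_j, t4), hid_i, p_i, xs_j, n_j, t2j, t4  # Msg4

class Sensor:
    def __init__(self, sid_j, gw):  # SR1, SR3
        self.pid = h(sid_j, os.urandom(32))  # PIDj = h(SIDj║RNj)
        self.hid, self.a, self.b = gw.register_sensor(self.pid)
    def handle_msg2(self, msg2):  # LA8-LA9
        hid_i, pid_j, m_gs, t2 = msg2
        m_j = xor(xor(self.a, self.hid), hid_i)  # Mj = Aj ⊕ HIDj ⊕ HIDi
        xs_j = xor(self.b, h(pid_j))
        n_j = xor(h(pid_j, xs_j), self.hid)
        if pid_j != self.pid or not fresh(t2) or h(hid_i, m_j, n_j, t2) != m_gs:
            return None
        t2j = ts()
        self.sk = h(hid_i, m_j, n_j, t2j)  # SKj
        return h(self.hid, hid_i, self.sk, m_j, n_j, t2j), hid_i, t2j  # Msg3

class User:
    def __init__(self, gw, id_i, pw_i, bio_i):  # UR1-UR5
        self.id, rn_i = id_i, os.urandom(32)
        sigma_i, tau_i = gen(bio_i)
        self.card = gw.register_user(h(id_i, rn_i), h(pw_i, sigma_i))  # sends PIDi, HPWi
        self.card["D"], self.card["tau"] = xor(h(pw_i), rn_i), tau_i
    def login(self, pw_i, bio_star):  # LA1-LA4; returns Msg1, or None when the LA3 check fails
        hpw = h(pw_i, rep(bio_star, self.card["tau"]))
        pid_i = h(self.id, xor(self.card["D"], h(pw_i)))
        xs = xor(self.card["C"], h(self.card["IDS"], hpw))
        if h(pid_i, xs) != self.card["B"]:  # local password/biometric check before anything is sent
            return None
        t1 = ts()
        return xor(h(hpw, xs), h(xs, t1)), self.card["HID"], h(self.card["A"], xs, t1), t1
    def handle_msg4(self, msg4):  # LA12-LA13; returns SKi, or None when the check fails
        m_gu, hid_i, p_i, xs_j, n_j, t2j, t4 = msg4
        rn_k = xor(xor(p_i, self.card["A"]), hid_i)  # RNk = Pi ⊕ Ai ⊕ HIDi
        m_j = xor(h(xs_j, rn_k), hid_i)
        sk_i = h(hid_i, m_j, n_j, t2j)
        return sk_i if fresh(t4) and h(hid_i, p_i, sk_i, m_j, n_j, t4) == m_gu else None

def run_session(user, gw, sensor, pw_i, bio_star):  # Msg1..Msg4; (SKi, SKj), or None on any failure
    msg1 = user.login(pw_i, bio_star)
    msg2 = msg1 and gw.handle_msg1(msg1, sensor.pid)
    msg3 = msg2 and sensor.handle_msg2(msg2)
    msg4 = msg3 and gw.handle_msg3(msg3)
    sk_i = msg4 and user.handle_msg4(msg4)
    return (sk_i, sensor.sk) if sk_i else None
```

A correct run returns equal SKi and SKj; a wrong password or biometric is rejected locally in LA3 before Msg1 is sent, and a tampered MGk,Sj is rejected by Sj in LA9.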
4.3 Password and Biometrics Updating Phase
For security reasons, a legitimate user may wish to change his/her current password to a new one and/or to replace the currently stored biometric template with a new one. To this end, eSAS2KN provides a password and biometrics updating function. The detailed updating process is described in the following steps, which are illustrated in Fig. 4.
Fig. 4. Password and biometrics updating process of eSAS2KN.
U1: Ui puts SCi on a card reader, types in the currently used IDi and PWi, and imprints his BIO*i.
U2: SCi computes σ*i = Rep(BIO*i, τi), HPW*i = h(PWi║σ*i), RNi = Di⊕h(PWi), PIDi = h(IDi║RNi), XS*i = Ci⊕h(IDSi║HPW*i) and B*i = h(PIDi║XS*i).
U3: SCi verifies B*i = ?Bi. If unsuccessful, the password and biometrics updating process stops; otherwise, the next step proceeds.
U4: Ui imprints his new biometrics BIOnewi and/or inputs a new password PWnewi, then SCi computes σnewi = Rep(BIOnewi, τi), HPWnewi = h(PWnewi║σnewi), RNnewi = Di⊕h(PWnewi), PIDnewi = h(IDi║RNnewi), XSnewi = Ci⊕h(IDSi║HPWnewi), Anewi = h(HPWnewi║XSnewi)⊕HIDi, Bnewi = h(PIDnewi║XSnewi), Cnewi = XSnewi⊕h(IDSi║HPWnewi), Dnewi = h(PWnewi)⊕RNnewi, and HIDnewi = Anewi⊕h(HPWnewi║XSnewi).
U5: SCi/Ui replaces the current Ai, Bi, Ci, Di and HIDi with the newly computed Anewi, Bnewi, Cnewi, Dnewi and HIDnewi, respectively. Finally, the parameters (IDSi, HIDnewi, h(·), Anewi, Bnewi, Cnewi, Dnewi, τi) are stored in SCi.
5. Security Analysis
To evaluate the scheme's security, we give a detailed informal security analysis, a formal security proof, and a formal security verification of eSAS2KN.
5.1 Informal Security Analysis
User Anonymity: In eSAS2KN, an attacker \(\mathcal{A}\) cannot obtain IDi even if he/she obtains HIDi from the parameters (IDSi, HIDi, h(·), Ai, Bi, Ci, Di, τi) extracted by a power analysis attack [38-41] from the memory of an SLSC, or from the intercepted messages Msg1, Msg2, Msg3 and/or Msg4. Since the secret K is possessed only by the trusted GWNk, \(\mathcal{A}\) cannot obtain it. Without K, \(\mathcal{A}\) cannot guess PIDi from HIDi = h(PIDi║K). Without RNi and PIDi, \(\mathcal{A}\) cannot guess IDi from PIDi = h(IDi║RNi). Therefore, the proposed eSAS2KN has the feature of user anonymity.
Man-in-the-Middle (MITM) Attack: If \(\mathcal{A}\) wants to launch a MITM attack to cheat GWNk by forging/altering the transmitted Msg1, he/she must obtain a legitimate user's SCi, IDi, PWi and BIOi. Without BIOi, \(\mathcal{A}\) cannot compute Ui's biometric secret σi according to σ*i = Rep(BIO*i, τi). Without Ui's password PWi and smartcard SCi, \(\mathcal{A}\) cannot compute the nonce RNi according to RNi = Di⊕h(PWi). Without the password PWi and the biometric secret σi, \(\mathcal{A}\) cannot compute Ui's hashed password HPW*i according to HPW*i = h(PWi║σ*i). Without HPW*i and SCi, \(\mathcal{A}\) cannot compute XS*i according to XS*i = Ci⊕h(IDSi║HPW*i). Without XSi and HPWi, \(\mathcal{A}\) cannot compute DIDi and MUi,Gk according to DIDi = h(HPWi║XSi)⊕h(XSi║T(1)i) and MUi,Gk = h(Ai║XSi║T(1)i), respectively. Therefore, \(\mathcal{A}\) cannot forge Msg1: <DIDi, HIDi, MUi,Gk, T(1)i> to cheat GWNk.
If \(\mathcal{A}\) wants to launch a MITM attack to cheat Ui by forging/altering the transmitted Msg4, he/she must obtain PIDj and the secret K. However, all the GWNs are trustworthy and cannot be compromised, so \(\mathcal{A}\) cannot extract PIDj and K from the memory of GWNk. Without PIDj and K, \(\mathcal{A}\) cannot compute HIDj according to HIDj = h(PIDj║K) or XSj according to XSj = h(HIDj║K). Without HIDj and XSj, \(\mathcal{A}\) cannot compute Mj and Nj according to Mj = h(XSj║RNk)⊕HIDi and Nj = h(PIDj║XSj)⊕HIDj, respectively. Without Mj and Nj, \(\mathcal{A}\) cannot compute MGk,Ui according to MGk,Ui = h(HIDi║Pi║SKj║Mj║Nj║T(4)Gk), let alone forge Msg4: <MGk,Ui, HIDi, Pi, XSj, Nj, T(2)j, T(4)Gk> to cheat Ui.
If \(\mathcal{A}\) wants to launch a MITM attack to cheat Sj by forging/altering the transmitted Msg2, he/she must obtain PIDj and the secret K. However, PIDj and K are stored in the memory of the trusted GWNk. Without PIDj and K, \(\mathcal{A}\) cannot compute Mj and Nj according to Mj = h(XSj║RNk)⊕HIDi and Nj = h(PIDj║XSj)⊕HIDj, respectively. Without Mj and Nj, \(\mathcal{A}\) cannot compute MGk,Sj = h(HIDi║Mj║Nj║T(2)Gk), let alone forge Msg2: <HIDi, PIDj, MGk,Sj, T(2)Gk> to cheat Sj.
If \(\mathcal{A}\) wants to launch a MITM attack to cheat GWNk by forging/altering the transmitted Msg3, he/she must obtain Mj and Nj to compute SKj = h(HIDi║Mj║Nj║T(2)j). However, as analyzed above, \(\mathcal{A}\) cannot obtain Mj and Nj. Without SKj, \(\mathcal{A}\) cannot compute MSj,Gk according to MSj,Gk = h(HIDj║HIDi║SKj║Mj║Nj║T(2)j). Therefore, \(\mathcal{A}\) cannot forge Msg3: <MSj,Gk, HIDi, T(2)j> to cheat GWNk.
Based on the above analysis, it can be concluded that MITM attacks are resisted in eSAS2KN.
Mutual Authentication with Key Agreement: In eSAS2KN, Ui is authenticated by GWNk through verifying Msg1: <DIDi, HIDi, MUi,Gk, T(1)i> by checking M*Ui,Gk = ? MUi,Gk. Similarly, Sj is authenticated by GWNk through verifying Msg3: <MSj,Gk, HIDi, T(2)j> by checking M*Sj,Gk = ? MSj,Gk. In addition, GWNk is authenticated by Ui through verifying Msg4: <MGk,Ui, HIDi, Pi, XSj, Nj, T(2)j, T(4)Gk> by checking M*Gk,Ui = ? MGk,Ui. Likewise, GWNk is authenticated by Sj through verifying Msg2: <HIDi, PIDj, MGk,Sj, T(2)Gk> by checking M*Gk,Sj = ? MGk,Sj. Moreover, SKj and SKi are computed at the Sj and Ui ends, respectively, for their subsequent secure communication. In view of the above analysis, it can be concluded that the proposed eSAS2KN achieves mutual authentication and SK negotiation.
Withstands Replay Attack: In eSAS2KN, all sent and received messages are labelled with the sender's current timestamp, such as T(1)i, T(1)Gk and T(1)j. It is impossible for \(\mathcal{A}\) to log in to GWNk, to tamper with the intercepted messages to cheat Sj or Ui as a legal GWNk, or to cheat GWNk as a legal Sj or Ui. Therefore, the proposed eSAS2KN has the feature of withstanding replay attacks.
Withstands SLSC Attack: In eSAS2KN, even if \(\mathcal{A}\) succeeds in extracting the parameters (IDSi, HIDi, h(·), Ai, Bi, Ci, Di, τi) stored in the stolen or lost SCi through a power analysis attack [38-41], he/she still has no chance to launch malicious attacks. If \(\mathcal{A}\) wants to guess the user's IDi according to PIDi = h(IDi║RNi), he/she must obtain the secret K and h(PWi) in advance. If \(\mathcal{A}\) has the secret K, he/she can guess PIDi according to HIDi = h(PIDi║K) with the HIDi extracted from the stolen or lost SCi. If \(\mathcal{A}\) has h(PWi), he/she can compute RNi according to RNi = Di⊕h(PWi) with the Di extracted from the stolen or lost SCi. However, due to the trustworthiness of GWNk, \(\mathcal{A}\) cannot obtain the secret K. Without knowing the random nonce RNi, \(\mathcal{A}\) cannot compute h(PWi) according to h(PWi) = Di⊕RNi. Therefore, \(\mathcal{A}\) cannot guess the user's IDi according to PIDi = h(IDi║RNi). Not knowing IDi, \(\mathcal{A}\) cannot imitate a legitimate user to cheat Sj or GWNk. Therefore, the proposed eSAS2KN has the feature of withstanding SLSC attacks.
Withstands OPG Attack: In eSAS2KN, if \(\mathcal{A}\) hopes to guess the correct PWi offline according to HPWi = h(PWi║σi), he/she has to obtain HPWi and a legitimate user's biometric secret key σi. However, \(\mathcal{A}\) cannot obtain HPWi and σi. HPWi cannot be extracted because it is stored in the memory of GWNk, which is a trustworthy node. In addition, without a legitimate user's BIOi, \(\mathcal{A}\) cannot compute σi according to Gen(BIOi) = (σi, τi). Therefore, the proposed eSAS2KN has the feature of withstanding OPG attacks.
Withstands CSNI Attack: In eSAS2KN, if Sj is compromised by a malicious \(\mathcal{A}\), the parameters (HIDj, Aj, Bj) stored in Sj's memory are all known to \(\mathcal{A}\). However, \(\mathcal{A}\) cannot compute the secret information of either Ui or GWNk. Suppose that SKi = h(HIDi║Mj║Nj║T(2)j) is computed by Ui in the current session. The old and future session keys will still not be known to \(\mathcal{A}\). When the compromised Sj receives the request <HIDi, PIDj, MGk,Sj, T(2)Gk> from GWNk, \(\mathcal{A}\) can retrieve Mj, XSj and Nj. However, these parameters have no relation to Ui. Therefore, \(\mathcal{A}\) will not be able to impersonate Ui in the future. Although \(\mathcal{A}\) can retrieve XSj from GWNk's request to the compromised Sj, \(\mathcal{A}\) cannot derive GWNk's secret K according to XSj = h(HIDj║K). Without K, \(\mathcal{A}\) will not be able to impersonate GWNk. Therefore, the proposed eSAS2KN has the feature of withstanding CSNI attacks.
Withstands GWNs Bypassing Attack: In eSAS2KN, even if \(\mathcal{A}\) captures a legal user's SCi and succeeds in extracting the parameters (IDSi, HIDi, h(·), Ai, Bi, Ci, Di, τi) stored in the memory of SCi, he/she cannot cheat Sj by impersonating GWNk. Since \(\mathcal{A}\) cannot obtain PIDj and the secret K, which are owned only by the trusted GWNk, he/she cannot compute HIDj according to HIDj = h(PIDj║K), let alone XSj. Without XSj, \(\mathcal{A}\) cannot compute Mj and Nj. Without Mj and Nj, \(\mathcal{A}\) will fail to compute MGk,Sj according to MGk,Sj = h(HIDi║Mj║Nj║T(2)Gk), let alone forge a valid message <HIDi, PIDj, MGk,Sj, T(2)Gk> to cheat Sj. Therefore, the proposed eSAS2KN has the feature of withstanding GWNs bypassing attacks.
Provides Password Verification Process: In eSAS2KN, given the possibility of incorrect password input, we adopt a password verification process by verifying B*i = ? Bi at the beginning of the login process. In addition, given the fact that a person's biometrics may occasionally be slightly different from the original [15], we resort to the fuzzy extractor technique instead of conventional bio-hashing techniques to decrease Ui's high rejection rate in the login phase of eSAS2KN. Therefore, the two methods contribute greatly to the robustness of eSAS2KN.
Provides Session Key Verification Process: In eSAS2KN, Sj computes MSj,Gk according to MSj,Gk = h(HIDj║HIDi║SKj║Mj║Nj║T(2)j) with the computed session key SKj, and then transmits Msg3: <MSj,Gk, HIDi, T(2)j> to GWNk. Since the session key SKj is concatenated into MSj,Gk of Msg3, from the perspective of GWNk, the verification of SKj and the authentication of Sj are both achieved by verifying M*Sj,Gk = ? MSj,Gk. In the same way, GWNk computes MGk,Ui = h(HIDi║Pi║SKj║Mj║Nj║T(4)Gk) with the computed session key SKj, and then transmits Msg4: <MGk,Ui, HIDi, Pi, XSj, Nj, T(2)j, T(4)Gk> to Ui. Since SKj is also concatenated into MGk,Ui, from the perspective of Ui, the verification of SKj and the authentication of GWNk are both achieved by verifying M*Gk,Ui = ? MGk,Ui. Therefore, eSAS2KN has the security feature of providing SK verification.
Withstands Privileged-insider Attack: In eSAS2KN, IDi and PWi are sent to GWNk for registration only in hashed form, as PIDi = h(IDi║RNi) and HPWi = h(PWi║σi), respectively. A privileged insider attacker therefore cannot identify the registered user's IDi and PWi. Therefore, the proposed eSAS2KN has the feature of withstanding privileged-insider attacks.
Provides Session Key Security: In eSAS2KN, \(\mathcal{A}\) cannot calculate SKi and SKj. To calculate SKi/SKj according to SKi/SKj = h(HIDi║Mj║Nj║T(2)j), \(\mathcal{A}\) must compute Mj and Nj. However, RNk is a random nonce generated by GWNk and known only to the trusted GWNk, so \(\mathcal{A}\) cannot obtain it. Moreover, due to the trustworthiness of GWNk, \(\mathcal{A}\) cannot extract PIDj from the memory of GWNk. Therefore, without RNk and PIDj, \(\mathcal{A}\) cannot compute Mj and Nj according to Mj = h(XSj║RNk)⊕HIDi and Nj = h(PIDj║XSj)⊕HIDj, respectively. Therefore, \(\mathcal{A}\) cannot compute SKi/SKj at either the Ui or the Sj end. This means that the proposed eSAS2KN has the security feature of providing SK security.
5.2 Formal Security Proof and Verification
In the following subsections, BAN logic-based verification, ROR model-based formal security proof, and AVISPA-based formal security verification are presented in detail to show the security of the proposed eSAS2KN.
5.2.1 Logical Verification
In this subsection, the well-known BAN logic, a well-established tool for the logical verification of cryptographic protocols, is used to prove the legitimacy of the SK computed at the Ui and Sj ends.
Basic Notations
• U ◁ C : C is received by U.
• U |≡ C : C is believed by U.
• #(C) : C is fresh.
• U ∣~ C : C is once sent by U.
• \(\begin{align}U \stackrel{K}{\longleftrightarrow} S\end{align}\) : U and S share the secret key K.
• U |⇒ C : U has jurisdiction over C.
• (C, M) : C or M is a part of (C, M).
• {C}K : C is encrypted with K.
Logic Rules
• R1 (Message-meaning rule): \(\begin{align}\frac{U \mid \equiv U \stackrel{K}{\leftrightarrow} S, \; U \triangleleft\{C\}_{K}}{U \mid \equiv S \mid \sim C}\end{align}\), if U believes he shares a secret key K with S and receives C encrypted with K, then he believes C was once sent by S.
• R2 (Nonce-verification rule): \(\begin{align}\frac{U|\equiv \#(C), \; U| \equiv S \mid \sim C}{U|\equiv S| \equiv C}\end{align}\), if U believes C is fresh and believes S once sent C, then U believes S believes C.
• R3 (Belief rule): \(\begin{align}\frac{U|\equiv C, \; U| \equiv M }{U| \equiv (C, M)}\end{align}\), if U believes C and M, then he believes (C, M).
• R4 (Freshness rule): \(\begin{align}\frac{U|\equiv \# (C)} {U| \equiv \#(C, M)}\end{align}\), if U believes C is fresh, then he believes the freshness of (C, M).
Goals
In the following logic verification process, we aim at achieving the following four goals.
• Goal 1: \(\begin{align}U_{i} \mid \equiv\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)
• Goal 2: \(\begin{align}S_{j} \mid \equiv\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)
• Goal 3: \(\begin{align}U_{i} \mid \equiv S_{j} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)
• Goal 4: \(\begin{align}S_{j} \mid \equiv U_{i} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\)
Assumptions
To analyze the eSAS2KN, the following assumptions are used in the proof process.
• A1: GWNk|≡#(T(1)i)
• A2: Sj|≡#(T(2)Gk)
• A3: GWNk|≡#(T(2)j)
• A4: Ui|≡#(T(4)Gk)
• A5: \(\begin{align}GWN_{k} \mid \equiv \left(GWN_{k} \stackrel{PID_{j}} {\longleftrightarrow} S_{j}\right)\end{align}\)
• A6: \(\begin{align}S_{j} \mid \equiv \left(S_{j} \stackrel{PID_{j}} {\longleftrightarrow} GWN_{k}\right)\end{align}\)
• A7: \(\begin{align}U_{i} \mid \equiv \left(U_{i} \stackrel{HPW_{i}} {\longleftrightarrow} GWN_{k}\right)\end{align}\)
• A8: \(\begin{align}GWN_{k} \mid \equiv \left(GWN_{k} \stackrel{HPW_{i}} {\longleftrightarrow} U_{i}\right)\end{align}\)
• A9: \(\begin{align}U_{i}\left|\equiv S_{j}\right| \Rightarrow\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S j\right)\end{align}\)
• A10: \(\begin{align}S_{j}\left|\equiv U_{i}\right| \Rightarrow\left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S j\right)\end{align}\)
Ideal Forms Conversion
Before logic verification, all transmitted messages are transformed to ideal forms as follows.
• Msg1: Ui→GWNk : {HIDi, K, T(1)i}HPWi
• Msg2: GWNk→Sj : {HIDi, Mj, Nj, T(2)Gk}PIDj
• Msg3: Sj→GWNk : {HIDi, K, Mj, Nj, T(2)j}PIDj
• Msg4: GWNk→Ui : {HIDi, Mj, Nj, T(2)j, K, T(4)Gk}HPWi
Logical Verification of eSAS2KN
To describe the verification process, the predefined information, including the four rules, ten assumptions and four messages, is used as follows.
• According to Msg1, V1 is derived as V1: GWNk ◁ {HIDi, K, T(1)i}HPWi
• According to A8 and R1, V2 is derived as V2: GWNk |≡ Ui|~ (HIDi, K, T(1)i)
• According to A1 and R4, V3 is derived as V3: GWNk |≡ #(HIDi, K, T(1)i)
• According to V2, V3 and R2, V4 is derived as V4: GWNk |≡ Ui|≡ (HIDi, K, T(1)i)
• According to Msg2, V5 is derived as V5: Sj ◁ {HIDi, Mj, Nj, T(2)Gk}PIDj
• According to A6 and R1, V6 is derived as V6: Sj |≡ GWNk|~ (HIDi, Mj, Nj, T(2)Gk)
• According to A2 and R4, V7 is derived as V7: Sj |≡ #(HIDi, Mj, Nj, T(2)Gk)
• According to V6, V7 and R2, V8 is derived as V8: Sj |≡ GWNk |≡ (HIDi, Mj, Nj, T(2)Gk)
• According to Msg3, V9 is derived as V9: GWNk ◁ {HIDi, K, Mj, Nj, T(2)j}PIDj
• According to A5 and R1, V10 is derived as V10: GWNk|≡ Sj|~ (HIDi, K, Mj, Nj, T(2)j)
• According to A3 and R4, V11 is derived as V11: GWNk|≡ #(HIDi, K, Mj, Nj, T(2)j)
• According to V10, V11 and R2, V12 is derived as V12: GWNk |≡ Sj|≡ (HIDi, K, Mj, Nj, T(2)j)
• According to Msg4 , V13 is derived as V13: Ui ◁ {HIDi, Mj, Nj, K, T(2)j, T(4)Gk}HPWi
• According to A7 and R1, V14 is derived as V14: Ui|≡ GWNk |~ (HIDi, Mj, Nj, K, T(2)j, T(4)Gk)
• According to A4 and R4, V15 is derived as V15: Ui|≡#(HIDi, Mj, Nj, K, T(2)j, T(4)Gk)
• According to V14, V15 and R2, V16 is derived as V16: Ui|≡GWNk|≡(HIDi, Mj, Nj, K, T(2)j)
• According to V12, V16 and SKi/SKj = h(HIDi║Mj║Nj║T(2)j), V17 is derived as follows.
V17: \(\begin{align}U_{i} \mid \equiv S_{j} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal3)
• According to V8, V4 and SKi/SKj = h(HIDi║Mj║Nj║T(2)j), V18 is derived as follows.
V18: \(\begin{align}S_{j} \mid \equiv U_{i} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal4)
• According to A9, V17 and R4, V19 is derived as follows.
V19: \(\begin{align}U_{i} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal1)
• According to A10, V18 and R4, V20 is derived as follows.
V20: \(\begin{align}S_{j} \mid \equiv \left(U_{i} \stackrel{S K_{i} / S K_{j}}{\longleftrightarrow} S_{j}\right)\end{align}\) (Goal2)
It can be clearly seen from the above derivation that Ui, GWNk and Sj are mutually authenticated, and that the SK is negotiated and shared between Ui and Sj.
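The Msg1 part of the derivation above (V1 to V4), mechanised as an added example that is not part of the paper: a small forward-chaining checker for the four rules R1, R2, R3 and R4. Messages are encoded as frozensets of field names, so (C, M) is a set union and "C is part of (C, M)" is subset inclusion; the party and field names (Ui, GWNk, HIDi, K, T1i, HPWi) follow the paper, while the encoding and the engine are my own. Dropping assumption A1 shows why the freshness assumption matters: without it, GWNk can conclude that Ui once sent Msg1 (V2) but not that Ui currently believes it (V4).

```python
"""Added example (not from the paper): a tiny forward-chaining checker for
the BAN rules R1-R4 listed above, applied to Msg1 of eSAS2KN.
Messages are frozensets of field names; statements are tagged tuples."""


def believes(p, s):   return ("believes", p, s)                # P |≡ s
def sees(p, s):       return ("sees", p, s)                    # P ◁ s
def shares(p, q, k):  return ("shares", frozenset((p, q)), k)  # P <-K-> Q (symmetric)
def fresh(m):         return ("fresh", m)                      # #(m)
def said(p, m):       return ("said", p, m)                    # P |~ m
def enc(m, k):        return ("enc", m, k)                     # {m}_K


def is_stmt(x, tag):
    return isinstance(x, tuple) and len(x) > 0 and x[0] == tag


def plaintext(x):
    """Message content a principal sees: strip an encryption wrapper if present."""
    return x[1] if is_stmt(x, "enc") else x


def step(facts):
    """Apply every rule once to the current fact set; return only the new facts."""
    new = set()
    bel = [f for f in facts if is_stmt(f, "believes")]
    seen = [f for f in facts if is_stmt(f, "sees")]
    for (_, u, s) in bel:
        # R1 message-meaning: U|≡ U<-K->S, U ◁ {C}_K  ⇒  U|≡ S|~ C
        if is_stmt(s, "shares"):
            for (_, v, x) in seen:
                if v == u and is_stmt(x, "enc") and x[2] == s[2]:
                    for peer in s[1] - {u}:
                        new.add(believes(u, said(peer, x[1])))
        if is_stmt(s, "fresh"):
            # R2 nonce-verification: U|≡ #(C), U|≡ S|~ C  ⇒  U|≡ S|≡ C
            for (_, v, t) in bel:
                if v == u and is_stmt(t, "said") and t[2] == s[1]:
                    new.add(believes(u, believes(t[1], s[1])))
            # R4 freshness: U|≡ #(C)  ⇒  U|≡ #(C, M) for any seen message containing C
            for (_, v, x) in seen:
                m = plaintext(x)
                if v == u and isinstance(m, frozenset) and s[1] <= m:
                    new.add(believes(u, fresh(m)))
        # R3 belief: U|≡ C, U|≡ M  ⇒  U|≡ (C, M)
        if isinstance(s, frozenset):
            for (_, v, t) in bel:
                if v == u and isinstance(t, frozenset):
                    new.add(believes(u, s | t))
    return new - facts


def derive(facts):
    """Forward-chain to a fixpoint (the universe of facts is finite, so this terminates)."""
    facts = set(facts)
    while True:
        new = step(facts)
        if not new:
            return facts
        facts |= new


# Msg1 in its ideal form plus the two assumptions the paper uses for V1..V4.
MSG1 = frozenset({"HIDi", "K", "T1i"})
A8 = believes("GWNk", shares("GWNk", "Ui", "HPWi"))   # GWNk |≡ GWNk <-HPWi-> Ui
A1 = believes("GWNk", fresh(frozenset({"T1i"})))     # GWNk |≡ #(T1i)
V1 = sees("GWNk", enc(MSG1, "HPWi"))                 # GWNk ◁ {HIDi, K, T1i}_HPWi


def verify_msg1(assumptions=(A8, A1)):
    """Report which of V2, V3, V4 follow from V1 and the given assumptions."""
    facts = derive({V1, *assumptions})
    return {
        "V2": believes("GWNk", said("Ui", MSG1)) in facts,
        "V3": believes("GWNk", fresh(MSG1)) in facts,
        "V4": believes("GWNk", believes("Ui", MSG1)) in facts,
    }


if __name__ == "__main__":
    print("with A1 and A8:", verify_msg1())
    # Without the freshness assumption V4 is not derivable: a replayed Msg1
    # proves only that Ui once sent it, not that Ui currently believes it.
    print("without A1:", verify_msg1((A8,)))
```

The same engine covers the Msg2, Msg3 and Msg4 steps by feeding it the corresponding sees-facts and assumptions A2 to A7; the jurisdiction step used for V19 and V20 is not encoded, since the page lists no jurisdiction rule among R1 to R4.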
5.2.2 Formal Security Proof
To demonstrate the SK security of eSAS2KN, we give a formal security proof in the Real-Or-Random (ROR) model. The ROR model is defined as follows.
Participants: Let Π^u_Ui, Π^s_Sj and Π^g_GWNk be the instances of Ui, Sj and GWNk, respectively.
Accepted state: On receiving the last anticipated message, an instance Π^t transits to the accepted state. When all the messages received and sent by Π^t are concatenated in order, they form the session identification of the current session.
Partnering: Instances Π^t1 and Π^t2 are deemed partners of each other if 1) Π^t1 and Π^t2 are both in the accepted state; 2) Π^t1 and Π^t2 are mutually authenticated and share the same session identification; and 3) Π^t1 and Π^t2 are mutual partners of each other.
Freshness: Π^u_Ui and Π^s_Sj are deemed fresh if the SK computed at the Ui and Sj ends cannot be disclosed to \(\begin{align}\mathcal{A}\end{align}\) by the Reveal queries Reveal(Π^u) and Reveal(Π^s).
Adversary: In the ROR model, the DY threat model is employed for the formal security proof. \(\begin{align}\mathcal{A}\end{align}\) has full control over all communications. That is to say, \(\begin{align}\mathcal{A}\end{align}\) can intercept, alter, delete and inject forged information through the following queries.
Execute(Π^u/Π^s, Π^g) models a passive intercepting attack, in which \(\begin{align}\mathcal{A}\end{align}\) can read the messages transmitted between the legitimate Ui/Sj and GWNk.
Reveal(Π^u) models the disclosure to \(\begin{align}\mathcal{A}\end{align}\) of the current SK generated by Π^u and its partner Π^s. If \(\begin{align}\mathcal{A}\end{align}\) cannot reveal the SK between Π^u and Π^s using the query Reveal(Π^u), then the SK is secure.
Send(Π^u/Π^s/Π^g, Msg) models an active attack, in which Msg can be sent to the participant Π^u/Π^s/Π^g by \(\begin{align}\mathcal{A}\end{align}\).
CorruptSN(Π^s_Sj) models an active sensor node capture attack, in which the secret credentials HIDj, Aj and Bj stored in the memory of Sj become known to \(\begin{align}\mathcal{A}\end{align}\).
CorruptSC(Π^u) models an active stolen or lost smart card attack, in which the information (IDSi, HIDi, h(·), Ai, Bi, Ci, Di, τi) stored in the memory of SCi becomes known to \(\begin{align}\mathcal{A}\end{align}\).
Test(Π^u/Π^s) models the semantic security of the SK between Ui and Sj in the indistinguishability style of the ROR model. An unbiased coin c is tossed before the experiment starts. If \(\begin{align}\mathcal{A}\end{align}\) executes this query and the generated SK is fresh, then the instance Π^u/Π^s returns the SK when c = 1 or a random number when c = 0. In all other cases, the query returns a null value.
Semantic security of SK: In the ROR model, \(\begin{align}\mathcal{A}\end{align}\) makes as many Test queries to Π^u_Ui or Π^s_Sj as necessary to distinguish the real SK of Π^u_Ui or Π^s_Sj from a random key. The output of the Test queries must be consistent with the random bit c. On completing the game, \(\begin{align}\mathcal{A}\end{align}\) returns a guessed bit c' and wins the game (denoted as Succ) if c' = c. The advantage of \(\begin{align}\mathcal{A}\end{align}\) in breaking the semantic security of eSAS2KN is defined as \(\begin{align}Adv_{\mathcal{A}}^{eSAS2KN}=|2\Pr[Succ]-1|\end{align}\). The proposed eSAS2KN is secure if \(\begin{align}Adv_{\mathcal{A}}^{eSAS2KN}\leq v\end{align}\) for the run time t and a sufficiently small value v > 0.
Random oracle : The one-way cryptographic hash function h(·) is used to model the random oracle, say \(\begin{align}\mathcal{H}\end{align}\), which can be accessed by all communicating parties and \(\begin{align}\mathcal{A}\end{align}\).
Theorem 1: Let \(\begin{align}\mathcal{A}\end{align}\) be an adversary running in polynomial time t against eSAS2KN in the ROR model. Then \(\begin{align}A d v_{\mathcal{A}}^{e S A S 2 K N}(t) \leq \frac{q_{h}^{2}}{|\mathcal{H}|}+\frac{q_{\text {send }}}{2^{l-1}|\mathcal{P D}|}\end{align}\), where qh, |\(\begin{align}\mathcal{H}\end{align}\)|, qsend, |PD| and l denote the number of hash queries, the range space of h(·), the number of Send queries, the size of the uniformly distributed password dictionary, and the number of bits in σi, respectively.
Proof: To prove Theorem 1, we define five games Gi (i = 0, 1, ⋯, 4) in sequence. Let Succi be the event that \(\begin{align}\mathcal{A}\end{align}\) correctly guesses the bit c of the tossed unbiased coin in Gi. The five games are defined in detail as follows.
Game G0: G0 represents an actual attack in the ROR model launched by \(\begin{align}\mathcal{A}\end{align}\) against the eSAS2KN scheme, in which \(\begin{align}\mathcal{A}\end{align}\) selects a bit c at the beginning of G0. Therefore, \(\begin{align}\mathcal{A}'s\end{align}\) advantage is obtained as
\(\begin{align}Adv_{\mathcal{A}}^{eSAS2KN}(t)=|2\Pr[Succ_{0}]-1|\end{align}\) (1)
Game G1: G1 denotes an intercepting attack launched by \(\begin{align}\mathcal{A}\end{align}\) through running Execute(Π^u/Π^s, Π^g) to obtain the messages Msg1: <DIDi, HIDi, MUi,Gk, T(1)i>, Msg2: <HIDi, PIDj, MGk,Sj, T(2)Gk> and Msg3: <MSj,Gk, HIDi, T(2)j>. The output of Test(Π^u/Π^s) is then examined to decide whether the SK between Ui and Sj is the real key or a random number. In the eSAS2KN, the SK is computed as SKi/j = h(HIDi║Mj║Nj║T(2)j), and the intercepted messages do not reveal the secret parameters Mj and Nj since \(\begin{align}\mathcal{A}\end{align}\) cannot obtain the random nonce RNk. Therefore, the probability of \(\begin{align}\mathcal{A}\end{align}\) winning G1 by the eavesdropping attack is not increased, and equals that of winning G0, as below.
Pr[Succ1] = Pr[Succ0] (2)
Game G2: G2 denotes an active attack launched by \(\begin{align}\mathcal{A}\end{align}\) through running Send(Π^u/Π^s/Π^g, Msg) and hash queries, aiming to trick a legal instance into accepting an illegal message. To create hash collisions, \(\begin{align}\mathcal{A}\end{align}\) can make any number of hash queries. However, current timestamps are attached to all transmitted messages. Therefore, it is infeasible for \(\begin{align}\mathcal{A}\end{align}\) to find a hash collision in polynomial time through Send and hash queries. Using the birthday paradox to bound the probability of a hash collision, the following result is obtained.
\(\begin{align}\left|\operatorname{Pr}\left[\operatorname{Succ}_{1}\right]-\operatorname{Pr}\left[\operatorname{Succ}_{2}\right]\right| \leq \frac{q_{h}^{2}}{2|\mathcal{H}|}\end{align}\) (3)
Game G3: In G3, \(\begin{align}\mathcal{A}\end{align}\) launches an active attack by executing CorruptSC(Π^u) and extracts all the secret credentials, i.e., (IDSi, HIDi, h(·), Ai, Bi, Ci, Di, τi), stored in the memory of the stolen or lost SCi. Using a dictionary attack, \(\begin{align}\mathcal{A}\end{align}\) can try to guess PWi from the information extracted from SCi. Since the fuzzy extractor used to compute HPWi = h(PWi║σi) extracts Ui's biometric secret key σi, it allows the retrieval of at most l nearly random bits. Therefore, the probability of \(\begin{align}\mathcal{A}\end{align}\) guessing σi ∈ {0,1}^l is approximately 1/2^l. Owing to the limit on the number of permitted wrong password entries, we obtain the following result.
\(\begin{align}\left|\operatorname{Pr}\left[\operatorname{Succ}_{2}\right]-\operatorname{Pr}\left[\operatorname{Succ}_{3}\right]\right| \leq \frac{q_{\text {send }}}{2^{l}|\mathcal{P D}|}\end{align}\) (4)
Game G4: In G4, \(\begin{align}\mathcal{A}\end{align}\) launches a sensor node capture attack by executing CorruptSN(Π^s_Sj) and extracts all the secret credentials {HIDj, Aj, Bj} stored in the memory of Sj. However, the credentials extracted through CorruptSN(Π^s_Sj) queries do not help in deriving the session key SKi/j, because the derivation of HIDi needs Ui's identity IDi, the random nonce RNi generated by Ui, and GWNk's long-term secret K. In addition, the derivation of Mj needs the random nonce RNk generated by GWNk. Therefore, the probability of \(\begin{align}\mathcal{A}\end{align}\) winning G4 by executing CorruptSN(Π^s_Sj) queries is not increased, and equals that of winning G3, as below.
Pr[Succ3] = Pr[Succ4] (5)
To break the semantic security of the proposed eSAS2KN, \(\begin{align}\mathcal{A}\end{align}\) runs all the oracle queries. However, after the Test(Π^u/Π^s) query, \(\begin{align}\mathcal{A}\end{align}\) can only guess the bit c to win the game. Therefore, the following result is obtained.
\(\begin{align}\Pr[Succ_{4}]=\frac{1}{2}\end{align}\) (6)
According to equations (1), (2) and (6), the following result is obtained.
\(\begin{align}\frac{1}{2} Adv_{\mathcal{A}}^{eSAS2KN}(t)=\left|\Pr\left[Succ_{0}\right]-\frac{1}{2}\right|=\left|\Pr\left[Succ_{1}\right]-\Pr\left[Succ_{4}\right]\right|\end{align}\) (7)
By using the triangle inequality, the following result can be obtained.
\(\begin{align}\left|\Pr\left[Succ_{1}\right]-\Pr\left[Succ_{4}\right]\right| \leq \left|\Pr\left[Succ_{1}\right]-\Pr\left[Succ_{2}\right]\right|+\left|\Pr\left[Succ_{2}\right]-\Pr\left[Succ_{4}\right]\right| \leq \left|\Pr\left[Succ_{1}\right]-\Pr\left[Succ_{2}\right]\right|+\left|\Pr\left[Succ_{2}\right]-\Pr\left[Succ_{3}\right]\right|+\left|\Pr\left[Succ_{3}\right]-\Pr\left[Succ_{4}\right]\right|\end{align}\) (8)
According to equations (7), (3), (4) and (5), the result can be derived as follows.
\(\begin{align}A d v_{\mathcal{A}}^{e S A S 2 K N}(t) \leq \frac{q_{h}^{2}}{|\mathcal{H}|}+\frac{q_{\text {send }}}{2^{l-1}|\mathcal{P D}|}\end{align}\) (9)
5.2.3 Formal Security Verification
In this subsection, we carry out formal security verification using AVISPA, a widely used tool for automatically verifying the security of Internet protocols [45-47]. In AVISPA, a user can select different verification techniques to check the security of the same protocol [48].
The tool employs a role-based formal language, the High-Level Protocol Specification Language (HLPSL), to specify protocols and the security properties they are expected to possess. HLPSL is a modular and expressive language, and the tool can run the On-the-fly Model-Checker (OFMC), the Constraint-Logic-based Attack Searcher (CL-AtSe), the SAT-based Model-Checker (SATMC), and the Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP) back-ends, which together provide a large number of state-of-the-art automatic analysis techniques.
To conduct eSAS2KN's formal security verification, we describe the scheme in the role-oriented HLPSL. In [49-50], the specifications involved in AVISPA and HLPSL are addressed in detail. For the simulation, we first describe the roles of the different participants in HLPSL. The basic roles of Ui, GWNk and Sj are shown in Fig. 5, Fig. 6 and Fig. 7, respectively. The mandatory roles of session, goal and environment are shown in Fig. 8. Then, we simulate eSAS2KN in SPAN, an animator for the AVISPA tool. Since the SATMC and TA4SP back-ends in SPAN do not support XOR operations [51], we verify eSAS2KN's security using only the OFMC and CL-AtSe back-ends. The simulation results in Fig. 9 demonstrate that the proposed eSAS2KN is safe.
Fig. 5. Basic role of Ui in HLPSL.
Fig. 6. Basic role of GWNk in HLPSL.
Fig. 7. Basic role of Sj in HLPSL.
Fig. 8. Roles of session, goal and environment in HLPSL.
Fig. 9. Simulation results of eSAS2KN under OFMC and CL-AtSe backends.
6. Security and Performance Comparison
In this section, security and performance comparisons are conducted with some related protocols in the light of security features, computation costs, and communication costs.
6.1 Security features
The comparison of security features with some related protocols is illustrated in Table 2. The comparison shows the higher security of our protocol over the other related schemes, so that it can be applied in practical applications.
Table 2. Comparison of security features.
6.2 Computation costs
For a clear analysis and description of each protocol's computation costs, we use the following notation. TH denotes the time to run a one-way hash operation, TX an XOR operation, TE an ECC point multiplication, TF a fuzzy extractor operation, TB a bio-hash operation, and TS a symmetric-key encryption or decryption. According to the experimental results in [52-54], TH, TE, TF, TB and TS are 0.0005 s, 0.063075 s, 0.063075 s, 0.063075 s and 0.0087 s, respectively. The bitwise XOR operation is so lightweight that its computing time is negligible; therefore, we do not count it in the final approximate total computation costs. The computation costs in the login phase, the authentication and key negotiation phase, and the final approximate total computation costs of the different schemes are shown in Table 3.
Table 3. Computation costs comparison with related protocols.
From Table 3, we can clearly conclude that our protocol is much more efficient than the protocols of Jung et al. [28], Das [35], Maurya et al. [36], Amin et al. [29], Soni et al. [30], Ali et al. [31] and Dai et al. [33]. Even though our protocol needs slightly more computing time than that of Wu et al. [32], this is still admissible because eSAS2KN provides many more security features than Wu et al.'s protocol [32].
6.3 Communication Costs
For a clear analysis and comparison of the communication costs of the different schemes, the lengths of the identity, password, random number/string, error tolerance threshold, request, response, symmetric encryption/decryption output, and the probabilistic generation and deterministic reproduction functions of the fuzzy extractor are assumed to be 128 bits; the lengths of credentials and timestamps are 32 bits; and the outputs of the hash function, the bio-hash function and the ECC encryption/decryption operation are 160 bits. The communication costs in the login phase, the authentication and key negotiation phase, and the total communication costs in bits of the different schemes are summarized in Table 4.
Table 4. Communication costs comparison with related protocols.
From Table 4, we can clearly conclude that our protocol has much better communication efficiency than the protocols of Amin et al. [29], Soni et al. [30], Wu et al. [32] and Dai et al. [33]. Although eSAS2KN has lower communication efficiency than Jung et al. [28], Das [35], Maurya et al. [36] and Ali et al. [31], it provides many more security and functionality features, as presented in Table 2.
7. Conclusions
In this paper, we developed a scheme (eSAS2KN) that enables lightweight mutual authentication as well as session key establishment. Due to the adoption of the fuzzy extractor technique, a high rejection probability of the user in the login phase is avoided. Informal security analysis, BAN logic verification, and formal security proof and verification demonstrate that the proposed eSAS2KN is safe. More importantly, the eSAS2KN is built from only lightweight hash and XOR operations, which makes it more lightweight and more efficient. The performance comparison with the competing schemes shows that the eSAS2KN is more suitable for real-time communication between users and sensor nodes in multi-gateway WSNs, and can easily be implemented in a practical application.
References
- K.-A. Shim, "A survey of public-key cryptographic primitives in wireless sensor networks," IEEE Communications Surveys and Tutorials, vol. 18, no. 1, pp. 577-601, Jul. 2016. https://doi.org/10.1109/COMST.2015.2459691
- F. A. Silva, "Industrial Wireless Sensor Networks: Applications, Protocols, and Standards," IEEE Industrial Electronics Magazine, vol. 8, no. 4, pp. 67-68, Dec. 2014. https://doi.org/10.1109/MIE.2014.2361239
- H. Xie, Z. Yan, Z. Yao et al., "Data collection for security measurement in wireless sensor networks: a survey," IEEE Internet of Things Journal, vol. 6, no. 2, pp. 2205-2224, Apr. 2019.
- P. Rawat, K. D. Singh, "Wireless sensor networks: a survey on recent developments and potential synergies," Journal of Supercomputing, vol. 68, pp.1-48, Apr. 2014. https://doi.org/10.1007/s11227-013-1021-9
- D. He, S. Chan, S. Tang, "A novel and lightweight system to secure wireless medical sensor networks," IEEE Journal of Biomedical and Health Informatics, vol. 18, no. 1, pp. 316-326, Jan. 2014. https://doi.org/10.1109/JBHI.2013.2268897
- P. Gope, T. Hwang, "Bsn-care: A secure IoT-based modern healthcare system using body sensor network," IEEE Sensors Journal, vol. 16, no. 5, pp. 1368-1376, Mar. 2016.
- X. Li, J. Niu, S. Kumari, J. Liao, W. Liang, M. K. Khan, "A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity," Security and Communication Networks, vol. 9, no. 15, pp. 2643-2655, Feb. 2016.
- M. S. Yousefpoor, H. Barati, "Dynamic key management algorithms in wireless sensor networks: A survey," Computer Communications, vol. 134, pp.52-69, Jan. 2019. https://doi.org/10.1016/j.comcom.2018.11.005
- M. Wazid, A. K. Das et al., "Authenticated key management protocol for cloud-assisted body area sensor networks," Journal of Network and Computer Applications, vol. 123, pp. 112-126, Dec. 2018. https://doi.org/10.1016/j.jnca.2018.09.008
- S. Athmani, A. Bilami et al., "Edak: An efficient dynamic authentication and key management mechanism for heterogeneous WSNs," Future Generation Computer Systems, vol. 92, pp. 789-799, Mar. 2019. https://doi.org/10.1016/j.future.2017.10.026
- S.-H. Seo, J. Won et al., "Effective key management in dynamic wireless sensor networks," IEEE Transactions on Information Forensics and Security, vol. 10, no. 2, pp. 371-383, Feb. 2015. https://doi.org/10.1109/TIFS.2014.2375555
- Z. Liu, J. Wen, J. Ma et al., "TCEMD: A trust cascading-based emergency message dissemination model in VANETs," IEEE Internet of Things Journal, vol. 7, no. 5, pp. 4028-4048, May 2020.
- Z. Liu, F. Huang, J. Weng et al., "BTMPP: Balancing trust management and privacy preservation for emergency message dissemination in vehicular networks," IEEE Internet of Things Journal, vol. 8, no. 7, pp. 5386-5407, Apr. 2021.
- J. Guo, Z. Liu, S. Tian et al., "TFL-DT: A trust evaluation scheme for federated learning in digital twin for mobile networks," IEEE Journal on Selected Areas in Communications, vol. 41, no. 11, pp. 3548-3560, Nov. 2023.
- A. K. Das, "Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards," IET Information Security, vol. 5, no. 3, pp. 145-151, Apr. 2011. https://doi.org/10.1049/iet-ifs.2010.0125
- C.-C. Chang, N.-T. Nguyen, "An untraceable biometric-based multi-server authenticated key agreement protocol with revocation," Wireless Personal Communications, vol. 90, pp. 1695-1715, Jun. 2016.
- Y. Dodis, R. Ostrovsky, L. Reyzin et al., "Fuzzy extractors: How to generate strong keys from biometrics and other noisy data," SIAM Journal on Computing, vol. 38, no. 1, pp. 97-139, 2008. https://doi.org/10.1137/060651380
- M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp.1086-1090, Mar. 2009.
- M. K. Khan, K. Alghathbar, "Cryptanalysis and security improvements of 'two-factor user authentication in wireless sensor networks'," Sensors, vol. 10, no. 3, pp. 2450-2459, Mar. 2010.
- T.-H. Chen, W.-K. Shih, "A robust mutual authentication protocol for wireless sensor networks," ETRI Journal, vol. 32, no. 5, pp. 704-712, Oct. 2010. https://doi.org/10.4218/etrij.10.1510.0134
- D. He, Y. Gao et al., "An enhanced two-factor user authentication scheme in wireless sensor networks," Ad-Hoc and Sensor Wireless Networks, vol. 10, no. 4, pp. 343-359, 2010.
- H.-L. Yeh, T.-H. Chen, P.-C. Liu et al., "A secured authentication protocol for wireless sensor networks using elliptic curves cryptography," Sensors, vol. 11, no. 5, pp. 4767-4779, May 2011.
- B. Vaidya, D. Makrakis, H. Mouftah, "Two-factor mutual authentication with key agreement in wireless sensor networks," Security and Communication Networks, vol. 9, no. 2, pp. 171-183, Jan. 2016. https://doi.org/10.1002/sec.517
- K. Xue, C. Ma, P. Hong, R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316-323, Jan. 2013. https://doi.org/10.1016/j.jnca.2012.05.010
- J. Kim, D. Lee et al., "Security analysis and improvements of two-factor mutual authentication with key agreement in wireless sensor networks," Sensors, vol. 14, no. 4, pp. 6443-6462, Apr. 2014.
- I.-P. Chang, T.-F. Lee et al., "Enhanced two-factor authentication and key agreement using dynamic identities in wireless sensor networks," Sensors, vol. 15, no. 12, pp. 29841-29854, Nov. 2015.
- Y. Park, Y. Park, "Three-factor user authentication and key agreement using elliptic curve cryptosystem in wireless sensor networks," Sensors, vol. 16, no. 12, Dec. 2016.
- J. Jung, J. Moon et al., "Efficient and security enhanced anonymous authentication with key agreement scheme in wireless sensor networks," Sensors, vol. 17, no. 3, pp. 644, Mar. 2017.
- R. Amin, S. H. Islam, G. Biswas, M. S. Obaidat, "A robust mutual authentication protocol for WSN with multiple base-stations," Ad Hoc Networks, vol. 75-76, pp. 1-18, Jun. 2018. https://doi.org/10.1016/j.adhoc.2018.03.007
- P. Soni, A. K. Pal, S. H. Islam, "An improved three-factor authentication scheme for patient monitoring using WSN in remote health-care system," Computer Methods and Programs in Biomedicine, vol. 182, pp. 105054, Dec. 2019.
- Z. Ali, A. Ghani et al., "A robust authentication and access control protocol for securing wireless healthcare sensor networks," Journal of Information Security and Applications, vol. 52, pp. 102502, Jun. 2020.
- F. Wu, X. Li et al., "A novel three-factor authentication protocol for wireless sensor networks with IoT notion," IEEE Systems Journal, vol. 15, no. 1, pp. 1120-1129, Mar. 2021.
- C. Dai, Z. Xu, "A secure three-factor authentication scheme for multi gateway wireless sensor networks based on elliptic curve cryptography," Ad Hoc Networks, vol. 127, pp. 102768, Mar. 2022.
- D. He, N. Kumar et al., "Enhanced three-factor security protocol for consumer USB mass storage devices," IEEE Transactions on Consumer Electronics, vol. 60, no. 1, pp. 30-37, Feb. 2014. https://doi.org/10.1109/TCE.2014.6780922
- A. K. Das, "A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor," International Journal of Communication Systems, vol. 30, no.1, pp. e2933, Jan. 2017.
- A. K. Maurya, V. N. Sastry, "Fuzzy extractor and elliptic curve based efficient user authentication protocol for wireless sensor networks and internet of things," Information, vol. 8, no. 4, pp. 136, Oct. 2017.
- D. Dolev, A. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp.198-208, Mar. 1983. https://doi.org/10.1109/TIT.1983.1056650
- J. Lin, W. Yu et al., "A survey on internet of things: architecture, enabling technologies, security and privacy, and applications," IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1125-1142, Oct. 2017.
- Q. Yang, P. Gasti et al., "On inferring browsing activity on smartphones via SUB power analysis side-channel," IEEE Transactions on Information Forensics and Security, vol. 12, no. 5, pp. 1056-1066, May 2017.
- S. R. Shanmugham, S. Paramasivam, "Survey on power analysis attacks and its impact on intelligent sensor networks," IET Wireless Sensor Systems, vol. 8, no. 6, pp. 295-304, Dec. 2018. https://doi.org/10.1049/iet-wss.2018.5157
- R. Lumbiarres-Lopez, M. Lopez-Garcia, E. Canto-Navarro, "Hardware architecture implemented on FPGA for protecting cryptographic keys against side-channel attacks," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 898-905, Oct. 2018. https://doi.org/10.1109/TDSC.2016.2610966
- R. Canetti, H. Krawczyk, "Analysis of key-exchange protocols and their use for building secure channels," presented at Eurocrypt 2001. [Online]. Available: https://eprint.iacr.org/2001/040
- R. Canetti, H. Krawczyk, "Universally Composable Notions of Key Exchange and Secure Channels," in Proc. of EUROCRYPT 2002: Advances in Cryptology - EUROCRYPT 2002, pp. 337-351, Apr. 2002.
- V. Odelu, A. K. Das et al., "Provably secure authenticated key agreement scheme for smart grid," IEEE Transactions on Smart Grid, vol. 9, no. 3, pp. 1900-1910, May 2018.
- M. Wazid, A. K. Das et al., "Secure authentication scheme for medicine anti-counterfeiting system in IoT environment," IEEE Internet of Things Journal, vol. 4, no. 5, pp. 1634-1646, Oct. 2017.
- S. Chatterjee, S. Roy et al., "Secure biometric-based authentication scheme using chebyshev chaotic map for multi-server environment," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 5, pp. 824-839, Oct. 2018. https://doi.org/10.1109/TDSC.2016.2616876
- V. Odelu, A. K. Das, A. Goswami, "A secure biometrics-based multi-server authentication protocol using smart cards," IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp.1953-1966, Sep. 2015.
- A. K. Das, "A secure and effective user authentication and privacy preserving protocol with smart cards for wireless communications," Networking Science, vol. 2, pp.12-27, May 2013. https://doi.org/10.1007/s13119-012-0009-8
- A security protocol animator for AVISPA, [Online]. Available: https://people.irisa.fr/Thomas.Genet/span/, Accessed on: 2023, August 17.
- A. Armando, D. Basin, Y. Boichut et al., "The AVISPA tool for the automated validation of internet security protocols and applications," in Proc. of 17th Int. Conf. on Computer Aided Verification (CAV 2005), Edinburgh, Scotland, Jul. 6-10, 2005.
- A. K. Das, M. Wazid, N. Kumar, M. K. Khan, K.-K. R. Choo, Y. Park, "Design of secure and lightweight authentication protocol for wearable devices environment," IEEE Journal of Biomedical and Health Informatics, vol. 22, no. 4, pp. 1310-1322, Jul. 2018.
- D. He, N. Kumar et al., "Enhanced three-factor security protocol for consumer USB mass storage devices," IEEE Transactions on Consumer Electronics, vol. 60, no. 1, pp. 30-37, Feb. 2014. https://doi.org/10.1109/TCE.2014.6780922
- C.-T. Li, M.-S. Hwang, Y.-P. Chu, "A secure and efficient communication scheme with authenticated key establishment and privacy preserving for vehicular ad hoc networks," Computer Communications, vol. 31, no. 12, pp. 2803-2814, Jul. 2008.
- W. Li, Q. Wen et al., "An efficient and secure mobile payment protocol for restricted connectivity scenarios in vehicular ad hoc network," Computer Communications, vol. 35, no. 2, pp. 188-195, Jan. 2012. https://doi.org/10.1016/j.comcom.2011.09.003