iAKA-CIoT: An Improved Authentication and Key Agreement Scheme for Cloud Enabled Internet of Things Using Physical Unclonable Function
Abstract
:1. Introduction
Motivations and Contributions
2. Related Works
3. Preliminaries
3.1. Threat Model
3.2. Physical Unclonable Function
- (1)
- Unclonable: There is no function satisfying , and the probability of duplicating the same result in polynomial time is negligible.
- (2)
- Computable and unpredictable: is easily computed; however, it is infeasible to correctly guess r of the corresponding to c in polynomial time.
3.3. Fuzzy Extractor
- (1)
- Generation function : , where c, a, and h are the input value, return value, and auxiliary string, respectively.
- (2)
- Reproduction function : , where c and h are the noisy input value and auxiliary string, respectively. can recover the correct a from c and helper string h.
4. Review of Bhuarya et al. Scheme
4.1. System Setup Phase
4.2. Registration Phase
- (1)
- chooses the identity and password . It then computes and sends it to the CS via a secure channel.
- (2)
- After receiving , the CS selects a random number and computes a pseudo identity for . Afterwards, the CS computes the cookie , , , , and . The CS computes , , and expiration time , and then stores it with and sends to through a secure channel. If is expired, is updated to and computes a new cookie .
- (3)
- Finally, stores , , with in a memory.
4.3. Login and Authentication Phase
- (1)
- A user inputs their identity and password , and then computes and checks if . If it is valid, chooses a random number , a current timestamp , and computes , , , and . Then, sends the login request to CS.
- (2)
- Upon receiving the login request from , the CS checks the timestamp validity, computes , and finds in the database.
- (3)
- If it exists, the CS calculates , , , , and , and then verifies that is equal to Y. If it is correct, the CS chooses a random number and a current timestamp and calculates , , and . Subsequently, the CS sends the response messages to .
- (4)
- After receiving from CS, calculates , and , and then verifies that and the timestamp is valid. If this is correct, generates the session key and , and then sends the messages to CS.
- (5)
- The CS checks the validity of the timestamp and generates the session key and . Then, the CS verifies that is equal to . If it is, the CS and successfully authenticate each other.
5. Security Weaknesses of Bhuarya et al.’s Scheme
5.1. Impersonation Attack
- (1)
- chooses a random number and a current timestamp , and computes , , , and . Then, sends the login request to CS.
- (2)
- On receiving the login request from , the CS checks the timestamp validity, computes , and finds in the database.
- (3)
- If it exists, the CS computes , , , , and . The CS subsequently verifies that is equal to Y. If it correct, the CS selects a random number and a current timestamp , and computes , , . Afterwards, the CS sends the response messages to .
- (4)
- After receiving from CS, computes , , and , and then verifies that and timestamp is valid. If it is correct, computes the session key and , and then sends the messages to CS.
- (5)
- The CS checks the validity of the timestamp and computes the session key and . Then, the CS verifies that is equal to . If it is, the CS and successfully authenticate each other.
5.2. Man-in-the-Middle Attack
- (1)
- first intercepts the login request of , and then chooses a random number and a current timestamp . computes , , , , and sends the login request to CS.
- (2)
- chooses a random number and computes , , and , where is obtained by the threat model.
- (3)
- intercepts the response messages of the CS, and then computes and . Finally, sends and to the CS and , respectively.
- (4)
- After receiving and , the CS and generates the session key using received messages.
5.3. Correctness of Authentication Mechanism
5.4. Secure Mutual Authentication
6. Proposed Scheme
6.1. System Setup Phase
6.2. Embedded Device Registration Phase
- (1)
- User selects identity , password , challenge , and random number for , and then computes , , and . calculates and using the PUF and fuzzy extractor. Afterwards, computes and sends to the CS via a secure channel.
- (2)
- On receiving the registration request from , the CS chooses a random number for , and then computes and . The CS stores with in a secure database and sends to through a secure channel.
- (3)
- After receiving from the CS, computes and , and stores in memory.
6.3. Authentication and Key Agreement Phase
- (1)
- User inputs the identity with password to , and then computes , , , , , , , and . checks whether . If it is correct, chooses a random number and a current timestamp ; otherwise, it aborts the connection. computes , , and , and then sends to the CS.
- (2)
- On receiving the login request from , the CS checks the timestamp validity and finds using from a secure database. The CS computes , and , and then verifies that is equal to .
- (3)
- If it is equal, the CS generates computes a random number and a current timestamp ; otherwise, aborts the connection. The CS calculates , , the session key , and . After that, the CS sends the response messages to .
- (4)
- After receiving from the CS, checks timestamp validity and computes , , the session key , and . Then, checks whether . If it is verified, generates a current timestamp and computes . sends the verification messages to the CS.
- (5)
- On receiving to , the CS computes and checks its validity. If it is verified, the CS and successfully authenticate each other.
7. Security Analysis
7.1. Formal Security Analysis Using ROR Model
- Participants: Let and be the instance and of the ED and CS, respectively.
- Accepted state: After completing the message exchanging process, the oracle transfers a this state. Let the current session identifier be of should all the messages be arranged in order.
- Partnering: When and have the same and the accepted state, and each oracle completes the AKA, partners ( and ) are defined.
- Freshness: To carry out the formal proof, and as instances are deemed fresh if the session key between the ED and CS is presently not revealed to adversary A.
- Attacker: Under our enhanced threat model Section 3.1, A can completely control the public network and send the ROR queries shown in Table 2 to destroy the SKS.
- Semantic Security: A tries to find a correct session key from a random number utilizing the ROR queries. If A correctly guesses a bit c, A wins this game and breaks the semantic security of the scheme. Let be the advantage in breaking the session key of scheme , where is the event of the winning game by A.
- Random oracle: All participant entities can use a random oracle as a collision resistant one-way hash function .
- Game : A first tosses the coin c and obtains its result at the beginning of this game. Its winning advantage is:
- Game : Under this game, Attacker A performs an eavesdropping attack using the query. A first intercepts the transmitted messages , , and to break the SKS. Then, A executes the query to guess whether the output of the query is equal to or any arbitrary number. However, the winning probability of does not increase because A does not compute the session key without breaking the ECDLP and ECDDHP. Thus, we obtain:
- Game : Attacker A performs an active attack using and queries. A attempts to guess the correct message digest collision to mislead a participant entity using several queries. However, in our scheme, all transmitted messages are secured because A does not break the oracle in polynomial time. Moreover, A cannot compute the correct messages without the pseudo-identity , secret value , and tamper-proof value . Thus, according to the birthday paradox [29],
- Game : Attacker A performs a final attack and can obtain stored in the memory of using . However, A does not compute the valid login request messages without knowing , where and . Since A does not know , , and , A cannot correctly guess using . Moreover, is only generated by the secure PUF function with a fuzzy extractor, which is defined in Section 3.2, and A does not distinguish between the PUF values and those of the noise without help of fuzzy extractor because the guessing probability of fuzzy extractor values and is approximately and , respectively. Therefore, from the PUF simulation and Zipf’s law on passwords [30],
7.2. Informal Security Analysis
7.2.1. Impersonation Attack
7.2.2. Man-in-the-Middle Attack and Replay Attack
7.2.3. Physical Capture Attack
7.2.4. Offline Password Guessing Attack
7.2.5. Secure Mutual Authentication and Anonymity
7.2.6. Denial-of-Service Attack
7.3. Simulation Analysis Using AVISPA Tool
7.3.1. HLPSL Specifications
7.3.2. Simulation Results
8. Comparative Analysis
8.1. Security Property
8.2. Computation, Communication and Storage Costs
9. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
References
- Statista: Internet of Things (IoT) and Non-IoT Active Device Connections Worldwide from 2010 to 2025. Available online: https://www.statista.com/statistics/1101442/iot-number-of-connected-devices-worldwide/ (accessed on 6 May 2022).
- Statista: Forecast End-User Spending on IoT Solutions Worldwide from 2017 to 2025. Available online: https://www.statista.com/statistics/976313/global-iot-market-size/ (accessed on 26 May 2022).
- Dizdarević, J.; Carpio, F.; Jukan, A.; Masip-Bruin, X. A survey of communication protocols for internet of things and related challenges of fog and cloud computing integration. ACM Comput. Surv. (CSUR) 2019, 51, 1–29. [Google Scholar] [CrossRef]
- Islam, S.H.; Biswas, G. Dynamic ID-based remote user mutual authentication scheme with smartcard using elliptic curve cryptography. J. Electron. (China) 2014, 31, 473–488. [Google Scholar] [CrossRef]
- Sarvabhatla, M.; Vorugunti, C.S. A secure and robust dynamic ID-based mutual authentication scheme with smart card using elliptic curve cryptography. In Proceedings of the 2015 Seventh International Workshop on Signal Design and its Applications in Communications (IWSDA), Bengaluru, India, 14–18 September 2015. [Google Scholar]
- Kumari, S.; Karuppiah, M.; Das, A.K.; Li, X.; Wu, F.; Kumar, N. A secure authentication scheme based on elliptic curve cryptography for IoT and cloud servers. J. Supercomput. 2017, 74, 6428–6453. [Google Scholar] [CrossRef]
- Chaudhry, S.A.; Naqvi, H.; Mahmood, K.; Ahmad, H.F.; Khan, M.K. An improved remote user authentication scheme using elliptic curve cryptography. Wirel. Pers. Commun. 2017, 96, 5355–5373. [Google Scholar] [CrossRef]
- Chang, C.-C.; Wu, H.-L.; Sun, C.-Y. Notes on “Secure authentication scheme for IoT and cloud servers”. Pervasive Mob. Comput. 2017, 38, 275–278. [Google Scholar] [CrossRef]
- Mo, J.; Hu, Z.; Chen, H.; Shen, W. An efficient and provably secure anonymous user authentication and key Agreement for mobile cloud computing. Wirel. Commun. Mob. Comput. 2019, 2019, 4520685. [Google Scholar] [CrossRef]
- Karuppiah, M.; Das, A.K.; Li, X.; Kumari, S.; Wu, F.; Chaudhry, S.A.; Niranchana, R. Secure a remote user mutual authentication scheme with key agreements for the cloud environment. Mob. Netw. Appl. 2019, 24, 1046–1062. [Google Scholar] [CrossRef]
- Bhuarya, P.; Chandrakar, P.; Ail, R.; Sharaff, A. An enhanced authentication scheme for Internet of Things and cloud based on elliptic curve cryptography. Int. J. Commun. Syst. 2019, 34, e4834. [Google Scholar] [CrossRef]
- Wallrabenstein, J.R. Practical and secure IoT device authentication using physical unclonable functions. In Proceedings of the 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud), Vienna, Austria, 22–24 August 2016. [Google Scholar]
- Qureshi, M.A.; Munir, A. PUF-RAKE: A PUF-based robust and lightweight authentication and key establishment protocol. IEEE Trans. Dependable Secur. Comput. 2022, 4, 2457–2475. [Google Scholar] [CrossRef]
- Wang, W.; Chen, Q.; Yin, Z.; Srivastava, G.; Gadekallu, T.R.; Alsolami, F.; Su, C. Blockchain and PUF-based lightweight authentication protocol for wireless medical sensor networks. IEEE Internet Things J. 2022, 9, 8883–8891. [Google Scholar] [CrossRef]
- Yu, S.; Park, Y. A robust authentication protocol for wireless medical sensor networks using blockchain and physically unclonable functions. IEEE Internet Things J. 2022. to be published. [Google Scholar] [CrossRef]
- Huang, B.; Khan, M.K.; Wu, L.; Muhaya, F.T.B.; He, D. An efficient remote user authentication with key agreement scheme using elliptic curve cryptography. Wirel. Pers. Commun. 2015, 85, 225–240. [Google Scholar] [CrossRef]
- Jiang, Q.; Ma, J.; Li, G.; Li, X. Improvement of robust smart-card-based password authentication scheme. Int. J. Commun. Syst. 2015, 28, 383–393. [Google Scholar] [CrossRef]
- AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://people.irisa.fr/Thomas.Genet/span/ (accessed on 8 April 2022).
- Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
- Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smartcard security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552. [Google Scholar] [CrossRef] [Green Version]
- Eisenbarth, T.; Kasper, T.; Moradi, A.; Paar, C.; Salmasizadeh, M.; Shalmani, M.T.M. On the power of power analysis in the real world: A complete break of the KEELOQ code-hopping scheme. In Advances in Cryptology—CRYPTO; Springer: Berlin/Heidelberg, Germany, 2008. [Google Scholar]
- Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology—CRYPTO; Springer: Berlin/Heidelberg, Germany, 1999. [Google Scholar]
- Dodis, Y.; Ostrovsky, R.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM J. Comput. 2008, 38, 97–139. [Google Scholar] [CrossRef] [Green Version]
- Delvaux, J.; Gu, D.; Schellekens, D.; Verbauwhede, I. Helper data algorithms for PUF-based key generation: Overview and analysis. IEEE Trans. Comput.-Aided Des. Integr. Circuits Syst. 2015, 34, 889–902. [Google Scholar] [CrossRef] [Green Version]
- Abdalla, M.; Fouque, P.; Pointcheval, D. Password-based authenticated key exchange in a three-party setting. In Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005. [Google Scholar]
- Yu, S.; Lee, J.; Park, K.; Das, A.K.; Park, Y. IoV-SMAP: Secure and efficient message authentication protocol for IoV in a smart city environment. IEEE Access 2020, 8, 167875–167886. [Google Scholar] [CrossRef]
- Park, K.; Lee, J.; Das, A.K.; Park, Y. BPPS:Blockchain-enabled privacy-preserving scheme for demand response management in smart grid environments. IEEE Trans. Dependable Secur. Comput. 2022. Early Acess. [Google Scholar] [CrossRef]
- Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358. [Google Scholar] [CrossRef]
- Boyko, V.; Mackenzie, P.; Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques Advances in Cryptology (EUROCRYPT), Bruges, Belgium, 14–18 May 2000. [Google Scholar]
- Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s Law in Passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
- Park, K.; Noh, S.; Lee, H.; Das, A.K.; Kim, M.; Park, Y.; Wazid, M. LAKS-NVT: Provably secure and lightweight authentication and key agreement scheme without verification table in medical Internet of Things. IEEE Access 2020, 8, 119387–119404. [Google Scholar] [CrossRef]
- Von Oheimb, D. The high-level protocol specification language, HLPSL developed in the EU project avispa. In Proceedings of the APPSEM 2005 Workshop, Tallinn, Finland, 13–15 September 2005. [Google Scholar]
- Vigano, L. Automated Security Protocol Analysis with the AVISPA Tool. Electron. Notes Theor. Comput. Sci. 2006, 155, 61–68. [Google Scholar] [CrossRef] [Green Version]
- Xu, M.; Wang, D.; Wang, Q.; Jia, Q. Understanding security failures of anonymous authentication schemes for cloud environments. J. Syst. Archit. 2021, 118, 102206–102215. [Google Scholar] [CrossRef]
Notation | Description |
---|---|
Embedded device | |
CS | Cloud server |
Identity of | |
Pseudo identity of | |
Identity of the CS | |
Master secret key of the CS | |
A shared secret value between the CS and | |
A session key between the CS and | |
Random number chosen by entities | |
⊕ | Bit-wise XOR function |
One-way hash function | |
A concatenation operation |
Queries | Descriptions |
---|---|
A can perform an eavesdropping attack using this query under the threat model | |
A can perform device stolen attacks using it to retrieve the data stored in . | |
A can send messages and receive its response from the oracle using it. | |
Under this query, A guesses the probabilistic result for an unbiased coin c. When the freshness of the session key is established by and A, A guesses by sending a query to the oracle. If or , A obtain an arbitrary number or the correct , respectively; otherwise, obtains the NULL . |
Properties | [6] | [10] | [16] | [17] | [11] | [13] | [14] | Ours |
---|---|---|---|---|---|---|---|---|
× | × | × | × | × | √ | √ | √ | |
× | × | × | × | × | √ | × | √ | |
√ | × | × | √ | √ | N/A | √ | √ | |
× | √ | √ | √ | √ | √ | √ | √ | |
× | × | × | × | × | √ | × | √ | |
√ | √ | √ | × | √ | × | × | √ | |
× | √ | × | × | × | √ | × | √ | |
√ | × | × | × | √ | × | √ | √ |
Scheme | Login Procedure | Authentication Procedure | Total Costs |
---|---|---|---|
Kumari et al. [6] | ms | ||
Karuppiah et al. [10] | ms | ||
Huang et al. [16] | ms | ||
Jiang et al. [17] | ms | ||
Bhuarya et al. [11] | ms | ||
Qureshi and Munir [13] | ms | ||
Wang et al. [14] | ms | ||
Ours | ms |
Scheme | Handshake | Total Costs |
---|---|---|
Kumari et al. [6] | 3 | 1760 bits |
Karuppiah et al. [10] | 2 | 2848 bits |
Huang et al. [16] | 3 | 1600 bits |
Jiang et al. [17] | 2 | 1984 bits |
Bhuarya et al. [11] | 3 | 1760 bits |
Qureshi and Munir [13] | 7 | 2400 bits |
Wang et al. [14] | 5 | 3200 bits |
Ours | 3 | 1760 bits |
Scheme | Total Costs |
---|---|
Kumari et al. [6] | 480 bits |
Karuppiah et al. [10] | 3712 bits |
Huang et al. [16] | 320 bits |
Jiang et al. [17] | 640 bits |
Bhuarya et al. [11] | 640 bits |
Qureshi and Munir [13] | 800 bits |
Wang et al. [14] | 960 bits |
Ours | 960 bits |
Operation | Max. Time (ms) | Min. Time (ms) | Average Time (ms) |
---|---|---|---|
2.920 | 2.766 | 2.848 | |
0.142 | 0.022 | 0.051 | |
4.649 | 1.746 | 3.146 | |
0.021 | 0.011 | 0.012 |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Park, K.; Park, Y. iAKA-CIoT: An Improved Authentication and Key Agreement Scheme for Cloud Enabled Internet of Things Using Physical Unclonable Function. Sensors 2022, 22, 6264. https://doi.org/10.3390/s22166264
Park K, Park Y. iAKA-CIoT: An Improved Authentication and Key Agreement Scheme for Cloud Enabled Internet of Things Using Physical Unclonable Function. Sensors. 2022; 22(16):6264. https://doi.org/10.3390/s22166264
Chicago/Turabian StylePark, Kisung, and Youngho Park. 2022. "iAKA-CIoT: An Improved Authentication and Key Agreement Scheme for Cloud Enabled Internet of Things Using Physical Unclonable Function" Sensors 22, no. 16: 6264. https://doi.org/10.3390/s22166264
APA StylePark, K., & Park, Y. (2022). iAKA-CIoT: An Improved Authentication and Key Agreement Scheme for Cloud Enabled Internet of Things Using Physical Unclonable Function. Sensors, 22(16), 6264. https://doi.org/10.3390/s22166264