Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT

Abstract: Vinoth et al. proposed an authenticated key agreement scheme for industrial IoT (Internet of Things) applications. Vinoth et al.'s scheme aimed to protect the remote sensing data of industrial IoT devices under hostile environments. The scheme is interesting because an authorized user is allowed to access multiple IoT sensing devices simultaneously. Therefore, we carefully analyzed the security and privacy implications of Vinoth et al.'s scheme. Our findings are summarized as follows. First, Vinoth et al.'s scheme failed to defeat user impersonation attacks. Second, Vinoth et al.'s scheme did not prevent IoT sensing device impersonation attacks. Third, Vinoth et al.'s scheme suffered from replay attacks. Fourth, Vinoth et al.'s scheme was vulnerable to desynchronization attacks. Fifth, Vinoth et al.'s scheme could not maintain user privacy. As a case study, our analysis results enlighten researchers and engineers on the design of robust and efficient authenticated key agreement schemes for IoT applications.


Introduction
The Internet of Things (IoT) is a rapid development in the long and continuing revolution of communications and computing. The IoT has expanded the interconnection of billions of industrial and personal objects through IoT sensing devices, which are typically composed of sensors, actuators, microcontrollers, transceivers, and batteries. IoT sensing devices bound to objects deliver sensor information, act on their environments, and in some cases adapt for the overall management of a larger system, such as a factory [1] or a city [2]. Moreover, these devices continually communicate with each other and form a remote sensing network. As a typical scenario, industrial IoT is deployed to achieve intelligent manufacturing because of its advantages in automatic monitoring and efficient control. In the industrial IoT environment, sensing devices can be remotely accessed and controlled by authorized users. During the process of industrial production, sensing devices collect real-time data. Users obtain this real-time data and then send control commands according to that data.
IoT sensing security [3] is perhaps the most complex and immature area of cybersecurity. The following characteristics hinder secure IoT sensing:
(1) Very large attack surfaces: There is a wide variety of points of vulnerability in IoT sensing systems and a large amount of data that may be compromised.
(2) Widespread deployment: There is ongoing, rapid deployment of IoT arrangements in commercial and industrial environments and, more importantly, in critical infrastructure environments. Most IoT sensing devices are remote and outside the operator's direct physical control. These deployments are attractive targets for security attacks.
(3) Constrained device resources: IoT sensing devices are typically constrained, with limited memory, processing power, and power supply.
(4) Low cost: IoT sensing devices are always manufactured, purchased, and deployed in the millions. This fact provides great incentive for manufacturers and customers to minimize the cost of these devices.
Motivation of This Paper. In the normal course of things, the user requires simultaneous access to multiple IoT sensing devices for a complex industrial task. Because of serious security and privacy threats, IoT sensing devices, especially remote devices, are required to support mutual authentication and secret key establishment with their users. The authenticated key agreement scheme provides authentication and key establishment services among users and multiple IoT sensing devices. We therefore analyzed the security and privacy of the authenticated key agreement scheme. Our research focused not only on outside attackers but also on inside attackers, i.e., malicious users and corrupt IoT sensing devices.

Industrial IoT Sensing Model and Its Authenticated Key Agreement Scheme
In this section, we describe the sensing model and authenticated key agreement scheme studied in this paper.

Industrial IoT Sensing Model
The sensing model is depicted in Figure 1. There are three categories of entities, i.e., gateway nodes (GWNs), users, and industrial IoT sensing devices.
(1) GWN: GWNs interconnect IoT sensing devices with high-level communication networks and perform the necessary translation between the protocols used in communication networks and those used in IoT sensing devices.
(2) Users: The users are allowed to access IoT sensing devices through GWNs. They gain security and privacy services with the help of embedded devices such as smart cards.
(3) IoT sensing devices: IoT sensing devices are utilized to monitor the status of objects and collect the information stored therein. Users can obtain the information collected by these devices in real time.
In our industrial IoT sensing model, we assumed that the users and the IoT sensing devices were untrusted entities. GWNs [4], meanwhile, were assumed not to be compromisable and were therefore considered fully trusted by the users and the IoT sensing devices. This assumption is reasonable because GWNs are usually placed in secure environments and equipped with tamper-resistant devices.

Authenticated Key Agreement Scheme
To set up a secure sensing network, the GWN initially writes some authentication credentials into IoT sensing devices. The user first registers to the GWN, and both the user and GWN write the authentication credentials into the user's embedded device. When the registered users want to access the deployed IoT sensing devices, they run an authentication session using their embedded device. During the authentication session, GWN helps the user and the IoT sensing devices authenticate each other and establish a shared secret key for subsequent secure communication. In addition, the users can change their authentication credentials, and the GWN can allow new IoT sensing devices to join the deployed sensing network and revoke existing devices from said network.
However, an attacker may exploit vulnerabilities in the authenticated key agreement scheme to perform attacks, because the messages of the authentication session are often transmitted over a public channel, and this brings security problems in the industrial IoT environment. It is possible for an inside or outside attacker to impersonate an authorized user to obtain data by accessing sensing devices, or to impersonate a legal IoT sensing device to provide fake data. Such security risks could lead to the destruction of industrial activity.

Related Work
In recent years, many authenticated key agreement schemes [5,6] have been proposed for IoT remote sensing environments, such as industrial IoT, telemedicine, and smart home. We review previous work on four dimensions.
From the user credentials perspective, authenticated key agreement schemes are classified into two categories, i.e., two- and three-factor (multifactor) schemes. In two-factor schemes [7-15], the security of the user is protected by both the secret key stored in the smart card and the human-memorizable password, and the user applies the password and the smart card to complete the authentication session. Compared to two-factor schemes, three-factor schemes [4,16-22] add biometrics to the user credentials; that is, the user must provide the smart card, the password, and biometrics at the same time.
In many privacy-sensitive applications, users do not want authentication sessions to be associated with their identity. This means that the user's identity is disclosed only to an authorized set of GWN and IoT sensing devices during the authentication sessions. Therefore, to preserve user privacy, authenticated key agreement schemes [23-27] thwart attempts to disclose or link users' identities by exploiting their authentication sessions.
Many researchers have extended authenticated key agreement schemes [28-34] to multi-gateway IoT environments. These revised schemes provide the user with single sign-on across a set of GWNs. That is, when the user is authenticated by one GWN in the set, he/she can access all IoT sensing devices governed by the set of GWNs, even if the devices in question are not directly managed by the specific GWN that authenticated the user. In addition, the multi-gateway schemes can solve the packet-collision problem caused by a single-GWN mode.
Users often access multiple IoT sensing devices to complete complex tasks. It is inefficient for the user to run a separate authentication session with each IoT sensing device. Moreover, the logical relevance of the authentications and the shared secret keys cannot be guaranteed if the user independently runs several authentication sessions for a task. Hence, some authenticated key agreement schemes [4,35,36] have recently begun to provide authentication and group secret-key establishment between the user and multiple IoT sensing devices in a single authentication session.

Our Contributions
In the IEEE Internet of Things Journal, Vinoth et al. [4] proposed an authenticated key agreement scheme that aimed to protect the remote sensing data of industrial IoT under hostile environments. We carefully analyzed the security and privacy of Vinoth et al.'s scheme. Our results are as follows.
(1) Vinoth et al.'s scheme failed to defeat a user impersonation attack. A legal but malicious user could impersonate IoT sensing devices, other users, and the GWN.
(2) Vinoth et al.'s scheme did not prevent IoT sensing device impersonation attacks. A legal but corrupt IoT sensing device can impersonate users, the GWN, and other IoT sensing devices.
(3) Vinoth et al.'s scheme suffered from replay attacks. Attackers can reuse the previous message in the authentication session to cheat the user and GWN.
(4) Vinoth et al.'s scheme was vulnerable to desynchronization attacks. In these attacks, an attacker induces an inconsistent internal status between the user and GWN. This security flaw causes the GWN to deny the service for the user.
(5) Vinoth et al.'s scheme cannot maintain user privacy. User identity is compromised during the run of the authentication session.
As a matter of convenience, in Table 1, we list some notation used throughout our paper.

Scheme Description
Vinoth et al.'s scheme is composed of seven phases: the offline sensing device registration phase, the user registration phase, the login phase, the authenticated key agreement phase, the biometrics and password update phase, the dynamic sensing device joining phase, and the sensing device revocation phase. For a self-contained discussion, we review the first four phases, which are related to our discussion. The full technical details of Vinoth et al.'s scheme can be found in [4].

Offline Sensing Device Registration Phase
… and stores γ. GWN securely sends IDSj, sj, fj, and kj to each Sj (1 ≤ j ≤ n), and then Sj stores them. In the end, GWN deletes the other messages.

User Registration Phase
Step 1: U chooses a unique IDU and a PW, imprints the B, and computes (BK, τ) = Gen(B). U generates a random 128-bit number a, calculates TPW = h(IDU‖PW‖BK)⊕a, and securely sends the message <IDU, TPW> to GWN.

Login Phase
Step 1: U inserts the smart card into the card reader, and then further inputs the IDU and PW and imprints the B. The smart card reconstructs BK = Rep(B, τ) and computes RPW = h(IDU‖PW‖BK), a = D⊕h(IDU‖BK), and A = A'⊕a. The smart card further checks whether V ≡ h(RPW‖A‖a‖h(IDU‖BK)) mod ω. If not, the smart card terminates the login request.

Vinoth et al.'s Security Assumption
Vinoth et al. claimed that their scheme was secure under the Canetti-Krawczyk threat model [40], which assumes that an attacker can eavesdrop on, intercept, modify, forge, and delete messages transmitted between any two entities over the public channel. An attacker can also impersonate users, IoT sensing devices, and the GWN to receive and send the messages. Furthermore, the attacker has the capability to expose some secrets of the users and the IoT sensing devices. More importantly, the attacker can be an insider, i.e., a user or an IoT sensing device, because users and sensing devices are untrusted entities. Under the Canetti-Krawczyk threat model, we discuss five types of attacks on Vinoth et al.'s scheme.

User Impersonation Attack
We showed that Vinoth et al.'s scheme was vulnerable to user impersonation attacks. That is, a legal but malicious user could impersonate IoT sensing devices, any other user, and the GWN in the deployed network. We assume that Ua is a legal but malicious user in Vinoth et al.'s scheme and maintains the identity IDUa, temporary identity TIDUa, and long-term secret key KGWN-Ua shared with GWN.

Impersonation of IoT Sensing Devices
To impersonate a target Sj, Ua first initiates his/her own authentication session with GWN. In Steps 2 and 3 of the authenticated key agreement phase, Ua eavesdrops on the message <M6, TS3> that Sj sends to GWN and the message <M8, M9> that GWN sends to Sj. When Ua receives the message <M10, M11, M12, TS4> in Step 3 of the authenticated key agreement phase, Ua computes (rGWN, rU, M7) = DKGWN-Ua(M10). Now, Ua is able to compute (IDSj, sj, fj) = DrGWN(M6) and derive γ by evaluating M8/M7. Figure 3 illustrates how Ua impersonates Sj using γ, IDSj, sj, and fj and cheats the GWN and any other U during an authentication session. In Step 2 of the authenticated key agreement phase, Ua uses M3/γ instead of M3 mod kj to recover rGWN. In Step 4 of the authenticated key agreement phase, Ua uses M8/γ instead of M8 mod kj to recover M7. The other operations of Ua and Sj are exactly the same. After the authentication session, U shares KU-Sj = h(IDU‖IDGWN‖rGWN‖rU‖M7‖KGWN-U) with Ua instead of Sj and updates to a new temporary identity TIDUnew.

Impersonation of Other Users
Assume that any other user U runs the login phase and authenticated key agreement phase. In

Impersonation of GWN
Ua can impersonate GWN to cheat U and Sj. First, Ua obtains IDU, KGWN-U, IDGWN, and γ as described in subsection 3.2. Figure 4 shows how Ua impersonates GWN. In Step 3 of the authenticated key agreement phase, Ua neither decrypts M6, retrieves KGWN-Sj, nor computes M7 = h(KGWN-Sj‖rGWN). Instead, Ua directly replaces M7 with his/her own random RN.
Note that U and Sj nevertheless authenticate each other and share KU-Sj = h(IDU‖IDGWN‖rGWN‖rU‖RN‖KGWN-U), because neither of them checks the validity of M7.

Further Discussion
In every authentication session of Vinoth et al.'s scheme, the GWN uses its long-term secret key γ to secure its short-term secret key rGWN for each user and each IoT sensing device. However, any user can directly recover γ after an authentication session. Hence, the user derives all the secrets of other users, the GWN, and the IoT sensing devices and carries out the impersonation attacks. To defeat user impersonation attacks, γ must not be disclosed to users.
User impersonation attacks are a serious threat under industrial IoT environments. Malicious users may impersonate other, honest users to collect sensitive industrial data or set dangerous processing instructions. By impersonating IoT sensing devices, malicious users can provide fake industrial data to other users. If malicious users employ impersonation of the GWN, they can manipulate a secure connection between the target user and IoT sensing devices. That is, malicious users can decide which IoT sensing devices can be connected to the target user.

IoT Sensing Device Impersonation Attacks
We showed that Vinoth et al.'s scheme was vulnerable to IoT sensing device impersonation attacks. That is, any legal but corrupt sensing device could impersonate users, the GWN, and any other IoT sensing devices in the deployed network. We assumed that Sj was a legal but corrupt IoT sensing device.

Impersonation of Users
To obtain TIDU, Sj eavesdrops on GWN's message <TIDU, M1, M2, TS1> during Step 2 of the login phase. Sj further obtains U's IDU, IDGWN, and KGWN-U in Step 2 of the authenticated key agreement phase. However, Sj does not return the message <M6, TS3> to GWN. In this situation, both U and GWN terminate this session and therefore fail to update TIDU. Alternatively, Sj returns the message <M6, TS3> to GWN in Step 2 of the authenticated key agreement phase and further eavesdrops on U's message <M10, M11, M12, TS4> during Step 3 of the authenticated key agreement phase. At this time, Sj further obtains TIDUnew by computing h(IDU‖KGWN-U‖TS4)⊕M13. Now, Sj knows all of U's secrets. As shown in Figure 5, Sj can start a new authentication session and perform the following steps to impersonate U:
(1) In Step 2 of the login phase, Sj uses KGWN-U, TIDU, and IDGWN to generate M1 and M2.
(2) In Step 5 of the authenticated key agreement phase, Sj does exactly the same as U.

Impersonation of GWN
Moreover, in Step 2 of the authenticated key agreement phase, Sj can use kj to compute rGWN ≡ M3 mod kj. Hence, Sj can further derive GWN's γ by computing M3/rGWN. Now, Sj can exploit TIDU, IDU, KGWN-U, IDGWN, and γ to impersonate GWN. As shown in Figure 6, the fake GWN impersonated by Sj omits M6, generates its own RN, and then replaces M7 with RN. Both U and Sj believe that RN is a legal M7 because they do not check the validity of M7. Finally, both U and Sm authenticate each other and share KU-Sj = h(IDU‖IDGWN‖rGWN‖rU‖RN‖KGWN-U).

Impersonation of Other IoT Sensing Devices
If Sj wants to impersonate any other IoT sensing device Sm (1 ≤ m ≠ j ≤ n), Sj first eavesdrops on Sm's message <M6, TS3> during Step 2 of the authenticated key agreement phase and computes (IDSm, sm, fm) = DrGWN(M6). As shown in Figure 7, Sj can impersonate Sm using IDSm, sm, fm, and kj in a new authentication session. In Step 2 of the authenticated key agreement phase, Sj recovers rGWN by computing M3 mod kj. Then, Sj uses IDSm, sm, and fm to fabricate Sm's M6. In Step 4 of the authenticated key agreement phase, Sj calculates M7 by computing M8 mod kj. At the end of the new authentication session, U believes that Sj is Sm and shares KU-Sj = h(IDU‖IDGWN‖rGWN‖rU‖M7‖KGWN-U) with Sj.

Further Discussion
A legal but corrupt Sj can derive U's TIDU, IDU, and KGWN-U; GWN's IDGWN and γ; and another IoT sensing device Sm's IDSm, sm, and fm from the public messages of the authentication session. Hence, Sj successfully impersonates U, GWN, and Sm by exploiting those secret parameters. To defeat the proposed attacks, Vinoth et al.'s scheme should avoid disclosing the secret parameters of other entities to Sj.
Industrial IoT sensing devices may be exposed to hostile environments. An attacker may hijack and compromise industrial IoT sensing devices by physical means or Trojan horses. Once the attackers control an industrial IoT sensing device, they can subvert the industrial IoT sensing system just like the malicious user described in subsection 3.4.

Replay Attack
As shown in Figure 2, we found that Sj's TS3 in the message <M6, TS3> was not protected by any cryptographic mechanism. Based on this observation of Vinoth et al.'s scheme, an outside attacker can eavesdrop on a valid message <M6, TS3> in a normal run of the authenticated key agreement phase. Then, the attacker reuses M6 and attaches the current timestamp TS3* to impersonate Sj. Figure 8 describes this replay attack on Vinoth et al.'s scheme. After the replay attack, GWN believes that the attacker is Sj, although the attacker does not know any secret of Sj. Meanwhile, U does not authenticate the attacker as Sj. Note that GWN actually finishes its session in Step 3 of the authenticated key agreement phase and updates U's temporary identity. As a result, GWN updates the old TIDU to a new TIDUnew, but U still keeps the old TIDU. This means that U cannot log into the deployed network anymore, because during Step 1 of the authenticated key agreement phase, GWN fails to retrieve IDU and KGWN-U according to U's old TIDU. For the industrial IoT sensing system, the legal user faces denial of service once the attacker carries out the replay attack.
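The denial of service described above arises because the GWN commits to TIDUnew while U still holds the old TIDU. The following added example (not part of Vinoth et al.'s scheme or of this analysis) contrasts a gateway table that discards the old temporary identity on rotation with one that keeps the previous identity as a fallback until the user has logged in with the new one; keeping the previous identity is a common mitigation for this failure mode and is our assumption here, not the paper's suggestion. The class and field names (GatewayTable, UserRecord, prev_tid), the TIDU derivation in next_tid, and all key and identity values are constructed for the example.

```python
"""Temporary-identity rotation with and without a fallback for a lost update.

Added example; GatewayTable, UserRecord and next_tid are constructed here and
are not Vinoth et al.'s definitions.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass
class UserRecord:
    idu: str                          # long-term identity IDU
    k_gwn_u: bytes                    # long-term key KGWN-U shared with the GWN
    tid: bytes                        # current temporary identity TIDU
    prev_tid: Optional[bytes] = None  # previous TIDU kept until the new one is used


class GatewayTable:
    """GWN-side lookup table from temporary identity to user record."""

    def __init__(self, keep_previous: bool):
        self.keep_previous = keep_previous  # False: strict rotation; True: tolerant
        self.by_tid = {}

    def register(self, idu: str, k_gwn_u: bytes, tid: bytes) -> UserRecord:
        rec = UserRecord(idu, k_gwn_u, tid)
        self.by_tid[tid] = rec
        return rec

    def rotate(self, rec: UserRecord, new_tid: bytes) -> None:
        """GWN finishes Step 3 and moves the user to new_tid. In tolerant mode
        the current TIDU stays resolvable, because the user may never receive
        the update (the replay scenario above)."""
        if rec.prev_tid is not None:
            self.by_tid.pop(rec.prev_tid, None)  # never keep more than one fallback
        if self.keep_previous:
            rec.prev_tid = rec.tid
        else:
            self.by_tid.pop(rec.tid, None)
        rec.tid = new_tid
        self.by_tid[new_tid] = rec

    def login(self, tid: bytes) -> Optional[UserRecord]:
        """Step 1: resolve TIDU to (IDU, KGWN-U). Once the user shows up with
        the new TIDU, the fallback is retired so only one identity stays live."""
        rec = self.by_tid.get(tid)
        if rec is None:
            return None
        if tid == rec.tid and rec.prev_tid is not None:
            self.by_tid.pop(rec.prev_tid, None)
            rec.prev_tid = None
        return rec


def next_tid(rec: UserRecord, nonce: bytes) -> bytes:
    """Constructed derivation of the next TIDU from the shared key, the current
    TIDU and a per-session nonce; not the paper's formula for TIDUnew."""
    return hashlib.sha256(rec.k_gwn_u + rec.tid + nonce).digest()[:16]


def desync_demo() -> dict:
    """Rotate once without the user learning TIDUnew, then try both identities."""
    k = b"constructed-KGWN-U-key"
    tid0 = b"constructed-TIDU-0"
    out = {}
    for mode, keep in (("strict", False), ("tolerant", True)):
        gw = GatewayTable(keep_previous=keep)
        rec = gw.register("U1", k, tid0)
        tid1 = next_tid(rec, b"constructed-nonce-1")
        gw.rotate(rec, tid1)  # GWN has committed; the user's copy of TIDUnew was lost
        out[f"{mode}_old_tid_login"] = gw.login(tid0) is not None
        out[f"{mode}_new_tid_login"] = gw.login(tid1) is not None
        out[f"{mode}_fallback_retired"] = tid0 not in gw.by_tid
    return out


if __name__ == "__main__":
    for name, ok in desync_demo().items():
        print(f"{name}: {ok}")
```

In strict mode the login with the old TIDU fails, which is exactly the denial of service described above; in tolerant mode it succeeds, and the fallback is retired as soon as the new TIDU is used. The price is that two identifiers refer to the same user during the recovery window, so the rotation message itself still needs integrity protection so that an attacker cannot trigger rotations at will.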
To fix this vulnerability, we suggest that TS3 should be protected by a cryptographic mechanism. For example, Sj could compute M6 = ErGWN(IDSj, sj, fj, TS3) instead of M6 = ErGWN(IDSj, sj, fj) in Step 2 of the authenticated key agreement phase. To overcome the desynchronization attack, our suggestion is to apply a message authentication code to M11. Where industrial IoT sensing applications are concerned, this desynchronization attack has the same negative impact as the replay attack discussed in Section 5.
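The suggested fix is that the timestamp must be covered by the keyed primitive rather than sent beside it. The following added example (not code from Vinoth et al.'s paper or from this analysis) models the weak form, in which the tag covers only M6 while TS3 travels in the clear, next to the fixed form, in which the timestamp is an authenticated field, and runs a replayed message with a rewritten timestamp against both verifiers. It assumes HMAC-SHA256 as a stand-in for the scheme's symmetric encryption ErGWN, a per-session key already shared by the device and the gateway, and a gateway freshness window of FRESHNESS_WINDOW seconds; the keys, device identifier and payload are constructed sample values.

```python
"""Binding a timestamp to an authenticated device-to-gateway message.

Added example. HMAC-SHA256 stands in for the scheme's E_rGWN; the Gateway
class, FRESHNESS_WINDOW and all values are constructed for illustration.
"""
import hashlib
import hmac

FRESHNESS_WINDOW = 5  # seconds a timestamp is accepted as fresh (assumed policy)


def tag(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(4, "big"))
        h.update(f)
    return h.digest()


def device_send_unprotected(key: bytes, payload: bytes, ts: int) -> tuple:
    """Weak form, as analysed above: the tag covers only the payload (M6);
    the timestamp (TS3) is appended in the clear."""
    return (payload, tag(key, payload), ts)


def device_send_protected(key: bytes, payload: bytes, ts: int) -> tuple:
    """Fixed form: the timestamp is an authenticated field of the message."""
    return (payload, tag(key, payload, str(ts).encode()), ts)


class Gateway:
    """Gateway-side verification with a freshness window and a replay cache."""

    def __init__(self, device_keys: dict):
        self.keys = dict(device_keys)
        self.seen = set()  # (device id, timestamp) pairs already accepted

    @staticmethod
    def fresh(ts: int, now: int) -> bool:
        return 0 <= now - ts <= FRESHNESS_WINDOW

    def accept_unprotected(self, dev: str, msg: tuple, now: int) -> bool:
        payload, t, ts = msg
        if not self.fresh(ts, now):
            return False
        # The tag says nothing about ts, so an old payload with a rewritten
        # timestamp passes this check.
        return hmac.compare_digest(t, tag(self.keys[dev], payload))

    def accept_protected(self, dev: str, msg: tuple, now: int) -> bool:
        payload, t, ts = msg
        if not self.fresh(ts, now):
            return False
        if (dev, ts) in self.seen:
            return False  # exact replay inside the freshness window
        expected = tag(self.keys[dev], payload, str(ts).encode())
        if not hmac.compare_digest(t, expected):
            return False  # timestamp altered, or payload does not belong to it
        self.seen.add((dev, ts))
        return True


def replay_demo() -> dict:
    """Honest exchange, then a replay with a fresh timestamp, against both verifiers."""
    key = b"constructed-session-key-rGWN"
    m6 = b"constructed M6 ciphertext for S1"
    gw = Gateway({"S1": key})

    weak = device_send_unprotected(key, m6, ts=1000)
    strong = device_send_protected(key, m6, ts=1000)
    result = {
        "honest_weak": gw.accept_unprotected("S1", weak, now=1001),
        "honest_strong": gw.accept_protected("S1", strong, now=1001),
    }
    # Later, the captured payload and tag are resent with the current time.
    later = 5000
    result["replay_fresh_ts_weak"] = gw.accept_unprotected("S1", (weak[0], weak[1], later), now=later)
    result["replay_fresh_ts_strong"] = gw.accept_protected("S1", (strong[0], strong[1], later), now=later)
    # Exact replay of the protected message while its timestamp is still fresh.
    result["replay_same_ts_strong"] = gw.accept_protected("S1", strong, now=1002)
    return result


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The weak verifier accepts the replayed message once its timestamp is rewritten, which is the observation made above; the fixed verifier rejects it because the tag no longer matches, and the replay cache handles the case in which the original message is resent unchanged within the window. The same binding applies to the message authentication code suggested for M11: every field that the receiver acts on, including timestamps and identity updates, must be under the tag.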

Weakness of User Privacy
In the authenticated key agreement scheme, user privacy guarantees that the attacker cannot derive the user's identity from the transmitted messages of the authentication sessions. This is called user anonymity. Moreover, the attacker also fails to link two different authentication sessions to the same user. This is called untraceability. User privacy is a concern in industrial IoT sensing applications, as users' private data can be leaked and misused if a factory deployed with IoT sensing devices is subjected to cyberattacks. For example, users' presence or absence at the industrial control room can be revealed simply by observing authentication sessions.
Vinoth et al. claimed that their scheme supported both user anonymity and untraceability because it employed the temporal TIDU to hide U's long-term IDU. Furthermore, the symmetric encryption algorithm and cryptographic hash function were utilized to protect U's IDU. In subsection 3.2, we show that Ua can attain any other target user U's IDU, KGWN

Conclusions and Future Work
In Vinoth et al.'s scheme, the user and multiple IoT sensing devices negotiate a secret session key via a group key, i.e., rGWN. This novel design improves the efficiency of Vinoth et al.'s scheme, and it is a desirable feature for IoT sensing applications. Hence, we studied Vinoth et al.'s scheme with respect to security and privacy. Although Vinoth et al.'s scheme was proved secure under the Canetti-Krawczyk threat model [40], we still revealed several serious security and privacy vulnerabilities in the scheme. In addition, Vinoth et al.'s scheme employs random numbers such as rU and rGWN and timestamps such as TS1, TS2, TS3, and TS4 at the same time. It is widely known that random numbers and timestamps are both used to defeat replay attacks and ensure the freshness of messages. From the perspective of applications, the use of both random numbers and timestamps increases the complexity of the authentication system and brings greater security risk. Therefore, it would be best to adopt only one of them in an authenticated key agreement scheme.
It is still a challenge to design a robust and efficient authenticated key agreement scheme for IoT sensing applications. One avenue for future work is to formulate a communication model appropriate for defining authentication and key agreement goals and to present definitions of security and privacy under that communication model. The results of our analysis of Vinoth et al.'s scheme can provide a reference for these definitions. Another avenue for future work is to develop an authenticated key agreement scheme that not only satisfies such formal definitions but also achieves high efficiency. In [41], Bellare and Rogaway proposed a security definition, a protocol, and a proof for secure session key distribution in the three-party case. One feasible idea is to extend Bellare and Rogaway's definition and protocol to IoT sensing models. We expect that this will require a great deal of research work to accomplish.

Data Availability Statement:
No new data were created or analyzed in this study. Data sharing is not applicable to this article.