# An Improved Protocol for the Password Authenticated Association of IEEE 802.15.6 Standard That Alleviates Computational Burden on the Node


## Abstract


## 1. Introduction

## 2. Preliminaries and Symbols

#### 2.1. Elliptic Curve Public Key Cryptography

#### 2.1.1. Elliptic Curve

#### 2.1.2. Elliptic Curve Diffie–Hellman

#### 2.2. Password Authenticated Key Exchange

#### 2.3. Symbols

## 3. IEEE 802.15.6 Password Authenticated Association Protocol

#### 3.1. Description of the Standard Protocol

#### 3.1.1. Set-Up

- Initiator chooses a random $S{K}_{I}$ and computes the public key $P{K}_{I}=S{K}_{I}\times G$.
- Responder selects its private key $S{K}_{R}$ and computes $P{K}_{R}=S{K}_{R}\times G$.

#### 3.1.2. Master Key Generation

- The initiator computes a password-scrambled public key $P{K}_{I}^{\prime}$ and sends it, together with the identities and a nonce, in ${M}_{1}$:$$P{K}_{I}^{\prime}=P{K}_{I}-Q\left(PW\right)$$$${M}_{1}=\{R,I,{N}_{I},P{K}_{I}^{\prime}\}$$
- After receiving ${M}_{1}$, the responder sends the identities, a nonce and its public key back to the initiator:$${M}_{2}=\{I,R,{N}_{R},P{K}_{R}\}$$
- The responder recovers $P{K}_{I}$; both parties then compute the Diffie–Hellman key $K$ (the initiator as $S{K}_{I}\times P{K}_{R}$, the responder as $S{K}_{R}\times P{K}_{I}$), and the responder computes $MA{C}_{3}$ and sends ${M}_{3}$:$$P{K}_{I}=P{K}_{I}^{\prime}+Q\left(PW\right)$$$$K=S{K}_{I}\times P{K}_{R}=S{K}_{R}\times P{K}_{I}$$$$MA{C}_{3}=CMA{C}_{64}(RM{B}_{128}\left(K\right),I\parallel R\parallel {N}_{I}\parallel {N}_{R})$$$${M}_{3}=\{I,R,{N}_{R},P{K}_{R},MA{C}_{3}\}$$
- The initiator verifies the received $MA{C}_{3}$. If the verification succeeds, the initiator computes a message authentication code and sends ${M}_{4}$, which carries $P{K}_{I}$ in the clear:$$MA{C}_{4}=CMA{C}_{64}(RM{B}_{128}\left(K\right),R\parallel I\parallel {N}_{R}\parallel {N}_{I})$$$${M}_{4}=\{R,I,{N}_{I},P{K}_{I},MA{C}_{4}\}$$
- The responder verifies $MA{C}_{4}$. If the verification succeeds, both parties compute and activate their new master key as follows:$$MK=CMA{C}_{128}(LM{B}_{128}\left(K\right),{N}_{I}\parallel {N}_{R})$$

#### 3.2. Security Problems

- Impersonation attack. In [10] the authors describe an initiator impersonation attack and a responder impersonation attack on the standard protocol. At the end of either attack, the attacker has established a master key with one of the communicating parties, while that party believes it shares the master key with the genuine peer.
- Man-in-the-Middle attack. In [10], the authors show that an attacker who sits between the initiator and the responder can modify the messages at will. In the end, the attacker shares one master key with the initiator and another with the responder, while the initiator and the responder believe they share a master key with each other. Figure 1 is a time-sequence diagram of the man-in-the-middle attack against the protocol.
- Off-line dictionary attack. The author of [11,12] shows that a dictionary attacker who eavesdrops on a single protocol run obtains both $P{K}_{I}^{\prime}$ (from ${M}_{1}$) and $P{K}_{I}$ (from ${M}_{4}$) and computes $Q\left(PW\right)=P{K}_{I}-P{K}_{I}^{\prime}$. This value is a password verifier: the attacker tries candidate $PW$s from a dictionary of likely passwords and checks each one against $Q\left(PW\right)$ without any further interaction with the parties.
- Lack of forward secrecy. The author of [11,12] shows that if $S{K}_{I}$ is compromised, the attacker can recover the Diffie–Hellman key $K=S{K}_{I}\times P{K}_{R}$ and then $MK=CMA{C}_{128}(LM{B}_{128}\left(K\right),{N}_{I}\parallel {N}_{R})$ for every recorded past run, since $P{K}_{R}$, ${N}_{I}$ and ${N}_{R}$ are sent in plaintext.

#### 3.3. The Modified Protocol

## 4. The Improved Protocol

- The initiator chooses a random value ${R}_{I}$, computes the scalar ${U}_{I}$ and the password-scrambled public key $P{K}_{I}^{\prime}$, and sends ${M}_{1}$:$${U}_{I}={R}_{I}+S{K}_{I}$$$$P{K}_{I}^{\prime}=P{K}_{I}-Q\left(PW\right)$$$${M}_{1}=\{I,R,{U}_{I},P{K}_{I}^{\prime},{N}_{I}\}$$
- The responder chooses a random value ${R}_{R}$, computes ${U}_{R}$ and the point ${T}_{R}$, and sends ${M}_{2}$:$${U}_{R}={R}_{R}+S{K}_{R}$$$${T}_{R}={U}_{R}\times G$$$${M}_{2}=\{R,I,{T}_{R},P{K}_{R},{N}_{R}\}$$
- The responder recovers $P{K}_{I}$ from $P{K}_{I}^{\prime}$, and both parties compute the same Diffie–Hellman key $K$ (the initiator from ${T}_{R}$, $P{K}_{R}$ and its own ${R}_{I}$; the responder from ${U}_{I}$, $P{K}_{I}$ and its own ${R}_{R}$); the responder then computes $MA{C}_{3}$ and sends ${M}_{3}$:$$P{K}_{I}=P{K}_{I}^{\prime}+Q\left(PW\right)$$$$K=({T}_{R}-P{K}_{R})\times {R}_{I}=G\times {R}_{R}\times {R}_{I}$$$$K=({U}_{I}\times G-P{K}_{I})\times {R}_{R}=G\times {R}_{R}\times {R}_{I}$$$$MA{C}_{3}=CMA{C}_{64}(RM{B}_{128}\left(K\right),I\parallel R\parallel {N}_{I}\parallel {N}_{R})$$$${M}_{3}=\{I,R,{N}_{R},P{K}_{R},MA{C}_{3}\}$$
- The initiator verifies the received $MA{C}_{3}$. If the verification succeeds, the initiator computes a message authentication code and sends ${M}_{4}$, which no longer carries $P{K}_{I}$:$$MA{C}_{4}=CMA{C}_{64}(RM{B}_{128}\left(K\right),R\parallel I\parallel {N}_{R}\parallel {N}_{I})$$$${M}_{4}=\{R,I,{N}_{I},MA{C}_{4}\}$$
- The responder verifies $MA{C}_{4}$. If the verification succeeds, both parties compute and activate their new master key as follows:$$MK=CMA{C}_{128}(LM{B}_{128}\left(K\right),{N}_{I}\parallel {N}_{R})$$
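The two protocols, run end to end as an added example (this is not code from the paper, from the IEEE 802.15.6 standard or from the authors). Both sides' computations from Sections 3.1 and 4 are carried out over a real curve, and the two observations of Section 3.2 that can be checked purely from a recorded transcript, the off-line dictionary attack and the loss of forward secrecy after an $S{K}_{I}$ compromise, are reproduced against the standard protocol. Assumptions not fixed by the page: the curve is secp256k1 (the standard's own curve is not stated here), $Q\left(PW\right)$ is realised as $H\left(PW\right)\times G$, HMAC-SHA256 truncated to the tag length stands in for AES-CMAC, $K$ is taken as the x-coordinate of the Diffie–Hellman point, and the identities and nonces are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed curve: secp256k1, chosen only so the block runs with no dependencies.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
I, R = b"node", b"hub"  # constructed identities of initiator and responder


def add(p, q):
    """Affine point addition on y^2 = x^3 + 7 mod P; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, p):
    """Double-and-add scalar multiplication, the paper's 'k x P'."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc


def sub(p, q):
    """p - q on the curve, i.e. p + (-q)."""
    return add(p, None if q is None else (q[0], (-q[1]) % P))


def Q(pw):
    """Assumed realisation of Q(PW): hash the password to a scalar, multiply G by it."""
    return mul(int.from_bytes(hashlib.sha256(pw).digest(), "big") % N or 1, G)


def cmac(key, msg, nbytes):
    """Stand-in for CMAC_64 / CMAC_128: HMAC-SHA256 truncated to the tag length."""
    return hmac.new(key, msg, "sha256").digest()[:nbytes]


def derive(K, NI, NR):
    """MAC_3, MAC_4 and MK from the Diffie-Hellman point K (steps 3-5 of either protocol).
    K is taken as its 256-bit x-coordinate; LMB_128 / RMB_128 are its two halves."""
    kx = K[0].to_bytes(32, "big")
    lmb, rmb = kx[:16], kx[16:]
    mac3 = cmac(rmb, I + R + NI + NR, 8)
    mac4 = cmac(rmb, R + I + NR + NI, 8)
    mk = cmac(lmb, NI + NR, 16)
    return mac3, mac4, mk


def standard_protocol(pw, sk_i, sk_r, NI, NR):
    """Section 3.1: returns MK and what an eavesdropper records from M1..M4."""
    pk_i, pk_r = mul(sk_i, G), mul(sk_r, G)
    pk_i_scr = sub(pk_i, Q(pw))                   # M1 carries PK_I' = PK_I - Q(PW)
    assert add(pk_i_scr, Q(pw)) == pk_i           # responder unscrambles with PW
    K_i, K_r = mul(sk_i, pk_r), mul(sk_r, pk_i)   # SK_I x PK_R == SK_R x PK_I
    assert K_i == K_r and derive(K_i, NI, NR) == derive(K_r, NI, NR)
    mk = derive(K_r, NI, NR)[2]
    # M4 sends PK_I in the clear; with PK_I' from M1 that is what Section 3.2 exploits
    return mk, {"PK_I_scr": pk_i_scr, "PK_I": pk_i, "PK_R": pk_r, "NI": NI, "NR": NR}


def improved_protocol(pw, sk_i, sk_r, NI, NR):
    """Section 4: same outputs; the node now performs a single scalar multiplication."""
    pk_i, pk_r = mul(sk_i, G), mul(sk_r, G)
    r_i, r_r = secrets.randbelow(N - 1) + 1, secrets.randbelow(N - 1) + 1
    u_i = (r_i + sk_i) % N                        # M1: U_I = R_I + SK_I (a scalar) and PK_I'
    pk_i_scr = sub(pk_i, Q(pw))
    t_r = mul((r_r + sk_r) % N, G)                # M2: T_R = U_R x G and PK_R
    K_i = mul(r_i, sub(t_r, pk_r))                # initiator: (T_R - PK_R) x R_I
    K_r = mul(r_r, sub(mul(u_i, G), add(pk_i_scr, Q(pw))))  # responder: (U_I x G - PK_I) x R_R
    assert K_i == K_r                             # both equal G x R_R x R_I
    mk = derive(K_r, NI, NR)[2]
    return mk, {"U_I": u_i, "PK_I_scr": pk_i_scr, "T_R": t_r, "PK_R": pk_r, "NI": NI, "NR": NR}


def dictionary_attack(transcript, candidates):
    """Section 3.2, off-line dictionary attack on the standard protocol: PK_I - PK_I' = Q(PW)
    is a verifier, so each guess is checked locally with no further interaction."""
    verifier = sub(transcript["PK_I"], transcript["PK_I_scr"])
    return next((c for c in candidates if Q(c) == verifier), None)


def mk_after_sk_leak(transcript, sk_i):
    """Section 3.2, lack of forward secrecy in the standard protocol: a leaked SK_I plus the
    recorded PK_R, N_I and N_R reproduces K and hence the old MK."""
    return derive(mul(sk_i, transcript["PK_R"]), transcript["NI"], transcript["NR"])[2]
```

With this arrangement `standard_protocol` returns the same master key that `mk_after_sk_leak` rebuilds from the public transcript and a leaked $S{K}_{I}$, and `dictionary_attack` picks the right password out of a candidate list using only $P{K}_{I}$ and $P{K}_{I}^{\prime}$. The transcript returned by `improved_protocol` contains ${U}_{I}$ and ${T}_{R}$ instead of $P{K}_{I}$, so that verifier cannot be formed from it, and the node's only scalar multiplication is the one producing $K$.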

## 5. Security Analysis

#### 5.1. Impersonation Attack

**Proposition**

**1.**

**Proof.**

- ${A}_{I}$ initiates the protocol with the responder by sending the first message ${M}_{A1}$:$${M}_{A1}=\{I,R,{U}_{A},P{K}_{I}^{\prime},{N}_{A}\}$$
- After receiving ${M}_{A1}$, the responder chooses a random value ${R}_{R}$ and computes ${U}_{R}={R}_{R}+S{K}_{R}$ and ${T}_{R}={U}_{R}\times G$. Then, the responder replies to ${A}_{I}$ with ${M}_{2}$:$${M}_{2}=\{R,I,{T}_{R},P{K}_{R},{N}_{R}\}$$
- The responder recovers $P{K}_{I}$ and computes $K=({U}_{A}\times G-P{K}_{I})\times {R}_{R}$. Then, the responder computes $MA{C}_{3}=CMA{C}_{64}(RM{B}_{128}\left(K\right),I\parallel R\parallel {N}_{A}\parallel {N}_{R})$ and sends ${M}_{3}$ to ${A}_{I}$:$${M}_{3}=\{I,R,{N}_{R},P{K}_{R},MA{C}_{3}\}$$
- At this step, ${A}_{I}$ must send the responder a $MA{C}_{A4}$ equal to $CMA{C}_{64}(RM{B}_{128}\left(K\right),R\parallel I\parallel {N}_{R}\parallel {N}_{A})$ in order to pass the verification at the beginning of the next step.

**Proposition**

**2.**

**Proof.**

- The initiator sends ${M}_{1}$ to ${A}_{R}$, the same message as in step 1 of the improved protocol:$${M}_{1}=\{I,R,{U}_{I},P{K}_{I}^{\prime},{N}_{I}\}$$
- After receiving ${M}_{1}$, ${A}_{R}$ replies to the initiator with ${M}_{A2}$:$${M}_{A2}=\{R,I,{T}_{A},P{K}_{A},{N}_{A}\}$$
- At this step, ${A}_{R}$ must send the initiator an ${M}_{A3}$ whose $MA{C}_{A3}$ passes the verification at the beginning of the next step.

#### 5.2. Man-in-the-Middle Attack

**Proposition**

**3.**

**Proof.**

- The initiator sends ${M}_{1}$ to A, the same ${M}_{1}$ as in the improved protocol:$${M}_{1}=\{I,R,{U}_{I},P{K}_{I}^{\prime},{N}_{I}\}.$$
- A replaces ${M}_{1}$ with ${M}_{A1}$ and sends it to the responder:$${M}_{A1}=\{I,R,{U}_{A},P{K}_{I}^{\prime},{N}_{A}\}.$$
- The responder replies to A with ${M}_{2}$, the same ${M}_{2}$ as in the improved protocol:$${M}_{2}=\{R,I,{T}_{R},P{K}_{R},{N}_{R}\}.$$
- A sends ${M}_{A2}$ to the initiator:$${M}_{A2}=\{R,I,{T}_{A},P{K}_{A},{N}_{A}\}.$$
- At this step, the Diffie–Hellman keys ${K}_{IA}$ (between A and the initiator) and ${K}_{RA}$ (between A and the responder) are determined. Specifically, the initiator calculates ${K}_{IA}=({T}_{A}-P{K}_{A})\times {R}_{I}=G\times {R}_{A}\times {R}_{I}$, and the responder calculates ${K}_{RA}=({U}_{A}\times G-P{K}_{I})\times {R}_{R}=({R}_{A}\times G+P{K}_{A}-P{K}_{I})\times {R}_{R}$. The responder computes $MA{C}_{3}=CMA{C}_{64}(RM{B}_{128}\left({K}_{RA}\right),I\parallel R\parallel {N}_{A}\parallel {N}_{R})$ and sends ${M}_{3}$ to A:$${M}_{3}=\{I,R,{N}_{R},P{K}_{R},MA{C}_{3}\}$$
- A must send the initiator$${M}_{A3}=\{I,R,{N}_{A},P{K}_{A},MA{C}_{A3}\}.$$
- The initiator verifies $MA{C}_{A3}$.
- A must send the responder$${M}_{A4}=\{R,I,{N}_{A},MA{C}_{A4}\}.$$
- The responder verifies $MA{C}_{A4}$.

#### 5.3. Off-Line Dictionary Attack

**Proposition**

**4.**

**Proof.**

#### 5.4. Forward Secrecy

**Proposition**

**5.**

**Proof.**

## 6. Performance

#### 6.1. Evaluation

#### 6.2. Experiments

## 7. Use Case

#### 7.1. Smart Lock System

**Master Key Generation.** The lock and the phone secretly input the short password and then execute our improved protocol. After this stage, a relatively long master key is shared by the lock and the phone.

**Session Key Generation.** With the master key, the lock and the phone execute a session key generation protocol (such protocols are available in the literature) to generate the session key for this round of communication.

**Secure Communication.** The newly generated session key is used for this round of communication between the phone and the lock. The steps are:

1. The phone computes$$MAC=HMAC(sessionkey,P\parallel L\parallel Request\parallel Counter)$$and sends the request, the counter and the $MAC$ to the lock.
2. The lock verifies the $MAC$. If the verification succeeds, the lock executes the request to lock or unlock; otherwise, it does not execute the request or responds with a failure message.
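The request and verification steps of the secure-communication stage, as an added example that is not the authors' code. HMAC-SHA256 and the field encoding are assumed, since the page names neither; the lock side adds the check the counter exists to enable, refusing any request whose counter does not exceed the last accepted one, so that a recorded `UNLOCK` cannot be replayed within the session. Identities and the session key are constructed.

```python
import hashlib
import hmac

# Constructed identities; the page names the parties P (phone) and L (lock).
PHONE_ID, LOCK_ID = b"phone-01", b"lock-01"


def request_mac(session_key, request, counter):
    """MAC = HMAC(session key, P || L || Request || Counter).
    Fixed-width fields keep the concatenation unambiguous (assumed encoding:
    8-byte NUL-padded identities and request, 4-byte big-endian counter)."""
    fields = (PHONE_ID.ljust(8, b"\0") + LOCK_ID.ljust(8, b"\0")
              + request.ljust(8, b"\0") + counter.to_bytes(4, "big"))
    return hmac.new(session_key, fields, hashlib.sha256).digest()


def phone_request(session_key, request, counter):
    """Step (1): what the phone sends to the lock."""
    return request, counter, request_mac(session_key, request, counter)


class Lock:
    """Step (2), plus the replay check: the lock remembers the highest counter it
    accepted and refuses anything that does not move it forward."""

    def __init__(self, session_key):
        self.key = session_key
        self.last_counter = -1
        self.locked = True

    def handle(self, request, counter, mac):
        # Authenticate first, in constant time, so unauthenticated traffic can
        # neither trigger an action nor disturb the counter state.
        if not hmac.compare_digest(mac, request_mac(self.key, request, counter)):
            return "failure: bad MAC"
        if counter <= self.last_counter:
            return "failure: replayed or stale counter"
        if request not in (b"LOCK", b"UNLOCK"):
            return "failure: unknown request"
        self.last_counter = counter          # advance only after every check passed
        self.locked = request == b"LOCK"
        return "ok"
```

A strictly increasing counter also rejects authentic requests that arrive out of order; for a single phone talking to a single lock that is the intended behaviour, and the phone simply retries with a fresh counter.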

#### 7.2. Analysis

## 8. Related Works

#### 8.1. Comparison

#### 8.2. Password-Based Two-Party Key Exchange

#### 8.2.1. Encrypted Key Exchange Using Diffie–Hellman

#### 8.2.2. RSA-Based Protocols

#### 8.2.3. Protocols Using a Server Public Key

## 9. Conclusions

## Acknowledgments

## Author Contributions

## Conflicts of Interest

## Abbreviations

Abbreviation | Meaning |
---|---|
WBAN | Wireless Body Area Network |
PTK | Pairwise Temporal Key |
MAC | Message Authentication Code |
EKE | Encrypted Key Exchange |
SNAPI | Secure Network Authentication with Password Information |
CMAC | Cipher-based Message Authentication Code |
SRAM | Static Random Access Memory |
EEPROM | Electrically Erasable Programmable Read-Only Memory |
SHA | Secure Hash Algorithm |

## References

1. Huang, X.; Chen, B.; Markham, A.; Wang, Q.; Yan, Z.; Roscoe, A.W. Human interactive secure key and identity exchange protocols in body sensor networks. Inf. Sec. 2013, 7, 30–38.
2. Huang, X.; Wang, Q.; Chen, B.; Markham, A.; Jäntti, R.; Roscoe, A.W.F. Body sensor network key distribution using human interactive channels. In Proceedings of the 4th International Symposium on Applied Sciences in Biomedical and Communication Technologies, Barcelona, Spain, 26–29 October 2011.
3. Ullah, S.; Higgins, H.; Braem, B.; Latre, B.; Blondia, C.; Moerman, I.; Saleem, S.; Rahman, Z.; Kwak, K.S. A comprehensive survey of wireless body area networks. J. Med. Syst. 2012, 36, 1065–1094.
4. Movassaghi, S.; Abolhasan, M.; Lipman, J.; Smith, D.; Jamalipour, A. Wireless body area networks: A survey. IEEE Commun. Surv. Tutor. 2014, 16, 1658–1686.
5. Abdmeziem, M.R.; Tandjaoui, D. An end-to-end secure key management protocol for e-health applications. Comput. Electr. Eng. 2015, 44, 184–197.
6. Jovanov, E. Wireless technology and system integration in body area networks for m-health applications. In Proceedings of the 27th Annual International Conference of the Engineering in Medicine and Biology Society, Shanghai, China, 1–4 September 2005; pp. 7158–7160.
7. IEEE Standards. IEEE Standard for Local and Metropolitan Area Networks-Part 15.6: Wireless Body Area Networks. 2012. Available online: http://standards.ieee.org/about/get/802/802.15.html (accessed on 29 February 2012).
8. Boyd, C.; Mathuria, A. Protocols for Authentication and Key Establishment; Springer Science & Business Media: Berlin, Germany, 2013.
9. Abdalla, M. Password-based authenticated key exchange: An overview. In Provable Security; Springer: Berlin, Germany, 2014; pp. 1–9.
10. Huang, X.; Liu, D.; Zhang, J. An improved IEEE 802.15.6 password authenticated association protocol. In Proceedings of the 4th IEEE/CIC International Conference on Communications in China (ICCC 2015), Shenzhen, China, 2–4 November 2015.
11. Toorani, M. Security analysis of the IEEE 802.15.6 standard. Int. J. Commun. Syst. 2016.
12. Toorani, M. On vulnerabilities of the security association in the IEEE 802.15.6 standard. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2015; pp. 245–260.
13. Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654.
14. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
15. Miller, V. Use of elliptic curves in cryptography. In Advances in Cryptology, CRYPTO85 Proceedings; Springer: Berlin/Heidelberg, Germany, 1986; pp. 417–426.
16. Barker, E.; Chen, L.; Roginsky, A.; Smid, M. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography; Technical Report; National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2012.
17. Bellovin, S.M.; Merritt, M. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 4–6 May 1992; pp. 72–84.
18. MacKenzie, P.; Patel, S.; Swaminathan, R. Password authenticated key exchange based on RSA. In Advances in Cryptology-Asiacrypt 2000; Springer: Berlin/Heidelberg, Germany, 2000; pp. 599–613.
19. Gong, L.; Lomas, M.; Needham, R.M.; Saltzer, J.H. Protecting poorly chosen secrets from guessing attacks. IEEE J. Sel. Areas Commun. 1993, 11, 648–656.
20. Gong, L. Optimal authentication protocols resistant to password guessing attacks. In Proceedings of the 8th IEEE Computer Security Foundations Workshop, County Kerry, Ireland, 13–15 June 1995; pp. 24–29.
21. Kwon, T.; Song, J. Efficient and secure password-based authentication protocols against guessing attacks. Comput. Commun. 1998, 21, 853–861.
22. Halevi, S.; Krawczyk, H. Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Sec. (TISSEC) 1999, 2, 230–268.

Symbol | Meaning |
---|---|
I | identity of the initiator (i.e., the node) |
R | identity of the responder (i.e., the hub) |
A | identity of an adversary |
$PW$ | the pre-shared password |
K | the temporary Diffie–Hellman key used for computing CMAC |
$MK$ | the master key to be generated |
∥ | concatenation of bit strings |
$S{K}_{I},P{K}_{I}$ | private and public keys of the initiator |
$S{K}_{R},P{K}_{R}$ | private and public keys of the responder |
$S{K}_{A},P{K}_{A}$ | private and public keys of the adversary |
${N}_{I}$ | a nonce generated by the initiator |
${N}_{R}$ | a nonce generated by the responder |
${N}_{A}$ | a nonce generated by the adversary |
$Q\left(x\right)$ | a function that maps a positive integer x to a point on the elliptic curve |
G | base point of the elliptic curve |
× | scalar multiplication |
$RM{B}_{n}\left(x\right)$ | the n rightmost bits of x |
$LM{B}_{n}\left(x\right)$ | the n leftmost bits of x |

Protocol | Computation Cost on Node | Computation Cost on the Hub | Total Computation Cost | Communication Cost |
---|---|---|---|---|
improved protocol | $\mathcal{S}+2\mathcal{H}$ | $3\mathcal{S}+2\mathcal{H}$ | $4\mathcal{S}+4\mathcal{H}$ | $4\mathcal{M}$ |
modified protocol | $2\mathcal{S}+2\mathcal{H}$ | $2\mathcal{S}+2\mathcal{H}$ | $4\mathcal{S}+4\mathcal{H}$ | $4\mathcal{M}$ |
standard protocol | $2\mathcal{S}+2\mathcal{H}$ | $2\mathcal{S}+2\mathcal{H}$ | $4\mathcal{S}+4\mathcal{H}$ | $4\mathcal{M}$ |

Item | Specification |
---|---|
Micro Controller | 16 MHz, 8 bit (ATmega328) |
SRAM | 2 KB |
EEPROM | 1 KB |
Flash memory | 32 KB (bootloader 0.5 KB) |

Algorithm | Length of Keys (Bits) | Runtime (ms) |
---|---|---|
ECC key generation | – | 48 |
SHA-256 | 512 | 3 |

**Table 5.** Comparison of security (“√” denotes that the protocol resists the attack or possesses the security feature, and “×” denotes that it does not).

Attacks/Security Feature | Improved Protocol | Modified Protocol | Standard Protocol |
---|---|---|---|
Impersonation attack | √ | √ | × |
Man-in-the-Middle attack | √ | √ | × |
Off-line dictionary attack | √ | √ | × |
Forward secrecy | √ | × | × |

© 2016 by the authors; licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC-BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Zhang, J.; Huang, X.; Craig, P.; Marshall, A.; Liu, D.
An Improved Protocol for the Password Authenticated Association of IEEE 802.15.6 Standard That Alleviates Computational Burden on the Node. *Symmetry* **2016**, *8*, 131.
https://doi.org/10.3390/sym8110131
