An Improved Protocol for the Password Authenticated Association of IEEE 802.15.6 Standard That Alleviates Computational Burden on the Node

The IEEE Std 802.15.6 is an international standard for wireless body area networks (WBANs). It contains many aspects of communications, and also provides security services, since some communications in WBANs can carry sensitive information. In this standard, the password authenticated association is a protocol for two participants to identify each other and establish a new master key based on a pre-shared short password. However, recent research shows that this protocol is vulnerable to several attacks. In this paper, we propose an improved protocol which can resist all of these attacks. Moreover, the improved protocol alleviates computational burden on one side of the two participants, the node, which is usually less powerful compared with the other side, the hub.


Introduction
A wireless body area network (WBAN) is a wireless network of wearable computing devices, including implanted devices embedded inside the body or attached to the skin, and accompanying devices that humans carry by hand, in clothes pockets or in bags [1][2][3][4]. WBAN applications [5,6] are growing and becoming more indispensable in people's lives due to the increasing accessibility of network services and computing devices. Despite the great progress in networking and computing technology, security is one significant factor that influences users' choice of WBAN applications, since such applications involve a lot of personal information and are therefore exposed to security issues.
IEEE Standard (Std) 802.15.6 [7] is an international standard for wireless communication between nodes and hubs in WBANs. It provides strong security for communications that carry sensitive information. In the security services of this standard, the security association procedure activates a pre-shared master key (MK) or generates a new shared MK between a node and a hub. Several security association protocols suitable for a variety of use cases are provided in this standard. Among these protocols, password authenticated association [8,9] is a protocol for a node and a hub to generate a new shared MK from a pre-shared secret, i.e., the password. However, recent research shows that this protocol is vulnerable to several attacks: the Man-in-the-Middle and impersonation attacks illustrated in [10], and the off-line dictionary attack and the lack of forward secrecy discussed in [11,12]. To eliminate these attacks, the authors of [10] also propose a modified version of this protocol.
In this paper, an improved password authenticated association protocol is proposed. In the rest of this paper, we call this protocol the improved protocol, the protocol in [10] the modified protocol and the protocol in the IEEE 802.15.6 standard the standard protocol. Compared with the modified protocol and the standard protocol, the improved protocol eliminates all of the above attacks. Moreover, it alleviates the computational burden on the node. Since the node usually has limited computational power compared with the hub, the improved protocol is meaningful in practice.
The remaining part of this paper is organized as follows: Section 2 contains the preliminaries and symbols used in this paper. In Section 3, we review the standard protocol and the attacks on it available in the literature. In Section 4, the improved protocol is proposed, and its security and performance are analyzed in Sections 5 and 6, respectively. Section 7 shows a use case of the improved protocol. Related work is discussed in Section 8. Finally, Section 9 concludes this paper.

Elliptic Curve
The IEEE 802.15.6 password authenticated association protocol is based on the Diffie-Hellman key exchange [13] employing elliptic curve public key cryptography (ECC). An elliptic curve E over the prime finite field GF(p) can be characterized by the equation y^2 = x^3 + a·x + b (mod p) [14,15], where (x, y) is a point on the curve, a and b are coefficients and p is an odd prime. For the choice of a suitable elliptic curve, the IEEE Std 802.15.6 suggests using Curve P-256 from FIPS Pub 186-3. The values of a, b, p, the base point G = (G_x, G_y) and the order r of G are given in the standard.

Elliptic Curve Diffie-Hellman
Elliptic curve Diffie-Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel [16]. Suppose SK_A and SK_B are the private keys of two communicating parties A and B, respectively; they are random integers from the set {1, ..., r − 1}. The corresponding public keys are PK_A = SK_A × G and PK_B = SK_B × G, where × denotes scalar multiplication of G by an integer. In the ECDH protocol, A and B exchange their public keys and compute (x_k, y_k) = SK_A × PK_B and (x_k, y_k) = SK_B × PK_A, respectively; both products equal SK_A × SK_B × G. The shared key is x_k, i.e., the X coordinate of the point.

Password Authenticated Key Exchange
The password authenticated association protocol in the IEEE 802.15.6 standard is a variation of password authenticated key exchange (PAKE) [8]. A PAKE protocol uses a pre-shared password for authenticated key establishment. The password is usually short and easy for humans to remember and, for security reasons, is not stored directly in the memory of the physical devices. Instead, it is entered by the users at the beginning of each run of the PAKE protocol.

Symbols
The association protocol is initiated by the node to generate a shared master key with the hub from a password pre-shared between them. We denote the node as the initiator and the hub as the responder. Other symbols used in this paper are summarized in Table 1.

The Standard Protocol
We review the IEEE 802.15.6 password authenticated association protocol, i.e., the standard protocol, and discuss its vulnerabilities in this section.

Set-Up
The initiator and the responder set up their private and public keys as follows:

1. The initiator chooses a random private key SK_I and computes the public key PK_I = SK_I × G.

2. The responder selects its private key SK_R and computes PK_R = SK_R × G.

Master Key Generation
The initiator and the responder execute the following steps to generate a shared master key.

1. The initiator computes a password-scrambled public key PK'_I = PK_I − Q(PW) and sends it to the responder in message M_1 along with a nonce N_I and the identities I and R.

2. After receiving M_1, the responder sends the identities, a nonce N_R and its public key PK_R back to the initiator in message M_2, and recovers PK_I = PK'_I + Q(PW). The initiator and the responder then compute the Diffie-Hellman key from SK_I and PK_R and from SK_R and PK_I, respectively.

3. The responder computes a message authentication code MAC_3 and sends it to the initiator in message M_3.

4. The initiator verifies the received MAC_3. If the verification succeeds, the initiator computes a message authentication code MAC_4 and sends it to the responder in message M_4. The responder verifies MAC_4. If the verification succeeds, both parties compute and activate their new master key from the Diffie-Hellman key and the two nonces.

Security Problems
The standard protocol uses the password to hide the public key of the initiator through PK'_I = PK_I − Q(PW) in the first step, so that only the responder can recover PK_I from PK_I = PK'_I + Q(PW). However, the protocol reveals PK_I in M_4 of step 4, which means that an eavesdropper who intercepts M_1 and M_4 obtains both PK'_I and PK_I and therefore Q(PW) = PK_I − PK'_I. In this case, the password is no longer secret in the following runs of the protocol. This is the root cause of the vulnerabilities of the standard protocol. The security problems and attacks on the standard protocol in the literature are summarized as follows:

1. Impersonation attack. In [10], the authors illustrate an initiator impersonation attack and a responder impersonation attack on the standard protocol. At the end of these attacks, the attacker has established a master key with one of the communicating parties, while that party believes it shares the master key with the true participant.

2. Man-in-the-Middle attack. In [10], the authors show that an attacker can break into the communication between the initiator and the responder and modify the messages at will. In the end, the attacker shares two master keys, one with the initiator and one with the responder, while the initiator and the responder believe they share a master key with each other. Figure 1 is a time-sequence diagram that illustrates the Man-in-the-Middle attack against the standard protocol.

3. Off-line dictionary attack. The authors in [11,12] show that a dictionary attacker who eavesdrops on the messages between the initiator and the responder in a single protocol run obtains PK'_I and PK_I and computes Q(PW) = PK_I − PK'_I. Q(PW) can then be used as a verifier: the attacker tries candidate passwords from a dictionary of the most probable passwords and checks each one against Q(PW), without any further interaction with the parties.

4. Lack of forward secrecy. The authors in [11,12] illustrate that if SK_I has been compromised by an attacker, the attacker can compute the Diffie-Hellman key K = SK_I × PK_R of any recorded run and then MK = CMAC_128(LMB_128(K), N_I‖N_R), since PK_R, N_I and N_R are sent in plaintext.

The Modified Protocol
The authors in [10] propose a modified version of the standard protocol. Specifically, the modified protocol is the same as the standard one except that it does not send PK_I in the clear in M_4. This modification solves most of the security problems mentioned in Section 3.2, but it still fails to provide forward secrecy. We compare the security and performance of these two protocols with those of our proposed protocol later in this paper.

The Improved Protocol
The improved protocol assumes that PK and SK can be reused across runs of the protocol. This assumption is reasonable since, in the improved protocol, the temporary Diffie-Hellman key K is derived from two random values chosen freshly by the initiator and the responder, respectively, rather than from their long-term public and private keys. The improved protocol is described in detail as follows.

1. The initiator chooses a random value R_I and computes U_I = R_I + SK_I and PK'_I = PK_I − Q(PW). Then, the initiator sends message M_1 = {I, R, U_I, PK'_I, N_I} to the responder, where N_I is a fresh nonce.

2. The responder chooses a random value R_R and computes T_R = R_R × G + PK_R. Then, the responder sends message M_2 = {R, I, T_R, PK_R, N_R} to the initiator, where N_R is a fresh nonce. The responder recovers PK_I = PK'_I + Q(PW).

3. The initiator computes the Diffie-Hellman key K = (T_R − PK_R) × R_I = R_I × R_R × G. The responder computes K = (U_I × G − PK_I) × R_R, which is the same point R_I × R_R × G since U_I × G − PK_I = R_I × G. With K, the responder computes a message authentication code MAC_3 = CMAC_64(RMB_128(K), I‖R‖N_I‖N_R) and sends it to the initiator in message M_3.

4. The initiator verifies the received MAC_3. If the verification succeeds, the initiator computes a message authentication code MAC_4 = CMAC_64(RMB_128(K), R‖I‖N_R‖N_I) and sends it to the responder in message M_4. The responder verifies MAC_4. If the verification succeeds, both parties compute and activate their new master key MK = CMAC_128(LMB_128(K), N_I‖N_R).
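The run described above, as an added worked example that is not code from the paper or from the IEEE standard: both sides of the exchange on Curve P-256 in pure Python, with the node performing exactly one scalar multiplication. Where the paper leaves details to the standard or to its tables, the example makes assumptions and marks them in comments: HMAC-SHA256 truncated to 64 or 128 bits stands in for CMAC_64/CMAC_128 (the paper's own experiments likewise substitute SHA-256), Q(PW) is modelled as (H(PW) mod r) × G rather than the standard's mapping, LMB_128/RMB_128 take the left and right 16 bytes of the x coordinate of K, and the message dictionaries, field names and the names Initiator, Responder and run_protocol are ours.

```python
"""Improved password authenticated association on NIST P-256 (added example).
Assumptions (not fixed by the paper): HMAC-SHA256, truncated, stands in for
CMAC_64/CMAC_128; Q(PW) = (H(PW) mod r) x G; LMB_128/RMB_128 are the left/right
16 bytes of the x coordinate of K; message layouts and class names are ours."""
import hashlib, hmac, secrets

# Curve P-256 domain parameters (FIPS PUB 186-3); the point at infinity is None
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
R = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

def add(p1, p2):
    """Affine point addition, covering doubling and the identity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0: return None          # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def sub(p1, p2):
    return add(p1, None if p2 is None else (p2[0], -p2[1] % P))

def mul(k, pt):
    """Double-and-add k x pt (teaching code: not constant time)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def rand_scalar(): return secrets.randbelow(R - 1) + 1       # {1, ..., r-1}
def q_of_pw(pw): return mul(int.from_bytes(hashlib.sha256(pw).digest(), "big") % R or 1, G)
def lmb128(k): return k[0].to_bytes(32, "big")[:16]
def rmb128(k): return k[0].to_bytes(32, "big")[16:]
def cmac(key, msg, n): return hmac.new(key, msg, hashlib.sha256).digest()[:n]

class Initiator:                       # the node: one scalar multiplication per run
    def __init__(self, ident, pw):
        self.id, self.pw, self.sk = ident, pw, rand_scalar()
        self.pk = mul(self.sk, G)      # long-term key pair, reused across runs

    def m1(self, peer):
        self.peer, self.r_i, self.n_i = peer, rand_scalar(), secrets.token_bytes(16)
        return {"I": self.id, "R": peer, "N": self.n_i,
                "U": (self.r_i + self.sk) % R,           # U_I = R_I + SK_I
                "PKm": sub(self.pk, q_of_pw(self.pw))}   # PK'_I = PK_I - Q(PW)

    def on_m2(self, m2):
        self.n_r = m2["N"]
        self.k = mul(self.r_i, sub(m2["T"], m2["PK"]))  # K = (T_R - PK_R) x R_I

    def on_m3(self, m3):               # verify MAC_3, answer with MAC_4
        exp = cmac(rmb128(self.k), self.id + self.peer + self.n_i + self.n_r, 8)
        if not hmac.compare_digest(exp, m3["MAC"]):
            raise ValueError("MAC_3 invalid: peer does not hold PW")
        return {"MAC": cmac(rmb128(self.k), self.peer + self.id + self.n_r + self.n_i, 8)}

    def mk(self): return cmac(lmb128(self.k), self.n_i + self.n_r, 16)

class Responder:                       # the hub: three scalar multiplications per run
    def __init__(self, ident, pw):
        self.id, self.pw, self.sk = ident, pw, rand_scalar()
        self.pk = mul(self.sk, G)

    def on_m1(self, m1):
        self.peer, self.n_i = m1["I"], m1["N"]
        self.r_r, self.n_r = rand_scalar(), secrets.token_bytes(16)
        pk_i = add(m1["PKm"], q_of_pw(self.pw))         # PK_I = PK'_I + Q(PW)
        t_r = add(mul(self.r_r, G), self.pk)            # T_R = R_R x G + PK_R
        # K = (U_I x G - PK_I) x R_R = R_I x R_R x G; a wrong PW gives a wrong PK_I and K
        self.k = mul(self.r_r, sub(mul(m1["U"], G), pk_i))
        return {"R": self.id, "I": self.peer, "T": t_r, "PK": self.pk, "N": self.n_r}

    def m3(self): return {"MAC": cmac(rmb128(self.k), self.peer + self.id + self.n_i + self.n_r, 8)}

    def on_m4(self, m4):
        exp = cmac(rmb128(self.k), self.id + self.peer + self.n_r + self.n_i, 8)
        if not hmac.compare_digest(exp, m4["MAC"]): raise ValueError("MAC_4 invalid")

    def mk(self): return cmac(lmb128(self.k), self.n_i + self.n_r, 16)

def run_protocol(pw_node, pw_hub):
    """Drive M_1..M_4 between a node and a hub; returns (MK_node, MK_hub)."""
    node, hub = Initiator(b"node", pw_node), Responder(b"hub", pw_hub)
    m2 = hub.on_m1(node.m1(b"hub"))
    node.on_m2(m2)
    hub.on_m4(node.on_m3(hub.m3()))
    return node.mk(), hub.mk()
```

With matching passwords both sides derive the same 128-bit MK. If the two passwords differ, the responder unmasks a wrong PK_I, its K differs from the initiator's, and MAC_3 fails at the initiator before anything keyed by MK is used. The only scalar multiplication the node performs per run is the one in on_m2; the hub performs three (U_I × G, R_R × G and the final product), which is the cost shift the paper describes.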

Security Analysis
In Section 3.2, we listed the attacks on the standard protocol; in this section, we analyze the improved protocol against each of them.

Impersonation Attack
Proposition 1. Suppose the initiator and the responder have secretly shared a password PW. Then an attacker is not able to impersonate the initiator and establish the master key MK with the responder.

Proof. Assume A_I is an attacker who attempts to impersonate the initiator and establish MK with the responder. A_I attacks the protocol as follows:

1. A_I initiates the protocol with the responder by sending a first message M_A1 in place of M_1, which carries U_A = R_A + SK_A, a masked public key of A_I's choosing and a nonce N_A, where R_A and N_A are random values generated by A_I.

2. After receiving M_A1, the responder chooses a random value R_R, computes T_R and replies to A_I with M_2. The responder unmasks the received public key with Q(PW) and computes K from that point, U_A and R_R.

3. The responder computes MAC_3 = CMAC_64(RMB_128(K), I‖R‖N_A‖N_R) and sends message M_3 to A_I. At this step, A_I needs to send the responder a MAC_A4 equal to CMAC_64(RMB_128(K), R‖I‖N_R‖N_A) in order to pass the verification at the beginning of the next step.

4. In order to compute a valid MAC_A4, A_I has to calculate K. However, without PK_I (A_I does not know PW, so it cannot predict the point the responder unmasks) and without R_R, A_I has no choice but to guess MAC_A4. The probability of guessing a valid MAC_A4 is 1/2^64. Alternatively, in the first message M_A1, the adversary can replay a U_I and PK'_I intercepted in a previous protocol run instead of its own values. In this case, the K computed by the responder in step 3 is R_I × R_R × G, and it is still infeasible for A_I to compute K since R_R and R_I are unknown to A_I.

From the above analysis, we conclude that the probability of A_I successfully impersonating the initiator and establishing a master key with the responder is 1/2^64, which is negligible over the lifetime of a normal node in WBAN applications.

Proposition 2. Suppose the initiator and the responder have secretly shared a password PW. Then an attacker is not able to impersonate the responder and establish the master key MK with the initiator.

Proof. Assume A_R is an attacker who intends to impersonate the responder and establish MK with the initiator. A_R attacks the protocol as follows:

1. The initiator sends A_R the message M_1, which is the same as in step 1 of the improved protocol.

2. After receiving M_1, A_R replies to the initiator with M_A2 = {R, I, T_A, PK_A, N_A}, where T_A = R_A × G + PK_A, PK_A = SK_A × G, SK_A is the private key of A_R, and R_A and N_A are random values generated by A_R.

3. At this step, A_R needs to send the initiator a message M_A3 containing a MAC_A3 that passes the verification at the beginning of the next step. MAC_A3 is accepted only if it equals CMAC_64(RMB_128(K), I‖R‖N_I‖N_A). To produce such a value, A_R must either compute the CMAC from the inputs K, I, R, N_I and N_A, or guess the 64-bit result. To compute the CMAC, A_R has to obtain the K calculated by the initiator, K = (T_A − PK_A) × R_I = R_A × R_I × G. A_R knows R_A but not R_I, and the only other route to R_I × G is U_I × G − PK_I, which requires PK_I, masked under PW; hence it is infeasible for A_R to acquire a valid K. Therefore, the adversary can only guess a valid MAC_A3, with success probability 1/2^64. Otherwise, the protocol stops at the beginning of step 4 and the attack fails.
From Propositions 1 and 2, we can see impersonation attacks fail no matter if the attacker impersonates the initiator or the responder.

Man-in-the-Middle Attack
Proposition 3. Suppose the initiator and the responder have successfully shared a password PW. Then a Man-in-the-Middle attacker is not able to complete the improved protocol between the initiator and the responder without being detected.

Proof. Suppose A is a Man-in-the-Middle attacker between the initiator and the responder. A participates in the improved protocol as follows:

1. The initiator sends A the message M_1, which is the same as M_1 in the improved protocol.

2. A replaces M_1 with M_1A and sends it to the responder.

3. The responder replies to A with M_2, which is the same as M_2 in the improved protocol.

4. A sends M_A2 = {R, I, T_A, PK_A, N_A} to the initiator.

5. At this step, the Diffie-Hellman key K_IA between A and the initiator and the key K_RA between A and the responder are determined. Specifically, the initiator calculates K_IA = (T_A − PK_A) × R_I from M_A2, and the responder calculates K_RA from M_1A and its own R_R.

6. The responder computes MAC_3 = CMAC_64(RMB_128(K_RA), I‖R‖N_A‖N_R) and sends A the message M_3. A should then send the initiator a message M_A3 with MAC_A3 = CMAC_64(RMB_128(K_IA), I‖R‖N_I‖N_A).

7. The initiator verifies MAC_A3.

8. A should send the responder a message M_A4 with MAC_A4 = CMAC_64(RMB_128(K_RA), R‖I‖N_R‖N_A).

9. The responder verifies MAC_A4.

Since A has none of R_I, R_R and PK_I, it is infeasible for A to compute K_IA or K_RA, and therefore A cannot compute a correct MAC_A3 in step 6 or a correct MAC_A4 in step 8. Without a valid MAC_A3 the initiator stops the protocol at step 7, and without a valid MAC_A4 the responder stops at step 9, which means that A fails to establish an MK with either the initiator or the responder.

Off-Line Dictionary Attack
Proposition 4. Suppose the initiator and the responder have successfully shared a password PW. Then a passive eavesdropper who records one or more sessions of the improved protocol cannot eliminate a significant number of candidate passwords.

Proof. In the improved protocol, the values sent in the clear are I, R, U_I, PK'_I, N_I, T_R, PK_R, N_R, MAC_3 and MAC_4. In order to carry out an off-line dictionary attack, the adversary needs information that lets him check candidate passwords from a dictionary. Among all of these values, PW is related only to PK'_I, through PK'_I = PK_I − Q(PW). PK_I is kept secret in the improved protocol (unlike in M_4 of the standard protocol, it is never sent in the clear), and PK_I = SK_I × G, where SK_I is a random integer. Therefore, PK_I is a random point unknown to the adversary: for every candidate password PW*, the point PK_I* = PK'_I + Q(PW*) is consistent with the observed PK'_I, and the other values in the clear do not depend on PK_I (U_I hides SK_I under the fresh random R_I, and K = R_I × R_R × G does not involve PK_I). The equation PK'_I = PK_I − Q(PW) and the value PK'_I thus give the attacker no information about PW, and the attacker is unable to eliminate candidate passwords.

According to Proposition 4, an off-line dictionary attack on the improved protocol is infeasible.

Forward Secrecy
Proposition 5. Suppose the initiator and the responder have successfully shared a password PW. Then the compromise of the long-term secret keys of a set of principals does not compromise the MKs established in previous runs of the improved protocol involving those principals.

Proof. The principals of this protocol are the initiator and the responder, and their long-term secret keys are the private keys SK_I and SK_R, the password PW and the public key PK_I, which is masked during transmission. Assume the adversary A compromises these long-term secrets of the initiator and the responder, so that (s)he holds SK_I, SK_R, PW and PK_I. In order to calculate an MK established in a previous run, A needs to compute it from MK = CMAC_128(LMB_128(K), N_I‖N_R), where K is the Diffie-Hellman key of that run. Note that A cannot simply run the protocol with the principals using these values, since the MK obtained that way belongs to the current run rather than to a previous one. Therefore, A has to compute the K of the recorded run, and each of the three expressions for it, K = (T_R − PK_R) × R_I, K = (U_I × G − PK_I) × R_R and K = R_I × R_R × G, requires at least one of R_I and R_R. R_I and R_R are random values chosen by the initiator and the responder, respectively, in each run of the protocol; they change in every run and are not stored as long-term secrets. Without either of R_I and R_R, A fails to compromise the MK even though (s)he holds all the long-term keys and values.

A caveat follows directly from the message format: U_I = R_I + SK_I is transmitted in the clear, so an adversary who obtains SK_I specifically can recover R_I = U_I − SK_I from a recorded M_1 and then K = (T_R − PK_R) × R_I from the recorded M_2. The argument above therefore covers the compromise of PW and of SK_R (neither of which reveals R_I or R_R, since R_R × G = T_R − PK_R is public in any case and recovering R_R from it is the elliptic curve discrete logarithm problem), but a node whose long-term SK_I leaks also exposes the MKs of its recorded runs, unless U_I is protected rather than sent as a plain scalar sum.

From Proposition 5, we can see that the improved protocol provides forward secrecy against compromise of the password and of the responder's private key.

Performance
In order to observe the performance of the improved protocol, we evaluate the computation and communication cost theoretically.In addition, we also test the performance through a set of experiments.

Evaluation
The overall burden of the protocol consists of three parts: communication cost, computation cost on the node and computation cost on the hub. For the communication cost, we count the messages transmitted between the node and the hub within a run of the protocol. To evaluate the computation cost, we count the number of CMAC computations and of scalar multiplications of an elliptic curve point by an integer, since other operations such as point addition and subtraction have minor computational cost.
Denote the cost of transmitting a piece of message by M, the cost of executing one CMAC algorithm by H, and the cost of executing the operation of scalar multiplication one time by S, and we compare the evaluated cost of the improved protocol with the modified protocol and the standard protocol in Table 2.
From Table 2, we can see that the improved protocol reduces the computation cost on the node, while the overall computation and communication cost does not increase. One time-consuming scalar multiplication S is done by the hub on behalf of the node: the hub computes the node's ephemeral point R_I × G = U_I × G − PK_I, so the node only performs the single scalar multiplication that yields K. Since the hub is more powerful than the node, the improved protocol is more affordable for WBAN applications.

Experiments
The improved protocol uses the CMAC algorithm and ECC key generation (generating a private key and computing the public key by scalar multiplication). We test the runtime of these algorithms on the node through a set of experiments. In the experiments, we use an Arduino Uno as the node, SHA-256 in place of the CMAC algorithm, and the ATECC108A crypto chip from Atmel to execute the ECC key generation. The elliptic curve is Curve P-256 from Federal Information Processing Standards (FIPS) Pub 186-3. The node is described in Table 3, and the results are summarized in Table 4. From Table 4, we can see that the run-time of these algorithms is affordable for the node, which means that the improved protocol is suitable for WBAN applications.

Use Case
As described above, our improved protocol reduces the computational burden on one side of the communication. This is a significant strength for some applications in wireless sensor networks. Here, we describe a smart lock system that uses our improved protocol to generate a master key. The system and the usage of the improved protocol are described as follows.

Smart Lock System
As shown in Figure 2, the smart lock system consists of a lock, which is a physical host with an embedded computing device, and a phone on which a smart lock application is installed. The aim of this system is to lock or unlock the lock securely from the phone application. Naturally, the computationally limited lock is the initiator and the relatively powerful phone is the responder. The smart lock system includes the following three phases, and our protocol is involved in the first phase.

1. Master Key Generation. The short password is entered secretly on the lock and on the phone, and the two then execute our improved protocol. After this phase, a relatively long master key is shared by the lock and the phone.

2. Session Key Generation. With the master key, the lock and the phone execute a session key generation protocol (such protocols are available in the literature) to generate the session key for this round of communication.

3. Secure Communication. The newly generated session key is used for this round of communication between the phone and the lock: (1) The phone computes MAC = HMAC(sessionkey, P‖L‖Request‖Counter) and sends the request (LOCK/UNLOCK) with the MAC to the lock. Here, P and L denote the identities of the phone and the lock, and Counter denotes the current value of a counter that is advanced for each request so that every request is fresh. (2) The lock verifies the MAC. If the verification succeeds, the lock executes the request to lock or unlock; otherwise, it does not execute the request or responds with a failure message.
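The third-phase request check, as an added example that is not the paper's code: the phone builds the request MAC over P‖L‖Request‖Counter with HMAC-SHA256, and the lock verifies it and, in addition to what the text states, requires the counter to be strictly larger than the last accepted value, so that a recorded LOCK/UNLOCK request cannot be replayed. The identities b"P" and b"L", the field names, the four-byte counter encoding and the class names Phone and Lock are assumptions.

```python
"""Phase-3 smart-lock request check (added example, not the paper's code).
Assumptions: HMAC-SHA256, a 4-byte big-endian counter, identities b"P"/b"L",
and a strictly increasing counter enforced by the lock against replay."""
import hashlib, hmac

ACTIONS = (b"LOCK", b"UNLOCK")

def request_mac(session_key, phone_id, lock_id, action, counter):
    """MAC = HMAC(sessionkey, P || L || Request || Counter)."""
    msg = phone_id + lock_id + action + counter.to_bytes(4, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()

class Phone:
    def __init__(self, session_key, phone_id=b"P", lock_id=b"L"):
        self.key, self.p, self.l, self.counter = session_key, phone_id, lock_id, 0

    def request(self, action):
        self.counter += 1                         # fresh value for every request
        return {"P": self.p, "L": self.l, "req": action, "ctr": self.counter,
                "mac": request_mac(self.key, self.p, self.l, action, self.counter)}

class Lock:
    def __init__(self, session_key, lock_id=b"L"):
        self.key, self.l, self.last_ctr, self.state = session_key, lock_id, 0, "LOCKED"

    def handle(self, m):
        """Returns 'OK: <state>' or a 'FAIL: ...' string; only OK changes the state."""
        if m["L"] != self.l or m["req"] not in ACTIONS:
            return "FAIL: malformed request"
        exp = request_mac(self.key, m["P"], m["L"], m["req"], m["ctr"])
        if not hmac.compare_digest(exp, m["mac"]):
            return "FAIL: bad MAC"               # wrong session key or tampered fields
        if m["ctr"] <= self.last_ctr:
            return "FAIL: replayed counter"      # an old request presented again
        self.last_ctr = m["ctr"]
        self.state = "LOCKED" if m["req"] == b"LOCK" else "UNLOCKED"
        return "OK: " + self.state
```

The MAC binds the counter, so an attacker who records an UNLOCK request can neither resend it (stale counter) nor bump the counter (the MAC no longer verifies); the lock must persist last_ctr across restarts for this to hold.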

Analysis
The smart lock system is secure as long as the session key is kept secret by the two participants. An adversary cannot make the system lock or unlock, because they cannot compute the correct MAC without the session key. Therefore, the secrecy of the session key is essential for the security of the whole system. Our improved protocol provides secure generation of the master key, which in turn guarantees the security of the session key derived from it.
Additionally, the device embedded in the lock is less powerful than a normal cell phone. Our password-based authenticated association protocol in the first phase reduces the computational cost on the lock, which makes the smart lock system more practicable.

Comparison
In Section 6.1, we compared the cost of the improved protocol with that of the related protocols in Table 2. A comparison of the security of these protocols is listed in Table 5, where √ means that the protocol is secure under the corresponding attack or provides the corresponding security feature, and × means that it is not. Several password-based authenticated key exchange protocols have been proposed. In this subsection, we compare our improved protocol with three kinds of two-party key exchange protocols that are based on passwords.

Encrypted Key Exchange Using Diffie-Hellman
Diffie-Hellman-based Encrypted Key Exchange (EKE) protocols transmit the public keys encrypted under the password. The original protocol was proposed by Bellovin and Merritt in [17], and variants and extensions of it have been proposed since. Such protocols are proved secure in the random-oracle model. However, in practice, attacks against these protocols exist when the two parties are unable to verify the integrity of the received messages: if an attacker modifies a message, the two participants derive different keys without being aware of it.
The IEEE Std password authenticated association protocol and our improved protocol are developed from this kind of protocol. As both use a message authentication code (CMAC) to verify the integrity of the messages exchanged between the two parties, the above attacks against the original Diffie-Hellman-based EKE protocols are eliminated.

RSA-Based Protocols
Rivest-Shamir-Adleman (RSA)-based protocols use the RSA algorithm as the basis of the password authenticated key exchange scheme. In [18], MacKenzie proposed a variant of the RSA-based open key exchange protocol called SNAPI (Secure Network Authentication with Password Information).
Verification of the integrity of transmitted messages is part of this protocol. However, it is not suitable for wireless sensor networks, since sensors are usually not powerful enough to run the RSA algorithm.

Protocols Using a Server Public Key
Some password-based authenticated key exchange protocols use a server public key in addition to the pre-shared password. Such protocols include the Gong-Lomas-Needham-Saltzer (GLNS) compact protocol proposed by Gong et al. in [19], Gong's optimal GLNS nonce-based protocol in [20], the Kwon-Song protocol in [21] and the Halevi-Krawczyk protocol in [22]. However, all four protocols use public key encryption, whose computational cost is too high for sensor devices. Moreover, the former two protocols need the participation of a server.

Conclusions
In low-power, low-complexity wireless sensor network applications such as WBANs, the communications security requirements mainly include authentication between participants, as well as confidentiality and integrity of transmitted messages.Mechanisms that aim to satisfy these requirements usually need a secret key to be held by participants.Therefore, key establishment and management are significant for security services in communications networks.The password authenticated association protocol is a scheme for the participants to generate a master key from a pre-shared password.
Considering the asymmetric power of the two participants in WBANs, we propose an improved password authenticated association protocol that reduces the computational cost on the less powerful participant. The improved protocol resists both impersonation attacks and Man-in-the-Middle attacks. A master key between the node and the hub is established securely and efficiently through this protocol and is afterwards used for pairwise temporal key (PTK) creation; the PTK is the key used in the encryption and decryption processes that provide authentication, confidentiality and integrity for communication.
The improved protocol requires one scalar multiplication and two CMAC computations on the node (i.e., the initiator). Since the computational cost of these algorithms is acceptable for devices with limited power in WBANs, the improved protocol is suitable for WBAN applications.


Figure 1 .
Figure 1.The sequence diagram of Man-in-the-Middle attack.

Table 1 .
Symbols and definitions.

Table 2 .
Evaluation of performance.

Table 3 .
Details of the node (implemented on Arduino Uno).

Table 4 .
Run-time of involved cryptographic algorithms on the node.

Table 5 .
Comparison of security ("√" denotes that the protocol resists the attack or possesses the security feature, and "×" denotes that the protocol does not resist the attack or does not possess the security feature).