On the Security of a Lightweight and Secure Access Authentication Scheme for Both UE and mMTC Devices in 5G Networks

Abstract

The Internet of Things (IoT) and 5G networks play important roles in the latest systems for managing and monitoring various types of data. These 5G based IoT environments collect various data in real-time using micro-sensors as IoT things devices and sends the collected data to a server for further processing. In this scenario, a secure authentication and key agreement scheme is needed to ensure privacy when exchanging data between IoT nodes and the server. Recently, Cao et al. in “LSAA: A lightweight and secure access authentication scheme for both UE and mMTC devices in 5G networks” presented a new authentication scheme to protect user privacy. They contend that their scheme not only prevents various protocol attacks, but also achieves mutual authentication, session key security, unlinkability, and perfect forward/backward secrecy. This paper demonstrates critical security weaknesses of their scheme using informal and formal (mathemati) analysis: it does not prevent a single point of failure and impersonation attacks. Further, their proposed scheme does not achieve mutual authentication and correctness of security assumptions, and we perform simulation analysis using a formal verification tool to its security flaws. To ensure attack resilience, we put forward some solutions that can assist constructing more secure and efficient access authentication scheme for 5G networks.

1. Introduction

The radical development of the Internet of Things (IoT) and 5G networks in the present day has made security a demanding requirement for providing various services such as smart-healthcare, smart-home, smart-industries, etc., securely. Many IoT things devices are deployed in IoT environments to make it easy to manage and process huge real-time data to provide convenient services to the users of the 5G network. It is for this reason that 5G and IoT technology have an important role in the life of human beings because it helps in managing real-time data and to improve the quality of life of people [1]. In this situation, the exchange of data must be secure and reliable, made available only to the legitimate entities while keeping them away from the reach of malicious adversaries. IoT and mobile devices generally store secret parameters during the registration phase and then use it to authenticate among legal entities. If these devices are compromised, it can cause serious security problems because the devices have collected various data related with users such as voice, health, location, finance, etc. [2]. Therefore, research for privacy-preserving scheme is needed to ensure user and data privacy, which consider the possibility that user devices are compromised.

The results of several research works have been proposed for ensuring user privacy in IoT [3,4,5,6,7,8]. In 2016, to enhance user privacy for IoT, Park et al. proposed three factor based authentication scheme using elliptic curve cryptosystem (ECC) [3]. However, in 2017, Moon et al. [4] and Wang et al. [5] demonstrated that Park et al.’s scheme does not prevent impersonation and offilne dictionary attacks, and then they proposed a enhanced authentication and key agreement scheme to ensure secure communications in IoT environments. We et al. [6] also proposed a provable and secure user authentication scheme to resolve the common challenges and ensure the essential security properties of IoT. In 2018, Wazid et al. [7] proposed a secure user authentication with key agreement scheme for generic IoT networks. In 2019, Adavoudi-Jolfaei et al. [8] presented a lightweight three factor authentication scheme for providing access control between different groups. However, all the above-mentioned research works still have security weaknesses and do not consider the practical IoT environments.

Recently, Cao et al. [9] proposed a lightweight and secure access authentication scheme to guarantee security and privacy in 5G based IoT environments. However, this paper points out that Cao et al.’s scheme is not secure against a single point of failure and impersonation attacks. Since the secret parameters are stored as plaintext in devices, an adversary can, not only obtain public parameters but also easily get secret parameters stored in physical devices in their threat model. To resolve these security flaws, several studies [10,11,12] indicated that storing the secret parameters as plaintext is a major security weakness and it must be masked using a hash function and XOR operation. Further, we suggest a possible solution to ensure attack resilience.

The remainder of this paper is organized as follows. First, we present a review and cryptanalysis of Cao et al.’s scheme in Section 2 and Section 3. Afterward, we present a solution to ensure attack resilience and improved security in Section 4. Finally, we present a conclusion of this paper in Section 5.

1.1. Motivation and Contribution

The main purpose of this paper is to demonstrate the major security weaknesses of the LSAA scheme proposed by Cao in et al. [9]. In their scheme, an adversary can easily impersonate a legitimate user and generate a session key among entities. Therefore, we note that Cao et al.’s scheme is not secure against some attacks using informal and formal (mathematical) security analysis and does not meet essential security requirements in their threat model. We also perform the formal verification analysis using automated validation of internet security protocols and applications (AVISPA) [13] to demonstrate its security flaws, and is unsuitable for deployment in a public network. Further, we propose a solution for resolving these security weaknesses and to improve the overall security level.

1.2. Threat Model

In Cao et al.’s scheme, they adopt the Dolev-Yao (DY) threat model [14] to evaluate the security of the protocols. According to this model, an adversary can intercept, eavesdrop, insert, delete, and modify all messages transmitted between the communicating entities including user equipment (UE), machine-type communication (MTC) devices, and serving network (SN) because they communicate over a public (insecure) channel. The key generation center (KGC) is a fully trusted entity because it generates and manages the secret key for UEs and MTC devices (MDs). However, UEs and MDs are not physically protected and an adversary can obtain the data in the memory of UEs and MDs using power analysis attack [10,15,16].

2. Review of Cao et al.’s Scheme

This section succinctly reviews Cao et al.’s [9] scheme and discusses the threat model that can be used to perform cryptanalysis of their scheme. This scheme consists of four phases: system setup, registration, authentication and key agreement between UE and SN, and group access authentication and key agreement between massive MDs and SN. The notations used in this paper are presented in Table 1.

Table 1. Notation used in this paper.

Notation	Description
$H_{1,2}$	Secure one-way hash function, $H_1$, $H_2$:${\{1,0\}}^{*}\to Z_p^{*}$
UE	A user equiment
MD	A machine-type communication (MTC) device,
SN	A serving network
KGC	A key generation center
$K_{sn,ue,md}$	Parameters for SNs, UEs and MDs, respectively
$I{D}_I$	A I’s real idenity
$GID$	A identity of MTC group
$s_j$	A $S{N}_j$’s master key
$\{u_i,K_{u{e}_i}\}$	$U{E}_i$’s master key and secret parameters
$\{m_i,K_{m{d}_i}\}$	Each $M{D}_i$’s master key and secret parameters
$\{m_g,K_{m{d}_g}\}$	MTC group’s master key and secret parameters
$EN{C}_x$	The encrypted value with $K_x$
$MA{C}_i$	The message authentication code
$\left|\right|$	A concatenation operation

2.1. System Setup Phase

This phase is performed by KGC to setup the system parameters. The KGC generates a large prime number p and three variables ($K_{s}n$, $K_{u}e$, and $K_{md}$${\in }_R(-\infty ,+\infty )$) for registered MDs, UEs, and SNs, where $a{\in }_R(-\infty ,+\infty )$ indicates that a is uniformly random and selected from the range $(-\infty ,+\infty )$. Then, KGC selects one-way hash functions $H_1$ and $H_2$ and broadcasts public parameters including $p,K_{sn},K_{ue},K_{md},H_1$, and $H_2$.

2.2. Registration Phase

In this phase, SN and UE register themselves with the KGC via a secure channel to access the system. SN and UE share the secret parameters with KGC during this phase. A detailed explanation of the process is presented as follows.

2.3. SN Registration

This process is performed by the KGC through a secure channel.

(1)

$S{N}_j$ securely sends a unique identity $I{D}_{S{N}_j}$ to KGC.

(2)

After receiving $I{D}_{S{N}_j}$, the KGC generates a master key $s_j$ for $S{N}_j$ and computes $T_{s_j}= (K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p using Chebyshev polynomials. Then, KGC securely sends $s_j$ to $S{N}_j$ and broadcasts $S{N}_j$’s public key $T_{s_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p and the unique identity $I{D}_{S{N}_j}$.

2.4. Device Registration

2.4.1. UE Registration

(1)

The KGC generates a master key $u_i$ for $U{E}_i$ and a variable $K_{{ue}_i}$${\in }_R(-\infty ,+\infty )$, computes $T_{u_i}(K_{{ue}_i}\left|\right|I{D}_{U{E}_j})$ mod p, and then securely issues the smartcard (SC) to $U{E}_i$ including $I{D}_{U{E}_i}$, $T_{u_i}(K_{{ue}_i}\left|\right|I{D}_{U{E}_j})$ mod p, and $u_i$. These values are secretly shared between $U{E}_i$ and the KGC.

(2)

The KGC computes $H_1(T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|I{D}_{U{E}_i})$ and sends it to $S{N}_j$ for $U{E}_i$.

(3)

Finally, $S{N}_j$ stores $H_1(T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|I{D}_{U{E}_i})$ into a database for all registered UEs.

2.4.2. MD Registration

(1)

The KGC chooses MTC group leader $M{D}_n$, a master key $m_g$, a variable $K_{{md}_g}{\in }_R(-\infty ,+\infty )$, and then generates a master key $m_i$, a variable $K_{{md}_i}{\in }_R(-\infty ,+\infty )$ for MTC group member $M{D}_i$.

(2)

The KGC computes $T_{m_g}=(K_{{md}_g}\left|\right|GID)$ mod p and $T_{m_i}=(K_{{md}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p using Chebyshev polynomials. The KGC securely issues SC to $M{D}_i$ including the unique $M{D}_i$’s identity $I{D}_{M{D}_i}$, the group identity GID, the shared secret $T_{m_g}= (K_{{md}_g}\left|\right|GID)$ mod p and $T_{m_i}= (K_{{md}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p between $M{D}_i$ and KGC.

(3)

Finally, the KGC computes $H_1(T_{m_g}(K_{m{d}_g}\left|\right|GID)$ mod $p\left|\right|GID)$ and $H_1(T_{m_i}(K_{m{d}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod $p\left|\right|GID\left|\right|I{D}_{M{D}_i})$, and send it to $S{N}_j$. Then $S{N}_j$ stores it into a database for MTC groups.

2.5. Authentication and Key Agreement Phase between UE and SN

This phase is mutual authentication and key agreement process between UE and SN, which is performed through a public channel. A detailed description of the process is presented as follows.

(1)

$U{E}_i$ pre-computes $T_{U_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p and $T_{u_i}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod p. Then, $U{E}_i$ generates $x_i$ and computes $T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $K_1=T_{x_i}(T_{S_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $K_2=T_{u_i}(T_{S_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $MA{C}_1=H_1(K_2,$$I{D}_{U{E}_i},I{D}_{S{N}_j},T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|T_{u_i}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$. $U{E}_i$ encrypts $E_1=EN{K}_{K_1}(I{D}_{U{E}_i}\left|\right|T_{U_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p\left|\right|T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|T_{u_i}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod $p)$ by the secret parameter $K_1$ and sends the access request including $\{I{D}_{S{N}_j},T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,E_1,MA{C}_1$} to $S{N}_j$.

(2)

After receiving the access request, $S{N}_j$ computes $K_1^{\prime }=T_{s_j}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p and decrypt $E_1=I{D}_{U{E}_i},T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod p, $T_{u_i}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod p. $S{N}_j$ checks whether $I{D}_{U{E}_i}$ exist in a database, If it exist, $S{N}_j$ verifies that $H_1(T_{u_i}(K_{u{e}_i}\left|\right|I{D}_{U{E}_i})$ mod $p\left|\right|I{D}_{U{E}_i})$ is correct.

(3)

$S{N}_j$ computes $K_2^{\prime }=T_{s_j}(T_{u_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p and verifies that $MA{C}_1$ is correct. If $MA{C}_1$ is correct, $S{N}_j$ generates $y_i$ and computes $T_{y_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $T_{s_j}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod p, $K_3=$$T_{s_j}(T_{u_i}$$\left(K_{ue}\right|\left|I{D}_{U{E}_i}\right)$ mod $p)$ mod $p)$, $MA{C}_2$$=H_1(K_3,I{D}_{U{E}_i},I{D}_{S{N}_j},$$T_{y_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$.

(4)

$S{N}_j$ computes the session key $S{K}_{ij}=H_2(T_{y_i}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod $p\left|\right|K_1^{\prime }\left|\right|K_2^{\prime }\left|\right|K_3\left|\right|I{D}_{U{E}_i}\left|\right|I{D}_{S{N}_j})$ and sends authentication request encrypted with $K_1^{\prime }$ including $\{EN{C}_{K_1^{\prime }}(T_{y_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,T_{s_j}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod $p,MA{C}_2\left)\right\}$.

(5)

On receiving the authentication request, $U{E}_i$ decrypt $EN{C}_{K_1^{\prime }}$ and get the $\left\{\right(T_{y_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,T_{s_j}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod $p,MA{C}_2\left)\right\}$. Then, $U{E}_i$ computes $K_2^{\prime }=T_{u_i}(T_{s_j}(K_{ue}\left|\right|I{D}_{U{E}_i})$ mod $p)$ mod p and verify that $MA{C}_2$ is correct. If it is correct, $U{E}_i$ computes the session key $S{K}_{ij}^{\prime }=H_2(T_{y_i}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod $p\left|\right|K_1\left|\right|K_2\left|\right|K_3^{\prime }\left|\right|I{D}_{U{E}_i}\left|\right|I{D}_{S{N}_j})$, $MA{C}_3=H_1(S{K}_{ij}^{\prime }\left|\right|I{D}_{U{E}_i}\left|\right|I{D}_{S{N}_j}\left|\right|T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $T_{y_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ and sends $MA{C}_3$ to $S{N}_j$

(6)

Finally, $S{N}_j$ verifies that $MA{C}_3$ is correct. If it is correct, $U{E}_i$ and $S{N}_j$ authenticate and correctly establish the session key each other.

2.6. Group Access Authentication and Key Agreement Phase between Massive MDs and SN

This phase refers to the group access authentication and key agreement process between MDs and SN, which is performed through a public channel. The MTC group leader $M{D}_n$ aggregates the group member $M{D}_i$’s data and sends it to SN to authenticate between group members and SN. A detailed description of the process is presented as follows.

(1)

The MTC device $M{D}_i$ precompute $T_{m_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $T_{m_i}(K_{md}\left|\right|GID)$ mod p, $K_{M_{2i}}=(T_{m_i}(T_{s_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $K_{G1}=T_{m_g}(T_{s_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p.

(2)

$M{D}_i$ selects $x_i,z_i$ and computes $K_{M_{1i}}=T_{x_i}(T_{s_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $MA{C}_1=H_1(K_{M_{1i}}\left|\right|K_{M_{2i}}\left|\right|K_{G_1}\left|\right|GID\left|\right|I{D}_{M{D}_i}\left|\right|I{D}_{S{N}_j}\left|\right|$$T_{m_i}(K_{m{d}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p, $T_{m_g}(K_{m{d}_g}\left|\right|GID)$ mod $p\left|\right|$$T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p$\left|\right|z_i)$. Then, $M{D}_i$ encrypts $E_{1i}=EN{C}_{K_{M_{1i}}}(I{D}_{M{D}_i}\left|\right|T_{m_i}(K_{m{d}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod $p\left|\right|T_{m_i}(K_{md}\left|\right|GID)$ mod $p\left|\right|T_{m_i}(K_{sn}\left|\right|I{D}_{S{N}_j}$ mod $p\left|\right|z_i)$ by the secret parameter $K_{M_{1i}}$ and sends the access request $\{I{D}_{S{N}_j},T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $E_{1i},MA{C}_{1i}\}$ to $M{D}_n$.

(3)

After receiving the access request from $M{D}_i$, $M{D}_n$ computes $MA{C}_1={\oplus }_{i=1}^{n}MA{C}_{1i}$ and ${\oplus }_{i=1}^n{E}_{1n}=$$EN{C}_{K_{M_{1n}}}(GID$$\left|\right|I{D}_{M{D}_n}\left|\right|T_{m_n}$$\left(K_{m{d}_n}\right|\left|GID\right||I{D}_{M{D}_n}$ mod $p\left|\right|T_{m_g}$$\left(K_{mg}\right|\left|GID\right)$ mod $p\left|\right|T_{m_n}$$\left(K_{md}\right|\left|GID\right)$ mod $p\left|\right|T_{m_n}$$\left(K_{sn}\right||I{D}_{S{N}_j}$ mod $p\left|\right|T_{m_g}$$(T_{m_g}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p\left|\right|T_{m_g}$$\left(K_{md}\right|\left|GID\right)$ mod $p\left|\right|z_n$), where ${\oplus }_{i=1}^n$ is function of the aggregating access request for group members, and sends the aggregation request $\{I{D}_{S{N}_j}$, ${\oplus }_{i=1}^n{T}_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, ${\oplus }_{i=1}^n{E}_{1i}$, $MA{C}_1$ to $S{N}_j$.

(4)

On receiving the aggregation request from $M{D}_n$, $S{N}_j$ computes $K_{M_{1i}}^{\prime }=T_{s_j}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, decrypts $E_{1i}$ and obtains $I{D}_{M{D}_i},GID,T_{m_i}(K_{m{d}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p and $z_i$. Then, $S{N}_j$ checks whether $I{D}_{M{D}_i}$ and GID are exist in a database, If they exist, $S{N}_j$ verifies that $H_1(T_{m_g}(K_{m{d}_g}\left|\right|GID)$ mod $p\left|\right|I{D}_{M{D}_i})$ and $H_1(T_{m_i}(K_{m{d}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod $p\left|\right|GID\left|\right|I{D}_{M{D}_i})$ are correct.

(5)

$S{N}_j$ computes $K_{2i}^{\prime }=T_{s_j}(T_{m_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $K_{G1}^{\prime }=T_{s_j}(T_{m_g}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p and verifies that $MA{C}_1$ is correct. If $MA{C}_1$ is correct, $S{N}_j$ generates $y_j$ and computes $T_{y_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $T_{s_j}(K_{md}\left|\right|GID)$ mod p, $K_{G2}=$$T_{s_j}(T_{m_g}$$\left(K_{md}\right|\left|GID\right)$ mod $p)$ mod $p)$, $K_{M_{3i}}=$$T_{s_j}(T_{m_i}$$\left(K_{md}\right|\left|GID\right)$ mod $p)$ mod $p)$.

(6)

$S{N}_j$ computes $Z={\prod }_{i=1}^n{z}_i$, $Z_i=Z/z_i$, $y_i=Z_i^{-1}$ using Chinese remainder theorem (CRT). Then, $S{N}_j$ get $S=({\sum }_{i=1}^n$$H_2(K_{M_{1i}}^{\prime },K_{M_{3i}},K_{G2},I{D}_{M{D}_i},I{D}_{S{N}_j}),y_i,Z_i)$ mod Z. Then, $S{N}_j$ computes the session key $S{K}_{ij}=$$H_2(T_{y_j}(T_{X_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $K_{M_{1i}}^{\prime }$, $K_{M_{2i}}^{\prime }$, $K_{M_{3i}}$, $K_{G1}^{\prime }$, $K_{G2}$, $I{D}_{M{D}_i}$, $GID$, $I{D}_{S{N}_j})$ and sends the group authentication request $\{EN{C}_{K_{G1}^{\prime }}(T_{y_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,T_{s_j}(K_{md}\left|\right|GID)$ mod $p,S\}$ to $M{D}_i$.

(7)

$M{D}_i$ decrypts $EN{C}_{K_{G1}^{\prime }}(T_{y_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, computes $K_{G2}^{\prime }=T_{m_g}(T_{s_j}(K_{kmd}\left|\right|GID)$ mod $p)$ mod p and $K_{M_{3i}}^{\prime }=T_{m_i}(T_{s_j}(K_{kmd}\left|\right|GID)$ mod $p)$ mod p, and verifies $H_2(K_{M_{1i}},K_{M_{3i}}^{\prime },K_{G2}^{\prime },I{D}_{M{D}_i},I{D}_{S{N}_j})\stackrel{?}{=}S$ mod $z_i$.

(8)

If it is correct, $M{D}_i$ computes $S{K}_{ij}^{\prime }=H_2(T_{x_i}(T_{y_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod p, $K_{M_{1i}}$, $K_{M_{2i}}$, $K_{M_{3i}}^{\prime }$, $K_{G1}$, $K_{G2}^{\prime }$, $I{D}_{M{D}_i},GID,I{D}_{S{N}_j})$, $MA{C}_{3i}=H_1$$(S{K}_{ij}^{\prime },I{D}_{M{D}_i},GID,I{D}_{S{N}_j}$, $T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p, $T_{y_j}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod p and sends $MA{C}_{3i}$ to $M{D}_n$.

(9)

On receiving the $MA{C}_{3i}$ from the group members, $M{D}_n$ computes $MA{C}_3={\prod }_{i=1}^{n}MA{C}_{3i}$ and sends it to $S{N}_j$.

(10)

Finally, $S{N}_j$ checks correctness of $MA{C}_3$ and authenticates with $M{D}_i$.

3. Security Weaknesses of Cao et al.’s Scheme

In this section, we demonstrate that Cao et al.’s scheme is vulnerable to MD and UE impersonation attacks as well as a single point of failure. Further, we also show that Cao et al.’s scheme does not achieve secure mutual authentication and session key security, which is a necessary security requirement for authentication and key agreement scheme.

3.1. Formal Security Analysis

We prove that Cao et al.’s scheme does not achieve the session key security using Real-or-Random (ROR) model [17] which is broadly accepted formal proof [18,19,20]. We first present the basic concept of ROR model, and then perform the formal security analysis through this proof.

• Participants  We denote ${\Pi }_{UE}^{ins{t}_1}$ and ${\Pi }_{SN}^{ins{t}_2}$ as the instance $ins{t}_1$ and $ins{t}_2$ of UE and SN, respectively.
• Accepted state  After exchanging the last messages, the oracle ${\Pi }^{i}nst$ moves to an accepted state. When all the messages are concatenated in order, a current session identifier $csid$ of ${\Pi }^{inst}$ is defined.
• Partnering  When ${\Pi }_{UE}^{ins{t}_1}$ and ${\Pi }_{SN}^{ins{t}_2}$ are in the shared same $sid$ and the accepted state, and then complete mutual authentication and key agreement, ${\Pi }_{UED}^{ins{t}_1}$ and ${\Pi }_{SN}^{ins{t}_2}$ are defined as partners.
• Freshness  To perform the ROR proof, the instances (${\Pi }_{UE}^{ins{t}_1}$, ${\Pi }_{SN}^{ins{t}_2}$) are considered fresh if the session key between UE and SN is not compromised to attacker A at present.
• Attacker  Under the threat model of Cao et al. [9], an A has a complete control over the communication network. A also access to the queries presented in Table 2 to break the security of Cao et al.’s scheme.
  Table 2. Queries and descriptions.

  Queries	Descriptions
  $Execute({\Pi }_{UE}^{ins{t}_1},$${\Pi }_{SN}^{ins{t}_2})$	This query is an eavesdropping attack that A can control the exchanged messages over the public network.
  $CorruptUE\left({\Pi }_{UE}^{ins{t}_1}\right)$	This query is device stolen attacks that A can retrieve the data stored in device $U{E}_i$ using this query.
  $Send$$({\Pi }^{inst},Msg)$	This query is an attack that A can send a message and obtain a response from the oracle $P^{inst}$.
  $Test\left({\Pi }^{inst}\right)$	This query is an attack to guess the probabilistic result for an unbiased coin c. When the $P^{inst}$ and A establish the session key $SK$ which is fresh, A sends this query. If its result is $c=0$ or $c=1$, A get a random number or the $SK$, respectively. Otherwise, $Tset$ query returns the NULL $(\perp )$.

• Semantic Security  Under the this model, A attempt to find an instance’s correct session key from a random nonce. A has to utilize the ROR queries, and then guesses a bit c. When A correctly find a bit c, A win the game ans destroy the semantic security of protocol. We define that $Win$ is event of winning the game by A and $Ad{v}_P=|2Pr\left[Win\right]-1|$ is advantage in breaking the session key of Cao et al.’s scheme P.
• Random Oracle  In Cao et al.’s scheme, all participants can utilize a random oracle which is a one-way hash function H.

Here, we prove that Cao et al.’s scheme does not achieve the session key security by the following Definition 1 and Theorem 1.

Definition 1.

Chaotic Map-based Discrete Logarithm Problem (CMDLP): Given x and y, it is computationally hard to find integer i such that $T_i\left(x\right)=y($mod $p)$.

Theorem 1.

Suppose that A is an adversary running in a polynomial time t against LASS and $Ad{v}_P^A$ is the advantage of A in breaking the session key security of Cao et al.’s scheme. Then,

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{P}}^A\ge \frac{q_h^2}{\left|Hash\right|}+2Ad{v}^{CMDLP}\left(t\right),\end{array}$$

(1)

where $q_h$, $Hash$, and $Ad{v}^{CMDLP}\left(t\right)$ denote the number of $Hash$ queries, $Hash$ is a one-way hash function H, and $Ad{v}^{CMDLP}\left(t\right)$ is the breaking advantage of CMDLP by A, respectively.

We define the following games $G_i(i=0,1,2)$ with the event $Suc{c}_i$ in which A wins the game $G_i$. The formal proofs using ROR model are below:

• Game $G_0$: This game is a direct attack by A against the protocol. The c is first randomly selected at the beginning of this game and its winning advantage is:

  $$Ad{v}_{\mathcal{P}}^A=|2.Pr\left[Suc{c}_0\right]-1|$$

  (2)
• Game $G_1$: This game is an eavesdropping attack by A which A can control the all the exchanged messages using $Execute({\Pi }_{UE}^{ins{t}_1},$${\Pi }_{SN}^{ins{t}_2})$ query. After that, A executes the $Test\left({\Pi }^t\right)$ query to find whether its output is a correct $SK$ or a random value. In Cao et al.’s scheme, UE and SN exchange the session key $SK$ which is computed by $S{K}_{ij}=H_2(T_{y_i}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod $p\left|\right|K_1^{\prime }\left|\right|K_2^{\prime }\left|\right|K_3\left|\right|I{D}_{U{E}_i}\left|\right|I{D}_{S{N}_j})$ and $S{K}_{ij}^{\prime }=H_2(T_{y_i}(T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p)$ mod $p\left|\right|K_1\left|\right|K_2\left|\right|K_3^{\prime }\left|\right|I{D}_{U{E}_i}\left|\right|I{D}_{S{N}_j})$. If A want to correctly guess it, A must break the difficulty of solving CMDLP. However, A should get the temporary private key of UE and SN from the $SK$. It is computationally hard to find the temporary private key because the $SK$’s security is based on the difficulty of solving CMDLP. Thus, $G_0$ and $G_1$ are indistinguishable. Then,

  $$Pr\left[Suc{c}_1\right]=Pr\left[Suc{c}_0\right]$$

  (3)
• Game $G_2$: Finally, A performs the final attack and tries to impersonate the legal UE and SN using $Send({\Pi }^{inst},Msg)$, $CorruptUE\left({\Pi }_{UE}^{ins{t}_1}\right)$ and some $Hash$ queries. A execute the $CorruptUE\left({\Pi }_{UE}^{ins{t}_1}\right)$ query, and then extract the values $u_i$ and $s_j$ stored in the memory of UE and SN. A successfully break the session key security using the obtained private key because A can properly proceed the authentication and key agreement phase without solving the CMDLP. Therefore, $G_1$ and $G_2$ are distinguishable. Then,

  $$\begin{array}{c}\hfill |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right|\ge \frac{q_h^2}{2\left|Hash\right|}\end{array}$$

  (4)

After finishing all the games ($G_0,G_1,G_2)$, A tries to correctly find the c using $Test$ query. Therefore,

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{P},G_2}^A=\frac{1}{2}\end{array}$$

(5)

We can obtain the following result using the Equations (2), (3) and (5).

$$\begin{array}{ccc}\hfill \frac{1}{2}.Ad{v}_{\mathcal{P}}^A& =& |Pr\left[Suc{c}_0\right]-\frac{1}{2}|\hfill \\ & =& |Pr\left[Suc{c}_1\right]-\frac{1}{2}|\hfill \\ & =& |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|\hfill \end{array}$$

(6)

After that, we can obtain the following result with (4), (5) and (6):

$$\begin{array}{ccc}\hfill |Pr\left[Suc{c}_1\right]-Pr\left[Suc{c}_2\right]|& \ge & \frac{q_h^2}{2\left|Hash\right|}+Ad{v}_{\mathcal{P}}^{CMDLP}\left(t\right)\hfill \end{array}$$

(7)

Then, we obtain the final result by multiplying 2 both sides of (7):

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{P}}^A\ge \frac{q_h^2}{\left|Hash\right|}+2Ad{v}^{CMDLP}\left(t\right)\end{array}$$

(8)

Finally, we can remove the probability $2Ad{v}^{CMDLP}\left(t\right)$ in Equation (8) because we break the session key security without solving the CMDLP. Therefore, we prove that Cao et al.’s scheme does not achieves the session key security using this formal proof.

3.2. Informal Security Analysis

We demonstrate that Cao et al.’s scheme does not resist impersonation attacks and single point of failure, and also does not ensure secure mutual authentication using informal analysis.

3.2.1. UE Impersonation Attack

During UE registration phase, the UE receives SC $=\{I{D}_{U{E}_i}$, $T_{u_i}(K_{{ue}_i}\left|\right|I{D}_{U{E}_j})$ mod p, $u_i\}$ from KGC. According to Section 1.2, Cao et al. present the threat model and analyze security of the proposed scheme using their threat model. However, if a malicious attacker A compromise the UE and extracts the data stored in the UE’s memory, A can successfully generate the access request $\{I{D}_{S{N}_j},T_{x_i}(K_{sn}\left|\right|I{D}_{S{N}_j})$ mod $p,E_1,MA{C}_1$} and the response message $\left\{MA{C}_3\right\}$ because the secret data of the UE’s memory is directly stored without employing any cryptographic method. Further, A can also generate the session key $S{K}_{ij}$. Therefore, their scheme is vulnerable to UE impersonation attacks and a detailed description of the processed involved in this attack is shown in Figure 1.

Figure 1. UE impersonation attack in Cao et al.’s scheme.

3.2.2. MD Impersonation Attack

In the MTC device (MD) registration phase, the MD received SC = $\{I{D}_{M{D}_i},GID,$$T_{m_g}= (K_{{md}_g}\left|\right|GID)$ mod p, $T_{m_i}= (K_{{md}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p} from KGC, where $I{D}_{M{D}_i}$, GID, $T_{m_g}= (K_{{md}_g}\left|\right|GID)$ mod p, $T_{m_i}= (K_{{md}_i}\left|\right|GID\left|\right|I{D}_{M{D}_i})$ mod p are the unique $M{D}_i$’s identity, the group identity GID, the shared secret between $M{D}_i$ and KGC, respectively. When an adversary A obtains the $M{D}_i$ and extracts these secret parameters, A can not only access the serving network but also generate the session key between $M{D}_i$ and $S{N}_j$. Hence, Cao et al.’s scheme does not prevent MD impersonation attack and for a detailed description of the processes involved in this phase, please refer to [9].

3.2.3. Secure Mutual Authentication

According to Section 3.2.1 and Section 3.2.2, an adversary A can easily access the system proposed by Cao et al.’s scheme and authenticate among entities. Additionally, A can generate the session key between UE/SN and MTD devices/SN. Thus, their scheme does not achieve secure mutual authentication.

3.2.4. Single Point of Failure

In Cao et al.’s scheme, the MTC group leader $M{D}_n$ collects the access request of the group member $M{D}_i$ and aggregates it. Afterward, $M{D}_n$ sends the aggregation messages of an access request to serving network $S{N}_j$. However, if $M{D}_n$ node is compromised, off-line or break down, the access request of massive MTC nodes cannot be delivered to $S{N}_j$. It limits the security and the performance of the proposed system. Therefore, Cao et al.’s scheme does not offer resistance against a single point of failure attack because the massive MTC nodes cannot be able to access the service when $M{D}_n$ does not work.

3.2.5. Correctness of Security Assumption

Cao et al. presented a threat model to analyze the security of the scheme, and then claimed that their scheme is secure against various attacks on the presented threat model. However, we demonstrate that Cao et al.’s scheme is vulnerable to the above-mentioned attacks using their threat model and that they did not consider all potential attacks. Thus, we suggest a solution to alleviate the said security flaws in Section 4.

3.3. Simulation Analysis Using AVISPA Tool

This section perform the formal simulation analyis uisng AVISPA tool which is a widely-accepted validation tool for proving security of cryptographic protocols [13,21]. AVISPA verifies that cryptograhpic protocols is secure against replay and man-in-the-middle attacks. It uses a high-level protocols specification language (HLPSL) [22] to construct the security features of the protocols. There are four back-ends models [23]: “constraint logic-based attack searcher (CL-AtSE)”, “on the fly model checker (OFMC)”, “SAT-based model checker (SATMC)”, and “tree automata based on protocol analyzer (TA4SP)”. The constructed HLPSL code is converted to a intermediate format (IF) using a translator “HLPSL2IF”, and then it is utilized for four back-ends to prove security. Finally, the output presents results of security analysis. This process is presented in Figure 2 and the detailed description of HLPLS can be found in [21,22].

Figure 2. The Process of AVISPA Simulation.

3.3.1. HLPLS Specifications

Before the beginning of simulation proof, all the phases of Cao et al.’s scheme are defined through the HLPLS. We then have tested it under two scenarios (UE-SN and MD-SN), considering UE-SN and MD-SN authentication phases.

Scenario 1. UE-SN Authentication: In scenario 1, there are three basic roles (SN, UE, KGC) and the HLPSL descriptions of each role are shown in Figure 3, Figure 4 and Figure 5, respectively. The session and environment are defind in Figure 6.

Figure 3. Scenario 1: HLPSL description of SN role.

Figure 4. Scenario 1: HLPSL description of UE role.

Figure 5. Scenario 1: HLPSL description of KGC role.

Figure 6. Scenario 1: HLPSL description of session and environment.

Scenario 2. MD-SN Authentication: In scenario 2, there are four basic roles (SN, MD${}_i$, MD${}_n$, KGC) and the HLPSL descriptions of each role are shown in Figure 7, Figure 8, Figure 9 and Figure 10, respectively. The session and environment are defined in Figure 11.

Figure 7. Scenario 2: HLPSL description of SN role.

Figure 8. Scenario 2: HLPSL description of MD${}_i$ role.

Figure 9. Scenario 2: HLPSL description of MD${}_n$ role.

Figure 10. Scenario 2: HLPSL description of KGC role.

Figure 11. Scenario 2: HLPSL description of session and environment.

3.3.2. Simulation Results

To demonstrate that Cao et al.’s scheme is not secure against replay and man-in-the-middle attacks, we simulated the OMFC and CL-AtSe using the pre-defined HLPLS of scenario 1 and 2.

Simulation Result of Scenario 1: Under the OFMC back-ends, the search depth is 3 when 3 nodes have been searched in 0.8 s. Under the CL-AtSe, the translation time is 0.05 s and 2 states are analyzed.

Simulation Result of Scenario 2: Under the OFMC back-ends, the search depth is 3 when 3 nodes have been searched in 0.2 s. Under the CL-AtSe, the translation time is 0.02 s and 2 states are analyzed.

Figure 12 and Figure 13 and present the results of OFMC and CL-AtSe back-ends, which presents “UNSAFE”. Therefore, the scenario 1 and 2 are not secure against replay and man-in-the-middle attacks.

Figure 12. Simulation result of Scenario 1.

Figure 13. Simulation result of Scenario 2.

4. Security Fixes

In Cao et al.’s scheme [9], the major security issues is that the secret parameters are stored in a smartcard (SC) or memory of devices without applying any cryptographic method. An adversary can easily extract and obtain the secret parameters using power analysis because of this problem. It makes the scheme vulnerable to a single point of failure, UE impersonation, MD impersonation attacks, inability to achieve secure mutual authentication and to exhibit a wrong threat model. These major security issues are discussed in Section 3.

In the last decades, several authentication and key agreement protocols have been designed to ensure user and data privacy. These protocols store the secret parameters in the memory of devices such as UE, micro-sensor, smartcard, etc., which use it to authenticate and establish the session key between entities. Like other studies, Cao et al. proposed the LSAA scheme using the same approach. However, according to Cao et al.’s threat model, we assume that an adversary can easily compromise the physical IoT devices and extract the sensitive data stored in the memory of the devices. Although Cao et al. realized that an adversary can easily compromise IoT devices, they did not consider these problems in the design of their proposed protocol.

Herein, we suggest the necessary guidelines to mitigate the security weaknesses of the Cao et al.’s scheme.

Fix 1.

In the registration phase of Cao et al.’s scheme, the KGC should not issue the secret parameters as plaintext to prevent stolen device attacks. The UE and MD should store the secret parameters in encrypted form using XOR operation and a hash function.

Fix 2.

The LSAA scheme adopts the two-factor authentication technique using smartcard and secret parameters. However, the LSAA scheme does not verify whether UE and MD are from a legitimate entity that has the same security as the one-factor authentication scheme. Thus, the UE and MD need to ensure that the user is a legitimate user using a password or biometrics to improve the security level. We suggest the three-factor authentication with biometrics using a fuzzy extractor [24]

Fix 3.

In the Cao et al.’s scheme, the KGC selects only one MTC group leader per group and this leads to a single point of failure attack. The KGC recodes the group leader list and related parameters in a blockchain to ensure that all members can freely access the leader of other groups. This prevents the issue of a single point of failure attack because the group members can freely access other group leaders when there is a problem with its group leader.

In these suggested solutions, the UE, and MD impersonation attacks can be mitigated and we do not assert that our suggested solutions are perfect against the above-mentioned security issues. However, it will definitely improve the security of the system and increase the attack complexity for an adversary.

Cao et al. did well by designing a novel group access authentication scheme in 5G networks. However, they would have looked at their scheme from various angles. Bringing improvements in a field of study is a difference in the individual approaches of researchers. Surely, this paper will bring about awareness of the need to design a secure and efficient authentication scheme for IoT environments.

5. Conclusions

This paper refers to “LSAA: A lightweight and secure access authentication scheme for both UE and mMTC devices in 5G networks”. We demonstrated that Cao et al.’s scheme is vulnerable to single point of failure and impersonation attacks, does not provide secure mutual authentication, and does not meet the security requirement of their proposed threat model. Moreover, we prove that their scheme does not achieve the session key security using formal (mathematics) analysis, and perform the simulation test using AVISPA tool to demonstrate their security weakneeses. The above-mentioned security flaws make Cao et al. scheme inappropriate and impractical to utilize. Thus, we suggested ways of improving the security level which can lead to a more secure and efficient scheme for 5G based IoT environments.