Journals & Magazines >IEEE Access >Volume: 7

Hash-Based Conditional Privacy Preserving Authentication and Key Exchange Protocol Suitable for Industrial Internet of Things

The proposed system comprises of a gateway node, set of users and sensor nodes. A unique session key is established between a user's device and the intended sensor node. ...

Abstract:

Wireless sensor networks (WSN) are integral part of Industrial Internet of Things (IIOT), the said networks comprise of elements possessing low power processors. WSNs are...Show More

Metadata

Abstract:

Wireless sensor networks (WSN) are integral part of Industrial Internet of Things (IIOT), the said networks comprise of elements possessing low power processors. WSNs are used for gathering data in the monitoring region, using which vital information about the sensor and the monitoring region can be attained (placement of the sensor node is critical). Moreover, due to open nature of communication channel and resource constrained environment of nodes the privacy, integrity and confidentiality of the data becomes a big issue as we need to ensure that the said data is only accessed by a valid user in the IIOT environment. Many schemes presented various means to overcome the above issue. However, the existing works do have certain vulnerabilities which make its application in the WSNs constrained. The proposed work presents a scheme for achieving above goals in IIOT environment. Moreover, the proposed scheme presents security vulnerabilities and weaknesses in existing schemes and attempts to overcome these issues; the proposed work provides cryptanalysis of Xiong et al. scheme which is based on ECC, the direct consequence of the cryptanalysis directs to design a solution which can overcome the issues. The proposed work provides a robust hash based conditional privacy preserving authentication and probabilistic key exchange protocol which is lightweight and as a result, puts less computation overheads on the entities involved in the region. The proposed work is secure against many known attacks due to difficulty in guessing the credentials. The main motivation is to develop a lightweight scheme which can help exchange information with efficacy. The security of the proposed work is provided using both formal and informal security analysis where formal analysis comprises of AVISPA and Real-or-Random oracle model simulations whereas informal analysis depicts proofs as of how the proposed work withstands many known attacks. Thus, the proposed work is secure against many mali...

The proposed system comprises of a gateway node, set of users and sensor nodes. A unique session key is established between a user's device and the intended sensor node. ...

Published in: IEEE Access ( Volume: 7)

Page(s): 136073 - 136093

Date of Publication: 16 September 2019

Electronic ISSN: 2169-3536

DOI: 10.1109/ACCESS.2019.2941701

Contents

CCBY - IEEE is not the copyright holder of this material. Please follow the instructions via https://creativecommons.org/licenses/by/4.0/ to obtain full-text articles and stipulations in the API documentation.

SECTION I.

Introduction

The rapid growth of micro-electromechanical system and Wireless Sensor Networks (WSNs) is due to heavy application of them in our everyday life in resource constrained and hostile environments (for instance places where wired networks cannot be deployed, such as forests) supporting real-time application in healthcare, military surveillance, wildlife monitoring, intelligent transportation, vehicular tracking and environment control to name few. Thus, the WSNs are integral part of our daily lives [13], [32]. The wireless sensors possess limited communication and computation resources, thus it is vital to ensure that these operations do not result in heavy consumption of sensor’s power resources. The above is because the external users are in interest to access real-time information from the nodes. A WSN is formed with the help of a gateway node and other sensor nodes where each specific sensor node collects a data from a region, and then the attained data is forwarded to the gateway node over the communication channel where the gateway node is presumed to be possessing high computational abilities as to meet the demands. The issue in WSN is to identify the authentic user and grant access to the data, which becomes a key challenge in IIOT environments.

Moreover, protecting the data from malicious access, modifications and eavesdropping is also necessary. To meet the above requirements, it is essential that the user gets authenticated first. The general approach used is that user, gateway and the sensor node get authenticated adhered to which a secure session key will be enabled such that the user and the sensor node can exchange data. To proceed with this, the user sends the authentication message to the gateway adhered to which the gateway initiates the communication with the said sensor which collects the information desired by the user. Now, the gateway receives the information from the sensor node which is then provided to the user. In the real-time access of data sensor, data is collected using a mobile device owned by a valid user. Figure 1 depicts the real-time flow of data between WSNs [1]–[3], [5], [6]. Although the WSN networks are efficient and environment friendly, there exists many security issues in the said network. Privacy and security are major concerns in a WSN networks [1]–[12]. The security requirements for the proposed work were motivated from [1]–[12], [14], [24]–[28], [48]. The following are the security requirements which are essential to ensure security (also a safe exchange environemnt) of the WSN based schemes.

Known Session Specific Temporary Information Attack: The knowledge of temporary session information such as random number or timestamp or any other data should not be sufficient for an adversary to derive the exchanged session key or any other sensitive data (such as pseudonym).
Computational DOS Attack: The execution of the overall process should occupy less computation and communication overheads while ensuring high grade security.
Perfect Forward Secrecy: Every session key must be unique and session key derived from a set of long-term keys of gateway node $GW$ , user $U$ and sensor node $SN$ cannot be compromised if one of the long-term keys (of either gateway node, user or the sensor node) is compromised in the future.
Replay Attack: The gateway node $GW$ , sensor node $SN$ and user $U$ should have the capability to detect the freshness of the message and reject the message which are not fresh. In this attack an adversary tries to impersonate the either of given entity by sending the previous message or replaying the legitimate message from one of the previous sessions in this session.
Impersonation Attack: The adversary should not be able to successfully impersonate the gateway node $GW$ , sensor node $SN$ and user $U$ , in this attack the adversary tries to masquerade the gateway node $GW$ , sensor node $SN$ and user by modifying the authentication message sent by them, this is a serious issue in WSN environment if this is not prevented then the adversary can gain unauthorized access to the network (by impersonating user) or provide falsified data (if gateway node or sensor node impersonation is successful).
De-synchronization Attack: In this attack the pseudonym stored at the gateway node $GW$ and the sensor node $SN$ memory would not be the same, because of an adversary blocks the communication between the parties.
Suppress Replay Attack: The said attack exist due to different clock drift rates (the clocks counting time at different rates) of user’s mobile $U$ , gateway node $GW$ and sensor node $SN$ . The following attack is not noticeable by just checking the freshness of the messages, due to the lag between the clocks (thus the clock synchronization issue exists), it is possible that an adversary replays the message which is treated as fresh by $GW$ or $U$ or $SN$ . The said attack must be detected and eliminated, failure to do so will result in impersonation of the entity.
Identity Compromise Impersonation Attack: In this attack if the identity of either gateway node $GW$ , user $U$ and sensor node $SN$ is compromised or exposed, the knowledge of this should not help an adversary exceed it’s a-priori knowledge to cause disruptions in the system such as impersonation, modification, replay, attaining session key, etc.
Man-in-the-Middle Attack: The active adversary observing the messages in the network should not be able to attain any vital information from traffic analysis or perform malicious attacks.
Un-linkability: In the said attack the adversary should not be able to link two authentication messages coming from the same user $U$ .
Key-offset Attack: In this attack an active adversary can off-set the agreed session key by a value $\sigma $ , which is unknown to both $U$ and $GW$ .
Resist Stolen Device/ Smart Card Attack: In this attack, it is assumed that an adversary is able to corrupt the given device and attain the stored credentials on them, thus the knowledge of attained credentials should not be enough for an adversary to attain useful information to impersonate a valid user $U$ .
Known Key Attack: If a session key of a given session is compromised then, it should be infeasible for an adversary to attain the session key of next session. Thus, an authentication and key exchange protocol must be designed such that it can withstand this attack.

The main contribution of the paper can be delineated as follows.

A novel lightweight conditional privacy preserving authentication and key agreement protocol scheme, where the entities make use of hidden and dynamic modulus as to enhance security. The proposed work is such that exposure of all current session based group key agreement information will not be sufficient to derive future information of modulus or the session key.
A novel scheme where the authentication process is expedited, here the suppress relay is detected. The proposed work makes use of only hash, xor based functions and a sequence number as to expedite the authentication process.
Secure and dynamic probabilistic session key establishment protocol, where the entities make use of dynamic session modulus, thus every entity generates its unique session specific modulus using which they converges on the common session key.
Using pseudonyms of different sensor nodes to communicate, the following is used as to prevent exposure of identity of sensor node. Thus providing anonymity of the sensor node during communication.
Cryptanalyzing Xiong et al. scheme [6] and overcoming the vulnerabilities and weaknesses described in the review (of Xiong et al. scheme) and the related works section (of different schemes).

The section below depicts the related works and several weaknesses the related works possess.

FIGURE 1.

Real-time data flow in WSNs.

Show All

SECTION II.

Related Works

In the recent years, many user authentication protocols have been proposed for WSNs. The schemes can be broadly classified into three categories, scheme deploying symmetric encryption, schemes deploying hash based approaches and scheme depending on public key approaches. Wong et al. [10] proposed a hash based user authentication which motivated towards a lightweight, less complex scheme. The said scheme resulted in fast authentication and met many security properties but the said work is vulnerable to replay attack, forgery attack and stolen-verifier attack, thus making it vulnerable to real-time application in WSNs. Das [11] proposed a two factor authentication scheme using a password authenticated smart cards, although the scheme deployed two factor authentication, but the scheme was vulnerable to mutual authentication, user anonymity, offline password guessing, gateway bypassing and masquerade attack. Gope and Hwang [5] presented a hash based authentication scheme for WSN, the proposed work presented a means via which two entities can agree on a session key using hash functions only, the proposed work promises a practical application in WSNs but the said work is vulnerable to untraceablity, de-synchronization, stolen device attack [6], KSSTI attack (as session key is dependent on the temporary information) and fails to provide sensor anonymity (as sensor identity is exposed), thus making the scheme vulnerable in IIOT environment. However, the proposed work highlighted vulnerabilities in [35]–[37] which motivates to design system overcoming these issues. Shi and Gong [12] proposed an ECC based authentication protocol but Choi et al. [1] depicted that the previous work is vulnerable as it suffered from key share attack and stolen smart card attack. Although Choi et al scheme claims to be secure, but it suffers from many attacks such as absence of user anonymity, untraceability, clock synchronization [6], KSSTI attack (as session key is based on it), cannot withstand sensor node corruption (as user associated credentials will get exposed), suppress replay attack (due to clock synchronization issue) and fails to provide sensor node anonymity as its identity is known to the user in advance, thus making it vulnerable to real-time application in IIOT. Nam et al. [2] presented a authentication protocol depending on ECC which presented a provably secure scheme but the said work is vulnerable as it lacks password change phase, wrong password detection [6], KSSTI attack (as session key is dependent on temporary information), suppress replay attack (due to clock synchronization issue) and fails to provide sensor node anonymity (identity of the sensor node is known), thus making the proposed work vulnerable in IIOT environment. Jiang et al. [3] scheme presents a two factor ECC based authentication two factor authentication scheme for high security but the proposed work is vulnerable as it fails to provide perfect forward secrecy, password change phase [6], KSSTI attack (as session key is dependent on it), suppress replay attack (due to clock synchronization issue), and withstand sensor node corruption (as its corruption can expose user associated credentials), thus making the scheme vulnerable in IIOT environment. Paliwal et al. [4] presented a group key agreement scheme using modular exponentiation, the proposed work is secure against DOS attack but the said work is vulnerable to replay attacks (absence of timestamp or random number), identity of all entities must be known in order to initiate a communication, thus loss of anonymity exists and cannot withstand impersonation thus the proposed work is vulnerable in IIOT environment, the same holds for [29] as it is vulnerable to suppress replay attack, fails to preserve identity of the entities and is vulnerable to KSSTI attack. Recently, Li et al. [6] presented a authentication and group key agreement scheme depending on ECC approach suitable for WSN and IIOT application, the proposed work is vulnerable to many attacks such as DOS Attack, KSSTI attack, impersonation attack (user, sensor node and gateway) and key-offset attack, the vulnerabilities are discussed in next section. The proposed work aims to provide an authentication and key-agreement protocol based on hash functions, the proposed work aims to overcome vulnerabilities of existing schemes such that it can be easily deployed in resource constrained environments. The security proofs, assumptions and practices are followed from [5], [21], [38]–[40] as these are hash based schemes, similar to proposed work.

SECTION III.

Review of Xiong $et ~al$ . Scheme

In this section a briefly review of Xiong et al.’s authentication and key agreement scheme for WSNs in IIOT [6] is presented. The proposed work of Xiong et al. has three phases: Registration Phase, Authentication and Key-Agreement Phase and Password Change Phase. The focus is given on first two phases.

A. Registration Phase

All registrations take place over a secure channel, here both the sensor and user registration takes place. The initial section depicts the registration of the sensor and the later depicts the registration of the user.

1) Sensor Node Registration

For every sensor node $SN$ the gateway node $GW$ appoints a unique identity $SN_{id} $ and calculates a long term secret key $K_{gs} =h(SN_{id} \vert \vert \omega)$ . Once these credentials are generated, the $GW$ stores these credentials in the database and in the $SN$ . The above completes the sensor node $SN$ registration.

2) User Registration

In this phase the user is successfully registered with the gateway node $GW$ so that it can get authenticated and attain secure connection with the sensor node. The following are the steps involved in this phase.

Step 1:
$U$ freely selects an identity $ID_{U} $ and a password $PW_{U}$ adhered to which it extracts biometric information in the device with fuzzy extractor $Gen(BIO_{U})=(R_{U}, P_{U})$ and $U$ generates a random number $r_{U} $ which is used to calculate $HPW_{U} =h(PW_{U} \vert \vert r_{U})$ . Now, the $U$ submits request $(ID_{U}, HPW_{U}, R_{U})$ to $GW$ over a secure channel.
Step 2:
When the $GW$ receives the said credentials it checks for identity in the database, here if the identity exists then the said request is rejected thus the user must generate new credentials. If the said identity is not existing the $GW$ computes $B_{1} =h(ID_{U} \vert \vert HPW_{U} \vert \vert R_{U})$ , $B_{2} =h(ID_{U} \vert \vert \omega)$ and $B_{3} =h(HPW_{U} \vert \vert R_{U})\oplus B_{2} $ . Now, the $GW$ sends the credentials $(B_{1},B_{3}, X)$ to $U$ over a secure channel.
Step 3:
$U$ stores $(P_{U}, r_{U}, B_{1}, B_{3},X,Gen(.),Rep(.))$ into the mobile device.

B. Authentication and Key-Agreement Phase

To gain access to the sensor data of the sensor node $SN$ with the $SN_{ID}$ , the following steps are involved.

Step 1:
$U\to GW:M_{1} =\{DID_{U}, D_{1}, D_{3}, D_{4} \}$
$U$ on the mobile device provides its authentication credentials $ID_{U}, PW_{U}, BIO_{U}^{\prime } $ . Once the above credentials are provided, the mobile device computes $R_{U} =Rep(BIO_{U}^{\prime }, P_{U})$ , $B_{1}^{\prime } =h(ID_{U} \vert \vert h(PW_{U} \vert \vert r_{U})\vert \vert R_{U})$ and checks if $B_{1}^{\ast } \mathop{=}\limits^{?} B_{1} $ holds. If it does then the mobile device of $U$ generates a random number $a\in Z_{n}^{\ast } $ and computes $B_{2} =B_{3} \oplus h(h(PW_{U} \vert \vert r_{U})\vert \vert R_{U})$ , $D_{1} =aP$ , $D_{2} =aX$ , $DID_{U} =ID_{U} \oplus h(D_{2})$ , $D_{3} =SN_{id} \oplus B_{2} \oplus h(D_{2})$ and $D_{4} = h(B_{2} \vert \vert D_{2} \vert \vert SN_{id})$ . Now, the mobile device sends the message $M_{1} $ to the gateway node for authentication.
Step 2:
$GW\to SN:M_{2} =\{D_{1}, D_{6}, D_{7} \}$
$GW$ computes $D_{2}^{\prime } =xD_{1} $ , $ID_{U}^{\prime } =DID_{U} \oplus h(D_{2}^{\prime })$ and checks if identity is valid. If the identity is valid then the $GW$ computes $B_{2}^{\prime } =h(ID_{U}^{\prime } \vert \vert \omega)$ , $SN_{id}^{\prime } =D_{3} \oplus B_{2}^{\prime } \oplus h(D_{2}^{\prime })$ , $D_{4}^{\prime } =h(B_{2}^{\prime } \vert \vert D_{2}^{\prime } \vert \vert SN_{id}^{\prime })$ and checks if $D_{4}^{\ast } \mathop{=}\limits^{?} D_{4} $ holds. If the above does then the $GW$ computes $D_{5} =h(SN_{id}^{\prime } \vert \vert \omega)$ , $D_{6} =D_{5} \oplus r_{G} $ and $D_{7} =h(D_{1} \vert \vert r_{G} \vert \vert D_{5} \vert \vert SN_{id}^{\prime })$ where $r_{G} $ is a random number generated by the $GW$ . Now, the $GW$ sends the message $M_{2}$ to the sensor node $SN$ .
Step 3:
$SN\to GW:M_{3} =\{D_{8}, D_{9}, D_{10} \}$
$SN$ computes $r_{G}^{\prime } =K_{gs} \oplus D_{6} $ , $D_{7}^{\prime } =h(D_{1} \vert \vert r_{G}^{\prime } \vert \vert K_{gs} \vert \vert SN_{id})$ and checks if $D_{7}^{\ast } \mathop{=}\limits^{?} D_{7} $ holds. If the above condition holds then the $SN$ computes $D_{8} =bP$ , $SK=h(D_{1} \vert \vert D_{8} \vert \vert bD_{1})$ , $D_{9} =h(K_{gs} \vert \vert D_{8} \vert \vert r_{G}^{\prime } \vert \vert SN_{id})$ and $D_{10} =h(SN_{id} \vert \vert SK)$ where $b\in Z_{n}^{\ast }$ . Now, the $SN$ sends the message $M_{3} $ to the sensor node $GW$ .
Step 4:
$GW\to U:M_{4} =\{D_{8}, D_{10}, D_{11} \}$
$GW$ computes ($D_{9} =h(D_{5} \vert \vert D_{8} \vert \vert r_{G} \vert \vert SN_{id}^{\prime })$ ) and checks if $D_{9}^{\ast } \mathop{=}\limits^{?} D_{9}$ holds. If the above holds, the $GW$ computes $D_{11} =h(ID_{U}^{\prime } \vert \vert D_{1} \vert \vert D_{8} \vert \vert B_{2}^{\prime })$ and sends the message $M_{4}$ to the mobile device of the user.
Step 5:
The mobile device computes
$(D_{11} =h(ID_{U}^{\prime } \vert \vert D_{1} \vert \vert D_{8} \vert \vert B_{2}^{\prime }))$ and checks if $D_{11}^{\ast } \mathop{=}\limits^{?} D_{11} $ holds. If, the above holds then the mobile device computes the session key $SK^{\prime }=h(D_{1} \vert \vert D_{8} \vert \vert aD_{8})$ , $D_{10}^{\prime } =h(SN_{id} \vert \vert SK^{\prime })$ and checks $(D_{10} =h(SN_{id} \vert \vert SK))$ if $D_{10}^{\ast } \mathop{=}\limits^{?} D_{10} $ holds. If it does then the session key is accepted.

SECTION IV.

Security Weakness and Design Flaws in Xiong $et~al$ . Scheme

In this section various security vulnerabilities in the Xiong et al. scheme is presented. These attacks prove that the said scheme is vulnerable. Before proceeding with the attack, several security assumptions are made, using [1]–[14], [20], [21], [23]–[27]. Following are the assumptions.

Definition 1:

All the system messages (except registration) are transmitted via an unreliable channel; thus, an adversary can delete, modify, append, intercept or replay any message. However, an adversary is not able to attain any information which is taking place via secure channel.

Definition 2:

The length of the long term key and the random number is so long that the adversary is not able to guess the long term key or any random number used in the system.

Definition 3:

The adversary can corrupt any honest entity and attain the pre-shared secret information used by the entity or by the group of entities. Moreover, the adversary can be a valid registered entity in the system, thus can attain all shared information in advance.

Definition 4:

The adversary has unbounded storage space which helps the adversary store several messages.

Definition 5:

The adversary has access to all sensor identities in the said system.

A. DOS Attack

The attack focuses on making the resources of the system unavailable temporarily or permanently to the hosts connected over a network. In the Xiong et al. scheme the said system is vulnerable to Gateway Node DOS attack and Sensor Node DOS attack [5], [31].

1) Gateway Node DOS Attack

The Xiong et al. scheme is vulnerable to Gateway DOS attack; the following are the steps an active adversary can make to perform the said attack.

Step 1:
The adversary can capture the authentication message $M_{1}$ from different users $U$ and prevent these messages to reach the destination at distinctive time intervals. The adversary proceeds by bundles all of these messages together.
Step 2:
Once sufficient number of messages are bundled, the adversary now sends these messages ($M_{1}$ from different users) to the gateway node $GW$ and $GW$ will accept these messages as fresh due to fresh random number.
Step 3:
The gateway node $GW$ proceeds further by authenticating these messages which will hold as valid, as these were valid authentication messages (as stated in [44] that server must check recently received nonce from client to check that they are not replayed. And in the above case, the message has never reached the gateway node before, thus the above messages will be accepted as fresh).
Step 4:
The gateway node $GW$ will now generate authentication message which will be directed to the sensor node, thus as a result, the $GW$ will have to generate multiple authentication message based on the message $M_{1}$ it has attained. Thus, as a result DOS will take place due to excessive requests which needs to be processed.

Thus, processing these bundled requests can result in slower processing of valid requests by $GW$ and if the requests are high then it can result in DOS attack.

2) Sensor Node DOS Attack

The Xiong et al. scheme is vulnerable to Sensor Node DOS attack; the following are the steps an active adversary can make to perform the said attack.

Step 1:
The adversary can capture the authentication message $M_{2} $ from different Gateway node $GW$ and prevent these messages to reach the destination at distinctive time intervals. Now, the adversary bundles all of these messages together.
Step 2:
Once all the messages are bundled, the adversary now sends these messages ($M_{2}$ for different sensors) to the sensor node $SN$ with a specific sensor identity $SN_{id} $ and sensor node $SN$ will accept these messages as fresh due to fresh random number.
Step 3:
The sensor node $SN$ proceeds further by authenticating these messages which will hold for some and $SN$ will reject other as invalid. The above is because only few were valid authentication messages and now the $SN$ proceed by generating the session key for valid requests.
Step 4:
The sensor node $SN$ will repeat the above process for all the requests, and since the nonce on all will be fresh, the sensor node will accept it and perform above steps for all such requests.

In above case if very high numbers of messages are bundled then there is a good probability that the sent message is indeed intended for the sensor node $SN_{j} $ . In either case since the sensor nodes are of low computation power, the node will fail if there is relatively high number of valid requests to process. Thus, the above attack is more disrupting as using this an active adversary can disrupt the entire system as the adversary can fail the nodes in the system (by forwarding bundled messages to a particular node or all of the node). It is because the request needs to be processed by the sensor node, a session key is to be computed, an authentication message is to be generated, and if such requests are high then the sensor node will eventual become vulnerable to DOS attack.

B. Identity Compromise Impersonation Attack

It is possible that an adversary may attain knowledge of identity of the user via some wicked means (such as Dumpster Diving, social engineering, pretext, vishing, phishing or other means) [22]. These attacks are done using the $LowCorrupt_{SN} ()/LowCorrupt_{U} ()$ query (depicted in formal verification analysis in security analysis section). The above can help an active adversary perform user impersonation and key-offset attack.

1) Attaining Secret Parameters (When Identity is Exposed) and Performing User Impersonation Attack

In the proposed Xiong et al. scheme if user identity is attained by some wicked means then the adversary can impersonate the valid user $U$ . The following are the steps the adversary can use to attain the user credentials and perform impersonation.

Step 1:
The adversary captures a valid authentication message $M_{1} =\{DID_{U}, D_{1}, D_{3}, D_{4} \}$ , fetches $DID_{U} $ and computes $DID_{U} \oplus ID_{U} =h(D_{2})$ . Once the value of $h(D_{2})$ is attained then the adversary fetches $D_{3} $ and computes$D_{3} \oplus SN_{ID} \oplus h(D_{2})=B_{2} $ (as assumed previously that an adversary can attain information about the sensor node identities). It can be inferred that the value of $B_{2} $ is not verified; the adversary needs to generate multiple authentication messages based on $SN_{id} $ information, and then once the message is authenticated by the gateway node. The adversary accepts the derived information as valid.
Step 2:
To validate the attained credentials the adversary generates a random number $u$ and using the published parameters $\{E,G,n,P,X\}$ computes $D_{1} =uP$ , $D_{2} =uX$ , $DID_{U} =ID_{U} \oplus h(D_{2})$ , $D_{3} =SN_{id} \oplus B_{2} \oplus h(D_{2})$ , $D_{4} =h(B_{2} \vert \vert h(D_{2})\vert \vert SN_{id})$ . The above process will be repeated till a request is accepted as valid (by the gateway node).

The above is feasible as in the system there are only limited sensor identities; the adversary can brute force the identities of $SN_{id} $ and based on it attain finite combinations of $B_{2} $ .

Further the adversary can impersonate the valid user $U$ at any given time from this point further (as valid $B_{2} $ credential is attained). Thus, the proposed work of Xiong et al. is vulnerable to identity compromise attack. Moreover, using this the adversary can also attain access to many resources concurrently, for which the adversary in step 2 replaces identity of the given sensor node $SN$ with other sensor node identities and then forward the messages to the gateway node $GW$ which will accept all requests as valid and inevitably the user will attain the session key for accessing all the sensor nodes.

2) Key-Offset Attack

The previous knowledge can help perform key-offset attack [30]. The following are the steps the active adversary can take to proceed with a key-offset attack.

Step 1:
The adversary as before attains the values of $B_{2}$ , $SN_{id} $ adhered to this the adversary captures the authentication message $M_{4} =\{D_{8}, D_{10}, D_{11} \}$ (Initially computes $DID_{U} \oplus ID_{U} =h(D_{2})$ ).
Step 2:
Once the said credentials are captured then the adversary generates a random number $k$ and computes $D_{8}^{Malicious} =kP$ , $SK=h(D_{1} \vert \vert D_{8}^{Malicious} \vert \vert kD_{1})$ , $D_{10}^{Malicious} =h(SN_{id} \vert \vert SK)$ (computes $SN_{ID} =D_{3} \oplus B_{2} \oplus h(D_{2})$ and checks if the sensor identity exists in the system. If a valid credentials are attained then the given session corresponds to the user whose credentials are known, else the adversary picks a different session) and $D_{11}^{Malicious} =h(ID_{U}^{\prime } \vert \vert D_{1} \vert \vert D_{8}^{Malicious} \vert \vert B_{2}^{\prime })$ . The adversary now sends the message $M_{4}^{Malicious} =\{D_{8}^{Malicious},D_{10}^{Malicious}, D_{11}^{Malicious} \}$ to the mobile device of the user.
Step 3:
The mobile device now computes and checks if $D_{11}^{\ast } \mathop{=}\limits^{?} D_{11} $ holds. Now, the mobile device computes the session key $SK^{\prime }=h(D_{1} \vert \vert D_{8}^{Malicious} \vert \vert aD_{8}^{Malicious})$ and checks if $D_{10}^{\ast } \mathop{=}\limits^{?} D_{10} $ holds. Thus, at this point the session key is offset because of $k$ .

C. Known Session Specific Temporary Information Attack (KSSTI Attack)

The said attack makes the scheme highly vulnerable; the consequence of this attack produces vulnerabilities such as impersonation (user, gateway node and sensor node) attaining the session key and Modification attack [23], [30]. In this attack only session specific information such as nonce, timestamp, etc. are exposed, whereas the long term secrets are kept still unknown to the adversary.

1) User Impersonation

If the adversary is able to attain the session specific information ‘$a$ ’ then the said adversary can impersonate the user $U$ . The following are the steps involved.

Step 1:
The adversary fetches the message $M_{1} =\{DID_{U},D_{1}, D_{3}, D_{4} \}$ and computes $D_{2} =aX$ (where the public parameters are $\{E,G,n,P,X\}$ ). Once the user attains the said credentials, the adversary computes $DID_{U} \oplus h(D_{2})=ID_{U}$ , $D_{3} \oplus SN_{ID} \oplus h(D_{2})= B_{2} $ adhered to which the adversary fetches the sensor identity from set of identities to attain the value of $B_{2}^{\ast } $ and checks if $D_{4}^{\ast } \mathop{=}\limits^{?} D_{4} $ holds. If, the above condition holds then the adversary can be certain that the sensor identity $SN_{id} $ is valid.
Step 2:
The adversary to gain access to any particular sensor node can generate authentication messages from this point as the value of $\{ID_{U}, B_{2}, SN_{id} \}$ is known to the adversary. Thus, the adversary for any sensor node $SN$ can generate authentication message $M_{1} =\{DID_{U}, D_{1}, D_{3}, D_{4} \}$ .

2) Gateway Node Impersonation and Sensor DOS Attack

If the adversary is able to attain the session specific information ‘$r_{G}$ ’ then the said adversary can impersonate the gateway node $GW$ . The following are the steps involved.

Step 1:
The adversary fetches the message $M_{2} =\{D_{1}, D_{6},D_{7} \}$ and computes $D_{6} \oplus r_{G} =D_{5} $ to attain the long term key $K_{gs} $ . Now, to attain the correct identity of the destination sensor node $SN$ , the adversary fetches the sensor identities and checks if $D_{7}^{\ast } \mathop{=}\limits^{?} D_{7}$ holds. If the said condition fails, then the adversary fetches another identity till the condition is met.
Step 2:
Once the long term key is attained then the adversary can impersonate the gateway node for this the adversary generates $M_{2}^{Malicious} =\{D_{1}, D_{6}^{Malicious}, D_{7}^{Malicious} \}$ where $D_{6}^{Malicious} =_{}D_{5} \oplus r_{G}^{Malicious}$ and $D_{7}^{Malicious} =h(D_{1} \vert \vert r_{G}^{Malicious} \vert \vert D_{5} \vert \vert {SN_{id}}^{\prime })$ . Once the above credentials are generated then the adversary can send the message to sensor node $SN$ .

From this point onwards, the adversary can impersonate as a gateway for the sensor node

$SN$

whose identity is

$SN_{id} $

. Moreover, since the adversary is in possession of long term key

$K_{gs} $

and sensor identity

$SN_{id}$

the adversary can perform denial of service attack. Following are the steps.

Step 1:
The adversary generates multiple $M_{2}^{Malicious} =\{D_{1}^{Malicious}, D_{6}^{Malicious}, D_{7}^{Malicious} \}$ messages Where $D_{1}^{Malicious} =AP$ (here $A$ is a random number), $D_{6}^{Malicious} =D_{5} \oplus B$ (here $B$ is a random number) and $D_{7}^{Malicious} =h(D_{1} \vert \vert B\vert \vert D_{5} \vert \vert SN_{id}^{\prime })$ . Once the message is generated it is sent to the said sensor node for validation.
Step 2:
The sensor node verifies the attained credentials of message $M_{2}^{Malicious} $ as before, and generates the authentication message $M_{3} $ and since the number of requests will be high, it will ultimately result in DOS attack.

3) Sensor Node Impersonation and Key-Offset Attack

If the adversary is able to attain the session specific information ‘$r_{G} $ ’ then the said adversary can impersonate the sensor node $SN$ . The following are the steps involved.

Step 1:
The step is similar to that of gateway node impersonation, the adversary attains the credentials similar to the step1 (as depicted in gateway node impersonation) adhered to which the adversary produces fraudulent message $M_{3}^{Malicious} =\{D_{8}^{Malicious}, D_{9}^{Malicious}, D_{\vphantom {D_{j}}10}^{Malicious} \}$ and sends it to the gateway node $GW$ where $D_{8}^{Malicious} =CP, SK=h(D_{1} \vert \vert D_{8}^{Malicious} \vert \vert CD_{1})$ (here $C$ is a random number), $D_{9}^{Malicious} =h(K_{gs} \vert \vert D_{8}^{Malicious} \vert \vert r_{G}^{\prime } \vert \vert SN_{id})$ and $D_{10}^{Malicious} =h(SN_{id}\vert \vert SK)$ .
Step 2:
The gateway node $GW$ validates the message by checking if $D_{9}^{\ast } \mathop{=}\limits^{?} D_{9}^{Malicious} $ holds, if it doesn’t then the request is rejected; if it does then the $GW$ generates the authentication message $M_{4} =\{D_{8}^{Malicious}, D_{10}^{Malicious}, D_{11} \}$ and sends it to the user $U$ where $D_{11} =h(ID_{U} ^{\prime }\vert \vert D_{1} \vert \vert D_{8} \vert \vert B_{2}^{\prime })$ .
Step 3:
The mobile device of user $U$ checks if $D_{11}^{\ast } \mathop{=}\limits^{?} D_{11} $ holds, if it does then it computes $SK=h(D_{1} \vert \vert D_{8} \vert \vert aD_{8})$ and checks if $D_{10}^{\ast } \mathop{=}\limits^{?} D_{10} $ holds and now the session key has been established between the adversary and the mobile device of the user.

The same approach can be used to perform key-offset attack as the knowledge of all sensor node credentials is exposed. The following are the steps an adversary will take to perform key-offset attack.

Step 1:
The adversary captures the message $M_{2} =\{D_{1},D_{6}, D_{7} \}$ and stores the value $D_{1}$ and derives the value of $r_{G}^{\prime } =D_{6} \oplus K_{gs} $ . Whereas, the adversary captures the authentication message $M_{3} =\{D_{8},D_{9}, D_{10} \}$ and deletes it from the network.
Step 2:
Once the said credentials are discarded then the adversary generates a random number $k$ and computes $D_{8}^{Malicious} =kP$ , $SK=h(D_{1} \vert \vert D_{8}^{Malicious} \vert \vert kD_{1})$ , $D_{9}^{Malicious} =h(K_{gs} \vert \vert D_{8}^{Malicious} \vert \vert r_{G}^{\prime } \vert \vert SN_{id})$ and $D_{10}^{Malicious} =h(SN_{id} \vert \vert SK)$ . The adversary now sends the message $M_{3}^{Malicious} =\{D_{8}^{Malicious}, D_{9}^{Malicious},D_{10}^{Malicious} \}$ to the gateway node.
Step 3:
The gateway node validates the credentials by checking if $D_{9}^{\ast } \mathop{=}\limits^{?} D_{9}^{Malicious} $ holds and then the scheme proceeds as before. Thus, the session key has been offset by $k$ without any detection.

4) Attaining the Session Key

Here, if the adversary is given access to either of the ephemeral ‘$a$ ’ or ‘$b$ ’ then the said adversary will be able to attain the session key as the resultant session key is $SK=h(D_{1} \vert \vert D_{8} \vert \vert aD_{8})$ , $SK=h(D_{1} \vert \vert D_{8} \vert \vert bD_{1})$ (as $aD_{8} =abP=bD_{1} =baP $ ) where $D_{1} $ , $D_{8} $ are exchanged using the messages $M_{1}, M_{3} $ respectively. Thus, the knowledge of session specific temporary information can help converge on the session key.

SECTION V.

Proposed Scheme

In the proposed scheme there are three phases: Registration Phase, Authentication and Key-Agreement Phase and Password Change Phase.

A. Registration Phase

In this phase both the sensor node and the user is registered so that secure communication can take place in the system.

1) Sensor Node Registration

In this phase sensor node $SN$ is registered, for which the gateway node $GW$ generates a unique identity $SN_{id} $ , a sequence number $Seq_{SN} $ , a unique public identifier $PublicIdentifier_{SN} $ and a long term key $K_{gs} =h(SN_{id} \vert \vert Nonce_{GWR} \vert \vert Timestamp_{GW}^{Reg} \vert \vert K)$ where $Nonce_{GWR} $ is the random number, $Timestamp_{GW}^{Reg} $ is the time at which the key is generated and the $K$ is the long term key of gateway $GW$ . Now, the said credentials are forwarded to the sensor node $SN$ over the secure channel and stored by gateway node. Here, if any other sensor node is to be added to the network then the same process is repeated.

2) User Registration

In this phase the user $U$ is registered, for which following are the steps involved.

Step 1:
The user $U$ selects a unique identity $ID_{U} $ , a password $Pwd$ , a random number $Nonce_{U} $ and the current timestamp $Timestamp_{U} $ . Now, the $U$ computes $PublicIdentifier_{U} =h(ID_{U} \oplus Timestamp_{U} \oplus Nonce_{U})$ , $HPwd=h(Pwd\vert \vert Nonce_{U} \vert \vert Timestamp_{U})$ and sends the credentials $\{ID_{U}, PublicIdentifier_{U}, HPwd\}$ to the gateway node $GW$ .
Step 2:
The gateway node $GW$ checks if the $ID_{U} $ exist if it does then the request is rejected. If the above condition fails then the $GW$ computes $GW_{1} =h(K\vert \vert ID_{U})\oplus Nonce_{GW} $ , $GW_{2} =HPwd\oplus Ke y_{U} $ and $GW_{3} =h(ID_{U} \vert \vert Key_{U} \vert \vert HPwd\vert \vert GW_{1})$ where $Nonce_{GW} $ is a random number (selected by $GW$ ), $Key_{U} $ is a random key assigned for the user. Now, the $GW$ a random sequence number $(Seq_{Num})$ and sends the credentials $\{PublicIdentifier_{U}, GW_{1}, GW_{2}, GW_{3},Seq_{Num}, H(.)$ , $Mod_{Set} \}$ to the $U$ over a secure channel and stores the said info.
Step 3:
Now, $U$ stores the random number $Nonce_{U} $ and the timestamp $Timestamp_{U} $ in the set and stores $\{PublicIdentifier_{U}$ , $GW_{1}$ , $GW_{2}$ , $GW_{3}$ , $Nonce_{U}$ , $Seq_{Num}$ , $Timestamp_{U}, H(.),Mod_{Set} \}$ on the mobile device.

B. Authentication and Key-Agreement Phase

In this phase the user $U$ desires to access the sensor data whose public identifier $PublicIdentifier_{SN} $ the following are the steps involved in this phase.

Step 1:
$U\to GW:M_{1} = \{PublicIdentifier_{U}$ , $H_{\alpha 1}$ , $H_{\alpha 2}$ , $Timestamp_{U}^{1}, PublicIdentifier_{SN} \}$
The user $U$ provides authentication credentials $ID_{U} $ and $Pwd$ adhered to which the mobile device computes $HPwd^{\ast }=h(Pwd^{\ast }\vert \vert Nonce_{U} \vert \vert Timestamp_{U})$ (by fetching the random number $Nonce_{U} $ and timestamp $Timestamp_{U} $ from the device), $GW_{2} \oplus HPwd^{\ast }=Key_{U}^{\ast } $ and checks the validity of the input credentials by verifying if $h(ID_{U}^{\ast } \vert \vert Key_{U}^{\ast } \vert \vert HPwd^{\ast }\vert \vert GW_{1})^{\ast }\mathop{=}\limits^{?} GW_{3} $ holds. If the above condition fails then the request is rejected. However, if the condition does hold then the mobile device generates a random number $Nonce_{U}^{1} $ , fetches the current timestamp $Timestamp_{U}^{1} $ and computes $H_{\alpha 1} =h(Nonce_{U}^{1}~\vert \vert ~GW_{2} ~\vert \vert ~Key_{U} ~\vert \vert ~ PublicIdentifier_{U} \vert \vert Timestamp_{U}^{1} \vert \vert ~PublicIdentifier_{SN})\oplus Seq_{Num} $ , $H_{\alpha 2} =H(PublicIdentifier_{U} \vert \vert ~GW_{1}~\vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ID_{U} ~\vert \vert ~ Timestamp_{U}^{1} ~\vert \vert ~HPwd)~\oplus Nonce_{U}^{1} $ . Now, the mobile device computes three session specific modulus $h_{1} =h(Nonce_{U}^{1} \vert \vert ID_{U} \vert \vert Key_{U})$ , $h_{2} =h(ID_{U} \vert \vert Seq_{Num} \vert \vert HPwd)$ , $h_{3} =h(Timestamp_{U}^{1} \vert \vert Seq_{Num} \vert \vert ~PublicIdentifier_{U} ~\vert \vert ~ ID_{U} ~\vert \vert ~ Nonce_{U}^{1})$ adhered to which it checks if the computed Modulus lie within the specified $Mod_{Set} $ range, if it doesn’t then the authentication message is generated again till the values satisfy. Once, the above credentials are generated then the said credentials are forwarded to the gateway node $GW$ .
Step 2:
$GW\to U:M_{2} =\{PublicIdentifier_{U}$ , $H_{\alpha 3}$ , $H_{\alpha 4}$ , $H_{\alpha 5}, Timestamp_{GW}, A,B\} ~GW\to SN:M_{3} =\{PublicIdentifier_{SN}$ , $H_{\alpha 6}$ , $H_{\alpha 7}$ , $H_{\alpha 8}$ , $Timestamp_{GW}$ , $A_{SN}$ , $B_{SN} \}$
The gateway node $GW$ fetches the timestamp and checks if $Timestamp_{x} -Timestamp_{U}^{1} \le \Delta T$ holds, if it does then the $GW$ fetches the credentials associated with $PublicIdentifier_{U} $ . Once the said credentials are fetched then the $GW$ proceeds by computing $H_{\alpha 2} \oplus H(PublicIdentifier_{U}^{\ast }~\vert \vert ~ GW_{1} \vert \vert PublicIdentifier_{SN} \vert \vert ID_{U} \vert \vert ~Timestamp_{U}^{1\ast }~\vert \vert ~ HPwd)=Nonce_{U}^{1\ast }$ and to verifies the attained credentials, the $GW$ checks if $H_{\alpha 1}^{\ast } \mathop{=}\limits^{?} H_{\alpha 1} $ holds. If the above holds then the user is authenticated and the request is legitimate. Now, the $GW$ generates the session specific modulus $h_{1}, h_{2},h_{3} $ respectively, adhered to which the $GW$ generates the session key and the authentication message for user and the sensor node $SN$ whose public identifier is $PublicIdentifier_{SN} $ , so that they can attain the common session key. For generating the credentials, $GW$ generates a random number $Nonce_{GW1} $ for $SN$ and computes $h_{4} =h(Nonce_{GW1} \vert \vert ID_{SN} \vert \vert Nonce_{SN} \vert \vert Key_{SN})$ , $h_{5} =h(ID_{SN} \vert \vert Seq_{SN} \vert \vert Nonce_{GW1})$ , $h_{6} =h(Timestamp_{GW} \vert \vert Seq_{SN} \vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ID_{SN} ~\vert \vert ~ Nonce_{GW1})$ and checks if $Mod_{Set} $ condition is satisfied. If the previous condition is satisfied then the $GW$ has a total of six session specific modulus. Now, the $GW$ produces the session key for which the $GW$ generates two random number $A$ , $B$ of arbitrary lengths such that $Key_{Session} = [\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}] \bmod (h_{3})$ , similarly since the session key is attained the $GW$ now selects a random number $A_{SN} $ and computes the value of $B_{SN}$ as $[\{B_{SN} \bmod (h_{5})\}]\bmod (h_{6})=[Key_{Session} \cdot ~\cdot \{A_{SN} \bmod (h_{4})\}^{-1}\bmod (h_{6})]\bmod (h_{6})$ (here the session key by the $GW$ has been computed as $Key_{Session} =[\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}]\bmod (h_{3})$ and since the $GW$ has access to $h_{4} $ , $h_{5}$ , $h_{6} $ and $A_{SN} \bmod (h_{4})$ the $GW$ must now generate the value of $B_{SN} $ such that the computed session key equals $Key_{Session} =[\{A_{SN} \bmod (h_{4})\}\cdot \cdot \{B_{SN} \bmod (h_{5})\}]\bmod (h_{6}))$ . Once, all the ephemerals are generated then the $GW$ generates $M_{2} =\{PublicIdentifier_{U} ~,H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, Timestamp_{GW}, A,B\}$ where $H_{\alpha 3} =h(PublicIdentifier_{U} ~\vert \vert ~ Timestamp_{GW} ~\vert \vert ~ NewSeq_{Num} ~\vert \vert ~ ~Nonce_{G} ~\vert \vert ~ Timestamp_{U}^{1})\oplus NewPublicIdentifier_{U}$ (here $NewPublicIdentifier_{U} =h(Timestamp_{GW} ~\vert \vert ~ ID_{U} ~\vert \vert ~ Nonce_{GW} ~ \vert \vert ~Key_{v1} ~\vert \vert ~ Nonce_{U}^{1} ~\vert \vert ~ Timestamp_{U}^{1})$ ), $H_{\alpha 4} =h(Timestamp_{U}^{1} ~\vert \vert ~Timestamp_{GW} ~\vert \vert ~B~\vert \vert ~ Nonce_{U}^{1} ~\vert \vert ~ PublicIdentifier_{U} ~\vert \vert ~ Key_{v1})\oplus ~Nonce_{G} \oplus Nonce_{U}^{1} $ , $H_{\alpha 5} =h(Nonce_{U}^{1} ~\vert \vert ~ ID_{U} ~\vert \vert ~ A~\vert \vert ~PublicIdentifier_{U} ~\vert \vert ~ NewPublicIdentifier_{U} \vert \vert B \vert \vert Timestamp_{GW}~\vert \vert ~ Timestamp_{U}^{1})\oplus NewSeq_{Num} $ and $M_{3} =\{PublicIdentifier_{SN}$ , $H_{\alpha 6},H_{\alpha 7}, H_{\alpha 8}, Timestamp_{GW}, A_{SN}, B_{SN} \}$ where, $H_{\alpha 6} =h(Nonce_{GW1} ~\vert \vert ~ Key_{SN} ~\vert \vert ~ B_{SN}~\vert \vert ~ Timestamp_{GW} ~\vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ NewSeq_{SNNum})\oplus Seq_{SN} $ , $H_{\alpha 7} =h(PublicIdentifier_{SN} ~\vert \vert ~ ID_{SN} ~\vert \vert ~ Timestamp_{GW}~\vert \vert ~ A_{SN})\oplus ~Nonce_{GW1} $ , and $H_{\alpha 8} =Seq_{SN} \oplus h(Key_{SN} \oplus Seq_{SN})\oplus NewSeq_{SNNum} $ . Now the message $M_{2}$ , $M_{3}$ is sent to the user and the sensor node respectively.
Step 3:
The mobile device when receiving the message $M_{2} $ checks if $Timestamp_{x} -Timestamp_{GW} \le \Delta T$ holds. If the above holds then the mobile device computes $H_{\alpha 4} \oplus ~Nonce_{U}^{1} \oplus h(Timestamp_{U}^{1} ~\vert \vert ~ Timestamp_{GW}^{\ast } ~\vert \vert ~ B^{\ast }~\vert \vert ~ Nonce_{U}^{1} \vert \vert ~PublicIdentifier_{U} ~\vert \vert ~ Key_{v1})=Nonce_{G}^{\ast }$ , $NewPublicIdentifier_{U}^{\ast } =h(Timestamp_{GW}^{\ast }~\vert \vert ~ ID_{U} ~\vert \vert ~ Nonce_{GW}^{\ast }~\vert \vert ~ Key_{v1} ~\vert \vert ~ Nonce_{U}^{1} \vert \vert ~Timestamp_{U}^{1})$ , $H_{\alpha 5} \oplus h(Nonce_{U}^{1} ~\vert \vert ~ ID_{U} ~\vert \vert A^{\ast }\vert \vert ~ PublicIdentifier_{U} ~\vert \vert ~ NewPublicIdentifier_{U}^{\ast } ~\vert \vert ~ B^{\ast }~\vert \vert ~ Timestamp_{GW}^{\ast } \vert \vert ~Timestamp_{U}^{1}) =NewSeq_{Num}^{\ast } $ and checks if $H_{\alpha 3}^{\ast } \mathop{=}\limits^{?} H_{\alpha 3} $ holds. If it does then the attained credentials are correct and the mobile device computes the session key as $Key_{Session} =[\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}]\bmod (h_{3})$ adhered to which the sequence number and new pseudonym is updated.
Step 4:
The sensor node $SN$ when receiving the message $M_{3} $ checks if $Timestamp_{x} -Timestamp_{GW} \le \Delta T$ holds. If the above holds then the $SN$ computes $H_{\alpha 7} \oplus h(PublicIdentifier_{SN} \vert \vert ID_{SN} \vert \vert Timestamp_{GW} ^{\ast }\vert \vert A_{SN}^{\ast })=Nonce_{GW1}^{\ast }$ , $H_{\alpha 8} \oplus h(Key_{SN} \oplus Seq_{SN})\oplus Seq_{SN} =NewSeq_{SNNum}^{\ast }$ and validates it by checking if $H_{\alpha 6}^{\ast } \mathop{=}\limits^{?} H_{\alpha 6} $ holds. If above holds then the sensor node computes $h_{4}$ , $h_{5}$ , $h_{6}$ and $Key_{Session} =[\{A_{SN} \bmod (h_{4})\}\cdot \{B_{SN} \bmod (h_{5})\}]\bmod (h_{6})$ adhere-d to which it updates the sequence number.
Consider a small example, let us assume that the values of $\{h_{1},h_{2}, h_{3}, h_{4}, h_{5}, h_{6} \}$ are $\{h_{1} =79,h_{2} =102$ , $,h_{3} =550,h_{4} =997,h_{5} =99,h_{6} =571\}$ and now the $GW$ needs to generate a pair $(A,B)$ such that a session key is attained and both the entities are able to attain a new session key. Here, $GW$ on basis of $Mod_{Set} $ parameter generates $(A,B,h_{4},h_{5}, h_{6})$ pair (here $\{h_{1}, h_{2}, h_{3} \}$ is computed by the $GW)$ such that a session key is attained. For instance now the $GW$ must select the value of $(A,B),(A_{SN}, B_{SN})$ such that $[A\bmod (79)\ast B\bmod (102)]\bmod (550)=[A_{SN} \bmod (997)\ast B_{SN} \bmod (99)]\bmod (571)$ , now assuming that $GW$ chooses the value randomly. thus value of $\{A=466,B=495,A_{SN} =449\}$ . The $GW$ after computing the value of $\{B_{SN} \}$ will get $\{B_{SN} =13\}$ (the process used is similar to what was initially defined in step 2), when $GW$ computes $127=[466\bmod (79)\ast 495\bmod (102)]\bmod (550)=[449\bmod (997)\ast 13\bmod (99)]\bmod (571)$ and since the pair converge to the same output, thus $GW$ sends them to both the entities. Thus both the entities will be able to converge to same output. If the above condition doesn’t hold then the $GW$ generates new pair of $\{A_{SN}, B_{SN} \}$ alone or generates a new session key or requests the user to provide new modulus based credentials and a new $\{A_{SN}, B_{SN} \}$ pair till the condition is met. In the proposed key exchange part, the novelty exists in the fact that although the two different entities are communicating on different modulus bases, they end up converging on the same session key. The use of more than one modulus has been motivated by the standardized digital signature algorithm [41] (which was motivated from the ElGamal scheme [42]) and Elgamal scheme [42] which produces probabilistic scheme. Thus given a message collision of results which can return same value is attained, but finding it is infeasible to do in polynomial time. Motivated by previous schemes the security of the proposed work is further enhanced by making use of three session specific modulus, where these modulus values are hidden, thus making it infeasible for an adversary to computationally attain the session key. Moreover, it can be evident from the proposed scheme that given a session key and modulus it is feasible to produce $A$ or $A_{SN} $ and attain the value of $B$ , $B_{SN}$ such that same session key is attained (by both the entities) but finding other pairs is infeasible by an entity who has no information about the modulus (even if the adversary desires to attain the pair, the adversary must brute force across different ephemeral pairs to attain a successful one). Thus, given a session key, only a valid entity can generate many ephemeral pairs as to converge on the same session key. To best of knowledge, the proposed work is the only probabilistic hash modulus based key agreement protocol.
Step 5:
Both the mobile device and the sensor node send the hello message to the gateway node by using appropriate pseudonym and credentials (comprising data encrypted using the exchanged session key, where the data is the pseudonym, timestamp and the sequence numbers which were communicated earlier) when the first comm-unication is initiated. Thus, confirming the credibility of the session key, if either entity fails to send the message, the said session is terminated by the $GW$ .

In the proposed scheme, every exchanged info-rmation plays a very crucial role, for instance the role of random number generated by the $U(Nonce_{U}^{1})$ is to ensure that a dynamic modulus satisfying the $Mod_{Set} $ condition is attained (same implication is towards the random number generated by $GW$ i.e $Nonce_{GW1}, Nonce_{SN}$ ). The role of timestamps i.e $Timestamp_{U}^{1}, Timestamp_{GW} $ (generated by $U$ , $GW$ ) is to ensure that the replay attack is detected. Furthermore the role of sequence numbers $Seq_{Num} $ , $Seq_{SN} $ (for $U$ , $SN$ ) is to detect suppress replay attack (as stated in [43], [44], it should be noted that non-synchronization leaves the door open to clock attacks. If the sender’s clock is ahead of that of a receiving node, an attacker may suppress the postdated message and replay it later, when the timestamp in the message becomes valid according to the receiver’s clock. Re-synchronization of the sender’s faulty clock does not parry this suppress-replay attack). The suppress replay can be easily detected using the exchanged sequence number as after every communication a new sequence number is exchanged with the entities i.e $NewSeq_{Num}, NewSeq_{SNNum}$ (for $U$ , $SN$ ) thus, even if the previous authentication message is suppress replayed, the same will be detected as the information of new sequence number will not be present on the message, thus any of the three entity can detect suppress replay in the proposed work (detailed view on this is provided in informal security analysis section).

C. Password Change Phase

In this phase the user decides to change the password enabled on the device. The following are the steps involved in this phase.

Step 1:
The user $U$ provides authentication credentials $ID_{U}$ and $Pwd$ adhered to which the mobile device computes $HPwd^{\ast }=h(Pwd^{\ast }\vert \vert Nonce_{U} \vert \vert Timestamp_{U})$ (by fetching the random number $Nonce_{U} $ and timestamp $Timestamp_{U} $ from the device), $GW_{2} \oplus HPwd^{\ast }=Key_{U}^{\ast }$ and checks the validity of the input credentials by verifying if $h(ID_{U}^{\ast } \vert \vert Key_{U}^{\ast } \vert \vert HPwd^{\ast } \vert \vert GW_{1})^{\ast }\mathop{=}\limits^{?} GW_{3} $ holds. If the above condition fails then the request is rejected. However, if the condition does hold then the $U$ provides new password credentials $Pwd_{New}$ which is updated on the storage by computing $HPwd=h(Pwd_{New} \vert \vert Nonce_{U} \vert \vert Timestamp_{\delta })$ (where $Timestamp_{\delta } $ is the fresh timestamp generated by the mobile device), $GW_{2}^{New} =HPwd_{New} \oplus Key_{U} $ , $GW_{3}^{New} = h(ID_{U} \vert \vert Key_{U} \vert \vert HPwd_{New} \vert \vert GW_{1})$ . Thus, the previous authen-tication credentials are now updated with new authen-tication credentials. Now, the $U$ generates an authentication message so that the gateway node $GW$ can update the said credentials, the $M_{4} =\{PublicIdentifier_{U}, H_{\alpha }, H_{\beta }, Timestamp_{\delta } \}$ where $H_{\alpha } =h(Pwd\vert \vert HPwd\vert \vert ID_{U} \vert \vert Timestamp_{U} \vert \vert Seq_{Num})\oplus HPwd_{New} $ and $H_{\beta } =h(HPwd_{New} \vert \vert ~Timestamp_{\delta } \vert \vert Seq_{Num})$ . Now, the $U$ sends the message $M_{4} =\{PublicIdentifier_{U}, H_{\alpha } $ , $H_{\beta },Timestamp_{\delta } \}$ to the $GW$ .
Step 2:
The $GW$ computes $H_{\alpha } \oplus H(Pwd ~\vert \vert ~ HPwd\vert \vert ID_{U} \vert \vert ~Timestamp_{U}^{\ast } \vert \vert Seq_{Num})=HPwd_{New}^{\ast } $ and checks if $H_{\beta }^{\ast } \mathop{=}\limits^{?} H_{\beta } $ holds. If above holds then the password is updated else the request is rejected. Thus, the change of password enhances security (similar to [8], [15]), and makes it less vulnerable than [21], where there is no provision to change in password.

SECTION VI.

Security Analysis

In this section, an analysis is provided so that it is evident to the readers as of how the proposed scheme is secure against and it resists various wicked attacks.

A. Authentication Proof Using BAN Logic

BAN logic is used for examining the security of any authentication protocol. The aim is to ensure that successful authentication is taking place. The logic defined in [7], [15]–[18] is used to provide security proof of the protocol. For proving the depicted goals in later part, approach similar to that of [7], [15] is used. Following are the set of rules of interest.

Message Meaning Rule: $R_{1} :\frac {P\vert \equiv P \mathrel {\mathop {\longleftrightarrow }\limits ^{K}}Q,P\triangleleft \{X\}_{K}}{P\vert \equiv Q\vert \sim X}$
Nonce Verification Rule: $R_{2} :\frac {P\vert \equiv \# (X),P\vert \equiv Q\vert \sim X}{P\vert \equiv Q\vert \equiv X}$
Jurisdiction Rule: $R_{3} :\frac {P\vert \equiv Q\Rightarrow X,P\vert \equiv Q\vert \equiv X}{P\vert \equiv X}$
Freshness Rule: $R_{4} :\frac {P\vert \equiv \# (X)}{P\vert \equiv \# (X,Y)}$
Belief Rule: $R_{5} :\frac {P\vert \equiv (X,Y)}{P\vert \equiv (X)}$
Seeing Rule: $R_{6} :\frac {P\triangleleft (X,Y)}{P\triangleleft (X)}$
ER1 or Hash Verification Rule ([15]): $R_{7} :\frac {P\vert \equiv Q \mathrel {\mathop {\longleftrightarrow }\limits ^{K}} P,P\triangleleft f(X,Y)}{P\vert \equiv Q\vert \sim X}$
Session Key Rule: $R_{8} :\frac {P\vert \equiv \# (X),P\vert \equiv Q\vert \equiv X}{P\vert \equiv P \mathrel {\mathop {\longleftrightarrow }\limits ^{K}} Q}$

Now, the beliefs within the protocol are highlighted adhered to which proof is provided. Initial assumptions (beliefs) are,

\begin{equation*} \hspace {-2pc}U \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{~~PublicIdenitfier_{U}, Key_{V1}, GW_{1}, GW_{2}, GW_{3}, Seq_{Num}, ID_{U}, HPwd}}GW\end{equation*} View Source or \begin{equation*} \hspace {-2pc}GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{~~PublicIdenitfier_{U}, Key_{V1}, GW_{1}, GW_{2}, GW_{3}, Seq_{Num}, ID_{U}, HPwd}} U\end{equation*} View Source
$GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{PublicIdenitfier_{SN}, ID_{SN}, Seq_{SN}, Key_{SN}}} SN$ or $SN \mathrel {\mathop {\!\!\! \leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{~~PublicIdenitfier_{SN}, ID_{SN}, Seq_{SN}, Key_{SN}}} GWGW\vert \equiv U\Rightarrow {GW}$
$Gw \vert \equiv GW\Rightarrow (H_{\alpha 1}, H_{\alpha 2}, Nonce_{U}, h_{1}, h_{2}, h_{3})$
$U\vert \equiv GW\Rightarrow (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, Nonce_{GW}, NewSeq_{Num}$ , $NewPublicIdentifier_{U}, A,B)$
$SN\vert \!\equiv \! GW\!\Rightarrow \! (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8}, Nonce_{GW1}, NewSeq_{Num}, A_{SN}, B_{SN})$
$U\vert \equiv \# (Timestamp_{GW}$ , $Nonce_{G}$ , $NewSeq_{Num}$ , $NewPublicIdentifier_{U}$ , $A$ , $B)$
$GW\vert \equiv \# (Timestamp_{U}^{1}, Nonce_{U}^{1})$
$SN\vert \equiv \# (Timestamp_{GW}, Nonce_{GW}, NewSeq_{SNNum}, A_{SN}, B_{SN})$

The goals to be achieved are:

$GW\vert \equiv \# (H_{\alpha 1}, H_{\alpha 2})$
$GW\vert \equiv (Seq_{Num})$
$GW\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Nonce_{U}^{1}}} GW$
$GW\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{h_{1}, h_{2}, h_{3}}} GW$
$U\vert \equiv \# (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, A,B)$
$U\vert \equiv GW\vert \equiv (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, A,B)$
$U\vert \equiv (NewSeq_{Num}, NewPublicIdentifier_{U})$
$U\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\!\!\!-\!\!\!\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{NewSeq_{Num}, NewPublicIdentifier_{U}}}U$
$GW\vert \equiv GW \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}}U$
$U\vert \equiv GW \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}}U$
$U\vert \equiv GW\vert \equiv GW \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}}U$
$GW\vert \equiv U\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}}GW$
$SN\vert \equiv \# (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8})$
$SN\vert \equiv SN \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{h_{4}, h_{5}, h_{6}}}GW$
$SN\vert \equiv NewSeq_{SNNum} $
$SN\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}, NewSeq_{SNNum}}}SN$
$SN\vert \equiv GW\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}, NewSeq_{SNNum}}}SN$

Now, the message is represented in the idealized form, thus the result is

$GW\triangleleft M_{1} :PublicIdentifier_{U}$

$H_{\alpha 1}, H_{\alpha 2}$

$Timestamp_{U}^{1}$

$ PublicIdentifier_{SN} $

$U\triangleleft M_{2} :PublicIdentifier_{U}$

$H_{\alpha 3}$

$H_{\alpha 4}$

$H_{\alpha 5}$

$Timestamp_{GW}, A,B~ SN\triangleleft PublicIdentifier_{SN}$

$H_{\alpha 6},H_{\alpha 7}$

$H_{\alpha 8}$

$Timestamp_{GW}, A_{SN}, B_{SN} $

. The following are the steps used to attain the above goals.

Using the message $M_{1} $ , rule $R_{6} $ we get $GW\triangleleft (H_{\alpha 1}, H_{\alpha 2})$ .
Using previous result from the step A, belief 1 and rule $R_{7} $ we get $GW\vert \equiv U\vert \sim (H_{\alpha 1}, H_{\alpha 2})$ .
With result of step A, belief 7 and rule $R_{4} $ we get $GW\vert \equiv \# (H_{\alpha 1}, H_{\alpha 2})$ .
With the result of step B, C and rule $R_{2} $ we get $GW\vert \equiv U\vert \equiv (H_{\alpha 1}, H_{\alpha 2})$ .
With the result of step D, belief 3 and rule $R_{3} $ we get $GW\vert \equiv (H_{\alpha 1}, H_{\alpha 2})$ .
Using the message $M_{1} $ , with the result of step E and rule $R_{5} $ we get $GW\vert \equiv (Seq_{Num})\left({\frac {GW\vert \equiv (Seq_{Num}, H_{\alpha 1})}{GW\vert \equiv (Seq_{Num})}}\right)$ .
Using the result of step C, D and rule $R_{8} $ we get $GW\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Nonce_{U}^{1}}}GW$ .
Using the result of step C, D and rule$R_{8} $ we get $GW\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{h_{1}, h_{2}, h_{3}, A,B}} GW$ .
Using the result of step C, D and rule$R_{8} $ we get $GW\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}} U$ .
Using the message $M_{2} $ , rule $R_{6} $ we get $U\triangleleft (H_{\alpha 3}$ , $H_{\alpha 4}$ , $H_{\alpha 5}$ , $A$ , $B)$ .
With the result of the step J, belief 1 and rule $R_{7} $ we get $U\vert \equiv GW\vert \sim (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, A,B)$ .
With the result of the step J, belief 6 and rule $R_{4} $ we get $U\vert \equiv \# (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, A,B)$ .
With the result of the step J, K and rule $R_{2} $ we get $U\vert \equiv GW\vert \equiv (H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}, A,B)$ .
Using the result of step M, belief 4 and rule $R_{3} $ we get $U\vert \equiv (NewSeq_{Num}, NewPublicIdentifier_{U}, A,B)$ .
With the result of step L, M and rule $R_{8} $ we get $U\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!\!\!\!-\!\!\!-\!\!\!-\!\!\!\!\!\!-\!\!\!\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{NewSeq_{Num}, NewPublicIdentifier_{U}, A,B}} U$ .
With the result of step L, M and rule $R_{8} $ we get $U\vert \equiv GW \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}} U$ .
Using the result of step O, belief 4 and rule $R_{2} $ (similar to [7]) we get $U\vert \equiv GW\vert \equiv GW \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}} U$ .
Using the result if step I, belief 3 and rule $R_{2} $ (similar to [7]) we get $GW\vert \equiv U\vert \equiv U \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}}} GW$ .
Using the message $M_{3} $ , rule $R_{6} $ we get $SN\triangleleft (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8}, A_{SN}, B_{SN})$ .
Using previous result from the step S, belief 2 and rule $R_{7} $ we get $SN\vert \equiv GW\vert \sim (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8}, A_{SN}, B_{SN})$ .
Using the result from step S, belief 8 and rule $R_{4} $ we get $SN\vert \equiv \# (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8}, A_{SN}, B_{SN})$ .
Using the result T, U and rule $R_{2} $ we get $SN\vert \equiv GW\vert \equiv (H_{\alpha 6}, H_{\alpha 7}, H_{\alpha 8}, A_{SN}, B_{SN})$ .
Using the result of step V and rule $R_{5} $ we get $SN\vert \equiv NewSeq_{SNNum} $ .
Using the result of step U, V and rule $R_{8} $ we get $SN\vert \equiv SN \mathrel {\mathop {\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{h_{4}, h_{5}, h_{6}}} GW$ .
Using the result of step U, V and rule $R_{8} $ we get $SN\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}, NewSeq_{SNNum}}} SN$ .
Using the result Y, belief 5 and rule and rule $R_{2} $ (similar to [7]) we get $SN\vert \equiv GW\vert \equiv GW \mathrel {\mathop {\!\!\!\leftarrow \!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!-\!\!\!\rightarrow }\limits ^{Key_{Session}, NewSeq_{SNNum}}}SN$ .

B. Formal Verification Using Real-or-Random Oracle Model and AVISPA

In this paper Real-Or-Random Oracle model is used to prove the semantic security of the scheme [9], [20], [21], [34], a design of a security model is very beneficial as it helps us in delivering of robust security goals, the said model has following components which are of interest:

Participants: The participants are the user ($U$ ), senor node ($SN$ ) and the Gateway node ($GW$ ) where the communication is taking place between one of the subset of $U (U_{i} \subseteq U)$ , $SNSN_{j} \subseteq SN$ and a $GW$ , each of the user from the subset must communicate keeping the abilities of adversary in check. Consider $\prod \nolimits _{V_{i}}^{u}, \prod \nolimits _{SN_{j}}^{v}, \prod \nolimits _{TA}^{w} $ be the three instances u, v of the subset user ‘u’, sensor node ‘v’ and a gateway node ‘w’. The above are defined as an oracle.
Accepted State: A given instance say $\prod ^{u}$ will be in an accepted state if it has received the last expected message from the protocol. The session IDs are defined by concatenating every exchanged message (sent and received) by the given instance $\prod ^{u}$ in the right order.
Partnering: Two instances $\prod ^{u},\prod ^{v},\prod ^{w}$ are said to be partners of each other if they satisfy all of the below conditions in parallel. (1) The three instances $\prod ^{u},\prod ^{v},\prod ^{w}$ are in the Accepted State, (2) The three instances $\prod ^{u},\prod ^{v},\prod ^{w}$ are in possession of the same session ID and are mutually authenticated and (3) The three instances $\prod ^{u},\prod ^{v},\prod ^{w}$ are mutual partners of each other.
Adversary: The adversary has various abilities which it might use to disrupt the scheme and perform wicked attacks. The adversary can play both active and passive attacks, the passive attack is where the adversary is observing the communication flow across two instances $\prod ^{u},\prod ^{v}$ while active attack is where the adversary takes an active part in the communication, the adversary can perform various attacks such as modification, forging, masquerade, etc. The following are the queries which define various adversarial abilities. (1) $Exec\left({\prod ^{u},\prod ^{v}}\right)$ : It is a passive attack where the adversary is able to capture various messages which are passed through the channel and the goal of the adversary here is to attain useful information to attain useful information from the communication, thus it can be viewed as a basic eavesdropping. (2) $SND\left({\prod ^{u},Msg_{\alpha } }\right),SND\left({\prod ^{v},Msg_{\beta } }\right)$ : It is an active attack where an adversary tries to impersonate an honest user $U_{i} \subseteq U$ or the sensor node $SN_{j} \subseteq SN$ by sending fraudulent message $Msg_{\alpha } /Msg_{\beta } $ and it receives a reply/response from $GW$ , in this attack an adversary usually takes a message from the previously exchanged sessions and tries to tamper with the message or replay (or suppress replay) the same message again, in hope it gets accepted. (3) $Corrupt_{U} \left({\prod ^{u}}\right)$ : It is an attack where the adversary is able to attain all the credentials from the mobile Unit of the user $U$ , the said will be used by an adversary to gain secret information about either the password or the keys so that the adversary can impersonate the User $U_{i} \subseteq U$ . (4) $LowCorrupt_{SN} \left({\prod ^{v}}\right)/LowCorrupt_{U} \left({\prod ^{u}}\right)$ : It is an attack where the adversary can gain information of either the long term key or the identity of the sensor node or user, but not both. (5) $Test\left({\prod ^{u}}\right)$ : The said query is used to model the sematic security of the session key, the above query executed for a session then the said query returns the session key to the adversary or a random string length equivalent to the size of the actual key, the output is based on the initial assumption of bit ‘b’ made by an adversary, for instance if the bit ‘b’ is guessed correctly then the said query returns the session key. If the previous assumption is wrong then a random string of same length is returned; thus it can be said that the sematic security of the session key depends on the adversary ability to guess the bit ‘b’.

Theorem 1:

In the proposed scheme, the advantage of an adversary $Adv_{p}^{KAU2SN}$ for breaking the semantic security of session key can be concluded as $Adv_{p}^{KAU2SN}\le \frac {q_{h} ^{2}}{\vert H\vert }+\frac {2q_{send}}{\vert D\vert }$ or $Adv_{p}^{KAU2SN}\le \frac {2q_{h}^{2}}{\vert H\vert }$ , where $q_{h}, q_{send}, \vert H\vert, \vert D\vert $ are the number of hash queries, number of send queries, space of secure one-way hash function and the size of password dictionary respectively.

Proof:

For proving the semantic security of the session key the proof is distributed across different games, through succession of each game the ability of the adversary is increasing and the advantage $Adv_{p}^{KAU2SN}$ the adversary $A$ throughout these games can be attained by taking the differences between them. Define a game as $G_{i} ^{KAU2SN}$ which means that the $\text{i}^{\mathrm {th}}$ game is being played by the adversary $A$ to break the semantic security of the proposed scheme and to attain the group session key.

Game0:
$G_{0}^{KAU2SN}$ is a real attack in the random oracle model, where an adversary $A$ guesses the bit ‘b’ before beginning of the games. According to definition \begin{equation*} Adv_{p}^{KAU2SN}=\vert 2\Pr [succ_{0} ]-1\vert\tag{1}\end{equation*} View Source where $succ$ defines an event where the adversary$A$ is successful in breaking the semantic security of the proposed key agreement protocol.
Game1:
$G_{1}^{KAU2SN}$ is a passive attack where the adversary is eavesdropping on the public channel where the communication is taking place between the user and the gateway, thus in this game an adversary launches $Exec()$ query and based on the witnessed communication any attained information from the said communication, the adversary executes $Test()$ query and then decides whether the output is the actual session key or a random number. It can be easily concluded that even when above two queries are provoked, the adversary will not be successful in breaking the semantic security of the proposed scheme as $Key_{Session} =[\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}]\bmod (h_{3})$ , $Key_{Session} =[\{A_{SN} \bmod (h_{4})\}\cdot \{B_{SN} \bmod (h_{5})\}]\bmod (h_{6})$ and the info-rmation about the $Key_{Session}$ is not present on any of the exchanged message $\{M_{1}, M_{2}, M_{3} \}$ whereas the information about the Modulus crumbs $(\{Nonce_{U}^{1}$ , $ID_{U} $ , $Key_{U} $ , $Seq_{Num} $ , $HPwd$ , $Timestamp_{U}^{1}$ , $PublicIdentifier_{U} \}$ , $\{Nonce_{GW1} $ , $ID_{SN} $ , $Nonce_{SN} $ , $Key_{SN}$ , $Timestamp_{GW}, Seq_{SN}, PublicIdentifier_{SN} \})$ present on message $\{M_{1}, M_{2}, M_{3} \}$ will be enough for an adversary to generate the value of modulus $h_{1}$ , $h_{2}$ , $h_{3}$ or $h_{4}$ , $h_{5}$ , $h_{6}$ , but the adversary will not be able to do so because the adversary needs to find multiple collisions to converge and attain the session modulus values. In the above game if the key space is large then no information can be archived by the adversary using the above game, hence it can be concluded that \begin{equation*} \Pr [succ_{0} ]-\Pr [succ_{1} ]=0\tag{2}\end{equation*} View Source
Game2:
$G_{2}^{KAU2SN}$ is an active attack, where an adversary $A$ is taking an active part in the communication it is where an adversary has an access to $SND()$ query, thus an adversary is sending a query and is attaining a response in return from the $TA$ . In this game the adversary procures an access to both $SND()$ query and an oracle $H_{Oracle} $ , thus an adversary $A$ queries hash oracle to find a successful collision to produce fraudulent messages which will be accepted and in turn result in successful authentication of the adversary $A$ . In the proposed scheme, the message $M_{1} $ comprising $\{H_{\alpha 1},H_{\alpha 2} \}$ (where $H_{\alpha 1} =h(Nonce_{U}^{1} ~\vert \vert ~GW_{2}~ \vert \vert ~Key_{U} ~\vert \vert ~ PublicIdentifier_{U} ~\vert \vert ~ Timestamp_{U}^{1} \vert \vert PublicIdentifier_{SN})\oplus Seq_{Num}$ and $H_{\alpha 2} =H(PublicIdentifier_{U} ~\vert \vert ~GW_{1} ~\vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ ID_{U} ~\vert \vert ~Timestamp_{U}^{1} \vert \vert HPwd)\oplus Nonce_{U}^{1})$ is bounded by a Public identifier (which is changed after every session) and a timestamp, same holds for $M_{3} $ (because of new sequence number $NewSeq_{SNNum} $ on every message) comprising of $\{H_{\alpha 6} $ , $H_{\alpha 7} $ , $H_{\alpha 8} \}$ (where $H_{\alpha 6} =h(Nonce_{GW1} ~\vert \vert ~ Key_{SN} ~\vert \vert ~ B_{SN} ~\vert \vert ~Timestamp_{GW} ~\vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ NewSeq_{SNNum})\oplus Seq_{SN} $ , $H_{\alpha 7} =h(PublicIdentifier_{SN} ~\vert \vert ~ID_{SN} ~\vert \vert Timestamp_{GW} \vert \vert ~A_{SN})\oplus ~Nonce_{GW1} $ , and $H_{\alpha 8} =Seq_{SN} \oplus h(Key_{SN} \oplus Seq_{SN})\oplus NewSeq_{SNNum})$ . Thus it can be conclude that there will be no successful collisions in the $SND()$ query due to presence of fresh timestamp, sequence number and a public identifier for every session. Thus conclusion associated with hash function from birthday paradox is to be used in order to prove the advantage of an adversary to break the semantic security of the proposed key agreement protocol. According to birthday paradox, the success of finding a collision is $\frac {q_{h}^{2}}{2\vert H\vert }$ .\begin{equation*} \vert \Pr [Succ_{1} ]-\Pr [Succ_{2} ]\vert \le \frac {q_{h}^{2}}{2\vert H\vert }\tag{3}\end{equation*} View Source
Game3:
$G_{3}^{KAU2SN}$ is an attempt made by an adversary to derive secret values present on the on-board unit ($OBU$ ), so that the adversary can be successful in performing various wicked attacks. In this game an adversary is given an access to the $Corrupt_{U} ()$ query, thus the adversary is now in possession of $\{PublicIdentifier_{U}, GW_{1}, GW_{2}, GW_{3}, Nonce_{U}, Seq_{Num}$ , $Timestamp_{U}, H(.),Mod_{Set} \}$ but to successfully attain the exchanged session key credentials, an adversary must rely on a successful dictionary attack to attain useful information and use the $OBU$ .\begin{equation*} \vert \Pr [Succ_{2} ]-\Pr [Succ_{3} ]\vert \le \frac {q_{send}}{\vert D\vert }\tag{4}\end{equation*} View Source Moreover, the adversary can perform $LowCorrupt_{SN} ()$ to attain the credential of either the long term key $Key_{SN} $ or the identity $ID_{SN}$ . In either case the adversary must find collision in message $M_{3}$ in either $H_{\alpha 6} $ or $H_{\alpha 7} $ to attain the other parameter.\begin{equation*} \vert \Pr [Succ_{2} ]-\Pr [Succ_{3} ]\vert \le \frac {q_{h}^{2}}{2\vert H\vert }\tag{5}\end{equation*} View Source
Game4:
$G_{4}^{KAU2SN}$ is a continuation of $G_{3}^{KAU2SN}$ where final attempt is made, here all of the above queries can be utilized by an adversary $A$ to break the semantic security of the proposed group key agreement protocol to attain the session key. If even now the adversary is unable to break the semantic security and attain the session key, thus the adversaries attempt to disrupt the scheme lies in a guess.\begin{equation*} \Pr [Succ_{3} ]=\frac {1}{2}\tag{6}\end{equation*} View Source The result of step (6) can be utilized to conclude to the desired result specified earlier. Utilizing the triangular inequality it can be concluded \begin{align*} \vert \Pr [succ_{1} ]-\Pr [succ_{3} ]\vert\le&\vert \Pr [succ_{1} ]-\Pr [succ_{2} ]\vert \\&+\,\vert \Pr [succ_{2} ]-\Pr [succ_{3} ]\vert \\\le&\frac {q_{h} ^{2}}{2\vert H\vert }+\frac {q_{send}}{\vert D\vert }\tag{7}\end{align*} View Source Since, the value of $\Pr [Succ_{3} ]=\frac {1}{2}$ thus $\vert \Pr [succ_{1} ]-\frac {1}{2}\vert \le \frac {q_{h}^{2}}{2\vert H\vert }+\frac {q_{send}}{\vert D\vert }$ , using this result and the result of (1), (2)$2\left[{\Pr [succ_{0} ]-\frac {1}{2}}\right]\le 2\left[{\frac {q_{h}^{2}}{2\vert H\vert }+\frac {q_{send}}{\vert D\vert }}\right]$ and thus resulting in (8) can be attained \begin{equation*} Adv_{p}^{KAU2SN}\le \frac {q_{h}^{2}}{\vert H\vert }+\frac {2q_{send} }{\vert D\vert }\tag{8}\end{equation*} View Source Hence, it can be concluded that if the given hash space and the relative size of dictionary is large then it is infeasible for an adversary to break the semantic security and attain the session key. Moreover, if the $LowCorrupt_{SN} ()$ approach is used then the result is $Adv_{p}^{KAU2SN}\le \frac {2q_{h}^{2}}{\vphantom {D_{j}}\vert H\vert }$ . Thus, depending on the size of dictionary either approach can be used.

Theorem 2:

The proposed system provides conditional security when mobile device is lost or stolen. The advantage of the adversary is given by $Adv_{A}^{Break}\le \frac {q_{h}^{2}}{2\vert H\vert }+\frac {q_{send}}{\vert D\vert }$ .

Proof:

To demonstrate this, a game $G_{j}^{Brk}$ is played where the adversary is given access to $Exec()$ , $SND()$ and $Corrupt_{U} ()$ query. Thus an adversary has an access to $\{PublicIdentifier_{U}, GW_{1}, GW_{2}, GW_{3}, Nonce_{U}, Seq_{Num}$ , $Timestamp_{U}, H(.),Mod_{Set} \}$ . Here, the adversary for gaining the information about the identity and hashed password needs to find collisions in the hash function used in $GW_{3} $ and then for finding the correct password a successful dictionary attack or collision needs to be found, thus in best case $Adv_{A}^{Break}\le \frac {q_{h}^{2}}{2\vert H\vert }+\frac {q_{send}}{\vert D\vert }$ .

The table 3 depicts the simulation results in OFMC backend in AVISPA (a formal security verification tool). AVISPA is a simulation tool for security verification which justifies the security of the authentication schemes. It is also a software which is of type role related, where each participants acts as a role [7], [19], [33]. The AVISPA is written in HLPSL which is a High Level Protocol Specification Language which is then translated into IF which is an Intermediate Format lower level language can directly read by AVISPA”s back end. AVISPA has four back ends, namely, (i) OFMC (On – the – fly – Model – Checker, (ii) Constraint Logic Based Attack Searcher, (iii) SATMAC – SAT based Model Checker and Tree Automata based on Automatic Approximations. Table 3 depicts the simulation in AVISPA.

TABLE 1 Symbols and Description

TABLE 2 Authentication and Key-Agreement Protocol

TABLE 3 Simulation Result in OFMC Backend

C. Informal Security Analysis

In this section informal security analysis is presented as to prove security of the proposed work against specified attack. The attack is mentioned adhered to which a description is provided which proves as of how the proposed work is secure against the specified attack.

1) Modification Attack

In this attack an adversary tries to modify the sent data so that the valid entities in the system accept these changes, the adversary in this attack can either impersonation a valid entity in the system or make malicious changes. In the proposed work, if the adversary manipulates the credentials on $M_{1} $ the same can be detected as the hash on either changed credential will be detected. For instance if the adversary manipulates the credentials of $H_{\alpha 2} $ then the hash credentials on $H_{\alpha 1} $ will not hold, as $H_{\alpha 1}^{\ast } \mathop{=}\limits^{?} H_{\alpha 1} $ will not hold, thus the modification can be detected on $M_{1} $ . In case of message $M_{2}$ if the adversary manipulates either of $H_{\alpha 3}, H_{\alpha 4}, H_{\alpha 5}$ then the confirmation will not hold of $H_{\alpha 3} $ (on message $M_{2})$ . Moreover, if there are any changes on the message $M_{3}$ then $H_{\alpha 6}^{\ast } \mathop{=}\limits^{?} H_{\alpha 6} $ will not hold. Thus, in the proposed work, modifications can be detected.

2) Replay and Suppress Replay Attack

In this attack the adversary tries to impersonate the valid entity by replaying the honest authentication message generated by either $U$ , $GW$ or $SN$ . To proceed with the said attack, the adversary captures the authentication message and replays it in the next session or replays it within the $\Delta T$ frame (so that the same message gets accepted as valid). In the proposed work, every message $M_{1}$ , $M_{2}$ , $M_{3}$ comprises of a timestamp $Timestamp_{U}^{1} $ , $Timestamp_{GW}$ which will be used to prevent against the replays of the message $M_{1}$ , $M_{2}$ , $M_{3}$ but it will not be sufficient for withstanding suppress replay attack. To withstand suppress replay attack the proposed work employs sequence number $Seq_{Num}$ to withstand suppress replay attack of the message $M_{1}$ , $M_{2}$ as after the exchange of the message $M_{2}$ new sequence number will be updated $NewSeq_{Num} $ (to prevent suppress replay of either message as previous sequence number $Seq_{Num}$ becomes invalid) and to prevent suppress replay of the message $M_{3} $ , a sequence number $Seq_{SN}$ and a new sequence number $NewSeq_{SNNum}$ is used. Thus, the proposed work can withstand replay and suppress replay attack.

3) Known Session Specific Temporary Information Attack

In this attack, the session specific information such as $Nonce_{U}^{1} $ , $Nonce_{G} $ , $Nonce_{GW1} $ , $Timestamp_{U}^{1} $ , $Timestamp_{GW} $ , $A$ , $B$ , $A_{SN} $ , $B_{SN} $ , $NewSeq_{Num} $ and $NewSeq_{SNNum} $ are made available to the adversary. Here using the attained information the adversary cannot attain the session key as $h_{1} =h(Nonce_{U}^{1} \vert \vert ID_{U} \vert \vert Key_{U})$ , $h_{2} =h(ID_{U} \vert \vert Seq_{Num} \vert \vert HPwd)$ , $h_{3} =h(Timestamp_{U}^{1} \vert \vert Seq_{Num} \vert \vert PublicIdentifier_{U} \vert \vert ID_{U} \vert \vert Nonce_{U}^{1})$ and the information of $\{ID_{U}, Key_{U}, Seq_{Num}, HPwd\}$ is not available to the adversary. Moreover, since the information of $\{ID_{SN}, Key_{SN}, Seq_{SN} \}$ is not available the adversary using $A_{SN}$ and $B_{SN}$ will not be able to attain the session key. In the proposed work, since all of the above information$\{ID_{U}, Key_{U},Seq_{Num}, HPwd\}$ and $\{ID_{SN}, Key_{SN}, Seq_{SN} \}$ is unavailable to an adversary the adversary cannot perform any other malicious attacks.

4) Impersonation Attack

In the proposed work impersonation of entities $U$ and $GW$ is protected as to impersonate the either entity the adversary must generate $M_{1} = \{PublicIdentifier_{U}, ~H_{\alpha 1}, ~H_{\alpha 2}$ , $Timestamp_{U}^{1}, ~PublicIdentifier_{SN} \}$ and $M_{2} = \{PublicIdentifier_{U}, ~H_{\alpha 3}, ~H_{\alpha 4}, ~H_{\alpha 5},~Timestamp_{GW}, ~A,~B\}$ where $H_{\alpha 1} = h(Nonce_{U}^{1} ~\vert \vert ~GW_{2} ~\vert \vert ~Key_{U} ~\vert \vert ~PublicIdentifier_{U}~\vert \vert ~Timestamp_{U}^{1} ~\vert \vert ~PublicIdentifier_{SN})\oplus Seq_{Num}$ , $H_{\alpha 2} = H(PublicIdentifier_{U} ~\vert \vert ~GW_{1} ~\vert \vert ~PublicIdentifier_{SN} ~\vert \vert ~ID_{U} ~\vert \vert ~Timestamp_{U}^{1} ~\vert \vert ~HPwd)\oplus Nonce_{U}^{1} $ and $H_{\alpha 3} = h~(PublicIdentifier_{U} ~\vert \vert ~Timestamp_{GW} ~\vert \vert ~NewSeq_{Num}~\vert \vert ~Nonce_{G} ~\vert \vert ~Timestamp_{U}^{1})\oplus NewPublicIdentifier_{U} $ (here $NewPublicIdentifier_{U} =h(Timestamp_{GW}~\vert \vert ~ID_{U} ~\vert \vert ~Nonce_{GW} ~\vert \vert ~Key_{v1} ~\vert \vert ~Nonce_{U}^{1} ~\vert \vert ~Timestamp_{U}^{1})$ ), $H_{\alpha 4} =h(Timestamp_{U}^{1} \vert \vert ~Timestamp_{GW} ~\vert \vert ~B ~\vert \vert ~Nonce_{U}^{1} ~\vert \vert ~PublicIdentifier_{U} ~\vert \vert ~ Key_{v1})\oplus ~Nonce_{G} \oplus Nonce_{U}^{1} $ , $H_{\alpha 5} = h(Nonce_{U}^{1}~\vert \vert ~ID_{U} ~\vert \vert ~A~\vert \vert ~PublicIdentifier_{U} ~\vert \vert ~NewPublicIdentifier_{U} \vert \vert B \vert \vert ~Timestamp_{GW}~\vert \vert ~Timestamp_{U}^{1}) \oplus NewSeq_{Num} $ . Since the adversary cannot generate either authentication message thus the proposed work is secure against impersonation attack.

5) DOS Attack

This attack focuses on making the resources of the system unavailable temporarily or permanently to the hosts connected to the network over the internet. In the proposed work, since every message is bounded by a timestamp $Timestamp_{U}^{1} $ , $Timestamp_{GW} $ and a sequence number $Seq_{Num} $ (sequence number for the user used to expedite the authentication process) and $Seq_{SN}$ (sequence number for the sensor node used to expedite the authentication process) respectively. Thus, if the message is replayed or suppress replayed then the entities $U$ , $GW$ , $SN$ will reject the messages and since the scheme is based on hash function the requests will be processed efficient manner. Thus, the proposed work can withstand DOS attack.

6) Identity Compromise Impersonation Attack

In the proposed work if the identity of sensor node $SN$ or the user $U$ is compromised then the proposed work is secure as the to impersonate the sensor node $SN$ credentials $\{ID_{SN}, Key_{SN}, Seq_{SN} \}$ are required and to impersonate the user $U$ credentials $\{ID_{U}, Key_{U}, Seq_{Num}, HPwd\}$ are required and since the above credentials other than $ID_{SN} $ or $ID_{U} $ are unavailable thus the proposed work is secure against the identity compromise impersonation attack.

7) Perfect Forward Secrecy

The knowledge of current session key $Key_{Session} $ will not provide sufficient information to derive future keys as in the proposed work since the session specific information such as $Nonce_{U}^{1} $ , $Nonce_{G} $ , $Nonce_{GW1} $ , $Timestamp_{U}^{1} $ , $Timestamp_{GW} $ , $A$ , $B$ , $A_{SN} $ , $B_{SN} $ , $NewSeq_{Num} $ and $NewSeq_{SNNum}$ are different for every session. Thus, the resultant $h_{1}$ , $h_{2} $ , $h_{3}$ , $h_{4}$ , $h_{5}$ and $h_{6} $ are different for every session, thus the resultant session key $Key_{Session}$ will be different thus the proposed work provides perfect forward secrecy.

8) Mobile Loss Attack

In the proposed work if the mobile device is lost, then the active adversary can attain the stored credentials $\{PublicIdentifier_{U}, GW_{1}, GW_{2}, GW_{3}, Nonce_{U}, Seq_{Num}$ , $Timestamp_{U}, H(.),Mod_{Set} \}$ but since the adversary has no information about the user identity $ID_{U} $ and a password $Pwd$ thus the proposed work is secure as the wrong attempts are logged in the proposed system. Thus, the proposed work is secure against the mobile loss attack.

9) Known Key Attack

In the proposed work, if a session key $Key_{Session} $ is exposed then also the proposed work is secure as the session key is dependent on new session modulus $h_{1}$ , $h_{2}$ , $h_{3}$ , $h_{4}$ , $h_{5}$ , $h_{6}$ and ephemerals $A$ , $B,A_{SN}$ , $B_{SN} $ respectively. Since the value will be constantly changing, thus the adversary cannot predict the session key due to random session modulus and session specific ephemerals used to attain a given session key for protecting the exchanged data.

10) Unlinkability

In the proposed work, the pseudonym $PublicIdentifier_{U} $ changes every session. Thus, a random pseudonym is used for every communication as a result, the adversary will not be able to link two authentication message from the same user $U$ . Moreover, in the proposed work there is a presence of a sequence number $Seq_{SN} $ and $NewSeq_{SNNum}$ for the message generated for sensor node $SN$ , thus the two messages from the gateway node $GW$ cannot be linked together. Thus the proposed work provides unlinkability.

11) Anonymity

In the proposed work since for every communication from the user $U$ side there is a presence of new pseudonym $NewPublicIdentifier_{U} =h(Timestamp_{GW} \vert \vert ID_{U} \vert \vert Nonce_{GW} \vert \vert ~Key_{v1} \vert \vert Nonce_{U}^{1} \vert \vert Timestamp_{U}^{1})$ which will be used as a pseudonym $PublicIdentifier_{U}$ for the next session. Thus, the proposed work provides anonymity.

12) Man in the Middle Attack

In the proposed work, since any anomaly caused by the adversary (such as modifications, replays, etc.) on the message will be detected, thus the role of the adversary is limited to just observing the message.

SECTION VII.

Performance Analysis

In this section a tangible comparison of the proposed work is done with the existing scheme. The comparison of the proposed scheme is done in terms of execution time and communication overhead, and security features.

A. Communication Cost, Storage Cost and Execution Time

In this section the total computation cost and communication cost is presented. For communication cost of different protocols, the sensor node’s identity, gateway’s identity, output of hash function, random number are all taken as 160 bits. The length of user’s identity, pseudonym and timestamps are respectively 80 bits, 80 bits and 32 bits. The length of the modular exponentiation output is 1024 bits. The subgroup G of ECC is 160 bits, and the size of element in G is 320 bits. The block size of symmetric cryptography is 128 bits. The approach used is similar to [6], [9]. Fig 2 depicts the overall cost. The communication costs of different schemes are taken from [4], [6]. In the proposed work the exchanged messages are $M_{1} = \{PublicIdentifier_{U}, ~H_{\alpha 1}, ~H_{\alpha 2}, ~Timestamp_{U}^{1},~PublicIdentifier_{SN} \}$ , $M_{2} = \{PublicIdentifier_{U}, ~H_{\alpha 3},~H_{\alpha 4},~H_{\alpha 5}, ~Timestamp_{GW}, ~ A,~B\}$ and $M_{3} =\{PublicIdentifier_{SN},~H_{\alpha 6}, ~H_{\alpha 7}, ~H_{\alpha 8}, ~Timestamp_{GW}, ~A_{SN}, ~B_{SN} \}$ where in message 1 the pseudo-nym $PublicIdentifier_{U} $ is dependent on hash output, thus it is 160 bits, for $H_{\alpha 1}, H_{\alpha 2} $ the value is 160 each as they are hash outputs, for timestamp the communication overhead is 32 bits and for $PublicIdentifier_{SN} $ the overhead is 80 bits. Thus, for $M_{1}$ the communication overhead is 592 bits. Similarly for other messages 2, 3 the communication overhead is 160 X1 + 160 X1 + 160 X1 + 160 X1 + 32 X1 + 160 X1 + 160 X1 = 992 bits (for message 2) and 80 X1 + 160 X1 + 160 X1 + 160 X1 + 32 X1 + 160 X1 + 160 X1 = 912 bits (for message 3). Thus, the total communication cost of the proposed scheme is 2496 bits. Furthermore, it can be evident that the overall exchanged messages of schemes are 4n, 4n, 3n, 3n, 4n, 4n and 3n. Now, the overall cost associated with the registration phase and the storage of these credentials on the storage device is communicated. The approach used is similar to that of [7], [45]. Using the similar sizes depicted earlier, it can be concluded the overall costs associated with the registration and storage cost on the storage device.

FIGURE 2.

Total communication cost of different scheme.

Show All

The approach used is similar to that of [7], [45]. Using the similar sizes depicted earlier, it can be concluded the overall costs associated with the registration and storage cost on the storage device. For [1] the exchanged messages are $\{ID_{U}, \overline {pw_{U}} \}$ , $\{A_{U}, B_{U}, W_{U}, h(.)\}$ . But the stored credentials on the mobile device are $\{A_{U}, B_{U}, W_{U}, b_{U},h(.)\}$ where the values $A_{U}, B_{U}, W_{U} $ comprise of 160 bits each as they correspond to hashed out, it is further assumed that the information with regards to the hash function used is also 160 bits, thus the resulting stored value on the mobile device is 800 bits. In case of [2] the exchanged messages are $\{ID_{U} \}$ , $\{SID_{UR}, X,ID_{GW}, G,P, \Gamma, \Delta, L,H,F\}$ and the stored credential on the smart card are replaced with $TID_{UR} $ , thus the overall storage cost is 1760 bits as the $TID_{UR} $ comprises of hashed output which results is 160 bits, $X$ results in 320 bits as it is an element in group $G$ , the value associated with algorithms or groups is assumed to be 160 bits, thus the resulting cost becomes $160~\mathrm {X} 8 = 1280$ bits, thus the total storage cost results in 1760 bits. For scheme in [3] the overall storage cost is 640 bits, the above is because the exchanged message is $\{ID_{i}, TS_{i}, VI_{i}, TPW_{i}, A\}$ and then the gateway node stores the credentials $\{H(.),PID_{i}, TE_{i}, PTC_{i} \}$ into the smart card, thus the overall storage cost is 640 bits. For scheme in [4] the overall storage cost is associated with storing the exponentiation credentials related to identity thus, the user sends $\{(g^{x})=(id)\}$ to the gateway and the user stores the value of $g$ , $x$ and $g^{x}$ , thus the stored values will be 1344 bits as the value of $g$ , $x$ will be 160 bits each and $g^{x}$ will result in 1024 bits, thus the total storage cost will be 1344 bits. In [5] the exchanged messages are $ID_{U} $ , $\{K_{ug}, (SID_{U}, K_{em}),Ts_{ug}, h(.)\}$ and once the user attains the later message, it generates its new password and updates the credentials on the smart card as $\{K_{ug}^{\ast }, f_{U}^{\ast }, (SID^{\ast },K_{em}^{\ast }), Ts_{ug}, h(.)\}$ . Thus, the stored credentials amount to 960 bits as all of the updated credentials are dependent on the hash output, and the random number $Ts_{ug}$ corresponds to 160 bits, thus the total stored credential value is 960 bits. For [6] the exchanged messages during registration are $\{ID_{U}, HPW_{U}, R_{U} \}$ , $\{B_{1}, B_{2}, B_{3} \}$ and once the above credentials are attained then the user stores the parameters $\{P_{U}, r_{U}, B_{1}, B_{3}, X,Gen(.),Rep(.)\}$ into the mobile device, thus the overall storage cost is 960 bits, as the value of $B_{1}$ , $B_{3}$ is dependent on hash output they contribute to 160 bits each, the value of $P_{U}$ , $r_{U}$ is derived from a fuzzy extractor, thus they contribute to 320 bits. The $X$ is a subgroup of $G$ thus occupy 160 bits, and the two functions also correspond to 160 bits each, thus the total storage cost associated with [6] is 1120 bits. In the proposed work, the messages which are exchanged during the registration phase are $\{ID_{U}$ , $PublicIdentifier_{U}$ , $HPwd\}$ ,$\{PublicIdentifier_{U}, ~GW_{1}, ~GW_{2}, ~GW_{3},~Seq_{Num}, ~H(.)$ , $Mod_{Set} \}$ while the credentials stored on the mobile device are $\{PublicIdentifier_{U}, GW_{1}, GW_{2},GW_{3}, Nonce_{U}, Seq_{Num}$ , $Timestamp_{U},H(.),Mod_{Set} \}$ and the overall communication cost is 1232 bits, the above is because the initial pseudonym accounts for 80 bits, the $GW$ values each correspond to 160 bits as these are hash based outputs, the $Nonce_{U}, Seq_{Num} $ are the random numbers which accounts for 160 bits each, whereas timestamp is 32 bits and the hash function and the modulus condition parameter is 160 bits each, thus in total it is 1232 bits. The cost of different Cryptographic operations are taken from [7], [8] and [47] according to which execution time of different operations are Elliptical Curve multiplication $T_{m}=0.442$ ms, Symmetric Key Encryption/Decryption $T_{E/D} = 0.1303$ ms, Hash Operation $T_{h} =0.0001$ ms, Modular Exponentiation $T_{Exp} =0.522$ ms, Multiplication $T_{mul} = 0.015$ ms and Modular Inverse $T_{Inv} = 0.174$ ms. The cost of different schemes are taken from [1]–[6]. Figure 3 depicts execution time of various schemes, which is derived from table 4. The proposed work is secure against Privileged-insider-attack, the same can be proved using the approach delineated in [5], [39]. For the proposed work, the computation cost is $32T_{h} +4T_{mul} +1T_{inv} $ , the said is because, the computation cost of getting authenticated is $3T_{h} $ while generation of authentication credentials in message $M_{1} $ and validation of message $M_{2}$ will take $11T_{h}$ (as the user must initially get authenticated adhered to which generate $H_{\alpha 1}$ , $H_{\alpha 2}$ , $h_{1}$ , $h_{2}$ , $h_{3} $ and validate $H_{\alpha 4}, H_{\alpha 5} $ adhered to which compute new pseudonym associated with the user). Once the user associated credentials are authenticated then the mobile computes the session key by performing a multiplication and attaining $\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}$ adhered to which the mobile device computes the session key $Key_{Session} =[\{A\bmod (h_{1})\}\cdot \{B\bmod (h_{2})\}]\bmod (h_{3})$ . Thus, the resulting computation above becomes $11T_{h} +1T_{mul} $ , in case of sensor node, the sensor node attains $M_{3} =\{PublicIdentifier_{SN}, ~H_{\alpha 6}, ~H_{\alpha 7},~H_{\alpha 8}, ~Timestamp_{GW}, ~A_{SN},~B_{SN} \}$ which the sensor node authenticates by validating the hash based credentials, thus it computes 3 hashes adhered to which it generates session specific modulus $h_{4}$ , $h_{5}$ , $h_{6}$ for which the sensor node must compute 3 hashes, thus for authenticating and attaining the modulus, the sensor node must compute a total of 6 hashes. Once, the above credentials are computed the sensor node must then compute session key by performing $\{A_{SN} \bmod (h_{4})\}\cdot \{B_{SN} \bmod (h_{5})\}$ adhered to which the sensor node computes the session key $Key_{Session} =[\{A_{SN} \bmod (h_{4})\}\cdot \{B_{SN} \bmod (h_{5})\}]\bmod (h_{6})$ . Thus, the total computation cost is $6T_{h} +1T_{mul} $ . For gateway node, the computation cost is summation of costs of generation of authentication credentials associated with user and sensor node as well as the modulus values associated with these entities and also generation of ephemerals $A$ , $B$ , $A_{SN}$ , $B_{SN}$ , thus the total computation cost becomes $15T_{h} +2T_{mul} +1T_{inv} $ (as the gateway node must also compute one inverse to attain the value of $B_{SN}$ ). In the proposed work, the total computation cost is $32T_{h} +4T_{mul} +1T_{inv}$ (using the execution parameters defined above, the total time as 0.2372 ms).

TABLE 4 Execution Cost

TABLE 5 Communications Cost

TABLE 6 Comparison of Various Security Feature

FIGURE 3.

Total execution time of different scheme.

Show All

B. Comparison of Various Security Feature

The table above summarizes different attacks and depicts the vulnerabilities of different schemes. In this section several security features are provided, the term “YES” implies that the proposed scheme can withstand the said attack. While “NO” states that the said work does not satisfy the given feature. The proposed work has been motivated by [5], [38]–[40] where hash based lightweight scheme has been proposed, thus the proposed work utilizing these credentials has been developed. The proposed scheme brings more reliability due to enhanced security features. Moreover, the proposed work is secure against Privileged-insider-attack this can be proved using the approach depicted in [5], [39].

SECTION VIII.

Conclusion

In this paper, a lightweight authentication and key agreement protocol for WSN in IIOT environment is proposed, where the proposed work resulted in fast authentication and unpredictable pseudonym update phase. The security of the proposed work is proved using Real-or-Random oracle model, AVISPA, BAN logic and informal security analysis. Moreover, the cryptanalysis of a ECC based authentication and key agreement scheme was presented as a result, new security goals were scoped; a new scheme overcoming vulnerabilities. The proposed work overcomes vulnerabilities present in the existing schemes and provides a new means to exchange session key faster. The rapid growth in IOT technology will lead to heavy applications in healthcare, intelligent transport systems and industrial fields where security and privacy are the major concerns. The proposed work, presents an approach which can make it useful for above applications.

References is not available for this document.

Hash-Based Conditional Privacy Preserving Authentication and Key Exchange Protocol Suitable for Industrial Internet of Things

Alerts

Abstract:

Metadata

Abstract:

Introduction

Related Works

Review of Xiong $et ~al$ . Scheme

A. Registration Phase

1) Sensor Node Registration

2) User Registration

Step 1:

Step 2:

Step 3:

B. Authentication and Key-Agreement Phase

Step 1:

Step 2:

Step 3:

Step 4:

Step 5:

Security Weakness and Design Flaws in Xiong $et~al$ . Scheme

Definition 1:

Definition 2:

Definition 3:

Definition 4:

Definition 5:

A. DOS Attack

1) Gateway Node DOS Attack

Step 1:

Step 2:

Step 3:

Step 4:

2) Sensor Node DOS Attack

Step 1:

Step 2:

Step 3:

Step 4:

B. Identity Compromise Impersonation Attack

1) Attaining Secret Parameters (When Identity is Exposed) and Performing User Impersonation Attack

Step 1:

Step 2:

2) Key-Offset Attack

Step 1:

Step 2:

Step 3:

C. Known Session Specific Temporary Information Attack (KSSTI Attack)

1) User Impersonation

Step 1:

Step 2:

2) Gateway Node Impersonation and Sensor DOS Attack

Step 1:

Step 2:

Step 1:

Step 2:

3) Sensor Node Impersonation and Key-Offset Attack

Step 1:

Step 2:

Step 3:

Step 1:

Step 2:

Step 3:

4) Attaining the Session Key

Proposed Scheme

A. Registration Phase

1) Sensor Node Registration

2) User Registration

Step 1:

Step 2:

Step 3:

B. Authentication and Key-Agreement Phase

Step 1:

Step 2:

Step 3:

Step 4:

Step 5:

C. Password Change Phase

Step 1:

Step 2:

Security Analysis

A. Authentication Proof Using BAN Logic