Next Article in Journal
Cortical Activation in Mental Rotation and the Role of the Corpus Callosum: Observations in Healthy Subjects and Split-Brain Patients
Next Article in Special Issue
A Robust and Anonymous Three-Factor Authentication Scheme Based ECC for Smart Home Environments
Previous Article in Journal
Preliminary Study on the Loss Laws of Bearing Capacity of Tunnel Structure
Previous Article in Special Issue
A Practical Privacy-Preserving Publishing Mechanism Based on Personalized k-Anonymity and Temporal Differential Privacy for Wearable IoT Applications
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT

Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing, Tianjin University, Tianjin 300350, China
Symmetry 2021, 13(10), 1952; https://doi.org/10.3390/sym13101952
Submission received: 15 September 2021 / Revised: 4 October 2021 / Accepted: 12 October 2021 / Published: 16 October 2021

Abstract

:
Vinoth et al. proposed an authenticated key agreement scheme for industrial IoT (Internet of Things) applications. Vinoth et al.’s scheme aimed to protect the remote sensing data of industrial IoT devices under hostile environments. The scheme is interesting because the authorized user is allowed simultaneously to access the multiple IoT sensing devices. Therefore, we carefully analyzed the security and privacy implications of Vinoth et al.’s scheme. Our findings are summarized as follows. One, Vinoth et al.’s scheme failed to defeat user impersonation attacks. Second, Vinoth et al.’s scheme did not prevent IoT sensing device impersonation attacks. Third, Vinoth et al.’s scheme suffered from replay attacks. Fourth, Vinoth et al.’s scheme was vulnerable to desynchronization attacks. Fifth, Vinoth et al.’s scheme could not maintain user privacy. As a case study, our analysis results enlighten researchers and engineers on the design of robust and efficient authenticated key agreement schemes for IoT applications.

1. Introduction

The Internet of Things (IoT) is a fast development in the long and continuing revolution of communications and computing. The IoT has expanded the interconnection of billions of industrial and personal objects through IoT sensing devices, which are typically composed of sensors, actuators, microcontrollers, transceivers, and batteries. IoT sensing devices bound to objects deliver sensor information, act on their environments, and in some cases adapt for the overall management of a larger system, such as a factory [1] or a city [2]. Moreover, these devices always communicate each other and form a remote sensing network. As a typical scenario, Industrial IoT is deployed for achieving intelligent manufacturing because of its advantages in automatic monitoring and efficient control. Under the industrial IoT environment, sensing devices can be remotely accessed and controlled by authorized users. During the process of industrial production, sensing devices collect real-time data. Users obtain this real-time data and then send control commands according to said data.
IoT sensing security [3] is perhaps the most complex and immature area of cybersecurity. The following characteristics hinder secure IoT sensing:
(1) Very large attack surfaces: There is a wide variety of points of vulnerability in IoT sensing systems and a large amount of data that may be compromised.
(2) Widespread deployment: There is ongoing, rapid deployment of IoT arrangements in commercial and industrial environments and, more importantly, in critical infrastructure environments. Most IoT sensing devices are remote and out of control. These deployments are attractive targets for security attacks.
(3) Constrained device resources: IoT sensing devices are typically constrained, with limited memory, processing power, and power supply.
(4) Low cost: IoT sensing devices are always manufactured, purchased, and deployed in the millions. This fact provides great incentive for manufacturers and customers to minimize the cost of these devices.
Motivation of This Paper. In the normal course of things, the user requires simultaneously access to multiple IoT sensing devices for a complex industrial task. Because of serious security and privacy threats, IoT sensing devices, especially remote devices, are required to support mutual authentication and secret key establishment with their users. The authenticated key agreement scheme provides authentication and key establishment services among users and multiple IoT sensing devices. We therefore analyzed the security and privacy of the authenticated key agreement scheme. Our research focused on not only outside but inside attackers, i.e., malicious users and corrupt IoT sensing devices.

1.1. Industrial IoT Sensing Model and Its Authenticated Key Agreement Scheme

In this section, we describe the sensing model and authenticated key agreement scheme studied in this paper.

1.1.1. Industrial IoT Sensing Model

The sensing model is depicted in Figure 1. There are three categories of entities, i.e., gateway nodes (GWNs), users, and industrial IoT sensing devices.
(1) GWN: GWNs interconnect IoT sensing devices with high-level communication networks and perform the necessary translation between the protocols used in communication networks and those used in IoT sensing devices.
(2) Users: The users are allowed to access IoT sensing devices through GWNs. They gain security and privacy services with the help of embedded devices such as smart cards.
(3) IoT sensing devices: IoT sensing devices are utilized to monitor the status of objects and collect the information stored therein. Users can obtain the information collected by these devices in real time.
In our industrial IoT sensing model, we assumed that the users and the IoT sensing devices were untrusted entities. GWNs [4], meanwhile, cannot be compromised and were therefore considered to be fully trusted by the users and the IoT sensing devices. This assumption is reasonable because GWNs are usually placed in secure environments and equipped with tamper-resistant devices.

1.1.2. Authenticated Key Agreement Scheme

To set up a secure sensing network, the GWN initially writes some authentication credentials into IoT sensing devices. The user first registers to the GWN, and both the user and GWN write the authentication credentials into the user’s embedded device. When the registered users want to access the deployed IoT sensing devices, they run an authentication session using their embedded device. During the authentication session, GWN helps the user and the IoT sensing devices authenticate each other and establish a shared secret key for subsequent secure communication. In addition, the users can change their authentication credentials, and the GWN can allow new IoT sensing devices to join the deployed sensing network and revoke existing devices from said network.
However, an attacker may exploit the vulnerabilities in the authenticated key agreement scheme to perform attacks, because the messages of the authentication session are often transmitted through a public channel, and this brings security problems in the industrial IoT environment. It is possible for an inside or outside attacker to impersonate an authorized user to obtain data by accessing sensing devices or to impersonate a legal IoT sensing device to provide fake data. These unsatisfactory security risks could lead to the destruction of industrial activity.

1.2. Related Work

In recent years, many authenticated key agreement schemes [5,6] have been proposed for IoT remote sensing environments, such as industrial IoT, telemedicine, and smart home. We review previous work on four dimensions.
From the user credentials perspective, authenticated key agreement schemes are classified into two categories, i.e., two- and three-factor (multifactor) schemes. In two-factor schemes [7,8,9,10,11,12,13,14,15], the security of the user is protected by both the secret key stored in the smart card and the human-memorizable password, and the user applies the password and the smart card to complete the authentication session. Compared to two-factor schemes, three-factor schemes [4,16,17,18,19,20,21,22] add biometrics to the user credentials; that is, the user must provide the smart card, the password, and biometrics at the same time.
In many privacy applications, the users does not want authentication sessions to be associated with their identity. This means that the user’s identity is disclosed only to an authorized set of GWN and IoT sensing devices during the authentication sessions. Therefore, to preserve user privacy, authenticated key agreement schemes [23,24,25,26,27] thwart attempts to disclose or link users’ identities by exploiting their authentication sessions.
Many researchers have extended authenticated key agreement schemes [28,29,30,31,32,33,34] to multi-gateway IoT environments. These revised schemes provide the user with a single sign under a set of GWNs. That is, when the user is authenticated by a GWN in the set of GWNs, he/she can access all IoT sensing devices governed by the set of GWNs even if the devices in question are not directly managed by the specific GWN that authenticated the user. In addition, the multi-gateway schemes can solve the packet-collision problem due to single GWN mode.
Users often access multiple IoT sensing devices to complete complex tasks. It is inefficient for the user to run a separate authentication session with each IoT sensing device. Moreover, the logical relevance of the authentications and the shared secret keys cannot be guaranteed if the user independently runs several authentication sessions for a task. Hence, some authenticated key agreement schemes [4,35,36] have recently begun to provide authentication and group secret-key establishment between the user and multiple IoT sensing devices in an authentication session.

1.3. Our Contributions

In the IEEE Internet of Things Journal, Vinoth et al. [4] proposed an authenticated key agreement scheme that aimed to protect the remote sensing data of industrial IoT under the hostile environments. We carefully analyzed security and privacy under Vinoth et al.’s scheme. Our results are as follows.
(1) Vinoth et al.’s scheme failed to defeat a user impersonation attack. A legal but malicious user could impersonate IoT sensing devices, other users, and the GWN.
(2) Vinoth et al.’s scheme did not prevent IoT sensing device impersonation attacks. A legal but corrupt IoT sensing device can impersonate users, the GWN, and other IoT sensing devices.
(3) Vinoth et al.’s scheme suffered from replay attacks. Attackers can reuse the previous message in the authentication session to cheat the user and the GWN.
(4) Vinoth et al.’s scheme was vulnerable to desynchronization attacks. In these attacks, an attacker induces an inconsistent internal status between the user and the GWN. This security flaw causes the GWN to deny the service for the user.
(5) Vinoth et al.’s scheme cannot maintain user privacy. User identity is compromised during the run of the authentication session.
As a matter of convenience, in Table 1, we list some notation used throughout our paper.

2. Review of Vinoth et al.’s Authenticated Key Agreement Scheme

2.1. Scheme Description

Vinoth et al.’s scheme is composed of seven phases: the offline sensing device registration phase, the user registration phase, the login phase, the authenticated key agreement phase, the biometrics and password update phase, the dynamically sensing device joining phase, and the sensing device revocation phase. For a self-contained discussion, we review the first four phases, which are related to our discussion. The full technical details of Vinoth et al.’s scheme can be found in [4].

2.1.1. Offline Sensing Device Registration Phase

GWN picks a unique IDSj for Sj, where j = 1, 2, …, n. GWN then chooses a KGWN-Sj and two n-dimensional vectors Vector1 and Vector2 such that KGWN-Sj= Vector1·x0 and KGWN-Sj2 = Vector2·x0, where x0 = φ(GWN). GWN calculates sj = Vector1·xj and fj = Vector2·xj, where xj = φ(Sj) (1 ≤ jn). GWN computes and stores λt, where K GWN - S j = t = 1 n λ t s t and K GWN - S j 2 = t = 1 n λ t f t . GWN selects the pairwise relative positive numbers kj for each Sj (1 ≤ jn). GWN computes Mul = j = 1 n k j and Mulj = Mul/kj and generates a random number Noncej such that Mulj × Noncej ≡ 1 mod kj. GWN computes γ = j = 1 n Var j = j = 1 n Mul j × Nonce j and stores γ. GWN securely sends IDSj, sj, fj, and kj to each Sj (1 ≤ jn), and then Sj stores them. In the end, GWN deletes other messages.

2.1.2. User Registration Phase

Step 1: U chooses a unique IDU and a PW, imprints the B, and computes (BK, τ) = Gen(B). U generates a random 128-bit number a, calculates TPW = h(IDUPWBK)⊕a, and securely sends the message <IDU, TPW> to GWN.
Step 2: When receiving <IDU, TPW>, GWN randomly generates a 1024-bit KGWN and a 128-bit TIDU, and then computes KGWN-U = h(IDUKGWN), A = KGWN-UTPW, and C = IDGWNTPW. GWN stores TIDU, IDU, and KGWN-U in its database. Finally, GWN writes {TIDU, A, C, h()} into a smart card and securely sends the card to U.
Step 3: When receiving the card, U computes RPW = h(IDUPWBK), A’ = ATPWRPW, D = ah(IDUBK), C’ = CTPWh(IDUBK), and Vh(RPWAah(IDUBK)) mod ω, where ω is the medium integer [37,38,39]. Finally, U rewrites {TIDU, A’, C’, D, V, Gen(), Rep(), h(), τ, ω} into the card.

2.1.3. Login Phase

Step 1: U inserts the smart card into the card reader, and then further inputs the IDU and PW and imprints the B. The smart card reconstructs BK = Rep(B, τ) and computes RPW = h(IDUPWBK), a = Dh(IDUBK), and A = A’⊕a. The smart card further checks whether Vh(RPWAah(IDUBK)) mod ω. If not, the smart card terminates the login request.
Step 2: The smart card generates rU and obtains current TS1. The smart card computes IDGWN = C’⊕h(IDUBK), M1 = A’⊕RPWrU, and M2 = h(TIDUM1IDGWNrUTS1). In the end, the smart card sends the message <TIDU, M1, M2, TS1> to GWN.

2.1.4. Authenticated Key Agreement Phase

Step 1: After receiving <TIDU, M1, M2, TS1>, GWN obtains the current TS1and checks the freshness of the login request by verifying whether |TS1TS1| ≤ ΔTS. If not, GWN terminates this session. GWN searches its database by using the keyword TIDU and retrieves IDU and KGWN-U. GWN calculates rU = M1KGWN-U and checks whether M2 = h(TIDUM1IDGWNrUTS1). If not, GWN terminates this session. GWN generates rGWN (rGWN ≤ min{kj}, j = 1, 2, …, n) and obtains the current TS2. GWN computes M3 = rGWN × γ, M4 = ErGWN(IDU, IDGWN, rU, rGWNKGWN-U), and M5 = h(IDUIDGWNrUM3KGWN-UTS2). Finally, GWN broadcasts the message <M3, M4, M5, TS2> to all Sjs.
Step 2: When receiving <M3, M4, M5, TS2>, each Sj obtains current TS2’ and checks the freshness of the message by verifying whether |TS2TS2’| ≤ ΔTS. If not, Sj terminates this session. Sj computes rGWNM3 mod kj and (IDU, IDGWN, rU, rGWNKGWN-U) = DrGWN(M4), and further checks whether M5 = h(IDUIDGWNrUM3rGWNKGWN-UrGWNTS2). If not, Sj terminates this session. Sj computes M6 = ErGWN(IDSj, sj, fj) and obtains current TS3. Sj returns the message <M6, TS3> to GWN.
Step 3: When receiving <M6, TS3>, GWN obtains current TS3’ and checks the freshness of the message by verifying whether |TS3TS3’| ≤ ΔTS. If not, GWN terminates the session. GWN computes (IDSj, sj, fj) = DrGWN(M6) from each Sj. GWN calculates θ 1 = t = 1 n λ t s t and θ 2 = t = 1 n λ t f t and checks whether θ 1 2 = θ 2 . If not, GWN terminates this session. GWN views θ1 as KGWN-Sj and computes M7 = h(KGWN-SjrGWN), M8 = M7 × γ, and M9 = h(M7M8). Moreover, GWN generates a new temporary identity TIDUnew, obtains the current TS4, and computes M10 = EKGWN-U(rGWN, rU, M7), M11 = h(IDUKGWN-UTS4)⊕TIDUnew, and M12 = h(M10M7rU). In the end, GWN broadcasts the message <M8, M9> to all Sjs and sends the message <M10, M11, M12, TS4> to U.
Step 4: When receiving <M8, M9>, each Sj calculates M7M8 mod kj and checks whether M9 = h(M7M8). If not, Sj terminates this session. Sj computes KU-Sj= h(IDUIDGWNrGWNrUM7KGWN-U) and M13 = h(KU-SjIDGWNIDU), and then sends the message <M13> to U.
Step 5: When receiving <M10, M11, M12, TS4>, U obtains the current TS4’ and checks the freshness of the message by verifying whether |TS4TS4’| ≤ ΔTS. If not, U terminates this session. U computes (rGWN, rU, M7) = DKGWN-U(M10). Then, U checks whether the decrypted rUis equal to the local rU and M12 = h(M10M7rU). If any one of them is unequal, U terminates this session. U calculates KU-Sj= h(IDUIDGWNrGWNrUM7KGWN-U). Furthermore, when receiving <M13> from each Sj, U checks whether M13 = h(KU-SjIDGWNIDU). If not, U terminates this session. U computes TIDUnew = h(IDUKGWN-UTS4)⊕M11 and replaces TIDU with TIDUnew.
Figure 2 shows the process of Vinoth et al.’s login phase and authenticated key agreement phase.

2.2. Vinoth et al.’s Security Assumption

Vinoth et al. claimed that their scheme was secure under the Canetti–Krawczyk threat model [40], which assumes that an attacker can eavesdrop on, intercept, modify, forge, and delete messages transmitted between any two entities over the public channel. An attacker can also impersonate users, IoT sensing devices, and the GWN to receive and send the messages. Furthermore, the attacker has the capability to expose some secrets of the users and the IoT sensing devices. More importantly, the attacker can be an insider, i.e., a user or an IoT sensing device, because users and sensing devices are untrusted entities. Under the Canetti–Krawczyk threat model, we discuss five types of attacks on Vinoth et al.’s scheme.

3. User Impersonation Attack

We showed that Vinoth et al.’s scheme was vulnerable to user impersonation attacks. That is, a legal but malicious user could impersonate IoT sensing devices, any other user, and the GWN in the deployed network. We assume that Ua is a legal but malicious user in Vinoth et al.’s scheme and maintains the identity IDUa, temporary identity TIDUa, and long-term secret key KGWN-Ua shared with GWN.

3.1. Impersonation of IoT Sensing Devices

To impersonate a target Sj, Ua first initiates his/her authentication session with GWN. In Steps 2 and 3 of the authenticated key agreement phase, Ua eavesdrops on GWN’s message <M6, TS3> from Sj and Sj’s <M8, M9> from GWN. When Ua receives the message <M10, M11, M12, TS4> in Step 3 of the authenticated key agreement phase, Ua computes (rGWN, rU, M7) = DKGWN-Ua(M10). Now, Ua is able to compute (IDSj, sj, fj) = DrGWN(M6) and derive γ by evaluating M8/M7.
Figure 3 illustrates that Ua impersonates Sj using γ, IDSj, sj, and fj and cheats the GWN and any other U during an authentication session. In Step 2 of the authenticated key agreement phase, Ua uses M3/γ instead of M3 mod kj to recover rGWN. In Step 4 of the authenticated key agreement phase, Ua uses M8/γ instead of M8 mod kj to recover M7. Other operations of Ua and Sj are exactly the same. After the authentication session, U shares KU-Sj = h(IDUIDGWNrGWNrUM7KGWN-U) with Ua instead of Sj and updates a new temporary identity TIDUnew.

3.2. Impersonation of Other Users

Assume that any other user U runs the login phase and authenticated key agreement phase. In Step 1 and Step 3 of the authenticated key agreement phase, Ua eavesdrops on Sj’s message <M3, M4, M5, TS2> from GWN and U’s message <M10, M11, M12, TS4> from GWN. From Section 3.1, we know that Ua obtains GWN’s γ. Hence, Ua computes rGWN = M3/γ and (IDU, IDGWN, rU, rGWNKGWN-U) = DrGWN(M4). Since Ua has U’s IDU and KGWN-U, Ua can further compute U’s new temporary identity TIDUnew by computing h(IDUKGWN-UTS4)⊕M11. Now, Ua can exploit U’s IDU, KGWN-U, and TIDUnew to impersonate U in a new authentication session.

3.3. Impersonation of GWN

Ua can impersonate GWN to cheat U and Sj. First, Ua obtains IDU, KGWN-U, IDGWN, and γ as described in Section 3.2. Figure 4 shows how Ua impersonates GWN. In Step 3 of the authenticated key agreement phase, Ua neither decrypts M6, retrieves KGWN-Sj, nor computes M7 = h(KGWN-SjrGWN). Instead, Ua directly replaces M7 with his/her random RN. Note that both U and Sj should authenticate each other and share KU-Sj = h(IDUIDGWNrGWNrURNKGWN-U), because they do not check the validity of M7.

3.4. Further Disscussion

In every authentication session of Vinoth et al.’s scheme, the GWN uses its long-term secret key γ to secure its short-term secret key rGWN for each user and each IoT sensing device. However, any user can directly recover γ after an authentication session. Hence, the user derives all the secrets of other users, the GWN, and IoT sensing devices and implements the impersonation attacks. To defeat a user’s impersonation attack, γ cannot be disclosed to users.
User impersonation attacks are a serious threat under industrial IoT environments. Malicious users may impersonate other, honest users to collect sensitive industrial data or set dangerous processing instructions. By impersonating IoT sensing devices, malicious users can provide fake industrial data to other users. If malicious users employ impersonation of the GWN, they can manipulate a secure connection between the target user and IoT sensing devices. That is, malicious users can decide which IoT sensing devices can be connected to the target user.

4. IoT Sensing Device Impersonation Attacks

We showed that Vinoth et al.’s scheme was vulnerable to IoT sensing device impersonation attacks. That is, any legal but corrupt sensing device could impersonate users, the GWN, and any other IoT sensing devices in the deployed network. We assumed that Sj is a legal but corrupt IoT sensing device.

4.1. Impersonation of Users

To obtain TIDU, Sjeavesdrops on GWN’s message <TIDU, M1, M2, TS1> during Step 2 of the login phase. Sjfurther obtains U’s IDU, IDGWN, and KGWN-U in Step 2 of the authenticated key agreement phase. However, Sj does not return the message <M6, TS3> to GWN. In this situation, both U and GWN terminate this session and therefore fail to update TIDU. Alternatively, Sj returns the message <M6, TS3> to GWN in Step 2 of the authenticated key agreement phase and further eavesdrops on U’s message <M10, M11, M12, TS4> during Step 3 of the authenticated key agreement phase. At this time, Sj further obtains TIDnew by computing h(IDUKGWN-UTS4)⊕M13. Now, Sj knows all of U’s secrets. As shown in Figure 5, Sj can start a new authentication session and perform the following steps to impersonate U:
(1) In Step 2 of login phase, Sjuses KGWN-U, TIDU, and IDGWN to generate M1 and M2.
(2) In Step 5 of authenticated key agreement phase, Sjdoes exactly the same as U.
At the end of the authentication session, Sm (1 ≤ mjn) authenticates Sj as U and shares KU-Sj = h(IDUIDGWNrGWNrUM7KGWN-U) with Sj.

4.2. Impersonation of GWN

Moreover, in Step 2 of the authenticated key agreement phase, Sj can use kj to compute rGWNM3 mod kj. Hence, Sjcan further derive GWN’s γ by computing M3/rGWN. Now, Sj can exploit TIDU, IDU, KGWN-U, IDGWN, and γ to impersonate GWN. As shown in Figure 6, the fake GWN impersonated by Sj omits M6, generates its own RN, and then replaces M7 with RN. Both U and Sj believe that RN is a legal M7 because they do not check the validity of M7. Finally, both U and Sm authenticate each other and share KU-Sj = h(IDUIDGWNrGWNrURNKGWN-U).

4.3. Impersonation of Other IoT Sensing Devices

If Sj wants to impersonate any other IoT sensing device Sm(1 ≤ mjn), Sj first eavesdrops on Sm’s message <M6, TS3> during Step 2 of the authenticated key agreement phase and computes (IDSm, sm, fm) = DrGWN(M6).
As shown in Figure 7, Sj can impersonate Sm using IDSm, sm, fm, and kj in a new authentication session. In Step 2 of the authenticated key agreement phase, Sj recovers rGWN by computing M3 mod kj. Then, Sj uses IDSm, sm, fm to fabricate Sm’s M6. In Step 4 of the authenticated key agreement phase, Sj calculates M7 by computing M8 mod kj. At the end of the new authentication session, U believes that Sj is Sm and shares KU-Sj = h(IDUIDGWNrGWNrUM7KGWN-U) with Sj.

4.4. Further Disscussion

A legal but corrupt Sj can derive U’s TIDU, IDU, and KGWN-U; GWN’s IDGWN and γ; and another IoT sensing device Sm’s IDSm, sm, and fm from the public messages of the authentication session. Hence, Sj successfully impersonates U, GWN, and Sm by exploiting those secret parameters. To defeat the proposed attacks, Vinoth et al.’s scheme should avoid disclosing the secret parameters of other entities to Sj.
Industrial IoT sensing devices are perhaps exposed to hostile environments. An attacker may hijack and compromise industrial IoT sensing devices by physical means or Trojan horses. Once the attackers control an industrial IoT sensing device, they can subvert the industrial IoT sensing system just like the malicious user described in Section 3.4.

5. Replay Attack

As shown in Figure 2, we found that Sj’s TS3 in the message <M6, TS3> was not protected by any cryptographic mechanism. Based on this observation of Vinoth et al.’s scheme, an outside attacker can eavesdrop on a valid message <M6, TS3> in a normal run of the authenticated key agreement phase. Then, the attacker reuses M6 and attaches the current timestamp TS3* to impersonate Sj. Figure 8 describes this replay attack on Vinoth et al.’s scheme. After the replay attack, GWN believes that the attacker is Sj, although the attacker does not know any secret of Sj. Meanwhile, U does not authenticate the attacker as Sj. Note that GWN actually finishes its session in Step 3 of the authenticated key agreement phase and updates U’s temporary identity. As a result, GWN updates the old TIDU to a new TIDUnew, but U still keeps the old TIDU. This means that U cannot log into the deployed network anymore, because during Step 1 of the authenticated key agreement phase, GWN fails to retrieve IDU and KGWN-U according to U’s old TIDU. For the industrial IoT sensing system, the legal user faces denial of service once the attacker implements the replay attack.
To fix this vulnerability, we suggest that TS3 should be protected by the cryptographic mechanism. For example, Sjcould compute M6 = ErGWN(IDSj, sj, fj, TS3) instead of M6 = ErGWN(IDSj, sj, fj) in Step 2 of the authenticated key agreement phase.

6. Desynchronization Attack

In Vinoth et al.’s scheme, U and GWN keep the same TIDU to authenticate each other. Hence, as shown in Figure 9, an outside attacker can block the message <M10, M11, M12, TS4> in Step 3 of the authenticated key agreement phase and instead send the message <M10, RN, M12, TS4*> to U. Here, TS4* is the attacker’s current timestamp. During Step 5 of the authenticated key agreement phase, U confirms the freshness of TS4* in the fabricated message <M10, RN, M12, TS4*>, decrypts rU from M10, and successfully verifies rU and M12. U also computes KU-Sj = h(IDUIDGWNrGWNrUM7KGWN-U) and verifies M13. Then, U further updates TIDU to TIDUnew = h(IDUKGWN-UTS4*)⊕RN. The TIDUnew computed by U is not equal to the TIDUnew generated by GWN during Step 3 of the authenticated key agreement phase. This causes the failure to authenticate in the subsequent runs of Vinoth et al.’s scheme, though U, GWN, and Sjare all legal and honest.
The attacker randomly changes M11 because Vinoth et al.’s scheme does not check the authenticity of M11. To overcome the desynchronization attack, our suggestion is to apply the message authentication code algorithm for M11. Where industrial IoT sensing applications are concerned, this desynchronization attack has the same negative impact as the replay attack discussed in Section 5.

7. Weakness of User Privacy

In the authenticated key agreement scheme, user privacy guarantees that the attacker cannot derive the user’s identity from the transmitted messages of the authentication sessions. This is called user anonymity. Moreover, the attacker also fails to link two different authentication sessions to the same user. This is called untraceability. User privacy is a concern in industrial IoT sensing applications, as users’ private data can be leaked and misused if a factory deployed with IoT sensing devices is subjected to cyberattacks. For example, users’ presence or absence at the industrial control room can be revealed simply by observing authentication sessions.
Vinoth et al. claimed that their scheme supported both user anonymity and untraceability because it employed the temporal TIDU to hide U’s long-term IDU. Furthermore, the symmetric encryption algorithm and cryptographic hash function were utilized to protect U’s IDU. In Section 3.2, we show that Ua can attain any other target user U’s IDU, KGWN-U, and TIDUnew. Hence, when Ua finds TIDUnew in the message <TIDU, M1, M2, TS1> during Step 2 of the login phase, Ua knows that U is running a session. Then, Ua can eavesdrop on the message <M10, M11, M12, TS4> in Step 3 of the authenticated key agreement phase and synchronously update U’s new temporal TIDUnew by computing h(IDUKGWN-UTS4)⊕M11. As a result, Ua can track any U all the time. Sj also can track any target user U. Sj first derives U’s TIDU, IDU, and KGWN-U as discussed in Section 4.1. Then, Sj uses TIDU to identify U, eavesdrops on the message <M10, M11, M12, TS4> during Step 3 of the authenticated key agreement phase and updates TIDU just like U. In conclusion, Vinoth et al.’s scheme fails to provide the user privacy protection.
Vinoth et al.’s scheme suffers from weak user privacy because it is vulnerable to user and IoT sensing device impersonation attacks. Vinoth et al.’s scheme could provide better user privacy if both user and IoT sensing device impersonation attacks are repaired correctly.

8. Conclusions and Future Work

In Vinoth et al.’s scheme, the user and multiple IoT sensing devices negotiate a secret session key via a group key, i.e., rGWN. This novel design improves the efficiency of Vinoth et al.’s scheme. It is a desirable feature of the IoT sensing applications. Hence, we study Vinoth et al.’s scheme in aspects of security and privacy. Although Vinoth et al.’s scheme proved secure under the Canetti–Krawczyk threat model [40], we still revealed several serious security and privacy vulnerabilities in the scheme. In addition, Vinoth et al.’s scheme employs random numbers such as rU and rGWN and timestamps such as TS1, TS2, TS3, and TS4 at the same time. It is widely known that random numbers and timestamps are both used to defeat reply attacks and ensure the freshness of the message. From the perspective of applications, the use of both random numbers and timestamps increases the complexity of the authentication system and brings greater security risk. Therefore, it would be best to adopt only one of them in an authenticated key agreement scheme.
It is still a challenge to design a robust and efficient authenticated key agreement scheme for IoT sensing applications. One avenue for future work is to formulate a communication model appropriate for defining authentication and key agreement goals and present the definitions of security and privacy under the communication model. The results of our analysis of Vinoth et al.’s scheme can provide a reference for these definitions. Another avenue for future work is to develop an authenticated key agreement scheme that not only satisfies our formal definitions but also achieves high efficiency. In [41], Bellare and Rogaway proposed a security definition, a protocol, and a proof for secure session key distribution with the trust three-party case. One feasible idea is to extend Bellare and Rogaway’s definition and protocol for IoT sensing models. We expect that this will require a great deal of research work to accomplish.

Funding

The work of Da-Zhi Sun was supported in part by the National Natural Science Foundation of China under Grant No. 61872264. The APC was funded by the National Natural Science Foundation of China under Grant No. 61872264.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Acknowledgments

The author would like to thank the editor and the reviewers for their valuable suggestions and comments.

Conflicts of Interest

The author declares no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; or in the decision to publish the results.

References

  1. Hirman, M.; Benesova, A.; Sima, K.; Steiner, F.; Tupa, J. Design, fabrication and risk assessment of IoT unit for products manufactured in industry 4.0 factory. Procedia Manuf. 2020, 51, 1178–1183. [Google Scholar] [CrossRef]
  2. Macioszek, E.; Kurek, A. Extracting road traffic volume in the city before and during COVID-19 through video remote sensing. Remote Sens. 2021, 13, 2329. [Google Scholar] [CrossRef]
  3. Hassija, V.; Chamola, V.; Saxena, V.; Jain, D.; Goyal, P.; Sikdar, B. A survey on IoT security: Application areas, security threats, and solution architectures. IEEE Access 2019, 7, 82721–82743. [Google Scholar] [CrossRef]
  4. Vinoth, R.; Deborah, L.J.; Vijayakumar, P.; Kumar, N. Secure multifactor authenticated key agreement scheme for industrial IoT. IEEE Internet Things J. 2021, 8, 288–296. [Google Scholar] [CrossRef]
  5. Kumari, S.; Khan, M.K.; Atiquzzaman, M. User authentication schemes for wireless sensor networks: A review. Ad Hoc Netw. 2015, 27, 159–194. [Google Scholar] [CrossRef]
  6. Singh, D.; Kumar, B.; Singh, S.; Chand, S. Evaluating authentication schemes for real-time data in wireless sensor network. Wirel. Pers. Commun. 2020, 114, 629–655. [Google Scholar] [CrossRef]
  7. Sun, D.Z.; Li, J.X.; Feng, Z.Y.; Cao, Z.F.; Xu, G.Q. On the security and improvement of a two-factor user authentication scheme in wireless sensor networks. Pers. Ubiquitous Comput. 2013, 17, 895–905. [Google Scholar] [CrossRef]
  8. Wang, D.; Wang, P. Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw. 2014, 20, 1–15. [Google Scholar] [CrossRef]
  9. Jiang, Q.; Ma, J.; Lu, X.; Tian, Y.L. An efficient two-factor user authentication scheme with unlinkability for wireless sensor networks. Peer-Peer Netw. Appl. 2015, 8, 1070–1081. [Google Scholar] [CrossRef]
  10. Wei, F.; Zhang, R.; Shen, J. A Provably Secure Two-Factor Authenticated Key Exchange Protocol for Wireless Sensor Networks Based on Authenticated Encryption. In Lecture Notes on Data Engineering and Communications Technologies, Proceedings of the 11th International Conference on Advances on Broad-Band Wireless Computing, Communication and Applications (BWCCA 2016), Asan, Korea, 5–7 November 2016; Barolli, L., Xhafa, F., Yim, K., Eds.; Springer: Cham, Switzerland, 2017; Volume 2, pp. 849–855. [Google Scholar]
  11. Wu, F.; Xu, L.L.; Kumari, S.; Li, X. A new and secure authentication scheme for wireless sensor networks with formal proof. Peer-Peer Netw. Appl. 2017, 10, 16–30. [Google Scholar] [CrossRef]
  12. Wu, F.; Li, X.; Sangaiah, A.K.; Xu, L.L.; Kumari, S.; Wu, L.X.; Shen, J. A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks. Future Gener. Comput. Syst. 2018, 82, 727–737. [Google Scholar] [CrossRef]
  13. Chandrakar, P. A secure remote user authentication protocol for healthcare monitoring using wireless medical sensor networks. Int. J. Ambient Comput. Intell. 2019, 10, 6. [Google Scholar] [CrossRef] [Green Version]
  14. Kaur, D.; Kumar, D. Cryptanalysis and improvement of a two-factor user authentication scheme for smart home. J. Inf. Secur. Appl. 2021, 58, 102787. [Google Scholar]
  15. Qi, M.P.; Chen, J.H. Secure authenticated key exchange for WSNs in IoT applications. J. Supercomput. 2021. [Google Scholar] [CrossRef]
  16. Das, A.K. An efficient and novel three-factor user authentication scheme for large-scale heterogeneous wireless sensor networks. Int. J. Commun. Netw. Distrib. Syst. 2015, 15, 22–60. [Google Scholar] [CrossRef]
  17. Das, A.K. A secure and robust temporal credential-based three-factor user authentication scheme for wireless sensor networks. Peer-Peer Netw. Appl. 2016, 9, 223–244. [Google Scholar] [CrossRef]
  18. Wang, C.Y.; Xu, G.A.; Sun, J. An enhanced three-factor user authentication scheme using elliptic curve cryptosystem for wireless sensor networks. Sensors 2017, 17, 2946. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  19. Wu, F.; Xu, L.L.; Kumari, S.; Li, X. An improved and provably secure three-factor user authentication scheme for wireless sensor networks. Peer-Peer Netw. Appl. 2018, 11, 1–20. [Google Scholar] [CrossRef]
  20. Shin, S.; Kwon, T. A lightweight three-factor authentication and key agreement scheme in wireless sensor networks for smart homes. Sensors 2019, 19, 2012. [Google Scholar] [CrossRef] [Green Version]
  21. Luo, H.G.; Wen, G.J.; Su, J. Lightweight three factor scheme for real-time data access in wireless sensor networks. Wirel. Netw. 2020, 26, 955–970. [Google Scholar] [CrossRef]
  22. Jabbari, A.; Mohasef, J.B. Improvement of a user authentication scheme for wireless sensor networks based on internet of things security. Wirel. Pers. Commun. 2021, 116, 2565–2591. [Google Scholar] [CrossRef]
  23. Jiang, Q.; Kumar, N.; Ma, J.F.; Shen, J.; He, D.B.; Chilamkurti, N. A privacy-aware two-factor authentication protocol based on elliptic curve cryptography for wireless sensor networks. Int. J. Netw. Manag. 2017, 27, e1937. [Google Scholar] [CrossRef]
  24. Adavoudi-Jolfaei, A.; Ashouri-Talouki, M.; Aghili, S.F. Lightweight and anonymous three-factor authentication and access control scheme for real-time applications in wireless sensor networks. Peer-Peer Netw. Appl. 2019, 12, 43–59. [Google Scholar] [CrossRef]
  25. Lu, Y.R.; Xu, G.Q.; Li, L.X.; Yang, Y.X. Anonymous three-factor authenticated key agreement for wireless sensor networks. Wirel. Netw. 2019, 25, 1461–1475. [Google Scholar] [CrossRef]
  26. Sadri, M.J.; Asaar, M.R. A lightweight anonymous two-factor authentication protocol for wireless sensor networks in internet of vehicles. Int. J. Commun. Syst. 2020, 33, e4511. [Google Scholar] [CrossRef]
  27. Far, H.A.N.; Bayat, M.; Das, A.K.; Fotouhi, M.; Pournaghi, S.M.; Doostari, M.A. LAPTAS: Lightweight anonymous privacy-preserving three-factor authentication scheme for WSN-based IIoT. Wirel. Netw. 2021, 27, 1389–1412. [Google Scholar]
  28. Das, A.K.; Sutrala, A.K.; Kumari, S.; Odelu, V.; Wazid, M.; Li, X. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur. Commun. Netw. 2016, 9, 2070–2092. [Google Scholar] [CrossRef] [Green Version]
  29. Amin, R.; Biswas, G.P. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. 2016, 36, 58–80. [Google Scholar] [CrossRef]
  30. Wu, F.; Xu, L.L.; Kumari, S.; Li, X.; Shen, J.; Choo, K.K.R.; Wazid, M.; Das, A.K. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment. J. Netw. Comput. Appl. 2017, 89, 72–85. [Google Scholar] [CrossRef]
  31. Sutrala, A.K.; Das, A.K.; Reddy, A.G.; Vasilakos, A.V.; Rodrigues, J.J.P.C. On the design of secure user authenticated key management scheme for multigateway-based wireless sensor networks using ECC. Int. J. Commun. Syst. 2018, 31, e3514. [Google Scholar] [CrossRef]
  32. Guo, H.; Gao, Y.; Xu, T.G.; Zhang, X.Y.; Ye, J.F. A secure and efficient three-factor multi-gateway authentication protocol for wireless sensor networks. Ad Hoc Netw. 2019, 95, 101965. [Google Scholar] [CrossRef]
  33. Lee, J.; Yu, S.; Park, K.; Park, Y.; Park, Y. Secure three-factor authentication protocol for multi-gateway IoT environments. Sensors 2019, 19, 2358. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  34. Xu, L.L.; Wu, F. A lightweight authentication scheme for multi-gateway wireless sensor networks under IoT conception. Arab. J. Sci. Eng. 2019, 44, 3977–3993. [Google Scholar] [CrossRef]
  35. Wang, D.; Hong, S.H.; Wang, Q.X. Revisiting a multifactor authentication scheme in industrial IoT. Secur. Commun. Netw. 2021, 2021, 9995832. [Google Scholar] [CrossRef]
  36. Vinoth, R.; Deborah, L.J. An efficient key agreement and authentication protocol for secure communication in industrial IoT applications. J. Ambient Intell. Humaniz. Comput. 2021. [Google Scholar] [CrossRef]
  37. Gupta, M.; Chaudhari, N.S. Anonymous two factor authentication protocol for roaming service in global mobility network with security beyond traditional limit. Ad Hoc Netw. 2019, 84, 56–67. [Google Scholar] [CrossRef]
  38. Wang, F.F.; Xu, G.A.; Gu, L.Z. A secure and efficient ECC based anonymous authentication protocol. Secur. Commun. Netw. 2019, 2019, 4656281. [Google Scholar] [CrossRef]
  39. Jiang, Q.; Zhang, N.; Ni, J.B.; Ma, J.F.; Ma, X.D.; Choo, K.K.R. Unified biometric privacy preserving three-factor authentication and key agreement for cloud-assisted autonomous vehicles. IEEE Trans. Veh. Technol. 2020, 69, 9390–9401. [Google Scholar] [CrossRef]
  40. Canetti, R.; Krawczyk, H. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2001), Innsbruck, Austria, 6–10 May 2001; Pfitzmann, B., Ed.; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045, pp. 453–474. [Google Scholar]
  41. Bellare, M.; Rogaway, P. Provably Secure Session Key Distribution—The Three Party Case. In Proceedings of the 27th ACM Symposium on the Theory of Computing (STOC’95), Las Vegas, NV, USA, 29 May–1 June 1995; ACM: New York, NY, USA, 1995; pp. 57–66. [Google Scholar]
Figure 1. Industrial IoT sensing model.
Figure 1. Industrial IoT sensing model.
Symmetry 13 01952 g001
Figure 2. Vinoth et al.’s login phase and authenticated key agreement phase.
Figure 2. Vinoth et al.’s login phase and authenticated key agreement phase.
Symmetry 13 01952 g002
Figure 3. User impersonation attack on IoT sensing devices.
Figure 3. User impersonation attack on IoT sensing devices.
Symmetry 13 01952 g003
Figure 4. User impersonation attack on the GWN.
Figure 4. User impersonation attack on the GWN.
Symmetry 13 01952 g004
Figure 5. IoT sensing device impersonation attack on a user.
Figure 5. IoT sensing device impersonation attack on a user.
Symmetry 13 01952 g005
Figure 6. IoT sensing device impersonation attack on the GWN.
Figure 6. IoT sensing device impersonation attack on the GWN.
Symmetry 13 01952 g006
Figure 7. IoT sensing device impersonation attack on another IoT sensing device.
Figure 7. IoT sensing device impersonation attack on another IoT sensing device.
Symmetry 13 01952 g007
Figure 8. Replay attack.
Figure 8. Replay attack.
Symmetry 13 01952 g008
Figure 9. Desynchronization attack.
Figure 9. Desynchronization attack.
Symmetry 13 01952 g009
Table 1. Description of notations.
Table 1. Description of notations.
TermDefinition
GWN, UGateway node and user
Sjjth IoT sensing device
IDGWN, IDU, IDSjGWN’s, U’s, and Sj’s identities
TIDUU’s temporary identity for user anonymity
γ, KGWNGWN’s long-term secret keys
KGWN-ULong-term secret key shared by GWN and U
PWU’s password
B, BK, τU’s biometrics, biometrics key, and public reproduction parameter
sj, fj, kjSj’s secret parameters
KGWN-SjSecret key shared by GWN and Sj
KU-SjSecret session key shared by U and Sj
rGWN, rU, RNRandom numbers
TS1, TS2, TS3, TS4,TS1′, TS2′, TS3′, TS4Timestamps
ΔTSMaximum transmission delay
φ()Vinoth et al.’s access structure function [4]
Gen()/Rep()Generation algorithm/reproduction algorithm using biometrics fuzzy extractor
h()Cryptographic hash function
EK()/DK()Encryption algorithm/decryption algorithm using secret key K
modCongruent
⊕, ‖Bitwise exclusive-or and concatenation
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Sun, D.-Z. Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT. Symmetry 2021, 13, 1952. https://doi.org/10.3390/sym13101952

AMA Style

Sun D-Z. Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT. Symmetry. 2021; 13(10):1952. https://doi.org/10.3390/sym13101952

Chicago/Turabian Style

Sun, Da-Zhi. 2021. "Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT" Symmetry 13, no. 10: 1952. https://doi.org/10.3390/sym13101952

APA Style

Sun, D. -Z. (2021). Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT. Symmetry, 13(10), 1952. https://doi.org/10.3390/sym13101952

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop