Peer-Review Record

Physical Unclonable Function and Machine Learning Based Group Authentication and Data Masking for In-Hospital Segments

Electronics 2022, 11(24), 4155; https://doi.org/10.3390/electronics11244155
by Pintu Kumar Sadhu 1,*, Venkata P. Yanambaka 2 and Ahmed Abdelgawad 1
Reviewer 1: Anonymous
Reviewer 3:
Reviewer 4: Anonymous
Submission received: 31 October 2022 / Revised: 1 December 2022 / Accepted: 12 December 2022 / Published: 13 December 2022

Round 1

Reviewer 1 Report

I am very glad that PUFs are becoming more and more attractive in various aspects of life, and here is an article about security based on PUFs in the Internet of Medical Things.

The description that the authors offer in the paper is on a very general level, so even non-security specialists could understand the subject (the Introduction, for example). I am not deciding if this is good or bad (it is for the editors to decide if such a general level of description is proper for the journal); however, the article lacks a deeper understanding of the tools used, and many times there are statements which are not true or too far-fetched because of simplification. Here are examples of such simplifications:

Line 90 – “PUF is a combination of logic gates to produce a secret key.” This is simply not true. There are several ways of retrieving PUFs – logic gates are just a small part of methods used in the field.

Section 1.3 and Figure 5 – the “Machine Learning” looks like a simple neural network model without a description of the particular architecture and the way it was chosen for the particular purpose.

Section 5.1 – I have no idea what was proven in 5.1.

Section 5.2.2 – there are a few dozen known side-channel attacks, which the authors seem not to understand at all. Simple power current analysis or EM analysis can break a wearable device. The statement “So, the framework is able to avoid side channel attacks.” is absolutely false (not to mention there was no research conducted to prove this point).

Section 5.2.3 – Vulnerability to modeling attacks is not a feature of the system, but a feature of the particular PUF mechanism. Protecting the interface is not the solution, it is just hiding the problem.

However, my major concern goes to the use of controlled PUFs and machine learning, which should give the advantage of not keeping PUF keys on the server side. There is no proper description of how the section 3.2 enrollment was done. What exactly was done in the training of MC_model? What exactly is the result of such training? What is the security of such a model and how was it measured (section 5.1 is not proving that)? When one considers strong PUFs as the main security mechanism, the spaces of C and R vectors must deliver proper asymmetric security in order to be used in a cryptographic protocol. Here we don’t know much about such a process (only a general description was provided). Another major issue goes to the fact how controlled PUFs were done (and not described here). If it was done as described in [45], then again: what exactly is the ML model block doing? We do not agree on security by obscurity! Even if the ML model is as good as a perfect hash function, you have 2 things (‘PID’ and ‘Time’) that an attacker can be guessing, therefore there is a new vulnerability that was not properly investigated. For that matter a random Challenge would be much better than a challenge whose space was limited by certain values of ‘PID’ and ‘Time’.

Other less crucial but important issues:

The authors seem to know about modeling attacks (lines 135-136) and yet they choose an arbiter PUF as the main security mechanism (line 381), which is extremely vulnerable to modelling attack.

I do not appreciate the superiority of computation costs presented in section 2.1, since the major workload is to be made in the enrollment phase, where a huge number of CRPs must be generated (line 389-390). For example, you could have much better performance, if you used random one-time CRPs – you just need to generate enough of them beforehand (which costs the most).

There is no information on how the authors dealt (in the test implementation) with the reliability/correctness from which arbiter PUFs suffer a lot.

In conclusion, I do not think that this paper is scientific enough for the journal of MDPI Electronics. It may be a good idea to share the concept on a conference and discuss it with colleagues in various aspects of security.
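The reliability concern raised in this report can be made concrete with a small simulation. This is an added example, not part of the review or of the paper: it uses the additive linear delay model commonly used to simulate arbiter PUFs, and the stage count, noise level, vote counts and seed are all assumptions chosen for illustration.

```python
import random

N_STAGES = 64  # assumed challenge length (not taken from the paper)

def make_device(rng, n=N_STAGES):
    """Additive delay model: one weight per stage plus a bias term."""
    return [rng.gauss(0.0, 1.0) for _ in range(n + 1)]

def features(challenge):
    """Parity transform: phi_i = product of (1 - 2*c_j) for j >= i, then a constant 1."""
    phi, acc = [], 1
    for bit in reversed(challenge):
        acc *= 1 - 2 * bit
        phi.append(acc)
    phi.reverse()
    return phi + [1]

def delay_difference(weights, challenge):
    """Noise-free delay difference seen by the arbiter; its sign is the response."""
    return sum(w * p for w, p in zip(weights, features(challenge)))

def read_bit(delta, noise_rng, sigma, votes=1):
    """Response bit from `votes` noisy evaluations, decided by majority (votes odd)."""
    ones = sum(delta + noise_rng.gauss(0.0, sigma) > 0 for _ in range(votes))
    return int(2 * ones > votes)

def bit_error_rate(sigma=1.0, votes=1, n_challenges=2000, seed=7):
    """Fraction of challenges whose re-read bit differs from the enrolled bit."""
    dev_rng = random.Random(seed)        # device and challenges: same for every call
    noise_rng = random.Random(seed + 1)  # measurement noise (assumed Gaussian)
    weights = make_device(dev_rng)
    errors = 0
    for _ in range(n_challenges):
        challenge = [dev_rng.randint(0, 1) for _ in range(N_STAGES)]
        delta = delay_difference(weights, challenge)
        enrolled = int(delta > 0)        # idealised noise-free enrollment (assumption)
        errors += read_bit(delta, noise_rng, sigma, votes) != enrolled
    return errors / n_challenges

if __name__ == "__main__":
    for votes in (1, 5, 15):
        print(f"votes={votes:2d}  BER={bit_error_rate(votes=votes):.4f}")
```

Challenges whose delay difference is close to zero are the ones that flip between reads; majority voting lowers the error rate but does not remove it, which is why an authentication protocol built on raw arbiter PUF responses needs an explicit error-handling step.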

Author Response

Dear Concern,

Thank you for your valuable feedback. We have improved the manuscript based on your comments. Please check the attachment.

Regards,

Pintu

Author Response File: Author Response.pdf

Reviewer 2 Report

In this paper, the proposed method can authenticate many devices by use of a single message. As the same message is going to the server, this also results in efficiency in processing. The algorithms are well-defined. The obtained results have shown 99.54% accuracy for identifying the group of devices. The results section has defended the uniqueness. One unique contribution is that the proposed framework is lightweight and the communication cost required is very low in comparison with other works. Section V has done the security analysis as needed. In future work, blockchain incorporation is proposed, a very good idea. Also, using group key agreement for mobile devices in the future is going to give more flexibility of use.

Author Response

Dear Concern,

Thank you for your valuable feedback. We have improved the manuscript based on your comments. Please check the attachment.

Regards,

Pintu

Author Response File: Author Response.pdf

Reviewer 3 Report

The topic is important and recent. This research is well written and organized. However there are some concerns which should be addressed by the authors.

- Title paper: It is long and the number of words should be reduced. Also, acronyms such as PUF should be removed from the search title to make it clearer.

- Related Work Section: Major contributions should be conveyed to the introduction. Authors should provide a clear critique of all references included to clarify the science gap. Moreover, there is some recent research that provides lightweight mechanisms to support authentication procedures and securely store patient data in the repository, which can be useful in this section and comparison, such as:

  o de-Marcos, L., Martínez-Herráiz, J. J., Junquera-Sánchez, J., Cilleruelo, C., & Pages-Arévalo, C. (2021). Comparing Machine Learning Classifiers for Continuous Authentication on Mobile Devices by Keystroke Dynamics. Electronics, 10(14), 1622.

  o Al-Zubaidie, M., Zhang, Z., & Zhang, J. (2019). RAMHU: A new robust lightweight scheme for mutual users authentication in healthcare applications. Security and Communication Networks, 2019.

- Explanation is not clear in the subtitle "Forward Secrecy".

- English Writing: This article needs moderate proofreading. There are some grammatical, spelling and typo mistakes. Some paragraphs are very long and should be broken down into smaller paragraphs. The authors must thoroughly scrutinize the article.

- List of References: The number of references is sufficient, up-to-date and relevant to the research topic. The references should follow the Electronics-MDPI Journal style. For example, some search names in the reference list begin with an uppercase letter for each word (such as [1], [2] ... etc.) and others use only an uppercase letter in the first word (such as [7], [8] … etc.); authors should standardize the style. Authors must accurately check the whole reference list to remove all problems.

Author Response

Dear Concern,

Thank you for your valuable feedback. We have improved the manuscript based on your comments. Please check the attachment.

Regards,

Pintu

Author Response File: Author Response.pdf

Reviewer 4 Report

The introduction is organized with redundant subsections. It is recommended to replace each subsection with a paragraph and explain how those subsections are intertwined with the subject of the article.

The authors listed related works in Section 2. It is recommended to analyze the characteristics and cons & pros of each study rather than listing the methodologies. Making a table would be helpful.

The authors are recommended to describe the motivation of the study clearly.

The authors also listed the contributions of the proposed frame at the end of Section 2. It should be scientific and/or academic contributions, not the features/characteristics of the proposed method.

The authors mentioned that the edge router is not a limited resources device in the proposed frame, but typically the edge computing device has limited resources in comparison with the cloud server.

The authors assume that the stored challenges in the ER will be updated periodically. That doesn't seem practical.

It is recommended to describe how to collect CRPs.

Author Response

Dear Concern,

Thank you for your valuable feedback. We have improved the manuscript based on your comments. Please check the attachment.

Regards,

Pintu

Author Response File: Author Response.pdf

Round 2

Reviewer 4 Report

The manuscript was revised based on the comments.

Author Response

Dear Concern,

Thank you for your time and support to improve our manuscript. We have gone through the whole manuscript to make minor grammatical corrections to improve it. 

Regards,

Pintu 
