Next Article in Journal
An Indoor Tags Position Perception Method Based on GWO–MLP Algorithm for RFID Robot
Next Article in Special Issue
Energy-Efficient Blockchain-Enabled Multi-Robot Coordination for Information Gathering: Theory and Experiments
Previous Article in Journal
Unscented Kalman Filter with Joint Decision Scheme for Phase Estimation in Probabilistically Shaped QAM Systems
Previous Article in Special Issue
Malicious Contract Detection for Blockchain Network Using Lightweight Deep Learning Implemented through Explainable AI
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment

1
School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Republic of Korea
2
School of Computer Engineering, Keimyung University, Daegu 42601, Republic of Korea
3
School of Electronics Engineering, Kyungpook National University, Daegu 41566, Republic of Korea
*
Author to whom correspondence should be addressed.
Electronics 2023, 12(19), 4073; https://doi.org/10.3390/electronics12194073
Submission received: 4 September 2023 / Revised: 23 September 2023 / Accepted: 26 September 2023 / Published: 28 September 2023
(This article belongs to the Special Issue Security, Privacy, Confidentiality and Trust in Blockchain)

Abstract

:
The metaverse provides a virtual world with many social activities that parallel the real world. As the metaverse attracts more attention, the importance of security and privacy preservation is increasing significantly. In the metaverse, users have the capability to create various avatars, which can be exploited to deceive or threaten others, leading to internal security issues. Additionally, users attempting to access the metaverse are susceptible to various external security threats since they communicate with service providers through public channels. To address these challenges, we propose an authentication scheme using blockchain, a decentralized identifier, and a verifiable credential to enable metaverse users to perform secure identity verification and authentication without disclosing sensitive information to service providers. Furthermore, the proposed approach mitigates privacy concerns associated with the management of personal information by enabling users to prove the necessary identity information independently without relying on service providers. We demonstrate that the proposed scheme is resistant to malicious security attacks and provides privacy preservation by performing security analyses, such as AVISPA simulation, BAN logic, and the real-or-random (ROR) model. We also show that the performance of our proposed scheme is better suited for the metaverse environment by providing greater security and efficiency when compared to competing schemes.

1. Introduction

Various advanced technologies are rapidly evolving and being invented, leading to the emergence of the metaverse concept, which is envisioned as the next iteration of the Internet. Metaverse is a virtual realm that parallels the physical world, where people engage with the metaverse using wearable devices (such as a virtual reality (VR)/augmented reality (AR) devices) and manipulate digital avatars to engage with others. Furthermore, the advancement of cutting-edge communication and networking technologies, including wireless networks and 5G technology, plays an important role in moving the metaverse forward by enabling low-latency, high-speed, and reliable data exchange between devices and the network. In addition, AI technology also contributes to automating the creation of virtual environments and digital items, and extracting valuable insights from the vast amount of data generated within the metaverse [1,2]. Blockchain, serving as a trust infrastructure in decentralized distributed networks, enables individual-centric digital asset transactions for metaverse users, not tied to traditional service providers’ platforms. It can also contribute to achieving the compatibility of individual services held by various virtual spaces (or service providers) within the metaverse [3]. The metaverse is anticipated to bring about great innovation in various aspects of life, including e-commerce, medical, education, entertainment, smart factory and other social services [4,5].
In the metaverse, users can create avatars to represent themselves virtually, and they can access various services through these avatars. However, in the current metaverse application, users possess the freedom to create any avatar to serve as their virtual representation, irrespective of their real-world identity. This characteristic presents avenues for malicious users to fabricate a similar avatar and cause serious security problems, such as identity leakage, theft, and virtual asset fraud during avatar interactions. In addition, issues such as stalking, harassment, and sexual assault can pose a threat to users by manipulating the avatar, as well as the potential privacy threat of using AI technology to monitor users, make inferences about them, or engage in impersonation [6,7,8]. Furthermore, users need to exchange their information and data with third parties to access services offered in various virtual worlds within the metaverse. However, due to the aforementioned characteristics, the identity information of the third parties using the user’s information is often unclear, making interactions for users challenging. Examples include qualifications to provide professional services such as medical or educational services, or adult verification to use certain data. Therefore, it is essential to design an authentication scheme that allow users to safely use services in the metaverse and remain secure from other security threats.
In current metaverse application, users have no direct means to verify the identity of other avatars as malicious or not, so they need help from the metaverse service provider. In the process of tracking these manipulators, the service provider mainly utilizes the manipulator’s account and password as clues to track the manipulator from a specific avatar identity [9]. However, employing password-dependent methods means that any player who knows the account password can successfully gain access, so if a malicious user obtains the password illegally through various means, he/she can log in illegally and manipulate the avatar of a legitimate player. For more secure user identification and assurance on the metaverse, users can provide a lot of personal information to service providers. However, service providers that collect sensitive information, such as users’ voices and motions generated in the metaverse, can abuse this personal information and cause users’ privacy violations and huge losses through advertisements, personal tracking, fraud, illegal use, etc. In addition, the users and platform servers communicate through public channels in metaverse environments. Thus, an external adversary can attempt to eavesdrop and forge messages transmitted over public channels and attempt various security attacks, including masquerade, replay and man-in-the-middle attacks. Therefore, sensitive user information should not be disclosed to external parties and should only be shared with specific stakeholders in specific circumstances.
In this paper, we propose a blockchain-based authentication scheme that utilizes decentralized identifiers and verifiable credentials technology to enhance system security and protect users from various security and privacy threats. Decentralized identifiers and verifiable credentials enable trustworthy identity verification and data exchange without intermediaries. We propose an authentication scheme where users can authenticate not only avatars but also real manipulators during the authentication process required before interactions between avatars, using the users’ decentralized identifiers and verifiable credentials. Additionally, to ensure secure communication and avatar interactions in the metaverse environment, we propose an authentication method using blockchain between users and platform servers and between avatars. In our proposed scheme, the user and service provider establish security communication channels during the login phase through secure authentication and key agreement. Furthermore, we minimize user information exposed to service providers during interactions with other avatars and enhance user privacy protection by allowing only the necessary personal identification information for verification when interacting with different avatars in the metaverse.
Furthermore, in the metaverse, during the consensus process of validating and recording information on the blockchain, security attacks, such as 51% attacks and Sybil attacks, can occur [10,11,12]. These attacks can undermine the trustworthiness of information recorded on the actual blockchain. However, in this paper, the consensus process occurs only once when the user initially creates a unique ID and registers it in the system. Subsequently, during the authentication process, users verify the required record information on the blockchain, and at this point, the blockchain’s consensus process does not occur, minimizing the consensus process. Additionally, this paper assumes the security of the blockchain consensus process and focuses on security threats and privacy issues during the user registration phase and subsequent use of metaverse services.

1.1. Contributions

The main contributions of paper are as follows:
  • In the metaverse environment, users are exposed to threats, such as fraud through fake avatars and the risk of personal information leakage during data transmission through open channels. We propose a secure authentication method for the metaverse environment to ensure security against various threats arising from fake avatars or vulnerabilities in wireless communication channels, and provide forward secrecy, anonymity, and privacy preservation.
  • The proposed scheme utilizes decentralized identifiers and verifiable credentials to enhance user privacy protection. Metaverse users can provide only the necessary identity information to stakeholders without disclosing their information to external parties, thereby safeguarding their personal information.
  • We perform an informal analysis to ensure that the proposed scheme can provide security against various attacks, including impersonation, session key disclosure, replay, man-in-the-middle, and insider attacks. Additionally, we show that the proposed scheme can achieve mutual authentication, perfect forward secrecy, anonymity and privacy preservation.
  • The security of the proposed scheme is analyzed by performing informal and formal analyses, such as Burrows–Abadi–Nikoogadam (BAN) logic, the real-or-random (RoR) model, and the automated validation of internet security protocols and applications (AVISPA) simulation tool. We also compare the performance and security features with the related works to show that the proposed scheme is superior.

1.2. Organization

The organization of the paper is as follows. Section 2 reviews the existing authentication scheme applicable to the metaverse environment. Section 3 introduces relevant preliminaries. Section 4 presents a proposed system model and adversary model. The details of the proposed authentication scheme are depicted in Section 5. Section 6 analyzes the security of the proposed scheme in informal and formal proofs, and Section 7 analyzes the computation and communication costs of the proposed scheme and related works. Finally, we summarize the conclusion and the future works in Section 8.

2. Related Work

With the emergence of metaverse platforms (e.g., roblox and minecraft) and the increasing number of applications that utilize the metaverse, the security of the metaverse environment is discussed in several studies [13,14,15]. According to the paper proposed by Vu et al. [13], in the virtual world, users may find themselves in a situation where they are required to present identity information in order to obtain certain services and activities. They argued that not only are authentication mechanisms required to ensure that metaverse users can access the platform with appropriate identities but IoT devices in the metaverse infrastructure (e.g., sensors and UAVs) also need effective mechanisms for authentication during operation. They asserted that blockchain technology can address metaverse security and privacy issues, including identity and authentication management. Patwe and Mane [14] argued the necessity of designing a secure authentication mechanism because impersonation, server spoofing, mutual authentication threats, and replay attacks can occur in the metaverse environment. And they proposed a blockchain-based architecture for avatar and user authentication in consideration of the decentralized nature of the metaverse. However, to date, there are no proposed specific system models and mutual authentication schemes for metaverse environments.
In the metaverse environment, where users use virtual services from the service provider’s server using wearable devices, such as VR and AR, some mutual authentication methods for the IoT environment can be applied. Panda and Chattopadhyay [16] proposed an elliptic curve cryptography-based mutual authentication protocol to ensure secure communication between IoT devices and cloud servers. They argue that the proposed scheme is secure against various security threats (including impersonation attack, replay attack, etc.) by performing an informal analysis and using the AVISPA simulation tool. However, they did not consider the device-hijacking attack scenario. In the metaverse, there is a risk of maliciously capturing and tampering with a user’s XR device to extract sensitive information or impersonate a legitimate user to gain access to the system. Li et al. [17] proposed a mutual authentication scheme based on blockchain for users and servers. Li et al.’s scheme solves the problem of SPoF that occurs in the centralized authentication structure by proposing a blockchain-based decentralized authentication scheme. They claimed that their scheme is secure against impersonation and man-in-the-middle attacks, and that it also provides perfect forward secrecy. However, security features such as insider attacks and anonymity are not covered. These schemes can be applied to authentication between a user’s device and a service provider’s server. However, it is difficult to apply these schemes to the authentication mechanism required for interactions between avatars in the metaverse environment. Ryu et al. [18] proposed an authentication scheme that can ensure secure communication in a metaverse environment and transparently manage user identification data using blockchain technology. They designed the necessary mutual authentication methods to provide secure communication between platform servers and users as well as secure interactions between avatars. However, users who manipulate avatars in the metaverse need to prove their real-world information (e.g., age, gender, occupation and account) to other avatars in specific situations. Ryu et al.’s avatar authentication scheme can expose a lot of personal information of users to metaverse service providers. If personal information is exposed, it is possible to track the avatar’s user, or to impersonate a legitimate user by using a camouflage avatar.
Therefore, there is a need for research on authentication methods that can provide secure communication and privacy protection for users while considering the characteristics of the metaverse. We propose an authentication and key agreement scheme to enable metaverse users to securely utilize services from service providers. Furthermore, within the platform, we propose a secure authentication scheme between avatars that allows users to protect their privacy during avatar interactions without relying on the service provider.

3. Preliminaries

This section briefly introduces a fuzzy extractor, decentralized identifier (DID) and verifiable credential (VC).

3.1. Fuzzy Extractor

The fuzzy extractor [19] is widely acknowledged for confirming biometric validation. A biometric key can be constructed using a biometric outline, such as irises, facial features, and fingerprints. The characteristics of the fuzzy extractor are defined by the following two algorithms, including a probabilistic algorithm G e n ( · ) , and a deterministic algorithm R e p ( · ) :
  • G e n ( B I O ) = ( r , δ ) : The user’s biometric information B I O is accepted as an input parameter to the algorithm. Then, the secret value r is output along with the public reproduction parameter δ .
  • R e p ( B I O , δ ) = ( r ) : The algorithm accepts a noisy user biometric B I O from the user, controlling the noise using the public reproduction parameter δ . Then, R e p reproduces the original biometric secret value r.

3.2. Decentralized Identifier and Verifiable Credential

The decentralized identifier [20] is a concept designed to uniquely identify the digital identities of users and entities within a distributed network. It allows users to manage and verify their identities in a decentralized manner, without relying on central identity verification authorities. Users can confirm or show their DID ownership by employing cryptographic methods, such as digital signatures. DIDs are stored in conjunction with blockchains, ensuring their immutability and security. The features and operation of DIDs in the proposed scheme are as follows:
1. 
Decentralized identifier creation: Users or entities generate DIDs. DIDs are unique and can be created by users themselves, not centralized authentication authorities.
2. 
Integration with blockchain: DIDs are stored in conjunction with a blockchain. This ensures that DIDs are stored in a distributed registry, making duplication or alteration difficult.
3. 
Digital identity verification: To log in to digital services or applications using their DID, users create a signature using their private key.
4. 
Distributed identity management: Users manage their DIDs and identity information in a distributed network. This information is stored on the blockchain, ensuring immutability, and users share it only when necessary.
A verifiable credential [21] is a concept and technology used to represent and verify personal identities and permissions in the digital realm. Verifiable credentials serve as an alternative to centralized identity verification systems, allowing individuals to manage and share identity information (credentials) issued by identity authorities. The features and operation of VCs in the proposed scheme are as follows:
1. 
Creation of VCs: Users process their identity-related data to generate VCs. These VCs include the user’s identity information and the user’s signature using the elliptic curve-based signature algorithm.
2. 
Issuer of VCs: VCs are created by the party or institution that issues the information. The issuer verifies the source of the information and signs the VC to ensure its integrity.
3. 
Storage and transmission of VCs: VCs are stored in a digital format, and users share them only when necessary. VCs are securely transmitted and stored, often in encrypted form.
4. 
Verification of VCs: When presenting VCs to a verifier, the verifier uses the issuer’s public key to verify the signature of the VC and validate the accuracy of the information. This confirms the authenticity of the VC.
5. 
Selective sharing of VCs: Users can share only the necessary information through VCs, enhancing personal data protection. They provide minimal information to third parties and perform required identity verification.

4. System Model

Our proposed secure and privacy-preserving authentication scheme using a decentralized identifier in the metaverse environment is composed of four entities, including certificate authority, service provider, user, and blockchain. We depict the proposed system model in Figure 1, and describe each entity as give below.
  • Certificate authority ( C A ): C A serves as a fully trusted entity that initializes and publishes system parameters. C A receives the user’s decentralized identifier and personal information, which require verification. Then, C A verifies both and issues a credential to the user proving the user’s personal information (occupation, age, etc.). The credential values must be authenticated between the users/avatars in the metaverse environment.
  • Service provider ( S P ): S P s offer services that enable users to engage in various activities in virtual spaces, such as education, gaming, healthcare, and more. The user first registers on the S P using the decentralized identifier. If a user attempts to access the S P , S P verifies the correct identity of the user. In addition, the S P is responsible for forwarding request and response messages that occur in its own virtual space during the avatar authentication phase.
  • User: The user creates his/her own decentralized identifier on the blockchain. The user sends his/her decentralized identifier and personal information to C A to receive credentials to prove their personal information. Then, the user registers with the S P to participate in the metaverse environment. At this time, the user transmits only minimal information to register with the S P , and no other personal information is transmitted. The user can interact with other users by using avatars created in the virtual world, such as exchanging information with other users for various purposes. The user uses DID, public key, and verifiable credentials in the virtual space to mutually authenticate with other users’ avatars to achieve secure interaction between avatars and avatars.
  • Blockchain: In the proposed authentication scheme, we adopt the public blockchain, which is a fully decentralized infrastructure. In the public blockchain network, every node can easily join blockchain networks without the need for a trusted authority. All blockchain members can read the ledger and upload transitions to the blockchain. To ensure that all entities participating in the system agree on a single source of truth, the public blockchain adopts proof-based consensus algorithms, including proof of work and proof of stake. In our system, the blockchain is adopted to store the information required for authentication, and it does not contain any other information other than DID documents. In the proposed scheme, we assume that the consensus process of the blockchain operates correctly and reliably.
The process flows of the proposed scheme are described as follows:
  • User setup phase: The user generates their own decentralized identifier. The C A issues a verifiable credential to the user that proves the user’s personal information.
  • User registration phase: The user registers with the S P using his/her own decentralized identifier. The S P verifies that the user’s decentralized identifier is valid, and then the user’s avatar is generated in virtual space.
  • Login phase: When the user attempts to access the S P , the user and S P authenticate each other. If the mutual authentication between the user and S P is completed and the session key is agreed upon, the user and S P establish a secure communication channel through the session key.
  • Avatar authentication phase: In the virtual space, the user can interact with other avatars. For secure avatar-to-avatar interactions, the user provides verifiable credentials, proving the personal information needed to perform the avatar authentication phase.

4.1. Adversary Model

The adversary can have the following capabilities based on the Dolev–Yao (DY) threat model. The Dolev–Yao threat model [22] is widely employed in the analysis of protocol security [23,24,25]. The capabilities of an adversary are defined as follows:
  • An adversary can eavesdrop, intercept, modify, expunge, and forge the transmitted messages through a public channel.
  • An adversary can conjecture about either the identity or the password of a legitimate user, but it is incapable of conjecturing about both simultaneously.
  • An adversary can physically seize the user’s XR devices and infer sensitive data through power analysis attacks [26,27,28].
  • An adversary can attempt to launch various attacks, including impersonation, replay attacks, and man-in-the-middle attacks.
  • An adversary can be an insider in the S P .
For this work, we also adopt a more stringent adversary model, known as the “Canetti–Krawczyk (CK) model” [29]. In the CK model, the adversary not only has all the capabilities of the DY model but the adversary can obtain ephemeral session states and long-term values (including secret keys) by performing a session-hijacking attack. The adversary also creates a replica avatar in the metaverse environment to deceive others.

5. Proposed Scheme

This section presents the proposed secure and privacy-preserving authentication scheme using a decentralized identifier for the metaverse. The proposed scheme includes the initialization, user setup, registration, login, and avatar authentication phases. Table 1 describes the symbols used in the scheme.

5.1. Initialization Phase

First, C A initializes the system parameters. C A generates large prime numbers p , q , an additive group G, elliptic curve E C p over F p , a generator P, one-way hash functions H · , and a secret key s k C A , and it computes a public key P K C A corresponding to s k C A . After that, C A publishes the system parameters p a r = { p , q , G , E C p , P , P K C A , h ( · ) } to the network.

5.2. User Setup

The user generates their own decentralized identifier. C A issues a verifiable credential to the user that proves the user’s personal information. This phase is performed over a secure channel. Figure 2 shows the user setup phase and detailed processes steps are as follows.
  • US-1: User U i inputs a unique I D j , password s k j and biometric information B I O i . Then, U i selects a random number s k i Z q as a private key and computes G e n ( B I O i ) = { r i , δ i } , H P W i = h ( I D i | | P W i | | r i ) , P K i = s k i · P . Then, U i generates the U i ’s own D I D i that indicates the location of the DID document D o c i = { D I D i , P K i } on the blockchain.
  • US-2:  U i requests C A to issue a credential by sending D I D i , personal information i n f o i . C A checks a U i ’s personal information and D I D i , and issues a verifiable credential V C i = { D I D i , D I D C A , c l a i m , S i g C A ( c l a i m ) , E x p i } that vouches for U i ’s personal information, such as occupation, age, etc. Then, C A sends V C i to U i . After checking V C i , U i computes H V C i = ( V C i ) h ( r i | | I D i | | H P W i ) and stores { D I D i , H V C i , δ i } in the device.

5.3. User Registration Phase

User U i registers with S P using his/her own decentralized identifier. S P verifies that the user’s decentralized identifier is valid, and then the user’s avatar is generated in virtual space. This phase is performed over a secure channel. Figure 3 shows the user registration phase and detailed processes steps are as follows.
  • UR-1:  U i inputs a identity I D i , password P W i , and imprints a biomatic information B I O i . Then, U i computes { r i } = R e p ( B I O i , δ i ) , H P W i = h ( I D i | | P W i | | r i ) , a i = h ( s k i · P K s p ) , R E G i = h ( D I D i | | H P W i | | a i ) , and send { D I D i , H P W i , R E G i } to S P .
  • UR-2:  S P checks the validity of D I D i and retrieves P K i from the blockchain. If it is valid, S P computes a i = h ( s k s p · P K i ) , R E G i = h ( D I D i | | H P W i | | a i ) and verifies R E G i = ? R E G i . If the equation is correct, S P selects a random nonce b i Z q and calculates B i = h ( b i | | R I D i | | s k s p ) , R I D i = h ( D I D i | | H P W i | | s k s p ) . After that, S P dispatches { R I D i , B i } to U i and stores { R I D i , D I D i , B i } in a secure database.
  • UR-3:  U i computes H R I D i = R I D i h ( I D i | | H P W i | | r i ) , H B i = B i h ( H P W i | | r i | | I D i ) , A i = h ( R I D i | | B i | | r i | | H P W i ) and stores { H R I D i , H B i , A i } in U i ’s XR devices.

5.4. Login Phase

When the user U i attempts to access the S P , the user and S P authenticate each other. If mutual authentication between the user and S P is completed and the session key is established, the user and S P communicate using the session key to guarantee secure communication. Figure 4 presents the login phase and the detailed processes of this phase are as follows.
  • LA-1: User U i first enters I D i , P W i , and B I O i . Then, U i computes { r i } = R e p ( B I O i , δ i ) , H P W i = h ( I D i | | P W i | | r i , R I D i = H R I D i h ( I D i | | H P W i | | r i ) , V C i = H V C i h ( r i | | I D i | | H P W i ) , B i = H B i h ( H P W i | | r i | | I D i ) , A i = h ( R I D i | | B i | | r i | | H P W i ) , and checks the A i = A i . If the equation is correct, U i selects a random nonce X i and a current timestamp T 1 , and computes M S 1 = ( D I D i | | X i ) h ( R I D i | | B i | | T 1 ) , M S 2 = h ( R I D i | | X i | | B i | | D I D i | | T 1 ) . After that, U i sends { R I D i , M S 1 , M S 2 , T 1 } to S P .
  • LA-2:  S P generates a current timestamp T 2 and checks the freshness of the timestamp. Next, S P retrieves { B i } from the database using R I D i , and calculates ( D I D i | | X i ) = M S 1 h ( R I D i | | B i | | T 1 ) , M S 2 = h ( R I D i | | X i | | B i | | D I D i | | T 1 ) . S P checks the M S 2 = ? M S 2 , and selects a random nonce Y s p Z q and calculates R I D n e w = h ( D I D i | | Y s p | | B i ) , M S 3 = ( Y S P | | R I D n e w ) h ( X i | | D I D i | | B i ) , S K U S P = h ( X i | | Y S P | | B i | | D I D i ) , M S 4 = h ( X i | | Y S P | | R I D i | | R I D n e w | | S K U S P | | T 2 ) . After that, S P transmits { M S 3 , M S 4 , T 2 } to U i .
  • LA-3: After reception of the messages, U i checks the freshness of T 2 and computes ( Y s p | | R I D n e w ) = M S 3 h ( X i | | D I D i | | B i ) , S K U S P = h ( X i | | Y s p | | B i | | D I D i ) , M S 4 = h ( X i | | Y s p | | R I D i | | R I D n e w | | S K U S P | | T 2 ) . Then, U i checks the validity of M S 4 = ? M S 4 , calculates H R I D i = R I D n e w h ( I D i | | H P W i | | r i ) , and updates H R I D i with H R I D i .

5.5. Avatar Authentication Phase

In the virtual space, user U i can interact with other avatars U j . For secure avatar-to-avatar interactions, the user provides the verifiable credentials proving the personal information to perform the avatar authentication phase. Figure 5 shows the avatar authentication phase and the detailed steps are as follows.
  • AA-1:  U i first sends a request including D I D i to U j . After reception of the request, U j retrieves { P K i } using D I D i , and selects a random nonce n j and a current timestamp T 4 . Next, U j computes N j = n j · P , A U T 1 = n j · P K j , M S 5 = ( V C j ) · h ( D I D i | | D I D j | | A U T 1 | | T 4 ) , M S 6 = h ( V C j | | D I D j | | A U T 1 | | T 4 ) , and sends { D I D j , M S 5 , M S 6 , N j , T 4 } to U i .
  • AA-2: After receiving the message { D I D j , M S 5 , M S 6 , N j , T 4 } , U i checks the validity of T 4 , and retrieves { P K j } from the blockchain using D I D j . Then, U i computes A U T 1 = N j · s k i , ( V C j ) = M S 5 · h ( D I D i | | D I D j | | A U T 1 | | T 4 ) , M S 6 = h ( V C j | | D I D j | | A U T 1 | | T 4 ) and verifies the equation M S 6 = ? M S 6 and the signature S i g C A ( c l a i m ) of the V C j . Next, U i selects a random nonce m i and calculates M i = m i · P , A U T 2 = m i · P K j , M S 7 = ( V C i ) · h ( D I D i | | D I D j | | A U T 2 | | T 5 ) , M S 8 = h ( V C i | | D I D i | | A U T 2 | | h ( A U T 1 | | A U T 2 ) | | T 5 ) . And U i transmits { M S 7 , M S 8 , M i , T 5 } to U j .
  • AA-3: Upon reception of message { M S 7 , M S 8 , M i , T 5 } , U j checks the freshness of T 5 and computes A U T 2 = M i · s k j , ( V C i ) = M S 7 · h ( D I D i | | D I D j | | A U T 2 | | T 5 ) , M S 8 = h ( V C i | | D I D i | | A U T 2 | | h ( A U T 1 | | A U T 2 ) | | T 4 ) . Finally, U j checks that M S 8 = ? M S 8 is correct and verifies V C i ’s signature S i g C A ( c l a i m ) .

6. Security Analysis

In this section, we show the resilience of the proposed system against malicious security attacks through an informal analysis and AVISPA simulation. We also utilize BAN logic [30,31], which is a widely accepted formal security analysis, to prove that the proposed scheme is guaranteed for secure mutual authentication. Subsequently, we prove the session key secrecy utilizing the real-or-random (ROR) model.

6.1. Informal Security Analysis

We perform informal security analysis to demonstrate how the proposed protocol fulfills some of the security requirements, such as impersonation, replay, perfect forward secrecy, session key disclosure attacks, mutual authentication, etc.

6.1.1. Stolen XR Device Attack

Under the assumptions in Section 4.1, an adversary A d v can seize the user’s XR device and extract the stored parameters { D I D i , H V C i , δ i , H R I D i , H B i , A i } to obtain sensitive information V C i , B i . However, all the stored sensitive information are masked with hash, XOR operations utilizing identity I D i , password P W i , and biometric information B I O i so that the A d v cannot obtain sensitive information. Thus, the proposed scheme is secure against stolen XR device attacks.

6.1.2. Offline Password-Guessing Attack

The A d v attempts to guess the user’s password P W i using extracted values from the U i ’s XR device and intercepts the transmitted messages on public channels. However, it is impracticable for A d v to guess P W i without knowledge of the real identity I D i and response value r i . P W i is constructed as H P W i = h ( I D i | | P W i | | r i ) , where r i is the response value from a fuzzy extractor with bio-information as the input. Therefore, our scheme is resistant to offline password-guessing attacks.

6.1.3. Impersonation Attack

A d v can create fake login messages { R I D i , M S 1 , M S 2 , T 1 } and { M S 3 , M S 4 , T 2 } to impersonate legitimate user U i and gain unauthorized access to the metaverse environment supported by S P . However, A d v cannot forge the request message and compute the session key S K U S P because it is infeasible for A d v to obtain B i and random nonces X i and Y s p , where B i , X i , and Y s p are masked and B i is shared by U i and the S P only. Therefore, the proposed protocol prevents impersonation attacks.

6.1.4. Avatar Impersonation Attack

In the metaverse, A d v creates a fake avatar in an attempt to impersonate a legitimate user U i ’s avatar. A d v should be required to prove ownership of the legitimate U i ’s decentralized identifier D I D i and present verifiable credential V C i to others. However, A d v cannot impersonate the legitimate user of the avatar because A d v cannot obtain the private key corresponding to D I D i and it is difficult to extract V C i , which is masked with the real identity I D i and password P W i . Furthermore, since the user can easily create a new DID, if a problem occurs with the existing DID, the user can obtain a new DID and VC and discard the existing DID. Therefore, the proposed scheme prevents an avatar impersonation attack.

6.1.5. Session Key Disclosure Attack

In the proposed scheme, A d v should obtain the secret value B i and the random nonces X i and Y s p to compute a common session key. However, it is infeasible for A d v to compute a valid session key S K U S P because U i ’s secret value B i is masked with the real identity I D i , password P W i , and biomatic information B I O i . In addition, random nonces X i and Y s p are masked with B i and D I D i . A d v also cannot decrypt M 1 without U i ’s private key r U s e r . Therefore, the session key S K U S P = h ( X i | | Y S P | | B i | | D I D i ) disclosure attacks are computationally infeasible in the proposed protocol.

6.1.6. Perfect Forward Secrecy

Even if the long-term secret keys s k i and s k s p are compromised, A d v does not obtain the previous session key S K U S P = h ( X i | | Y S P | | B i | | D I D i ) . Since D I D i and B i are not revealed in messages transmitted on public channels, and random nonces X i and Y s p are refreshed every session, A d v cannot obtain the previous session key. Therefore, the proposed protocol guarantees perfect forward secrecy. Furthermore, if the secret key is compromised, the user can easily invalidate the existing DID associated with that key and create a new DID with a corresponding key pair. Subsequently, by re-registering with the system, the user can obtain a new VC from the C A .

6.1.7. Replay Attack and MITM Attack

A d v attempts replay and man-in-the-middle (MITM) attacks using previously transmitted messages. However, all the transmitted messages include the current timestamps T x are refreshed with each session, and U i and S P check the freshness of all transmitted messages. In addition, R I D i is also updated every session. If the received messages are invalid, the receiver terminates the current session. Therefore, the proposed protocol prevents replay and MITM attacks.

6.1.8. Insider Attack

According to Section 4.1, an internal A d v attempts to impersonate U i ’s avatar using a fake avatar and intercepted messages D I D i , { D I D j , M S 5 , M S 6 , N j , T 4 } and { M S 7 , M S 8 , M i , T 5 } . However, it is infeasible for A d v to calculate A U T 1 = N j · P K j = N j · s k i , A U T 2 = m i · P K j = M i · s k j without the private keys s k i , s k j and random nonces n j and m i . Thus, A d v cannot obtain verifiable credential V C without A U T 1 , A U T 2 . Therefore, A d v cannot disguise itself as another legitimate user in the metaverse without private key s k i and V C i corresponding to D I D i .

6.1.9. Ephemeral Secret Leakage Attack

According to Section 4.1, A d v can obtain the ephemeral secret values, such as X i and Y s p . Then, the adversary can attempt to calculate the session key S K U S P . However, A d v cannot calculate S K U S P without B i and D I D i . Therefore, the proposed protocol has resistance to the ephemeral key leakage attack.

6.1.10. Mutual Authentication

Section 6.1.3 and Section 6.1.5 demonstrate that A d v cannot impersonate U i and obtain the session key. In the login phase, U i and S P verify all transmitted messages. When S P receives the login request message { R I D i , M S 1 , M S 2 , T 1 } from U i , S P verifies M S 2 = ? M S 2 . If valid, S P authenticates U i . When U i receives response messages { M S 3 , M S 4 , T 2 } from S P , U i verifies the equation M S 4 = ? M S 4 . If valid, U i authenticates S P . Consequently, all entities are mutually authenticated so that the proposed system provides secure mutual authentication.

6.1.11. Anonymity

If A d v intercepts, modifies, and deletes the transmitted messages, it can execute Section 6.1.1 to extract U i ’s real identity.However, it is impossible for A d v to obtain real identity I D i . The user’s I D i is comprised of R I D i = h ( D I D i | | H P W i | | s k s p ) by using hash and XOR functions. Therefore, the proposed protocol ensures the anonymity of U i .

6.1.12. Privacy-Preservation

In the proposed scheme, U i ’s identity and sensitive personal information are managed by the user, and it is provided only to other relevant parties when access to specific services and data is required. The S P can only check some of U i ’s information as a requirement to access the metaverse environment, and U i ’s other information cannot be viewed without user consent. Therefore, the proposed scheme guarantees the privacy preservation of the user.

6.1.13. Untraceability

Nontraceability ensures that an external A d v cannot track the legitimate user U i . Because all messages are dynamic and unique using temporary identities R I D x , random nonces X i and Y j , and timestamps T x in each session, where each parameters are updated every session in the login phase, the proposed scheme provides untraceability for U i .

6.1.14. Denial-of-Service (DoS) Attack

The A d v attempts to create a number of login request messages and transmit them to the S P to paralyze the network. However, since the S P checks the R I D i and T i , which are updated each session, the A d v cannot create new valid messages. Even if the A d v attempts to resend past messages, S P considers them invalid and terminates the connection. Therefore, the proposed scheme ensures safety against DoS attacks.

6.2. Security Analysis Using BAN Logic

Over the BAN logic analysis, we prove that the proposed scheme guarantees secure mutual authentication between the user U i and S P . We also define the rules, goals, idealized forms, and assumptions for performing BAN logic analysis. Table 2 introduces the BAN logic notations.

BAN Logic Rules

The BAN logic rules are as follows:
  • Message meaning rule:
    α | α K β , α X K α β X
  • Nonce verification rule:
    α # ( X ) , α β | X α β X
  • Jurisdiction rule:
    α β X , α β X α | X
  • Freshness rule:
    α | # ( X ) α | # X , Y
  • Belief rule:
    α | X , Y α | X .

6.3. Goals

We present the following security goals to show that the proposed system guarantees a secure mutual authentication.
Goal 1: 
U s e r ( U s e r S K S P )
Goal 2: 
U s e r S P ( U s e r S K S P )
Goal 3: 
S P ( U s e r S K S P )
Goal 4: 
S P U s e r ( U s e r S K S P )

6.3.1. Idealized Forms

The idealized forms are the following:
Msg1: 
U s e r S P : ( R I D i , M S 1 , M S 2 , T 2 ) B i
Msg2: 
S P U s e r : ( M S 3 , M S 4 , T 2 ) B i

6.3.2. Assumptions

We define the following initial assumptions for the BAN logic proof.
A 1 : 
S P # ( T 1 )
A 2 : 
U s e r # ( T 2 )
A 3 : 
U s e r ( S P B i U s e r )
A 4 : 
S P ( U s e r B i S P )
A 5 : 
S P # ( X i )
A 6 : 
U s e r # ( Y s p )
A 7 : 
U s e r S P ( U s e r S K S P )
A 8 : 
S P U s e r ( U s e r S K S P )

6.3.3. Proof Using BAN Logic

The detailed steps of the BAN logic proof are as follows:
Step 1: 
From M s g 1 ,
S 1 : S P ( R I D i , M S 1 , M S 2 , T 2 ) B i
Step 2: 
Upon the message meaning rule with S 1 and A 4 ,
S 2 : S P U s e r ( R I D i , M S 1 , M S 2 , T 2 )
Step 3: 
Using the freshness rule with A 1 ,
S 3 : S P # ( R I D i , M S 1 , M S 2 , T 2 )
Step 4: 
Using the nonce verification rule with S 2 and S 3 ,
S 4 : S P U s e r ( R I D i , M S 1 , M S 2 , T 2 )
Step 5: 
Since the session key S K U S P = h ( X i | | Y S P | | B i | | D I D i ) , from S 4 and A 5 ,
S 5 : S P U s e r ( U s e r S K S P ) ( Goal 4 )
Step 6: 
Upon the jurisdiction rule with S 6 and A 8 ,
S 6 : S P ( U s e r S K S P ) ( Goal 3 )
Step 7: 
Using the M s g 2 ,
S 7 : U s e r ( b 1 , I D S P , T 2 ) a 1
Step 8: 
From the message meaning rule with S 8 and A 3 ,
S 8 : U s e r S P ( b 1 , I D S P , T 2 ) a 1
Step 9: 
Using the freshness rule with A 2 ,
S 9 : U s e r # ( b 1 , I D S P , T 2 ) a 1
Step 10: 
Upon the nonce verification rule with S 9 and S 10 ,
S 10 : U s e r S P ( b 1 , I D S P , T 2 ) a 1
Step 11: 
Since the session key S K U S P = h ( X i | | Y S P | | B i | | D I D i ) , from S 11 and A 6 ,
S 11 : U s e r S P ( U s e r S K S P ) ( Goal 2 )
Step 12: 
Utilizing the jurisdiction rule with S 13 and A 7 ,
S 12 : U s e r ( U s e r S K S P ) ( Goal 1 )
Therefore, the proposed protocol achieves secure mutual authentication between the user and SP.

6.4. ROR Model

The ROR model, which is based on probabilistic game theory, is widely used to analyze the semantic security of an authenticated key agreement [32,33,34]. Using the ROR model, we demonstrate that our proposed scheme ensures session key security against a malicious adversary within probabilistic polynomial time. We first present the fundamentals of the ROR model in Table 3. We follow this by proving the session key security of our proposed scheme.
In the ROR model, adversary A interacts with the t -th instance of an executing participant, P t . Then, we define P U t and P S P t as the participants of t-th U i and t-th S P . In the ROR model, the adversary can execute E x e c u t e , S e n d , R e v e a l , T e s t , and C o r r u p t to consider different queries presuming actual security attacks. The descriptions of each query are introduced in Table 3. Furthermore, a query of the collision-resistant one-way hash function is denoted as H a s h .
Theorem 1. 
Before proving the session key security of the proposed scheme, we define q h a s h and q s e n d as the number of H a s h and S e n d queries, and | H a s h | as the range space of the hash function. C and s denote Zipf’s parameters [35], and l B is the number of bits in the biometric secret key r i . When adversary A obtains the session key in polynomial time, the adversary A breaches the semantic security of the proposed scheme, and its advantage is represented by A d v A ( t ) . A d v A ( t ) is estimated by
A d v A ( t ) q h a s h 2 | H a s h | + 2 m a x { C · q s e n d s , q s e n d 2 l B } .
Proof. 
We consider the following games G i , i = [ 0 , 3 ] , and assume that P r [ S u c c G i ] is A ’s advantage of winning the game G i . The detailed descriptions of each game are discussed as follows. □
  • Game 0:  G 0 presents the A ’s real attacks against our proposed scheme in the ROR model. A selects the bit c at the starting of G 0 . A d v A ( t ) is as follows.
    A d v A ( t ) = | 2 P r [ S u c c G 0 ] 1 | .
  • Game 1:  G 1 is modeled such that A implements an eavesdropping attack. In this game, A executes the E x e c u t e ( · ) query to steal the communicated messages { R I D i , M S 1 , M S 2 , T 1 } and { M S 3 , M S 4 , T 2 } between U i and S P . At the end of this game, A executes R e v e a l and T e s t queries to check whether the derived session key S K U S P is an actual or random key. A needs the long-term secret values (such as the private keys s k i and s k s p ), and the short-term secret values (such as the random nonces X i and Y s p ) to extract the S K U S P . However, it is impracticable for A to obtain these secret values, even if A obtains all communicated messages. As shown, the eavesdropping messages { R I D i M S 1 , M S 2 , T 1 } and { M S 3 , M S 4 , T 2 } do not increase the probability of a winning game G 1 . Therefore, because games G 1 and G 0 are indistinguishable, we obtain
    P r [ S u c c G 1 ] = P r [ S u c c G 0 ] .
  • Game 2:  G 2 is modeled as an active attack. In this game, A executes the S e n d and H a s h queries to guess the hash collision. However, all exchanged messages are protected using the one-way hash function h ( · ) and consist of secret credentials and random numbers. Moreover, it is difficult for A d v to derive secret credentials and a random nonce because it is a computationally infeasible problem depending on the properties of h ( · ) . So, using the birthday paradox, we obtain the following inequality:
    | P r [ S u c c G 1 ] P r [ S u c c G 2 ] | q h a s h 2 2 | H a s h | .
  • Game 3:  G 3 is modeled such that an active attack is implemented by A . In this game, A executes the C o r r u p t ( P V t , P E P t ) query to extract the secret values { D I D i , H V C i , δ i , H R I D i , H B i , A i } from the user’s XR devices. Subsequently, to derive credential V P i and U i ’s secret key s k i , A must guess the unknown password P W i through operating the S e n d query. However, it is computationally infeasible for A to guess the password P W i through the S e n d query without V i ’s identity I D i and secret nonce x i . In the absence of password-guessing attacks, games G 2 and G 3 are identical. The probability of A winning the game G 4 using Zip’s law is
    [ P r [ S u c c G 3 ] P r [ S u c c G 4 ] ] m a x { C · q s e n d s , q s e n d 2 l B } .
After all of the games are executed, A conjectures the correct bit c. Hence, we obtain
P r [ S u c c G 3 ] = 1 2 .
Considering Equations (2) and (3), we obtain
1 2 A d v A ( t ) = | P r [ S u c c G 0 ] 1 2 | = | P r [ S u c c G 1 ] 1 2 | .
Then, we consider Equations (4) and (5) and obtain the following inequality:
1 2 A d v A ( t ) = | P r [ S u c c G 1 ] P r [ S u c c G 4 ] | q h a s h 2 2 | H a s h | + m a x { C · q s e n d s , q s e n d 2 l B } .
Consequently, the stipulated result A d v A ( t ) is presented by multiplying both sides of Equation (8):
A d v A ( t ) q h a s h 2 | H a s h | + 2 m a x { C · q s e n d s , q s e n d 2 l B } .

6.5. Avispa Simulation Tool

AVISPA is a well-known security simulation tool that analyzes the protocols’ ability to resist replay and MITM attacks [36,37,38]. The AVISPA tool employs the high-level protocols specifications language (HLPSL) for outlining the actions of each participant. Afterword, the HLPSL code of the protocol is converted into the intermediate format (IF) through the HLPSL2IF translator. Then, IF data are input to implement AVISPA on one of four backends, such as “the CL-based attack searcher (CL-AtSe)”, “the on-the-fly-model checker (OFMC)”, “the tree Automata-based protocol analyzer (TA4SP)”, and “the SAT-based model checker (SATMC)”. When IF data are passed through the selected backend, the simulation result is output following the output format (OF). In this paper, we perform AVISPA simulations of the proposed scheme using OFMC and the CL-AtSe backend, which provide the XOR operation. In OF, if the SUMMARY segment indicates SAFE, it means that the analyzed scheme is resistant to replay and MITM attacks.
Figure 6 describe the user’s role in HLPSL code form. The other parties (service provider and certificate authority) are also coded in a format similar to Figure 6. Figure 7 indicates the goals and environment of the proposed protocol and the role of the session. Figure 8 presents the AVISAP simulation result of the proposed protocol using CL-AtSe and OFMC. The results under the CL-AtSe and OFMC backends show that the proposed protocol is safe. Therefore, the proposed protocol can be resilient against man-in-the-middle and replay attacks.

7. Performance Analysis

We analyze the detailed comparative analysis of the proposed scheme with related schemes [16,17,18] in terms of the computation costs and the communication costs.

7.1. Analysis of Computation Cost

We compare the computation costs of the proposed scheme with the related schemes [16,17,18]. In this paper, we follow the execution time of the cryptographic operation measured by [39] using 2048 MB of RAM, Intel Pentium Dual CPU E2200 2.20 GHz, and the Ubuntu 12.04.1 LTS 32bit operating system. The cyclic group G 1 is a subgroup of E ( F q ) : y 2 = x 3 + x , and G 2 is a subgroup of F q 2 . The group order of G1 is 160 bits, and the order of the base field is 512 bits. Depending on [39,40,41], we assume that the computation costs of ‘a one-way hash function’, ‘biohasing function’, ‘elliptic curve point addition’, ‘elliptic curve scalar point multiplication’, ‘bilinear pairing’, ‘random nonce generation’, and ‘fuzzy extraction’ are T H 0.0023 ms, T B H 0.01 ms [40], T E A 0.0288 ms, T E M 2.226 ms, T P 5.811 ms, T R 0.539 ms, T F 2.68 ms [41], respectively. We estimate the computation costs of the proposed scheme and related schemes and compare them. The comparison results are shown in Table 4. Because the proposed technique is designed based on XOR and Hash while minimizing the use of ECC, it shows much lower computation costs than the other existing schemes.

7.2. Analysis of Communication Cost

We assume that the bit sizes of the identity, hash output, random nonce, timestamp, and elliptic curve point are 160, 160, 160, 32, and 320, respectively. We present the comparison of the proposed scheme and existing schemes in Table 5. Under the results of the communication cost comparison, the proposed scheme provides a more efficient computation cost compared with the other existing schemes.

7.3. Security and Functionality Comparison

In terms of security and functionality features, we compare the proposed scheme with other related schemes [16,17,18]. The security features of the proposed scheme and related schemes are presented in Table 6.
The results of our performance and security feature comparisons with related works indicate that our proposed scheme is more efficient in terms of computation and communication costs and satisfies a higher number of security requirements compared to existing schemes. Therefore, the proposed protocol can provide users with a secure service in the metaverse environment and is a lightweight protocol that takes into account the resource constraints of XR devices.

8. Conclusions

In this paper, we propose a secure authentication scheme for metaverse environments to provide a secure avatar interactions and prevent against various security attacks. In our scheme, users can utilize DID and VC to prove their identity to other avatars in the metaverse without revealing irrelevant personal information to service providers. Furthermore, the proposed scheme provides a secure communication channel against various attacks through secure authentication and key agreement between the user and service provider. The proposed scheme is resistant to various security attacks (including stolen XR devices, offline password guessing, user and avatar impersonation, etc.) by performing the ROR oracle security analyses, the well-known AVISPA simulation, and BAN logic analyses. Next, the proposed scheme provides lower computation and communication costs than other related schemes for the metaverse environment by the comparison of computation costs and communication costs. Therefore, the proposed scheme can be applied to practical metaverse environments to provide high security and privacy preservation. In the future, we intend to research authentication protocols for a secure and trusted metaverse environment, taking into consideration potential security issues that may arise in the blockchain.

Author Contributions

Conceptualization, M.K.; formal analysis, M.K. and S.S.; methodology, M.K. and Y.P. (Yohan Park); software M.K. and J.O.; validation, M.K., Y.P. (Yohan Park) and Y.P. (Youngho Park); writing—original draft, M.K.; writing—review and editing, J.K. and Y.P. (Youngho Park); supervision, Y.P. (Youngho Park). All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the National Research Foundation of Korea (NRF) funded by the Ministry of Education under grant 2020R1I1A3058605.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Xu, M.; Ng, W.C.; Lim, W.Y.B.; Kang, J.; Xiong, Z.; Niyato, D.; Yang, Q.; Shen, X.; Miao, C. A full dive into realizing the edge-enabled metaverse: Visions, enabling technologies, and challenges. IEEE Commun. Surv. Tutor. 2023, 25, 656–700. [Google Scholar] [CrossRef]
  2. Yang, Q.; Zhao, Y.; Huang, H.; Xiong, Z.; Kang, J.; Zheng, Z. Fusing blockchain and AI with metaverse: A survey. IEEE Open J. Comput. Soc. 2022, 3, 122–136. [Google Scholar] [CrossRef]
  3. Huynh-The, T.; Gadekallu, T.R.; Wang, W.; Yenduri, G.; Ranaweera, P.; Pham, Q.V.; Costa, D.B.; Liyanage, M. Blockchain for the metaverse: A review. Futur. Gener. Comp. Syst. 2023, 143, 401–419. [Google Scholar] [CrossRef]
  4. Bansal, G.; Rajgopal, K.; Chamola, V.; Xiong, Z.; Niyato, D. Healthcare in metaverse: A survey on current metaverse applications in healthcare. IEEE Access 2022, 10, 119914–119946. [Google Scholar] [CrossRef]
  5. Park, S.; Kim, Y. A metaverse: Taxonomy, components, applications, and open challenges. IEEE Access 2022, 10, 4209–4251. [Google Scholar] [CrossRef]
  6. A Researcher’s Avatar was Sexually Assaulted on a Metaverse Platform Owned by Meta, Making Her the Latest Victim of Sexual Abuse on Meta’s Platforms, Watchdog Says. Available online: https://www.businessinsider.com/researcher-claims-her-avatar-was-raped-on-metas-metaverse-platform-2022-5 (accessed on 20 September 2023).
  7. Wang, Y.; Su, Z.; Zhang, N.; Xing, R.; Liu, D.; Luan, T.H.; Shen, X. A survey on metaverse: Fundamentals, security, and privacy. IEEE Commun. Surv. Tutor. 2023, 25, 319–352. [Google Scholar] [CrossRef]
  8. Falchuck, B.; Loeb, S.; Neff, R. The social metaverse: Battle for privacy. IEEE Technol. Soc. Mag. 2018, 37, 52–61. [Google Scholar] [CrossRef]
  9. Li, Y.; Cheng, Y.; Meng, W.; Li, Y.; Deng, R.H. Designing leakage-resilient password entry on head-mounted smart wearable glass devices. IEEE Trans. Inf. Forensic Secur. 2020, 16, 307–321. [Google Scholar] [CrossRef]
  10. Sayeed, S.; Pitropakis, N.; Buchanan, W.J.; Markakis, E.; Papatsaroucha, D.; Politis, I. TRUSTEE: Towards the creation of secure, trustworthy and privacy-preserving framework. In Proceedings of the 18th International Conference on Availability, Reliability and Security, Benevento, Italy, 29 August–1 September 2023; pp. 1–10. [Google Scholar]
  11. Tu, S.; Yu, H.; Badshah, A.; Waqas, M.; Halim, Z.; Ahmad, I. Secure internet of vehicles (IoV) with decentralized consensus blockchain mechanism. IEEE Trans. Veh. Technol. 2023, 72, 11227–11236. [Google Scholar] [CrossRef]
  12. Sayeed, S.; Marco-Gisbert, H. Assessing blockchain consensus and security mechanisms against the 51% attack. IEEE Commun. Surv. Tutor. 2019, 9, 1788. [Google Scholar] [CrossRef]
  13. Truong, V.T.; Le, L.; Niyato, D. Blockchain meets metaverse and digital asset management: A comprehensive survey. IEEE Access 2023, 11, 26258–26288. [Google Scholar] [CrossRef]
  14. Patwe, S.; Mane, S. Blockchain enabled architecture for secure authentication in the metaverse environment. In Proceedings of the 2023 IEEE 8th International Conference for Convergence in Technology (I2CT), Lonavla, India, 7–9 April 2023; pp. 1–8. [Google Scholar]
  15. Huang, Y.; Li, Y.J.; Cai, Z. Security and privacy in metaverse: A comprehensive survey. Big Data Min. Anal. 2023, 6, 234–247. [Google Scholar] [CrossRef]
  16. Panda, P.K.; Chattopadhyay, S. A secure mutual authentication protocol for IoT environment. J. Reliable Intell. Environ. 2020, 6, 79–94. [Google Scholar] [CrossRef]
  17. Li, Y.; Xu, M.; Xu, G. Blockchain-based mutual authentication protocol without CA. J. Supercomput. 2022, 78, 17261–17283. [Google Scholar] [CrossRef]
  18. Ryu, J.; Son, S.; Lee, J.; Park, Y.; Park, Y. Design of secure mutual authentication scheme for metaverse environments using blockchain. IEEE Access 2022, 10, 98944–98958. [Google Scholar] [CrossRef]
  19. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; pp. 523–540. [Google Scholar]
  20. Decentralized Identifiers (DIDs) v1.0 Core Architecture, Data Model, and Representations. Available online: https://www.w3.org/TR/did-core/ (accessed on 22 August 2023).
  21. Verifiable Credentials Data Model 1.1. Available online: https://www.w3.org/TR/vc-data-model/ (accessed on 22 August 2023).
  22. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  23. Masud, M.; Gaba, G.S.; Choudhary, K.; Hossain, M.S.; Alhamid, M.F.; Muhammad, G. Lightweight and anonymity-preserving user authentication scheme for IoT-based healthcare. IEEE Internet Things J. 2022, 9, 2649–2656. [Google Scholar] [CrossRef]
  24. Kim, M.; Lee, J.; Oh, J.; Kwon, D.; Park, K.; Park, Y.; Park, K.H. A secure batch authentication scheme for multiaccess edge computing in 5G-enabled intelligent transportation system. IEEE Access 2022, 10, 96224–96238. [Google Scholar] [CrossRef]
  25. Bhattacharya, M.; Roy, S.; Chattopadhyay, S.; Das, A.K.; Jamal, S.S. ASPA-MOSN: An efficient user authentication scheme for phishing attack detection in mobile online social networks. IEEE Syst. J. 2023, 17, 234–245. [Google Scholar] [CrossRef]
  26. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Proceedings of the Annual International Cryptology Conference (CRYPTO), Santa Barbara, CA, USA, 15–19 August 1999; pp. 388–397. [Google Scholar]
  27. Son, S.; Kwon, D.; Lee, S.; Jeon, Y.; Das, A.K.; Park, Y. Design of secure and lightweight authentication scheme for UAV-enabled intelligent transportation systems using blockchain and PUF. IEEE Access 2023, 11, 60240–60253. [Google Scholar] [CrossRef]
  28. Kim, M.; Lee, J.; Park, K.; Park, Y.; Park, K.H.; Park, Y. Design of secure decentralized car-sharing system using blockchain. IEEE Access 2021, 9, 54796–54810. [Google Scholar] [CrossRef]
  29. Canetti, R.; Krawczyk, H. Universally composable notions of key exchange and secure channels. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Amsterdam, The Netherlands, 28 April–2 May 2002; pp. 337–351. [Google Scholar]
  30. Soni, P.; Pardhan, J.; Pal, A.K.; Islam, S.K.H. Cybersecurity attack-resilience authentication mechanism for intelligent healthcare system. IEEE Trans. Ind. Inform. 2023, 19, 830–840. [Google Scholar] [CrossRef]
  31. Oh, J.; Yu, S.; Lee, J.; Son, S.; Kim, M.; Park, Y. A secure and lightweight authentication protocol for IoT-based smart homes. Sensors 2021, 21, 1488. [Google Scholar] [CrossRef] [PubMed]
  32. Hosseinzadeh, M.; Ahmed, O.H.; Ahmed, S.H.; Trinh, C.; Bagheri, N.; Kumari, S.; Lansky, J.; Huynh, B. An enhanced authentication protocol for RFID systems. IEEE Access 2020, 8, 126977–126987. [Google Scholar] [CrossRef]
  33. Lee, J.; Kim, G.; Das, A.K.; Park, Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021, 8, 2412–2425. [Google Scholar] [CrossRef]
  34. Chen, C.M.; Chen, Z.; Kumari, S.; Lin, M.C. LAP-IoHT: A lightweight authentication protocol for the internet of health things. Sensors 2022, 22, 5401. [Google Scholar] [CrossRef]
  35. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
  36. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 22 August 2023).
  37. SPAN: A Security Protocol Animator for AVISPA. Available online: https://people.irisa.fr/Thomas.Genet/span/ (accessed on 22 August 2023).
  38. Yu, S.; Lee, J.; Park, Y.; Park, Y.; Lee, S.; Chung, B. A secure and efficient three-factor authentication protocol in global mobility networks. Appl. Sci. 2020, 10, 3565. [Google Scholar] [CrossRef]
  39. Kilinc, H.H.; Yanik, T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2013, 16, 1005–1023. [Google Scholar] [CrossRef]
  40. Ravanbakhsh, N.; Nazari, M. An efficient improvement remote user mutual authentication and session key agreement scheme for E-health care systems. Multimed. Tools Appl. 2018, 77, 55–88. [Google Scholar] [CrossRef]
  41. Gope, P.; Sikdar, B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2019, 6, 580–589. [Google Scholar] [CrossRef]
Figure 1. The proposed system model.
Figure 1. The proposed system model.
Electronics 12 04073 g001
Figure 2. User setup phase of the proposed scheme.
Figure 2. User setup phase of the proposed scheme.
Electronics 12 04073 g002
Figure 3. User registration phase of the proposed scheme.
Figure 3. User registration phase of the proposed scheme.
Electronics 12 04073 g003
Figure 4. Login phase of the proposed scheme.
Figure 4. Login phase of the proposed scheme.
Electronics 12 04073 g004
Figure 5. Avatar authentication phase of the proposed scheme.
Figure 5. Avatar authentication phase of the proposed scheme.
Electronics 12 04073 g005
Figure 6. Role of user.
Figure 6. Role of user.
Electronics 12 04073 g006
Figure 7. Role of session, environment, and goal.
Figure 7. Role of session, environment, and goal.
Electronics 12 04073 g007
Figure 8. Result of AVISPA simulation.
Figure 8. Result of AVISPA simulation.
Electronics 12 04073 g008
Table 1. Symbols and their meanings.
Table 1. Symbols and their meanings.
SymbolDescription
U i i-th user
S P The service provider
C A A certificate authority
I D i , P W i Identity and password of U i
s k x , P K x Secret key and public key of entity x
D I D x Decentralized identity of entity x
H ( · ) Hash function
TTimestamp
α i , β x , x x , a x Random nonces
XOR operation
| | Concatenation operation
Table 2. Notations for BAN logic.
Table 2. Notations for BAN logic.
NotationDescription
α | X α  believes statement X
#XStatement X is fresh
α X α  sees statement X
α X α  controls statement X
α | X α once said X
{ X } K X is encrypted under key K
< X > Y Formula X is combined with formula Y
α K β α and β may use shared key K to communicate
β K β has K as a public key
S K Session key used in the current session
Table 3. Various queries and descriptions.
Table 3. Various queries and descriptions.
QueryDescription
E x e c u t e ( P U t , P S P t ) A using this query to tap the communication messages transmitted between P U t and P S P t .
S e n d ( P t , M ) A sends a messages to the P t and receives a response messages from P t .
R e v e a l ( P t ) A gets a current session key between P t and its partner.
T e s t ( P t ) A guesses the probabilistic outcome for a flipped unbiased coin C. If the session key is fresh, A receives C = 0 . If the session key is not fresh, A receives C 0 . Otherwise, A obtains null value (⊥).
C o r r u p t ( P U t ) This query presumes an active attack. A extracts secret values stored in the XR devices by executing a power analysis.
Table 4. Computation costs for authentication scheme: a comparative summary.
Table 4. Computation costs for authentication scheme: a comparative summary.
SchemesUserService Provider
Panda and Chattopadhyay [16] 5 T E M + T E A + 6 T H 36.7759 ms 5 T E M + 2 T E A + 3 T H 36.7837 ms
Li et al. [17] 7 T E M + 5 T H 51.4723 ms 2 T P + 6 T E M + T E A + 5 T H 88.2458 ms
Ryu et al. [18] 4 T E M + T E A + 8 T H + 2 T B H 29.4438 ms 5 T E M + T E A + 5 T H 36.7755 ms
The proposed scheme T R + T F + 11 T H 3.2443 ms T R + 6 T H 0.5528 ms
Table 5. Communication costs for each scheme: a comparative summary.
Table 5. Communication costs for each scheme: a comparative summary.
SchemesCosts
  Panda and Chattopadhyay  [16]  1440 bits
  Li et al. [17]  1888 bits
  Ryu et al. [18]  1344 bits
  Our scheme  1024 bits
Table 6. A comparison of security and functionality features.
Table 6. A comparison of security and functionality features.
Panda and Chattopadhyay  [16]Li et al. [17]Ryu et al. [18]Our Scheme
  Stolen IoT devices(XR) attack
  Offline password guessing attack
  Impersonation attack
  Avatar impersonation attack
  Session key disclosure attack
  Perfect forward secrecy
  Replay attack
  MITM attack
  Insider attack
  Ephemeral secret leakage attack×
  Mutual authentication×
  Anonymity×
  Privacy-preservation×
  Untraceability×
  Denial-of-Service (DoS) Attack××
: scheme is secure or provides functionality feature; ×: scheme is insecure and does not provide functionality feature; −: cannot be considered.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Kim, M.; Oh, J.; Son, S.; Park, Y.; Kim, J.; Park, Y. Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment. Electronics 2023, 12, 4073. https://doi.org/10.3390/electronics12194073

AMA Style

Kim M, Oh J, Son S, Park Y, Kim J, Park Y. Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment. Electronics. 2023; 12(19):4073. https://doi.org/10.3390/electronics12194073

Chicago/Turabian Style

Kim, Myeonghyun, Jihyeon Oh, Seunghwan Son, Yohan Park, Jungjoon Kim, and Youngho Park. 2023. "Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment" Electronics 12, no. 19: 4073. https://doi.org/10.3390/electronics12194073

APA Style

Kim, M., Oh, J., Son, S., Park, Y., Kim, J., & Park, Y. (2023). Secure and Privacy-Preserving Authentication Scheme Using Decentralized Identifier in Metaverse Environment. Electronics, 12(19), 4073. https://doi.org/10.3390/electronics12194073

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop