Next Article in Journal
Fundamentals of an Artificial Intelligence Engine for Human Life: Topological Modelling of the Fundamental Moments and States of Life
Previous Article in Journal
Unsteady Water-Based Ternary Hybrid Nanofluids on Wedges by Bioconvection and Wall Stretching Velocity: Thermal Analysis and Scrutinization of Small and Larger Magnitudes of the Thermal Conductivity of Nanoparticles
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Mathematics
Volume 10
Issue 22
10.3390/math10224310
mathematics-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices

by
Da-Zhi Sun
1,* and
Yangguang Tian
2
1
Tianjin Key Laboratory of Advanced Networking (TANK), College of Intelligence and Computing, Tianjin University, Tianjin 300350, China
2
Department of Computer Science, University of Surrey, Surrey GU2 7XH, UK
*
Author to whom correspondence should be addressed.
Mathematics 2022, 10(22), 4310; https://doi.org/10.3390/math10224310
Submission received: 20 October 2022 / Revised: 14 November 2022 / Accepted: 15 November 2022 / Published: 17 November 2022
(This article belongs to the Topic Safe and Secure Autonomous Systems)
Browse Figures
Versions Notes

Abstract

:
Recently, Zerrouki et al. proposed a Physically Unclonable Function (PUF) mutual authentication and session key establishment protocol for IoT (Internet of Things) devices. Zerrouki et al.’s PUF protocol is interesting because it does not require the storage of any sensitive information on the local memory of the IoT device, which avoids many potential attacks, especially side-channel attacks. Therefore, we carefully investigate the security of Zerrouki et al.’s PUF protocol under the leakage assumption of the session key. Our findings are in the following. First, Zerrouki et al.’s PUF protocol fails to provide known-key security. That is, the adversary can impersonate not only the server to cheat the IoT device but also the IoT device to cheat the server when the adversary corrupts a session key between the server and the IoT device. Second, Zerrouki et al.’s PUF protocol suffers from the key-compromise impersonation attack. It means that the adversary can impersonate the IoT device to cheat the server if the adversary discloses the server’s secret key. Third, Zerrouki et al.’s PUF protocol does not support backward secrecy for the session key. That is, the adversary is always able to derive the session key from the previous session key. We also suggest the root cause of these security flaws in Zerrouki et al.’s PUF protocol. As a case study, our cryptanalysis results would promote a security model for more robust and efficient PUF authentication and session key establishment protocol. Moreover, our idea of the key compromise can be used to evaluate other novel PUF protocol designs.

1. Introduction

With the Internet and Web expansion into physical reality, the Internet of Things (IoT) is driving the next wave of innovation in both network models and computational technology. However, compared to traditional networks, IoT-driven networks are more prone to security exploitation due to the huge number of complex, heterogeneous, and interoperable IoT devices [1]. Therefore, more robust security technology is required to prevent the illegal leakage of sensitive data through the theft and hacking of IoT devices. In practice, the authentication and session key establishment protocol aims to secure sessions and support confidential data transmission for IoT devices.
However, the design of the authentication and session key establishment protocol is a daunting task in IoT networks. On the one hand, any security weakness in the protocol allows a compromised IoT device to gain access to the IoT trusted network and conduct unauthorized communication, inject false data, access confidential data, and launch dangerous attacks. On the other hand, it is challenging to deploy traditional authentication protocols because of the processing resource limitation of IoT devices. Hence, there is a desire for strong but lightweight authentication and session key establishment protocol for IoT devices.
A Physically Unclonable Function (PUF) [2] is an irreversible probabilistic function that produces a random bit string. PUF has been widely employed as a security primitive to provide device identification and authentication. There are many application scenarios of PUF. A software license requires a software license key or a product key that is used during the installation of software. This key authorizes a genuine purchase of the software product by the user and verifies the authenticity of the software installation copy. The adversary may attempt to steal the key and hence cracks the copies of the original versions. To defend against such piracy behavior, software companies may resort to using a PUF to generate the key. The PUF also can protect the intellectual property of Field Programmable Gate Array (FPGA) design modules. The identity of a hardware device can be recognized by comparing the PUF response to the registered one to find the misappropriation of hardware device and FPGA design modules.
The silicon PUF [3] eliminates the need to store secret keys in the device memory. This feature makes it a potential alternative to designing more low-cost authentication and session key establishment protocols. Hence, in this paper, we investigate the PUF authentication and session key establishment protocols for IoT devices.

1.1. Related Work

Delvaux et al. [4] reviewed 19 early PUF entity authentication protocols in chronological order: from the original PUF proposal (2001) to the more complicated noise bifurcation and system PUF proposals (2014). Gope and Sikdar [5] presented current progress and open challenges in designing PUF authentication and session key establishment protocols for IoT devices. According to the different PUF assumptions, we can briefly classify the PUF protocols for IoT devices into three categories, which are as follows:
  • Ideal PUF construction. The ideal PUF protocol provides a baseline for the design of PUF protocols and is useful for supporting authentication and session key establishment. The ideal PUF protocols [6,7] always generate a secret stable PUF response at runtime under controlled operating conditions.
  • Noisy-based PUF construction with Fuzzy Extractor (FE)/reverse FE. One of the limitations of PUFs is their sensitivity to the environmental noise incurred by ambient and operating conditions. The response of a PUF to the same challenge may be changed due to the current conditions, for example, temperature and voltage levels. FEs [8,9] were proposed as a solution to this problem. Due to the complex and time-consuming nature of FEs, reverse FEs [10,11] were developed for the fast implementation of secure sketches and FEs. Many researchers proposed the PUF authentication and session key establishment protocols using FE or reverse FE. Some PUF protocols aim to provide additional security and privacy functions. Guan et al. [12] proposed a PUF identity authentication protocol that employs the unique identification information generated by both the PUF and passwords set by users. Aman et al. [13] presented a PUF protocol, which requires the exchange of only two messages between the server and the IoT device. Mostafa et al. [14] designed a lightweight mutual two-factor authentication mechanism. Idriss et al. [15] demonstrated a lightweight PUF-based protocol that uses secret pattern recognition to offer mutual authentication and authenticated secret message exchange for constrained devices. An et al. [16] proposed a lightweight anonymous authentication protocol that does not require the storage of a large number of Challenge–Response Pairs (CRPs). Wang et al. [17] proposed a PUF protocol that introduces the supplementary sub-protocol to enhance resistance to the desynchronization attack. Zerrouki et al. [18] proposed a mutual authentication and a session key establishment protocol for IoT devices based on Silicon PUFs using Arbiter chips. Other PUF protocols emphasize the design for special application scenarios. Gope and Sikdar [19] proposed a novel privacy-aware authenticated key agreement scheme for secure smart grid communication. Kaveh et al. [20] designed a two-way physically secure signcryption scheme for secure smart grid communication. Yanambaka et al. [21] presented a device authentication scheme that uses PUFs and is suitable for the Internet-of-Medical-Things (IoMT). Shao et al. [22] proposed an anonymous PUF authentication protocol for Wireless Medical Sensor Networks (WMSNs) by using PUFs, FE, cryptographic one-way hash functions, and bitwise XOR operations. Alkatheiri et al. [23] designed a PUF authentication protocol for an Unmanned Aerial Vehicle (UAV)-based multi-agent system robust. Yu et al. [24] designed a PUF authentication protocol for the Internet of Drones (IoD) to guarantee reliable and useful services in smart city environments. Zheng et al. [25] demonstrated a lightweight PUF-based mutual authentication and key exchange protocol for Peer-to-Peer (P2P) IoT applications.
  • Training PUF model-based construction. Machine Learning (ML) modeling attacks [26] have emerged as the primary security issue for PUF protocols. In such attacks, the ML algorithm collects and analyzes the data from a PUF and uses them to create a model for the PUF. Therefore, we require ML-attack-resilience-based PUF authentication and session key establishment protocols. Majzoobi et al. [27] proposed a Slender PUF protocol that does not follow the classic paradigm of exposing the full PUF responses. They demonstrated that the Slender PUF protocol could be resilient against known ML modeling attacks if carefully designed. Huang et al. [28] proposed a lightweight mutual authentication protocol based on configurable tristate PUFs that can resist ML modeling attacks. However, these protocol-level approaches are not scalable, meaning that they are unsuitable for most IoT environments.
Concerning the security strength, training PUF model-based construction possibly achieves strong authentication and session key, compared with ideal PUF construction and noisy-based PUF construction with FE/reverse FE. In view of implementation concerns, noisy-based PUF construction with FE/reverse FE is more robust than ideal PUF construction and training PUF model-based construction.

1.2. Our Contributions

Zerrouki et al.’s PUF protocol [18] is interesting because it does not require the storage of any sensitive information on the local memory of the IoT device, which avoids many potential attacks, especially side-channel attacks. Moreover, using the Verifpal tool, the security of Zerrouki et al.’s PUF protocol is evaluated by the formal method. In addition, Zerrouki et al. performed a comparison of the PUF protocols and discussed the advantages and efficiency of Zerrouki et al.’s PUF protocol. The reader is referred to [18] for these full technique details.
Therefore, in this paper, we carefully study the security of Zerrouki et al.’s PUF protocol. Our results are as follows:
  • Zerrouki et al.’s PUF protocol fails to provide known-key security. That is, when an adversary knows a previous session key of Zerrouki et al.’s PUF protocol, they can impersonate not only the IoT device to cheat the server but also the server to cheat the IoT device.
  • Zerrouki et al.’s PUF protocol suffers from key-compromise impersonation attacks. This means that an adversary can impersonate an IoT device to cheat the server when the adversary captures the secrets of the server of the corresponding IoT device.
  • Zerrouki et al.’s PUF protocol does not support backward secrecy for the session key. We demonstrate that once an adversary finds the current session key between the IoT device and the server, the adversary can continuously derive all their subsequent session keys from it.
Table 1 summarizes the notations and cryptographic functions used throughout the paper.

2. Supported Security Mechanisms

2.1. PUF

A PUF is a security primitive that exploits physicality randomness in PUF-based devices. An example is silicon PUFs, which are a sub-class of PUFs. Because of manufacturing differences, an integrated circuit (IC) maintains unique physical characteristics. That is, the output of each IC will be unique for the given input. Hence, a silicon PUF is designed by extracting the unique output that is called the response from an input that is called the challenge. Here, a challenge and its corresponding response form a so-called CRP. As shown in Figure 1, it is impossible for PUFs to output the same response when the different challenges are inputted, and the different PUFs output the same response when the same challenge is inputted. Zerrouki et al. [18] divided the silicon PUF into three major classes: memory-based PUFs, delay-based PUFs, and analog–electronic PUFs.
The device embedded in the IC uses its silicon PUF for security applications, such as cryptographic key generation and authentication. Depending on the number of CRPs, silicon PUFs have two categories: weak PUFs and strong PUFs. A weak PUF is capable of generating a small number of CRPs and, therefore, is applied to derive cryptographic keys. Comparatively, a strong PUF provides a very large number of CRPs and is more suitable for authentication protocols.

2.2. Fuzzy Extractor

Intrinsically, the noises in the IC environments affect the reliability of the silicon PUF. When the same challenge is input into the PUF, the noises may cause errors in one or more response bits of the PUF and result in an incorrect response that differs from the original generated one. Therefore, in practice, cryptographic applications do not directly make use of the responses of the PUF.
As a coding technique, the FE can extract uniform random strings from noisy and non-uniform random data. Hence, the FE can eliminate the response noises of the PUF and achieve error correction for the responses of the PUF. As shown in Figure 2, the FE consists of a pair of algorithms, i.e., generation (Gen) and reproduction (Rep). Gen takes the initial response W as the input, and the outputs are uniform random string R, and the cryptographic key and a non-secret string P are the public helper data. To reproduce the uniform random string, the Rep algorithm takes two inputs: noisy response W’ and public helper data P. The reproduction process can succeed in recovering the uniform random string R when W and W’ are very close [29].

3. Zerrouki et al.’s Models of PUF Protocol

Many systems are related to IoT to some extent, such as Smartphone-assisted systems [30,31] for wearable devices, Blockchain-based systems [32,33,34,35] for multi-WSN (Wireless Sensor Networks), privacy-preserving verifiable data sharing, and smart city applications. We can compare them with Zerrouki et al.’s system and protocol. First, wearable devices, multi-WSN, and smart city applications systems dedicate to special network architectures. Comparatively, Zerrouki et al.’s system focuses on a general client–server network architecture. Second, Blockchain-based systems need to employ Blockchain techniques, and Zerrouki et al.’s system makes use of PUF. Third, PUF mutual authentication and session key establishment protocols may be embedded into those systems when the authentication service and the confidentiality service are necessary.

3.1. System Model

To design the PUF protocol, Zerrouki et al.’s system model describes the network architecture and its network component’s requirements. As shown in Figure 3, Zerrouki et al.’s system model has two types of entities: the IoT devices and the server. The IoT devices could equip various sensors. After a session of the PUF protocol, both the IoT device and the server authenticate each other and establish a session key for the subsequent secure communication. Certainly, the server needs secretly to store the security parameters of the IoT devices during the enrollment phase. Zerrouki et al.’s system model further assumes that:
  • IoT devices are resource-constrained; that is, IoT devices merely have limited capabilities of computation, memory, communication, and energy.
  • Each IoT device is equipped with an IC consisting of a PUF, which can provide the unique CRPs for the IoT device’s security applications.
  • The server has not the limitation of processing resources. This means that the server can carry out hardware/software network security solutions such as intrusion detection systems/intrusion prevention systems, firewalls, and anti-denial of service systems.

3.2. Security Model

In Zerrouki et al.’s security model, IoT devices are untrustworthy because they lack physical or hardware/software protection and are even deployed in public and hostile spaces. Meanwhile, the adversary can eavesdrop on the exchanged messages and alter them during the session of the PUF protocol. More importantly, an adversary may capture IoT devices and obtain critical secrets from their local memory. However, the adversary cannot exploit a PUF to simulate another one due to PUF’s unique physical characteristics. In addition, the communication between the IoT device microcontroller and its PUF component is through a secure channel.
Zerrouki et al.’s security model treats the server as the trusted party. In addition, the server and the IoT device should execute the enrollment phase in a secure environment.

4. Zerrouki et al.’s PUF Mutual Authentication and Session Key Establishment Protocol

Zerrouki et al.’s PUF protocol consists of three modules, i.e., the enrollment phase, the authentication phase, and the session key establishment phase. Their protocol employs both the PUF and the FE to secure the IoT devices and the trusted server. The IoT device registers to the server during the enrollment phase. After that, the IoT device and the server authenticate each other and secretly share a session key via the run of the authentication phase and the session key establishment phase.

4.1. Enrollment Phase

When a new IoT device A wants to be a member of the trusted network, both IoT device A and the server firstly enter into the enrollment phase. After successful registration, IoT device A becomes a legal member of the trusted network and never seeks the server’s permission to enroll. Figure 4 illustrates the enrollment phase. The detailed steps are as follows.
Step 1. IoT device A sends the message {IDA, Regreq}.
Step 2. Upon receiving {IDA, Regreq}, the server randomly generates CA,i and sends the message {IDA, CA,i} back to the IoT device A.
Step 3. Upon receiving {IDA, CA,i}, IoT device A computes RA,i by PUFA(CA,i). Then, IoT device A sends the message {IDA, CA,i, RA,i} to the server.
Step 4. Upon receiving {IDA, CA,i, RA,i}, the server extracts KA,i and PA,i by using Gen(RA,i), where (KA,i, PA,i) = Gen(RA,i). Then, the server hashes IDA and KA,i using h and further stores IDA, h(IDA), CA,i, h(KA,i), and PA,i on its secure local database. In the end, the server informs IoT device A about the completion of the registration process.

4.2. Authentication Phase

During the authentication phase, the IoT device uses the CRP of the PUF as a fingerprint to prove its identity to the server. Hence, the IoT device does not store any secret information and therefore avoids physical attacks. They perform the following steps:
Step 1: IoT device A finds the current TS1 and calculates h(IDA) and h(IDA, TS1). Then, IoT device A sends the message {h(IDA), Authreq, TS1, h(IDA, TS1)} to the server.
Step 2: Upon receiving {h(IDA), Authreq, TS1, h(IDA, TS1)}, the server executes the following operations.
Step 2.1: The server searches the existence of the received h(IDA) in its secure local database and retrieves IDA, h(IDA), CA,i, h(KA,i), and PA,i. If the finding fails, the server rejects the authentication request.
Step 2.2: The server calculates h(IDA, TS1) and further verifies whether the calculated h(IDA, TS1) is equal to the received one. If the comparison fails, the server rejects the authentication request.
Step 2.3: The server finds the current TS2 and calculates h(h(IDA), CA,i, PA,i, h(KA,i), TS2). Then, the server sends message {CA,i, PA,i, TS2, h(h(IDA), CA,i, PA,i, h(KA,i), TS2)} to the IoT device A.
Step 3: Upon receiving {CA,i, PA,i, TS2, h(h(IDA), CA,i, PA,i, h(KA,i), TS2)}, IoT device A executes the following operations.
Step 3.1: IoT device A uses its PUF to generate R’A,i = PUFA(CA,i). Since R’A,i is noisy, IoT device A reproduces KA,i by using Rep(R’A,i, PA,i). IoT device A calculates h(h(IDA), CA,i, PA,i, h(KA,i), TS2) and verifies whether the calculated h(h(IDA), CA,i, PA,i, h(KA,i), TS2) is equal to the received one. If the comparison fails, IoT device A terminates the session. Otherwise, IoT device A authenticates the server.
Step 3.2: IoT device A computes CA,i+1 = h(CA,i‖KA,i) and RA,i+1 = PUFA(CA,i+1), and then finds the current TS3, calculates h(h(IDA), TS3, h(KA,i), RA,i+1), and encrypts RA,i+1 using the key h(KA,i). IoT device A sends the message {TS3, h(h(IDA), TS3, h(KA,i), RA,i+1), (RA,i+1)h(KA,i)} to the server.
Step 4: Upon receiving {TS3, h(h(IDA), TS3, KA,i, RA,i+1), (RA,i+1)h(KA,i)}, the server decrypts (RA,i+1)h(KA,i) by the key h(KA,i) and further computes its h(h(IDA), TS3, h(KA,i), RA,i+1). The server verifies whether the calculated h(h(IDA), TS3, h(KA,i), RA,i+1) is equal to the received one. If the comparison fails, the server terminates the session. Otherwise, the server authenticates the IoT device A.
Note that in [18], Zerrouki et al.’s PUF protocol demands that IoT device A computes h(h(IDA), TS3, KA,i, RA,i+1) in Step 3.2 and the server verifies it in Step 4. However, it is incorrect because the server does not know KA,i during the authentication phase and cannot verify h(h(IDA), TS3, KA,i, RA,i+1). Hence, h(KA,i) should replace KA,i in Step 3.2 and Step 4.

4.3. Session Key Establishment Phase

IoT device A and the server use h(KA,i) as the session key. The server generates (KA,i+1, PA,i+1) = Gen(RA,i+1), calculates CA,i+1 = h(CA,i‖h(KA,i)), and hashes KA,i+1 to achieve h(KA,i+1). Then, the server updates the stored CA,i, h(KA,i), and PA,i of IoT device A to the new computed CA,i+1, h(KA,i+1), and PA,i+1 for the next session.
We need to point out that Zerrouki et al.’s PUF protocol [18] does not require checking the freshness of TS1, TS2, and TS3. This is not correct. We add them in Figure 5, which depicts the process of the authentication and session key establishment between IoT device A and the server.

5. Known-Key Security of Zerrouki et al.’s PUF Protocol

The server and the IoT device should secretly produce a new random session key after the run of a PUF mutual authentication and session key establishment protocol. These session keys are desirable in order to limit the amount of data available for cryptanalytic attacks, for example, ciphertexts generated using a session key in the encryption application. That is to say that the session keys aim to limit exposure in the event of session key leakage. The known-key security demands that a sound protocol should still achieve its security goal in the face of an adversary who has learned some previous session keys [36,37]. The known-key security is necessary for PUF mutual authentication and session key establishment protocol. In practice, an adversary can hijack the session of the protocol to reveal the obsolete session key. One hijacking approach is that the adversary may persuade the victim’s IoT device to install malicious protocol execution software, which leaks the secrets during the IoT device’s protocol run. An alternative approach to obtain session keys is to use social engineering. The adversary directly demands that the IoT device outputs the session key because they want to use the session key to decrypt some encrypted messages. The IoT device may provide the session key when the adversary is granted access to these encrypted messages.
We know that the session key in Zerrouki et al.’s PUF protocol is h(KA,i). Hence, to evaluate the known-key security, we assume that the adversary knows h(KA,i) in Zerrouki et al.’s PUF protocol.

5.1. Impersonating Server Attack

Figure 6 describes our impersonating server attack on Zerrouki et al.’s PUF protocol. When IoT device A wants to start a new session, the adversary, who takes the role of server, communicates with IoT device A as follows:
(1)
In Step 1 of the authentication phase, IoT device A sends the message {h(IDA), Authreq, TS1, h(IDA, TS1)} to the adversary.
(2)
Upon receiving the message, the adversary finds their current TSa2, calculates h(h(IDA), CA,i, PA,i, h(KA,i), TSa2), and sends the message {CA,i, PA,i, TSa2, h(h(IDA), CA,i, PA,i, h(KA,i), TSa2)} to IoT device A in Step 2.3 of the authentication phase. We know that the adversary is able to calculate this h(h(IDA), CA,i, PA,i, h(KA,i), TSa2), because in the previous session, the IoT device A’s values h(IDA), CA,i, and PA,i were transmitted over the insecure channel, and the adversary can eavesdrop on them.
(3)
According to Step 3.1 of the authentication phase, IoT device A successfully checks the validity of TSa2. Then, IoT device A should compute R’A,i = PUFA(CA,i) and then recover KA,i by using Rep(R’A,i, PA,i). Moreover, IoT device A can confirm that the calculated h(h(IDA), CA,i, PA,i, h(KA,i), TSa2) is equal to the receiving h(h(IDA), CA,i, PA,i, h(KA,i), TSa2), because these two values are computed using the fully same inputs of h and h is the deterministic hash function. As a result, IoT device A should authenticate the adversary as the server.
(4)
In Step 3.2 of the authentication phase, IoT device A generates and sends the message {TS3, h(h(IDA), TS3, h(KA,i), RA,i+1), (RA,i+1)h(KA,i)} to the adversary.
(5)
Upon receiving the message, the adversary obtains RA,i+1 during Step 4 of the authentication phase because he/she knew h(KA,i) and can encrypt (RA,i+1)h(KA,i) using h(KA,i).
(6)
In the session key establishment phase, the adversary also is able to generate CA,i+1, PA,i+1, and h(KA,i+1) because he/she knew CA,i, KA,i, and RA,i+1 and h and Gen are public functions. Now, the adversary has CA,i+1, PA,i+1, and h(KA,i+1) to impersonate the server in the next session.
Mathematics 10 04310 g006 550
Figure 6. Impersonating server attack.
Figure 6. Impersonating server attack.
Mathematics 10 04310 g006
According to the above, we conclude that IoT device A mistakenly believes the adversary is the server at the end of the session. At the same time, IoT device A and the adversary share the session key, i.e., h(KA,i).
Further discussion. On the other hand, IoT device A and the server should still authenticate each other using Zerrouki et al.’s PUF protocol, even if the adversary exploits our impersonating server attack. The reason is that the server updated the parameters CA,i+1, h(KA,i+1), and PA,i+1 during the previous session key establishment phase and should believe that these parameters are valid for IoT device A. Therefore, both IoT device A and the server are uneasy about recognizing the adversary when the impersonating server attack happens in Zerrouki et al.’s PUF system.
One related problem is that the adversary must distinguish the targeted IoT device A from other IoT devices when there are multiple IoT devices attempting to establish sessions with the real server over insecure channels. In this case, the adversary can eavesdrop on each IoT device’s {h(IDA), Authreq, TS1, h(IDA, TS1)} during Step 1 of the authentication phase in Zerrouki et al.’s PUF protocol. The adversary verifies whether the receiving h(IDA) is equal to their local h(IDA). If they are equal, then the adversary continuously implements the above impersonating server attack; otherwise, the adversary allows it to communicate with the real server. Another related problem is that Zerrouki et al.’s PUF system always has trusted IoT devices and untrusted IoT devices at the same time. It is necessary to tell a trusted IoT device from its rogue counterpart. The adversary can identify the targeted IoT device A if they further verify h(h(IDA), TS3, h(KA,i), RA,i+1) during (5) of the above impersonating server attack. We know other untrusted IoT devices cannot generate h(h(IDA), TS3, h(KA,i), RA,i+1) because they do not have correct h(KA,i). However, the adversary cannot figure other trusted IoT devices out if they do not corrupt their corresponding secrets.

5.2. Impersonating IoT Device Attack

Note that Zerrouki et al.’s security model assumes that IoT devices are untrustworthy. Hence, IoT device A may disclose its IDA to the adversary. Moreover, we need to point out that (RA,i+1)h(KA,i) was generated by IoT device A in the previous session and further sent over an insecure channel in Step 3.2 of the authentication phase. Therefore, the adversary can eavesdrop on (RA,i+1)h(KA,i) during the previous session of IoT device A and decrypt (RA,i+1)h(KA,i) using h(KA,i). The adversary can generate (KA,i+1, PA,i+1) = Gen(RA,i+1) and calculate h(KA,i+1). Then, the adversary sets RA,i = RA,i+1 and h(KA,i) = h(KA,i+1). At the same time, the server should replace CA,i, PA,i, and h(KA,i) by CA,i+1, PA,i+1, and h(KA,i+1) in the session key establishment phase of the previous session.
Figure 7 depicts our impersonating IoT device attack on Zerrouki et al.’s PUF protocol. When the adversary wants to personate the IoT device A, the adversary starts a session with the server as follows:
(1)
In Step 1 of the authentication phase, the adversary finds their current TSa1 and calculates h(IDA) and h(IDA, TSa1). The adversary then transmits the message {h(IDA), Authreq, TSa1, h(IDA, TSa1)} to the server.
(2)
Upon receiving the message, the server performs the following operations according to Step 2 of the authentication phase. (1) The server confirms the validity of TSa1. (2) The server uses h(IDA) to search the record IDA, h(IDA), CA,i, h(KA,i), and PA,i in its secure local database and then calculates h(IDA, TSa1) and successfully checks the calculated h(IDA, TSa1) is equal to the received h(IDA, TSa1). (3) The server further finds its current TS2, computes h(h(IDA), CA,i, PA,i, h(KA,i), TS2), and transmits the message {CA,i, PA,i, TS2, h(h(IDA), CA,i, PA,i, h(KA,i), TS2)} to the adversary.
(3)
In Step 3.1 of the authentication phase, the adversary omits all operations of IoT device A.
(4)
In Step 3.2 of the authentication phase, the adversary encrypts their RA,i using the key h(KA,i), find their current TSa3, and calculates h(h(IDA), TSa3, h(KA,i), RA,i). Additionally, then, the adversary sends the message {TSa3, h(h(IDA), TSa3, h(KA,i), RA,i), (RA,i)h(KA,i)} to the server.
(5)
Upon receiving the message, the server confirms the validity of TSa3. Then, the server uses its key h(KA,i) to decrypt (RA,i)h(KA,i) and further computes h(h(IDA), TSa3, h(KA,i), RA,i). The server should successfully check that the calculated h(h(IDA), TS3, KA,i, RA,i) is equal to the received h(h(IDA), TSa3, h(KA,i), RA,i). As a result, the server authenticates the adversary as IoT device A.
(6)
In the session key establishment phase, the server should continue to compute CA,i+1 = h(CA,i‖h(KA,i)), generate (KA,i, PA,i) = Gen(RA,i), and hash KA,i using h. Additionally, the server updates old CA,i, PA,i, and h(KA,i) to new CA,i+1, PA,i, and h(KA,i) for the next session. Note that in Zerrouki et al.’s PUF protocol, the server requires the calculation of CA,i+1 = h(CA,i‖KA,i). However, the server does not store KA,i in its secure local database. Hence, the server should use h(CA,i‖h(KA,i)) instead of h(CA,i‖KA,i) to compute CA,i+1.
Mathematics 10 04310 g007 550
Figure 7. Impersonating IoT device attack.
Figure 7. Impersonating IoT device attack.
Mathematics 10 04310 g007
After impersonating the IoT device attack, we know that the server mistakenly believes the adversary is IoT device A at the end of the session. At the same time, both the server and the adversary share the session key, i.e., h(KA,i).
Further discussion. In the subsequent session, IoT device A and the server will fail to authenticate each other because IoT device A will use the server’s CA,i and PA,i to recover R’A,i and KA,i in Step 3.1 of the authentication phase. However, PA,i is an error helper data for RA,i because the server applies RA,i but not RA,i+1 to generate the helper data PA,i+1 in the adversary’s session. This means that our impersonating IoT device attack leads to Denial of Service (DoS). Comparatively, the adversary still can personate IoT device A to cheat the server in the subsequent sessions because he/she directly uses the correct session key h(KA,i) to perform the impersonating IoT device attack, and the server does not check the correctness of the received RA,i and RA,i+1.

6. Key-Compromise Impersonation

Key-compromise impersonation [36,37] is a desirable security attribute for mutual authentication and session key establishment protocols. Considering that the server’s secret keys are disclosed, clearly, an adversary that knows these secret keys can impersonate the server since these secret keys precisely identify the server. However, it may be desirable in some circumstances that this loss does not enable the adversary to impersonate other IoT devices on the server.
In Zerrouki et al.’s PUF protocol, the server maintains the record IDA, h(IDA), CA,i, h(KA,i), and PA,i for IoT device A on its secure local database. When we assume that the adversary obtains IDA, h(IDA), CA,i, h(KA,i), and PA,i for IoT device A, it is easy to see that the adversary can impersonate IoT device A on the server. The impersonating IoT device attack described in Section 5.2 is a practical way to realize key-compromise impersonation. As a result, we claim that Zerrouki et al.’s PUF protocol fails to achieve the security of key-compromise impersonation.

7. Backward Secrecy of Zerrouki et al.’s PUF Protocol

Backward secrecy [38] guarantees that a passive adversary who knows a contiguous subset of session keys cannot discover future session keys. To corrupt the backward secrecy of mutual authentication and session key establishment protocol, the adversary always exploits the fact that the sessions have a certain relevance.
In Zerrouki et al.’s PUF protocol, we assume that an adversary knows h(KA,i), which will be used in the next session between IoT device A and the server. Whenever IoT device A and the server run the next session, the adversary can eavesdrop on the message {TS3, h(h(IDA), TS3, KA,i, RA,i+1), (RA,i+1)h(KA,i)} in Step 3.2 of the authentication phase. Then, the adversary decrypts (RA,i+1)h(KA,i) by using their h(KA,i). The adversary further generates (KA,i+1, PA,i+1) = Gen(RA,i+1) and hashes KA,i+1 to find the next session key h(KA,i+1). This tracking process of the session keys can always continue as long as IoT device A and the server run the sessions. Hence, we demonstrate that Zerrouki et al.’s PUF protocol fails to provide backward secrecy for the session key.

8. Verification Experiment of Our Attacks

Scyther [39] is a tool for the automatic verification of security protocols. Scyther can verify protocols with unlimited sessions and random numbers. Scyther had been used to analyze Internet Key Exchange (IKE) protocol suites and ISO/IEC 9798 authentication protocol series. We use Scyther to confirm our attacks on Zerrouki et al.’s PUF protocol. Known-key security, key-compromise impersonation, and backward secrecy of Zerrouki et al.’s PUF protocol all depend on the assumption of the obsolete session key leakage. We, therefore, write it into the protocol description of Zerrouki et al.’s PUF protocol in Scyther. For Zerrouki et al.’s PUF protocol, Figure 8 shows that the Noninjective synchronization (Nisynch) and Noninjective agreement (Niagree) properties are not satisfied, and the session key, i.e., h(KA,i), is proved to be insecure. According to the verification of Zerrouki et al.’s PUF protocol, we conclude that the authentication and key establishment process between the IoT device and the server is insecure and suffers from attacks within bound.

9. Conclusions and Future Works

In Zerrouki et al.’s PUF protocol, we find that both the IoT device and the server do not maintain any long-term secret key. In detail, the server stores the record IDA, h(IDA), CA,i, h(KA,i), and PA,i for each IoT device A in its secure local database, and the IoT device merely keeps its IDA. Hence, the session key generation for the next session fully relies on the session key in the current session. This means that Zerrouki et al.’s PUF protocol is insecure when the adversary only compromises one session key. Our finding of the security flaws of Zerrouki et al.’s PUF protocol can be defeated if the IoT device and the server share a long-term secret key and properly apply it to generate each session key. However, it violates Zerrouki et al.’s design requirement for the PUF protocol; that is, the IoT device does not store any secrets to prevent physical attacks. This solution, therefore, is deemed imperfect.
It is still a challenge to design PUF authentication and session key establishment protocols for IoT devices. As a future work, it would be interesting to evaluate the security goals of PUF authentication and session key establishment and present its formal security definitions under the PUF communication model. Our cryptanalysis results of Zerrouki et al.’s PUF protocol provide a reference for the security definitions. Another future work is to propose the PUF authentication and session key establishment protocol, which not only satisfies the formal security definitions but also achieves high-performance efficiency.

Author Contributions

Conceptualization, D.-Z.S.; methodology, D.-Z.S.; validation, D.-Z.S. and Y.T.; formal analysis, D.-Z.S.; investigation, D.-Z.S.; writing—original draft preparation, D.-Z.S. and Y.T.; writing—review and editing, D.-Z.S. and Y.T.; supervision, D.-Z.S.; funding acquisition, D.-Z.S. All authors have read and agreed to the published version of the manuscript.

Funding

The work of Da-Zhi Sun was supported in part by the National Natural Science Foundation of China under Grant No. 61872264. The APC was funded by the National Natural Science Foundation of China under Grant No. 61872264.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Acknowledgments

The authors would like to thank the editors and the reviewers for their valuable suggestions and comments.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Yaqoob, I.; Ahmed, E.; Hashem, I.A.T.; Ahmed, A.I.A.; Gani, A.; Imran, M.; Guizani, M. Internet of things architecture: Recent advances, taxonomy, requirements, and open challenges. IEEE Wirel. Commun. 2017, 24, 10–16. [Google Scholar] [CrossRef]
  2. Joshi, S.; Mohanty, S.P.; Kougianos, E. Everything you wanted to know about PUFs. IEEE Potentials 2017, 36, 38–46. [Google Scholar] [CrossRef]
  3. Lim, D.; Lee, J.W.; Gassend, B.; Suh, G.E.; van Dijk, M.; Devadas, S. Extracting secret keys from integrated circuits. IEEE Trans. Very Large Scale Integr. VLSI Syst. 2005, 13, 1200–1205. [Google Scholar]
  4. Delvaux, J.; Peeters, R.; Gu, D.; Verbauwhede, I. A survey on lightweight entity authentication with strong PUFs. ACM Comput. Surv. 2015, 48, 26. [Google Scholar] [CrossRef] [Green Version]
  5. Gope, P.; Sikdar, B. A comparative study of design paradigms for PUF-based security protocols for IoT devices: Current progress, challenges, and future expectation. Computer 2021, 54, 36–46. [Google Scholar] [CrossRef]
  6. McGrath, T.; Bagci, I.; Wang, Z.; Roedig, U.; Young, R. A PUF taxonomy. Appl. Phys. Rev. 2019, 6, 011303. [Google Scholar] [CrossRef] [Green Version]
  7. Gope, P.; Lee, J.; Quek, T. Lightweight and practical anonymous authentication protocol for RFID systems using physically unclonable functions. IEEE Trans. Inf. Forensic Secur. 2018, 13, 2831–2843. [Google Scholar] [CrossRef]
  8. Nguyen, P.H.; Sahoo, D.P.; Jin, C.L.; Mahmood, K.; Rührmair, U.; van Dijk, M. The interpose PUF: Secure PUF design against state-of-the-art machine learning attacks. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2019, 2019, 243–290. [Google Scholar] [CrossRef]
  9. Wisiol, N.; Mühl, C.; Pirnay, N.; Nguyen, P.H.; Margraf, M.; Seifert, J.P.; van Dijk, M.; Rührmair, U. Splitting the interpose PUF: A novel modeling attack strategy. IACR Trans. Cryptogr. Hardw. Embed. Syst. 2020, 2020, 97–120. [Google Scholar] [CrossRef]
  10. van Herrewege, A.; Katzenbeisser, S.; Maes, R.; Peeters, R.; Sadeghi, A.R.; Verbauwhede, I.; Wachsmann, C. Reverse Fuzzy Extractors: Enabling Lightweight Mutual Authentication for PUF-Enabled RFIDs. In Proceedings of the 16th International Conference on Financial Cryptography and Data Security (FC 2012), Kralendijk, The Netherlands, 27 February–2 March 2012; Keromytis, A.D., Ed.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, Germany, 2012; Volume 7397, pp. 374–389. [Google Scholar]
  11. Schaller, A.; Stanko, T.; Škorić, B.; Katzenbeisser, S. Eliminating leakage in reverse fuzzy extractors. IEEE Trans. Inf. Forensic Secur. 2018, 13, 954–964. [Google Scholar] [CrossRef] [Green Version]
  12. Guan, Z.Y.; Liu, H.; Qin, Y.Y. Physical unclonable functions for IoT device authentication. J. Commun. Inf. Netw. 2019, 4, 44–54. [Google Scholar] [CrossRef]
  13. Aman, M.N.; Chaudhry, S.A.; Al-Turjman, F. Rapidauth: Fast Authentication for Sustainable IoT. In Proceedings of the International Conference on Forthcoming Networks and Sustainability in the IoT Era (FoNeS-IoT 2020), Virtual Event, 1–2 October 2020; Ever, E., Al-Turjman, F., Eds.; Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Springer: Cham, Switzerland, 2020; Volume 353, pp. 82–95. [Google Scholar]
  14. Mostafa, A.; Lee, S.J.; Peker, Y.K. Physical unclonable function and hashing are all you need to mutually authenticate IoT devices. Sensors 2020, 20, 4361. [Google Scholar] [CrossRef] [PubMed]
  15. Idriss, T.A.; Idriss, H.A.; Bayoumi, M.A. A lightweight PUF-based authentication protocol using secret pattern recognition for constrained IoT devices. IEEE Access 2021, 9, 80546–80558. [Google Scholar] [CrossRef]
  16. An, Y.; Zhang, Y.; Cao, W.; Tong, Z.; He, Z. A lightweight and practical anonymous authentication protocol based on bit-self-test PUF. Electronics 2022, 11, 772. [Google Scholar] [CrossRef]
  17. Wang, H.; Meng, J.; Du, X.; Cao, T.; Xie, Y. Lightweight and anonymous mutual authentication protocol for edge IoT nodes with physical unclonable function. Secur. Commun. Netw. 2022, 2022, 1203691. [Google Scholar] [CrossRef]
  18. Zerrouki, F.; Ouchani, S.; Bouarfa, H. PUF-based mutual authentication and session key establishment protocol for IoT devices. J. Ambient Intell. Humaniz. Comput. 2022. early access. [Google Scholar]
  19. Gope, P.; Sikdar, B. Privacy-aware authenticated key agreement scheme for secure smart grid communication. IEEE Trans. Smart Grid 2018, 10, 3953–3962. [Google Scholar] [CrossRef]
  20. Kaveh, M.; Aghapour, S.; Martin, D.; Mosavi, M.R. A Secure Lightweight Signcryption Scheme for Smart Grid Communications Using Reliable Physically Unclonable Function. In Proceedings of the 2020 IEEE International Conference on Environment and Electrical Engineering and 2020 IEEE Industrial and Commercial Power Systems Europe (EEEIC/I&CPS Europe), Madrid, Spain, 9–12 June 2020; IEEE: Danvers, MA, USA, 2020; pp. 1–6. [Google Scholar]
  21. Yanambaka, V.P.; Mohanty, S.P.; Kougianos, E.; Puthal, D. Pmsec: Physical unclonable function-based robust and lightweight authentication in the internet of medical things. IEEE Trans. Consum. Electron. 2019, 65, 388–397. [Google Scholar] [CrossRef]
  22. Shao, X.; Guo, Y.J.; Guo, Y.M. A PUF-based anonymous authentication protocol for wireless medical sensor networks. Wirel. Netw. 2022. early access. [Google Scholar] [CrossRef]
  23. Alkatheiri, M.S.; Saleem, S.; Alqarni, M.A.; Aseeri, A.O.; Chauhdary, S.H.; Zhuang, Y. A lightweight authentication scheme for a network of unmanned aerial vehicles (UAVs) by using physical unclonable functions. Electronics 2022, 11, 2921. [Google Scholar] [CrossRef]
  24. Yu, S.; Das, A.K.; Park, Y.; Lorenz, P. SLAP-IoD: Secure and lightweight authentication protocol using physical unclonable functions for internet of drones in smart city environments. IEEE Trans. Veh. Technol. 2022, 71, 10374–10388. [Google Scholar] [CrossRef]
  25. Zheng, Y.; Liu, W.; Gu, C.; Chang, C.H. PUF-based mutual authentication and key-exchange protocol for peer-to-peer IoT applications. IEEE Trans. Dependable Secur. Comput. 2022. early access. [Google Scholar] [CrossRef]
  26. Maes, R. Physically Unclonable Functions: Constructions, Properties and Applications, 1st ed.; Springer: Berlin/Heidelberg, Germany, 2013. [Google Scholar]
  27. Majzoobi, M.; Rostami, M.; Koushanfar, F.; Wallach, D.S.; Devadas, S. Slender PUF protocol: A lightweight, robust, secure authentication by substring matching. In Proceedings of the 2012 IEEE Symposium on Security and Privacy Workshops (SP 2012), San Francisco, CA, USA, 24–25 May 2012; IEEE Computer Society: New York, NY, USA, 2012; pp. 33–44. [Google Scholar]
  28. Huang, K.; Lin, C.; Liu, Y. A Secure Lightweight RFID Mutual Authentication Protocol without Explicit Challenge-Response Pairs. In Proceedings of the Second EAI International Conference on Applied Cryptography in Computer and Communications (AC3 2022), Virtual Event, 14–15 May 2022; Lin, J.Q., Tang, Q., Eds.; Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering. Springer: Cham, Switzerland, 2022; Volume 448, pp. 79–107. [Google Scholar]
  29. Zerrouki, F.; Ouchani, S.; Bouarfa, H. A Generation and Recovery Framework for Silicon PUFs Based Cryptographic Key. In Proceedings of the International Conference on Model and Data Engineering: Advances in Model and Data Engineering in the Digitalization Era (MEDI 2021), Tallinn, Estonia, 21–23 June 2021; Bellatreche, L., Chernishev, G., Corral, A., Ouchani, S., Vain, J., Eds.; Communications in Computer and Information Science. Springer: Cham, Switzerland, 2021; Volume 1481, pp. 121–137. [Google Scholar]
  30. Sun, D.Z.; Huai, J.P.; Sun, J.Z.; Zhang, J.W.; Feng, Z.Y. A new design of wearable token system for mobile device security. IEEE Trans. Consum. Electron. 2008, 54, 1784–1789. [Google Scholar] [CrossRef]
  31. Li, J.W.; Peng, Z.; Gao, S.; Xiao, B.; Chan, H. Smartphone-assisted energy efficient data communication for wearable devices. Comput. Commun. 2017, 105, 33–43. [Google Scholar] [CrossRef]
  32. Cui, Z.H.; Xue, F.; Zhang, S.Q.; Cai, X.J.; Cao, Y.; Zhang, W.S.; Chen, J.J. A Hybrid blockchain-based identity authentication scheme for multi-WSN. IEEE Trans. Serv. Comput. 2020, 13, 241–251. [Google Scholar] [CrossRef]
  33. Peng, Z.; Huang, J.B.; Wang, H.X.; Wang, S.H.; Chu, X.W.; Zhang, X.Z.; Chen, L.; Huang, X.; Fu, X.Y.; Guo, Y.K.; et al. BU-Trace: A Permissionless Mobile System for Privacy-Preserving Intelligent Contact Tracing. In Proceedings of the International Conference on Database Systems for Advanced Applications (DASFAA 2021), Taipei, Taiwan, 11–14 April 2021; Jensen, C.S., Lim, E.P., Yang, D.N., Chang, C.H., Xu, J.L., Peng, W.C., Huang, J.W., Shen, C.Y., Eds.; Lecture Notes in Computer Science. Springer: Cham, Switzerland, 2021; Volume 12680, pp. 381–397. [Google Scholar]
  34. Li, Z.Y.; Wang, H.M.; Liu, J.; Xian, M. Implementing a sidechain-based asynchronous DPKI. Front. Comput. Sci. 2022, 16, 161812. [Google Scholar] [CrossRef]
  35. Wang, C.F.; Dai, X.H.; Xiao, J.; Li, C.C.; Wen, M.; Zhou, B.B.; Jin, H. Demystifying Ethereum account diversity: Observations, models and analysis. Front. Comput. Sci. 2022, 16, 164505. [Google Scholar] [CrossRef]
  36. Diffie, W.; van Oorschot, P.; Wiener, M. Authentication and authenticated key exchanges. Des. Codes Cryptogr. 1992, 2, 107–125. [Google Scholar] [CrossRef]
  37. Blake-Wilson, S.; Menezes, A. Authenticated Diffe-Hellman Key Agreement Protocols. In Proceedings of the International Workshop on Selected Areas in Cryptography (SAC’ 98), Kingston, ON, Canada, 17–18 August 1998; Tavares, S., Meijer, H., Eds.; Lecture Notes in Computer Science. Springer: Berlin/Heidelberg, 1998; Volume 1556, pp. 339–361. [Google Scholar]
  38. Wu, C.C.; Lee, W.B.; Tsaur, W.J. A secure authentication scheme with anonymity for wireless communications. IEEE Commun. Lett. 2008, 12, 722–723. [Google Scholar]
  39. Scyther. Available online: https://people.cispa.io/cas.cremers/scyther/install-generic.html (accessed on 10 November 2022).
Mathematics 10 04310 g001 550
Figure 1. Challenge-response behavior of the silicon PUF.
Figure 1. Challenge-response behavior of the silicon PUF.
Mathematics 10 04310 g001
Mathematics 10 04310 g002 550
Figure 2. Fuzzy extractor.
Figure 2. Fuzzy extractor.
Mathematics 10 04310 g002
Mathematics 10 04310 g003 550
Figure 3. Zerrouki et al.’s system model.
Figure 3. Zerrouki et al.’s system model.
Mathematics 10 04310 g003
Mathematics 10 04310 g004 550
Figure 4. Enrollment phase.
Figure 4. Enrollment phase.
Mathematics 10 04310 g004
Mathematics 10 04310 g005 550
Figure 5. Mutual authentication and key update phase.
Figure 5. Mutual authentication and key update phase.
Mathematics 10 04310 g005
Mathematics 10 04310 g008 550
Figure 8. Scyther outputs for Zerrouki et al.’s PUF protocol.
Figure 8. Scyther outputs for Zerrouki et al.’s PUF protocol.
Mathematics 10 04310 g008
Table
Table 1. Used Notation.
Table 1. Used Notation.
NotationsDescriptions
IDAThe identity of an IoT device A
RegreqRegistration request
AuthreqAuthentication request
CA,i/CA,i+1The ith/i+1st challenge of the IoT device A
RA,i/RA,i+1Response to the challenge CA,i/CA,i+1
R’A,iA noisy response of CA,i
KA,i/KA,i+1Extracted key from RA,i/RA,i+1
PA,i/PA,i+1Helper data of RA,i/RA,i+1
TS1, TS2, TS3, TSa1, TSa2, TSa3Timestamps
PUF, PUF1, PUF2, PUF3, PUFnThe PUF instances
PUFAThe PUF of an IoT device A
GenGeneration procedure of FE
RepReproduction procedure of FE
hCryptographic one-way hash function
()KEncryption function using the secret key K
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Sun, D.-Z.; Tian, Y. Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices. Mathematics 2022, 10, 4310. https://doi.org/10.3390/math10224310

AMA Style

Sun D-Z, Tian Y. Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices. Mathematics. 2022; 10(22):4310. https://doi.org/10.3390/math10224310

Chicago/Turabian Style

Sun, Da-Zhi, and Yangguang Tian. 2022. "Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices" Mathematics 10, no. 22: 4310. https://doi.org/10.3390/math10224310

APA Style

Sun, D. -Z., & Tian, Y. (2022). Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices. Mathematics, 10(22), 4310. https://doi.org/10.3390/math10224310

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop