International Conference on Materials Engineering and Information Technology Applications (MEITA 2015)

Transcription

1 Internatonal Conference on Materals Engneerng and Informaton Technology Applcatons (MEITA 2015) Cryptanalyss of Vadya et al s User Authentcaton Scheme wth Key Agreement n Wreless Sensor Networks L Jpng 1,a, Dng Yaomng 1,b, Xong zenggang 1,c, Lu Shouyn 2,d 1 School of Computer and Informaton Scence, Hube Engneerng Unversty, Xaogan, , Chna 2 College of Physcal scence and Technology, Central Chna Normal Unversty, Wuhan , Chna a emal: oucljp@alyuncom, b emal:xgdym2015@alyuncom, c d emal:sylu@phyccnueducn Keywords: authentcaton, smart card, password, wreless sensor network Abstract User authentcaton n wreless sensor networks (WSN) s crtcal due to ther unattended and even hostle deployment n the feld The open envronment of WSN requres mechansms whch prevent unauthorzed user from accessng the nformaton from WSN Recently, MLDas proposed a two-factor user authentcaton scheme n WSN and clamed that hs scheme s secure aganst dfferent knds of attack However, Khan et al and Vadya et al show that the MLDas s scheme does not provde mutual authentcaton between the gateway node and sensor nodes and s vulnerable to gateway node bypassng attack and prvleged-nsder attack Chen-Shh pont out that Das s scheme cannot resst parallel sesson attack Moreover, they proposed mproved schemes based on Das s user authentcaton scheme Among the three mproved schemes, Vadya et al s scheme s the most secure aganst dfferent knds of attack Though Vadya et al clam that ther scheme s robust to varous attacks, unfortunately, we fnd that ther scheme stll suffers from user mpersonaton attack, forgery attack wth node capture and sensor node mpersonaton attack Introducton Wth the rapd development of mcro-electromechancal systems and wreless communcaton technologes, WSN have drawn ncreasng nterest from both academc and ndustral areas due to ts easy deployment, ubqutous nature and wde range of potental applcatons [1] A WSN conssts of a large number of low-cost, battery or self-powered sensor nodes that are of lmted computaton and communcaton capablty and communcate among themselves and wth the outsde usng a wreless network of ad hoc nature[2] Recently, WSN has been wdely used n many dfferent areas such as mltary applcaton, envronment applcaton, health applcaton, home applcaton and ndustral applcaton [3] In order to mantan relablty and sutablty of deployed WSN, t s mportant that nformaton access s allowed only to regstered/legtmate user In many cases, user queres are ssued by base staton (BS) or gateway nodes (GWN), actng as the nterfaces between WSN and the nternet However, n many securty-crtcal applcatons, such as real-tme traffc control, ndustral process control, healthcare montorng and mltary survellance, external users are generally nterested n accessng real-tme nformaton from partcular sensor nodes drectly or through mult-hop access n WSN Examples are the temporary deployments durng natural dsasters or catastrophes, n battle felds, and n naccessble areas ncludng deep n the forests, deserts, and the lke Snce the data s made avalable to the user on demand, authentcatng user should be ensured before allowng hm/her to access data User authentcaton n resource constraned envronments s one of the major system desgn concerns Snce sensor nodes have lmted resources and computaton capablty, t s desrable for the authentcaton protocol to be smple and effcent, however, t should meet the requred securty level In ths regard, several smartcard-based user authentcaton schemes for WSN have been presented [6, 7, 8, 9] However, though the aforementoned schemes can provde securty aganst some attacks, they stll have some ptfalls In ths paper, we frst revew Vadya etal s two-factor user authentcaton scheme n WSN and then gve cryptanalyss of Vadya etal s 2015 The authors - Publshed by Atlants Press 619

2 scheme Cryptanalyss shows that Vadya etal s scheme stll suffers from some attacks such as legtmate user mpersonaton attack, forgery attack wth node capture and sensor node mpersonaton attack Related works In the past years, many user authentcaton schemes have been proposed for WSN In 2006, Wong etal[4] proposed a password-based dynamc user authentcaton scheme, whch has a lght computaton load as t requres only one-way has functon and excusve-or operatons In 2007, Tseng etal[5] dentfed some securty flaws n the Wong etal s scheme, ncludng vulnerablty to replay and forgery attacks, easy revelaton of passwords by any of the sensor nodes, and ncapablty of the users to freely change ther passwords To overcome these problems, they proposed an mproved scheme wth better effcency In 2009, Das[6] proposed a two-factor user authentcaton protocol for WSN usng only a one-way hash functon He clamed that the scheme can resst many logged n users wth the same logn dentty, stolen-verfer, password guessng, mpersonaton, and replay threats However, n 2010, Khan and alghathbar[7] ponted out several securty flaws n Das s scheme Accordng to Khan and Alghathbar, Das s scheme cannot provde user wth the ablty to change/update ther passwords, does not use mutual authentcaton between GWN and sensor node, and s vulnerable to GWN bypassng attack and prvleged nsder attack In the same year, Chen and Shh[8] ponted out that Das s scheme not only cannot provde mutual authentcaton but also cannot resst parallel sesson attack Based on Das s scheme, they proposed a mutual authentcaton scheme whch can resst attacks of mpersonaton, replayng and parallel sesson In 2012, Vadya etal [9] gave cryptanalyss of the abovementoned schemes[6,7,8] To overcome ther securty shortcomngs, Vadya et al proposed a user authentcaton scheme wth key agreement for WSN Vadya et al clams that ther scheme s robust to varous attacks, however, we fnds that ther scheme cannot resst user mpersonaton attack, forgery attack wth node capture and sensor node mpersonaton attack Cryptanalyss of Vadya etal s scheme Table 1 Notaton used n the paper Symbol Descrpton UD User SN Sensor node GWN Gateway node ID x Identty, -user, s-sensor node DID Dynamc user dentty PW Password chosen by user S n Sensor node dentty K Secret key known to GWN only x s Secret value generated by GWN and stored securely n desgnated SN h() One way hash functon v x Random nonce; -user, s-sensor node XOR operaton Bt-wse concentraton operaton =? Verfcaton operaton K s Sesson key f( xk, ) Pseudo-random functon of varable wth key k Tx, T Current tmestamp; x=1,2, or,, T Expected tme nterval for transmsson key In ths secton, we provde a cryptanalyss of Vadya et al s scheme The notaton used throughout the paper s shown n table1 Though Vadya eta s scheme overcomes the stolen smart card attack caused by sde attacks (ncludng dfferental power analyss) and nvasve attacks [10, 620

3 11, 12], t stll cannot resst user mpersonaton attack, forgery attack wth node capture and sensor node mpersonaton attack User mpersonaton attack In order to perform some query to or access data from the WSN, the adversary must regster n the GWN frst and can be authentcated by the GWN n the later operaton In Vadya etal s scheme, the adversary can easly regster n the GWN, and then he/she can access the nformaton of WSN mpersonatng a legtmate user The regstraton and logn phases can be performed as followng operatons If an adversary hopes to regster n the GWN, he can select an dentty IDa and password PWa randomly and sends regstraton request to{ IDa, γ a} GWN as followng Select IDa and PW a, compute γ a = h( PWa ), and then send { IDa, γ a} On recevng regstraton request, GWN wll do the followng operatons Compute ha = hid ( a γa xs ) hk ( ), aa = h( γa xs ) and βa = xs h( IDs γa Wrte{ IDs, IDa, h( ), ha, aa, βa} to a smart card and then send the smart card to the adversary securely When the adversary want to perform some query to or access data from the WSN, he/she nserts hs/her smart card nto the termnal and nputs IDa and PW a Then the smart card performs the followng operatons Compute γ a = h( PWa ), xs = βa h( IDs γa ),and aa = h( γa xs Verfy aa =? aa Obvously, the equaton a a =? aa holds, the smart card then generates a random nonce v a,and then computes DIDa = h( IDa γ a xs ) hx ( s va T), εa = h( ha xs v T), ϕ a = va xs The adversary sends a logn request message{ DIDa, εa, ϕa, T} Upon recevng the logn request message, the GWN performs the followng operatons Verfy ( T T) T If t does not hold, the followng operaton s aborted Otherwse, compute v a = ϕ a x s, χ a = DIDa h( xs va T ) and ε a = h(( χa hk ( )) xs va T) Verfy ε a =? εa Obvously, the above equaton holds, and then the adversary s authentcated by the GWN Wth the help of GWN, a key agreement s completed between the adversary and SN Snce the adversary s authentcated by the GWN and a key agreement between the adversary and SN, the adversary can obtan desred nformaton from both GWN and desgnated SN So Vadya et al s scheme cannot resst user mpersonaton attack Forgery attack wth node capture It s assumed that wth node capture attack, the adversary has extracted nformaton{ x s } from the sensor node When the GWN sends the message{ DID, σ, T1 } to some sensor node S n, the adversary can eavesdrop on the message and can derve the user s dynamc dentty DID Then the adversary performs the followng operatons Verfy ( T T) T, If t holds, then contnue the followng process 1 Compute s a = h( DID Sn xs T1 ) wth the derved nformaton{ DID, x s} Verfy σ a =? σ Obvously, the equaton holds, and then next operaton contnues Choose random nonce v s and compute µ a = s a vs, ω a = h( µ a xs T2 ) andκ = v s x s Send the message{ κ, ω a, T 2} On recevng the message{ κ, ω a, T 2} from the adversary, GWN carres the followng operatons 621

4 Verfy ( T T ) T 2, f t holds, GWN contnue the followng operatons Compute v s = κ x s, µ a = sa vs and ω a h µ a xs T2 Verfy ω a =? ω a = ( Obvously, the above equaton holds, so the adversary s authentcated by the GWN So, the adversary can mpersonate a regstered/legtmate user Sensor node mpersonaton attack In the authentcaton and key agreement phase of Vadya etal s scheme, f a sensor node s captured, the secret { x s } wll be dsclosed If an attacker eavesdrops on the message{ DID, σ, T1 } sent from GWN to SN, he/she wll mpersonate a legtmate sensor node to be authentcated by both GWN and the legtmate user Besdes, a successful key agreement wll be completed between the UD and SN The detaled operatons can be fnshed as followng Attacker compromses a SN and retreves the secret{ x s } Attacker eavesdrops on the message{ DID, σ, T1 } and chooses a random nonce v s Attacker computesκ = v s x s and µ = s v s, and thenω = h( µ xs T2 Attacker sends the message{ κ, ω, T2} On recevng the message{ κ, ω, T2}, the GWN performs the followng operatons Verfy ( T T ) T 2, f t holds, GWN contnue the followng process Compute v s = κ x s, µ = s vsand then ω ( = h µ xs T2 Verfy ω =? ω Obvously, the equaton ω =? ωholds, and then the attacker wll be authentcated by the GWN The GWN contnues the followng process Computeψ= h( DID s ε x s T 3) and ρ = µ xs Send the message{ κ, ρ, ψ, T3} to UD On recevng the message{ κ, ρ, ψ, T3}, the UD performs the followng operatons v Verfy ( T T3 ) T, f t holds, UD contnues the followng operatons Compute v s = κ x s (where x s can be derved xs= β h( IDs γ ) by usng the smart card) Compute µ = ρ xsands = µ vs, and then ψ = h( DID s ε xs T3 Verfy ψ =? ψ Obvously, the equaton ψ? = ψ holds, and the GWN s authentcated by the UD Then the UD computes Sk= f (( DID vs), xs) Based on the above-mentoned operatons, a key agreement can be completed between the UD and the attacker The attacker can mpersonate a legtmate sensor node and provde the legtmate user wth malcous or fake data Concluson In ths paper, we frst revew user authentcaton scheme n the related works, and then gve cryptanalyss of Vadya etal s scheme Through detal analyss, we pont out that Vadya etal s scheme stll suffers from user mpersonaton attack, forgery attack wth node capture and sensor node mpersonaton attack In the future work, we wll propose an mproved scheme wth effcency to overcome the ptfalls of Vadya etal s scheme 622

5 Acknowledgement Ths work s founded by Natural Scence Foundaton of Hube Provnce of Chna (No2014CFB577) and partally supported by Natonal Natural Scence Foundaton of Chna (No ) and Hube Provncal Department of Educaton Outstandng Youth Scentfc Innovaton Team Support Foundaton (NoT The authors also gratefully thanks for the helpful and suggestons of revewers References [1] CYChong, and SKumar, Sensor Networks: evoluton, opportuntes and challenges[c], Proceedngs of IEEE 2003, 91(8), pp [2] Callaway, EH Wreless Sensor Networks, Archtectures and protocols [M]; Auerbach Publcatons, Taylor &Francs Group: Boca Raton, FL, USA, 2003 [3] Ian FAkyldz and Mehmet Can Vuran, Wreless Sensor Networks[M], Markono Prnt Meda Pte Ltd, Sngapore, 2011 [4] Wong KH, Zheng Y, Cao J, Wang S, A Dynamc User Authentcaton Scheme for Wreless Sensor Networks[C], n Proc of the IEEE SUTC 06, Vol1, Jun2006, pp [5] Tseng HR, Jan RH, Yang W, An Improved Dynamc User Authentcaton Scheme for Wreless Sensor Networks[C], n Proc of GLOBALCOM 07, Nov 2007, pp [6] MLDas, Two-Factor User Authentcaton n Wreless Sensor Networks [J], IEEE Trans Comm 2009, 8, pp [7] MKKhan and K Alghathbar, Cryptanalyss and Securty Improvements of Two-Factor User Authentcaton n Wreless Sensor Networks [J], Sensors 2010, 10(3), pp [8] Chen TH, Shh WK A Robust Mutual Authentcaton Protocol for Wreless Sensor Networks [J], ETRI Journal, Oct 2010, 32(5), pp [9] Vadya B, Makraks D, Mouftah H, Two-Factor Mutual Authentcaton Wth Key Agreement n Wreless Sensor Networks[J], Securty and Communcaton Networks,Apr 2012, DOI: /sec517 [10] Ku, WC, Chen, SM, Weaknesses and Improvements of an Effcent Password Based Remote User Authentcaton Scheme Usng Smart Cards [J] IEEE Trans Cons Elec2004, 50, pp [11] Markantonaks K, Tunstall M, Hancke GP, Askoxylaks I, Mayes KE, Attackng Smart Card System: Theory and Practce[J], Informaton Securty Techncal Report, May, 2009, 14(2), pp46-56 [12] TSMessages, EADabbsh, RHSloan, Examnng Smart-Card Securty under the Threat of Power Analyss Attacks[J], IEEE Tran On Computers, 2002, Vol51, No5, pp [13] PKocher, JJaffe, BJun, Dfferental Power Analyss[C], In Advances n Cryptology- CRYPTO 99, Santa Barbara, Calforna, USA, 1999, Sprnger, PP