Time-Assisted Authentication Protocol

Transcription

1 Tme-Asssted Authentcaton Protocol 1 Muhammad Blal Unversty of Scence and Technology, Korea Electroncs and Telecommuncaton Research Insttute, Rep. of Korea mblal@etr.re.kr, engr.mblal@yahoo.com 2 Shn-Gak Kang Electroncs and Telecommuncaton Research Insttute, Rep. of Korea sgkang@etr.re.kr, Abstract Authentcaton s the frst step toward establshng a servce provder and customer (C-P) assocaton. In a moble network envronment, a lghtweght and secure authentcaton protocol s one of the most sgnfcant factors to enhance the degree of servce persstence. Ths work presents a secure and lghtweght keyng and authentcaton protocol sute termed TAP (Tme- Asssted Authentcaton Protocol). TAP mproves the securty of protocols wth the assstance of tme-based encrypton keys and scales down the authentcaton complexty by ssung a reauthentcaton tcket. Whle movng across the network, a moble customer node sends a reauthentcaton tcket to establsh new sessons wth servce-provdng nodes. Consequently, ths reduces the communcaton and computatonal complexty of the authentcaton process. In the keyng protocol sute, a key dstrbutor controls the key generaton arguments and tme factors, whle other partcpants ndependently generate a keychan based on key generaton arguments. We undertake a rgorous securty analyss and prove the securty strength of TAP usng CSP and rank functon analyss. Keywords: authentcaton, key dstrbuton, network securty, CSP, rank functons I. Introducton Newly emergng technologes such as IoT devces, smartphones wth varous sensors, wreless power chargng systems, wearable devces, and smart sensors have brought forth dfferent servces wth new types of servce provder and customer (P-C) assocaton requrements. For any servce provder and customer (P-C) assocaton, authentcaton s the frst step. Typcally, customers seek to obtan servces from an authentcated servce provder, and servce provders are concerned about provdng servces to verfed customers. However, to provde seamless servce n a moble envronment, the servce provder entty should be able to authentcate the moble customer node wth only a mnmum delay tme. Ths mples that the message exchange complexty of the authentcaton process should be low. A sutable authentcaton protocol for such an applcaton should be lghtweght and yet should ensure a proper protocol securty level. Moreover, a secure authentcaton protocol certfes that the communcatng entty s an authorzed entty whch s alve and partcpatng n a protocol run accordng to a defned role. Further, the protocol run follows the correct pre-set sequence of a protocol run, and ths should be acheved over nsecure communcaton channels between the servce provder and customer nodes [1-2].

2 Varous authentcaton protocols have been desgned to meet the requrements of dfferent applcatons, ncludng authentcaton for sensor networks [3], authentcaton for streamng data [4], authentcaton for IoT solutons [5], and authentcaton for ad-hoc networks [6]. The protocols developed thus far can be categores nto the three prmary categores of passwordbased authentcaton [7-8], certfcate-based authentcaton [9-10], and sgnature-based authentcaton protocols [11]. In ths study, we ntroduce a novel, lghtweght, and secure tmeasssted authentcaton protocol sute termed TAP [12]. The TAP protocol sute conssts of keyng and authentcaton protocol sutes. The keyng protocol sute conssts of key agreement and key retreval protocols. Lkewse, the authentcaton protocol conssts of the three protocols of the ntal authentcaton protocol, re-authentcaton protocol 1, and re-authentcaton protocol 2. The ntal authentcaton protocol s a password-based authentcaton protocol, whereas the reauthentcaton protocols are certfcate-based authentcaton protocols where the certfcate s a tme-based tcket ssued for a specfed tme duraton. The well-known authentcaton protocol Kerberos [13] also employs a tcket for authentcaton, though n contrast wth Kerberos, TAP does not requre tme synchronzaton. Moreover, n TAP the tcket verfer can authentcate the customer by tself wthout contactng the tcket-grantng entty. Moreover, a stolen tcket n TAP s of no sgnfcance, whle n the case of Kerberos, an unexpred stolen tcket s useful for an ntruder. In an earler study [14], the author analyzed the Kerberos protocol usng CSP (communcatng sequental processes) and a rank functon analyss and establshed that the protocol s vulnerable to few known attacks, whereas our CSP and rank functon analyss show that TAP s an entrely secure protocol. To ensure secure authentcaton, TAP employs a dstrbuted keychan generaton mechansm and reverses the tme-based usage of the keychan. Unlke TESLA [15], n TAP the keychan s ndependently generated by multple devces and s also used by each devce to drve other encrypton keys. For nstance, durng an nterval when a customer node wants to obtan servce, t acqures an authentcaton tcket encrypted wth the th key, and once t moves across the network, the verfer can verfy the tcket by decryptng the tcket usng the th key. The key dstrbuton and tme-based usage of the keychan are controlled by the man authentcaton entty (ME), whch can be an ndependent authentcaton server or an agent nstalled on a server. Whle movng across the network, a moble customer experences the authentcaton process multple tmes. Wth authentcaton tcket, the overall computatonal and message exchange complexty of the authentcaton process s reduced sgnfcantly. To establsh the overall nfrastructure for servce and authentcaton, each man authentcaton entty (ME) creates a group of servce provder enttes and neghborng man authentcaton enttes (ME). Usng group key encrypton, the man authentcaton entty (ME) broadcasts the tme-based key generaton parameters to all group members. In earler work [16], the author presented and examned several group key management protocols. In ths dscusson, we assume that the man authentcaton entty (ME) has knowledge of the publc keys of all group members; hence, t can share a group key wth new group members usng publc-prvate key semantcs. To determne the securty strength of TAP, we consdered an ntruder as dscussed n earler work

3 [17] wth certan extra capabltes. For nstance, the ntruder s capable of operatng on all communcaton channels between the customer and servce provder entty. Moreover, the ntruder can redrect, spoof, replay or block messages, and has ntally known nformaton; e.g., t knows the IDs of all users and servce provder enttes. It can ntercept, record, and generate a message from known nformaton. Gven the presence of such an ntruder, we dscuss the strength of TAP aganst some known attacks and nstances of ntercepted credentals, such as mpersonaton of a customer node, mpersonaton of a servce provder entty, and a replay attack. We further analyze TAP usng CSP and rank functon analyss. The remander of the paper s organzed as follows: Secton II gves a bref system overvew and dscusses the proposed strategy n partcular. In Secton III, we revew the strength of TAP aganst several known attacks and cases of ntercepted credentals. Next, the formal analyss of TAP usng CSP and rank functon analyss s presented n Secton IV. Then, n Secton V, we compare the securty and performance of the TAP protocol sute wth those of prevous methods work n the lterature. Fnally, we provde concludng remarks n Secton VI. II. Analytcal Model and Proposed Scheme The TAP system s not lmted to a partcular network type or applcaton; t s sutable for sensor networks, moble networks, and clent-server applcatons, among others. For the dscusson and analyss, we consder that the TAP system conssts of the three maor enttes of the man authentcaton entty (ME), the servce provder entty (P), and the customer node (C). The man authentcaton entty (ME) knows the publc keys of all servce provder enttes (P) and customer nodes (C). It authentcates and ssues a tme-based tcket (T k ) for re-authentcaton. It also authentcates any newly onng servce provder entty ( P). Durng the authentcaton process of P, the ME sends the customer node s requrement profle for an effcent and optmzed P C relatonshp. In addton, the ME controls the key dstrbuton and derves varous keys from the keychan. All MEs are connected va secure lnks and share publc keys wth all of ther neghbors. The servce provder entty (P) authentcates C upon recevng a vald authentcaton tcket (T k ) and starts provdng servces based upon the user profle. Upon the recept of the ntal authentcaton request, P forwards the message to ME. In some applcatons, P has two separate areas of operaton: the servce-delvery area ( A s ) and the communcaton area (A c ). P may authentcate or forward a request to ME whle C s n A s, and t may provde servces once t enters A c. The customer node (C) can on or leave the system dynamcally and can move across the network. Ether C ons the network or swtches from one servce provder (P) to another. In both cases, C s responsble for ntatng the authentcaton procedure. Notatons: ME = The th man authentcaton entty. P = The th servce provder entty. C = The th customer node.

4 A B = A s assocated wth B such that B s n controllng authorty. P ME represents that th servce provder entty s assocated wth th ME. G =Group of all assocated enttes of th ME. G o = Group of all non-assocated enttes of th ME who knows the K G. K 0 =The tme-based key generated at 0th nterval known as commtment key. K =The tme-based key generated at th nterval by ME. K C = The secret publc key of th Customer, t s publcally known to the MEs only. K ME s the publc key of ME, K P s the publc key of P and K C s the publc key of C. K G =A group key generated by ME. K S = A C P sesson key generated at th nterval. K p k = A partal key of C k used to generate C C sesson key. K, = A C C sesson key generated from partal keys. E B (m)=encryptng message m wth key K B. E ME (m) represents the encrypton of m' usng K ME. V 0 =The ndex value for nterval 0. T k = The kth Tcket generated at th nterval. Z(A) = An ntruder Z mpersonatng entty A. N = th nonce n a TAP message exchange. Fgure 1. System archtecture The overall system archtecture s shown n Fgure 1. Each ME creates a group whch conssts of neghbor MEs and assocated servce provder enttes. The ME shares a symmetrc group key K G wth all group members. For nstance, n Fgure 1 ME 2 creates a group consstng of ME 1, ME 3, and assocated servce provders (P 1 P k ). The group formaton and group key K G management processes can be done as per system constrants and requrements. In ths dscusson, we assume that ME knows the publc keys of all group members; consequently, t can share group key K G wth new group members usng publc-prvate key encrypton. The group key s a ratonal choce gven the assumpton that group members are not synchronzed wth regard to tme. In a stable synchronzed dstrbuted system, the group key K G can be replaced by the tme-based key K, where K should be the fnal key n the keychan. The TAP

5 scheme conssts of two protocol sutes, the keyng protocol sute and the authentcaton protocol sute, whch are dscussed below n subsectons A and B, respectvely B. Keyng Protocol: As n TESLA [15], TAP also generates a keychan usng an rreversble functon. However, n TESLA keys are used to authentcate a broadcastng entty; n TAP the keys are used to derve several other keys, such as a tcket encrypton key, a C P sesson key, and partal sesson key generators whch provde securty to the authentcaton system overall. Moreover, n TESLA [15], the keychan s generated n the broadcastng entty, whereas n TAP all members of G generate and share the same chan of key generators of length L. The group leader (ME ) shares the key generaton nformaton (Key MSG ) wth group members when they on the group. After the expraton of T d (at a vald tme for commtment key) ME broadcast Key MSG to all members of G ; Key MSG s encrypted wth K G or n the case of a tme-synchronzed system s encrypted wth K l (the fnal key n the keychan). The key generaton nformaton (Key MSG ) s used to generate a commtment key (K 0 ); afterward, all group members ndependently generate the chan of key generators. The group leader ME controls the procedure of commtment key generaton and all related characterstcs. The key generaton nformaton Key MSG = lookup(i, O) T d T c N 0 L MODE conssts of several peces of nformaton. I and O are ndex and offset values, respectvely, whch are used to select a predefned value from the secret TABLE. T d s the vald tme duraton for commtment key K 0, T C s the tme on ME when t was broadcastng Key MSG, N o s a nonce and MODE s the key retreval mode (dscussed n subsecton b). Note that T d s dvded nto L number of ntervals; t also determnes the keychan length. a) Key Generaton and Dstrbuton: The tme frame shown n Fgure 3-(a) s composed of three perods: the tme requred for key generaton ( T G ), the tme needed for key dstrbuton ( T Ds ), and the vald tme for the commtment key (T d ). All G members follow the subsequent steps: (1) run a functon g (shown n Fgure 3-(b)) to generate the commtment key generator G 0 = g(lookup(i, O), T d, N 0 ). (2) An rreversble functon F takes G 0 as nput argument and generates a chan of key generators of length L, {F(G 0 ) = G 1, F(G 1 ) = G 2 F(G l 1 ) = G l ; -e F(G k ) = G k+. (3) Usng another rreversble functon f (shown n Fgure 3(c)) all members of G generate an ndex value and keychan, f(g 0 ) = (K 0 V 0 ), f(g 1 ) = (K 1 V 1 ) f(g l ) = (K l V l ) V K ; where, V = {V 0, V 1,. V l } and K = {K 0, K 1,.. K l }. These keys are used for tcket encrypton; for nstance, the th key (K ) s used to encrypt tckets (T k ) ssued durng the th tme nterval. Keys are dsclosed n reverse order such the ntruder cannot generate future keys, whereas the ndexng vector (V) serves n an ndexng role to retreve the tcket encrypton key. For nstance, f V

6 corresponds to the th nterval, the key s retreved as F(G 0 ) = G f(g ) = (K, V ). (4) ME broadcasts Key MSG for the next chan to all group members usng K G or K l. Steps 1-3 are performed n T G and step 4 s executed durng T Ds. In addton to the tme-based keys (for tcket encrypton), ME also generates a unque C P sesson key K S = H(K H(K C k )) for verfed C k and P. Moreover, the valdty tme for K S k s gven as T R = l L. Fgure 2. Tme-based keys generaton and admsson wth reference to tme passage. Fgure 3. (a) Tme frame. (b) Structure of functon g H(lookup(I, O) T d N 0 ). (c) Structure of functon f H(G ) N 0 H() N 0 ). b) The Retreval Modes For The Tcket Encrypton Key: The authentcaton tcket conssts of two segments: the customer nformaton segment and the key retreval nformaton segment respectvely encrypted wth the tme-based key K l and group key K G. The key retreval procedure depends on the structure of the tcket, whch s determned by the system requrements and constrants. We propose three dfferent key retreval modes, as presented below. E (C k K s V Profle H head ) E G (C k V H(G ) H(K C k )) Mode-1 E (C k K s V Profle H head ) E G (C k (T t ) H(G ) H(K C k )) Mode-2

7 E (C k K s V Profle H head ) E G (C k V H head Vector Hash H(K C k )) Mode-3 The second half of T k depends on the mode and conssts of tme-based key retreval nformaton; once the tme-based key s retreved, t s then employed to decrypt and verfy the frst half of T k. In mode-01, ME adds the ndex value (V ) n the key retreval nformaton segment. The tcket verfer compares the appended value wthn the locally generated vector (V). A match at the th place ndcates that the tcket s generated by ME at the th nterval and can be decrypted by key K. In mode-02, ME nserts the tcket ssung tme T t nto the key retreval nformaton segment. The verfers can search for the value of the ndex wthn the followng range: [ T c T t T d ε L updated, T c T t T d + ε L updated ] Where, T c s the current tme of the verfer clock and ε s the tme drft. Intally, the value of ε s calculated as ε 0 = T c T c. Upon each successful retreval of K k, the value of ε s updated as shown below. ε updated = w 0 ε prevous + w 1 ε current In ths equaton, w 0 = 1 T c +T t T d and w 1 = T c +T t T d In mode-03, all G members ndependently generate a bnary hash tree whose leaf nodes are ndexng values taken from ndex vector (V). ME adds the ndex value (V ) and log 2 V number of hash values n key retreval nformaton segment; these hash values are selected nodes of the hash tree. Lkewse, the verfer can reconstruct the hash tree wth the total log 2 V number of hash operatons, whch gves the complexty of O(log). After the reconstructon of the tree and confrmaton of the head node, the verfer retreves the ndex value by runnng the followng smple search algorthm. Owng to the appended hash values, the ndex search complexty s reduced to O (1). Search algorthm: Start from head node and go down Ignore the appended values and follow reconstructed node. Do untl level log 2 V 1 Now, fnally select the appended value whch s the ndex value The mode 3 s sutable f the keychan s very long. C. Authentcaton Protocol Sute: A customer node C s authentcated n three dfferent ways. When t ons the system, t goes through a password-based authentcaton procedure termed the ntal authentcaton protocol. Hereafter, when C moves across the network, t s re-authentcated by a certfcate-based authentcaton procedure known as a re-authentcaton protocol, where a certfcate s a tmebased tcket ssued by ME durng the ntal authentcaton protocol run.

8 a) Intal Authentcaton Protocol: After every th nterval, P broadcasts ME s publc key. A newly onng C may receve multple broadcast messages; however, C contnues wth the frst P, and the protocol proceeds as follows: Fgure 4. Message exchange for the ntal authentcaton protocol. M1. P broadcast ME s publc key. M2. In the onng request C sends N 0 encrypted wth ME s publc key to P. If C s already regstered wth ME, the nonce N 0 can be replaced wth the hash value of the password. M3. P forwards the request to ME. ME retreves the profle from the database; f C s authorzed for the requested servces, ME retreves C 's secret key and sends the message M4. M4. ME sends M4 to P composed of tcket T k, the ndex value, and N 1 (challenge for C ) all encrypted wth K G ntended for P and u 0 = E C (P N N 1 T k T R K s ) ntended for C. P retreves the customer profle and sesson key K s from the tcket T k. M5. P forwards u 0 to C. After challenge verfcaton, C accepts T k. a. P C : u 0 Lmted f the servce provder entty cannot fulfll the servce requested due to resource lmtatons, t sends a message 'Lmted'. C may contnue or connect to another servce provder entty wth the allotted tcket. M6. After challenge confrmaton, P starts provdng servces; otherwse, P halts the servce and announces T k as an nvald tcket. b) Re-Authentcaton Protocol-1: When an authentcated C moves from P k P such that {P k, P } G, the protocol proceeds as follows.

9 Fgure 5. Message exchange for re-authentcaton protocol-1. M1. C sends Swtch Req = E S (C N 0 ) T k h(me ) to P. P decrypts the tcket, retreves the customer profle, and confrms whether C s authorzed for the further servce. a. Note that f P receves multple dentcal Swtch Req messages from C, t ndcates the exstence of a malcous user. M2. P sends a challenge response along wth a new challenge for C encrypted wth the C P sesson key. M3. After challenge confrmaton, P starts provdng servces; otherwse, P halts the servce and announces T k as an nvald tcket. c) Re-Authentcaton Protocol-2: When an authentcated C moves from P k P such that P G k o, the protocol proceeds as follows. Fgure 6. Message exchange for re- authentcaton protocol-2. M1. C sends Swtch Req = E S (C N 0 ) T k h(me ) to P. The P decrypts the second half of T k ; f the request s not from C, then P dscards the request; otherwse, P forwards t to ME. M2. ME decrypts the tcket, retreves the customer profle, and confrms whether C s authorzed for the further servce. If C s elgble for further servces, ME generates K s = h(k c V ) and proceeds as descrbed below. Otherwse, ME gnores the request and C may ntate the ntal authentcaton protocol. If C sends multple M1 messages, P gnores the messages, and C s marked as a malcous user. M3. ME sends M3 to P composed of new tcket T k, the ndex value V, and N 1 (challenge for C ) encrypted wth K G ntended for P and u 0 new = E C (T k T R K s N 1 N P ) ntended for C. P retreves the customer profle and sesson key K s from the new tcket T k. M4. P forwards u 0 to C. After challenge verfcaton, C accepts the T k. M5. After challenge confrmaton, P starts provdng servces; otherwse, P halts the servce and announces T k as an nvald tcket. If C G k o G k,the P gnores the request, and C ntates the ntal authentcaton protocol.

10 d) Specal Cases: Customer-Customer (C C ) Mutual Authentcaton: Here, we assume that two customer nodes ( C and C ) want to communcate drectly. To authentcate each other, C and C exchange messages composed of respectve tckets and partal keys whch are encrypted wth the respectve C P sesson keys. C C : E s (C N 0 K p ) T k. C C : E s (C N N 1 K p ) T k. To decrypt the authentcaton message, both C and C forward t to ther assocated servce provder enttes. After the frst message exchange, there are three possble scenaros concernng the C P assocaton. The customer-customer mutual authentcaton protocol proceeds dfferently for each scenaro, as dscussed below. 1- If {C, C } P, the respectve servce provder entty (P ) decrypts the messages and retreves the partal keys for assocated customers; P sends the partal key along wth a challenge response to C and C. After challenge verfcaton, both C and C generate a C C sesson key K, = H(K p N 1 K p N 0 ) for further communcaton. 2- If {P, P } G and C P and C P, the respectve servce provder enttes decrypt the message and retreve the partal key for assocated customers. P and P send the partal key along wth a challenge response to C and C, respectvely. After the challenge verfcaton step, both C and C generate a C C sesson key K, = H(K p N 1 K p N 0 ) for further communcaton. 3- If {P, P } G 0, C P, and C P, the ndvdual servce provders forward the message to the respectve MEs to retreve the partal keys. After recevng the response from the respectve ME s, P and P send the partal key along wth a challenge response to C and C, respectvely. After challenge verfcaton, both C and C generate a C C sesson key K, = H(K p N 1 K p N 0 ) for further communcaton. Delayed or lost response for a onng/swtch request: As dscussed earler, multple dentcal onng/swtch requests from the same C ndcate the exstence of an ntruder. The ncluson of the prevous nonce prevents the stuaton of msnterpretaton between a lost request and a replay attack. a. C P : E ME (C N 0 N 0 ). b. C P : E s (C N 0 N 0 ) T k Swtch Req. For re-authentcaton protocol-2, f C does not obtan a response for a swtch request, t ndcates that an ntruder has forged h(me ), and P s unable to proceed. Hence, P gnores the request and C sends an ntal authentcaton request along wth nonce sent n the prevous request. The ncluson of the prevous nonce prevents the stuaton of msunderstandng between a lost request and a replay attack.. a. C P : E ME (C N 0 N 0 T k Alert).

11 III. Strength aganst several known attacks To verfy the securty of TAP, we ntroduce an ntruder Z nto the system, as dscussed n earler work [17]. The ntruder s capable of controllng all communcaton channels (send and receve); t can redrect, spoof, replay or block messages and has ntally known nformaton, such as the IDs of all users. In the presence of such an ntruder, we explore the strength of TAP aganst certan known attacks, n ths case the replay, parallel sesson, and bndng attacks. A. Impersonatng C Let us consder an ntruder Z(C ) who ntercepts and records the messages from C and can communcate wth P. Durng the ntal authentcaton process, f Z(C ) mpersonates C wthout nterceptng orgnal messages from C, at M3 the presence of the ntruder s detected, as ME receves multple on requests from the same C such that the requests come from multple or sngle nstances of P wth multple requests per P, thus ndcatng the presence of an ntruder. In the gven scenaro, ME sends an alert message appended wth M4; addtonally, each M4 ncludes a dfferent N 1 challenge nonce for each request forwardng P ( ME P : u 0 E G (V N 1 T k ) Alert ). Smlarly, even f Z(C ) mpersonates and successfully ntercepts all messages from C, t stll fals to send M6 wthout knowng the C P sesson key and the prvate key of C. In re-authentcaton protocol-1 and protocol-2, f Z(C ) mpersonates and successfully ntercepts all the messages from C, wthout knowng the C P sesson key, Z(C ) fals to send a vald M3 n protocol-1 and an authentc M5 n protocol- 2. The falure of M3/M5 ndcates the presence of a malcous user. Lkewse, n mutual authentcaton protocol for customers, an ntruder cannot acqure partal keys wthout knowng the C P sesson keys. B. Impersonatng P Let us consder an ntruder Z(P ) who can ntercept and record messages from P and can communcate wth C. If Z(P ) mpersonates P and successfully ntercepts all messages from P, t brngs a mnor delay, and C ntates another authentcaton process. Moreover, Z(P ) s unable to obtan T k wthout knowng the prvate key of C and cannot obtan K G wthout knowng the prvate key of P. Smlarly, n re-authentcaton protocol-1 and protocol-2, f Z(P ) mpersonates and successfully ntercepts all messages from P, Z(P ) s stll unable to obtan T k wthout knowng the C P sesson key. C. Replay or Multplcty Attack To nvestgate the strength of TAP aganst a replay or multplcty attack, as ntroduce the ntruder Z(C ), as dscussed above, and launch a replay attack aganst ntal and reauthentcaton protocols.

12 a) Replay attack on the Intal Authentcaton Protocol In the {Z(C ), C } ME case, the ntruder Z(C ) can replay a few messages n the ntal authentcaton protocol run; however, t fals to complete the protocol run, and the presence of the ntruder s detected after few messages are exchanged. Fgure 7. An example of replay attack on TAP ntal authentcaton protocol. M2 : Intruder Z(C ) ntercepts M2 and replays the message towards P. M3 : ME receves smlar multple on requests from P and P, whch s a concevable ndcaton of a malcous user. ME wll send M4 and M4 to P and P, respectvely. Both messages consst of an alert sgnal and two dfferent challenges. M6 : The ntruder fals to complete the attack, as the expected reply s E s (C N 1 + 1), and P notfes ME of the exstence of an ntruder. b) Replay attack on Re-Authentcaton Protocol-1 In the case of {P, P } ME, the ntruder Z(C ) can replay a few messages n re-authentcaton protocol-1; however, t fals to complete the protocol run and the presence of the ntruder s thus detected after a few messages are exchanged. Fgure 8. An example of replay attack on TAP re-authentcaton protocol-1.

13 M1 : The ntruder replays the message to deceve P wth a message seemngly sent by C and encrypted wth K s. M3 : The ntruder fals to complete the attack, as the expected reply s E s (C N 1 + 1), and P notfes ME of the exstence of an ntruder. c) Replay attack n Re-Authentcaton Protocol-2 In the case of {Z(C ), C } ME, the attack follows a message sequence smlar to that of the ntal authentcaton case and provdes the same concluson; at M3, ME detects the threat, and at M5 the correspondng P dentfes the ntruder. However, f {C } ME and Z(C ) ME k such that {ME, ME k } G, meanng that the ntruder ntercepts the messages and uses t to become authentcated by another ME by explotng the fact that the ME s do not nteract throughout the procedure. Ths attack s carred out as follows: Fgure 9. An example of replay attack on TAP re-authentcaton protocol-2. M1 : The ntruder replays the message to deceve P wth a message seemngly sent by C and encrypted wth K s. M3/M3 : ME or ME k cannot detect an ntruder. M5 : The ntruder fals to complete the attack, as the expected reply s E s (C N 1 + 1), and P notfes ME of the exstence of an ntruder D. TAP falure under gven condtons Let s Next, we consder a certan exceptonal condton whch enables an ntruder to launch a successful attack. C1. Z(C ) s n P coverage area. C2. C s not n the range of any legtmate P. C3. Z(P ) can communcate wth C pretendng to be a legtmate servce provder. C4. Z(C ) and Z(P ) can communcate drectly wth neglgble tme delay. C5. All four condtons should hold together. Under the gven condtons, the ntruder can act as a man n mddle, replay messages, and run a parallel sesson of the protocol wth bndng attack abltes. The ntruder replays the message

14 whch t receves from ts partner, who runs a parallel sesson wth a legtmate counterpart. However, even under the gven condtons, the ntruder cannot re-authentcate. The attack on the ntal authentcaton wll proceed as follows: Fgure 10. An example of a successful attack on TAP under gven condtons. E. Remarks on TAP securty In TAP, f a legtmate counter entty s an actve partcpant n the system, the mpersonatng C or P s detectable and dentfable; ths mples that replay, bndng, and parallel sesson attacks are not successful attacks aganst TAP. However, under hghly exceptonal condtons, a man n the mddle, who can replay the messages and run a parallel sesson of the protocol wth the capablty of a bndng attack, can launch a successful attack. In a system where these condtons are lkely to occur, t s recommended to take certan measures to authentcate the dentty of the broadcastng servce provder entty (P ). To prevent DDoS attacks, the group on and ntal authentcaton procedures nclude a puzzle n M1 and proceed f the requestng entty provdes a vald soluton [18,19]. VII. Formal analyss of TAP usng CSP and RANK functon analyss Communcatng Sequental Processes (CSP) refer a form of algebra whch descrbes and analyzes a system whch conssts of communcatng processes [20]. TAP authentcaton procedures can be defned as events of CSP processes, and through the rank functon analyss method [21-23], we can verfy the securty of TAP. CSP Notatons: A P: Process P performs an event A on ts nterface. After performng event A process P may or may not change ts state. P Q: P Choce Q s a choce operator, t provdes a process who behaves as P or Q. P R Q: P and Q run n parallel and synchronzed on event P.

15 P R STOP: Restrct process P on event set R. P Q: P and Q are the nterleavng processes, and run n parallel wthout event synchronzaton. It s a specal case of the parallel process, where an event set of synchronzaton s an empty set. P Q = P <> Q. S m: Set of messages S can generate message m. traces(p): All possble event traces of process P. tr traces(p): A trace sequence tr belongs to traces(p) f P performs events of tr n the same sequence. tr C: The set of messages n trace sequence tr collected at channel C. tr A: Maxmal subsequence of trace sequence tr who's elements are taken from event set A. P sat S tr traces(p) S. If the trace tr s one of the traces of process P such that trace tr predcated by the event/message S, mples that process P satsfes the event/message set S. Such statement s trace specfcaton (TS). CP d : Set of d s of all C and P. n m: n s suffcent nformaton to trust that m s correct/true nformaton. A. Modelng the TAP network n CSP We consder the system NET, whch s defned by the legtmate user processes of TAP n conuncton wth the ntruder process Z. NET = (User C (N 0 ) User P User ME ) [send, receve] User Z (S) Where, User C (N 0 ), User P and User ME represent the legtmate nterleavng processes of C, P and ME, respectvely, whch are runnng n parallel and whch are synchronzed to ntruder Z at the [send, receve] event set. Ths gves the ntruder the capabltes dscussed below. a) Modelng Intruder Z n CSP Let us defne a CSP model for ntruder process Z as dscussed n an earler study [17] wth certan extra capabltes. The ntruder s capable of controllng all communcaton channels (send and receve) and can redrect, spoof, replay or block messages. It also has the ntally known nformaton INIT, e.g., the IDs of all users. When a legtmate user sends a message to another legtmate user, Z can ntercept and record each message; these ntercepted messages are addtonal nformaton wth regard to the current nformaton (S) of Z -e S {m}. User z (S) = send. A. B. m Z(S {m}) S m receve. A. B. m Z(S) Let us also suppose the exstence of legtmate users A and B. Intruder Z can deceve A by

16 sendng a message m, ntercepted or generated from current nformaton S ( S m ), and pretendng to be user B. b) Modelng TAP Authentcaton Procedures n CSP The actvtes of C, P and ME n TAP can be defned as CSP processes. In addton to the actvaton of TAP authentcaton, the CSP processes also generate two sgnals, conf and Auth: conf. A. B. n m : Based upon nformaton n, partcpant A s confdent that shared nformaton m s trusted nformaton between A and B. Auth. B. A. m: B authentcates A based upon trusted nformaton m and B agrees that A was prevously runnng the protocol and performed the correspondng sgnal conf. The CSP processes for the TAP ntal authentcaton protocol: User C = P receve. C. P. K ME send. C. P. E ME (C N 0 ) receve. C. P. u 0 conf. C. P. N 0 N 1 send. C. P. E s (C N 1 + 1) STOP The CSP processes for TAP re-authentcaton protocol-1: User C = P send. C. P. E s (C N 0 ) T k receve. C. P. E s (P N 1 N 0 + 1) conf. C. P. N 0 N 1 send. C. P. E s (C N 1 + 1) STOP The CSP processes for TAP re-authentcaton protocol-2: User C = P send. C. P. E s (C N 0 ) T k h(me ) receve. C. P. u 0 conf. C. P. N 0 N 1 send. C. P. E s (C N 1 + 1) STOP User P = send. P. C. K ME receve. P. C. E ME (C N 0 ) send. P. ME. E ME (C N 0 ) receve. ME. P. u 0 send. P. C. u 0 receve. P. C. E s (C N 1 + 1) Auth. P. C. N 1 STOP Where the actvtes of ME are common for all of the TAP protocols. User ME = receve. ME. P. (C N 0 ) send. ME. P. u 0 E G (V N 1 T k ) STOP User P = receve. P. C. E s (C N 0 ) T k send. P. C. E s (P N 1 N 0 + 1) receve. P. C. E s (C N 1 + 1) Auth. P. C. N 1 STOP User P = receve. P. C. E s (C N 0 ) T k h(me ) send. P. ME. E s (C N 0 ) T k h(me ) receve. ME. P. u 0 send. P. C. u 0 receve. P. C. E s (C N 1 + 1) Auth. P. C. N 1 STOP B. Rank Functon Analyss To prove the overall securty of TAP, we use a proof strategy whch verfes that all authentcaton protocols satsfy the rank theorem, whch mples that TAP s a secure protocol. The entre process s dscussed n detal n subsequent sub-sectons. a) Proof strategy Accordng to the protocol semantcs, the sgnal conf. A. b. m must follow a sgnal Auth. A. B. m, whch mples the followng authentcaton property (AP1): NET Sat conf. C. P. (N 0 N 1 ) precedes Auth. P. C N 1

17 To prove that NET should meet AP1, Schneder [22] specfes a smple strategy: for NET to satsfy AP1, NET must establsh that Auth. P. C N 1 cannot be generated n NET f an occurrence of conf. C. P. N 0 N 1 s prevented. Ths proof strategy mples the followng trace specfcaton (TS1): NET conf. C. P. N 1 STOP Sat tr Auth. P. C N 1 =< > b) Rank Functon Rank functon ( ρ : M Num ) maps the messages to a number, where M s the set of all messages and sgnal generated messages (S m) appearng n the protocol run. ρ(m) > 0 f the dsclosure of m s safe (.e., f NET mantans a secure state) and ρ(m) 0 f the dsclosure of m s unsafe (.e., f NET enters a compromsng state). For a process P to mantan a postve ρ, t should not transmt ρ(m) 0 untl and unless P has already receved (m) 0. Such a process mantans the followng trace specfcaton (TS2). P mantans ρ tr trace(p) ρ(tr receve) > 0 ρ(tr send) > 0 If a process mantans TS2, t never ntroduces ρ(m) 0; hence, a protocol s proved to be secure f all processes mantan TS2. c) Rank Theorem and Suffcent Condton Rank Theorem: If, for event sets R and T, ρ satsfyng P1) m INIT ρ(m) > 0 P2) S M, m M ( m S ρ(m ) > 0) S m ρ(m) > 0 P3) t Tρ(t) 0 P4) (User R stop sat mantan ρ) for each user then, NET sat R Precedes T. The proof of theorem s presented n earler work [20]. The four propertes of the rank functon prevent an exchange of non-postve messages n the system NET R STOP, whch s synchronzed wth STOP upon event set R. In TAP, R = conf. A. B. m and T = Auth. A. B. m, whch mples that the occurrence of sgnal conf wll stop the process NET. Earler, we dscussed wth regard to the proof strategy that TAP s secure f t satsfes TS1. If the rank functon of TAP holds all propertes of the rank theorem, ths mples that all of the processes mantan TS2, and NET satsfes TS1. Ths condton s suffcent to prove that TAP s a secure authentcaton protocol. d) Rank Analyss for TAP ntal Authentcaton Here, we defne the rank functon for the ntal authentcaton. As dscussed earler, f an ntruder mpersonates C or P, the system NET mantans a secure state; hence, ρ(cp d ) > 0. All nonce nstances are non-postve such that ρ(n) 0 ; hence, the nonce must be sent out encrypted wth a secure key (K represents the set of all secure keys);.e., ρ(e k (N)) > 0. As descrbed n TS1, NET s restrcted upon conf. A. B. m, and any message or sgnal after the conf sgnal s marked as non-postve.

18 ρ(k) = { 1 f K = K ME 0 otherwse 0 f m = receve. P. C. E s (C_ N 1 + 1)Or ρ(m) = { m = send. C. P. E s (C N 1 + 1) 1 otherwse ρ(cp d ) > 0 ρ(e k (N)) > 0 ρ(athu) 0 ρ(n) 0 At ths stage, we can verfy the securty of the TAP ntal authentcaton usng the rank theorem propertes. P1) m INIT ρ(m) > 0: The fundamental knowledge of the ntruder INIT ncludes CP d and K ME, whch have postve rank values, hence satsfyng P1. P2) S M, m M ( m S ρ(m ) > 0) S m ρ(m) > 0 : Ths property verfes whether a set of postve rank messages can generate a non-postve rank message. All nonpostve rank messages are encrypted wth the non-postve encrypton key K s. The ntruder cannot acqure K s wthout knowng the non-postve key K c, the non-postve nonce N 0, and the non-postve nonce N 1 ; hence, ths condton satsfes P2. P3) t Tρ(t) 0: The event set T s the Auth. A. B. m sgnal, and under the gven restrcton we have ρ(athu. A. B. m) 0, hence satsfyng P3. P4) (User R stop sat mantan ρ) for each user Ths property states that all users CP d should mantan a postve state when restrcted wth regard to event set R = conf. A. B. m. We confrm f the processes User C and User P satsfy P4 User C Conf. C. P. N 1 STOP = P receve. C. P. k ME send. C. P. E ME (C N 0 ) receve. C. P. u 0 f P = P N = N 0 N 1 STOP else fp = P N N 0 Intate wth resend mode Hence, the protocol mantans a postve ρ under the gven restrcton, and t satsfes P4. It s concluded that the TAP ntal authentcaton protocol s secure, and we further check reauthentcaton protocol-1 and protocol-2. e) Rank Analyss for TAP Re-Authentcaton Rank functon for TAP re-authentcaton protocols 1 and 2 are smlar to the rank functon for ntal authentcaton (because all the conventons of ntal authentcaton hold true for reauthentcaton protocol 1 and 2), except tcket, whch s encrypted wth non-postve keys, hence we have ρ(t k ) >0. From CSP of TAP re-authentcaton, we notce that message and sgnal pattern after conf. A. b. m s smlar to the ntal authentcaton protocol. Hence, TAP satsfes the rank propertes for re-authentcaton protocol 1 and 2 as well. It concludes that TAP s a secure authentcaton protocol.

19 Clams Weak Agreement Agreement Nonnectve Nonnectve Agreement TABLE II AUTHENTICATION PROPERTIES COMPARISON B. Vayda et. al [24] I. Chang et. al [25] L Xehua [26] H. Ln et. al [27] TAP TAP Not Restrcted Restrcted Not Restrcted Restrcted Not Restrcted Restrcted Not Restrcted Restrcted Not Restrcted Restrcted U GW S U GW S U GW S U GW S UE MME HSS UE MME HSS U S U S C P ME C P ME N Y N N Y N Y Y N Y Y N N N N N Y N N N N Y Y Y Y Y Y Y N Y N N Y N Y Y N Y Y N N N N N Y N N N N Y N Y Y Y Y Y N Y N N Y N Y Y N Y Y N N N N N Y N N N N Y N N N Y Y Y Ths artcle has been accepted for publcaton n a future ssue of Internatonal Journal of VIII. Securty and Performance Comparson A. Securty Comparson In ths secton, we compare TAP wth exstng authentcaton schemes [24-27]. The TAP protocol s not lmted to a partcular network type or applcaton scenaro; thus, we compare TAP wth a sensor network [24-25], LTE [26] and clent-server applcatons [27]. In the prevous sectons, we examned the strength of TAP wth a rgorous analyss. For further confrmaton of the strength of the TAP protocol, we mplemented TAP and several well-known prevously proposed schemes [24-27] n an automated securty protocol analyss tool, Scyther [28]. The Scyther tool verfes protocol clams aganst possble attacks n the presence of an ntruder, as dscussed n Secton V- B. The clams are events whch descrbe the am and securty propertes of the authentcaton protocol, as defned below [1-2]. Alveness: Ths clam nfers that at the end of a protocol run, the partcpants are guaranteed that all partcpants were runnng the protocol. Weak Agreement: Ths clam presumes that at the end of the protocol run, protocol ntator s confdent that the protocol responder has been runnng the protocol, though superfcally. Non-nectve Agreement: Ths clam nfers that at the end of a protocol run, the protocol ntator s confdent that the protocol responder has been runnng the Parameter TABLE I SCYTHER PARAMETER SETTINGS Type Number of Runs 1~100 Matchng Type Fnd all Type Flaws Search prunng Fnd All Attacks Number of pattern per clam 100 Alveness N Y N N Y N Y Y N Y Y N N N N N Y N N Y N Y Y Y Y Y Y Y

20 protocol accordng to a defned role and partcpants are agreed upon a data set shared durng the protocol run. Non-nectve Synchronzaton: Ths clam nfers that at the end of a protocol run, all partcpants are confdent that all other partcpants exactly followed ther roles n the protocol and exchanged messages n the ntended order. In Scyther the protocols are modeled as an exchange of messages among the partcpants performng specfc roles ; for nstance, the customer node performs the role of the ntator, the servce provder performs the role of the responder, and the ME performs the role of a server. We mplemented and tested TAP and the proposed methods of Vayda et al. [24], Chang et al. [25], Xehua [26], and Ln et al. [27] through the clams mentoned above wth the parameter settngs gven n Table I. The protocols are tested under Restrcted and Not Restrcted condtons. Under the Restrcted condtons, honest partcpants usng the protocol are restrcted and can thus run only one nstance of the protocol. These results are shown n Table II. It s clear that our protocol qualfes all of the protocol clams, and no attacks were noted under the restrcted condton. Conversely, t fals to fulfll a few clams when partcpants are permtted to run multple nstances. However, our protocol outperforms those n the earler works [24-27], and t s secure n a large number of systems and scenaros. In contrast, the earler methods [24-27] are susceptble to several attacks and fal to fulfll the maorty of authentcaton clams. B. Performance Comparson The results of the performance comparson are presented n Table III, where we compare the effcency of the TAP authentcaton protocol sute n terms of the computatonal cost, message complexty and tme synchronzaton requrements aganst the authentcaton schemes dscussed above [24-27]. The computatonal cost s estmated to be the sum of the overall number of modular exponentatons (e) and the hash (h) and XOR (x) operatons. To compute the computatonal cost of one of the earler methods [26], we assumed that the cost of TABLE III PERFORMANCE COMPARISON OF TAP WITH PREVIOUS WORK Scheme Comp. Complexty Message Complexty Tme Syn. B. Vayda et. al [24] 8H+4X (6+k)U Y I. Chang et. al [25] 25H+1X (2+5)U Y L Xehua [26] 12H+2X 8U N H. Ln et. 13H+12X+2 al [27] E (2+3)U Y TAP (IA) 3H 5U N TAP (RA- 1) 1H 3U N TAP (RA- 2) 4H 4U N E=Modular exponentaton, H = hash operaton, X=XOR operaton, U = uncast message functons f3, f4, and s10 n the SE-EPS vector generaton algorthm were dentcal to one hash operaton. Regardng the computatonal cost, the TAP protocol sute greatly outperforms all of the schemes. Referrng to the modular exponentaton, the approach presented by Ln et al. [27] s the most expensve scheme, followed by those of Chang et al. [25], Xehua [26] and Vayda et

21 al. [24]. For the sake of smplcty, we gnore the computatonal cost of the XOR operaton. Fgure 11 shows the computatonal cost of TAP compared to the approaches of Vayda et al. [24], Chang et al. [25] and Xehua [26] for a moble customer node movng across the network and experencng the authentcaton process. Fgure 12 shows the message complexty of TAP compared to these earler schemes [24-27] for a moble customer node movng across the network and experencng the authentcaton process multple tmes. The message complexty s presented for the method of Vayda et al. [24], calculated wth the assumpton that k=3, meanng that at the tme of onng there are fve potental nodes whch can process the logn request sent by a user. In the bestcase scenaro, when a customer experences re-authentcaton protocol 1 the, TAP message complexty s the lowest. However, the message complexty of the approach by Ln et al. [27] s slghtly better than the message complexty of TAP n the worst-case scenaro. Moreover, unlke the methods of Vayda et al. [24], Chang et al. [25] and Ln et al. [27], TAP and the approach by Xehua [26] do not requre tme synchronzaton among the partcpatng enttes. Fgure 12. Message Complexty comparson of TAP wth prevous works. Fgure 11. Computatonal cost comparson of TAP wth prevous works. IX. Concluson In ths paper, we proposed a novel key dstrbuton and authentcaton protocol (TAP) for dynamc and moble network applcatons. TAP enhances the level of protocol securty wth the assstance of tme-based encrypton keys and scales down the authentcaton complexty by ssung an authentcaton tcket. A securty analyss conducted here shows that TAP s secure aganst known attacks. A formal analyss usng CSP and rank functon analyss further confrms the strength of the TAP protocol. We also compared the securty and performance of TAP wth a

22 sensor network [24-25], LTE [26] and wth the Clent Server Applcaton approach [27]. The fnal results show that TAP s secure and desrable for an mmense range of network applcatons. ACKNOWLEDGEMENT Ths work was supported by Insttute for Informaton &communcatons Technology Promoton (IITP) grant funded by the Korea government (MSIP). (No. R , Standardzaton of Wreless Power Transfer Technology and Servce)] References [1] G. Lowe. A Herarchy of Authentcaton Specfcatons. In proceedngs. 10th Computer Securty Foundatons Workshop. June 1997 [2] C. Cremers, S. Mauw, E.P. De Vnk. Inectve synchronzaton: An extenson of the authentcaton herarchy. Theoretcal Computer Scence, vol. 367, no. 1-2, November 2006 [3] S. Msra, S. Goswam, C. Tanea and A. Mukheree. Desgn and mplementaton analyss of a publc key nfrastructure-enabled securty framework for ZgBee sensor networks. Int. J. Commun. Syst., November 2014, DOI: /dac.2893 [4] Phlppe Golle and Nagendra Modadugu. Authentcatng Streamed Data n the Presence of Random Packet Loss. avalable at Feb, 2008 [5] K. T. Nguyen, M. Laurent, N. Oualha. Survey on secure communcaton protocols for the Internet of Thngs. Ad Hoc Networks, vol. 32, September 2015 [6] N. Komnnos, D. D. Vergados and C. Doulgers. Multfold node authentcaton n moble ad hoc networks. Int. J. Commun. Syst., March 2007, DOI: /dac.882 [7] M. S. Farash1, M. A. Attar and Saru Kumar. Cryptanalyss and mprovement of a threeparty password-based authentcated key exchange protocol wth user anonymty usng extended chaotc maps. Int. J. Commun. Syst. (2014), DOI: /dac.2912 [8] J. We, X. Hu and W. Lu. wo-factor authentcaton scheme usng attrbute and password. Int. J. Commun. Syst. (2014), DOI: /dac.2915 [9] W. Wen, T. Sato, and F. Mzoguch. Securty of Publc Key Certfcate Based Authentcaton Protocols. Chapter, Publc Key Cryptography, Volume 1751, Lecture Notes n Computer Scence, pp , DOI: / _14 [10] A. Kukec, S. Groš and V. Glavnc. Implementaton of Certfcate Based Authentcaton n IKEv2 Protocol. 29th Internatonal Conference on Informaton Technology Interfaces, June 2007 [11] R. Anderson, F. Bergadano, B. Crspo, J.Lee, C. Manfavas and R. Needham. A New Famly of Authentcaton Protocols. ACM SIGOPS Operatng Systems Revew, Volume 32, Number 4, October 1998 [12] Blal, M.; Kang SG. Tme-Asssted Authentcaton Protocol (Under revew for US patent, Pendng App No. 15/348,480) [13] C. Neuman, S. Hartman and K. Raeburn. The Kerberos Network Authentcaton Servce (V5). [RFC4120], July 2005

23 [14] Yoney Krsal and Orhan Gemkonakl. Analysng the Kerberos Tmed Authentcaton Protocol Usng CSP-Rank Functons. Chapter, Global Securty, Safety, and Sustanablty, Volume 45, pp [15] Adran Perrg, Ran Canett, J. D. Tygar anddawn Song. The TESLA Broadcast Authentcaton Protocol. Avalable at f, 2002 [16] S. Rafael and D. Hutchson. A Survey of Key Management for Secure Group Communcaton, ACM Computng Surveys. Vol. 35, No. 3, September 2003 [17] D. Dolev and A. C. Yao. On the Securty of Publc Key Protocols. IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. IT-29, NO. 2, MARCH 1983 [18] Ar Juels and John Branard. Clent Puzzles: A Cryptographc Countermeasure Aganst Connecton Depleton Attacks. In Conference Proceedngs of Network and Dstrbuted System Securty Symposum, NDSS 1999, USA [19] Ncholas A. Fraser, Douglas J. Kelly, Rchard A. Ranes, Rusty O. Baldwn, and Barry E. Mulln. Usng Clent Puzzles to Mtgate Dstrbuted Denal of Servce Attacks n the Tor Anonymous Routng Envronment. In Conference Proceedngs, IEEE Internatonal Conference on Communcatons, June 2007 [20] P.Y.A. Ryan, S.A. Schneder, M.H. Goldsmth, G. Lowe and A.W. Roscoe. The Modellng and Analyss of Securty Protocols: the CSP Approach. Book, ISBN: , 2000 [21] S. Shakh and V. Bush. Analysng the Woo-Lam Protocol Usng CSP and Rank Functons. Journal of Research and Practce n Informaton Technology, Vol. 38, No. 1, February 2006 [22] S. Schneder. Securty Propertes and CSP. Proceedngs of IEEE Symposum on Securty and Prvacy, May 1996 [23] S. Schneder. Verfyng Authentcaton Protocols n CSP. IEEE Transactons on Software Engneerng, Vol. 24, No. 9, September 1998 [24] B. Vadya, J. J. Rodrgues and J. Hyuk Park. User authentcaton schemes wth pseudonymty for ubqutous sensor network n NGN. Int. J. Commun. Syst. 2010, DOI: /dac.1097 [25] I. Chang, T. Lee, T. Ln 3 and C. Lu. Enhanced Two-Factor Authentcaton and Key Agreement Usng Dynamc Identtes n Wreless Sensor Networks. Sensors, 2015, DOI: /s [26] L. Xehua, W. Yongun. Securty Enhanced Authentcaton and Key Agreement Protocol for LTE/SAE Network. Internatonal Conference on Wreless Communcatons, Networkng and Moble Computng (WCOM), 2011, Wuhan [27] H. Ln. Effcent moble dynamc ID authentcaton and key agreement scheme wthout trusted servers. Int. J. Commun. Syst. (2014), DOI: /dac.2818 [28] Cas J.F. Cremers.The Scyther Tool: Verfcaton, Falsfcaton, and Analyss of Securty Protocols. Chapter Computer Aded Verfcaton, Volume 5123, seres Lecture Notes n Computer Scence, pp , DOI: / _38