Ad Hoc & Sensor Wireless Networks, Vol. 0, pp. 1–11 Reprints available directly from the publisher Photocopying permitted by license only

2010 Old City Publishing, Inc. Published by license under the OCP Science imprint, a member of the Old City Publishing Group.

An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks

DAOJING HE (1), YI GAO (1), SAMMY CHAN (2), CHUN CHEN (1) AND JIAJUN BU (1)

(1) College of Computer Science, Zhejiang University, Zhejiang, China
(2) Department of Electronic Engineering, City University of Hong Kong, Hong Kong SAR, China

Received: July 31, 2009. Accepted: February 22, 2010.

Designing a user authentication protocol for wireless sensor networks is a difficult task because wireless networks are susceptible to attacks and sensor nodes have limited energy, processing and storage resources. Recently, several authentication schemes have been proposed. This short paper shows some security problems and design weaknesses in those schemes. Furthermore, an enhanced two-factor user authentication protocol is presented. The proposed scheme uses only a hash function, and a successful user authentication requires just three message exchanges. Security and performance analyses demonstrate that, compared to the well-known authentication schemes, our proposal is more secure and efficient.

Keywords: Authentication, sensor networks, hash function.

1 INTRODUCTION

Wireless sensor networks (WSNs) are large scale, usually slow moving or static. The nodes (motes) in such networks are designed to sense the environment and collect data. There is obviously a great need for accessing the real-time data inside WSNs, where both Gateway (GW) nodes and external parties (users) are able to access the real-time data directly from the sensor nodes. Thus, proper authentication of users must be ensured before allowing the users to access data.

Related works on authentication schemes in the WSN application layer include [1–4]. However, we find that this issue has not been addressed adequately in comparison with the network and link layer protocols [5–7] in WSNs. One of the reasons is that these schemes cannot resist the insider attack and the related impersonation attack. Here the insider attack is defined as any manager of the system purposely leaking secret information, leading to serious security weaknesses of an authentication protocol. For example, if a privileged insider of the GW-node, e.g., the administrator, has learned a user's password, he/she may try to impersonate the user to access other GW-nodes. Another reason is that these schemes do not possess certain desirable attributes that a practical authentication scheme should have. For example, the GW-node, as a registration and access center, should know the real identities of all users in the authentication phase. Another example is that every user should be allowed to update his/her password freely after being authenticated as a legitimate user.

Therefore, in this short paper, we propose a more secure and practical two-factor user authentication protocol. Two-factor authentication is a concept used to describe an authentication mechanism where more than one factor (e.g., password and smart card) is required to authenticate the communicating party. Since the two-factor authentication scheme in [4] has already addressed the weaknesses of [1–3], our approach is to use [4] as a basis and develop a new scheme that can resist the insider attack and the impersonation attack, in addition to the attacks that can be handled by [4]. As a result, the merits of [4] are preserved. For example, only low-cost functions such as one-way hash functions and exclusive-OR operations are used to achieve security. Also, a successful user authentication between user, GW-node, and sensor node requires just three message exchanges. These features are important for the resource-constrained sensor nodes.

The remainder of this short paper is organized as follows. In Section II, we first survey and analyze the related work, and discuss their security weaknesses. Section III describes the details of our proposed scheme, which is then analyzed in Section IV. Finally, Section V concludes the paper.

2 RELATED WORK

In the literature, some schemes in the WSN application layer have been proposed to enhance the security and practicability of authentication [1–3]. We observe that the scheme of [3] is vulnerable to the insider attack. More specifically, in the registration phase, a user's password is revealed to a privileged insider of the GW-node because it is transmitted directly to the GW-node. Very recently, it has been found that all of these schemes have security weaknesses, and a novel two-factor authentication scheme has been presented [4]. Compared with the earlier authentication schemes, the scheme of [4] has many advantages. For example, it uses only a hash function, and a successful user authentication requires just three message exchanges. Moreover, it enjoys important security attributes such as impersonation attack resilience, freedom from a password/verifier table, and guessing attack resilience. Overall, its realization is simple and reliable. Therefore, this protocol exhibits great application potential in WSNs.

However, we find that this scheme is still vulnerable to the insider attack and the derived impersonation attack. Besides, this scheme has the weakness that the GW-node is not able to reveal the identities of users in the authentication phase. In addition, the password updating function is not provided. Therefore, the scheme in [4] cannot be deployed in real-world applications without further development. In the following, a brief review and analysis of the scheme of [4] is given, which provides the background information for our proposed scheme.

2.1 Review of the Scheme in [4]

WSNs are deployed in a confined area, which could be divided into different zones. Authorized users can access WSNs using their mobile devices (e.g., notebook PC, PDA and smart phone). Before issuing any queries to or accessing data from sensor nodes, a user needs to register with the GW-node of the network. Upon successful registration, the user can submit queries to the WSN at any time within a predefined period. The operation of the scheme in [4] can be divided into two phases: the registration phase and the authentication phase.

2.1.1 Registration Phase

In this phase, a user, say $U_i$, submits its identity $ID_i$ and password $PW_i$ to the GW-node for registration in a secure manner. Upon receiving the registration request, the GW-node computes $N_i = h(ID_i \| PW_i) \oplus h(K)$. Here $K$ is a symmetric key known to the GW-node only, and $\|$ is the bit-wise concatenation operator. Then the GW-node personalizes a smart card with the parameters $h(\cdot)$, $ID_i$, $N_i$, $h(PW_i)$ and $x_a$, where $h(\cdot)$ is a cryptographically secure hash function.
Here, $x_a$ is a secret parameter generated securely by the GW-node and stored in some designated sensor nodes before deploying the nodes in the field, which are responsible for exchanging data with users. The GW-node now sends the personalized smart card to $U_i$ in a secure manner. Note that $x_a$ is not known to the user, as it is generated and stored in the user's smart card securely by the GW-node.

2.1.2 Authentication phase

This phase is invoked when $U_i$ wants to perform some queries to or access data from the network. The phase is further divided into login and verification phases.

Login Phase: $U_i$ inserts his/her smart card into a terminal, and enters $ID_i$ and $PW_i$. The smart card validates $ID_i$ and $PW_i$ against the ones stored in it. If the keyed $ID_i$ and $PW_i$ are correct, the smart card performs the following steps:

Step-L1) Compute $DID_i = h(ID_i \| PW_i) \oplus h(x_a \| T)$. Here $T$ is the current timestamp of $U_i$'s system while $DID_i$ is the dynamic login identity of $U_i$.

Step-L2) Compute $C_i = h(N_i \| x_a \| T)$. Then send $\langle DID_i, C_i, T \rangle$ to the GW-node.

Verification Phase: Upon receiving the login request $\langle DID_i, C_i, T \rangle$ at time $T^*$, the GW-node authenticates $U_i$ by the following steps:

Step-V1) Validate $T$. If $T^* - T \le \Delta T$ then the GW-node proceeds to the next step, else it aborts, where $\Delta T$ denotes the expected time interval for the transmission delay.

Step-V2) Compute $h(ID_i \| PW_i)^* = DID_i \oplus h(x_a \| T)$ and $C_i^* = h((h(ID_i \| PW_i)^* \oplus h(K)) \| x_a \| T)$.

Step-V3) If $C_i^* = C_i$, the GW-node accepts the login request; else it rejects it.

The next two steps (i.e., Step-V4 and Step-V5), in which the GW-node communicates with sensor nodes, are the same as those of our proposed scheme and will be described in Section III.B.

2.2 Security weaknesses

The scheme in [4] is simple and efficient. However, it has three weaknesses, as explained in the following.

Vulnerable to an insider attack

In general, there is more than one GW-node deployed in WSNs, such as in a multi-gateway clustered sensor network. This assumption is reasonable, because most future large-scale WSNs will follow a two-tier architecture [e.g., 8–10]. The lower tier comprises a number of resource-constrained sensor nodes, while the upper tier contains fewer, relatively resource-rich master nodes (i.e., GW-nodes). In the real world, it is likely that a user uses the same password to access several GW-nodes for his/her convenience. In the registration phase of the scheme [4], $U_i$'s password $PW_i$ will be revealed to the GW-node because it is transmitted directly to the GW-node. Then, the privileged insider of the GW-node can try to use it to impersonate $U_i$ to access other GW-nodes. Therefore the scheme in [4] cannot withstand the insider attack.
Although it is also possible that all the privileged insiders of the GW-node are trusted and $U_i$ does not use the same password to access several GW-nodes, the designers and the users of the scheme should be aware of such a potential weakness. Indeed the insider attack at a registering authority (e.g., GW-node, register center, server, mobile system) of authentication protocols is possible and has been investigated by many researchers [e.g., 11–16, 19]. For example, the authors in [13] give one exemplary insider attack as follows. In the registration phase, since a user registers to a server by submitting its password, its password will be revealed to the insider of the server. In addition, the authors in [15] give another exemplary insider attack. More specifically, in the registration phase, a user's password will be revealed to a privileged insider of the registration center because it is transmitted directly to the registration center. In their improved password authentication schemes, the user's password is not exposed to others, including the registration center and the servers.

Vulnerable to an impersonation attack

This attack is derived from the insider attack discussed above. A privileged insider of the GW-node can obtain a user $U_i$'s identity $ID_i$ and password $PW_i$, as the message $\langle ID_i, PW_i \rangle$ is transmitted directly to the GW-node. Obviously, the insider can impersonate the user to enter $\langle ID_i, PW_i \rangle$ to the stolen smart card and then access data from the network.

Design weakness

In fact, the GW-node, as a registration and access center, should know the real identities of all users in the authentication phase. There are many real needs for the GW-node to be aware of the real identities of all users. For example, in many cases, the GW-node needs to know the real identity of every user in order to detect, record and then remove the malicious users. However, we observe that, in [4], the GW-node cannot know the real identity of any user in the authentication phase. Although $h(ID_i \| PW_i)^*$ can be obtained by computing $h(ID_i \| PW_i)^* = DID_i \oplus h(x_a \| T)$, the GW-node cannot get the real identity of any user because no password/verifier table is kept.

3 OUR PROPOSED PROTOCOL

In this section, we propose an enhanced scheme based on [4], which keeps the merits of the original protocol and can withstand the security weaknesses described in the previous section. In addition, we observe that another drawback of the original scheme [4] is that a user cannot securely and freely change its password.
To remedy this design drawback, a password updating phase has been added. There are three phases in our enhanced scheme: the registration phase, the authentication phase and the password updating phase.

3.1 Registration phase

This phase is invoked whenever the user, say $U_i$, wants to register with the WSN. It selects an arbitrary number $b$ and computes $h(b \oplus PW_i)$. Here the length of $b$ is sufficiently large, e.g. 512 bits. That is, $b$ is a high-entropy random number. Here $h(\cdot)$ used throughout the proposed protocol is a collision-free one-way hash function such as SHA-1 [17]. Therefore, the bit length of the output of the hash function is 160. Then it submits its identity $ID_i$ and $h(b \oplus PW_i)$ to the GW-node for registration over a secure channel. Upon receiving the registration request, the GW-node computes $T_i = h(ID_i \| J)$, $V_i = T_i \oplus h(ID_i \| h(b \oplus PW_i))$, $H_i = h(T_i)$, $N_i = h(ID_i) \oplus h(K)$. Here $K$ and $J$ are two secret parameters, which are held only by the GW-node, and $\|$ is the bitwise concatenation operator. Then the GW-node personalizes a smart card with the parameters $V_i$, $H_i$, $h(\cdot)$, $N_i$ and $x_a$, where $h(\cdot)$ is a cryptographically secure hash function. Here, $x_a$ is a secret parameter generated securely by the GW-node and stored in some designated sensor nodes before deploying the nodes in the field, which are responsible for exchanging data with users. Note that the lengths of $b$, $K$, $J$ and $x_a$ are sufficiently large, e.g., 512 bits. That is, they are high-entropy random numbers. The GW-node now sends the personalized smart card to $U_i$ over a secure channel. Subsequently, $U_i$ enters $b$ into its smart card. Thus, $U_i$'s smart card contains $V_i$, $H_i$, $h(\cdot)$, $N_i$, $b$ and $x_a$. Note that $x_a$ is not known to the user, as it is generated and stored in the user's smart card securely by the GW-node.

3.2 Authentication phase

This phase is invoked when $U_i$ wants to perform some queries to or access data from the network. The phase is further divided into login and verification phases.

Login Phase

$U_i$ inserts its smart card into a terminal, and keys in $ID_i$ and $PW_i$. Then the smart card computes $T_i = V_i \oplus h(ID_i \| h(b \oplus PW_i))$ and $H_i^* = h(T_i)$. Subsequently, the smart card checks whether $H_i^*$ and $H_i$ are equal. If so, the legitimacy of the user is assured and the smart card proceeds to the next step. Otherwise, it rejects the login request.

Step-L1) Generate a nonce $M_i$ and compute $DID_i = ID_i \oplus h(x_a \| T \| M_i)$. Here $T$ is the current timestamp of $U_i$'s system.

Step-L2) Compute $C_i = h(N_i \| x_a \| T)$. Then send $\langle DID_i, C_i, T, M_i \rangle$ to the GW-node.

Verification Phase

Upon receiving the login request $\langle DID_i, C_i, T, M_i \rangle$ at time $T^*$, the GW-node authenticates $U_i$ by the following steps:

Step-V1) Validate $T$. If $T^* - T \le \Delta T$ then the GW-node proceeds to the next step, else it aborts, where $\Delta T$ denotes the expected time interval for the transmission delay.

Step-V2) Obtain the user's real identity $ID_i$ by computing $ID_i = DID_i \oplus h(x_a \| T \| M_i)$. Verify the format of $ID_i$. If the format is not valid, the GW-node terminates the connection. Otherwise, compute $C_i^* = h((h(ID_i) \oplus h(K)) \| x_a \| T)$.

Step-V3) If $C_i^* = C_i$, the GW-node accepts the login request; else it rejects it.

Step-V4) The GW-node now sends a message $\langle DID_i, A_i, T' \rangle$ to some nearest sensor node, say $S_n$, over an open channel to respond to the query/data that $U_i$ is looking for, where $A_i = h(DID_i \| S_n \| x_a \| T')$, and $T'$ is the current timestamp of the GW-node. Here, $A_i$ is used to assure the sensor node that the message $\langle DID_i, A_i, T' \rangle$ has come from the legitimate GW-node, because $A_i$ is generated with the secret parameter $x_a$, which is known to both the sensor and GW nodes.

Step-V5) $S_n$ first validates $T'$ as in Step-V1. Then $S_n$ computes $h(DID_i \| S_n \| x_a \| T')$ and checks whether it equals $A_i$. If these two checks pass, $S_n$ responds to $U_i$'s query.

3.3 Password updating phase

This phase is invoked whenever $U_i$ requests to change its password, and is described in the following:

(1) $U_i$ inserts its smart card into a terminal, and keys in $ID_i$ and $PW_i$. Then the smart card computes $T_i = V_i \oplus h(ID_i \| h(b \oplus PW_i))$ and $H_i^* = h(T_i)$. Subsequently, the smart card checks whether $H_i^*$ and $H_i$ are equal. If so, the legitimacy of the user is assured and the smart card proceeds to the next step. Otherwise, the smart card rejects the password updating request by displaying a "password updating failure" message to $U_i$.

(2) $U_i$ enters its new password $PW_{new}$. $U_i$ selects a random number $b_{new}$ and computes $h(b_{new} \oplus PW_{new})$. Then $U_i$ calculates $V_i^* = V_i \oplus h(ID_i \| h(b \oplus PW_i)) \oplus h(ID_i \| h(b_{new} \oplus PW_{new}))$ and replaces $V_i$ with $V_i^*$. Finally, $U_i$'s smart card contains $\{V_i^*, H_i, h(\cdot), N_i, b_{new}\}$.

4 SECURITY AND PERFORMANCE ANALYSES

In this section, the security and performance of the proposed protocol are analyzed.

4.1 Security Analysis

The proposed scheme is an enhancement of [4], which keeps the merits of the original scheme. For example, the proposed protocol is free from a password/verifier table. Thus, it can resist the stolen-verifier attack. It can also resist the guessing attack, since the user password is not transmitted simply as a hash of the password. In addition, the timestamp is used to prevent the replay attack.
For more information about these three kinds of attacks, the reader is referred to [4]. Furthermore, the proposed scheme can overcome the security weaknesses that the scheme of [4] suffers from. The advantages of the proposed scheme are explained as follows.

Proposition: Our proposed approach can withstand the insider attack and the impersonation attack.

Proof: In our proposed scheme, $U_i$ registers with the GW-node by presenting $h(b \oplus PW_i)$ instead of $PW_i$, so the insider of the GW-node cannot directly obtain $PW_i$. Moreover, as $b$ is a high-entropy random number and is not revealed to the GW-node, the insider of the GW-node cannot get $PW_i$ by performing an off-line guessing attack on $h(b \oplus PW_i)$. Besides, our proposal does not maintain any password/verifier table either. Thus, our scheme can resist the insider attack. Obviously, because the insider cannot get $PW_i$, the impersonation attack cannot be launched.

For the insider attack, some researchers have developed various defense approaches. For example, the authors of [18] suggest that in the registration phase, a user submits the hashed value of its password to the server instead of its password. However, with the hashed value of a user's password, a privileged insider of the server can correctly obtain the user's password by performing an off-line password guessing attack. In addition, the authors of [14] suggest that although a user submits his/her password to the remote system during the registration process, he/she can change his/her password by invoking the password change phase after registration. Obviously, once a privileged insider of the remote system has obtained a user's password, he/she can change the user's password by invoking the password change phase before the legitimate user does so. In this situation, their approach is not sufficient. According to the above analyses, our approach to handling the insider attack is more secure and efficient than that of [14, 18].

Proposition: Our scheme can obtain a user's real identity.

Proof: As described above, the GW-node obtains the user's real identity $ID_i$ by computing $ID_i = DID_i \oplus h(x_a \| T \| M_i)$.
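
The argument of the first proposition can be checked mechanically. The following Python sketch is an added example, not code from the paper: it compares what the registering GW-node receives under scheme [4], under the hashed-password approach of [18], and under the proposed scheme, and whether two registrations with the same password match. The function names, the zero-padding used for XOR, the fresh b per registration and the candidate list are assumptions.

```python
import hashlib
import secrets

def h(data):
    return hashlib.sha1(data).digest()      # the paper names SHA-1 for h(.)

def xor(a, b):
    """XOR with the shorter operand left-padded with zero bytes (assumption)."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.rjust(n, b"\0"), b.rjust(n, b"\0")))

def registration_view(design, pw):
    """Return (password-derived value the registrar receives, user-held b or None)."""
    if design == "scheme4":                 # [4]: PW_i itself is submitted
        return pw, None
    if design == "hashed":                  # [18]: h(PW_i) is submitted
        return h(pw), None
    if design == "proposed":                # this paper: h(b XOR PW_i), b stays with U_i
        b = secrets.token_bytes(64)         # fresh 512-bit b per registration (assumption)
        return h(xor(b, pw)), b
    raise ValueError(design)

def confirm_offline(seen, candidates, known_b=None):
    """Candidate that reproduces `seen` from values the checker holds, else None."""
    for guess in candidates:
        forms = {guess, h(guess)}
        if known_b is not None:             # only the card holder has b
            forms.add(h(xor(known_b, guess)))
        if seen in forms:
            return guess
    return None

def exposure_report(pw, candidates):
    """Per design: can the registrar confirm PW_i, and do two registrations match?"""
    report = {}
    for design in ("scheme4", "hashed", "proposed"):
        at_gw1, _ = registration_view(design, pw)
        at_gw2, _ = registration_view(design, pw)   # same password at a second GW-node
        report[design] = {"confirmed": confirm_offline(at_gw1, candidates),
                          "linkable": at_gw1 == at_gw2}
    return report

CANDIDATES = [b"123456", b"sensor2010", b"letmein"]   # constructed candidate list
```

Passing `known_b` shows that the check itself works: with b the same candidate list confirms the password, without b it does not.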
Note that it is assumed that extraction of parameters from the smart card and nodes is quite difficult. As described in [4], although it can happen through side channel attacks [16], some smart card manufacturers take the risk of these attacks into account and provide countermeasures to deter reverse engineering attempts. Thus, an adversary, including users, cannot get $\{x_a, h(\cdot)\}$ stored in the smart card and nodes.

4.2 Performance Analysis

In this section, we use the computation cost (the computation time of different cryptographic operations, denoted by $T$) and the communication cost (denoted by $C$) as the metrics to evaluate the performance of the proposed protocol. Some notations are further defined as follows:

$T_h$: the time of performing a one-way hash function $h(\cdot)$.
$T_{pu}$: the time of performing a public-key computation.
$T_{pr}$: the time of performing a private-key computation.
$C_{ug}$: the delay time for the communication between a user and the GW-node.
$C_{gs}$: the delay time for the communication between the GW-node and a sensor node.
$C_{su}$: the delay time for the communication between a sensor node and a user.

Note: The XOR operation requires very few computations, thus its computation cost is neglected here.

Table 1 shows the overall cost of the proposed scheme and the related work [1, 3, 4]. The total cost is the sum of computation and communication costs for the two main phases (i.e., the registration phase and the authentication phase). Note that in the proposed scheme and the related work [1, 3, 4], no sensor node participates in the registration phase, thus the cost on sensor nodes is zero.

Computation cost: The computation cost for user registration is a one-time job for a certain period of time. However, the computation cost for user authentication is of prime concern, as this is required whenever a user wants to log in to the WSN. As shown in Table 1, the computational cost of our protocol is well-suited to the resource-limited sensor node, as the sensor node requires only 1 hash operation, whereas the sensor node in [3] requires 3 hash operations. The computational cost of the scheme in [1] is high in comparison with ours and the schemes [3, 4], as the scheme in [1] requires RSA operations, which are computationally expensive. Compared with the scheme in [4], the number of hash operations for the GW-node and the user is each increased by just one in our scheme. As mentioned in [4], the GW-node and the user usually have enough computational resources. Therefore, our scheme is also practical for real-world applications in enhancing the security over wireless communications.

Communication cost: As in the scheme in [4], a successful user authentication in our protocol requires three message exchanges among user, GW-node and sensor node. However, the schemes in [1] and [3] require four and two exchanges, respectively.
Although the scheme in [1] requires fewer message exchanges, the message sizes of the schemes in [1] and [3] are larger than that of our protocol. Moreover, as mentioned above, the scheme in [1] is computationally expensive for the resource-poor environment. According to the above analyses, it is clear that our protocol is not only simple and efficient but also more secure.

| Scheme | Registration: User | Registration: GW-node | Authentication: User | Authentication: GW-node | Authentication: Sensor node |
|---|---|---|---|---|---|
| The scheme in [1] | $T_{pu} + T_{pr}$ | $T_{pr}$ | $2T_{pr} + T_h + C_{su}$ | | $2T_{pu} + T_h + C_{su}$ |
| The scheme in [3] | $C_{ug}$ | $3T_h + C_{ug} + C_{gs}$ | $C_{su}$ | $T_h + C_{gs}$ | $3T_h + C_{gs} + C_{su}$ |
| The scheme in [4] | $C_{ug}$ | $3T_h + C_{ug}$ | $4T_h + C_{ug}$ | $4T_h + C_{gs}$ | $T_h + C_{su}$ |
| Ours | $T_h + C_{ug}$ | $5T_h + C_{ug}$ | $5T_h + C_{ug}$ | $5T_h + C_{gs}$ | $T_h + C_{su}$ |

TABLE 1 Cost of the proposed protocol and the related work
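
An added example, not the authors' code: a Python walk-through of the registration, authentication and password updating phases of Section 3 that counts h(.) calls per party, so the counts can be compared with the "Ours" row of Table 1. The class and function names, the byte encodings, the identity format, the value of the delay bound and the zero-padding used for XOR are assumptions.

```python
import hashlib, hmac, re, secrets
from collections import Counter

HASH_CALLS = Counter()                  # h(.) invocations per party
DELTA_T = 5                             # assumed bound on transmission delay (s)
ID_FORMAT = re.compile(rb"user-\d{4}")  # assumed identity format for Step-V2

def h(party, *parts):
    """SHA-1 over the plain concatenation of parts (the paper's ||)."""
    HASH_CALLS[party] += 1
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a, b):
    """XOR; the shorter operand is left-padded with zero bytes (assumption)."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.rjust(n, b"\0"), b.rjust(n, b"\0")))

def ts(t):
    return t.to_bytes(8, "big")         # timestamp encoding (assumption)

class Gateway:
    def __init__(self):
        self.K, self.J, self.xa = (secrets.token_bytes(64) for _ in range(3))

    def register(self, ID, hbpw):       # Section 3.1, GW-node side
        Ti = h("gw", ID, self.J)
        Vi = xor(Ti, h("gw", ID, hbpw))
        Ni = xor(h("gw", ID), h("gw", self.K))
        return {"V": Vi, "H": h("gw", Ti), "N": Ni, "xa": self.xa}

    def verify(self, DID, C, T, M, now, Sn):
        if now - T > DELTA_T:           # Step-V1
            return None
        ID = xor(DID, h("gw", self.xa, ts(T), M)).lstrip(b"\0")   # Step-V2
        if not ID_FORMAT.fullmatch(ID):
            return None
        C_star = h("gw", xor(h("gw", ID), h("gw", self.K)), self.xa, ts(T))
        if not hmac.compare_digest(C_star, C):                    # Step-V3
            return None
        return ID, (DID, h("gw", DID, Sn, self.xa, ts(now)), now) # Step-V4

def register(gw, ID, PW):
    b = secrets.token_bytes(64)         # 512-bit b chosen by the user
    card = gw.register(ID, h("user", xor(b, PW)))  # GW-node sees neither PW nor b
    card["b"] = b
    return card

def card_check(card, ID, PW):
    """Recompute T_i from V_i, compare h(T_i) with H_i; return the mask or None."""
    mask = h("user", ID, h("user", xor(card["b"], PW)))
    ok = hmac.compare_digest(h("user", xor(card["V"], mask)), card["H"])
    return mask if ok else None

def login(card, ID, PW, T):
    if card_check(card, ID, PW) is None:
        return None
    M = secrets.token_bytes(16)                                   # nonce M_i
    DID = xor(ID, h("user", card["xa"], ts(T), M))                # Step-L1
    return DID, h("user", card["N"], card["xa"], ts(T)), T, M    # Step-L2

def sensor_accepts(xa, Sn, DID, A, T2, now):                      # Step-V5
    fresh = now - T2 <= DELTA_T
    return fresh and hmac.compare_digest(h("sensor", DID, Sn, xa, ts(T2)), A)

def change_password(card, ID, PW, new_PW):                        # Section 3.3
    old_mask = card_check(card, ID, PW)
    if old_mask is None:
        return False
    b_new = secrets.token_bytes(64)
    new_mask = h("user", ID, h("user", xor(b_new, new_PW)))
    card["V"], card["b"] = xor(xor(card["V"], old_mask), new_mask), b_new
    return True

def run_demo():
    """One registration and one login; returns hash counts per phase."""
    gw, Sn, ID, PW = Gateway(), b"sensor-17", b"user-0042", b"constructed-pw"
    HASH_CALLS.clear()
    card = register(gw, ID, PW)
    reg = dict(HASH_CALLS)
    HASH_CALLS.clear()
    who, to_sensor = gw.verify(*login(card, ID, PW, T=1000), now=1001, Sn=Sn)
    served = sensor_accepts(gw.xa, Sn, *to_sensor, now=1002)
    return who, served, reg, dict(HASH_CALLS)
```

`run_demo()` returns the recovered identity, the sensor node's decision, and the per-party hash counts for the registration and authentication phases.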

5 CONCLUSION

In this short paper, we have analyzed the security weaknesses in a two-factor user authentication protocol for wireless sensor networks. The analysis has shown that the security issues in that scheme can be solved in a very simple way, which is our proposal in this short paper.

ACKNOWLEDGEMENTS

This work was supported by National Basic Research Program of China (973 Program) under grant No. 2006CB303000 and a grant from the Research Grants Council of the Hong Kong SAR, China [Project No. CityU 111208].

REFERENCES

[1] Watro R., Kong D., Cuti S., Gardiner C., Lynn C., and Kruus P. (2004). TinyPK: securing sensor networks with public key technology. In Proc. ACM Workshop Security of Ad Hoc Sensor Networks, pp. 59–64.
[2] Benenson Z., Gartner F., and Kesdogan D. (2004). User authentication in sensor networks. In Proc. Workshop Sensor Networks, Lecture Notes Informatics Proceedings Informatik.
[3] Wong K., Zheng Y., Cao J., and Wang S. (2006). A dynamic user authentication scheme for wireless sensor networks. In Proc. IEEE International Conf. Sensor Networks, Ubiquitous, Trustworthy Computing, pp. 244–251.
[4] Das M. (2009). Two-factor user authentication in wireless sensor networks. IEEE Transactions on Wireless Communications, vol. 8, no. 3, pp. 1086–1090.
[5] Perrig A., Szewczyk R., Wen V., Culler D., and Tygar J. (2002). SPINS: security protocols for sensor networks. Wireless Networks, vol. 8, no. 5, pp. 521–534.
[6] Sastry N., and Wagner D. (2004). Security considerations for IEEE 802.15.4 networks. In Proc. ACM Workshop Wireless Security, pp. 32–42.
[7] Karlof C., Sastry N., and Wagner D. (2004). TinySec: a link layer security architecture for wireless sensor networks. In Proc. International Conf. Embedded Networked Sensor Syst., pp. 162–175.
[8] Shi J., Zhang R., and Zhang Y. (2009). Secure range queries in tiered sensor networks. In IEEE INFOCOM'2009.
[9] Gnawali O., Jang K., Paek J., Vieira M., Govindan R., Greenstein B., Joki A., Estrin D., and Kohler E. (2006). The tenet architecture for tiered sensor networks. In ACM SenSys'06, pp. 153–166.
[10] Zhang R., Shi J., and Zhang Y. (2009). Secure multidimensional range queries in sensor networks. In Proc. of the ACM International Symposium on Mobile Ad Hoc Networking and Computing (MobiHoc'2009).
[11] Liao Y., and Wang S. (2009). A secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, vol. 31, no. 1, pp. 24–29.
[12] Ku W., Chen S. (2005). Cryptanalysis of a flexible remote user authentication scheme using smart cards. ACM Operating Systems Review, vol. 39, no. 1, pp. 90–96.
[13] Ku W., Chen S. (2004). Weaknesses and improvements of an efficient password based remote user authentication scheme using smart cards. IEEE Transactions on Consumer Electronics, vol. 50, no. 1, pp. 204–207.
[14] Das M., Saxena A., Gulati V., Phatak D. (2006). A novel remote user authentication scheme using bilinear pairings. Computers & Security, vol. 25, no. 3, pp. 184–189.
[15] Hsiang H., and Shih W. (2009). Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Computer Standards & Interfaces, doi:10.1016/j.csi.2008.11.002.
[16] Messerges T., Dabbish E., and Sloan R. (2002). Examining smart-card security under the threat of power analysis attacks. IEEE Transactions on Computer, vol. 51, no. 5, pp. 541–552.
[17] National Institute of Standards and Technology, U.S. Department of Commerce. (2002). Secure Hash Standard. U.S. Federal Information Processing Standard Publication 180–2.
[18] Lee C., Hwang M., and Yang W. (2002). A flexible remote user authentication scheme using smart cards. ACM Operating Systems Review, vol. 36, no. 3, pp. 46–52.
[19] He D., Ma M., Zhang Y., Chen C., and Bu J. (2010). A strong user authentication scheme with smart cards for wireless communications. Computer Communications. doi:10.1016/j.comcom.2010.02.031.
