Wireless Personal Communications

Download PDF
2 downloads 0 Views 2MB Size Report
Comment
Wireless Personal Communications ... and Computer Science. Corresponding Author's Secondary. Institution: ... due to the use of asymmetric encryption [2,3].
Wireless Personal Communications Notes on "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks" --Manuscript Draft-Manuscript Number:

WIRE-D-13-00374R1

Full Title:

Notes on "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks"

Article Type:

Manuscript

Keywords:

Wireless Sensor Network; mutual authentication; temporal credential; key agreement; smart card

Corresponding Author:

Muhamed Turkanović, BSc University of Maribor, Faculty of Electrical Engineering and Computer Science Maribor, Maribor SLOVENIA

Corresponding Author Secondary Information: Corresponding Author's Institution:

University of Maribor, Faculty of Electrical Engineering and Computer Science

Corresponding Author's Secondary Institution: First Author:

Muhamed Turkanović, BSc

First Author Secondary Information: Order of Authors:

Muhamed Turkanović, BSc Marko Hölbl, PhD

Order of Authors Secondary Information: Abstract:

Xue et al. recently proposed an innovative mutual authentication and key agreement scheme for wireless sensor networks based on temporal credential using smart cards. However, in this paper we demonstrate that their scheme is vulnerable to password guessing attacks, node capture attacks and denial-of-service attacks. Furthermore we show that their scheme has some inconsistencies which make it less secure and more computationally costly than originally presented.

Powered by Editorial Manager® and ProduXion Manager® from Aries Systems Corporation

*Manuscript Click here to download Manuscript: WIRE-D-13-00374-R1 .docx Click here to view linked References

Notes on “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks” Muhamed Turkanović*, Marko Hölbl University of Maribor, Faculty of Electrical Engineering and Computer Science, Maribor, Slovenia

Abstract Xue et al. recently proposed an innovative mutual authentication and key agreement scheme for wireless sensor networks based on temporal credential using smart cards. However, in this paper we demonstrate that their scheme is vulnerable to password guessing attacks, node capture attacks and denial-of-service attacks. Furthermore we show that their scheme has some inconsistencies which make it less secure and more computationally costly than originally presented. Keywords: wireless sensor network, mutual authentication, temporal credential, key agreement, smart card

1. Introduction User authentication is essential for the security of a Wireless Sensor Network (WSN). Since the network can be deployed in a hostile environment and data in the network can be crucially important, the user needs to be authenticated before being allowed to access the data. A user can access data from a gateway-node ( ) or directly from a specific sensor node ( ), whereby mutual authentication is very important in order to avoid spoofing and masquerading attacks. Recently Xue et al. [1] presented a new key agreement scheme with mutual authentication for WSN based on temporal credential. Their scheme is innovative in a way that it offers relatively high security level and uses only hash and XOR computations, thus has low computational cost. In comparison, other similar schemes offer nearly the same security level, but have higher computational cost due to the use of asymmetric encryption [2,3]. Other similar schemes like Xue et al.’s use only hash and XOR computation and thus have lower computation cost, but offer lower security level than Xue et al.’s scheme [4-6]. Xue et al.’s scheme provides security features likes mutual authentication, password and identity protection, key agreement and resilience to stolen smart card attack, gateway node bypassing attack, replay attack, insider and masquerade attack. Unfortunately, as we will show shortly, we found that Xue et al.’s scheme suffers from offline password guessing attacks, node capture attacks and denial-of-service attacks and has some inconsistencies, making the scheme more computationally costly and with lower security level as originally presumed. In this paper we aim to identify the vulnerabilities and inconsistencies of Xue et al.’s scheme. The rest of the paper is organized as follows. Section 2 reviews Xue et al.’s scheme. Section 3 and 4 describe the vulnerabilities and inconsistencies of their scheme. Finally we conclude the paper in Section 5. 2. Review of Xue et al.’s scheme In this section, for the purpose of better understanding, we briefly review Xue et al.’s scheme. A detailed overview of the scheme is depicted in Figure 1. The notations used in the scheme are summarized in Table 1. Xue et al.’s scheme consists of three phases; the registration phase, the login phase, and the authentication and key agreement phase. The registration phase is divided into usergateway node ( ) registration phase and sensor node-gateway node ( ) registration phase. Table 1 Important notations used in Xue et al.’s scheme. Private parameter known only to Protected pseudonym of Key sharing randomly chosen by

and

Temporal credential issued by

to

and

Expiration time of user’s temporal credential Shared session key between

and

Timestamps Concatenation operations Hash operation XOR operations

*

Corresponding author. Tel: +386-40-303-874. Email addresses: [email protected] (M. Turkanović), [email protected] (M. Hölbl).

Fig. 1. Xue et al.'s scheme.

2.1. User - Gateway node part of the registration phase Prior to the registration phase it is assumed that the shares identities and hashed passwords with every user . This is done by a system administrator, who stores the mentioned values into the memory of the which acts like a base station for the network. The purpose of the registration phase for the user is to get a personalized smart card which can later be used to authenticate and access the data from the network. For the user to get a personalized smart card and thus accomplish the registration phase, following steps are needed. First of all, the user uses his/her current timestamp and password to compute . After having the computed , the user sends it in an open and public network to the alongside with its identity and the previously used timestamp . If an eavesdropper would intercept this message between the user and the gateway, he would know the identity of the user , but not his/her password , since it is hidden inside the pre-computed by a hash function, thus meaning that it is computationally infeasible to extract the from . However, later in the security analysis we will show that an attack at this point is possible if the adversary is highly skilled. After receiving , the firstly checks for a possible replay attack by using the timestamp and checks whether , whereby is ’s current timestamp, and is an allowed time interval for a transmission delay (e.g. 5min). If verification does not hold, the stops with the registration phase and sends a reject message to the user , thus preventing a replay attack. In contrary if the verification holds, the proceeds with its part of the registration phase by finding its copy of ’s hashed password with the help of ’s identity , which was sent previously. As aforementioned, the is pre-configured with and of every user . After having found its copy of ’s hashed password, the than uses it alongside with the received timestamp in order to compute its own version of the . At this point, the checks if the received and the computed are equal . If not, the user used an incorrect or and is marked as invalid, hence the stops the registration process and sends a reject message to the . If in contrary, the verification holds, the user is verified as a legitimate one and the proceeds with the registration phase. Using user’s identity and , the computes , whereby is the expiration time of the temporal credential. Furthermore, the computes the temporal credential , using , the previously computed and , which is a private and secure parameter known only to the . After having the , the now computes the protected version of it ⨁ , by XOR-ing it with ’s hashed password. Finally, having computed all the necessary values, the can complete the registration phase by personalizing ’s smart card with the following parameters ( ) . The user can now use the in order to securely login and authenticate with the network. 2.2. Sensor node - Gateway node part of the registration phase Prior to the registration phase it is assumed that the shares identities and hashed passwords with every sensor node . Moreover it is assumed that each sensor node is pre-configured with its and a random password . The purpose of the registration phase for the sensor node is to gain the temporal credential and store it into its memory. The is later on used in the authentication phase to verify the user and the . For a sensor node to accomplish the registration phase, following steps are needed. Similar to the registration process of the user , the sensor node starts the registration process by computing , whereby is the current timestamp of the and is its hashed password. Having computed the first parameter , the sensor node sends a message containing to the over an open and public network. After receiving the initial registration message from the , in order to avoid a replay attack, the firstly checks whether . is the ’s current timestamp, is the received timestamp from the , and is the allowed time interval for a transmission delay. After having checked for a replay attack, the uses the received identity of the to search for its copy of ’s hashed password . Having found the hashed password ( ) for the appropriate sensor node , the uses it in order to compute its own version of . It then uses the received and the previously computed and checks whether in order to verify the legitimacy of the sensor node . If the verification does not hold, the stops the registration process and sends a reject message to the , hence the has sent invalid credentials. If in contrary the verification holds, the acknowledges that the sensor node is a legitimate one and proceeds with the registration process. Using the identity of the sensor node , the further computes the temporal credential ( ), whereby is a private parameter known only to the . Since the temporal credential has to be sent to the sensor node for the purpose of later verification processes in the authentication phase, it cannot be insecurely sent over an open and public network. In order to avoid a possible eavesdropper the computes a masked version of the temporal credential ⨁ , using the current timestamp , ’s hashed password and the temporal credential . After computing , the then sends it alongside with the current timestamp to the sensor node over an open and public network. Having received the parameters and from the , the sensor node firstly checks whether , to avoid a replay attack. If the verification does not hold, sensor node stops the registration process and sends a reject message to the , thus avoids a possible replay

attack. If in contrary the verification holds, the can continue with the finalization of the registration process. To finalize the registration phase, the sensor node needs to save the temporal credential into its memory. In order to do it, the firstly needs to extract and compute it from the received parameter . Using its hashed password , and the received parameter and , the sensor node computes ⨁ . Finally, after having computed the temporal credential , the sensor node stores it into its memory and thus finalizes the registration phase. 2.3. Login and authentication phase The aim of the authentication and key agreement phase is to enable a separate generation of a shared private session key between the user and sensor node , which can then be used to safely encrypt the communication between them. Moreover the aim is to accomplish mutual authentication between all parties (i.e. ), which is necessary to avoid spoofing and masquerading attacks. To initialize the login and authentication phase, the user must first login. In order to do so, the inserts his smart card into a terminal or card reader and inputs his identity and password . The terminal then validates the credentials by comparing them with those stored inside the smart card ( ) . If correct, the smart card then begins with the preparation for the authentication phase. In order to do so, the smart card firstly computes the temporal credential by using the parameters stored in the memory. It then computes additional parameters which will later be used by the and the to mutually authenticate and complete the key agreement. The SC uses the previously computed , user’s identity and the current timestamp in order to compute the first parameter . The parameter is used to mask the identity of the user . The second parameter is computed for the purpose of authenticating the user . Lastly, the smart card chooses a random key , which will be used as part of shared session key between the user and sensor node . Before the smart card, i.e. the user can send the key to the over the public and unsecure network it has to protect it. In order to do so, the smart card computes the third parameter ⨁ , by using the key , the temporal credential , the current timestamp and a binary number “000”. The binary number “000” is used in order to distinguish from the parameter with the from the parameter . After having computed all necessary parameter the smart card sends a authentication message to the with the following parameters . After receiving the authentication message from the user’s smart card, in order to avoid a replay attack, the firstly checks whether , using its own timestamp and the received timestamp from the message . If the verification does not hold, the aborts the authentication phase and sends a reject message to the user . If in contrary the verification does hold, the proceeds with the authentication process and begins with computing the identity of the user since it was not sent in the authentication message. In order to do so, the computes its own version of user’s identity ⨁ depending on the parameters previously received , , , and those stored in its own memory . Having computed the identity of the user, the then uses it alongside with the received parameter in order to compute its own version of . Furthermore, after having computed the parameter , the computes its own version of the by using its own secret parameter and again the received . Finally, after having its own version of , the can now compute its own version of which is then used to authenticate and proof the validity of user . In order to compute ⨁ , the uses the previously computed and alongside with the received . At this point the can authenticate the user by checking whether and , whereby and are the received parameters, and and are the computed ones. If the verification holds, the user is successfully authenticated and marked as valid, whereby in contrary the user is not validated and the authentication process stops and the sends a reject message to the user . Having validated the user , the has now to prepare for the secret shared key agreement between the user and the sensor node of its network. Moreover, in order to avoid any masquerading attacks, the has to mutually authenticate with the sensor node before continuing with the authentication and key agreement phase. To enable the key agreement phase, the has to send user’s key to a sensor node. Since the key was not sent to it, the has to compute it by using the received parameter , which was computed by the user in order to protect the from an eavesdropper. Using the previously computed , the received timestamp and already mentioned , the computes ⨁ . Having successfully computed ’s key , the now chooses a sensor node from its network and its identity . After choosing the appropriate sensor node , the has to compute the temporal credential of , which was already saved in the memory of the during the registration phase. The computation of the is necessary since it a mutual secret information between the and the and it will be used as a masking key. After having computed , the computes , using the received masked identity and the previously computed identity of the user , and the current timestamp . Furthermore, the computes , using the new timestamp , and the previously computed parameters and . The parameters and will later be used by the sensor node to authenticate the . Having previously computed user’s key in order to send it the , the has to mask it prior to sending it to the over the public and unsecure network. In order to achieve that, the computes ⨁ , using the key , the and . At this point, the

sends an authentication message containing following parameters to the previously chosen sensor node . It is now the job of the sensor node to authenticate the and the user , and continue with the key agreement phase. After receiving the authentication message from the , in order to avoid a replay attack the firstly checks whether , by using its own current timestamp and the received one . If the verification does not hold, the stops the authentication process and sends a reject message to the . If in contrary the verification holds, the starts with the authentication process by computing its own version of user’s identity ⨁ , by using its own version of , and the received parameters , and . Having computed ’s identity , the sensor node can now compute ( ), by using its own version of and the received timestamp . At this point, the can authenticate the and the user by checking whether , whereby is the received version and the previously computed version of the parameter. If the verification does not hold, the stops with the authentication process and sends a reject message to the . If in contrary the verification holds, the has successfully validated the and the . After successfully authenticating both parties, the can continue with the key agreement phase. In order to do so, the has firstly to compute user’s secret key ⨁ , by using the received masked key , the timestamp and its own version of . By successfully computing , the sensor node is now in possession of ’s secret key , without actually receiving it directly at any point of the authentication phase. After having ’s secret key , which is one part of the secret session key, the randomly chooses its own secret key which will later present the second part of the secret session key. In order to finish the authentication and key agreement phase, the has to send its own secret key to the and again authenticate with both and to avoid any masquerading attacks. For this purpose, the firstly computes , using its secret key , its current timestamp , and the previously computed or received parameters . Furthermore, the computes ⨁ , using its own secret key , the previously computed user’s key and the new timestamp . The parameter is used in order to protect and mask the secret key , and for enabling both the and the to authenticate . Having computed and , the sends a message to the and the containing following parameters . After sending the message, the finished with its role in the authentication and key agreement phase and thus finally computes the secret session key ⨁ , which is a combination of its own secret key and the one from the user . After receiving the message from the , both and in order to avoid a replay attack firstly check whether . If the verification does not hold, they stop the authentication process and send a reject message to the . If in contrary the verification holds, both compute ’s secret key ⨁ , using the received parameters and , and the ’s secret key . Having successfully computed , they can use it to compute and check whether . If the verification holds, both and have validated , whereby the can use the previously computed secret key and separately compute the secret session key ⨁ . By successfully computing the secret session key , the authentication and key agreement phase is finished. The secret session key can now be used for encrypting the communication between the user and a specific sensor node from the WSN.

3. Security Analysis and comments of Xue et al.’s scheme In this section we highlight the vulnerabilities of Xue et al.’s scheme. The possible attacks are described as follows. 3.1. Offline password guessing attack In this chapter we will demonstrate that although Xue et al.’s scheme is secure against smart card breach attack, insider attack and sends masked passwords over public network, a successful offline password guessing attack could be launched by using these attack methods. In a password guessing attack an adversary tries to impersonate a user by iteratively guessing his password or some other login credential. In an online version of the password guessing attack, an adversary tries to guess a password by logging to a server. This version of the attack is less powerful than the offline version since the adversary is limited by maximum allowed login attempts, whereby no such limitations exist in the offline version. In the offline version an adversary gets in the possession of some passwordrelated data of a user (e.g. hashed password) and thus iteratively tries to guess a password and verify its hashed version with the intercepted one [7,8]. In this version of the password guessing attack, the adversary is only limited with the processing power of its own machine, meaning there exists no other lock to stop him/her from trying to guess the password, since the attack is done locally on the adversary’s machine. Because hardware is getting ever more powerful according to Moore’s Law, the adversaries can use such enhanced power for more guessing attempts per second. There are two offline password guessing attack methods, i.e. brute force attack and dictionary attack [9,10]. According to [11] an adversary can guess passwords at the rate of 1 billion guesses per second, or more precisely he/she can guess a five-character password in only 10 seconds. The guessing time grows exponentially in a relation to a password with more than five characters. Using such methods, adversaries can usually break any password with seven or less

characters in a feasible and acceptable time [11]. For passwords with more characters, the dictionary attack comes in place, since it uses a huge library of words to compare them with the secret hashed password. According to [12], studies showed that 20-50% of passwords were broken using such attacks with dictionary sizes of 2 20-230. The adversary could get in the possession of the password related message using numerous methods, e.g. by intercepting an encrypted login request message sent over insecure public network, by stealing user’s smart card and disclosing the data from it (i.e. smart card breach attack), by being a privileged server user with access to the password table (i.e. insider attack), etc. Although Xue et al.’s scheme is secure against smart card breach attack, insider attack and sends masked passwords over public network, we can demonstrate that an adversary can use some aforementioned methods to successfully run an offline password guessing attack. In the userpart of registration phase, the user in order to accomplish the registration, firstly computes , using his current timestamp and his hashed password . He then sends a registration message to the over an insecure channel (e.g. public network). The message contains the following parameters . Let us assume an adversary intercepts the user’s registration message (Fig. 1). Since the message contains both the timestamp and the pre-computed parameter , the adversary can derive an perform an offline password guessing attack. He can check the guessed password by comparing . If the verification holds, he guessed the correct password . Having the valid password, the adversary needs only the smart card to successfully impersonate a valid user . Also in the registration phase of Xue et al.’s scheme, the personalizes a smart card for a user containing following parameters ( ) . Let us assume an adversary can get in possession of a smart card and knows a way to breach it e.g. using power analysis attack [13,14]. He is afterwards able to read the secret parameters from the smart card. Since the adversary can extract the double-hashed password ( ), he can use it to perform an offline password guessing attack to reveal the valid password, thus enabling him to successfully impersonate a valid user . Moreover in Xue et al.’s scheme the gate-way node stores identity and hashed password for every registered user . Let us assume some privileged but malicious network user has full access to the . The adversary can than target a specific user , already knowing his identity , to find his hashed password and construct an offline password guessing attack to reveal the real user’s password. After having the user’s password, the attacker can try to impersonate the user .

Figure 1: Illustration of the Offline Password Guessing Attack.

3.2. Node capture attack A node capture attack is a WSN-specific physical type of an attack. This is an attack where an adversary captures a legitimate node from the network and extracts some private information from it, and uses it to target the entire network. The adversary could also use the captured node to run a sybil attack [15], node replication attack [16], DoS attack [17], etc. Since node capture attack can lead to numerous other types of attack, whereby causing serious problems to the WSN, the attack is also classified as hazardous [18] and should not be neglected. In Xue et al.'s scheme a resilience against node capture attack was not found, since an adversary could capture a node and no mechanism exists to detect it. The adversary cannot gain any specific security and private information from the captured node to use it against the user or the GWN, but since no mechanism for detection exists, the adversary could use the capture node to impersonate a valid sensor node and sent malicious and false data to the user, thereby cause damage. The adversary could also use this captured node for other aforementioned types of attacks (e.g. Sybil, replication, DoS) (Fig. 2).

Figure 2 : Illustration of the Node Capture Attack.

A detailed description of a node capture attack in Xue et al.'s scheme is as follows. Before deployment each sensor node is preconfigured with an identity and a hashed password . During the part of the registration phase, the sensor node computes its temporal credential and stores it in its memory. Let us assume an attacker captures a sensor node . When a user wants to access the data from the network and starts the authentication process, the sends an authentication message { } to the captured sensor node . The captured sensor node then computes and and sends an authentication message { } to and user . Both, unaware about the theft, can compute and verify that , thus allowing the user to read possible malicious data from a captured node. Xue et al.’s scheme does not provide any solution resp. countermeasure for such a possible event, thus making the scheme vulnerable to node capture attack. 3.3. Denial-of-service (DoS) attack Although WSN has energy limitations and thus require lightweight protocols, security should not be neglected. A lot of research [19,17,20,21] was done that shows the potential threats of the DoS attack in WSNs, thus adding the resilience against these attacks to the basic requirements of the network. A DoS attack can be launched on different layers (e.g., physical, link, network) with different types of attacks (e.g. jamming, collision, exhaustion, black holes, etc.). The main requirement for a DoS attack to be considered successful is that the network's capacity to perform its expected function is being disturbed. Since nodes in a WSN are energy constrained, a powerful DoS attack could be deadly for the whole network. Considering that some WSN are used for monitoring the health of humans or to detect chemical attacks, a real-life damage should be considered. In Xue et al.'s scheme, no security mechanism was presented to mitigate DoS attacks. Moreover, the authors have not discussed any security mechanism or specific method to mitigate this type of attack. As an example, an adversary could launch a DoS attack by targeting the gate-way node and thus successfully saturate it with requests (jamming), so that any other legitimate request would end up non-responded (Fig. 3). The attack could be initiated by firstly capturing a node as aforementioned in the previous section.

Figure 3 : Illustration of the DoS attack in WSN.

4. Discussion of inconsistencies of Xue et al.’s scheme In this section we highlight some inconsistencies of Xue et al.’s scheme. The following comments show that the scheme in this form is infeasible for implementation and thus is more computationally costly as originally presented. Since the imperfections are easily avoided, as we will show below, we conclude that these are mainly inconsistencies which are consequently connected and easily overlooked. The descriptions of the inconsistencies are as follow: (i) At the beginning of the authentication phase the user randomly selects . Using the current timestamp and the parameters stored in the smart card ( ), the user further computes , ⨁ and ⨁ The user then sends to the . Since and are parameters that are pre-computed by the user, is the current timestamp and is a parameter stored in the smart card, the only parameter which is unknown to the user is . A clear illustration of the inconsistency is in Table 2. Not only that is unknown to the user, it is also sent along with others to the . We can determine that this is an imperfection in Xue et al.’s scheme. is according to Xue et al. a protected pseudonym of a user. The computation of was done in the registration phase by and used to compute the temporal credential . Moreover was never saved into user's smart card, hence only which was computed with the help of and thus . Since the computation of consists of hashing the concatenation of and , which are parameters both known to the user, we conclude that this is more an inconsistency of Xue et al.’s scheme. Considering that is needed for further computation the user would need to compute it before sending the authentication message to the , thereby adding one additional hash computation to the scheme.

Table 2 Illustration of the inconsistency (i) in the Login and Authentication phase of Xue et al.’s scheme. Steps User Action Data Knows 0 ( )

Comments These are the parameters stored in the smart card of the user and already known before the login and authentication phase begins.

1

Computation

Computed using known parameters.

2

Computation

is the current timestamp. known parameters.

3

Computation

Computed using known parameters.

4

Computation

5

Computation

6

Sending

-

computed using

Choosing random key. ⨁

Computed using known parameters. Authentication message with unknown parameter .

(ii) Further in the authentication phase, the user sends the login message to the . The uses its private security parameter and the parameters and from the login message to compute user’s identity ⨁ . Moreover the computes its own version of using the previously computed user’s identity. Using , the further computes its own version of user’s temporal credential . After having and , the can then compute ⨁ and compare it with the from the user’s login message, along with the comparison of . The verification is done to confirm that user is a legitimate user. The inconsistencies in the process are described as follow. If verifies to confirm user’s legitimacy, then the verification is unnecessary. If removed, it would spare one hash computation , hence the sent version of the parameter would be used instead. Moreover the verification is unnecessary since is computed using the newly computed user’s identity ⨁ , which in contrary is computed with the help of the sent parameter . Furthermore, additional improvement could be achieved if instead of parameter , the temporal credential would be sent by the user. After the receives the login message from the user, it firstly computes user’s identity ⨁ , whereby the hash computation is actually , thus ⨁ equals ⨁ . If instead of parameter , would be sent by the user, the computation of user’s identity would be

⨁ , thus one hash computation less. Considering that would not need to compute and computations less.

would already be sent in the login message, the , thus this results in two hash

(iii) Xue et al. claim their scheme, in the authentication and key agreement phase, has a computational cost of 22 hash operations, seven hash operations done by the user, ten by the and five by the sensor node. An overview of the scheme in detail showed that the scheme needs 26 hash operations, seven of which are performed by the user, thirteen by the , and six by the sensor node. An overview of the hash computations is depicted in Table 3. Table 3 Hash computations of Xue et al.’s scheme. User

Nr.

GWN

⨁ ⨁

Nr.



1 2

1

1

1



1



Nr.



1

(

) ⨁

1

1

1

1 1

2



1

Sensor Node

2

1



1



1

TOTAL

6

1 1



1



1 1

TOTAL

7

TOTAL

26

TOTAL

13

(iv) Xue et al.'s scheme is based on the temporal credential , whereby the gate-way node computes and issues it to the user in a smart card at the registration phase and uses it later in the authentication phase. In the registration phase, the computes and by using the expiration time of the temporal credential, which is set by the . The further computes ⨁ and stores the parameters onto the user's smart card. The expiration time of the temporal credential is further used in the authentication and user validation process, but the scheme never checks if the expiration time has passed, thus making the temporal credential a non-temporal variable. In the paper’s section on password updating, the authors state that determines 's updating time and that password changing causes the re-issuing of the temporal credential. Since no expiration time validation is found, we can observe that this is an imperfection of Xue et al.'s scheme. 5.

Performance comparison

This section presents a performance cost comparison between Xue et al.’s original scheme and the one which would implement the suggestions we presented earlier. In Table 4 we present the performance comparison in an organized manner.

Table 4 Performance cost comparison. Cost of the login + authentication phase

Cost of the login + authentication phase

Cost of the login + authentication phase

User

GWN

Sensor node

Original Xue et al.’s scheme

8

13

6

Proposed improvements

8

10

6

Authentication scheme

- computation cost of a hash operation

The comparison is based on the suggestions we presented in Section 4 (ii). If instead of parameter , would be sent by the user during the login message, the computation of user’s identity on the ’s side would be ⨁ instead of ⨁ , thus one hash computation less. Considering that parameter would already be sent in the login message, the would not need to compute and , thus this results in two more hash computations less, as it is evident from the comparison table.

6.

Conclusion

In this paper we have demonstrated that Xue et al.’s temporal-credential based mutual authentication and key agreement scheme has security flaws and inconsistencies. We presented an offline password guessing attack, node capture attack and denial-of-service attack on the scheme and highlighted that the scheme in its current form contains imperfections which make it more computationally costly than presented.

Acknowledgments The authors are grateful to all referees for important and helpful remarks, advice and suggestions concerning the content of the paper.

References 1. Xue, K., Ma, C., Hong, P., & Ding, R. (2012). A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. Journal of Network and Computer Applications, 36(1), 316–323, doi:10.1016/j.jnca.2012.05.010. 2. Yeh, H.-L., Chen, T.-H., Liu, P.-C., Kim, T.-H., & Wei, H.-W. (2011). A Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography. Sensors, 11(5), 4767-4779. 3. Das, A., Kumar, Sharma, P., Chatterjee, S., & Sing, J., Kanta (2012). A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Journal of Network and Computer Applications, 35(5), 1646–1656, doi:10.1016/j.jnca.2012.03.011. 4. Khan, M. K., & Alghathbar, K. (2010). Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’. Sensors, 10(3), 2450-2459. 5. Das, M. L. (2009). Two-factor user authentication in wireless sensor networks. Wireless Communications, IEEE Transactions on, 8(3), 1086-1090, doi:10.1109/twc.2008.080128. 6. Chen, T.-H., & Shih, W.-K. (2010). A Robust Mutual Authentication Protocol for Wireless Sensor Networks (Vol. 32, Vol. 5). Taejon, COREE, REPUBLIQUE DE: Electronics and Telecommunications Research Institute. 7. Xiang, T., Wong, K. W., & Liao, X. F. (2008). Cryptanalysis of a password authentication scheme over insecure networks. Journal of Computer and System Sciences, 74(5), 657-661, doi:DOI 10.1016/j.jcss.2007.05.001. 8. He, D., Wu, S., & Chen, J. (2012). Note on ‘Design of improved password authentication and update scheme based on elliptic curve cryptography’. Mathematical and Computer Modelling, 55(3–4), 1661-1664, doi:http://dx.doi.org/10.1016/j.mcm.2011.10.079. 9. Knudsen, L., & Robshaw, M. B. (2011). Brute Force Attacks. In The Block Cipher Companion (pp. 95-108, Information Security and Cryptography): Springer Berlin Heidelberg. 10. Adams, C. (2011). Dictionary Attack. In H. A. van Tilborg, & S. Jajodia (Eds.), Encyclopedia of Cryptography and Security (pp. 332-332): Springer US. 11. Graham, R. (2009). How Hackers Will Crack Your Password. http://www.darkreading.com/hacked-off/how-hackers-will-crackyour-password/227700892. Accessed 2013-09-11 2013. 12. Bonneau, J. (2012). The science of guessing: analyzing an anonymized corpus of 70 million passwords. Paper presented at the 2012 IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 13. Messerges, T. S., Dabbish, E. A., & Sloan, R. H. (2002). Examining smart-card security under the threat of power analysis attacks. Ieee Transactions on Computers, 51(5), 541-552. 14. Kocher, P. C., Jaffe, J., & Jun, B. (1999). Differential Power Analysis. Paper presented at the Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, 15. Newsome, J., Shi, E., Song, D., & Perrig, A. (2004). The sybil attack in sensor networks: analysis & defenses. Paper presented at the Proceedings of the 3rd international symposium on Information processing in sensor networks, Berkeley, California, USA, 16. Zhu, W. T., Zhou, J., Deng, R. H., & Bao, F. (2012). Detecting node replication attacks in wireless sensor networks: A survey. Journal of Network and Computer Applications, 35(3), 1022-1034, doi:http://dx.doi.org/10.1016/j.jnca.2012.01.002. 17. Wood, A., & Stankovic, J. A. (2002). Denial of service in sensor networks. Computer, 35(10), 54-62, doi:10.1109/mc.2002.1039518. 18. Yussoff, Y. M., Hashim, H., Rosli, R., & Baba, M. D. (2012). A Review of Physical Attacks and Trusted Platforms in Wireless Sensor Networks. Procedia Engineering, 41(0), 580-587, doi:http://dx.doi.org/10.1016/j.proeng.2012.07.215. 19. Nanda, R., & Krishna, P. V. (2011). Mitigating denial of service attacks in hierarchical wireless sensor networks. Network Security, 2011(10), 14-18, doi:http://dx.doi.org/10.1016/S1353-4858(11)70107-6. 20. Zhang, Y.-y., Li, X.-z., & Liu, Y.-a. (2012). The detection and defence of DoS attack for wireless sensor network. The Journal of China Universities of Posts and Telecommunications, 19, Supplement 2(0), 52-56, doi:http://dx.doi.org/10.1016/S10058885(11)60444-5.

21. Raymond, D. R., & Midkiff, S. F. (2008). Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses. Pervasive Computing, IEEE, 7(1), 74-81, doi:10.1109/mprv.2008.6.

*author's picture & biography Click here to download author's picture & biography: Biographical Sketch.docx

Muhamed Turkanović received his B.Sc. degree in Computer Science and Informatics from the University of Maribor in 2011. He is currently pursuing his Ph.D. degree in Computer Science and Informatics from the University of Maribor. His current research interests include cryptography, information security, network security and wireless sensor networks.

Marko Hölbl received his Ph.D. degree in Computer Science and Informatics from the University of Maribor in 2009. His first degree is Bachelor of Science (Bs.C.) in Computer Science and Informatics, received from University of Maribor in 2004. He is currently an assistant professor for Information Technology at the Faculty of Electrical Engineering and Computer Science, University of Maribor. His research interests include cryptography, network security, web security, smart cards and mobile communications security.