Elsevier

Computer Networks

Volume 73, 14 November 2014, Pages 41-57

On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions

https://doi.org/10.1016/j.comnet.2014.07.010

Highlights

  • We demonstrate privacy breaches into two password authentication schemes for WSNs.

  • Public-key techniques are indispensable to achieve user untraceability.

  • Our principle is applicable to two-factor authentication for universal environments.

  • We discuss the viable solutions to practical realization of user anonymity.

  • Experimental timings of related public-key operations on small devices are reported.

Abstract

Anonymity is among the important properties of two-factor authentication schemes for wireless sensor networks (WSNs) to preserve user privacy. Though impressive efforts have been devoted to designing schemes with user anonymity by only using lightweight symmetric-key primitives such as hash functions and block ciphers, to the best of our knowledge none has succeeded so far. In this work, we take an initial step to shed light on the rationale underlying this prominent issue. Firstly, we scrutinize two previously-thought sound schemes, namely Fan et al.’s scheme and Xue et al.’s scheme, and demonstrate the major challenges in designing a scheme with user anonymity.

Secondly, using these two foremost schemes as case studies and on the basis of the work of Halevi–Krawczyk (1999) [44] and Impagliazzo–Rudich (1989) [43], we put forward a general principle: Public-key techniques are intrinsically indispensable to construct a two-factor authentication scheme that can support user anonymity. Furthermore, we discuss the practical solutions to realize user anonymity. Remarkably, our principle can be applied to two-factor schemes for universal environments besides WSNs, such as the Internet, global mobility networks and mobile clouds. We believe that our work contributes to a better understanding of the inherent complexity in achieving user privacy, and will establish a groundwork for developing more secure and efficient privacy-preserving two-factor authentication schemes.

Introduction

With the rapid development of micro-electromechanical systems and wireless network technologies, wireless sensor networks (WSNs) have attracted increasing attention due to their wide range of applications, from battlefield surveillance to civilian applications such as environmental monitoring, real-time traffic control, industrial process control and home automation. As is well known, most large-scale WSNs [1], [2], [3] follow a tiered architecture because of its advantages in increasing network capacity and scalability, accommodating node mobility, reducing management complexity and prolonging network lifetime. Thus, in this work we also focus mainly on tiered WSNs. In many critical applications, external users are interested in accessing real-time information from sensor nodes, yet if the data queries are issued by the base station, efficiency, scalability and security may not be ensured over the long communication path between the base station and the sensor nodes [4], [5].

To enable external users to access real-time data directly from the desired sensor nodes on demand, without involving the gateway node (or base station), it is of great concern that such critical data be well protected from eavesdropping, malicious modification, unauthorized access, and so on. Accordingly, user authentication constitutes an essential security mechanism: the user must first be authenticated by the sensor nodes before being granted the right to access data. Owing to its simplicity, portability, efficiency and high level of security, smart-card-based password authentication (the so-called two-factor authentication [6]), as depicted in Fig. 1, has become one of the most promising authentication mechanisms for real-time data access in WSNs.

The past twenty years of research on two-factor authentication have proved that it is incredibly difficult to get a general-purpose two-factor scheme right [7], [8], [9]. The design of a secure and efficient scheme for WSNs can only be harder. Crucially, the designers are confronted with a paradoxical challenge: “providing lightweight cryptographic algorithms for strong authentication, privacy and other cryptographic services on a speck of dust” [10]. On the one hand, since sensor nodes and smart cards are small devices with low computation capability, limited memory capacity and scarce energy resources, it is more desirable to employ only symmetric-key techniques (e.g., hash functions, symmetric encryption and XOR operations) rather than comparatively expensive asymmetric cryptographic operations (e.g., modular exponentiation and pairing).

On the other hand, WSNs are generally deployed in unattended environments and often perform extremely sensitive tasks (e.g., health-care and battlefield surveillance); thus, in addition to the traditional security threats, they exhibit a larger attack surface and are prone to more serious (even life-threatening) attacks. Consequently, a sound two-factor authentication scheme for WSNs should be able to guard against various known attacks, including general attacks such as impersonation, replay and offline password guessing, as well as attacks specific to WSN environments like gateway by-passing and node capture [11]. Besides security, user privacy is also of particular interest. For example, some current projects, including GEOSS [12] and NOPP [13], are developing large-scale WSNs to adaptively monitor the earth–ocean–atmosphere system. The sensed data may be of interest to various types of users ranging from individuals to universities, government research centers and business companies (e.g., GEOSS [12] involves 61 countries, and NOPP [13] involves DARPA and the Department of Homeland Security, among others). The activities of these users may be highly sensitive to outsiders, and even the users themselves cannot fully trust each other due to diverging interests. Consequently, there is an urgent need to protect a user’s data access privacy, e.g., when she accessed the sensor data, which data types she was interested in, or from which nodes she obtained the data, since the leakage of such information could be exploited against her interests. More generally, there is a growing requirement for protecting user privacy information (e.g., preferences, login history, location, physical condition, personal data [14], [15]) from being leaked and abused, which underlines the need for designing schemes that attain user anonymity.

It is worth mentioning that, in the context of user authentication, user anonymity is defined against the public rather than the server, because the server must be aware of the real identity of each user in order to detect, record and remove malicious users. Moreover, in many cases the server needs to learn the user identity for accounting, auditing, and/or billing purposes [16]. It should also be noted that, instead of a single “user anonymity” property, different application scenarios may implement quite varied notions of what user anonymity means [17], [18], such as user identity protection, user un-traceability, anonymous user linkability, k-anonymity and blender anonymity. Interested readers are referred to [19] for more details. For user authentication, this notion basically means user identity protection, which ensures that the adversary cannot figure out the target user’s identity from the protocol transcripts.

By comparison, a more satisfactory notion of user anonymity is user un-traceability, which guarantees that the adversary can neither determine who the user is nor tell whether two conversations originate from the same (unknown) user [20], [21]. That is, a scheme achieving this stronger property prevents the adversary from linking multiple instances of communication generated by the same user and from tracing a user’s current location, moving history, etc. Consequently, most schemes (e.g., [11], [20], [22], [23], [24], [25], [26], [27], [28]) that attempt to preserve user privacy aim at fulfilling this stronger notion of user anonymity. Throughout this paper, unless otherwise specified, by “user anonymity” we will always mean “user un-traceability”.

In 2009, Das [11] suggested the first smart-card-based password authentication scheme to provide mutual authentication among the external user, the gateway node and the sensor node. Since this scheme involves only symmetric-key operations, it allows authorized users to access WSNs via low-powered mobile devices (e.g., PDAs, smart phones and laptops). However, shortly after this two-factor authentication scheme was presented, it was found to be prone to various attacks: offline password guessing and sensor node compromise attacks by Nyang–Lee [29], a gateway node by-passing attack by Khan–Alghathbar [24], and impersonation and insider attacks by He et al. [23] and Chen and Shih [30]. To eliminate these security drawbacks of Das’s scheme, a number of improvements [23], [24], [29], [30], [31] were proposed. To the designers’ disappointment, these five enhancements still cannot attain their claimed security and have invariably been shown to be flawed [32], [33], [34], [35].

In 2011, Fan et al. [36] observed that previous two-factor authentication schemes for real-time data access in WSNs have various overlooked defects, and proposed a new privacy-preserving scheme which involves only lightweight operations, such as one-way hash functions and exclusive-OR operations. Hence, it is well suited to resource-limited sensor networks and exhibits great potential for practical use. The authors claimed that their scheme is free from various related cryptographic attacks and can preserve user anonymity. Although their scheme has many merits over existing schemes and has even been equipped with a formal security proof, as will be shown in Section 2, it actually cannot support user anonymity and is vulnerable to several practical attacks.

Around the same time, Kumar et al. [25] also noticed that previous schemes are either subject to security defects or short of essential features like mutual authentication and user anonymity. Therefore, they attempted to develop a privacy-preserving two-factor authentication framework for WSNs that can withstand all known attacks and support various features. Shortly after this framework was proposed, Jiang et al. [26] pointed out that it cannot resist offline password guessing attack and fails to provide user un-traceability, and suggested an enhancement to overcome these two drawbacks. However, it is not difficult to see that Jiang et al.’s scheme [26] is vulnerable to a de-synchronization attack: a dishonest (compromised) sensor node can render the victim user’s smart card completely unusable by simply altering the last message flow, without detection.

In 2012, Das et al. [33] introduced a novel scheme that supports dynamic node addition after the initial deployment of nodes in the existing sensor network. To keep efficiency and suitability for implementation on resource-constrained sensor nodes, this scheme also involves only lightweight operations, such as hash functions and symmetric-key encryption. Yet it was subsequently found prone to a serious design flaw by Turkanovic and Holbl [37], who further proposed an improved version. Unfortunately, Li et al. [38] recently reported that both schemes in [33], [37] are susceptible to a flaw that may easily leak the server’s long-term secret key.

In 2013, Xue et al. [27] described a lightweight temporal-credential-based mutual authentication and key agreement scheme. As with previous schemes [11], [23], [25], [26], [36], this protocol also attempts to achieve the property of user anonymity by involving only hash and XOR operations. Xue et al.’s scheme provides more desirable features and higher security assurance than existing schemes, such as user-friendly password update and resilience to GWN bypassing attacks, yet notwithstanding their long list of security arguments, we will demonstrate that it still cannot achieve its essential goal of user anonymity.

In general, the above unending failure in preserving user anonymity may be largely attributed to (and is intrinsically rooted in) the lack of impossibility results in cryptography. Existing results mainly concern cryptographic primitives and certain proof methods [39]. For example, some impossibility results on using black-box methods for constructing one primitive from another were reported in [40], [41], [42]. At the protocol level, results are scarcer. In 1989, Impagliazzo and Rudich [43] reported the well-known result that key-exchange protocols are unlikely to be obtainable using only symmetric-key techniques. Building on this work, in 1999 Halevi and Krawczyk [44] proved that symmetric-key techniques alone are inadequate for password protocols that resist off-line dictionary attacks. In 2000, Park et al. [45] observed that public-key techniques are practically unavoidable for providing forward secrecy in key establishment protocols. In 2006, Nguyen [46] investigated the relationship between password protocols and other cryptographic primitives, and observed that password-authenticated key exchange and public-key encryption are incomparable under black-box reductions. In 2011, González Muñiz and Laud [39] confirmed that symmetric-key techniques alone are insufficient to construct message recognition protocols with perenniality.

Among the aforementioned theoretical studies, Halevi–Krawczyk’s work [44] may be the closest to what we discuss in the current paper; however, it deals only with one factor (i.e., the password factor) and mainly from a security perspective. In 2009, Zeng et al. [47] pointed out that three previous two-factor schemes for wireless mobile networks [48], [49], [50] are unlikely to provide anonymity if an attacker, who is also registered as a legitimate user, can extract secret data from her own smart card. As far as we know, it is the only work that focuses on user anonymity in two-factor authentication. Nonetheless, it blames the failure of these schemes merely on “structural mistakes”, leaving untouched the foundational rationale underlying the repeated anonymity failures. To the best of our knowledge, little attention has been paid to the inherent complexity of designing a two-factor authentication scheme with user anonymity.

There have recently been a number of works (e.g., [24], [25], [26], [27], [29], [30], [35], [36], [51], [52]) that endeavor to construct practical two-factor authentication schemes for WSNs, yet few have succeeded in achieving the “precious” property of user anonymity so far. One common feature of these proposals is that they attempt to preserve user anonymity by using only symmetric-key cryptographic primitives and by relying on the non-tamper-resistance assumption about smart cards. While their incentive to employ only symmetric-key techniques is quite obvious, the non-tamper-resistance assumption about smart cards deserves special attention. Recent research results have demonstrated that the security parameters stored in common commercial smart cards can be revealed or partially extracted by state-of-the-art side-channel attacks (e.g., differential power analysis) [53], [54], [55], software attacks (launched on software-supported cards, e.g., Java Card) [56] and reverse engineering techniques [57]. However, since performing a side-channel attack needs special instruments and attack platforms, it is likely that the data can be extracted only when the card is in the possession of the attacker for a relatively long period; in other scenarios the data in the card remains confidential. This implies that the common non-tamper-resistance assumption made about smart cards is conditional. As illustrated in Fig. 1 of [7], this conditional non-tamper-resistance assumption about smart cards has been widely regarded as a basic (also reasonable and prudent) assumption when designing two-factor authentication protocols since 2004.

Naturally, the repeated failure in achieving user anonymity gives rise to an interesting (and foundational) question: Under the conditional non-tamper-resistance assumption of the smart cards, is it possible to construct a privacy-preserving two-factor authentication scheme for WSNs by employing only symmetric cryptographic techniques? Besides the aforementioned two-factor schemes for WSNs, dozens of two-factor authentication schemes for various environments (for some of the latest ones, see [22], [58], [59], [60], [61], [62], [63], [64], [65], [66], [67]; for a more comprehensive picture, see those underlined by dashed lines in Fig. 2 in Section 4.2) also strive to adopt only symmetric-key primitives to reduce the computation overhead while preserving user privacy. It is the main purpose of this paper to demonstrate that, under their non-tamper-resistance assumption of the smart cards, such a strategy is intrinsically infeasible.

Further, as public-key techniques are inherently necessary to achieve user anonymity, another question arises: How can we design a secure and privacy-preserving two-factor authentication protocol with acceptable efficiency?

In this work, we take the first step towards investigating the above two questions and aim to provide definite answers to them. Our contributions lie in the following aspects:

  • First, we investigate into two representative schemes, namely Fan et al.’s scheme and Xue et al.’s scheme, to reveal the subtleties and challenges in designing privacy-preserving two-factor authentication schemes for WSNs.

  • Second, on the basis of the work of Halevi–Krawczyk (1999) and Impagliazzo–Rudich (1989), we suggest a formal game-based security model for two-factor authentication and put forward a general principle for achieving user anonymity in such schemes, providing a negative answer to the first question.

  • Third, though the user anonymity problem is studied in the context of WSNs, we show that our principle can be applied to universal environments, such as the single-server architecture, multi-server environment, global mobility networks, proxy mobile IPv6 networks, satellite networks, mobile clouds and other wireless environments.

  • Furthermore, we discuss the viable solutions to implementation issues. By borrowing ideas from privacy-preserving schemes for mobile roaming networks and on the basis of experimental results about public-key primitives, we report that appropriate public-key encryption schemes along with a proper padding mechanism would be promising candidates – providing provable security while attaining reasonable efficiency. This serves as an answer to the second question.

The rest of this paper is organized as follows: in Section 2, we investigate Fan et al.’s scheme. Section 3 describes the privacy flaws of Xue et al.’s scheme. Section 4 is devoted to the security model and the principle. Viable solutions are discussed in Section 5, and Section 6 concludes the paper.


Cryptanalysis of Fan et al.’s scheme

In 2011, Fan et al. [36] proposed the first denial-of-service (DoS)-resistant and efficient two-factor authentication scheme for WSNs and claimed that their scheme exhibits many merits over existing schemes, such as mutual authentication, user anonymity and local password update. However, in contrast to their claims, Fan et al.’s scheme is still subject to a user anonymity violation attack and other security drawbacks, such as vulnerability to smart card security breach attack and insider attack.

Cryptanalysis of Xue et al.’s scheme

While colluding attackers can breach the user anonymity of Fan et al.’s scheme [36], a different attack strategy has to be taken against Xue et al.’s scheme [27].

For completeness, in this section we briefly review the temporal-credential-based two-factor authentication scheme for WSNs proposed by Xue et al. [27] in 2012. Compared with earlier schemes such as [11], [25], [33], Xue et al.’s scheme enjoys a number of important security and usability properties such as

The public-key principle for two-factor authentication with user anonymity

Since sensor nodes and smart cards are extremely resource-constrained devices with low battery power, low computation capability and limited memory capacity, protocol designers are faced with the hard task of reconciling security, efficiency and functionality requirements, and often must make design decisions which are seemingly well motivated but may have unintended consequences. Without some necessary design principles (guidelines), the designers can only try their best to ensure the protocol

Potential countermeasures

Having proved our principle and demonstrated its universal applicability, we proceed to discuss the corresponding countermeasures. Since symmetric-key techniques are not sufficient to achieve user anonymity (un-traceability), the available choice is obvious: resorting to public-key techniques. Now, the remaining key issue is how to integrate public-key primitives into traditional schemes that are based only on symmetric keys.
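The countermeasure sketched here and in the contributions list (public-key encryption with a proper padding mechanism) can be made concrete with the following Go program, which is an added illustration and not code from the paper or from any of the schemes it analyzes. It assumes a gateway key pair provisioned to every smart card at registration, the OAEP label `login-id` and the sample identity `user-0042`; the deterministic pseudonym stands in for the fixed, identity-derived value that a symmetric-key-only scheme would send in every login request.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the ciphertext to its purpose; a constructed constant.
var oaepLabel = []byte("login-id")

// Gateway models the GWN: it holds the private key, and every smart card
// is provisioned with the matching public key at registration (assumption).
type Gateway struct {
	priv *rsa.PrivateKey
}

// NewGateway generates the gateway key pair.
func NewGateway(bits int) (*Gateway, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	return &Gateway{priv: priv}, nil
}

// PublicKey is what gets stored on the user's smart card.
func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.priv.PublicKey }

// DeterministicPseudonym models the symmetric-key-only habit of sending a
// fixed function of the identity (here simply a hash) in each login request.
// Without per-session randomness the value repeats across sessions, so a
// passive observer can link all of them to the same (unknown) user.
func DeterministicPseudonym(id string) []byte {
	sum := sha256.Sum256([]byte(id))
	return sum[:]
}

// LoginToken encrypts the identity under the gateway's public key with
// RSA-OAEP. OAEP's random seed makes every ciphertext different, so two
// logins by the same user cannot be linked without the private key.
func LoginToken(pub *rsa.PublicKey, id string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(id), oaepLabel)
}

// Recover is the gateway side: decrypt the token to learn the real identity
// (the server is allowed to know it for auditing and for banning users).
func (g *Gateway) Recover(token []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, g.priv, token, oaepLabel)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Linkable reports whether two transcript values are byte-identical, i.e.
// whether an eavesdropper can trivially tie the two sessions together.
func Linkable(a, b []byte) bool { return bytes.Equal(a, b) }

func main() {
	gw, err := NewGateway(2048)
	if err != nil {
		panic(err)
	}
	id := "user-0042" // constructed sample identity
	fmt.Println("deterministic pseudonym linkable across sessions:",
		Linkable(DeterministicPseudonym(id), DeterministicPseudonym(id)))
	t1, _ := LoginToken(gw.PublicKey(), id)
	t2, _ := LoginToken(gw.PublicKey(), id)
	fmt.Println("OAEP login tokens linkable across sessions:", Linkable(t1, t2))
	recovered, _ := gw.Recover(t1)
	fmt.Println("gateway recovered identity:", recovered)
}
```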

Conclusion

In this work, we have focused on a hot but hard topic – privacy-preservation in WSNs. An interesting and important question that remains is, under the conditional non-tamper-resistance assumption of the smart cards, whether it is possible to construct a privacy-preserving two-factor authentication scheme for WSNs by employing only lightweight symmetric cryptographic techniques, as most of the literature has done in the past? Unfortunately, we give a negative answer to this question by

Acknowledgments

The authors are grateful to Prof. Chao-Hsien Chu at Pennsylvania State University for enlightening suggestions and Dr. Daojing He at South China University of Technology for insightful observations. This research was partially supported by the National Natural Science Foundation of China (NSFC) under Grants Nos. 61170263 and 61170282.


References (119)

  • D. He et al., A strong user authentication scheme with smart cards for wireless communications, Comput. Commun. (2011)
  • X. Li et al., An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards, J. Network Comput. Appl. (2012)
  • F. Wen et al., An improved dynamic id-based remote user authentication with key agreement scheme, Comput. Electr. Eng. (2012)
  • M. Khan et al., Cryptanalysis and security enhancement of a more efficient & secure dynamic id-based remote user authentication scheme, Comput. Commun. (2011)
  • M. Turkanović et al., A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion, Ad Hoc Networks (2014)
  • Y.-P. Liao et al., A secure dynamic id based remote user authentication scheme for multi-server environment, Comput. Stand. Interfaces (2009)
  • D. Wang et al., Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks, Ad Hoc Networks (2014)
  • H.-C. Hsiang et al., Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment, Comput. Stand. Interfaces (2009)
  • X. Li et al., A novel smart card and dynamic id based remote user authentication scheme for multi-server environments, Math. Comput. Model. (2013)
  • O. Gnawali et al., The tenet architecture for tiered sensor networks
  • J. Shi et al., Secure range queries in tiered sensor networks
  • D. Yang et al., Two-tiered constrained relay node placement in wireless sensor networks: computational complexity and efficient approximations, IEEE Trans. Mobile Comput. (2012)
  • W. Zhang et al., Least privilege and privilege deprivation: towards tolerating mobile sink compromises in wireless sensor networks
  • D. He et al., Distributed access control with privacy support in wireless sensor networks, IEEE Trans. Wireless Commun. (2011)
  • D. Wang et al., Offline dictionary attack on password authentication schemes using smart cards
  • S.J. Murdoch, S. Drimer, R. Anderson, M. Bond, Chip and PIN is broken, in: Proc. IEEE Security & Privacy 2010, IEEE...
  • N. Mavrogiannopoulos et al., Security implications in kerberos by the introduction of smart cards
  • J.-P. Kaps et al., Cryptography on a speck of dust, IEEE Comput. (2007)
  • M.L. Das, Two-factor user authentication in wireless sensor networks, IEEE Trans. Wireless Commun. (2009)
  • Taking the Pulse of the Planet: EPA’s Remote Sensing Information Gateway....
  • The National Oceanographic Partnership Program (NOPP)....
  • B. Liu et al., Cloud-enabled privacy-preserving collaborative learning for mobile sensing
  • J. Sun et al., SAT: a security architecture achieving anonymity and traceability in wireless mesh networks, IEEE Trans. Depend. Secur. Comput. (2011)
  • C. Lai et al., CPAL: a conditional privacy-preserving authentication with access linkability for roaming service, IEEE Internet Things J. (2014)
  • D. Hughes et al., Anonymity and privacy: a modular approach, J. Comput. Secur. (2004)
  • X. Li et al., Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards, IEEE Trans. Ind. Electron. (2010)
  • D. He et al., An enhanced two-factor user authentication scheme in wireless sensor networks, Ad Hoc Sensor Wireless Netw. (2010)
  • M. Khan et al., Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks, Sensors (2010)
  • P. Kumar et al., RUASN: a robust user authentication framework for wireless sensor networks, Sensors (2011)
  • Q. Jiang et al., Security enhancement of robust user authentication framework for wireless sensor networks, China Commun. (2012)
  • D. Nyang, M. Lee, Improvement of Das’s Two-Factor Authentication Protocol in Wireless Sensor Networks, Cryptology...
  • T. Chen et al., A robust mutual authentication protocol for wireless sensor networks, ETRI J. (2010)
  • H. Yeh et al., A secured authentication protocol for wireless sensor networks using elliptic curves cryptography, Sensors (2011)
  • D. Sun et al., On the security and improvement of a two-factor user authentication scheme in wireless sensor networks, Pers. Ubiquitous Comput. (2013)
  • J.-J. Yuan, An enhanced two-factor user authentication in wireless sensor networks, Telecommun. Syst. (2014)
  • B. Vaidya et al., Two-factor mutual authentication with key agreement in wireless sensor networks, Secur. Commun. Netw. (2012)
  • R. Fan et al., An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks, J. Zhejiang Univ.-Sci. C (2011)
  • M. Turkanovic et al., An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks, Electron. Electr. Eng. (2013)
  • C.-T. Li et al., Towards secure and dynamic password based user authentication scheme in hierarchical wireless sensor networks, Int. J. Secur. Appl. (2013)
  • M. González Muñiz et al., On the (im)possibility of perennial message recognition protocols without public-key cryptography


    Ding Wang received his B.S. Degree in Information Security from Nankai University, Tianjin, China, in 2008. Then he went to Information Engineering University (Zhengzhou) to work toward Information Security Engineering. Now he is pursuing his Ph.D. degree at Peking University, Beijing, China. He has published more than 20 refereed research papers at Elsevier, IEEE and Wiley journals, and conferences such as DBSec 2012, ICICS 2012, ISC 2013, SecureComm 2014 and WCNC 2014. He was awarded the Top-Ten Distinguished Graduate Academic Star of the University in 2012. His research interests include cryptography and wireless network security.

    Ping Wang received his B.S. degree from University of Electronic Science and Technology of China in 1983, and Ph.D. degree in Computer Science from University of Massachusetts, USA, in 1996. He has served as chief engineer in Open Software Foundation and Lucent Technologies Ltd. Currently, he is a full-time Professor and director of the PKU-PSU Joint Laboratory of Intelligent Computing and Smart Sensing. He served as technique committee co-chairs of RFIDSec’11 Asia. He has wide interests in system security, system software and distributed computing.
