On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions
Introduction
With the rapid development of micro-electromechanical systems and wireless network technologies, wireless sensor networks (WSNs) have attracted increasing attention due to their wide range of applications, from battlefield surveillance to civilian uses such as environmental monitoring, real-time traffic control, industrial process control and home automation. As is well known, most large-scale WSNs [1], [2], [3] follow a tiered architecture because of its advantages in increasing network capacity and scalability, accommodating node mobility, reducing management complexity and prolonging network lifetime. Thus, in this work we also focus mainly on tiered WSNs. In many critical applications, external users are generally interested in accessing real-time information from sensor nodes, yet if the data queries are issued through the base station, efficiency, scalability and security may not be ensured over the long communication path between the base station and the sensor nodes [4], [5].
To enable external users to access real-time data directly from the desired sensor nodes on demand, without involving the gateway node (or base station), it is of great concern that such critical data be well protected from eavesdropping, malicious modification, unauthorized access, and so on. Accordingly, user authentication constitutes an essential security mechanism: the user must first be authenticated by the sensor nodes before being granted the right to access data. Owing to its simplicity, portability, efficiency and high level of security, smart-card-based password authentication (the so-called two-factor authentication [6]), as depicted in Fig. 1, has become one of the most promising authentication mechanisms for real-time data access in WSNs.
The past twenty years of research on two-factor authentication have shown that it is incredibly difficult to get a general-purpose two-factor scheme right [7], [8], [9]. The design of a secure and efficient scheme for WSNs can only be harder. Crucially, the designers are confronted with a paradoxical challenge—“providing lightweight cryptographic algorithms for strong authentication, privacy and other cryptographic services on a speck of dust” [10]. On the one hand, sensor nodes and smart cards are small devices with low computation capability, limited memory capacity and scarce energy resources, so it is more desirable to employ only symmetric-key techniques (e.g., hash functions, symmetric encryption and XOR operations) rather than comparatively expensive asymmetric operations (e.g., modular exponentiation and pairing).
On the other hand, WSNs are generally deployed in unattended environments and often perform extremely sensitive tasks (e.g., health care and battlefield surveillance); thus, in addition to the traditional security threats, they exhibit a larger attack surface and are prone to more serious (even life-threatening) attacks. Consequently, a desirable two-factor authentication scheme for WSNs should guard against various known attacks, including general attacks such as impersonation, replay and offline password guessing, as well as attacks specific to WSN environments such as gateway by-passing and node capture [11]. Besides security, user privacy is also of particular interest. For example, some current projects, including GEOSS [12] and NOPP [13], are developing large-scale WSNs to adaptively monitor the earth–ocean–atmosphere system. The sensed data may be of interest to various types of users, ranging from individuals to universities, government research centers and business companies (e.g., GEOSS [12] involves 61 countries, and NOPP [13] involves DARPA and the Department of Homeland Security, among others). The activities of these users may be highly sensitive to outsiders, and even the users themselves cannot fully trust each other due to diversified interests. Consequently, there is an urgent need to protect a user’s data access privacy, e.g., when she accessed the sensor data, which data types she was interested in, or from which nodes she obtained the data, since the leakage of such information could be exploited against her interests. More generally, there is a growing requirement to protect user privacy information (e.g., preferences, login history, location, physical condition, personal data [14], [15]) from being leaked and abused, which outlines the need for schemes that attain user anonymity.
It is worth mentioning that, in the context of user authentication, user anonymity is defined against the public rather than the server, because the server must be aware of the real identity of each user in order to detect, record and remove malicious users. Moreover, in many cases the server needs to learn the user identity for accounting, auditing and/or billing purposes [16]. It should also be noted that, instead of a single “user anonymity” property, different application scenarios may implement quite varied notions of what user anonymity means [17], [18], such as user identity protection, user un-traceability, anonymous user linkability, k-anonymity and blender anonymity. Interested readers are referred to [19] for more details. For user authentication, this notion basically means user identity protection, which ensures that the adversary cannot figure out the target user’s identity from the protocol transcripts.
Comparatively, a more satisfactory property of user anonymity is user un-traceability, which guarantees that the adversary can neither determine who the user is nor tell apart whether two conversations originate from the same (unknown) user [20], [21]. That is, a scheme achieving this advanced property can prevent the adversary from linking multiple instances of communication generated by the same user and from tracing a user’s current location, moving history, etc. Consequently, most schemes (e.g., [11], [20], [22], [23], [24], [25], [26], [27], [28]) that attempt to preserve user privacy aim at fulfilling this stronger notion of user anonymity. Throughout this paper, unless otherwise specified, by “user anonymity” we will always mean “user un-traceability”.
In 2009, Das [11] suggested the first smart-card-based password authentication scheme to provide mutual authentication among the external user, the gateway node and the sensor node. Since this scheme involves only symmetric-key operations, it allows authorized users to access WSNs via low-powered mobile devices (e.g., PDAs, smart phones and laptops). However, shortly after this two-factor authentication scheme was presented, it was found to be prone to various attacks: offline password guessing and sensor node compromise attacks by Nyang–Lee [29], a gateway node by-passing attack by Khan–Alghathbar [24], and impersonation and insider attacks by He et al. [23] and Chen and Shih [30]. To eliminate these security drawbacks in Das’s scheme, a number of improvements [23], [24], [29], [30], [31] were proposed. To the designers’ disappointment, these five enhancements still cannot attain the claimed security and have invariably been shown to be flawed [32], [33], [34], [35].
In 2011, Fan et al. [36] observed that previous two-factor authentication schemes for real-time data access in WSNs have various overlooked defects, and proposed a new privacy-preserving scheme that involves only lightweight operations, such as one-way hash functions and exclusive-OR operations. Hence, it is well suited to resource-limited sensor networks and exhibits great potential for practical use. The authors claimed that their scheme is free from various related cryptographic attacks and can preserve user anonymity. Although their scheme has many merits over existing schemes and is even equipped with a formal security proof, as will be shown in Section 2, it actually cannot support user anonymity and is vulnerable to several practical attacks.
Around the same time, Kumar et al. [25] also noticed that previous schemes are either subject to security defects or short of essential features like mutual authentication and user anonymity. Therefore, they attempted to develop a privacy-preserving two-factor authentication framework for WSNs that can withstand all known attacks and support various features. Shortly after this framework was proposed, Jiang et al. [26] pointed out that it cannot resist offline password guessing attacks and fails to provide user un-traceability, and suggested an enhancement to overcome these two drawbacks. However, it is not difficult to see that Jiang et al.’s scheme [26] is vulnerable to a de-synchronization attack: a dishonest (compromised) sensor node can render the victim user’s smart card completely unusable, without detection, simply by altering the last message flow.
In 2012, Das et al. [33] introduced a novel scheme that supports dynamic node addition after the initial deployment of nodes in the existing sensor network. To remain efficient and suitable for implementation in resource-constrained sensor nodes, this scheme also involves only lightweight operations, such as hash functions and symmetric-key encryption. Yet it was subsequently found to have a serious design flaw by Turkanovic and Holbl [37], who further proposed an improved version. Unfortunately, Li et al. [38] recently reported that both schemes in [33], [37] are susceptible to a flaw that may easily leak the server’s long-term secret key.
In 2013, Xue et al. [27] described a lightweight temporal-credential-based mutual authentication and key agreement scheme. As with previous schemes [11], [23], [25], [26], [36], this protocol also attempts to achieve user anonymity while involving only hash and XOR operations. Xue et al.’s scheme provides more desirable features and comparatively higher security assurance than existing schemes, such as user-friendly password update and resilience to GWN bypassing attacks; yet, notwithstanding their long list of security arguments, we will demonstrate that it still cannot achieve its essential goal of user anonymity.
In general, the above unending failure to preserve user anonymity may be largely attributed to (and is intrinsically rooted in) the lack of impossibility results in cryptography. Existing results mainly concern cryptographic primitives and certain proof methods [39]. For example, some impossibility results on using black-box methods to construct one primitive from another were reported in [40], [41], [42]. At the protocol level, results are scarcer. In 1989, Impagliazzo and Rudich [43] reported the well-known result that key-exchange protocols are unlikely to be obtained using only symmetric-key techniques. Building on this work, in 1999 Halevi and Krawczyk [44] proved that symmetric-key techniques alone are inadequate for password protocols that resist off-line dictionary attacks. In 2000, Park et al. [45] observed that public-key techniques are practically unavoidable for providing forward secrecy in key establishment protocols. In 2006, Nguyen [46] investigated the relationship between password protocols and other cryptographic primitives, and observed that password-authenticated key exchange and public-key encryption are incomparable under black-box reductions. In 2011, González Muñiz and Laud [39] confirmed that symmetric-key techniques alone are insufficient to construct message recognition protocols with perenniality.
Among the aforementioned theoretical studies, Halevi–Krawczyk’s work [44] may be the closest to what we discuss in the current paper; however, it deals only with a single factor (the password) and mainly from a security perspective. In 2009, Zeng et al. [47] pointed out that three previous two-factor schemes for wireless mobile networks [48], [49], [50] are unlikely to provide anonymity if an attacker, who is also registered as a legitimate user, can extract secret data from her own smart card. As far as we know, it is the only work that focuses on user anonymity in two-factor authentication. Nonetheless, it blames the failure of these schemes merely on “structural mistakes”, leaving untouched the foundational rationale underlying the repeated anonymity failures. To the best of our knowledge, little attention has been given to the inherent complexity of designing a two-factor authentication scheme with user anonymity.
There have recently been a number of works (e.g., [24], [25], [26], [27], [29], [30], [35], [36], [51], [52]) that endeavor to construct practical two-factor authentication schemes for WSNs, yet few have succeeded in achieving the “precious” property of user anonymity so far. One common feature of these proposals is that they attempt to preserve user anonymity by using only symmetric-key cryptographic primitives while relying on the non-tamper-resistance assumption about smart cards. While their incentive to employ only symmetric-key techniques is quite obvious, the non-tamper-resistance assumption about smart cards deserves special attention. Recent research has demonstrated that the security parameters stored in common commercial smart cards can be revealed or partially extracted by state-of-the-art side-channel attacks (e.g., differential power analysis) [53], [54], [55], software attacks (launched on software-supported cards, e.g., Java Card) [56] and reverse engineering techniques [57]. However, since performing a side-channel attack needs special instruments and attack platforms, it is likely that the data can be extracted only when the card is in the attacker’s possession for a relatively long period; in other scenarios the data in the card shall remain confidential. This implies that the common non-tamper-resistance assumption about smart cards is conditional. As illustrated in Fig. 1 of [7], this conditional non-tamper-resistance assumption about smart cards has been widely regarded as a basic (also reasonable and prudent) assumption when designing two-factor authentication protocols since 2004.
Naturally, the repeated failure to achieve user anonymity gives rise to an interesting (and foundational) question: Under the conditional non-tamper-resistance assumption about smart cards, is it possible to construct a privacy-preserving two-factor authentication scheme for WSNs by employing only symmetric cryptographic techniques? Besides the aforementioned two-factor schemes for WSNs, dozens of two-factor authentication schemes for various environments (for some of the latest, see [22], [58], [59], [60], [61], [62], [63], [64], [65], [66], [67]; for a more comprehensive view, see those underlined with a dashed line in Fig. 2 in Section 4.2) also strive to adopt only symmetric-key primitives to reduce computation overhead while preserving user privacy. It is the main purpose of this paper to demonstrate that, under their non-tamper-resistance assumption about smart cards, such a strategy is intrinsically infeasible.
Further, as public-key techniques are inherently necessary to achieve user anonymity, another question arises: How can we design a secure and privacy-preserving two-factor authentication protocol with acceptable efficiency?
In this work, we take the first step towards investigating the above two questions and aim to provide definite answers to them. Our contributions lie in the following aspects:
• First, we investigate two representative schemes, namely Fan et al.’s scheme and Xue et al.’s scheme, to reveal the subtleties and challenges in designing privacy-preserving two-factor authentication schemes for WSNs.
• Second, on the basis of the work of Halevi–Krawczyk (1999) and Impagliazzo–Rudich (1989), we suggest a formal game-based security model for two-factor authentication and put forward a general principle for achieving user anonymity in such schemes, providing a negative answer to the first question.
• Third, though the user anonymity problem is studied in the context of WSNs, we show that our principle applies to universal environments, such as the single-server architecture, multi-server environments, global mobility networks, proxy mobile IPv6 networks, satellite networks, mobile clouds and other wireless environments.
• Furthermore, we discuss viable solutions to implementation issues. By borrowing ideas from privacy-preserving schemes for mobile roaming networks and on the basis of experimental results about public-key primitives, we report that appropriate public-key encryption schemes along with a proper padding mechanism are promising candidates, providing provable security while attaining reasonable efficiency. This serves as an answer to the second question.
The rest of this paper is organized as follows: in Section 2, we investigate Fan et al.’s scheme. Section 3 describes the privacy flaws of Xue et al.’s scheme. Section 4 is devoted to the security model and the principle. Viable solutions are discussed in Section 5, and Section 6 concludes the paper.
Cryptanalysis of Fan et al.’s scheme
In 2011, Fan et al. [36] proposed the first denial-of-service (DoS)-resistant and efficient two-factor authentication scheme for WSNs and claimed that their scheme exhibits many merits over existing schemes, such as mutual authentication, user anonymity and local password update. However, contrary to their claims, Fan et al.’s scheme is still subject to a user anonymity violation attack and other security drawbacks, such as vulnerability to smart card security breach and insider attacks.
Cryptanalysis of Xue et al.’s scheme
While attackers colluding together can breach the user anonymity of Fan et al.’s scheme [36], a different attack strategy has to be taken against Xue et al.’s scheme [27].
For completeness, in this section we briefly review the temporal-credential-based two-factor authentication scheme for WSNs proposed by Xue et al. [27] in 2012. Compared with earlier schemes such as [11], [25], [33], Xue et al.’s scheme enjoys a number of important security and usability properties such as
The public-key principle for two-factor authentication with user anonymity
Since sensor nodes and smart cards are extremely resource-constrained devices with low battery power, low computation capability and limited memory capacity, protocol designers are faced with the hard task of reconciling security, efficiency and functionality requirements, and often must make design decisions which are seemingly well motivated but may have unintended consequences. Without some necessary design principles (guidelines), the designers can only try their best to ensure the protocol
Potential countermeasures
Having proved our principle and demonstrated its universal applicability, we proceed to discuss the corresponding countermeasures. Since symmetric-key techniques are not sufficient to achieve user anonymity (un-traceability), the available choice is obvious – resorting to public-key techniques. Now, the remaining key issue is how to integrate public-key primitives into traditional schemes built only on symmetric-key techniques.
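The following toy is an example added by the editor, not code from the paper or from any of the schemes it analyses; it illustrates both the Introduction’s point (a registered adversary who reads her own card, as in Zeng et al. [47]) and the countermeasure above. The symmetric “dynamic ID” design, its gateway-wide card value k, the user names and the toy ElGamal parameters are all hypothetical stand-ins; the paper does not specify which public-key scheme or padding to use.

```python
"""Toy illustration (editor's example, not the paper's code) of why a
symmetric-key-only two-factor scheme whose cards share a gateway-wide
value cannot give un-traceability once one card is read out, and of how
randomised public-key encryption of the identity removes the linkage.
Every scheme detail, name and parameter here is hypothetical."""
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """Hash helper: SHA-256 over the concatenation of its inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Part 1: hypothetical symmetric-key-only "dynamic ID" design -------
GWN_SECRET = secrets.token_bytes(32)   # gateway long-term key x


def issue_card(identity: bytes) -> dict:
    """Registration: every card stores h(x), a value common to all cards,
    plus a user-specific credential. Only h(x) matters for linkability."""
    return {"k": h(GWN_SECRET), "cred": h(identity, GWN_SECRET)}


def sym_login(card: dict, identity: bytes, nonce: bytes) -> dict:
    """Login message: the identity is masked with h(k || nonce), so each
    message looks random to an outsider who does not know k."""
    mask = h(card["k"], nonce)
    return {"DID": xor(identity.ljust(32, b"\0"), mask), "nonce": nonce}


def sym_unmask(k: bytes, msg: dict) -> bytes:
    """Anyone holding the card-wide value k recovers the identity."""
    return xor(msg["DID"], h(k, msg["nonce"])).rstrip(b"\0")


def sym_attacker_links(extracted_k: bytes, m1: dict, m2: dict) -> bool:
    """A registered adversary who read k out of her own card decides
    whether two observed logins come from the same user."""
    return sym_unmask(extracted_k, m1) == sym_unmask(extracted_k, m2)


# --- Part 2: public-key countermeasure (toy ElGamal over a small prime,
# a stand-in for a real PKE with proper padding) -------------------------
P = 2**127 - 1          # toy modulus, far too small for real use
G = 3


def gwn_keygen() -> tuple:
    sk = secrets.randbelow(P - 2) + 1
    return sk, pow(G, sk, P)


def pke_login(pk: int, identity: bytes, nonce: bytes) -> dict:
    """Identity encrypted under the gateway public key with fresh
    randomness r: no card-resident value is needed to hide the identity,
    so reading out a card reveals nothing that links transcripts."""
    r = secrets.randbelow(P - 2) + 1
    m = int.from_bytes(identity, "big") % P
    return {"c1": pow(G, r, P), "c2": (m * pow(pk, r, P)) % P, "nonce": nonce}


def pke_open(sk: int, msg: dict) -> bytes:
    """Only the gateway (private key holder) recovers the identity."""
    s = pow(msg["c1"], sk, P)
    m = (msg["c2"] * pow(s, P - 2, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo() -> dict:
    alice, bob = b"alice", b"bob"
    card_a, card_b = issue_card(alice), issue_card(bob)
    k = issue_card(b"mallory")["k"]       # extracted from the adversary's own card
    a1 = sym_login(card_a, alice, secrets.token_bytes(16))
    a2 = sym_login(card_a, alice, secrets.token_bytes(16))
    b1 = sym_login(card_b, bob, secrets.token_bytes(16))
    sk, pk = gwn_keygen()
    e1 = pke_login(pk, alice, secrets.token_bytes(16))
    e2 = pke_login(pk, alice, secrets.token_bytes(16))
    return {
        "sym_links_same_user": sym_attacker_links(k, a1, a2),   # True
        "sym_links_diff_user": sym_attacker_links(k, a1, b1),   # False
        "sym_recovered_id": sym_unmask(k, a1),                  # b"alice"
        "pke_transcripts_differ": (e1["c1"], e1["c2"]) != (e2["c1"], e2["c2"]),
        "pke_gwn_recovers": pke_open(sk, e1) == alice,          # True
    }
```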
Conclusion
In this work, we have focused on a hot but hard topic – privacy-preservation in WSNs. An interesting and important question that remains is, under the conditional non-tamper-resistance assumption of the smart cards, whether it is possible to construct a privacy-preserving two-factor authentication scheme for WSNs by employing only lightweight symmetric cryptographic techniques, as most of the literature has done in the past? Unfortunately, we give a negative answer to this question by
Acknowledgments
The authors are grateful to Prof. Chao-Hsien Chu at Pennsylvania State University for enlightening suggestions and Dr. Daojing He at South China University of Technology for insightful observations. This research was partially supported by the National Natural Science Foundation of China (NSFC) under Grants Nos. 61170263 and 61170282.
References
Two-factor mutual authentication based on smart cards and passwords. J. Comput. Syst. Sci. (2008)
Understanding identity exposure in pervasive computing environments. Pervasive Mobile Comput. (2012)
A secure identification and key agreement protocol with user anonymity (SIKA). Comput. Secur. (2006)
Cryptanalysis of a remote user authentication scheme with provable security for mobile client-server environment based on ECC. Inform. Fusion (2013)
A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. (2014)
A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J. Network Comput. Appl. (2013)
SE-AKA: a secure and efficient group authentication and key agreement protocol for LTE networks. Comput. Networks (2013)
A dynamic password-based user authentication scheme for hierarchical wireless sensor networks. J. Network Comput. Appl. (2012)
Attacking smart card systems: theory and practice. Inform. Secur. Tech. Rep. (2009)
Side channel analysis attacks using AM demodulation on commercial smart cards with SEED. J. Syst. Soft. (2012)
A strong user authentication scheme with smart cards for wireless communications. Comput. Commun.
An enhanced and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Network Comput. Appl.
An improved dynamic ID-based remote user authentication with key agreement scheme. Comput. Electr. Eng.
Cryptanalysis and security enhancement of a more efficient & secure dynamic ID-based remote user authentication scheme. Comput. Commun.
A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Networks
A secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interfaces
Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Networks
Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment. Comput. Stand. Interfaces
A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments. Math. Comput. Model.
The tenet architecture for tiered sensor networks.
Secure range queries in tiered sensor networks.
Two-tiered constrained relay node placement in wireless sensor networks: computational complexity and efficient approximations. IEEE Trans. Mobile Comput.
Least privilege and privilege deprivation: towards tolerating mobile sink compromises in wireless sensor networks.
Distributed access control with privacy support in wireless sensor networks. IEEE Trans. Wireless Commun.
Offline dictionary attack on password authentication schemes using smart cards.
Security implications in Kerberos by the introduction of smart cards.
Cryptography on a speck of dust. IEEE Comput.
Two-factor user authentication in wireless sensor networks. IEEE Trans. Wireless Commun.
Cloud-enabled privacy-preserving collaborative learning for mobile sensing.
SAT: a security architecture achieving anonymity and traceability in wireless mesh networks. IEEE Trans. Depend. Secur. Comput.
CPAL: a conditional privacy-preserving authentication with access linkability for roaming service. IEEE Internet Things J.
Anonymity and privacy: a modular approach. J. Comput. Secur.
Anonymity enhancement on robust and efficient password-authenticated key agreement using smart cards. IEEE Trans. Ind. Electron.
An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sensor Wireless Netw.
Cryptanalysis and security improvements of two-factor user authentication in wireless sensor networks. Sensors
RUASN: a robust user authentication framework for wireless sensor networks. Sensors
Security enhancement of robust user authentication framework for wireless sensor networks. China Commun.
A robust mutual authentication protocol for wireless sensor networks. ETRI J.
A secured authentication protocol for wireless sensor networks using elliptic curves cryptography. Sensors
On the security and improvement of a two-factor user authentication scheme in wireless sensor networks. Pers. Ubiquitous Comput.
An enhanced two-factor user authentication in wireless sensor networks. Telecommun. Syst.
Two-factor mutual authentication with key agreement in wireless sensor networks. Secur. Commun. Netw.
An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks. J. Zhejiang Univ.-Sci. C
An improved dynamic password-based user authentication scheme for hierarchical wireless sensor networks. Electron. Electr. Eng.
Towards secure and dynamic password based user authentication scheme in hierarchical wireless sensor networks. Int. J. Secur. Appl.
On the (im)possibility of perennial message recognition protocols without public-key cryptography.
Ding Wang received his B.S. Degree in Information Security from Nankai University, Tianjin, China, in 2008. Then he went to Information Engineering University (Zhengzhou) to work toward Information Security Engineering. Now he is pursuing his Ph.D. degree at Peking University, Beijing, China. He has published more than 20 refereed research papers at Elsevier, IEEE and Wiley journals, and conferences such as DBSec 2012, ICICS 2012, ISC 2013, SecureComm 2014 and WCNC 2014. He was awarded the Top-Ten Distinguished Graduate Academic Star of the University in 2012. His research interests include cryptography and wireless network security.
Ping Wang received his B.S. degree from the University of Electronic Science and Technology of China in 1983, and his Ph.D. degree in Computer Science from the University of Massachusetts, USA, in 1996. He has served as chief engineer at the Open Software Foundation and Lucent Technologies Ltd. Currently, he is a full-time Professor and director of the PKU-PSU Joint Laboratory of Intelligent Computing and Smart Sensing. He served as technical committee co-chair of RFIDSec’11 Asia. He has wide interests in system security, system software and distributed computing.