1 Problem Statement

This comment is about “A Multi-factor User Authentication and Key Agreement Protocol Based on Bilinear Pairing for the Internet of Things”, presented by Nikravan-Reza [1]. In this section, we cryptanalyse their scheme and show that it is vulnerable to user and node impersonation attacks. Furthermore, we are concerned about the storage and computation burden on the gateway node, because Nikravan-Reza store some values in the database of the gateway node. Hence, it is necessary to reduce the computation overhead for efficient communication, which will also reduce the storage cost. The common notations used in this paper are listed in Table 1.

Table 1 Commonly used notations

1.1 User Impersonation

The GW stores \(\{MID_{u}, Y_{u},FQ_{u},PQ_{u}\}\) in its database during the user registration process, and all of these parameters are used in generating the request message. Therefore, using these parameters an adversary \(\mathcal{A}_{adv}\) can easily masquerade as a legitimate user via a stolen-verifier attack. To impersonate a legitimate user, the adversary performs the following steps:

  • Step 1 Assume that \(\mathcal{A}_{adv}\) extracts the parameters \(\{C_{1},e_{gw},r,x,params\}\) and \(\{H_{4}(B_{u}),K_{u}\}\) from the permanent and temporary memory of the user’s smart device. After obtaining these parameters from memory and \(\{MID_{u}, Y_{u},FQ_{u},PQ_{u}\}\) from the database, the adversary can send a valid request message to the GW.

  • Step 2 First, \(\mathcal{A}_{adv}\) randomly selects \(N^{\mathcal{A}_{adv}}_{u}\), \(d^{\mathcal{A}_{adv}}\) and computes: \(e^{\mathcal{A}_{adv}}_{u}=d^{\mathcal{A}_{adv}}P\), \(g^{\mathcal{A}_{adv}}_{u}=d^{\mathcal{A}_{adv}}FQ_{GW}\), \(CID^{''\mathcal{A}_{adv}}_{u}=MID^{*}_{u} \oplus H_{4}(e^{\mathcal{A}_{adv}}_{u} \Vert g^{\mathcal{A}_{adv}}_{u})\), \(msg^{\mathcal{A}_{adv}}_{1}=T_{0} \Vert N^{\mathcal{A}_{adv}}_{u} \Vert MID^{*}_{u} \Vert Y^{*}_{u} \Vert IDN_{j}\), \(C^{\mathcal{A}_{adv}}_{1}= Signcrypt(msg^{\mathcal{A}_{adv}}_{1}, PQ_{GW}, FQ_{GW}, H_{4}(H_{1}(B^{\ast}_{u})) )\).

  • Step 3 After the above calculation, \(\mathcal{A}_{adv}\) sends the request message \(\{CID^{''\mathcal{A}_{adv}}_{u}, C^{\mathcal{A}_{adv}}_{1}, e^{\mathcal{A}_{adv}}_{u} \}\) to the GW.

  • Step 4 Upon receiving the request message \(\{CID^{''\mathcal{A}_{adv}}_{u}, C^{\mathcal{A}_{adv}}_{1}, e^{\mathcal{A}_{adv}}_{u} \}\), the GW first calculates \(g_{u}=\alpha_{GW} \cdot e_{u}\), \(l=H_{4}(e_{u}\Vert g_{u})\), \(MID''_{u}=CID^{''\mathcal{A}_{adv}}_{u} \oplus l\). Then the GW retrieves \(FQ_{u}\) using \(MID''_{u}\) and calculates \(msg_{1}=Unsigncrypt(C_{1},PS_{GW},FS_{GW},FQ_{u})\), \(msg_{1}=T_{0}\Vert N_{u}\Vert MID^{*}\Vert Y^{*}\Vert IDN_{j}\). If \(MID^{*}_{u} {\mathop {=}\limits ^{?}} MID''_{u}\) holds, the GW sends \(\{CID^{''}_{GW}, C_{2}, TU_{GW}\}\) to the IoT Node via the public channel.

  • Step 5 On receiving the message \(<CID''_{GW},C_{2},TU_{GW}>\) from the GW, the Node performs the necessary calculations. Finally, the Node sends the message \(<CIDN''_{j},FQ_{j},C_{3}>\) to the user.

  • Step 6 Once the adversary receives \(<CIDN''_{j},FQ_{j},C_{3}>\) from the Node in response to \(\{CID^{''\mathcal{A}_{adv}}_{u}, C^{\mathcal{A}_{adv}}_{1}, e^{\mathcal{A}_{adv}}_{u} \}\), this means that \(\mathcal{A}_{adv}\) has been successfully authenticated by the GW and the Node. Afterwards, \(\mathcal{A}_{adv}\) calculates \(SK=H_{4}(N^{\mathcal{A}_{adv}}_{u}\Vert N_{n}\Vert l\Vert T_{0}\Vert T_{2})\) and shares it with the Node.

  • Step 7 Hence, \(\mathcal{A}_{adv}\) has successfully shared SK with the Node and impersonated the legitimate user.

1.2 Node Impersonation

The GW stores \(J, IDN_{j},FQ_{j},PQ_{j}\) in its database during the Node registration process. Moreover, the Node uses all these parameters in generating the request message. Therefore, an \(\mathcal{A}_{adv}\) can easily masquerade as a legal Node. To impersonate a legal Node, \(\mathcal{A}_{adv}\) follows these steps:

  • Step 1 Suppose an \(\mathcal{A}_{adv}\) extracts the parameters \(PS_{j},PQ_{j},FQ_{j},FS_{j},params\) stored in the Node’s memory and puts them back into the Node. Later, he embeds them in a malicious node so that he can send messages on behalf of the legal Node.

  • Step 2 Upon receiving the message \(<CID''_{GW},C_{2},TU_{GW}>\) from the GW, \(\mathcal{A}_{adv}\) first selects \(N^{\mathcal{A}_{adv}}_{n}\) randomly and computes: \(msg^{\mathcal{A}_{adv}}_{3}=T_{0}\Vert T_{2}\Vert N_{u}\Vert N^{\mathcal{A}_{adv}}_{n}\Vert MID^{*}_{u}\Vert IDN_{j}\), \(C^{\mathcal{A}_{adv}}_{3}=Signcrypt(msg^{\mathcal{A}_{adv}}_{3},PQ_{u},FQ_{u},SN_{j})\), \(CIDN^{''}_{j}= IDN_{j} \oplus l\).

  • Step 3 Afterwards, \(\mathcal{A}_{adv}\) sends the message \(\{CIDN''_{j}, FQ_{j}, C^{\mathcal{A}_{adv}}_{3}\}\) to the user.

  • Step 4 Upon receiving the message \(\{CIDN''_{j}, FQ_{j}, C^{\mathcal{A}_{adv}}_{3}\}\), the user first calculates \(msg_{3}=Unsigncrypt(C^{\mathcal{A}_{adv}}_{3},PS_{u},FS_{u},FQ_{j})\), \(msg_{3}=T_{0}\Vert T_{2}\Vert N_{u}\Vert N^{\mathcal{A}_{adv}}_{n}\Vert MID^{*}_{u}\Vert IDN_{j}\), \(IDN''_{j}=CIDN''_{j} \oplus l\). Afterwards, the user verifies \(IDN_{j}{\mathop {=}\limits ^{?}}IDN''_{j}\). If it holds, the user agrees on a common shared session key with the Node.

  • Step 5 Hence, \(\mathcal{A}_{adv}\) can successfully impersonate the legitimate Node and establish a session by sharing SK with the user. Therefore, this scheme is vulnerable to a Node impersonation attack.
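As an added illustration (not from Nikravan-Reza’s paper and not part of this comment’s original text), the following Python models the pseudonym step that both attacks above rely on: \(CID''_{u}=MID_{u} \oplus l\) in Sect. 1.1 and \(CIDN''_{j}=IDN_{j} \oplus l\) in Sect. 1.2, where \(l=H_{4}(e_{u}\Vert g_{u})\) is derived Diffie-Hellman style from \(e_{u}=dP\) and \(g_{u}=d \cdot FQ_{GW}=\alpha_{GW} \cdot e_{u}\). It assumes a multiplicative group modulo a prime in place of the paper’s pairing-friendly elliptic-curve group, SHA-256 for \(H_{4}\), and a constructed registration record; the function names are ours. The point it makes explicit is the one argued above: the pseudonym and the check \(MID^{*}_{u} {\mathop {=}\limits ^{?}} MID''_{u}\) involve only the identity held in the GW database plus public parameters, so a matching pseudonym selects a record but says nothing about who formed it.

```python
import hashlib
import secrets
from typing import Optional

# Toy stand-in for the paper's group (assumption, constructed for this example):
# a multiplicative group modulo a prime, where the paper's scalar multiplication
# d*P is written pow(P_GEN, d, p). Only the Diffie-Hellman structure of the
# pseudonym is modelled; the paper itself works in a pairing setting.
p = (1 << 127) - 1      # constructed toy modulus (a Mersenne prime)
P_GEN = 5               # stand-in for the base point P
ORDER = p - 1           # exponents live modulo the group order


def H4(*parts: int) -> int:
    """The paper's hash H4, modelled as SHA-256 over the concatenated inputs (assumption)."""
    data = b"".join(x.to_bytes(32, "big") for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def gw_keygen() -> tuple:
    """GW long-term secret alpha_GW and public key FQ_GW = alpha_GW * P."""
    alpha_gw = secrets.randbelow(ORDER - 2) + 2
    return alpha_gw, pow(P_GEN, alpha_gw, p)


def mask_identity(mid: int, fq_gw: int) -> tuple:
    """Sender side of the pseudonym: e_u = d*P, g_u = d*FQ_GW, l = H4(e_u || g_u),
    CID'' = MID xor l. Inputs are the stored identity MID and public values only."""
    d = secrets.randbelow(ORDER - 2) + 2
    e_u = pow(P_GEN, d, p)
    g_u = pow(fq_gw, d, p)
    l = H4(e_u, g_u)
    return mid ^ l, e_u


def gw_unmask(cid: int, e_u: int, alpha_gw: int) -> int:
    """GW side: g_u = alpha_GW * e_u, l = H4(e_u || g_u), MID'' = CID'' xor l."""
    g_u = pow(e_u, alpha_gw, p)
    l = H4(e_u, g_u)
    return cid ^ l


def gw_lookup(cid: int, e_u: int, alpha_gw: int, gw_db: dict) -> Optional[dict]:
    """Retrieve the registration record {Y_u, FQ_u, PQ_u} that MID'' selects, as the GW
    does before unsigncrypting msg_1. Returns None when MID'' matches no registered user."""
    return gw_db.get(gw_unmask(cid, e_u, alpha_gw))


def any_holder_of_mid_resolves_to_same_record() -> bool:
    """Self-check of the observation in Sect. 1.1: two independent parties who both
    hold MID_u (the registered user and anyone who read it from the GW database)
    produce pseudonyms that the GW resolves to the very same record. The pseudonym
    therefore contains no sender-only secret and cannot serve as authentication."""
    alpha_gw, fq_gw = gw_keygen()
    # constructed identity and toy registration record
    mid_u = int.from_bytes(b"constructed-MID_u-for-demo".ljust(32, b"\0"), "big")
    gw_db = {mid_u: {"Y_u": 0xA1, "FQ_u": 0xB2, "PQ_u": 0xC3}}
    cid_user, e_user = mask_identity(mid_u, fq_gw)     # registered user's request
    cid_other, e_other = mask_identity(mid_u, fq_gw)   # another holder of MID_u
    rec_user = gw_lookup(cid_user, e_user, alpha_gw, gw_db)
    rec_other = gw_lookup(cid_other, e_other, alpha_gw, gw_db)
    return rec_user is not None and rec_user is rec_other
```

A useful way to read the result: the GW’s identity check is a database lookup keyed on a value the GW itself stores, so a stolen copy of that database is sufficient to make the lookup succeed; whatever binds the request to a particular sender has to come from material the GW does not hold, which is exactly what the attacks in Sects. 1.1 and 1.2 show is absent.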

2 Conclusion

This comment concerns “A Multi-factor User Authentication and Key Agreement Protocol Based on Bilinear Pairing for the Internet of Things”, proposed by Nikravan-Reza [1]. In this comment, we have pointed out attacks on Nikravan-Reza’s protocol. It is shown that their protocol has weaknesses, including susceptibility to user impersonation and node impersonation attacks.