Comments on “Biometrics-Based Privacy-Preserving User Authentication Scheme for Cloud-Based Industrial Internet of Things Deployment”

Very recently, Das et al. (IEEE Internet of Things Journal, vol. 5, no. 6, pp. 4900–4913, 2018, DOI: 10.1109/JIOT.2018.2877690) presented a biometrics-based solution for security and privacy in the Industrial Internet of Things architecture. Das et al. claimed that their protocol is secure against known attacks. This comment shows, however, that their protocol is vulnerable to stolen-verifier, stolen-smart-device, and traceability attacks. An attacker who holds the public parameters together with either the verifier or the parameters stored in the smart device can easily recover the session key shared between the user and the smart device. Moreover, their protocol fails to provide perfect forward secrecy. Finally, this article also provides some necessary guidelines on attack resilience for authentication schemes built only on symmetric-key primitives, which Das et al. overlooked.
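The abstract's closing point, that a scheme built only on symmetric-key primitives cannot give perfect forward secrecy once the server-side verifier leaks, is illustrated below with two constructed toy schemes. This is an added example and not the Das et al. protocol, the comment's own attack, or any code from either paper. Scheme A derives the session key from the stored verifier and the exchanged nonces, so whoever holds the verifier and a recorded transcript recomputes every session key. Scheme B mixes in ephemeral Diffie-Hellman contributions and uses the verifier only to authenticate the exchange, so the stolen material and the transcript no longer determine the key. The DH parameters, identities, nonces and secrets are constructed for illustration; the candidate set computed by `dh_candidates_from_stolen` is a sample of what the attacker can derive, not a proof of security, and the toy group is not one a deployment should use.

```python
import hashlib
import hmac

# Constructed toy DH parameters for illustration only (not a vetted group;
# a real deployment would use a standardized group or an elliptic curve).
P = 2**255 - 19
G = 2


def h(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of the inputs."""
    return hashlib.sha256(b"".join(parts)).digest()


def make_verifier(identity: bytes, password: bytes) -> bytes:
    """Password-derived verifier kept by the server (the stolen-verifier target)."""
    return h(identity, password)


# ---- Scheme A: session key built from symmetric primitives only -------------

def sym_session_key(verifier: bytes, r_user: bytes, r_server: bytes) -> bytes:
    """Both parties derive SK from the shared verifier and the exchanged nonces."""
    return hmac.new(verifier, r_user + r_server, hashlib.sha256).digest()


def sym_recover_from_stolen(verifier: bytes, r_user: bytes, r_server: bytes) -> bytes:
    """An attacker holding the stolen verifier and a recorded transcript simply
    repeats the derivation, so every past and future SK of this scheme is exposed."""
    return sym_session_key(verifier, r_user, r_server)


# ---- Scheme B: ephemeral Diffie-Hellman, verifier used only to authenticate ----

def dh_public(secret: int) -> int:
    """Ephemeral public share g^secret mod p."""
    return pow(G, secret, P)


def dh_session_key(my_secret: int, peer_public: int) -> bytes:
    """SK depends on the ephemeral secrets, which never appear on the wire."""
    shared = pow(peer_public, my_secret, P)
    return h(shared.to_bytes(32, "big"))


def dh_auth_tag(verifier: bytes, pub_user: int, pub_server: int) -> bytes:
    """The long-term verifier authenticates the shares but does not feed the key."""
    msg = pub_user.to_bytes(32, "big") + pub_server.to_bytes(32, "big")
    return hmac.new(verifier, msg, hashlib.sha256).digest()


def dh_candidates_from_stolen(verifier: bytes, pub_user: int, pub_server: int,
                              tag: bytes) -> set:
    """A sample of values the attacker can compute from the stolen verifier and
    the transcript without an ephemeral secret. None of them equals SK, because
    SK is not a function of that material alone."""
    msg = pub_user.to_bytes(32, "big") + pub_server.to_bytes(32, "big")
    return {
        hmac.new(verifier, msg, hashlib.sha256).digest(),
        h(msg),
        h(verifier, msg),
        h(tag),
        h(((pub_user * pub_server) % P).to_bytes(32, "big")),
    }


def compare(identity: bytes, password: bytes, r_user: bytes, r_server: bytes,
            a: int, b: int) -> dict:
    """Run one session of each scheme and report what a stolen verifier yields."""
    v = make_verifier(identity, password)

    sk_sym = sym_session_key(v, r_user, r_server)
    sym_exposed = sym_recover_from_stolen(v, r_user, r_server) == sk_sym

    pub_u, pub_s = dh_public(a), dh_public(b)
    sk_u = dh_session_key(a, pub_s)
    sk_s = dh_session_key(b, pub_u)
    tag = dh_auth_tag(v, pub_u, pub_s)
    dh_exposed = sk_u in dh_candidates_from_stolen(v, pub_u, pub_s, tag)

    return {
        "sym_key_exposed_by_stolen_verifier": sym_exposed,
        "dh_keys_agree": sk_u == sk_s,
        "dh_key_exposed_by_stolen_verifier": dh_exposed,
    }


if __name__ == "__main__":
    # Constructed sample inputs: identity, password, two nonces, two ephemeral secrets.
    print(compare(b"user-1", b"pw", b"\x01" * 16, b"\x02" * 16, 12345, 67890))
```

The design point the comparison makes is that forward secrecy is a property of how the session key is derived, not of how strong the long-term secret is: in scheme A the verifier is both the authentication secret and the key material, so a single server-side leak retroactively exposes every recorded session, whereas in scheme B the verifier only binds the ephemeral shares to the parties and the key itself is discarded with the ephemeral secrets.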
