On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions

Display Omitted We demonstrate privacy breaches into two password authentication schemes for WSNs.Public-key techniques are indispensible to achieve user untraceability.Our principle is applicable to two-factor authentication for universal environments.We discuss the viable solutions to practical realization of user anonymity.Experimental timings of related public-key operations on small devices are reported. Anonymity is among the important properties of two-factor authentication schemes for wireless sensor networks (WSNs) to preserve user privacy. Though impressive efforts have been devoted to designing schemes with user anonymity by only using lightweight symmetric-key primitives such as hash functions and block ciphers, to the best of our knowledge none has succeeded so far. In this work, we take an initial step to shed light on the rationale underlying this prominent issue. Firstly, we scrutinize two previously-thought sound schemes, namely Fan et al.'s scheme and Xue et al.'s scheme, and demonstrate the major challenges in designing a scheme with user anonymity.Secondly, using these two foremost schemes as case studies and on the basis of the work of Halevi-Krawczyk (1999) 44 and Impagliazzo-Rudich (1989) 43, we put forward a general principle: Public-key techniques are intrinsically indispensable to construct a two-factor authentication scheme that can support user anonymity. Furthermore, we discuss the practical solutions to realize user anonymity. Remarkably, our principle can be applied to two-factor schemes for universal environments besides WSNs, such as the Internet, global mobility networks and mobile clouds. We believe that our work contributes to a better understanding of the inherent complexity in achieving user privacy, and will establish a groundwork for developing more secure and efficient privacy-preserving two-factor authentication schemes.

[1]  Mun-Kyu Lee,et al.  Improvement of Das's Two-Factor Authentication Protocol in Wireless Sensor Networks , 2009, IACR Cryptol. ePrint Arch..

[2]  Chunguang Ma,et al.  Cryptanalysis of Two Dynamic ID-Based Remote User Authentication Schemes for Multi-server Architecture , 2012, NSS.

[3]  Peilin Hong,et al.  A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture , 2012, J. Comput. Syst. Sci..

[4]  Marko Hölbl,et al.  A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion , 2014, Ad Hoc Networks.

[5]  Mike Bond,et al.  2010 IEEE Symposium on Security and Privacy Chip and PIN is Broken , 2022 .

[6]  Marko Hölbl,et al.  An Improved Dynamic Password-based User Authentication Scheme for Hierarchical Wireless Sensor Networks , 2013 .

[7]  Peeter Laud,et al.  On the (im)possibility of perennial message recognition protocols without public-key cryptography , 2011, SAC.

[8]  Robert H. Sloan,et al.  Examining Smart-Card Security under the Threat of Power Analysis Attacks , 2002, IEEE Trans. Computers.

[9]  Donghoon Lee,et al.  Security Analysis and Improvements of Two-Factor Mutual Authentication with Key Agreement in Wireless Sensor Networks , 2014, Sensors.

[10]  Chunguang Ma,et al.  Robust Smart Card based Password Authentication Scheme against Smart Card Loss Problem , 2012, IACR Cryptol. ePrint Arch..

[11]  Mihir Bellare,et al.  Authenticated Key Exchange Secure against Dictionary Attacks , 2000, EUROCRYPT.

[12]  Peilin Hong,et al.  A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks , 2013, J. Netw. Comput. Appl..

[13]  Yongge Wang,et al.  Password Protected Smart Card and Memory Stick Authentication Against Off-line Dictionary Attacks , 2012, IACR Cryptol. ePrint Arch..

[14]  Ran Canetti,et al.  The random oracle methodology, revisited , 2000, JACM.

[15]  Andrei Gurtov,et al.  A Strong Authentication Scheme with User Privacy for Wireless Sensor Networks , 2013 .

[16]  Cheng-Chi Lee,et al.  Towards Secure and Dynamic Password Based User Authentication Scheme in Hierarchical Wireless Sensor Networks , 2013 .

[17]  Robert H. Deng,et al.  Privacy Protection for Transactions of Digital Goods , 2001, ICICS.

[18]  Jing Liu,et al.  Improved privacy-preserving authentication scheme for roaming service in mobile networks , 2014, 2014 IEEE Wireless Communications and Networking Conference (WCNC).

[19]  Juan Qu,et al.  An Improved Dynamic ID-Based Remote User Authentication with Key Agreement Scheme , 2013, J. Electr. Comput. Eng..

[20]  Chun Chen,et al.  Distributed Access Control with Privacy Support in Wireless Sensor Networks , 2011, IEEE Transactions on Wireless Communications.

[21]  Jing Xu,et al.  A Generic Framework for Anonymous Authentication in Mobile Networks , 2013, Journal of Computer Science and Technology.

[22]  Jianfeng Ma,et al.  A new authentication scheme with anonymity for wireless environments , 2004, IEEE Trans. Consumer Electron..

[23]  Yun Zhao,et al.  Cryptanalysis and improvement of an authentication scheme for telecare medical information systems , 2014, Int. J. Electron. Secur. Digit. Forensics.

[24]  Yuguang Fang,et al.  SAT: A Security Architecture Achieving Anonymity and Traceability in Wireless Mesh Networks , 2011, IEEE Transactions on Dependable and Secure Computing.

[25]  Gerhard P. Hancke,et al.  Attacking smart card systems: Theory and practice , 2009, Inf. Secur. Tech. Rep..

[26]  Rafail Ostrovsky,et al.  Efficient and secure authenticated key exchange using weak passwords , 2009, JACM.

[27]  Birgit Pfitzmann,et al.  Limits of the Cryptographic Realization of Dolev-Yao-Style XOR , 2005, ESORICS.

[28]  Wei-Kuan Shih,et al.  A Robust Mutual Authentication Protocol for Wireless Sensor Networks , 2010 .

[29]  Daniel R. Simon,et al.  Finding Collisions on a One-Way Street: Can Secure Hash Functions Be Based on General Assumptions? , 1998, EUROCRYPT.

[30]  Chunguang Ma,et al.  Security flaws in two improved remote user authentication schemes using smart cards , 2014, Int. J. Commun. Syst..

[31]  Tatsuaki Okamoto,et al.  Secure Integration of Asymmetric and Symmetric Encryption Schemes , 1999, Journal of Cryptology.

[32]  Ahto Buldas,et al.  Does Secure Time-Stamping Imply Collision-Free Hash Functions? , 2007, ProvSec.

[33]  Sunil Arya,et al.  Space-time tradeoffs for approximate nearest neighbor searching , 2009, JACM.

[34]  Da-Zhi Sun,et al.  On the security and improvement of a two-factor user authentication scheme in wireless sensor networks , 2012, Personal and Ubiquitous Computing.

[35]  Vipul Gupta,et al.  Energy analysis of public-key cryptography for wireless sensor networks , 2005, Third IEEE International Conference on Pervasive Computing and Communications.

[36]  Dong Hoon Lee,et al.  Security flaw of authentication scheme with anonymity for wireless communications , 2009, IEEE Communications Letters.

[37]  Michael Scott,et al.  Implementing Cryptographic Pairings on Smartcards , 2006, CHES.

[38]  Pietro Michiardi,et al.  Password Strength: An Empirical Analysis , 2010, 2010 Proceedings IEEE INFOCOM.

[39]  Daojing He,et al.  An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks , 2011, Journal of Zhejiang University SCIENCE C.

[40]  Wei-Kuan Shih,et al.  Improvement of the secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[41]  Ping Wang,et al.  Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards , 2013, ISC.

[42]  Huan Guo Zhang,et al.  Cryptanalysis of a Remote User Authentication Scheme , 2013 .

[43]  Kai Bu,et al.  Robust localization against outliers in wireless sensor networks , 2013, TOSN.

[44]  Vitaly Shmatikov,et al.  Information Hiding, Anonymity and Privacy: a Modular Approach , 2004, J. Comput. Secur..

[45]  Xuemin Shen,et al.  SE-AKA: A secure and efficient group authentication and key agreement protocol for LTE networks , 2013, Comput. Networks.

[46]  Jianhua Li,et al.  Anonymity Enhancement on Robust and Efficient Password-Authenticated Key Agreement Using Smart Cards , 2010, IEEE Transactions on Industrial Electronics.

[47]  Sencun Zhu,et al.  Least privilege and privilege deprivation: towards tolerating mobile sink compromises in wireless sensor networks , 2005, MobiHoc '05.

[48]  W M Ross Whats in a name? , 1989, Clinical radiology.

[49]  Jin-Young Choi,et al.  Improved User Authentication Scheme with User Anonymity for Wireless Communications , 2011, IEICE Trans. Fundam. Electron. Commun. Comput. Sci..

[50]  Guomin Yang,et al.  A Secure and Effective Anonymous User Authentication Scheme for Roaming Service in Global Mobility Networks , 2013, Wireless Personal Communications.

[51]  Fan Wu,et al.  A Collusion-Resistant Routing Scheme for Noncooperative Wireless Ad Hoc Networks , 2010, IEEE/ACM Transactions on Networking.

[52]  David Evans,et al.  Reverse-Engineering a Cryptographic RFID Tag , 2008, USENIX Security Symposium.

[53]  Ramesh Govindan,et al.  Cloud-enabled privacy-preserving collaborative learning for mobile sensing , 2012, SenSys '12.

[54]  Xiaohui Liang,et al.  CPAL: A Conditional Privacy-Preserving Authentication With Access Linkability for Roaming Service , 2014, IEEE Internet of Things Journal.

[55]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[56]  Giuseppe Di Battista,et al.  26 Computer Networks , 2004 .

[57]  Jian-Jun Yuan,et al.  An enhanced two-factor user authentication in wireless sensor networks , 2014, Telecommun. Syst..

[58]  Joseph Bonneau,et al.  The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords , 2012, 2012 IEEE Symposium on Security and Privacy.

[59]  Chin-Chen Chang,et al.  An authentication and key agreement protocol for satellite communications , 2014, Int. J. Commun. Syst..

[60]  Hsin-Wen Wei,et al.  A Secured Authentication Protocol for Wireless Sensor Networks Using Elliptic Curves Cryptography , 2011, Sensors.

[61]  Liaojun Pang,et al.  An efficient authentication protocol with user anonymity for mobile networks , 2013, 2013 IEEE Wireless Communications and Networking Conference (WCNC).

[62]  Cheng-Chi Lee,et al.  Security Enhancement on a New Authentication Scheme With Anonymity for Wireless Environments , 2006, IEEE Transactions on Industrial Electronics.

[63]  Chun Chen,et al.  Secure and Efficient Handover Authentication Based on Bilinear Pairing Functions , 2012, IEEE Transactions on Wireless Communications.

[64]  Chunguang Ma,et al.  Cryptanalysis of a remote user authentication scheme for mobile client-server environment based on ECC , 2013, Inf. Fusion.

[65]  Berk Sunar,et al.  Cryptography on a Speck of Dust , 2007, Computer.

[66]  Kangseok Kim,et al.  An efficient secure authentication scheme with user anonymity for roaming user in ubiquitous networks , 2013, Peer-to-Peer Networking and Applications.

[67]  Chun Chen,et al.  A strong user authentication scheme with smart cards for wireless communications , 2011, Comput. Commun..

[68]  Xi Fang,et al.  Two-Tiered Constrained Relay Node Placement in Wireless Sensor Networks: Computational Complexity and Efficient Approximations , 2012, IEEE Transactions on Mobile Computing.

[69]  Xiong Li,et al.  An improved remote user authentication scheme with key agreement , 2014, Comput. Electr. Eng..

[70]  Joseph Bonneau,et al.  What's in a Name? , 2020, Financial Cryptography.

[71]  Pietro Michiardi,et al.  Measuring Password Strength: An Empirical Analysis , 2009, ArXiv.

[72]  Pardeep Kumar,et al.  E-SAP: Efficient-Strong Authentication Protocol for Healthcare Applications Using Wireless Medical Sensor Networks , 2012, Sensors.

[73]  Pardeep Kumar,et al.  RUASN: A Robust User Authentication Framework for Wireless Sensor Networks , 2011, Sensors.

[74]  Chun Chen,et al.  An Enhanced Two-factor User Authentication Scheme in Wireless Sensor Networks , 2010, Ad Hoc Sens. Wirel. Networks.

[75]  Ashok Kumar Das,et al.  A dynamic password-based user authentication scheme for hierarchical wireless sensor networks , 2012, J. Netw. Comput. Appl..

[76]  Muhammad Khurram Khan,et al.  Cryptanalysis and security enhancement of a 'more efficient & secure dynamic ID-based remote user authentication scheme' , 2011, Comput. Commun..

[77]  Shuenn-Shyang Wang,et al.  A secure dynamic ID based remote user authentication scheme for multi-server environment , 2009, Comput. Stand. Interfaces.

[78]  Bart Preneel,et al.  Security implications in Kerberos by the introduction of smart cards , 2012, ASIACCS '12.

[79]  Zhenfu Cao,et al.  On the anonymity of some authentication schemes for wireless communications , 2009, IEEE Commun. Lett..

[80]  David Chaum,et al.  Group Signatures , 1991, EUROCRYPT.

[81]  H. T. Mouftah,et al.  Two-factor mutual authentication with key agreement in wireless sensor networks , 2016, Secur. Commun. Networks.

[82]  Jing Xu,et al.  Provable secure authentication protocol with anonymity for roaming service in global mobility networks , 2011, Comput. Networks.

[83]  Ashutosh Saxena,et al.  A dynamic ID-based remote user authentication scheme , 2004, IEEE Transactions on Consumer Electronics.

[84]  Michael Scott,et al.  On the application of pairing based cryptography to wireless sensor networks , 2009, WiSec '09.

[85]  David Pointcheval,et al.  Password-Based Authenticated Key Exchange in the Three-Party Setting , 2005, Public Key Cryptography.

[86]  Huaqun Wang,et al.  On the Security of a Ticket-Based Anonymity System with Traceability Property in Wireless Mesh Networks , 2012, IEEE Transactions on Dependable and Secure Computing.

[87]  Deborah Estrin,et al.  The Tenet architecture for tiered sensor networks , 2006, SenSys '06.

[88]  Russell Impagliazzo,et al.  Limits on the Provable Consequences of One-way Permutations , 1988, CRYPTO.

[89]  Cheng-Chi Lee,et al.  An Advanced Temporal Credential-Based Security Scheme with Mutual Authentication and Key Agreement for Wireless Sensor Networks , 2013, Sensors.

[90]  Ma,et al.  Security Enhancement of Robust User Authentication Framework for Wireless Sensor Networks , 2012 .

[91]  Ping Wang,et al.  Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks , 2014, Ad Hoc Networks.

[92]  Dan Boneh,et al.  Simplified OAEP for the RSA and Rabin Functions , 2001, CRYPTO.

[93]  Xiaotie Deng,et al.  Two-factor mutual authentication based on smart cards and passwords , 2008, J. Comput. Syst. Sci..

[94]  Fan Wu,et al.  Security analysis and Improvement of a Privacy Authentication Scheme for Telecare Medical Information Systems , 2012, Journal of Medical Systems.

[95]  Hugo Krawczyk,et al.  Public-key cryptography and password protocols , 1999 .

[96]  Debiao He,et al.  A new dynamic identity-based authentication protocol for multi-server environment using elliptic curve cryptography , 2012, Secur. Commun. Networks.

[97]  Muhammad Khurram Khan,et al.  Cryptanalysis and Security Improvements of ‘Two-Factor User Authentication in Wireless Sensor Networks’ , 2010, Sensors.

[98]  Jizhou Sun,et al.  Improvements of Juang 's Password-Authenticated Key Agreement Scheme Using Smart Cards , 2009, IEEE Transactions on Industrial Electronics.

[99]  Jian Ma,et al.  An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards , 2012, J. Netw. Comput. Appl..

[100]  Ajinkya Kulkarni,et al.  Understanding identity exposure in pervasive computing environments , 2012, Pervasive Mob. Comput..

[101]  Lein Harn,et al.  An Efficient Threshold Anonymous Authentication Scheme for Privacy-Preserving Communications , 2013, IEEE Transactions on Wireless Communications.

[102]  Chunguang Ma,et al.  On the (in)security of some smart-card-based password authentication schemes for WSN , 2012, IACR Cryptol. ePrint Arch..

[103]  Julien Lancia,et al.  Java Card Combined Attacks with Localization-Agnostic Fault Injection , 2012, CARDIS.

[104]  Jian Ma,et al.  A novel smart card and dynamic ID based remote user authentication scheme for multi-server environments , 2013, Math. Comput. Model..

[105]  Muhammad Khurram Khan,et al.  Cryptanalysis and Improvement of "An Efficient and Secure Dynamic ID-based Authentication Scheme for Telecare Medical Information Systems" , 2014, Secur. Commun. Networks.

[106]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[107]  Qi Xie,et al.  Security Analysis of a Single Sign-On Mechanism for Distributed Computer Networks , 2013, IEEE Transactions on Industrial Informatics.

[108]  Colin Boyd,et al.  Forward Secrecy and Its Application to Future Mobile Communications Security , 2000, Public Key Cryptography.

[109]  Rui Zhang,et al.  Secure Range Queries in Tiered Sensor Networks , 2009, IEEE INFOCOM 2009.

[110]  Manik Lal Das,et al.  Two-factor user authentication in wireless sensor networks , 2009, IEEE Transactions on Wireless Communications.

[111]  Minh-Huyen Nguyen,et al.  The Relationship Between Password-Authenticated Key Exchange and Other Cryptographic Primitives , 2005, TCC.

[112]  Hung-Min Sun,et al.  On the Security of Chien's Ultralightweight RFID Authentication Protocol , 2011, IEEE Transactions on Dependable and Secure Computing.

[113]  Tae Hyun Kim,et al.  Side channel analysis attacks using AM demodulation on commercial smart cards with SEED , 2012, J. Syst. Softw..

[114]  Jenq-Shiou Leu,et al.  Efficient and secure dynamic ID-based remote user authentication scheme for distributed systems using smart cards , 2014, IET Inf. Secur..

[115]  J. van Leeuwen,et al.  Information Hiding , 1999, Lecture Notes in Computer Science.

[116]  Meng Chang Chen,et al.  SPAM: A Secure Password Authentication Mechanism for Seamless Handover in Proxy Mobile IPv6 Networks , 2013, IEEE Systems Journal.

[117]  Dongho Won,et al.  A Privacy-Protecting Authentication Scheme for Roaming Services with Smart Cards , 2012, IEICE Trans. Commun..

[118]  Hung-Min Sun,et al.  Practical RSA signature scheme based on periodical rekeying for wireless sensor networks , 2012, TOSN.

[119]  Wei-Bin Lee,et al.  A Secure Authentication Scheme with Anonymity for Wireless Communications , 2008, IEEE Commun. Lett..

[120]  Chun Chen,et al.  Security and efficiency in roaming services for wireless networks: challenges, approaches, and prospects , 2013, IEEE Communications Magazine.

[121]  Chun Chen,et al.  Lightweight and provably secure user authentication with anonymity for the global mobility network , 2011, Int. J. Commun. Syst..

[122]  Rajendra S. Katti,et al.  A Secure Identification and Key agreement protocol with user Anonymity (SIKA) , 2006, Comput. Secur..