One time password authentication scheme based on elliptic curves for Internet of Things (IoT)

Establishing end-to-end authentication between devices and applications in the Internet of Things (IoT) is a challenging task. Due to heterogeneity in terms of devices, topology, communication and the different security protocols used in IoT, existing authentication mechanisms are vulnerable to security threats and can disrupt the progress of IoT in realizing Smart City, Smart Home, Smart Infrastructure, etc. To achieve end-to-end authentication between IoT devices/applications, the existing authentication schemes and security protocols require a two-factor authentication mechanism. Therefore, as part of this paper we review the suitability of an authentication scheme based on One Time Password (OTP) for IoT and propose a scalable, efficient and robust OTP scheme. Our proposed scheme uses the principles of a lightweight Identity-Based Elliptic Curve Cryptography scheme and Lamport's OTP algorithm. We evaluate the performance of our scheme analytically and experimentally and observe that, with a smaller key size and less infrastructure, it performs on par with the existing OTP schemes without compromising the security level. Our proposed scheme can be implemented in real-time IoT networks and is the right candidate for two-factor authentication among devices, applications and their communications in IoT.
