An improved authentication scheme for Internet of things

Designing a secure authentication scheme is of great importance to the practical applications of the Internet of Things (IoT). In 2017, Wang et al. proposed an improved mutual authentication scheme between embedded devices and a server, building on the schemes of Kalra et al. and Chang et al., and they provided a formal proof for their scheme. However, their scheme is still insecure and cannot resist the key compromise impersonation (KCI) attack. In this paper, we first demonstrate the shortcoming of Wang et al.'s scheme, and then we improve Wang et al.'s scheme to address the revealed issue by using an auxiliary server.


Introduction
The Internet of Things (IoT) is considered to be the technological and economic wave of the global information industry after the Internet [1]. The use of IoT applications [2][3][4][5] brings many conveniences to people. In these IoT applications, the things collect sensitive information from the environment, which is then used for analysis and decision making [6]. However, the security issues of the IoT are more challenging than those of the traditional Internet [7]. Most IoT devices are resource-constrained, and it is difficult to implement complex encryption algorithms on them. If the security issues cannot be addressed, they will hinder the massive use of IoT applications [8]. Therefore, it is important to design a secure and lightweight authentication scheme for the IoT.
Traditional Public Key Cryptosystems (PKC) have to deal with the distribution and management of certificates, which are too complex to be utilized on IoT devices [9]. In 1984, Shamir [10] first introduced the idea of ID-based cryptosystems (IBC). IBC avoids time-consuming and complex certificate mechanisms by using the entity's ID or email address as its public key, which makes it suitable for IoT scenarios. An ID-based cryptosystem often uses elliptic curve cryptography (ECC [11]) because ECC obtains the same security strength with a smaller key size [12]. Truong et al. [13] proposed an ID-based authentication scheme for mobiles on ECC. Liao et al. [14] proposed a secure ECC-based RFID authentication scheme, integrated with an ID-verifier transfer protocol. Shah et al. [15] used a variant of the three-way authentication mechanism to authenticate the IoT device and the server. They used a secure vault to store keys and changed the secure vault according to the data exchanged between the server and the device after every session. Yao et al. [16] proposed a lightweight attribute-based encryption scheme for the IoT on ECC. Aman et al. [17] proposed a mutual authentication scheme for IoT systems using physical unclonable functions. Hao et al. [18] proposed a collaborative PHY (physical-layer)-aided technique for end-to-end IoT devices. They used the devices' unique PHY features (carrier frequency offset (CFO), in-phase/quadrature-phase imbalance (IQI)) and the collaboration of several intermediate nodes to achieve an elevated resistance to computation-based attacks.
In 2015, Kalra et al. [19] proposed a lightweight authentication scheme using elliptic curve cryptography. Their scheme implements mutual authentication between embedded devices and the cloud server. However, Chang et al. [20] found that Kalra et al.'s scheme cannot achieve mutual authentication and that the server cannot calculate the session key, so Chang et al. proposed an improved scheme to address these problems. In 2017, Wang et al. [21] found that Chang et al.'s improved scheme is still insecure: the adversary can impersonate the server to communicate with the device and can further obtain session keys, which may cause huge damage (Kalra et al.'s scheme cannot withstand this attack either). Therefore, Wang et al. proposed a modified scheme to solve the problem and gave a formal proof for their improved scheme. However, Wang et al.'s scheme is still not safe. In this paper, we demonstrate that Wang et al.'s scheme cannot resist the key compromise impersonation (KCI) attack [22]: the adversary can impersonate the legitimate device to communicate with the server. We then offer an improved scheme to address the revealed issue without losing the security features and advantages of Wang et al.'s scheme.
The paper is organized as follows. Section II reviews Wang et al.'s scheme. Section III shows the insecurity of Wang et al.'s scheme. Section IV is our improved scheme and the analysis of it. Section V compares our scheme with relevant schemes. Section VI presents the conclusion.

Review of Wang et al.'s scheme
In this section, we review the scheme proposed by Wang et al. The notations used are listed in Table 1.

System initialization phase
Before the system begins, the server $S$ selects a secret key $X$ of $l_h$ bits, a one-way hash function $H(\cdot)$, an elliptic curve $E$ and a generator $G$ on $E$. Then $S$ publishes $(H(\cdot), E, G)$ as the system parameters and keeps the key $X$ secret.

Registration phase
In this phase, the embedded device $D_i$ is registered with the server $S$. $D_i$ sends its $ID_i$ to $S$. Then $S$ calculates

Analysis of Wang et al.'s scheme
In this section, we demonstrate that Wang et al.'s scheme cannot withstand a realistic attack, namely the key compromise impersonation (KCI) attack. In a KCI attack [22], if the adversary $A$ obtains the key of a communicating party, it can either impersonate the compromised party to communicate with the other parties, or impersonate the other parties to communicate with the compromised party. A scheme that is free from this form of "reverse impersonation" is said to resist the KCI attack; that is, in such a scheme, the adversary $A$ can only use the key to impersonate the compromised party.
Here, we show the damage a KCI attack can cause. If the adversary $A$ impersonates the device $D$ to communicate with the server, it may send false information to the server, causing the server to make wrong decisions (e.g., temperature alarms). At the same time, under a common access control policy, the data (such as sensitive medical data) stored on the server by the device $D$ is accessible only by the device $D$ itself, and the server has no access rights; this is very common in practical applications. If the server is compromised, the adversary $A$ may still not be able to get the device's data, but if the adversary $A$ impersonates the device $D$ to communicate with the server and obtains the session key, the adversary $A$ will get the data that the device $D$ stored on the server.
Under the scheme of Wang et al., suppose the adversary $A$ breaks into the server (e.g., using zero-day attacks like Heartbleed [23,24]) and gets the server's secret key $X$ and the stored database information. The adversary $A$ can impersonate $D_i$ as follows: Step to the server.
Step 2: Upon receiving   , which is equal to the session key that $A$ holds. Therefore, Wang et al.'s scheme is insecure. The KCI attack scenario assumes that the server was compromised but that the compromise was discovered only much later. This happens in the real world; for example, the compromise of JPMorgan Chase's servers was discovered a few months after it occurred [25].

Our improved scheme
According to [26], when an authentication server also acts as a registry, it is impossible for the authentication server to withstand the KCI attack. Inspired by the studies of Camenisch et al. [27] and Wang et al. [12], we use one more server (i.e., an auxiliary server) to solve the security problem of Wang et al.'s scheme. For security reasons, we can deploy two servers (e.g., A and B) on the same Local Area Network (LAN), so both A and B have an IP address on the LAN. In addition, one of them (say A) is also exposed to the Internet, so A also has a public IP address and others can reach A through the Internet. A firewall inside the LAN can enforce an access policy under which only A's internal LAN IP is allowed to access B. In this way, B cannot be reached from the Internet at all, which makes B a good place to store important or sensitive data. Details can be seen in Figure 2. Figure 3 shows our improved scheme; the parts we modified are underlined with a solid line. Based on the above analysis, we deploy the auxiliary server $AS$ and the server $S$ on the same LAN. The server $S$ has both a public IP address and a LAN IP address. We set the policy to allow only the server $S$'s LAN IP address to access the auxiliary server $AS$, and the server $S$ is restricted to sending only the ID to the auxiliary server $AS$.

Details of the improvement
In the device registration phase, the server $S$ no longer stores $T_i$; instead, it sends $T_i$ through a secure channel to the auxiliary server $AS$ for storage together with the device's ID $ID_i$. Besides, the server sends not only $CK'$ but also $T_i$ to the device $D_i$ over the secure channel. In the login and authentication phase, the server $S$ extracts the device's ID $ID_i$ from the login request and sends it to the auxiliary server $AS$ using its LAN IP address. The auxiliary server $AS$ queries its database for the $T_i$ corresponding to $ID_i$ and sends $(ID_i, T_i)$ back to the server $S$. The message that the server $S$ returns to the device $D_i$ is only $(P_3, P_4)$; $T_i$ is no longer included.
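As an added illustration (not the paper's code) of the deployment policy and the lookup flow described above, the toy Python model below has the auxiliary server AS answer ID lookups only from S's LAN address, has S forward nothing but the ID, and shows that a dump of S alone (X plus its database) contains no T_i. The IP addresses, device ID, secret-key placeholder and T_i value are constructed for the example; real values would come from the registration phase.

```python
import ipaddress

S_LAN_IP = "10.0.0.2"          # assumed LAN address of server S
AS_ALLOWED_SOURCE = S_LAN_IP   # LAN firewall policy: only S's LAN IP may reach AS
S_SECRET_X = b"placeholder-secret-key-X"   # stands in for the server's secret key X

# S's database after registration in the improved scheme: T_i is no longer stored here.
S_DATABASE = {"dev-001": {"registered": True}}
# AS's table of (ID_i -> T_i), received from S over the secure channel at registration.
AS_TABLE = {"dev-001": bytes.fromhex("9c1e4b7a2d5f8e3061a4c7d2b9f0e5a1")}  # constructed T_i


def as_lookup(source_ip, id_i):
    """AS answers only requests arriving from S's LAN address, and only with (ID_i, T_i)."""
    try:
        src = ipaddress.ip_address(source_ip)
    except ValueError:
        return None
    if src != ipaddress.ip_address(AS_ALLOWED_SOURCE):
        return None                      # dropped by the LAN access policy
    t_i = AS_TABLE.get(id_i)
    return None if t_i is None else (id_i, t_i)


def s_fetch_t_i(login_request):
    """S extracts ID_i from the login request and asks AS for T_i via its LAN IP.
    Only the ID is forwarded to AS; nothing else from the request leaves S."""
    id_i = login_request.get("ID")
    if not isinstance(id_i, str):
        return None
    answer = as_lookup(S_LAN_IP, id_i)
    return None if answer is None else answer[1]


def compromised_server_view():
    """What an adversary obtains by breaking into S alone: X and S's database."""
    return {"X": S_SECRET_X, "db": {k: dict(v) for k, v in S_DATABASE.items()}}


def t_i_in_view(view, id_i):
    """True if the material taken from S contains T_i for this device (it does not)."""
    return "T_i" in view["db"].get(id_i, {})
```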

Analysis of our improved scheme
Theorem 1: Our improved scheme retains the security features and advantages of Wang et al.'s scheme.
Proof: In our proposed scheme, only the storage location of $T_i$ has been changed; that is, $T_i$ is now stored in the device and in the auxiliary server separately. No other change has been made. Therefore, our scheme inherits the security features and advantages of Wang et al.'s scheme. Details of the security features and advantages of Wang et al.'s scheme can be found in [21].
Theorem 2: Our improved scheme can resist the KCI attack.
Proof: Suppose the adversary $A$ breaks into the server $S$ and gets the server's secret key $X$ as well as the database information. Because $A$ lacks $T_i$ and cannot intercept $T_i$ from the channel (the server $S$ sends only $(P_3, P_4)$, not $T_i$), $A$ cannot reconstruct $CK$, which means $A$ cannot calculate $CK'$, let alone $P_2$ and $V_i$. As a result, the adversary $A$ cannot impersonate the device $D_i$ to communicate with the server $S$, so $A$ cannot conduct the KCI attack unless it breaks into the auxiliary server $AS$ as well. In practice, it is almost impossible to break into two servers with different protection measures at the same time. Further, when we adopt the above deployment or other measures to ensure the security of the auxiliary server $AS$, the adversary $A$ cannot carry out the KCI attack, which means that our scheme resists the KCI attack.

Efficiency and comparison
In this section, we compare our scheme with the related schemes of Chang et al. [20] and Wang et al. [21]. Without loss of generality and for the sake of simplicity, we assume that all values (device ID, the output of hash functions, points on
Table 2 shows the results of the comparison.
As can be seen from the table, the efficiency of our scheme is slightly lower than that of Chang et al. [20] and Wang et al. [21]. But considering that our scheme fixes the security flaw of their schemes, the slight loss of efficiency is worthwhile.

Conclusion
In this paper, we show that Wang et al.'s scheme is insecure and unable to resist the KCI attack: the adversary can impersonate a legitimate device to communicate with the server, which may bring many security risks. Using an auxiliary server solves the defect of Wang et al.'s scheme while retaining its security features and advantages. In general, our improved scheme provides greater security for embedded devices and the server.