Security Analysis on “Anonymous Authentication Scheme for Smart Home Environment with Provable Security”

As an important application of the Internet of Things, smart home has greatly facilitated our life. Since the communication channels of smart home are insecure and the transmitted data are usually sensitive, a secure and anonymous user authentication scheme is required. Numerous attempts have been made to design such authentication schemes. Recently, Shuai et al. (Computers & Security 86(2019):132-146) designed an anonymous authentication scheme for smart home using elliptic curve cryptography. They claimed that the proposed scheme is secure against various attacks and provides ideal attributes. However, we show that their scheme cannot resist inside attack and offline dictionary attack and also fails to achieve forward secrecy. Furthermore, we give some suggestions to enhance the security of the scheme. These suggestions also apply to other user authentication schemes with similar flaws.


Introduction
Smart home is a new paradigm of the Internet of Things which can greatly facilitate our life; thus, it attracts much attention. In smart home environments, the smart devices can communicate and cooperate with each other to provide comprehensive services for users. However, the conversations between the users and the smart devices are carried out over an insecure open channel, and an adversary can eavesdrop on the sensitive data transmitted over it. Therefore, it is important to provide a security mechanism that secures these conversations. Multifactor user authentication [1,2] is one of the important ways to verify the authenticity of a user. In a multifactor user authentication scheme for a smart home environment, there are usually four kinds of participants: a set of users, the register center, the gateways, and the sensor nodes. Each user owns her personal secret information, such as a password and a smart device. All participants are required to register at the register center. When a user wants to access real-time data stored on a sensor node, she initiates an access request; the gateway and the sensor node then verify the user, and if the user is valid, a session key is established to encrypt the subsequent conversations. In such schemes, the adversary is usually assumed to be able to [3] (1) control the open channel, that is, intercept, modify, and eavesdrop on the messages sent over it; (2) enumerate all the items in the spaces of passwords and identities; (3) compromise n − 1 factor(s) of an n-factor authentication scheme; (4) acquire the long-term secret key when assessing forward secrecy; (5) compromise some of the sensor nodes; (6) obtain previous session keys; and (7) register as a legitimate participant.
Recently, numerous user authentication schemes have been proposed [4][5][6][7]. Most recently, Shuai et al. [8] designed a new anonymous authentication scheme for the smart home environment. They employ elliptic curve cryptography to authenticate users while resisting offline dictionary attacks, and they generate a pseudoidentity DID_i to provide user anonymity. However, some subtleties are overlooked, which leaves the scheme vulnerable to various attacks. In this paper, we demonstrate that their scheme cannot resist offline dictionary attack and inside attack and fails to achieve forward secrecy. Besides, we also discuss the causes of these security flaws and their countermeasures. The countermeasures we propose can also be applied to other authentication schemes with similar problems.

Review of Shuai et al.'s Scheme
In this section, we briefly review Shuai et al.'s scheme. The notations and abbreviations are shown in Table 1. Firstly, the registration authority RA chooses an elliptic curve E over F_p and an additive group G of E with order q and generator P. Next, RA generates a private/public key pair (x, X), where x ∈ Z_q* and X = x · P, a long-term secret key K, and a hash function h(·): {0, 1}* → Z_q*. Note that x and K are stored in GWN, and {E(F_p), G, P, X, h(·)} is published to all participants.

User Registration Phase
Step 1. U_i ⇒ RA : {ID_i, HPW_i}, where HPW_i = h(PW_i || a) and a is a random nonce.
Step 2. RA first checks the availability of ID_i and computes K_GU = h(ID_i || K),
Step 3. U_i computes A_2 = a ⊕ h(ID_i || PW_i), A_3 = h(ID_i || HPW_i) and stores {A_1, A_2, A_3, TEMP} into the mobile device.

The Smart Device Registration Phase
Step 1. SD_k ⇒ RA : {SID_k}.
Step 2. RA ⇒ SD_k : K_GS. RA checks the validity of SID_k and computes K_GS = h(SID_k || K).
Step 3. SD_k stores K_GS.

Login and Authentication Phase
Step 1. U_i provides ID_i and PW_i, and then the mobile device com- , the mobile device rejects the request and sets TEMP to TEMP + 1. Once TEMP ≥ 3, the mobile device is suspended until U_i re-registers. Otherwise, the mobile device computes n are two random numbers, and SID_k is the identity of the target SD_k.

Cryptanalysis of Shuai et al.'s Scheme
In this section, we demonstrate that Shuai et al.'s scheme suffers from various attacks when the adversary is assumed to have the following real-world capabilities [9][10][11]: (1) exhaust all the items in the Cartesian product of the password space and the identity space; (2) obtain ID_i when assessing the security of the scheme.

Offline Dictionary Attack.
The attack steps are as follows: Step 1. Guess PW_i to be PW_i*, ID_i to be ID_i*.
Step 5. Verify the correctness of PW_i and ID_i by checking if A_3* == A_3.
The time complexity is O(|D_PW| · |D_id| · 3T_H), where T_H is the running time of the hash function.
Assuming the adversary obtains the victim's identity ID_i, the adversary, with the data stored in the smart device and the messages transmitted in the open channel, can guess U_i's password as follows: Step 1. Guess PW_i to be PW_i*, ID_i to be ID_i*.
Step 7. Verify the correctness of PW_i and ID_i by checking if V_1* == V_1.
Step 8. Repeat Steps 1-6 until the correct value of PW_i is found.
The time complexity is O(|D_pw| · |D_id| · 3T_H).
Possible Countermeasures: In offline dictionary attack, the inherent causes are as follows: (1) the adversary can find a verifier to check the correctness of the guessed password and (2) to the adversary, the verifier contains only one unknown parameter (i.e., the victim's password), that is, all the parameters which make up the verifier can be derived from the victim's password. According to Wang and Xu [12], the offline dictionary attack can be divided into two types in terms of where the verifier comes from. In the former attack, the verifier A_3 is extracted from the smart device. To deal with this attack, Wang and Wang [13] proposed a way of integrating the fuzzy-verifier technique and honeywords. That is, let A_3 = h(ID_i || HPW_i) mod n_0, where n_0 is an integer and 2^4 ≤ n_0 ≤ 2^8.
As such, there are about |D_id × D_pw| / l_0 ≈ 2^32 candidate pairs of identity and password which satisfy the equation of Step 5 when l_0 = 2^8. To test a specific pair of identity and password, the adversary needs to initiate an access request online, and this (failed attempt) can be detected and stopped by the parameter TEMP.
For the second attack, a public key is necessary [14]. In Shuai et al.'s scheme, we need to set the verifier V_i = h(ID_i || R_1 || K_GU || M_1 || A_5) and DID_i = ID_i ⊕ h(A). As such, there are essentially two unknown parameters to the adversary, i.e., the password and A_5, and the space of A_5 is too large for the adversary to conduct an offline dictionary attack.
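To make the effect of the fuzzy verifier concrete, here is an added Python example (not code from the paper or from Shuai et al.'s scheme) that registers a user as in Step 3 and then tests every (ID*, PW*) pair of a small constructed dictionary against the stored A_2 and A_3, as the attack above does; SHA-256 stands in for h(·), and the recomputation of a* from A_2 follows the registration formulas (both assumptions). With the exact verifier exactly one pair survives, whereas with A_3 reduced mod n_0 = 16 many pairs survive and each would have to be tested online, where TEMP limits the attempts.

```python
import hashlib
import os
from itertools import product
from typing import Optional

def h(*parts: bytes) -> bytes:
    """h(.) of the scheme, instantiated here with SHA-256 over the concatenation (assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def register(id_i: bytes, pw_i: bytes, n0: Optional[int] = None, a: Optional[bytes] = None):
    """User side of registration (Step 1 and Step 3): returns the stored (A_2, A_3).
    n0=None keeps the original exact verifier; an integer n0 applies the fuzzy verifier
    A_3 = h(ID_i || HPW_i) mod n0 proposed as a countermeasure."""
    a = a if a is not None else os.urandom(32)          # random nonce a
    hpw = h(pw_i, a)                                     # HPW_i = h(PW_i || a)
    a2 = xor(a, h(id_i, pw_i))                           # A_2 = a xor h(ID_i || PW_i)
    a3 = h(id_i, hpw)                                    # A_3 = h(ID_i || HPW_i)
    return a2, (int.from_bytes(a3, "big") % n0 if n0 is not None else a3)

def candidates(a2, a3, ids, pws, n0: Optional[int] = None):
    """Offline guessing against the stored verifier: return every (ID*, PW*) pair whose
    recomputed A_3* equals A_3. The recomputation of a* from A_2 follows the registration
    formulas (assumed here; the paper's intermediate steps are not reproduced)."""
    found = []
    for id_g, pw_g in product(ids, pws):
        a_g = xor(a2, h(id_g, pw_g))                     # a* = A_2 xor h(ID* || PW*)
        a3_g = h(id_g, h(pw_g, a_g))                     # A_3* = h(ID* || h(PW* || a*))
        if n0 is not None:
            a3_g = int.from_bytes(a3_g, "big") % n0      # fuzzy verifier comparison
        if a3_g == a3:                                   # the Step 5 check
            found.append((id_g, pw_g))
    return found
```

With a 64 × 64 constructed dictionary and n_0 = 16, roughly one pair in sixteen passes the fuzzy check, so the adversary is left with hundreds of candidates to try online.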

Forward Secrecy.
Forward secrecy requires that the exposure of the long-term secret key K does not affect the security of previous conversations. However, we find that this scheme cannot provide forward secrecy. If the adversary obtains K and eavesdrops on the parameters {M_2, M_3}, she can recover the session key SK as follows: Step 1. Compute K_GS* = h(SID_k || K).
The time complexity is O(|D_pw| · |D_id| · 2T_H).
Possible Countermeasures: According to Ma et al. [14], the public key technique and two modular exponentiation or point multiplication operations on the smart device are required. Following this principle, we can let SK = h(ID_i || GID_j || A_4 || A_6 || A_7), where A_6 = R_3 · P and A_7 = ω · A_6 = R_3 · A_4. A_6 is computed by SD_k and should be transmitted to U_i in the open channel; A_4 also needs to be sent to SD_k. R_3 must not be transmitted to any participant. As such, the adversary has no way to compute A_7 (this is a computationally hard problem which cannot be solved in polynomial time), and forward secrecy is achieved.
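As an added example (not code from the paper or from Shuai et al.'s scheme), the following Python sketch instantiates this countermeasure on secp256k1 with SHA-256 as h(·), both of which are assumptions: U_i contributes A_4 = ω · P, SD_k contributes A_6 = R_3 · P, and each side derives the same A_7 and SK while the long-term key K never enters the computation, so disclosing K later reveals nothing about the session key.

```python
import hashlib
import secrets

# secp256k1 domain parameters (assumed here; the paper does not fix a curve).
p = (1 << 256) - (1 << 32) - 977
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
assert (G[1] ** 2 - G[0] ** 3 - 7) % p == 0   # sanity: generator lies on y^2 = x^3 + 7

def ec_add(P, Q):
    """Affine point addition on y^2 = x^3 + 7 over GF(p); None is the point at infinity."""
    if P is None: return Q
    if Q is None: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0: return None
    if P == Q: lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = None
    while k:
        if k & 1: R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def enc(P):  # fixed-width encoding of a point for hashing
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def session_key(id_i, gid_j, a4, a6, a7):
    """SK = h(ID_i || GID_j || A_4 || A_6 || A_7) as proposed in the countermeasure."""
    return hashlib.sha256(id_i + gid_j + enc(a4) + enc(a6) + enc(a7)).digest()

def run_session(id_i, gid_j, omega=None, r3=None):
    """One login: U_i picks omega, SD_k picks R_3; only A_4 and A_6 cross the open channel.
    Returns (SK at U_i, SK at SD_k, transcript seen by an eavesdropper)."""
    omega = omega or secrets.randbelow(n - 1) + 1
    r3 = r3 or secrets.randbelow(n - 1) + 1
    a4 = ec_mul(omega, G)           # U_i -> SD_k : A_4 = omega*P
    a6 = ec_mul(r3, G)              # SD_k -> U_i : A_6 = R_3*P
    sk_user = session_key(id_i, gid_j, a4, a6, ec_mul(omega, a6))   # A_7 = omega*A_6
    sk_dev = session_key(id_i, gid_j, a4, a6, ec_mul(r3, a4))       # A_7 = R_3*A_4
    return sk_user, sk_dev, (a4, a6)
```

Each run draws fresh ω and R_3, so two sessions between the same parties yield unrelated keys; the transcript (A_4, A_6) plus K gives an eavesdropper neither scalar.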

Inside Attack.
Suppose the adversary is also the administrator of RA; then she can exploit the registration message and the data stored in mobile devices to guess the victim's password as follows:

Wireless Communications and Mobile Computing
The attack steps are as follows: Step 1. Guess PW_i to be PW_i*, ID_i to be ID_i*.
Step 4. Verify the correctness of PW_i and ID_i by checking if HPW_i* == HPW_i.
Step 5. Repeat Steps 1-4 until the correct values of PW_i and ID_i are found.
The time complexity is O(|D_pw| · |D_id| · 2T_H).
Possible Countermeasures: Inside attack is practical although it places high requirements on the adversary's capability. In this scheme, the verifier HPW_i contains PW_i and a, and a can be computed from the parameters in the mobile device. Therefore, a way to deal with this attack is to update a after registration. After receiving the response from RA, the user side should select a new random nonce a′, update HPW_i as h(PW_i || a′), and then set A_2 = a′ ⊕ h(ID_i || PW_i) and A_3 = h(ID_i || HPW_i).

Conclusion
In this paper, we have analyzed an anonymous authentication scheme for a smart home environment proposed by Shuai et al. [8]. We demonstrated that their scheme suffers from various attacks although it was proved secure under the random oracle model. We showed that this scheme cannot resist offline dictionary attack and inside attack and also fails to provide forward secrecy. After pointing out these security flaws, we proposed possible countermeasures to deal with them. These suggestions can also be applied to most similar schemes. Thus, our work is helpful to the design of a secure and efficient user authentication scheme for the smart home environment.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.