Source: Computer Networks Volume 149, 11 February 2019, Pages 29-42

Presentation transcript:

A lightweight anonymous user authentication and key establishment scheme for wearable devices
Source: Computer Networks Volume 149, 11 February 2019, Pages 29-42
Authors: Ankur Gupta, Meenakshi Tripathi, Tabish Jamil Shaikh, Aakar Sharma
Speaker: Yao-Zhu Zheng
Date: 2019/03/07

Outline
Introduction
System model
Proposed scheme
Experimental results
Conclusions

Introduction (1/2)
IoT (Internet of Things), healthcare industry

Introduction (2/2)
Wearable devices: smartwatch, smart glasses, fitness tracker, etc.

System model (1/2)
[Figure: wearable devices, user/GWN, authentication server; interactions numbered 1 to 5]

System model (2/2)
The adversary knows the authentication protocol used and may eavesdrop on all messages transmitted over an insecure channel.
The adversary may modify or redirect the transmitted messages or replay the eavesdropped messages.
The adversary may get any sensing device and extract all the stored parameters from its memory.
However, the adversary cannot get the mobile terminal.

Proposed scheme (1/27)
System setup
Registration
Authentication and key-establishment
Password-change

Proposed scheme (2/27)
System setup phase
Sensing device setup phase
Mobile terminal setup phase

Proposed scheme (3/27)
Sensing device setup phase
Parties: SDj and Trusted Authority (TA), over a secure channel
1. chooses SIDj, XSDj for SDj
2. computes MSIDj = h(SIDj ∥ XSDj)
3. stores (h(·), SIDj, XSDj, MSIDj)
4. stores SIDj, MSIDj and XSDj

Proposed scheme (4/27)
Parameters stored in entities
SDj: SIDj, XSDj, MSIDj
GWN: -
TA: SIDj, XSer, XSDj, MSIDj

Proposed scheme (5/27)
Mobile terminal setup phase
Parties: TA and GWN, over a secure channel
1. chooses GID, XGD for GWN
2. computes MGID = h(GID ∥ XGD)
3. stores (h(·), GID, XGD, MGID)
4. stores GID, MGID and XGD

Proposed scheme (6/27)
Parameters stored in entities
SDj: SIDj, XSDj, MSIDj
GWN: GID, XGD, MGID
TA: SIDj, GID, XSer, XSDj, XGD, MSIDj, MGID

Proposed scheme (7/27)
Registration phase
User registration phase
Sensing device registration phase

Proposed scheme (8/27)
User registration phase
Parties: Ui (with GWN) and TA, over a secure channel
1. User chooses IDi, PWi
2. GWN chooses a random number ru to compute MIi = h(ID ∥ ru), MPi = h(PW ∥ ru)
3. GWN sends MIi, MPi, MGID to TA

Proposed scheme (9/27)
User registration phase
Parties: Ui (with GWN) and TA, over a secure channel
4. computes fi = h(MIi ∥ XSer), xi = h(MPi ∥ XGD)
5. computes ei = fi ⊕ xi
6. sends ei back to GWN

Proposed scheme (10/27)
User registration phase
Party: Ui (with GWN)
7. computes xi = h(MPi ∥ XGD)
8. computes fi = ei ⊕ xi
9. stores xi, ei, fi, ru

Proposed scheme (11/27)
Parameters stored in entities
SDj: SIDj, XSDj, MSIDj
GWN: GID, XGD, MGID, xi, ei, fi, ru
TA: SIDj, GID, XSer, XSDj, XGD, MSIDj, MGID

Proposed scheme (12/27)
Sensing device registration phase
Parties: SDj, GWN, TA
1. chooses random number rj
2. computes MPj = h(SIDj ∥ XSDj ∥ rj ∥ T1)
3. computes MNj = XSDj ⊕ rj
4. sends MSIDj, MNj, MPj, and T1 to GWN

Proposed scheme (13/27)
Sensing device registration phase
Parties: SDj, GWN, TA
5. checks |T2 - T1| < ΔT
6. computes TI = h(GID ∥ T2)
7. sends TI, MGID, MSIDj, MNj, MPj, T1, T2 to TA

Proposed scheme (14/27)
Sensing device registration phase
Parties: SDj, GWN, TA
8. checks |T3 - T2| < ΔT
9. computes TI* = h(GID ∥ T2) and checks TI =? TI* (confirms message from GWN)
10. computes rj* = MNj ⊕ XSDj
11. computes MPj* = h(SIDj ∥ XSDj ∥ rj* ∥ T1) (confirms message from SDj)

Proposed scheme (15/27)
Sensing device registration phase
Parties: SDj, GWN, TA
12. computes fj = h(SIDj ∥ XSer), xj = h(MPj ∥ XSDj)
13. computes ej = fj ⊕ xj
14. computes TIj = h(SIDj ∥ T3), TISer = h(GID ∥ T3)
15. sends ej, TIj, TISer, T3 to GWN

Proposed scheme (16/27)
Sensing device registration phase
Parties: SDj, GWN, TA
16. checks |T4 - T3| < ΔT
17. computes TISer* = h(GID ∥ T3) and checks TISer* =? TISer (confirms message from TA)
18. stores MSIDj
19. sends TIj, ej, MIi, MGID, T3, T4 to SDj

Proposed scheme (17/27)
Sensing device registration phase
Parties: SDj, GWN, TA
20. checks |T5 - T4| < ΔT
21. computes TIj* = h(SIDj ∥ T3) and checks TIj* =? TIj (confirms message from TA)
22. computes xj = h(MPj ∥ XSDj), fj = ej ⊕ xj
23. stores ej, xj, fj, MIi, MGID

Proposed scheme (18/27)
Parameters stored in entities
SDj: SIDj, XSDj, MSIDj, MGID, xj, ej, fj, MIi
GWN: GID, XGD, MSIDj, MGID, xi, ei, fi, ru
TA: SIDj, GID, XSer, XSDj, XGD, MSIDj, MGID

Proposed scheme (19/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
1. inputs IDi, PWi
2. GWN computes MIi* = h(IDi ∥ ru), MPi* = h(PWi ∥ ru), xi* = h(MPi* ∥ XGD) and checks MIi* =? MIi, xi* =? xi
3. sends MIi, MGID, T1 to SDj

Proposed scheme (20/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
4. checks |T2 - T1| < ΔT
5. chooses random number Kj
6. computes Aj = h(MIi ∥ XSDj ∥ T2) ⊕ xj and Zj = Kj ⊕ fj
7. sends MSIDj, Aj, Zj, T2 to GWN

Proposed scheme (21/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
8. checks |T3 - T2| < ΔT
9. stores Zj
10. sends MIi, MGID, MSIDj, ei, Aj, T2, T3 to TA

Proposed scheme (22/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
11. checks |T4 - T3| < ΔT
12. computes xj* = Aj ⊕ h(MIi ∥ XSDj ∥ T2) and checks xj* =? xj (confirms SDj)
13. computes fi* = h(MIi ∥ XSer), xi* = ei ⊕ fi* and checks xi* =? xi (confirms Ui)

Proposed scheme (23/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
14. computes Fij = fj ⊕ h(fi* ∥ XGD), Hi = h(fi* ∥ XGD ∥ T4), Sj = h(xj* ∥ XSDj ∥ T4)
15. sends Fij, Hi, Sj, T4 to GWN

Proposed scheme (24/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
16. checks |T5 - T4| < ΔT
17. computes Hi* = h(fi ∥ XGD ∥ T4) and checks Hi* =? Hi (confirms TA)
18. computes fj = Fij ⊕ h(fi ∥ XGD), Kj = Zj ⊕ fj
19. chooses random number Ki
20. computes Rij = h(fj ∥ MGID ∥ T5) ⊕ Ki and SK = h(Ki ⊕ Kj)
21. sends Rij, Sj, T4, T5 to SDj

Proposed scheme (25/27)
Authentication and key-establishment
Parties: SDj, Ui (with GWN), TA
22. checks |T6 - T5| < ΔT
23. computes Sj* = h(xj ∥ XSDj ∥ T4) and checks Sj* =? Sj (confirms TA)
24. computes Ki = Rij ⊕ h(fj ∥ MGID ∥ T5)
25. computes SK = h(Ki ⊕ Kj)
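
The authentication and key-establishment exchange of steps 4-25 above, as an added Python example that is not code from the paper or the slides; it shows that GWN and SDj derive the same SK and that an altered Aj or a stale timestamp stops the run. Assumptions: SHA-256 stands in for h(·), timestamps are hashed as 8-byte integers, ΔT is 5 seconds, the identities and password are constructed, all parties' values sit in one dictionary for brevity, the TA is taken to keep xi and xj from registration for the comparisons in steps 12-13, and the function names are hypothetical.

```python
import hashlib, hmac, secrets

DELTA_T = 5  # freshness window ΔT in seconds (assumed value)

def h(*parts):
    # h(a || b || ...); SHA-256 and 8-byte timestamps are assumptions
    data = b"".join(p.to_bytes(8, "big") if isinstance(p, int) else p for p in parts)
    return hashlib.sha256(data).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def require(ok, why):
    if not ok:
        raise ValueError(why)

def registered():
    """Constructed long-term values after setup and registration (TA assumed to keep xi, xj)."""
    s = {k: secrets.token_bytes(32) for k in ("XSer", "XGD", "XSDj", "ru", "rj")}
    s["SIDj"], s["MGID"] = b"SD-0001", h(b"GWN-0001", s["XGD"])
    s["MIi"], MPi = h(b"alice", s["ru"]), h(b"constructed-pw", s["ru"])
    s["fi"], s["xi"] = h(s["MIi"], s["XSer"]), h(MPi, s["XGD"])
    MPj = h(s["SIDj"], s["XSDj"], s["rj"], 0)  # T1 = 0 at registration
    s["fj"], s["xj"] = h(s["SIDj"], s["XSer"]), h(MPj, s["XSDj"])
    s["ei"] = xor(s["fi"], s["xi"])
    return s

def authenticate(s, T=(100, 101, 102, 103, 104, 105), mask=bytes(32)):
    T1, T2, T3, T4, T5, T6 = T
    require(abs(T2 - T1) < DELTA_T, "SDj: stale T1")            # SDj, steps 4-7
    Kj = secrets.token_bytes(32)
    Aj, Zj = xor(h(s["MIi"], s["XSDj"], T2), s["xj"]), xor(Kj, s["fj"])
    Aj = xor(Aj, mask)  # non-zero mask models Aj altered in transit
    require(abs(T3 - T2) < DELTA_T, "GWN: stale T2")            # GWN, steps 8-10
    require(abs(T4 - T3) < DELTA_T, "TA: stale T3")             # TA, steps 11-15
    xj_ = xor(Aj, h(s["MIi"], s["XSDj"], T2))
    require(hmac.compare_digest(xj_, s["xj"]), "TA: SDj not confirmed")
    fi_ = h(s["MIi"], s["XSer"])
    require(hmac.compare_digest(xor(s["ei"], fi_), s["xi"]), "TA: Ui not confirmed")
    Fij = xor(s["fj"], h(fi_, s["XGD"]))
    Hi, Sj = h(fi_, s["XGD"], T4), h(xj_, s["XSDj"], T4)
    require(abs(T5 - T4) < DELTA_T, "GWN: stale T4")            # GWN, steps 16-21
    require(hmac.compare_digest(h(s["fi"], s["XGD"], T4), Hi), "GWN: TA not confirmed")
    fj, Ki = xor(Fij, h(s["fi"], s["XGD"])), secrets.token_bytes(32)
    Rij = xor(h(fj, s["MGID"], T5), Ki)
    sk_gwn = h(xor(Ki, xor(Zj, fj)))  # Kj recovered as Zj ⊕ fj
    require(abs(T6 - T5) < DELTA_T, "SDj: stale T5")            # SDj, steps 22-25
    require(hmac.compare_digest(h(s["xj"], s["XSDj"], T4), Sj), "SDj: TA not confirmed")
    Ki_sd = xor(Rij, h(s["fj"], s["MGID"], T5))
    return sk_gwn, h(xor(Ki_sd, Kj))
```

Calling authenticate(registered()) returns the pair (SK at GWN, SK at SDj); passing a non-zero mask or a timestamp gap of ΔT or more raises ValueError naming the check that failed.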

Proposed scheme (26/27)
Password-change
Parties: Ui (with GWN), TA
1. inputs IDi, PWi
2. GWN computes xi* =? xi
3. inputs new password PWinew
4. computes MPinew = h(PWinew ∥ ru)
5. sends MIi, MPi, MPinew to TA

Proposed scheme (27/27)
Password-change
Parties: Ui (with GWN), TA
6. computes fi* = h(MIi ∥ XSer)
7. computes xi* = fi* ⊕ ei and checks xi* =? xi
8. computes xinew = h(MPinew ∥ XGD), einew = fi ⊕ xinew
9. sends einew back to GWN
10. stores einew

Experimental results (1/5)
Comparison of security features
Columns: Security property, [22], [24], [26], [28], [30], [31], Proposed
Anonymity and untraceability: N Y
Perfect forward secrecy
Replay attack
User impersonation attack
Sensing device impersonation attack
Gateway impersonation attack
Node capture attack
Offline guessing attack
Privileged insider attack
Man-in-the-middle attack

Experimental results (2/5)
Computation cost comparison
Columns: Scheme, Sensor side, User side, Server side, Total cost
Amin et al.: 5Th + 3TXOR, 12Th + 7TXOR, 15Th + 7TXOR, 32Th + 17TXOR
Chang and Le: 5Th + 4TXOR, 7Th + 4TXOR, 8Th + 1TXOR, 20Th + 9TXOR
Gope and Hwang: 3Th + 1TXOR, 14Th + 7TXOR, 9Th + 4TXOR, 26Th + 12TXOR
Adavoudi-Jofaei et al.: 3Th + 2TXOR, 8Th + 9TXOR, 9Th + 7TXOR, 20Th + 19TXOR
Li et al.: 3Th + 7TXOR, -, 4Th + 12TXOR, 7Th + 19TXOR
Wu et al.: 6Th + 1TXOR, 7Th + 1TXOR, 10Th + 2TXOR, 23Th + 4TXOR
Das et al.: 7Th + 2TXOR, 9Th + 5TXOR, 16Th + 7TXOR
Proposed: 4Th + 4TXOR, 16Th + 11TXOR

Experimental results (3/5)
Communication cost comparison
Columns: Scheme, Number of messages, Number of bits
Amin et al.: 6, 4096
Chang and Le: 4, 3104
Gope and Hwang: 3184
Adavoudi-Jofaei et al.: 3696
Li et al.: 4672
Wu et al.: 5, 3932
Das et al.: 3, 1696
Proposed: 3808

Experimental results (4/5)

Experimental results (5/5)

Conclusions
A new lightweight anonymous user authentication and key-establishment scheme for wearable devices.
This protocol is cost efficient in terms of computation and communication overheads.