User authentication schemes with pseudonymity for ubiquitous sensor network in NGN Authors: Binod Vaidya, Joel J. Rodrigues and Jong Hyuk Park Source: International Journal of Communication Systems, vol. 23, p.p , Presenter: Yung-Chih Lu ( 呂勇志 ) Date: 2010/03/18 1
Outline Introduction Dynamic user authentication schemes Proposed Scheme Performance Evaluation Security Analysis Conclusion Comment 2
Introduction (1/3) Goal ◦ Mutual authentication and User privacy ◦ Saving resource Computation cost Communication cost Storage Overhead 3
Introduction (2/3) Ubiquitous Sensor Network in NGN ◦ Support for a wide range of services ◦ Unrestricted access by users to different service providers 4 NGN : Next Generation Network GW: Registration Sensor Gateway UD : User’s Device LN: Sensor Login-Node
Introduction (3/3) Ubiquitous Sensor Network in NGN 5 NGN : Next Generation Network GW: Registration Sensor Gateway UD : User’s Device LN: Sensor Login-Node
Dynamic user authentication schemes (1/3) Registration Phase 6 User Device Sensor Gateway Sensor Login- Node UID, h(PW) 1.Compute N=h(PW) ㊉ h(x ㊉ UID) 2.Store UID, h(PW), N, TS Secure Channel Successful Reg. UID, N, TS (Lee-Chun Ko, IEEE ISWCS 2008) UID: A user’s identity ⊕ : Bitwise XOR operation TS: Timestamp PW: A user’s password h(.): A one-way hash function Store UID, N, TS
Dynamic user authentication schemes (2/3) Login & Authentication Phase 7 User Device Sensor Gateway Sensor Login-Node UID, A, t1 UID, C, t1,t3 A=h(h(PW) ㊉ t1) 1.Check(t2-t1)> △ T 2.Check UID C=h(A ㊉ h(N ㊉ t3)) 1.Check UID and t1 2.Check (t4-t3)> △ T 3.Verify if C=C’ Store t in the database A’=h(h(PW) ㊉ t1), C’=h(A’ ㊉ h(N ㊉ t3)) 4.MA SN =h(A ㊉ N ㊉ t5),MA U =h(A ㊉ h(PW)) Permit Login, MA SN ㊉ MA U, h(MA U ), t5 1.Check(t6-t5)> △ T 2. Compute MA SN =h(A ㊉ N ㊉ t5), 3.Verify h(MA U ) 4. Compute MA * U =h (MA U ||t7) UID: A user’s identity ⊕ : Bitwise XOR operation t, TS: Timestamp PW: A user’s password U: The user SN: The sensor login-node
Dynamic user authentication schemes (3/3) Login & Authentication Phase (Cont.) 8 User Device Sensor Gateway Sensor Login- Node Permit_Login, MA * U, t7 1.Check(t8-t7)> △ T 2.Compute MA U =h(A ㊉ h(PW)) 3.verify MA * U Password Change Phase UID, h(PW), h(PW’) 1.Check(UID, h(PW))in the database 2. N’=h(PW’) ㊉ h(x ㊉ UID) 3.Update UID, h(PW’), N’, TS’) Successful Change UID, N’, TS’ UID: A user’s identity ⊕ : Bitwise XOR operation t, TS: Timestamp PW: A user’s password U: The user SN: The sensor login-node Secure Channel
Proposed Scheme (1/3) Registration Phase 9 User Device Sensor Gateway Sensor Login- Node UID, vpw 1.Compute g=h(UID) 2. Compute TID=g ㊉ N 0 3.Compute X=h(TID||x) 4.Store TID, vpw, X, TS Secure Channel Succ_Reg(X, N 0 ) TID, X, TS vpw=h(PW) 1.Compute g = h(UID) 2.Compute TID=g ㊉ N 0 3.Store TID, X UID: A user’s identity ⊕ : Bitwise XOR operation t, T, TS: Timestamp PW: A user’s password N0, N1: Random nonces x: gateway’s Secret key ∆T: Allowed time interval for transmission delay Store TID, X, TS
Proposed Scheme (2/3) Login & Authentication Phase 10 User Device Sensor Gateway Sensor Login-Node TID, A, t TID, C K,T 0, t A=h(vpw||t) 1.Check TID 2.Check (T 0 -t) ≧△ T 3.C k =h(X ㊉ A ㊉ T 0 ) 1.Check TID and t 2.Check (T 1 -T 0 ) ≧△ T ; (T 0 -t) ≧△ T 3.Verify if C K =C K ’ Store t in the database A’=h(vpw||t), C K ’=h(X ㊉ A’ ㊉ T 0 ) 4.V M =h(X||A’||T 1 ) 5. Store t Acc_login, V M, T 1 1.Check (T 2 -T 1 ) ≧△ T 2.Verify V M = V M ’ V M ’=h(X||A||T 1 ) 3. Compute Y K =H(V M '||T 2 ) UID: A user’s identity ⊕ : Bitwise XOR operation PW: A user’s password N0, N1: Random nonces t, T, TS: Timestamp ∆T: Allowed time interval for transmission delay
Proposed Scheme (3/3) Login & Authentication Phase (Cont.) 11 User Device Sensor Gateway Sensor Login- Node Acc_login, Y K, T 1, T 2 Password Change Phase TID, vpw, vpw 1 1.Compute TID 1 =g ⊕ N 1 2.Compute X 1 =H(TID 1 ||x) 3.Compute TID 1 ’=TID 1 ⊕ X 4.Update TID, vpw, X, TS TID, TID 1 ’, X 1, TS 1 Compute vpw 1 =H(PW 1 ) Succ_Change(X1, N 1 ) 1.Obtain TID 1 =g ⊕ N 1 2.Update TID, X 1.Obtain TID 1 =TID 1 ’ ⊕ X 2.Update TID, X, TS 1.Check (T 3 -T 2 ) ≧△ T ; (T 2 -T 1 ) ≧△ T 2.Verify Y K =Y K ’ V M ''= h(X||A||T 1 ) Y K '= h(V M ''||T 2 ) TID:Temporary User ID ⊕ : Bitwise XOR operation t, T, TS: Timestamp PW: A user’s password N0, N1: Random nonces x: gateway’s Secret key ∆T: Allowed time interval for transmission delay Secure Channel
Performance Evaluation (1/4) Overheads Cost 12 K: The number of sensor nodes T XOR : The time for performing an XOR operation T H : The time for performing a one-way hash function C MH : The delay time for the communication taken place between the LN and the GW in multi-hops
Performance Evaluation (2/4) Functional Requirements 13
Performance Evaluation (3/4) Computational overheads for authentication 14
Performance Evaluation (4/4) Authentication latency time 15
Security Analysis (1/3) Replay attack ◦ Login message Solution: timestamp ◦ Accept login message Solution: timestamp Forgery attack with node capture attack ◦ Get TID, X, TS, C K, T 0, t Solution: A cannot be capture ◦ Get TID, X, TS, TID, A, t Solution: t is already in the database A: the stored bits by the adversary. B: the common stored bits by two neighboring sensor nodes α : the number of broadcasted random bits 16
Security Analysis (2/3) Man-in-the-middle attack ◦ Get TID, A, t, C K, T 0, t Solution: X cannot be capture Stolen verifier attack with node capture attack ◦ Get vpw, TID, X, TS Solution: user pseudomynity Secret key forward secrecy ◦ Get secret key x, TID, A, t Solution: without knowing X=(TID||x) 17
Security Analysis (3/3) Provide user pseudonymity ◦ Reason: TID=h(UID) ㊉ N 0 Provide Mutual authentication ◦ Reason: common secret value 18
Conclusion The proposed protocols are robust against many security attacks and have better security properties in terms of user privacy and mutual authentication. They have analyzed the proposed schemes using simulations and the results show that both are quite efficient. 19
Comment Key Recovery In login phase, (T 0 -t) ≧△ T is an unnecessary check. Maybe ⊕ is simpler than ||. 20