Security and Privacy Analysis of Vinoth et al.’s Authenticated Key Agreement Scheme for Industrial IoT

Abstract

Vinoth et al. proposed an authenticated key agreement scheme for industrial IoT (Internet of Things) applications. Vinoth et al.’s scheme aimed to protect the remote sensing data of industrial IoT devices under hostile environments. The scheme is interesting because the authorized user is allowed simultaneously to access the multiple IoT sensing devices. Therefore, we carefully analyzed the security and privacy implications of Vinoth et al.’s scheme. Our findings are summarized as follows. One, Vinoth et al.’s scheme failed to defeat user impersonation attacks. Second, Vinoth et al.’s scheme did not prevent IoT sensing device impersonation attacks. Third, Vinoth et al.’s scheme suffered from replay attacks. Fourth, Vinoth et al.’s scheme was vulnerable to desynchronization attacks. Fifth, Vinoth et al.’s scheme could not maintain user privacy. As a case study, our analysis results enlighten researchers and engineers on the design of robust and efficient authenticated key agreement schemes for IoT applications.

1. Introduction

The Internet of Things (IoT) is a fast development in the long and continuing revolution of communications and computing. The IoT has expanded the interconnection of billions of industrial and personal objects through IoT sensing devices, which are typically composed of sensors, actuators, microcontrollers, transceivers, and batteries. IoT sensing devices bound to objects deliver sensor information, act on their environments, and in some cases adapt for the overall management of a larger system, such as a factory [1] or a city [2]. Moreover, these devices always communicate each other and form a remote sensing network. As a typical scenario, Industrial IoT is deployed for achieving intelligent manufacturing because of its advantages in automatic monitoring and efficient control. Under the industrial IoT environment, sensing devices can be remotely accessed and controlled by authorized users. During the process of industrial production, sensing devices collect real-time data. Users obtain this real-time data and then send control commands according to said data.

IoT sensing security [3] is perhaps the most complex and immature area of cybersecurity. The following characteristics hinder secure IoT sensing:

(1) Very large attack surfaces: There is a wide variety of points of vulnerability in IoT sensing systems and a large amount of data that may be compromised.

(2) Widespread deployment: There is ongoing, rapid deployment of IoT arrangements in commercial and industrial environments and, more importantly, in critical infrastructure environments. Most IoT sensing devices are remote and out of control. These deployments are attractive targets for security attacks.

(3) Constrained device resources: IoT sensing devices are typically constrained, with limited memory, processing power, and power supply.

(4) Low cost: IoT sensing devices are always manufactured, purchased, and deployed in the millions. This fact provides great incentive for manufacturers and customers to minimize the cost of these devices.

Motivation of This Paper. In the normal course of things, the user requires simultaneously access to multiple IoT sensing devices for a complex industrial task. Because of serious security and privacy threats, IoT sensing devices, especially remote devices, are required to support mutual authentication and secret key establishment with their users. The authenticated key agreement scheme provides authentication and key establishment services among users and multiple IoT sensing devices. We therefore analyzed the security and privacy of the authenticated key agreement scheme. Our research focused on not only outside but inside attackers, i.e., malicious users and corrupt IoT sensing devices.

1.1. Industrial IoT Sensing Model and Its Authenticated Key Agreement Scheme

In this section, we describe the sensing model and authenticated key agreement scheme studied in this paper.

1.1.1. Industrial IoT Sensing Model

The sensing model is depicted in Figure 1. There are three categories of entities, i.e., gateway nodes (GWNs), users, and industrial IoT sensing devices.

(1) GWN: GWNs interconnect IoT sensing devices with high-level communication networks and perform the necessary translation between the protocols used in communication networks and those used in IoT sensing devices.

(2) Users: The users are allowed to access IoT sensing devices through GWNs. They gain security and privacy services with the help of embedded devices such as smart cards.

(3) IoT sensing devices: IoT sensing devices are utilized to monitor the status of objects and collect the information stored therein. Users can obtain the information collected by these devices in real time.

In our industrial IoT sensing model, we assumed that the users and the IoT sensing devices were untrusted entities. GWNs [4], meanwhile, cannot be compromised and were therefore considered to be fully trusted by the users and the IoT sensing devices. This assumption is reasonable because GWNs are usually placed in secure environments and equipped with tamper-resistant devices.

1.1.2. Authenticated Key Agreement Scheme

To set up a secure sensing network, the GWN initially writes some authentication credentials into IoT sensing devices. The user first registers to the GWN, and both the user and GWN write the authentication credentials into the user’s embedded device. When the registered users want to access the deployed IoT sensing devices, they run an authentication session using their embedded device. During the authentication session, GWN helps the user and the IoT sensing devices authenticate each other and establish a shared secret key for subsequent secure communication. In addition, the users can change their authentication credentials, and the GWN can allow new IoT sensing devices to join the deployed sensing network and revoke existing devices from said network.

However, an attacker may exploit the vulnerabilities in the authenticated key agreement scheme to perform attacks, because the messages of the authentication session are often transmitted through a public channel, and this brings security problems in the industrial IoT environment. It is possible for an inside or outside attacker to impersonate an authorized user to obtain data by accessing sensing devices or to impersonate a legal IoT sensing device to provide fake data. These unsatisfactory security risks could lead to the destruction of industrial activity.

1.2. Related Work

In recent years, many authenticated key agreement schemes [5,6] have been proposed for IoT remote sensing environments, such as industrial IoT, telemedicine, and smart home. We review previous work on four dimensions.

From the user credentials perspective, authenticated key agreement schemes are classified into two categories, i.e., two- and three-factor (multifactor) schemes. In two-factor schemes [7,8,9,10,11,12,13,14,15], the security of the user is protected by both the secret key stored in the smart card and the human-memorizable password, and the user applies the password and the smart card to complete the authentication session. Compared to two-factor schemes, three-factor schemes [4,16,17,18,19,20,21,22] add biometrics to the user credentials; that is, the user must provide the smart card, the password, and biometrics at the same time.

In many privacy applications, the users does not want authentication sessions to be associated with their identity. This means that the user’s identity is disclosed only to an authorized set of GWN and IoT sensing devices during the authentication sessions. Therefore, to preserve user privacy, authenticated key agreement schemes [23,24,25,26,27] thwart attempts to disclose or link users’ identities by exploiting their authentication sessions.

Many researchers have extended authenticated key agreement schemes [28,29,30,31,32,33,34] to multi-gateway IoT environments. These revised schemes provide the user with a single sign under a set of GWNs. That is, when the user is authenticated by a GWN in the set of GWNs, he/she can access all IoT sensing devices governed by the set of GWNs even if the devices in question are not directly managed by the specific GWN that authenticated the user. In addition, the multi-gateway schemes can solve the packet-collision problem due to single GWN mode.

Users often access multiple IoT sensing devices to complete complex tasks. It is inefficient for the user to run a separate authentication session with each IoT sensing device. Moreover, the logical relevance of the authentications and the shared secret keys cannot be guaranteed if the user independently runs several authentication sessions for a task. Hence, some authenticated key agreement schemes [4,35,36] have recently begun to provide authentication and group secret-key establishment between the user and multiple IoT sensing devices in an authentication session.

1.3. Our Contributions

In the IEEE Internet of Things Journal, Vinoth et al. [4] proposed an authenticated key agreement scheme that aimed to protect the remote sensing data of industrial IoT under the hostile environments. We carefully analyzed security and privacy under Vinoth et al.’s scheme. Our results are as follows.

(1) Vinoth et al.’s scheme failed to defeat a user impersonation attack. A legal but malicious user could impersonate IoT sensing devices, other users, and the GWN.

(2) Vinoth et al.’s scheme did not prevent IoT sensing device impersonation attacks. A legal but corrupt IoT sensing device can impersonate users, the GWN, and other IoT sensing devices.

(3) Vinoth et al.’s scheme suffered from replay attacks. Attackers can reuse the previous message in the authentication session to cheat the user and the GWN.

(4) Vinoth et al.’s scheme was vulnerable to desynchronization attacks. In these attacks, an attacker induces an inconsistent internal status between the user and the GWN. This security flaw causes the GWN to deny the service for the user.

(5) Vinoth et al.’s scheme cannot maintain user privacy. User identity is compromised during the run of the authentication session.

As a matter of convenience, in

Table 1. Description of notations.

Term	Definition
GWN, U	Gateway node and user
Sj	jth IoT sensing device
IDGWN, IDU, IDSj	GWN’s, U’s, and Sj’s identities
TIDU	U’s temporary identity for user anonymity
γ, KGWN	GWN’s long-term secret keys
KGWN-U	Long-term secret key shared by GWN and U
PW	U’s password
B, BK, τ	U’s biometrics, biometrics key, and public reproduction parameter
sj, fj, kj	Sj’s secret parameters
KGWN-Sj	Secret key shared by GWN and Sj
KU-Sj	Secret session key shared by U and Sj
rGWN, rU, RN	Random numbers
TS1, TS2, TS3, TS4,TS1′, TS2′, TS3′, TS4′	Timestamps
ΔTS	Maximum transmission delay
φ()	Vinoth et al.’s access structure function [4]
Gen()/Rep()	Generation algorithm/reproduction algorithm using biometrics fuzzy extractor
h()	Cryptographic hash function
EK()/DK()	Encryption algorithm/decryption algorithm using secret key K
mod	Congruent
⊕, ‖	Bitwise exclusive-or and concatenation

, we list some notation used throughout our paper.

2. Review of Vinoth et al.’s Authenticated Key Agreement Scheme

2.1. Scheme Description

Vinoth et al.’s scheme is composed of seven phases: the offline sensing device registration phase, the user registration phase, the login phase, the authenticated key agreement phase, the biometrics and password update phase, the dynamically sensing device joining phase, and the sensing device revocation phase. For a self-contained discussion, we review the first four phases, which are related to our discussion. The full technical details of Vinoth et al.’s scheme can be found in [4].

2.1.1. Offline Sensing Device Registration Phase

GWN picks a unique ID_Sj for S_j, where j = 1, 2, …, n. GWN then chooses a K_GWN-Sj and two n-dimensional vectors Vector₁ and Vector₂ such that K_GWN-Sj= Vector₁·x₀ and K_GWN-Sj² = Vector₂·x₀, where x₀ = φ(GWN). GWN calculates s_j = Vector₁·x_j and f_j = Vector₂·x_j, where x_j = φ(S_j) (1 ≤ j ≤ n). GWN computes and stores λ_t, where $K_{\mathit{GWN}\text{-}{S}_j=}{\sum }_{t=1}^n{\lambda }_t{s}_t$ and $K_{\mathit{GWN}\text{-}{S_j}^2=}{\sum }_{t=1}^n{\lambda }_t{f}_t$. GWN selects the pairwise relative positive numbers k_j for each S_j (1 ≤ j ≤ n). GWN computes $\mathit{Mul}={\prod }_{j=1}^n{k}_j$ and Mul_j = Mul/k_j and generates a random number Nonce_j such that Mul_j × Nonce_j ≡ 1 mod k_j. GWN computes $\gamma ={\sum }_{j=1}^n{\mathit{Var}}_j={\sum }_{j=1}^n{\mathit{Mul}}_j{\times \mathit{Nonce}}_j$ and stores γ. GWN securely sends ID_Sj, s_j, f_j, and k_j to each S_j (1 ≤ j ≤ n), and then S_j stores them. In the end, GWN deletes other messages.

2.1.2. User Registration Phase

Step 1: U chooses a unique ID_U and a PW, imprints the B, and computes (BK, τ) = Gen(B). U generates a random 128-bit number a, calculates TPW = h(ID_U‖PW‖BK)⊕a, and securely sends the message <ID_U, TPW> to GWN.

Step 2: When receiving <ID_U, TPW>, GWN randomly generates a 1024-bit K_GWN and a 128-bit TID_U, and then computes K_GWN-U = h(ID_U‖K_GWN), A = K_GWN-U⊕TPW, and C = ID_GWN⊕ TPW. GWN stores TID_U, ID_U, and K_GWN-U in its database. Finally, GWN writes {TID_U, A, C, h()} into a smart card and securely sends the card to U.

Step 3: When receiving the card, U computes RPW = h(ID_U‖PW‖BK), A’ = A⊕TPW⊕ RPW, D = a⊕h(ID_U‖BK), C’ = C⊕TPW⊕h(ID_U‖BK), and V ≡ h(RPW‖A‖a‖h(ID_U‖BK)) mod ω, where ω is the medium integer [37,38,39]. Finally, U rewrites {TID_U, A’, C’, D, V, Gen(), Rep(), h(), τ, ω} into the card.

2.1.3. Login Phase

Step 1: U inserts the smart card into the card reader, and then further inputs the ID_U and PW and imprints the B. The smart card reconstructs BK = Rep(B, τ) and computes RPW = h(ID_U‖PW‖BK), a = D⊕h(ID_U‖BK), and A = A’⊕a. The smart card further checks whether V ≡ h(RPW‖A‖a‖h(ID_U‖BK)) mod ω. If not, the smart card terminates the login request.

Step 2: The smart card generates r_U and obtains current TS₁. The smart card computes ID_GWN = C’⊕h(ID_U‖BK), M₁ = A’⊕RPW⊕r_U, and M₂ = h(TID_U‖M₁‖ID_GWN‖r_U‖TS₁). In the end, the smart card sends the message <TID_U, M₁, M₂, TS₁> to GWN.

2.1.4. Authenticated Key Agreement Phase

Step 1: After receiving <TID_U, M₁, M₂, TS₁>, GWN obtains the current TS₁’and checks the freshness of the login request by verifying whether |TS₁ − TS₁’| ≤ ΔTS. If not, GWN terminates this session. GWN searches its database by using the keyword TID_U and retrieves ID_U and K_GWN-U. GWN calculates r_U = M₁⊕K_GWN-U and checks whether M₂ = h(TID_U‖M₁‖ID_GWN‖r_U‖TS₁). If not, GWN terminates this session. GWN generates r_GWN (r_GWN ≤ min{k_j}, j = 1, 2, …, n) and obtains the current TS₂. GWN computes M₃ = r_GWN × γ, M₄ = E_rGWN(ID_U, ID_GWN, r_U, r_GWN⊕K_GWN-U), and M₅ = h(ID_U‖ID_GWN‖r_U‖M₃‖K_GWN-U‖TS₂). Finally, GWN broadcasts the message <M₃, M₄, M₅, TS₂> to all S_js.

Step 2: When receiving <M₃, M₄, M₅, TS₂>, each S_j obtains current TS₂’ and checks the freshness of the message by verifying whether |TS₂ − TS₂’| ≤ ΔTS. If not, S_j terminates this session. S_j computes r_GWN ≡ M₃ mod k_j and (ID_U, ID_GWN, r_U, r_GWN⊕K_GWN-U) = D_rGWN(M₄), and further checks whether M₅ = h(ID_U‖ID_GWN‖r_U‖M₃‖r_GWN⊕K_GWN-U⊕r_GWN‖TS₂). If not, S_j terminates this session. S_j computes M₆ = E_rGWN(ID_Sj, s_j, f_j) and obtains current TS₃. S_j returns the message <M₆, TS₃> to GWN.

Step 3: When receiving <M₆, TS₃>, GWN obtains current TS₃’ and checks the freshness of the message by verifying whether |TS₃ − TS₃’| ≤ ΔTS. If not, GWN terminates the session. GWN computes (ID_Sj, s_j, f_j) = D_rGWN(M₆) from each S_j. GWN calculates ${\theta }_1={\sum }_{t=1}^n{\lambda }_t{s}_t$ and ${\theta }_2={\sum }_{t=1}^n{\lambda }_t{f}_t$ and checks whether ${\theta }_1^2{=\theta }_2$. If not, GWN terminates this session. GWN views θ₁ as K_GWN-Sj and computes M₇ = h(K_GWN-Sj‖r_GWN), M₈ = M₇ × γ, and M₉ = h(M₇‖M₈). Moreover, GWN generates a new temporary identity TID_U^new, obtains the current TS₄, and computes M₁₀ = E_KGWN-U(r_GWN, r_U, M₇), M₁₁ = h(ID_U‖K_GWN-U‖TS₄)⊕TID_U^new, and M₁₂ = h(M₁₀‖M₇‖r_U). In the end, GWN broadcasts the message <M₈, M₉> to all S_js and sends the message <M₁₀, M₁₁, M₁₂, TS₄> to U.

Step 4: When receiving <M₈, M₉>, each S_j calculates M₇≡M₈ mod k_j and checks whether M₉ = h(M₇‖M₈). If not, S_j terminates this session. S_j computes K_U-Sj= h(ID_U‖ ID_GWN‖r_GWN‖r_U‖M₇‖K_GWN-U) and M₁₃ = h(K_U-Sj‖ID_GWN‖ID_U), and then sends the message <M₁₃> to U.

Step 5: When receiving <M₁₀, M₁₁, M₁₂, TS₄>, U obtains the current TS₄’ and checks the freshness of the message by verifying whether |TS₄ − TS₄’| ≤ ΔTS. If not, U terminates this session. U computes (r_GWN, r_U, M₇) = D_KGWN-U(M₁₀). Then, U checks whether the decrypted r_Uis equal to the local r_U and M₁₂ = h(M₁₀‖M₇‖r_U). If any one of them is unequal, U terminates this session. U calculates K_U-Sj= h(ID_U‖ID_GWN‖r_GWN‖r_U‖M₇‖K_GWN-U). Furthermore, when receiving <M₁₃> from each S_j, U checks whether M₁₃ = h(K_U-Sj‖ID_GWN‖ID_U). If not, U terminates this session. U computes TID_U^new = h(ID_U‖K_GWN-U‖TS₄)⊕M₁₁ and replaces TID_U with TID_U^new.

Figure 2 shows the process of Vinoth et al.’s login phase and authenticated key agreement phase.

2.2. Vinoth et al.’s Security Assumption

Vinoth et al. claimed that their scheme was secure under the Canetti–Krawczyk threat model [40], which assumes that an attacker can eavesdrop on, intercept, modify, forge, and delete messages transmitted between any two entities over the public channel. An attacker can also impersonate users, IoT sensing devices, and the GWN to receive and send the messages. Furthermore, the attacker has the capability to expose some secrets of the users and the IoT sensing devices. More importantly, the attacker can be an insider, i.e., a user or an IoT sensing device, because users and sensing devices are untrusted entities. Under the Canetti–Krawczyk threat model, we discuss five types of attacks on Vinoth et al.’s scheme.

3. User Impersonation Attack

We showed that Vinoth et al.’s scheme was vulnerable to user impersonation attacks. That is, a legal but malicious user could impersonate IoT sensing devices, any other user, and the GWN in the deployed network. We assume that U_a is a legal but malicious user in Vinoth et al.’s scheme and maintains the identity ID_Ua, temporary identity TID_Ua, and long-term secret key K_GWN-Ua shared with GWN.

3.1. Impersonation of IoT Sensing Devices

To impersonate a target S_j, U_a first initiates his/her authentication session with GWN. In Steps 2 and 3 of the authenticated key agreement phase, U_a eavesdrops on GWN’s message <M₆, TS₃> from S_j and S_j’s <M₈, M₉> from GWN. When U_a receives the message <M₁₀, M₁₁, M₁₂, TS₄> in Step 3 of the authenticated key agreement phase, U_a computes (r_GWN, r_U, M₇) = D_KGWN-Ua(M₁₀). Now, U_a is able to compute (ID_Sj, s_j, f_j) = D_rGWN(M₆) and derive γ by evaluating M₈/M₇.

Figure 3 illustrates that U_a impersonates S_j using γ, ID_Sj, s_j, and f_j and cheats the GWN and any other U during an authentication session. In Step 2 of the authenticated key agreement phase, U_a uses M₃/γ instead of M₃ mod k_j to recover r_GWN. In Step 4 of the authenticated key agreement phase, U_a uses M₈/γ instead of M₈ mod k_j to recover M₇. Other operations of U_a and S_j are exactly the same. After the authentication session, U shares K_U-Sj = h(ID_U‖ID_GWN‖r_GWN‖r_U‖M₇‖K_GWN-U) with U_a instead of S_j and updates a new temporary identity TID_U^new.

3.2. Impersonation of Other Users

Assume that any other user U runs the login phase and authenticated key agreement phase. In Step 1 and Step 3 of the authenticated key agreement phase, U_a eavesdrops on S_j’s message <M₃, M₄, M₅, TS₂> from GWN and U’s message <M₁₀, M₁₁, M₁₂, TS₄> from GWN. From Section 3.1, we know that U_a obtains GWN’s γ. Hence, U_a computes r_GWN = M₃/γ and (ID_U, ID_GWN, r_U, r_GWN⊕K_GWN-U) = D_rGWN(M₄). Since U_a has U’s ID_U and K_GWN-U, U_a can further compute U’s new temporary identity TID_U^new by computing h(ID_U‖K_GWN-U‖TS₄)⊕M₁₁. Now, U_a can exploit U’s ID_U, K_GWN-U, and TID_U^new to impersonate U in a new authentication session.

3.3. Impersonation of GWN

U_a can impersonate GWN to cheat U and S_j. First, U_a obtains ID_U, K_GWN-U, ID_GWN, and γ as described in Section 3.2. Figure 4 shows how U_a impersonates GWN. In Step 3 of the authenticated key agreement phase, U_a neither decrypts M₆, retrieves K_GWN-Sj, nor computes M₇ = h(K_GWN-Sj‖r_GWN). Instead, U_a directly replaces M₇ with his/her random RN. Note that both U and S_j should authenticate each other and share K_U-Sj = h(ID_U‖ID_GWN‖r_GWN‖r_U‖RN‖K_GWN-U), because they do not check the validity of M₇.

3.4. Further Disscussion

In every authentication session of Vinoth et al.’s scheme, the GWN uses its long-term secret key γ to secure its short-term secret key r_GWN for each user and each IoT sensing device. However, any user can directly recover γ after an authentication session. Hence, the user derives all the secrets of other users, the GWN, and IoT sensing devices and implements the impersonation attacks. To defeat a user’s impersonation attack, γ cannot be disclosed to users.

User impersonation attacks are a serious threat under industrial IoT environments. Malicious users may impersonate other, honest users to collect sensitive industrial data or set dangerous processing instructions. By impersonating IoT sensing devices, malicious users can provide fake industrial data to other users. If malicious users employ impersonation of the GWN, they can manipulate a secure connection between the target user and IoT sensing devices. That is, malicious users can decide which IoT sensing devices can be connected to the target user.

4. IoT Sensing Device Impersonation Attacks

We showed that Vinoth et al.’s scheme was vulnerable to IoT sensing device impersonation attacks. That is, any legal but corrupt sensing device could impersonate users, the GWN, and any other IoT sensing devices in the deployed network. We assumed that S_j is a legal but corrupt IoT sensing device.

4.1. Impersonation of Users

To obtain TID_U, S_jeavesdrops on GWN’s message <TID_U, M₁, M₂, TS₁> during Step 2 of the login phase. S_jfurther obtains U’s ID_U, ID_GWN, and K_GWN-U in Step 2 of the authenticated key agreement phase. However, S_j does not return the message <M₆, TS₃> to GWN. In this situation, both U and GWN terminate this session and therefore fail to update TID_U. Alternatively, S_j returns the message <M₆, TS₃> to GWN in Step 2 of the authenticated key agreement phase and further eavesdrops on U’s message <M₁₀, M₁₁, M₁₂, TS₄> during Step 3 of the authenticated key agreement phase. At this time, S_j further obtains TID^new by computing h(ID_U‖K_GWN-U‖TS₄)⊕M₁₃. Now, S_j knows all of U’s secrets. As shown in Figure 5, S_j can start a new authentication session and perform the following steps to impersonate U:

(1) In Step 2 of login phase, S_juses K_GWN-U, TID_U, and ID_GWN to generate M₁ and M₂.

(2) In Step 5 of authenticated key agreement phase, S_jdoes exactly the same as U.

At the end of the authentication session, S_m (1 ≤ m ≠ j ≤ n) authenticates S_j as U and shares K_U-Sj = h(ID_U‖ID_GWN‖r_GWN‖r_U‖M₇‖K_GWN-U) with S_j.

4.2. Impersonation of GWN

Moreover, in Step 2 of the authenticated key agreement phase, S_j can use k_j to compute r_GWN≡M₃ mod k_j. Hence, S_jcan further derive GWN’s γ by computing M₃/r_GWN. Now, S_j can exploit TID_U, ID_U, K_GWN-U, ID_GWN, and γ to impersonate GWN. As shown in Figure 6, the fake GWN impersonated by S_j omits M₆, generates its own RN, and then replaces M₇ with RN. Both U and S_j believe that RN is a legal M₇ because they do not check the validity of M₇. Finally, both U and S_m authenticate each other and share K_U-Sj = h(ID_U‖ID_GWN‖r_GWN‖r_U‖RN‖K_GWN-U).

4.3. Impersonation of Other IoT Sensing Devices

If S_j wants to impersonate any other IoT sensing device S_m(1 ≤ m ≠ j ≤ n), S_j first eavesdrops on S_m’s message <M₆, TS₃> during Step 2 of the authenticated key agreement phase and computes (ID_Sm, s_m, f_m) = D_rGWN(M₆).

As shown in Figure 7, S_j can impersonate S_m using ID_Sm, s_m, f_m, and k_j in a new authentication session. In Step 2 of the authenticated key agreement phase, S_j recovers r_GWN by computing M₃ mod k_j. Then, S_j uses ID_Sm, s_m, f_m to fabricate S_m’s M₆. In Step 4 of the authenticated key agreement phase, S_j calculates M₇ by computing M₈ mod k_j. At the end of the new authentication session, U believes that S_j is S_m and shares K_U-Sj = h(ID_U‖ID_GWN‖ r_GWN‖r_U‖M₇‖K_GWN-U) with S_j.

4.4. Further Disscussion

A legal but corrupt S_j can derive U’s TID_U, ID_U, and K_GWN-U; GWN’s ID_GWN and γ; and another IoT sensing device S_m’s ID_Sm, s_m, and f_m from the public messages of the authentication session. Hence, S_j successfully impersonates U, GWN, and S_m by exploiting those secret parameters. To defeat the proposed attacks, Vinoth et al.’s scheme should avoid disclosing the secret parameters of other entities to S_j.

Industrial IoT sensing devices are perhaps exposed to hostile environments. An attacker may hijack and compromise industrial IoT sensing devices by physical means or Trojan horses. Once the attackers control an industrial IoT sensing device, they can subvert the industrial IoT sensing system just like the malicious user described in Section 3.4.

5. Replay Attack

As shown in Figure 2, we found that S_j’s TS₃ in the message <M₆, TS₃> was not protected by any cryptographic mechanism. Based on this observation of Vinoth et al.’s scheme, an outside attacker can eavesdrop on a valid message <M₆, TS₃> in a normal run of the authenticated key agreement phase. Then, the attacker reuses M₆ and attaches the current timestamp TS₃* to impersonate S_j. Figure 8 describes this replay attack on Vinoth et al.’s scheme. After the replay attack, GWN believes that the attacker is S_j, although the attacker does not know any secret of S_j. Meanwhile, U does not authenticate the attacker as S_j. Note that GWN actually finishes its session in Step 3 of the authenticated key agreement phase and updates U’s temporary identity. As a result, GWN updates the old TID_U to a new TID_U^new, but U still keeps the old TID_U. This means that U cannot log into the deployed network anymore, because during Step 1 of the authenticated key agreement phase, GWN fails to retrieve ID_U and K_GWN-U according to U’s old TID_U. For the industrial IoT sensing system, the legal user faces denial of service once the attacker implements the replay attack.

To fix this vulnerability, we suggest that TS₃ should be protected by the cryptographic mechanism. For example, S_jcould compute M₆ = E_rGWN(ID_Sj, s_j, f_j, TS₃) instead of M₆ = E_rGWN(ID_Sj, s_j, f_j) in Step 2 of the authenticated key agreement phase.

6. Desynchronization Attack

In Vinoth et al.’s scheme, U and GWN keep the same TID_U to authenticate each other. Hence, as shown in Figure 9, an outside attacker can block the message <M₁₀, M₁₁, M₁₂, TS₄> in Step 3 of the authenticated key agreement phase and instead send the message <M₁₀, RN, M₁₂, TS₄*> to U. Here, TS₄* is the attacker’s current timestamp. During Step 5 of the authenticated key agreement phase, U confirms the freshness of TS₄* in the fabricated message <M₁₀, RN, M₁₂, TS₄*>, decrypts r_U from M₁₀, and successfully verifies r_U and M₁₂. U also computes K_U-Sj = h(ID_U‖ID_GWN‖r_GWN‖r_U‖M₇‖K_GWN-U) and verifies M₁₃. Then, U further updates TID_U to TID_U^new = h(ID_U‖K_GWN-U‖TS₄*)⊕RN. The TID_U^new computed by U is not equal to the TID_U^new generated by GWN during Step 3 of the authenticated key agreement phase. This causes the failure to authenticate in the subsequent runs of Vinoth et al.’s scheme, though U, GWN, and S_jare all legal and honest.

The attacker randomly changes M₁₁ because Vinoth et al.’s scheme does not check the authenticity of M₁₁. To overcome the desynchronization attack, our suggestion is to apply the message authentication code algorithm for M₁₁. Where industrial IoT sensing applications are concerned, this desynchronization attack has the same negative impact as the replay attack discussed in Section 5.

7. Weakness of User Privacy

In the authenticated key agreement scheme, user privacy guarantees that the attacker cannot derive the user’s identity from the transmitted messages of the authentication sessions. This is called user anonymity. Moreover, the attacker also fails to link two different authentication sessions to the same user. This is called untraceability. User privacy is a concern in industrial IoT sensing applications, as users’ private data can be leaked and misused if a factory deployed with IoT sensing devices is subjected to cyberattacks. For example, users’ presence or absence at the industrial control room can be revealed simply by observing authentication sessions.

Vinoth et al. claimed that their scheme supported both user anonymity and untraceability because it employed the temporal TID_U to hide U’s long-term ID_U. Furthermore, the symmetric encryption algorithm and cryptographic hash function were utilized to protect U’s ID_U. In Section 3.2, we show that U_a can attain any other target user U’s ID_U, K_GWN-U, and TID_U^new. Hence, when U_a finds TID_U^new in the message <TID_U, M₁, M₂, TS₁> during Step 2 of the login phase, U_a knows that U is running a session. Then, U_a can eavesdrop on the message <M₁₀, M₁₁, M₁₂, TS₄> in Step 3 of the authenticated key agreement phase and synchronously update U’s new temporal TID_U^new by computing h(ID_U‖K_GWN-U‖TS₄)⊕M₁₁. As a result, U_a can track any U all the time. S_j also can track any target user U. S_j first derives U’s TID_U, ID_U, and K_GWN-U as discussed in Section 4.1. Then, S_j uses TID_U to identify U, eavesdrops on the message <M₁₀, M₁₁, M₁₂, TS₄> during Step 3 of the authenticated key agreement phase and updates TID_U just like U. In conclusion, Vinoth et al.’s scheme fails to provide the user privacy protection.

Vinoth et al.’s scheme suffers from weak user privacy because it is vulnerable to user and IoT sensing device impersonation attacks. Vinoth et al.’s scheme could provide better user privacy if both user and IoT sensing device impersonation attacks are repaired correctly.

8. Conclusions and Future Work

In Vinoth et al.’s scheme, the user and multiple IoT sensing devices negotiate a secret session key via a group key, i.e., r_GWN. This novel design improves the efficiency of Vinoth et al.’s scheme. It is a desirable feature of the IoT sensing applications. Hence, we study Vinoth et al.’s scheme in aspects of security and privacy. Although Vinoth et al.’s scheme proved secure under the Canetti–Krawczyk threat model [40], we still revealed several serious security and privacy vulnerabilities in the scheme. In addition, Vinoth et al.’s scheme employs random numbers such as r_U and r_GWN and timestamps such as TS₁, TS₂, TS₃, and TS₄ at the same time. It is widely known that random numbers and timestamps are both used to defeat reply attacks and ensure the freshness of the message. From the perspective of applications, the use of both random numbers and timestamps increases the complexity of the authentication system and brings greater security risk. Therefore, it would be best to adopt only one of them in an authenticated key agreement scheme.

It is still a challenge to design a robust and efficient authenticated key agreement scheme for IoT sensing applications. One avenue for future work is to formulate a communication model appropriate for defining authentication and key agreement goals and present the definitions of security and privacy under the communication model. The results of our analysis of Vinoth et al.’s scheme can provide a reference for these definitions. Another avenue for future work is to develop an authenticated key agreement scheme that not only satisfies our formal definitions but also achieves high efficiency. In [41], Bellare and Rogaway proposed a security definition, a protocol, and a proof for secure session key distribution with the trust three-party case. One feasible idea is to extend Bellare and Rogaway’s definition and protocol for IoT sensing models. We expect that this will require a great deal of research work to accomplish.