Article

An Improved Protocol for the Password Authenticated Association of IEEE 802.15.6 Standard That Alleviates Computational Burden on the Node

1 Department of Computer Science and Software Engineering, Xi’an Jiaotong-Liverpool University, Suzhou 215123, China
2 School of Electrical Engineering and Electronics and Computer Science, University of Liverpool, Liverpool L69 3BX, UK
* Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Symmetry 2016, 8(11), 131; https://doi.org/10.3390/sym8110131
Submission received: 12 July 2016 / Revised: 9 November 2016 / Accepted: 10 November 2016 / Published: 17 November 2016
(This article belongs to the Special Issue Symmetry in Secure Cyber World)

Abstract:
The IEEE Std 802.15.6 is an international standard for wireless body area networks (WBANs). It contains many aspects of communications, and also provides security services, since some communications in WBANs can carry sensitive information. In this standard, the password authenticated association is a protocol for two participants to identify each other and establish a new master key based on a pre-shared short password. However, recent research shows that this protocol is vulnerable to several attacks. In this paper, we propose an improved protocol which can resist all of these attacks. Moreover, the improved protocol alleviates computational burden on one side of the two participants, the node, which is usually less powerful compared with the other side, the hub.

1. Introduction

A wireless body area network (WBAN) is a wireless network of wearable computing devices, including implanted devices embedded inside the body or attached to the skin, and accompanying devices which humans can carry by hand, in clothes pockets or in bags [1,2,3,4]. WBAN applications [5,6] are growing and becoming more indispensable in people’s lives due to the increasing accessibility of network services and computing devices. Despite the great progress in networking and computing technology, security is one significant factor that influences users’ choice of WBAN applications, since such applications involve a lot of personal information and are therefore exposed to security issues.
IEEE Standard (Std) 802.15.6 [7] is an international standard for wireless communication between nodes and hubs in WBANs. It provides strong security for communications that carry sensitive information. In the security services of this standard, the security association procedure activates a pre-shared, or generates a new, shared master key (MK) between a node and a hub. Several security association protocols suitable for a variety of use cases are provided in this standard. Among these protocols, password authenticated association [8,9] is a protocol for a node and a hub to generate a new shared MK from a pre-shared secret, i.e., the password. However, recent research shows that this protocol is vulnerable to several attacks, such as the Man-in-the-Middle and impersonation attacks illustrated in [10], and the off-line dictionary attack and the lack of forward secrecy discussed in [11,12]. To eliminate these attacks, the authors of [10] also propose a modified version of this protocol.
In this paper, an improved password authenticated association protocol is proposed. In the rest of this paper, we denote this protocol as the improved protocol, the protocol in [10] as the modified protocol, and the protocol in the IEEE 802.15.6 standard as the standard protocol. Compared with the modified protocol and the standard protocol, the improved protocol eliminates all the attacks above. Moreover, it alleviates the computational burden on the node. Since the node usually has limited computational power compared with the hub, the improved protocol is meaningful in practice.
The remaining part of this paper is organized as follows: Section 2 contains preliminaries and symbols that are used in this paper. In Section 3, we review the standard protocol and the attacks available in the literature. In Section 4, the improved protocol is proposed, and its security and performance are analyzed in Section 5 and Section 6, respectively. Section 7 shows a use case of this improved protocol. Related works are provided in Section 8. Finally, Section 9 concludes this paper.

2. Preliminaries and Symbols

2.1. Elliptic Curve Public Key Cryptography

2.1.1. Elliptic Curve

The IEEE 802.15.6 password authenticated association protocol is based on the Diffie–Hellman key exchange [13] employing elliptic curve public key cryptography (ECC). An elliptic curve $E$ can be characterized by the following equation [14,15]:
$$y^2 \equiv x^3 + ax + b \pmod p \quad \text{with } a, b \in GF(p),\ 4a^3 + 27b^2 \not\equiv 0 \pmod p$$
where $(x, y)$ is a point on the curve; $a$ and $b$ are coefficients; $p$ is an odd prime; and $GF(p)$ is a prime finite field. For the choice of a suitable elliptic curve, the IEEE Std 802.15.6 suggests using Curve P-256 in FIPS Pub 186-3. The values of $a$, $b$, $p$, the base point $G = (G_x, G_y)$ and the order $r$ of $G$ are given in the standard.

2.1.2. Elliptic Curve Diffie–Hellman

Elliptic curve Diffie–Hellman (ECDH) is an anonymous key agreement protocol that allows two parties, each having an elliptic curve public-private key pair, to establish a shared secret over an insecure channel [16]. Suppose $SK_A$ and $SK_B$ are the private keys of two communicating parties A and B, respectively. $SK_A$ and $SK_B$ are random integers from the set $\{1, \ldots, r-1\}$. The corresponding public keys $PK_A$ and $PK_B$ are computed as follows:
$$PK_A = SK_A \times G, \quad PK_B = SK_B \times G$$
where $\times$ denotes scalar multiplication of $G$ by an integer. In the ECDH protocol, A and B exchange their public keys and compute $(x_k, y_k) = SK_A \times PK_B$ and $(x_k, y_k) = SK_B \times PK_A$, respectively. The shared key is $x_k$, i.e., the x coordinate of the point.

2.2. Password Authenticated Key Exchange

The password authenticated association protocol in the IEEE 802.15.6 standard is a variation of password authenticated key exchange (PAKE) [8]. A PAKE protocol uses a pre-shared password for authenticated key establishment. The password is usually short and easy for humans to remember, and for security purposes it is not stored directly in the memory of physical devices. Instead, it is input by the users at the beginning of each run of the PAKE protocol.

2.3. Symbols

The association protocol is initiated by the node to generate a shared master key with the hub from a pre-shared password between them. We denote the node as the initiator and the hub as the responder. Some other symbols used in this paper are summarized in Table 1.

3. IEEE 802.15.6 Password Authenticated Association Protocol

We review the IEEE 802.15.6 password authenticated association protocol, i.e., the standard protocol, and discuss its vulnerabilities in this section.

3.1. Description of the Standard Protocol

3.1.1. Set-Up

The initiator and the responder set up their private and public key as follows:
  • The initiator chooses a random $SK_I$ and computes the public key $PK_I = SK_I \times G$.
  • The responder selects its private key $SK_R$ and computes $PK_R = SK_R \times G$.

3.1.2. Master Key Generation

The initiator and the responder execute the following steps to generate a shared master key.
  • The initiator computes a password-scrambled public key
    $PK'_I = PK_I - Q(PW)$
    and sends it to the responder along with a nonce $N_I$ and the identities $I$ and $R$:
    $M_1 = \{R, I, N_I, PK'_I\}$
  • After receiving $M_1$, the responder sends the identities, a nonce and its public key back to the initiator:
    $M_2 = \{I, R, N_R, PK_R\}$
  • The responder recovers $PK_I$ as follows:
    $PK_I = PK'_I + Q(PW)$
    The initiator and the responder compute the Diffie–Hellman key, respectively, through
    $K = SK_I \times PK_R = SK_R \times PK_I$
    The responder computes a message authentication code
    $MAC_3 = CMAC_{64}(RMB_{128}(K), I \| R \| N_I \| N_R)$
    and then sends the initiator
    $M_3 = \{I, R, N_R, PK_R, MAC_3\}$
  • The initiator verifies the received $MAC_3$. If the verification succeeds, the initiator computes a message authentication code
    $MAC_4 = CMAC_{64}(RMB_{128}(K), R \| I \| N_R \| N_I)$
    and sends the responder
    $M_4 = \{R, I, N_I, PK_I, MAC_4\}$
  • The responder verifies $MAC_4$. If the verification succeeds, both parties compute and activate their new master key as follows:
    $MK = CMAC_{128}(LMB_{128}(K), N_I \| N_R)$

3.2. Security Problems

The standard protocol uses the password to hide the public key of the initiator through $PK'_I = PK_I - Q(PW)$ in the first step, so that only the responder can recover $PK_I$ from $PK_I = PK'_I + Q(PW)$. However, the protocol reveals $PK_I$ in $M_4$ of step 4, which means an eavesdropper who intercepts $M_4$ can acquire $Q(PW)$. In this case, the password is no longer secret in the following runs of the protocol. This is the root cause of the vulnerabilities of the standard protocol. The security problems and attacks on the standard protocol reported in the literature are summarized as follows:
  • Impersonation attack. In [10], the authors illustrate an initiator impersonation attack and a responder impersonation attack on the standard protocol. At the end of these attacks, the attacker successfully establishes a master key with one of the communicating parties, while that party believes it shares the master key with the true participant.
  • Man-in-the-Middle attack. In [10], the authors show that an attacker can break into the communication between the initiator and the responder and modify the messages at will. In the end, the attacker shares two master keys, one with the initiator and one with the responder, while the initiator and the responder believe they share a master key with each other. Figure 1 is a time-sequence diagram that illustrates the procedure of the Man-in-the-Middle attack against the protocol.
  • Off-line dictionary attack. The authors in [11,12] show that a dictionary attacker who eavesdrops on the messages between the initiator and the responder in a protocol run can obtain $PK'_I$ and $PK_I$ and compute $Q(PW)$ from $Q(PW) = PK_I - PK'_I$. Then, $Q(PW)$ can be used as a verifier: the attacker can try candidate $PW$s from a dictionary of the most probable passwords and check each of them against $Q(PW)$.
  • Lack of forward secrecy. The authors in [11,12] illustrate that if $SK_I$ has been compromised by an attacker, the attacker can acquire the Diffie–Hellman key $K$ by computing $K = SK_I \times PK_R$, and then $MK$ from $MK = CMAC_{128}(LMB_{128}(K), N_I \| N_R)$, since $PK_R$, $N_I$ and $N_R$ are sent in plaintext.

3.3. The Modified Protocol

The authors in [10] propose a modified version of the standard protocol. Specifically, the modified protocol is the same as the standard one except that it does not send $PK_I$ in the clear in $M_4$. This modification solves most of the security problems mentioned in Section 3.2, but it still fails to provide forward secrecy. We compare the security and performance of these two protocols with those of our newly proposed protocol later in this paper.

4. The Improved Protocol

The improved protocol assumes that $PK$ and $SK$ can be reused in each run of the protocol. This assumption is reasonable since, in the improved protocol, the temporary Diffie–Hellman key $K$ is derived from two random values chosen by the initiator and the responder, respectively, rather than from their public and private keys. The improved protocol is described in detail as follows.
  • The initiator chooses a random value $R_I$ and computes
    $U_I = R_I + SK_I$
    and
    $PK'_I = PK_I - Q(PW)$
    Then, the initiator sends message $M_1$ to the responder:
    $M_1 = \{I, R, U_I, PK'_I, N_I\}$
  • The responder chooses a random value $R_R$ and computes
    $U_R = R_R + SK_R$
    and
    $T_R = U_R \times G$
    Then, the responder sends message $M_2$ to the initiator:
    $M_2 = \{R, I, T_R, PK_R, N_R\}$
  • The responder recovers $PK_I$ as follows:
    $PK_I = PK'_I + Q(PW)$
    The initiator computes the Diffie–Hellman key through
    $K = (T_R - PK_R) \times R_I = G \times R_R \times R_I$
    The responder computes $K$ as follows:
    $K = (U_I \times G - PK_I) \times R_R = G \times R_R \times R_I$
    With $K$, the responder computes a message authentication code
    $MAC_3 = CMAC_{64}(RMB_{128}(K), I \| R \| N_I \| N_R)$
    and then sends the initiator
    $M_3 = \{I, R, N_R, PK_R, MAC_3\}$
  • The initiator verifies the received $MAC_3$. If the verification succeeds, the initiator computes a message authentication code
    $MAC_4 = CMAC_{64}(RMB_{128}(K), R \| I \| N_R \| N_I)$
    and sends the responder
    $M_4 = \{R, I, N_I, MAC_4\}$
  • The responder verifies $MAC_4$. If the verification succeeds, both parties compute and activate their new master key as follows:
    $MK = CMAC_{128}(LMB_{128}(K), N_I \| N_R)$
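The following is an added, runnable example written for this page; it is not code from the paper or from the IEEE standard. It executes one run of the improved protocol on Curve P-256 (the curve from Section 2.1.1, with ECDH scalar multiplication from Section 2.1.2 implemented in affine coordinates), checks that the initiator's $(T_R - PK_R) \times R_I$ and the responder's $(U_I \times G - PK_I) \times R_R$ reach the same $K = G \times R_R \times R_I$, and counts the scalar multiplications each side performs, which is the operation $S$ of Section 6.1. It also contains the Section 3.2 observation in one function: when $PK_I$ is sent in the clear in $M_4$, as the standard protocol does, $PK_I - PK'_I$ gives $Q(PW)$, which is why $M_4$ of the improved protocol omits $PK_I$. Assumptions (all mine, not the standard's): $Q(PW)$ is replaced by a stand-in that hashes the password to a scalar and multiplies $G$ by it; $CMAC_{64}$ and $CMAC_{128}$ are replaced by HMAC-SHA256 truncated to 64 and 128 bits; $K$ is used as the x coordinate of the point, as in Section 2.1.2; the identities are the constructed byte strings "node" and "hub"; every function name is mine.

```python
import hashlib
import hmac
import secrets

# NIST Curve P-256 (FIPS Pub 186-3), the curve the standard recommends.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
ORDER = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551

SCALAR_MULTS = {"I": 0, "R": 0}  # per-party count of the costly operation S (Section 6.1)


def ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_sub(p1, p2):
    return ec_add(p1, None if p2 is None else (p2[0], -p2[1] % P))


def ec_mul(k, point, party=None):
    """Double-and-add scalar multiplication k x point, counted per party when asked."""
    if party:
        SCALAR_MULTS[party] += 1
    result, addend = None, point
    for bit in bin(k % ORDER)[2:][::-1]:
        if bit == "1":
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
    return result


def q_of_pw(pw):
    """Stand-in for the standard's Q(PW) map (assumption): hash PW to a scalar, multiply G."""
    return ec_mul(int.from_bytes(hashlib.sha256(pw).digest(), "big"), G)


def mac(key16, data, nbytes):
    """Stand-in for CMAC_64 / CMAC_128 (assumption): HMAC-SHA256 truncated to nbytes."""
    return hmac.new(key16, data, hashlib.sha256).digest()[:nbytes]


def standard_protocol_leak(pk_i_masked, pk_i):
    """Section 3.2: the standard protocol sends PK'_I in M_1 and PK_I in M_4,
    so an eavesdropper obtains the password verifier Q(PW) = PK_I - PK'_I."""
    return ec_sub(pk_i, pk_i_masked)


def improved_protocol(sk_i, sk_r, pw, r_i, r_r, n_i, n_r):
    """One run of the improved protocol (Section 4); returns what each side derives."""
    I, R = b"node", b"hub"                          # identities (constructed)
    pk_i, pk_r = ec_mul(sk_i, G), ec_mul(sk_r, G)   # long-term keys from set-up, reusable
    q = q_of_pw(pw)
    # Step 1, initiator: U_I = R_I + SK_I and PK'_I = PK_I - Q(PW), sent in M_1
    u_i = (r_i + sk_i) % ORDER
    pk_i_masked = ec_sub(pk_i, q)
    # Step 2, responder: U_R = R_R + SK_R and T_R = U_R x G, sent in M_2
    u_r = (r_r + sk_r) % ORDER
    t_r = ec_mul(u_r, G, "R")
    # Step 3: responder unmasks PK_I; each side reaches K = G x R_R x R_I
    pk_i_rec = ec_add(pk_i_masked, q)
    k_i = ec_mul(r_i, ec_sub(t_r, pk_r), "I")                       # (T_R - PK_R) x R_I
    k_r = ec_mul(r_r, ec_sub(ec_mul(u_i, G, "R"), pk_i_rec), "R")   # (U_I x G - PK_I) x R_R
    kx_i, kx_r = k_i[0].to_bytes(32, "big"), k_r[0].to_bytes(32, "big")  # K as x coordinate
    mac3 = mac(kx_r[16:], I + R + n_i + n_r, 8)                    # CMAC_64(RMB_128(K), ...)
    # Step 4, initiator: verify MAC_3, then send MAC_4 (M_4 carries no PK_I)
    if not hmac.compare_digest(mac3, mac(kx_i[16:], I + R + n_i + n_r, 8)):
        raise ValueError("MAC_3 verification failed")
    mac4 = mac(kx_i[16:], R + I + n_r + n_i, 8)
    # Step 5, responder: verify MAC_4; both activate MK = CMAC_128(LMB_128(K), N_I || N_R)
    if not hmac.compare_digest(mac4, mac(kx_r[16:], R + I + n_r + n_i, 8)):
        raise ValueError("MAC_4 verification failed")
    return {"K_I": k_i, "K_R": k_r,
            "MK_I": mac(kx_i[:16], n_i + n_r, 16), "MK_R": mac(kx_r[:16], n_i + n_r, 16),
            "expected_K": ec_mul(r_i * r_r % ORDER, G),
            "transcript": (u_i, pk_i_masked, t_r, pk_r)}


if __name__ == "__main__":
    rnd = lambda: secrets.randbelow(ORDER - 1) + 1
    out = improved_protocol(rnd(), rnd(), b"1234", rnd(), rnd(),
                            secrets.token_bytes(16), secrets.token_bytes(16))
    print("MK agreed:", out["MK_I"] == out["MK_R"], "scalar multiplications:", SCALAR_MULTS)
```

Running it shows the node doing one scalar multiplication and two MAC computations per run (the set-up multiplication $SK_I \times G$ is reusable and is not counted), while the hub does three, which is the asymmetry Section 6.1 and the conclusion describe. The affine arithmetic here is written for clarity, not for constant time; a real node would use a hardened implementation such as the crypto chip of Section 6.2.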

5. Security Analysis

In Section 3.2, we listed all the known attacks on the standard protocol; in this section, we prove the security of the improved protocol against all of them.

5.1. Impersonation Attack

Proposition 1.
Suppose the initiator and the responder have shared a password $PW$ secretly; then an attacker is not able to impersonate the initiator to establish the master key $MK$ with the responder.
Proof.
Assume $A_I$ is an attacker who attempts to impersonate the initiator and establish $MK$ with the responder. $A_I$ attacks the protocol as follows:
  • $A_I$ initializes the protocol with the responder by sending the first message $M_{A1}$ as follows:
    $M_{A1} = \{I, R, U_A, PK'_I, N_A\}$
    where $U_A = R_A + SK_A$, and $R_A$ and $N_A$ are random values generated by $A_I$.
  • After receiving $M_{A1}$, the responder chooses a random value $R_R$ and computes $U_R = R_R + SK_R$ and $T_R = U_R \times G$. Then, the responder replies to $A_I$ with $M_2$:
    $M_2 = \{R, I, T_R, PK_R, N_R\}$
  • The responder recovers $PK_I$ and computes $K = (U_A \times G - PK_I) \times R_R$. Then, the responder computes $MAC_3 = CMAC_{64}(RMB_{128}(K), I \| R \| N_A \| N_R)$ and sends the following message $M_3$ to $A_I$:
    $M_3 = \{I, R, N_R, PK_R, MAC_3\}$
  • At this step, $A_I$ needs to send the responder $MAC_{A4}$, which must equal $CMAC_{64}(RMB_{128}(K), R \| I \| N_R \| N_A)$ so that it can pass the verification at the beginning of the next step.
In step 4, in order to compute a valid $MAC_{A4}$, $A_I$ has to calculate $K = (U_A \times G - PK_I) \times R_R = (R_A \times G + PK_A - PK_I) \times R_R$. However, without either $PK_I$ or $R_R$, $A_I$ has no choice but to guess $MAC_{A4}$. The probability of guessing a valid $MAC_{A4}$ is $1/2^{64}$.
Alternatively, in the first message $M_{A1}$, the adversary $A_I$ can send a $U_I$ intercepted in previous protocol runs instead of $U_A$. In this case, the $K$ computed by the responder in step 3 equals $(U_I \times G - PK_I) \times R_R = G \times R_I \times R_R = (T_R - PK_R) \times R_I$. It is still infeasible for $A_I$ to compute $K$, since $R_R$ and $R_I$ are unknown to $A_I$.
From the above analysis, we can draw the conclusion that the probability of $A_I$ successfully impersonating the initiator and establishing a master key with the responder is $1/2^{64}$, which is negligible over the life cycle of a normal node in WBAN applications. ☐
Proposition 2.
Suppose the initiator and the responder have shared a password $PW$ secretly; then an attacker is not able to impersonate the responder to establish the master key $MK$ with the initiator.
Proof.
Assume $A_R$ is an attacker who intends to impersonate the responder and establish $MK$ with the initiator. $A_R$ attacks the protocol as follows:
  • The initiator sends $A_R$ the message $M_1$, which is the same as in step 1 of the improved protocol:
    $M_1 = \{I, R, U_I, PK'_I, N_I\}$
  • After receiving $M_1$, $A_R$ replies to the initiator with $M_{A2}$:
    $M_{A2} = \{R, I, T_A, PK_A, N_A\}$
    with $T_A = U_A \times G$ and $U_A = R_A + SK_A$, where $SK_A$ is the private key of $A_R$, and $R_A$ and $N_A$ are random values generated by $A_R$.
  • At this step, $A_R$ needs to send the initiator a $MAC_{A3}$ inside $M_{A3}$, so that it can pass the verification at the beginning of the next step.
The $MAC_{A3}$ is accepted as valid only if it equals $CMAC_{64}(RMB_{128}(K), I \| R \| N_I \| N_A)$. In order to generate a valid $MAC_{A3}$, $A_R$ can either compute the CMAC output from the inputs $K$, $I$, $R$, $N_I$, $N_A$ or guess the 64-bit result. To compute the CMAC output, $A_R$ has to calculate the $K$ that the initiator calculates through $K = (T_A - PK_A) \times R_I = G \times R_A \times R_I$. However, since $R_I$ is unknown to $A_R$, it is infeasible for $A_R$ to acquire a valid $K$. Therefore, the adversary can only guess a valid $MAC_{A3}$, with a success probability of $1/2^{64}$. Otherwise, the protocol stops at the beginning of step 4 and the attack fails.
 ☐
From Propositions 1 and 2, we can see that impersonation attacks fail whether the attacker impersonates the initiator or the responder.

5.2. Man-in-the-Middle Attack

Proposition 3.
Suppose the initiator and the responder have successfully shared a password $PW$; then a Man-in-the-Middle attacker is not able to complete the improved protocol between the initiator and the responder without being detected.
Proof.
Suppose $A$ is a Man-in-the-Middle attacker between the initiator and the responder. $A$ participates in the improved protocol as follows:
  • The initiator sends $A$ the message $M_1$, which is the same as $M_1$ in the improved protocol:
    $M_1 = \{I, R, U_I, PK'_I, N_I\}$.
  • $A$ replaces $M_1$ with $M_{A1}$ and sends it to the responder:
    $M_{A1} = \{I, R, U_A, PK'_I, N_A\}$.
  • The responder replies to $A$ with $M_2$, which is the same as $M_2$ in the improved protocol:
    $M_2 = \{R, I, T_R, PK_R, N_R\}$.
  • $A$ sends $M_{A2}$ to the initiator:
    $M_{A2} = \{R, I, T_A, PK_A, N_A\}$.
  • At this step, the Diffie–Hellman key $K_{IA}$ between $A$ and the initiator and $K_{RA}$ between $A$ and the responder are determined. Specifically, the initiator calculates $K_{IA} = (T_A - PK_A) \times R_I = G \times R_A \times R_I$, and the responder calculates $K_{RA} = (U_A \times G - PK_I) \times R_R = (R_A \times G + PK_A - PK_I) \times R_R$.
    The responder computes $MAC_3 = CMAC_{64}(RMB_{128}(K_{RA}), I \| R \| N_A \| N_R)$ and sends $A$ the message $M_3$:
    $M_3 = \{I, R, N_R, PK_R, MAC_3\}$
  • $A$ should send the initiator
    $M_{A3} = \{I, R, N_A, PK_A, MAC_{A3}\}$,
    where $MAC_{A3} = CMAC_{64}(RMB_{128}(K_{IA}), I \| R \| N_I \| N_A)$.
  • The initiator verifies $MAC_{A3}$.
  • $A$ should send the responder
    $M_{A4} = \{R, I, N_A, MAC_{A4}\}$,
    where $MAC_{A4} = CMAC_{64}(RMB_{128}(K_{RA}), I \| R \| N_A \| N_R)$.
  • The responder verifies $MAC_{A4}$.
Since $A$ has none of $R_I$, $R_R$ and $PK_I$, it is infeasible for $A$ to compute $K_{IA}$ and $K_{RA}$, and therefore $A$ cannot compute a correct $MAC_{A3}$ in step 3A or $MAC_{A4}$ in step 4A. Without valid $MAC_{A3}$ and $MAC_{A4}$, the initiator stops the protocol at the beginning of step 4, and the responder stops at the beginning of step 5, which means $A$ fails to establish an $MK$ with either the initiator or the responder. ☐

5.3. Off-Line Dictionary Attack

Proposition 4.
Suppose the initiator and the responder have successfully shared a password $PW$; then a passive eavesdropper who records one or more sessions of the improved protocol cannot eliminate a significant number of possible passwords.
Proof.
In the improved protocol, the values that are sent in the clear are $I$, $R$, $U_I$, $PK'_I$, $N_I$, $T_R$, $PK_R$, $N_R$, $MAC_3$ and $MAC_4$. In order to carry out an off-line dictionary attack, the adversary needs to acquire information that helps to check candidate passwords from a dictionary. Among all of these values sent in the clear, $PW$ is related only to $PK'_I$, through the equation $PK'_I = PK_I - Q(PW)$. $PK_I$ is kept secret in the protocol, and $PK_I = SK_I \times G$, where $SK_I$ is a random integer. Therefore, $PK_I$ is a random value and is unknown to the adversary. The equation $PK'_I = PK_I - Q(PW)$ and the value of $PK'_I$ give the attacker no further information about $PW$. Based on this acquired knowledge, the attacker is unable to eliminate possible passwords. ☐
According to Proposition 4, an off-line dictionary attack on the improved protocol is infeasible.

5.4. Forward Secrecy

Proposition 5.
Suppose the initiator and the responder have successfully shared a password $PW$; then compromise of the long-term secret keys of a set of principals does not compromise the $MK$s established in previous runs of the improved protocol involving those principals.
Proof.
The principals of this protocol are the initiator and the responder, and the long-term secret keys of these principals are the private keys $SK_I$ and $SK_R$, the password $PW$ and the public key $PK_I$, which is masked during transmission. Assume the adversary $A$ compromises these long-term secrets of the initiator and the responder, so that (s)he has $SK_I$, $SK_R$, $PW$ and $PK_I$. In order to calculate an $MK$ established in a previous run, $A$ needs to compute $MK$ from the formula $MK = CMAC_{128}(LMB_{128}(K), N_I \| N_R)$, where the $K$ of that run is a necessary input. Note that $A$ cannot use these values to run the protocol with the principals, since, in that case, the $MK$ does not belong to a previous run but is established in the current run. Therefore, $A$ has to compute $K$ through $K = (T_R - PK_R) \times R_I$, $K = (U_I \times G - PK_I) \times R_R$ or $K = G \times R_R \times R_I$. All three formulas require at least one of $R_I$ and $R_R$. However, $R_I$ and $R_R$ are random values chosen by the initiator and the responder, respectively, in each run of the protocol, which means that these values change in every protocol run and remain unknown to $A$. Without either $R_I$ or $R_R$, $A$ fails to compromise the $MK$, even though (s)he has compromised all the long-term secret keys and values. ☐
From Proposition 5, we can see that the improved protocol provides forward secrecy.

6. Performance

In order to assess the performance of the improved protocol, we evaluate the computation and communication cost theoretically. In addition, we also measure the performance through a set of experiments.

6.1. Evaluation

The overall burden of the protocol consists of three parts: communication cost, computation cost on the node and computation cost on the hub. For the communication cost, we count all of the messages transmitted between the node and the hub within a run of the protocol. In order to evaluate the computation cost, we count the number of executions of the cryptographic algorithm CMAC and of the scalar multiplication of an element of the elliptic curve by an integer, since other operations such as addition and subtraction require only minor computation.
Denote the cost of transmitting one message by $M$, the cost of executing the CMAC algorithm once by $H$, and the cost of executing one scalar multiplication by $S$. We compare the evaluated cost of the improved protocol with that of the modified protocol and the standard protocol in Table 2.
From Table 2, we can see that the improved protocol reduces the computation cost on the node, while the overall computation and communication cost does not increase. One time-consuming operation $S$ is done by the hub on behalf of the node. Since the hub is more powerful than the node, the improved protocol is more affordable for WBAN applications.

6.2. Experiments

The improved protocol contains the CMAC algorithm and ECC key generation (generating a private key and using scalar multiplication to compute the public key). We measure the runtime of these algorithms on the node through a set of experiments. In the experiments, we use an Arduino Uno as the node, SHA-256 as the CMAC algorithm and the ATECC108A crypto chip from Atmel to execute the ECC key generation. The elliptic curve is Curve P-256 in Federal Information Processing Standards (FIPS) Pub 186-3. A description of the node is listed in Table 3, and the results are summarized in Table 4.
From Table 4, we can see that the runtime of these algorithms is affordable for the node, which means that the improved protocol is suitable for WBAN applications.

7. Use Case

As described before, our improved protocol reduces the computational burden on one side of the communication. This is a significant strength for some applications in wireless sensor networks. Here, we describe a smart lock system that uses our improved protocol to generate a master key. The system and the way it uses the improved protocol are described as follows.

7.1. Smart Lock System

As shown in Figure 2, the smart lock system consists of a lock, which is a physical host embedded with a computational device, and a phone on which a smart lock application is installed. The aim of this system is to use the phone application to securely lock or unlock the lock. Naturally, the computationally limited lock is the initiator and the relatively powerful phone is the responder. The smart lock system includes the following three phases, and our protocol is involved in the first phase.
  • Master Key Generation. The lock and the phone secretly input the short password and then execute our improved protocol. After this phase, a relatively long master key is shared by the lock and the phone.
  • Session Key Generation. With the master key, the lock and the phone execute a session key generation protocol (such protocols are available in the literature) to generate their session key for this round of communication.
  • Secure Communication. The newly generated session key is used for this round of communication between the phone and the lock. We describe the steps as follows:
    (1) The phone computes
    $MAC = HMAC(session\ key, P \| L \| Request \| Counter)$
    and sends the request ($LOCK/UNLOCK$) with the $MAC$ to the lock. Here, $P$ and $L$ denote the identities of the phone and the lock, and $Counter$ denotes the value of the counter.
    (2) The lock verifies the $MAC$. If the verification succeeds, the lock executes the request to lock or unlock; otherwise, it does not execute the request, or it responds with a failure message.
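The secure communication phase above, written out as an added example for this page (it is not code from the paper or from any smart lock product): the phone side computes $MAC = HMAC(session\ key, P \| L \| Request \| Counter)$ and the lock side verifies it before acting. Assumptions of mine: HMAC is instantiated with SHA-256, the counter is a 4-byte big-endian field, the lock rejects any counter that is not larger than the last accepted one (the paper only says that a counter value is included, so the strictly increasing check is my reading of its purpose), and the session key and identities are constructed sample values.

```python
import hashlib
import hmac


def request_mac(session_key, phone_id, lock_id, request, counter):
    """MAC = HMAC(session key, P || L || Request || Counter), step (1) on the phone.
    Assumption: HMAC-SHA256 and a 4-byte big-endian counter field."""
    msg = phone_id + lock_id + request + counter.to_bytes(4, "big")
    return hmac.new(session_key, msg, hashlib.sha256).digest()


class SmartLock:
    """The lock side of step (2): verify the MAC, then act on LOCK/UNLOCK.
    The strictly increasing counter check is an assumption about how the
    counter is used, added so that a recorded request cannot be played back."""

    def __init__(self, session_key, lock_id):
        self.session_key = session_key
        self.lock_id = lock_id
        self.last_counter = 0
        self.state = "LOCKED"

    def handle(self, phone_id, request, counter, tag):
        expected = request_mac(self.session_key, phone_id, self.lock_id, request, counter)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return "FAIL: bad MAC"
        if counter <= self.last_counter:
            return "FAIL: stale counter"             # replayed or reordered request
        if request not in (b"LOCK", b"UNLOCK"):
            return "FAIL: unknown request"
        self.last_counter = counter
        self.state = "LOCKED" if request == b"LOCK" else "UNLOCKED"
        return "OK"


def demo():
    """Constructed sample exchange; a real session key comes from the session-key phase."""
    key, phone, lock_id = b"\x5a" * 32, b"phone-1", b"lock-1"
    lock = SmartLock(key, lock_id)
    results = []
    t1 = request_mac(key, phone, lock_id, b"UNLOCK", 1)
    results.append(lock.handle(phone, b"UNLOCK", 1, t1))   # genuine request: accepted
    results.append(lock.handle(phone, b"UNLOCK", 1, t1))   # same message again: stale counter
    t2 = request_mac(b"\x00" * 32, phone, lock_id, b"LOCK", 2)
    results.append(lock.handle(phone, b"LOCK", 2, t2))     # MAC under a wrong key: rejected
    t3 = request_mac(key, phone, lock_id, b"LOCK", 2)
    results.append(lock.handle(phone, b"LOCK", 2, t3))     # genuine request: accepted
    return results, lock.state


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before the counter so that the lock gives the same answer to any unauthenticated message regardless of its counter value; the counter then ties each accepted request to a single position in the sequence, which is the property the Section 7.2 analysis relies on when it says an adversary without the session key cannot make the lock act.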

7.2. Analysis

The smart lock system is secure as long as the session key is kept secret by the two participants. An adversary cannot request the system to lock or unlock, because they cannot compute the correct $MAC$ without the session key. Therefore, the security of the session key is essential for the security of the whole system. Our improved protocol provides secure generation of the master key, which in turn guarantees the security of the session key.
Additionally, the device embedded in the lock is a less powerful device than a normal cell phone. Our password-based authenticated association protocol in the first phase reduces the computational cost on the lock, which makes the smart lock system more practical.

8. Related Works

8.1. Comparison

In Section 6.1, we compared the cost of the improved protocol with other related protocols in Table 2. The comparison in terms of security of these protocols is listed in Table 5, where means being secure under the corresponding attacks or providing the corresponding security feature, while × means being insecure or not providing.

8.2. Password-Based Two-Party Key Exchange

Several password-based authenticated key exchange protocols have been proposed. In this subsection, we compare our improved protocol with three kinds of two-party key exchange protocols that are based on passwords.

8.2.1. Encrypted Key Exchange Using Diffie–Hellman

Diffie–Hellman-based Encrypted Key Exchange (EKE) protocols transmit the public keys encrypted under the password. The original protocol was proposed by Bellovin and Merritt in [17], and variants and extensions of it have been proposed since. Such protocols are proven secure in the random-oracle model. However, in practice, attacks against these protocols exist, since the two parties are not able to verify the integrity of the received messages: if an attacker maliciously modifies a message, the two participants generate different keys without being aware of it.
The IEEE Std password authenticated association protocol and our improved protocol are developed from this kind of protocol. Since the IEEE Std protocol and our improved protocol use a Hash-based Message Authentication Code (HMAC) to verify the integrity of the messages transmitted between the two parties, the above attacks against the original Diffie–Hellman-based EKE protocols are eliminated.

8.2.2. RSA-Based Protocols

Rivest-Shamir-Adleman (RSA)-based protocols use the RSA algorithm as the basis of the password authenticated key exchange scheme. In [18], MacKenzie proposed a variant of RSA-based open key exchange called SNAPI (Secure Network Authentication with Password Information). Verification of the integrity of transmitted messages is included in this protocol. However, this protocol is not suitable for wireless sensor networks, since sensors are usually not powerful enough to run the RSA algorithm.

8.2.3. Protocols Using a Server Public Key

Some password-based authenticated key exchange protocols use a server public key in addition to the pre-shared password. Such protocols include the Gong-Lomas-Needham-Saltzer (GLNS) compact protocol proposed by Gong et al. in [19], Gong’s optimal GLNS nonce-based protocol in [20], the Kwon–Song protocol in [21] and the Halevi–Krawczyk protocol in [22]. However, all four protocols use public key encryption, whose computational cost is too high for sensor devices. Moreover, the former two protocols require the participation of a server.

9. Conclusions

In low-power, low-complexity wireless sensor network applications such as WBANs, the communication security requirements mainly include authentication between participants, as well as confidentiality and integrity of transmitted messages. Mechanisms that aim to satisfy these requirements usually need a secret key to be held by the participants. Therefore, key establishment and management are significant for security services in communication networks. The password authenticated association protocol is a scheme for the participants to generate a master key from a pre-shared password.
Considering the asymmetric power of the two participants in WBANs, we propose an improved password authenticated association protocol that reduces the computational cost on the less powerful participant of the communication. The improved protocol resists both impersonation attacks and Man-in-the-Middle attacks. A master key between the node and the hub is established securely and efficiently through this protocol, and it is afterwards used for pairwise temporal key (PTK) creation; the PTK is the key used in the encryption and decryption process to provide authentication, confidentiality and integrity for the communication.
The improved protocol requires one scalar multiplication and two HMAC computations on the node (i.e., the initiator). Since the computational costs of these algorithms are acceptable to devices with limited power in WBANs, the improved protocol is suitable for applications in WBANs.

Acknowledgments

This work has been supported by the Xi’an Jiaotong-Liverpool University research development fund projects RDF140243 and RDF150246, as well as by the Suzhou Science and Technology Development Plan under grant SYG201516, and Jiangsu Province National Science Foundation under grant BK20150376.

Author Contributions

Jie Zhang and Xin Huang attacked the standard protocol, and conceived and designed the improved protocol; Paul Craig and Alan Marshall analyzed the result; Jie Zhang wrote the paper; and Paul Craig and Alan Marshall modified the English language of the manuscript; Dawei Liu and Xin Huang contributed analysis tools.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
WBAN: Wireless Body Area Network
PTK: Pairwise Temporal Key
MAC: Message Authentication Code
EKE: Encrypted Key Exchange
SNAPI: Secure Network Authentication with Password Information
CMAC: Cipher-based Message Authentication Code
SRAM: Static Random Access Memory
EEPROM: Electrically Erasable Programmable Read-Only Memory
SHA: Secure Hash Algorithm

References

  1. Huang, X.; Chen, B.; Markham, A.; Wang, Q.; Yan, Z.; Roscoe, A.W. Human interactive secure key and identity exchange protocols in body sensor networks. Inf. Sec. 2013, 7, 30–38.
  2. Huang, X.; Wang, Q.; Chen, B.; Markham, A.; Jäntti, R.; Roscoe, A.W.F. Body sensor network key distribution using human interactive channels. In Proceedings of the 4th International Symposium on Applied Sciences in Biomedical and Communication Technologies, Barcelona, Spain, 26–29 October 2011.
  3. Ullah, S.; Higgins, H.; Braem, B.; Latre, B.; Blondia, C.; Moerman, I.; Saleem, S.; Rahman, Z.; Kwak, K.S. A comprehensive survey of wireless body area networks. J. Med. Syst. 2012, 36, 1065–1094.
  4. Movassaghi, S.; Abolhasan, M.; Lipman, J.; Smith, D.; Jamalipour, A. Wireless body area networks: A survey. IEEE Commun. Surv. Tutor. 2014, 16, 1658–1686.
  5. Abdmeziem, M.R.; Tandjaoui, D. An end-to-end secure key management protocol for e-health applications. Comput. Electr. Eng. 2015, 44, 184–197.
  6. Jovanov, E. Wireless technology and system integration in body area networks for m-health applications. In Proceedings of the 27th Annual International Conference of the Engineering in Medicine and Biology Society, Shanghai, China, 1–4 September 2005; pp. 7158–7160.
  7. IEEE Standards. IEEE Standard for Local and Metropolitan Area Networks-Part 15.6: Wireless Body Area Networks. 2012. Available online: http://standards.ieee.org/about/get/802/802.15.html (accessed on 29 February 2012).
  8. Boyd, C.; Mathuria, A. Protocols for Authentication and Key Establishment; Springer Science & Business Media: Berlin, Germany, 2013.
  9. Abdalla, M. Password-based authenticated key exchange: An overview. In Provable Security; Springer: Berlin, Germany, 2014; pp. 1–9.
  10. Huang, X.; Liu, D.; Zhang, J. An improved IEEE 802.15.6 password authenticated association protocol. In Proceedings of the 4th IEEE/CIC International Conference on Communications in China (ICCC 2015), Shenzhen, China, 2–4 November 2015.
  11. Toorani, M. Security analysis of the IEEE 802.15.6 standard. Int. J. Commun. Syst. 2016.
  12. Toorani, M. On vulnerabilities of the security association in the IEEE 802.15.6 standard. In Financial Cryptography and Data Security; Springer: Berlin/Heidelberg, Germany, 2015; pp. 245–260.
  13. Diffie, W.; Hellman, M.E. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654.
  14. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209.
  15. Miller, V. Use of elliptic curves in cryptography. In Advances in Cryptology, CRYPTO85 Proceedings; Springer: Berlin/Heidelberg, Germany, 1986; pp. 417–426.
  16. Barker, E.; Chen, L.; Roginsky, A.; Smid, M. Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography; Technical Report; National Institute of Standards and Technology (NIST): Gaithersburg, MD, USA, 2012.
  17. Bellovin, S.M.; Merritt, M. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, CA, USA, 4–6 May 1992; pp. 72–84.
  18. MacKenzie, P.; Patel, S.; Swaminathan, R. Password authenticated key exchange based on RSA. In Advances in Cryptology-Asiacrypt 2000; Springer: Berlin/Heidelberg, Germany, 2000; pp. 599–613.
  19. Gong, L.; Lomas, M.; Needham, R.M.; Saltzer, J.H. Protecting poorly chosen secrets from guessing attacks. IEEE J. Sel. Areas Commun. 1993, 11, 648–656.
  20. Gong, L. Optimal authentication protocols resistant to password guessing attacks. In Proceedings of the 8th IEEE Computer Security Foundations Workshop, County Kerry, Ireland, 13–15 June 1995; pp. 24–29.
  21. Kwon, T.; Song, J. Efficient and secure password-based authentication protocols against guessing attacks. Comput. Commun. 1998, 21, 853–861.
  22. Halevi, S.; Krawczyk, H. Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Sec. (TISSEC) 1999, 2, 230–268.
Figure 1. The sequence diagram of Man-in-the-Middle attack.
Figure 2. Smart lock system.
Table 1. Symbols and definitions.
Symbol | Meaning
I | identity of the initiator (i.e., the node)
R | identity of the responder (i.e., the hub)
A | identity of an adversary
PW | the pre-shared password
K | the temporary Diffie–Hellman key used for computing CMAC
MK | the master key to be generated
(symbol not recovered) | concatenation of bit strings
SK_I, PK_I | private and public keys of the initiator
SK_R, PK_R | private and public keys of the responder
SK_A, PK_A | private and public keys of the adversary
N_I | a nonce generated by the initiator
N_R | a nonce generated by the responder
N_A | a nonce generated by the adversary
Q(x) | a function that maps a positive integer x to a point on the elliptic curve
G | base point of the elliptic curve
× | scalar multiplication
RMB_n(x) | the n rightmost bits of x
LMB_n(x) | the n leftmost bits of x
Table 2. Evaluation of performance.
Protocol | Computation Cost on Node | Computation Cost on the Hub | Total Computation Cost | Communication Cost
improved protocol | S + 2H | 3S + 2H | 4S + 4H | 4M
modified protocol | 2S + 2H | 2S + 2H | 4S + 4H | 4M
standard protocol | 2S + 2H | 2S + 2H | 4S + 4H | 4M
Table 3. Details of the node (implemented on Arduino Uno).
Microcontroller | 16 MHz, 8-bit (ATmega328)
SRAM | 2 KB
EEPROM | 1 KB
Flash memory | 32 KB (bootloader 0.5 KB)
Table 4. Run-time of involved cryptographic algorithms on the node.
Algorithm | Length of Keys (Bits) | Runtime (ms)
ECC key generation | 48 (key-length and runtime cells ran together in extraction)
SHA-256 | 5123 (key-length and runtime cells ran together in extraction)
Table 5. Comparison of security (“✓” denotes that the protocol resists the attack or possesses the security feature, and “×” denotes that the protocol does not resist the attack or does not possess the security feature).
Attacks/Security Feature | Improved Protocol | Modified Protocol | Standard Protocol
Impersonation attack | ✓ | ✓ | ×
Man-in-the-Middle attack | ✓ | ✓ | ×
Off-line dictionary attack | ✓ | ✓ | ×
Forward secrecy | ✓ | × | ×

MDPI and ACS Style

Zhang, J.; Huang, X.; Craig, P.; Marshall, A.; Liu, D. An Improved Protocol for the Password Authenticated Association of IEEE 802.15.6 Standard That Alleviates Computational Burden on the Node. Symmetry 2016, 8, 131. https://doi.org/10.3390/sym8110131