A Secure and Anonymous Authentication Protocol Based on Three-Factor Wireless Medical Sensor Networks
Round 1
Reviewer 1 Report (Previous Reviewer 1)
1) In the abstract, the authors have failed to briefly enumerate the attacks prevented by their protocol. They have also not briefly described comparative analysis results for the computation and communication costs. This has to be done so that the contributions of this paper are clear to the readers.
2) The second paragraph under the 'Introduction' section has still not been referenced at all.
3) The sub-title in Section 7.3.4 should be changed to 'BAN Logic initial state assumptions'.
4) The authors have failed to include future research directions in the '9. Conclusion' section.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 2 Report (Previous Reviewer 2)
1. Abstract needs improvement as it does not convey insight of the work perfectly.
2. In proposed model the communication mode between gateway and access points has not been explained well and lacks in information.
3. Flow mechanism of Sensor Node Registration Phase should be explained in terms of format of data load also.
4. Modeling of login and authentication phase has not been validated with standards.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 3 Report (New Reviewer)
Dear Authors
Your proposal is very good to increase the security schemes in IoT networks, even more when they are equipment that transmit sensitive information, as it is in the medical field. Considering this, in order to provide a secure WMSN service, an authentication protocol is required. In this study, you have identified the problems of various authentication protocols using two-factor, three-factor, and PUF, and analyze the security vulnerabilities of Yuanbing's protocol.
To manage security vulnerabilities in these protocols, in this paper, you present a proposal to improve the security schemes in IoT networks.
My suggestions:
It is a very analytical, formal research. The paper is very well elaborated.
1. The validation of your proposal was done using the AVISPA simulator, which is based on a modular and expressive formal language for specifying protocols. You must insert in your paper the screens of the final results of the simulations, in which you can see the formal and non-formal verifications of the states of the automates, as well as the interaction schemes with their respective steps.
2. Replay simulation attack and insert the results, with the objective of analyzing the behavior of your proposal, as well as indicating by means of an interaction scheme the respective steps of action and reaction of the protocol.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 3 Report (New Reviewer)
Dear Authors
It is much better.
This manuscript is a resubmission of an earlier submission. The following is a list of the peer review reports and author responses from that submission.
Round 1
Reviewer 1 Report
1) In the abstract, there is need to specify the kind of formal analysis used to evaluate the proposed protocol.
2) Briefly enumerate the attacks prevented by this protocol. Also, briefly describe comparative analysis results for the computation and communication costs.
3) The second paragraph under the 'Introduction' section is not referenced at all.
4) Some of the related works used in this paper are fairly old. There is need to replace them with relevant and recent works.
5) The authors should incorporate more detailed mathematical formulations for PUF and fuzzy extraction in Sections 3.3 and 3.4 respectively. Preferably, the relevant equations should be serialized for increased readability.
6) There are some grammatical errors that need to be checked and revised. For instance, in Section 7, the authors claim as follows:
"...At last, using AVIPA simulation tools, we show that PPTA-PUF is secure for replay and MITM attacks...." This sentence should be revised as follows:
"...At last, using AVIPA simulation tools, we show that PPTA-PUF is secure against replay and MITM attacks..."
7) In Section 7, it is a good practice to start by presenting the formal security analysis. This is then followed by informal security analysis.
8) In section 7.1, the authors should state each security feature/attack vector as lemma/theorem/hypothesis, followed by the proof. The following article may offer some guidance on this:
https://www.mdpi.com/2224-2708/11/3/55
9) In Section 7.3.3, the sub-title 'Idealized Forms' is not sufficient. I think what is represented in idealized Form are the exchanged messages. Therefore, the title and the discussion that follows should be revised accordingly.
10) The sub-title in Section 7.3.4 is also not sufficient. I believe these are the BAN Logic initial state assumptions. The sub-title and the preceding discussion should be revised accordingly.
11) In Section 7.3.5, these are BAN logic proofs that show the existence of strong mutual authentication and negotiation of the shared session key. Therefore, the sub-title and the discussions that follow should be revised to reflect this.
12) How does the AVISPA Simulation Analysis in Section 7.4 prove that this protocol is robust against man-in-the-middle and replay attacks? This needs to be described in a better form.
13) In Section 8.2, 'Computation Cost Comparison', the first sentence is poorly structured. You cannot start a sentence with citations. You may write as follows:
The cryptographic computation costs in [28] and [47] are used for comparative analysis of the computational costs of the proposed protocol. Thereafter, the obtained values are compared with the ones obtained in other related authentication protocols.
14) Under which test-bed/simulation environment are the cryptographic primitives computation costs in section 8.2 obtained?
15) In Section 8.3, the authors write as follows:
"..For comparing, we assume that hash value, entity ID, and symmetric encryption value are 160 bits, ECC value is 320 bits, random nonce is 128 bits, and timestamp value is 32 bits...." What informed this assumption? A good practice is either to cite some related work(s) that derived these values. Alternatively, you describe your own test-bed/simulation environment (inclusive of the simulation parameters) in which these values are obtained. The goal here is to facilitate replication and verification of the obtained results.
16) The authors need to point out that the messages included in Section 8.3 are exchanged during the Login and Authentication Phase.
17) The scheme in Ali et al. [23] seems to have better performance than the proposed protocol. In Section 8.4, the authors need to explain how their protocol is better than the scheme in Ali et al. [23].
18) In Section 8.4, the authors claim as follows:
"..PPTA-PUF has higher computation and communication costs than Ali et al.’s protocol, but it is a good difference..." What do the authors mean by 'it is a good difference?'
19) In Section 9, the title should be 'Conclusion' and not 'Conclude'
20) The authors need to include future research directions in the Conclusion section.
21) PUF-based schemes are known to have stability issues. How is this issue handled in this proposed protocol?
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 2 Report
1. WMSN model has not been justified well with reference to proposed model.
2. Sensor Node Registration Phase is not convincing.
3. Message receiving phase has not been explained well.
4. Login and authentication phase needs to be clearly explained.
5. Conclusion needs outcome in this section.
6. Referencing to be improved.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 3 Report
I appreciate the effort for this research. The one remark is AVISPA project was released in 2006 and it was abandoned. I am skeptical that the new authentication methods like 2FA and 3FA can be run in this simulation environment. This part was not clear to me and I ask for clarification.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Reviewer 4 Report
This paper investigates PPTA-PUF which is a secure mutual authentication protocol, to solve the security flaws of the existing protocols. Author shows that it outperforms existing methods and also comparing the existing methods in terms of computation and communication costs, and security.
Authors have recent papers which are not even cited and the algorithms and proposed methods are almost the same. Only reference 4 listed below is cited. I therefore do not recommend this paper. The references are listed below:
1) Kwon, DeokKyu, YoHan Park, and YoungHo Park. 2021. "Provably Secure Three-Factor-Based Mutual Authentication Scheme with PUF for Wireless Medical Sensor Networks" Sensors 21, no. 18: 6039. https://doi.org/10.3390/s21186039
2) Lee, JoonYoung, JiHyeon Oh, DeokKyu Kwon, MyeongHyun Kim, SungJin Yu, Nam-Su Jho, and Youngho Park. 2022. "PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices" Sensors 22, no. 18: 7075. https://doi.org/10.3390/s22187075
3) Son, Seunghwan, Yohan Park, and Youngho Park. 2021. "A Secure, Lightweight, and Anonymous User Authentication Protocol for IoT Environments" Sustainability 13, no. 16: 9241. https://doi.org/10.3390/su13169241
4) W. Yuanbing, L. Wanrong and L. Bin, "An Improved Authentication Protocol for Smart Healthcare System Using Wireless Medical Sensor Network," in IEEE Access, vol. 9, pp. 105101-105117, 2021, doi: 10.1109/ACCESS.2021.3099299.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 2
Reviewer 2 Report
1. Section 5 does not qualify to the test of quality
2. Off-line Guessing Attacks are not validated with the concrete justification
3. We indicate the goals for proving the mutual authentication of PPTA-PUF has not been validated for preposition
4. Results of Comparative Analysis section has nothing
Author Response
Please see the attachment.
Author Response File: Author Response.pdf
Round 3
Reviewer 2 Report
1. Methodology could be improved for better understanding.
2. Result analysis could also be revisited for better explanation and understanding.
3. Other questions have been answered to the satisfaction.
Author Response
Please see the attachment.
Author Response File: Author Response.pdf