Gas Sensor Physically Unclonable Function-Based Lightweight Bidirectional Authentication Protocol for Gas Sensor Networks

Abstract

In gas sensor networks, users can access the data collected by the sensor nodes, but there is a risk of data leakage during transmission. This paper proposes a lightweight bidirectional authentication protocol based on gas sensor physically unclonable functions (GS-PUFs) with authentication technology to guarantee the reliability of data from sensor nodes. A sensor PUF array is constructed by preparing gas sensors to enhance the data security of the physical layer and reduce hardware resource consumption. The authentication part of the protocol mainly uses lightweight encryption methods, consisting of PUF data, one-way cryptographic hash functions, and iso-or functions, to reduce the computational overhead of the authentication process. The protocol security is enhanced by encrypting the GS-PUF response as an irreversible hash value and verifying the hash value by the user, server, and sensor node to complete bidirectional authentication. The test results demonstrate that the protocol, verified through the ProVerif formal tool, can resist impersonation, replay, node tampering, and cloning attacks. Among the compared schemes, this protocol offers the highest security and the least resource overhead, making it effectively applicable in the Internet of Things and other fields.

1. Introduction

Sensor nodes play a critical role in sensor networks, as they collect and transmit environmental data in order to enable intelligent monitoring, control and decision-making functions for sensor platforms or other devices. They are a key component in building intelligent and automated IoT systems [1,2,3,4]. In recent years, with the rapid development of remote sensor nodes [5], the sensitive data involved with gas sensors have faced the risk of being tampered with or misappropriated by unauthorized users. Key management and authentication technologies can effectively reduce the risk of data corruption, ensuring the reliability and integrity of sensor networks. Physical Unclonable Functions (PUFs) [6,7,8,9,10,11], as novel hardware security primitives, have great potential and can be used to construct secure protocols for authentication and key exchange [12,13,14]. PUFs generate unique output responses from input challenges, verifying the challenge–response relationship to produce security parameters such as device identities and keys, ensuring the authenticity of devices and the security of communications. PUFs generate unique, non-replicable responses by leveraging the intrinsic physical properties of hardware or minor manufacturing variations, without needing additional random number generators or complex circuits, thus reducing resource consumption [7].

Authentication protocols based on sensor PUFs have been applied and researched in various fields, such as Radio Frequency Identification (RFID) systems, IoT devices, and wireless sensor networks (WSNs). Numerous PUF-based authentication protocols have been proposed. For example, reference [15] proposed a Cam-PUF based on commercial Complementary Metal Oxide Semiconductor (CMOS) image sensors for mobile device identification and anti-counterfeiting, but its fixed noise pattern may be affected by environmental changes, leading to instability. Reference [16] proposed a lightweight and privacy-preserving user authentication protocol for industrial wireless sensor networks, meeting the requirement for user access to node information, but its lightweight nature might reduce security. Reference [17] proposed a device fingerprinting technique based on the built-in microphones of smartphones for identifying and authenticating individual mobile devices. However, response consistency may be impacted by environmental noise and other factors affecting the physical properties of microphones. Reference [18] proposed a secure and lightweight mutual authentication and key agreement (MAAKA) protocol for wireless medical sensor networks (WMSNs), composed of hash and XOR operations over a fully public channel, which may not be suitable for point-to-point or multiparty communications. Reference [19] proposed an authentication key agreement protocol for electronic medical systems to address the efficiency issues of lightweight operations and employed PUFs to enhance security. However, medical sensing devices usually have limited computing resources, and the reliance on cloud server processing capabilities can lead to performance bottlenecks, making them vulnerable to attackers.

In summary, the research field of PUF-based secure authentication protocols encompasses various aspects such as security analysis, privacy protection, multi-PUF systems, and performance optimization [20]. The Gas Sensor Physical Unclonable Function (GS-PUF) possesses the capability to withstand physical attacks and reverse engineering, and it does not rely on additional hardware or power sources, making it particularly suitable for low-cost, low-power, and small-sized IoT devices [21]. To cite one example, a gas leakage detection system in a chemical plant may utilize GS-PUF technology to guarantee the uniqueness and tamper-proof nature of the sensor nodes, thereby enhancing the safety and reliability of the system. In IoT setups, users generally expect to receive up-to-the-minute data from designated gas sensor nodes, necessitating a dependable and secure communication protocol between users and the sensor nodes. To achieve this, an efficient lightweight bidirectional authentication protocol is designed to enhance the real-time data security of gas sensor nodes. This scheme only allows registered legitimate users to access the gas sensor nodes, without storing any sensitive information on the sensing devices, ensuring the security of both users and gas sensor nodes. The main contributions of this study on the GS-PUF-based secure authentication protocol are as follows:

• GS-PUF Preparation: A detailed introduction of the GS-PUF preparation method, along with the response extraction and analysis process, provides a foundation for subsequent research.
• Proposed Authentication Protocol: We provide the design of a lightweight bidirectional authentication protocol based on GS-PUF, aimed at enhancing the data security of sensor nodes and the efficiency of data transmission.
• Security Analysis: We conduct a security analysis and compare the designed protocol to verify its reliability and security, offering a dependable reference for practical applications.

2. Gas Sensor Physical Unclonable Function

This chapter presents the principles and methods of GS-PUF preparation and systematically analyses the responses generated by GS-PUF in the authentication domain. By exploring the characteristics of GS-PUF, its unique value and potential applications in the field of authentication are revealed.

2.1. GS-PUF Preparation

Nanomaterials exhibit composite forms of nanoparticles and nanofibers. Gas sensors are prepared using ZnO-SnO₂ nanomaterials through electrospinning and electrospray techniques [22]. Figure 1 illustrates the preparation of the GS-PUF. By regulating the concentration of the polymer solution, different morphologies of nanomaterials are obtained, which can influence the electrical characteristics of the gas sensor. Initially, stannous chloride dihydrate and zinc acetate are added to a mixed solution, followed by the addition of polyvinyl pyrrolidone and stirring before injection. The voltage is adjusted to form a nanofilm on aluminum foil, which is then heated to 500 °C and allowed to cool naturally. Subsequently, the nanomaterials are blended with purified water to create a paste, which is applied to the surface of an alumina ceramic tube equipped with Au electrodes. A nickel–chromium heating wire is then inserted into the tube, aged at 200 °C for 20 h, and subsequently welded and secured to a base.

In our experiments, we used an Agilent 34970A data acquisition instrument, sourced from Agilent Technologies, Santa Clara, California, USA, to observe and analyze the changes in sensor resistance data. The gas sensor is configured into a reconfigurable sensor array, utilizing multiple sensors within the array to generate PUF responses, as depicted in Figure 2. To enhance the reliability of the gas sensor results, a median averaging filter method is employed for noise reduction. To more accurately assess the reliability of the ZnO-SnO₂ gas sensor PUF, the GS-PUF response was recorded for 20 days using the initial day’s response as a reference. As illustrated in Figure 2, the PUF reliability was diminished due to the impact of sensor aging, yet it remained above 98%, effectively reducing the likelihood of the response flip phenomenon occurring when the gas sensors were compared.

2.2. GS-PUF Response Analysis

This section uses ethanol and methanol gases as examples. In practice, the actual engineering should encompass the evaluation of a diverse range of gases. In practical scenarios, a variety of gases will invariably be present, and the computer is able to correct and deconvolute the sensor’s response data through the application of machine learning and data processing algorithms. By training the model to identify and separate the characteristic responses of different gases, the impact of cross-response can be effectively reduced, thereby enhancing the accuracy of gas detection. The sensor response can be obtained through normal operation of the device without the need for additional specialized measuring equipment. The experimental setup is shown in Figure 3a. First, air is introduced into a sealed chamber, and the operating voltage of the sensor array is adjusted to 4.6 V. At this stage, the resistance values of the sensors can be observed to gradually increase. Following this step, formaldehyde gas at a concentration of 200 ppm is introduced into the chamber, resulting in a rapid decrease in sensor resistance values until reaching a steady state. Following this, air is reintroduced to restore the gas sensors to their original state. Finally, ethanol gas at a concentration of 200 ppm is introduced until achieving a stable state. The reactions of the gas sensors to formaldehyde and ethanol are illustrated in Figure 3b; Δ is the difference between the resistance response of the two gases. The analogous trend in the response of gas sensors to formaldehyde and ethanol may result in a considerable challenge for gas sensor nodes that rely on resistive response to detect target gases.

To illustrate potential disruptions in the operational environment more effectively, a deviation of 0.1 V is applied to the operational voltage of the gas sensors. Three sets of experiments are carried out for each gas, aligning with three distinct operational voltages: 4.5 V, 4.6 V, and 4.7 V. PUF responses are generated at these three different operating voltages, and the Hamming distances between different PUF responses are tested. The Hamming distances of the GS-PUF are normalized during the calculation process where HD (i, j) is equal to HD (j, i). The test results are shown in Figure 3c. The GS-PUF data at different voltages are symmetrical [23].

At the same operating voltage, the minimum Hamming distance (HD) between GS-PUFs in different gas environments is 57.1%. Conversely, the maximum HD between GS-PUFs in the same gas environment is 3.9% at different operating voltages, which is significantly less than 57.1%. The distinctive equilibrium affinities of formaldehyde and ethanol result in varying effects on the PUF response, enabling precise differentiation between these gases. The uniqueness of the GS-PUF can be utilized to identify whether the gas environment has been altered. After obtaining response data from the gas sensor, it is compared with the reference PUFs for different gases pre-stored in the server database. The threshold THD is set to the maximum HD of 3.9% between gas sensor PUFs in the same gas environment. If the HD difference between the generated PUF and the reference PUF is below a defined threshold, the database is able to identify this gas. Conventional methods only trigger an alarm based on a sensor resistance threshold without having the ability to identify a particular type of gas.

3. GS-PUF-Based Authentication Protocol

Before gas authentication, it is necessary to authenticate sensor nodes in order to safeguard the confidentiality of data in the sensor from unauthorized access. This section will focus on the key design elements of the protocol, as well as its encryption and decryption methods in the authentication process. Starting with the overall architecture of the protocol, the specific processes and mechanisms of the registration phase and the authentication phase will be discussed. Each phase’s functions and characteristics will be analyzed, and the full process of the GS-PUF lightweight bidirectional authentication protocol will be introduced.

3.1. Overall Architecture of the Protocol

The proposed bidirectional authentication protocol is based on lightweight security primitives. In resource-constrained sensor nodes, using XOR operations and hash functions instead of traditional encryption algorithms can effectively reduce resource overhead [24]. The proposed bidirectional authentication protocol includes the following stages: user registration stage, gas sensor node registration stage, and authentication stage. It is crucial to keep session keys confidential before identity authentication as a compromise of these keys would jeopardize the entire system’s security [25,26].

Table 1. Notations.

Notation	Definition
IDu	Identity of U
Regreq	Register request
IDs	Identity of S
TIDu	Temporary identity of U
IDs	Unique identity of S
PID	Pseudo-identity of U
CRP(C, R)	Challenge–response pair
h(.)	One-way cryptographic hash function
⊕	Bitwise XOR operator
||	Concatenation operator

lists the important symbols used in this paper.

3.2. User Registration Phase

Assuming that the user wishes to access real-time data from the gas sensor node, they need to register with the server, and the user registration process is shown in Figure 4.

Step 1: The user sends an identification ID_u and Reg_req to the server, where Reg_req is a registration request.

Step 2: Upon receipt of the registration message from the user, the server generates a random incentive C_u for authentication and a set of incentives C_setup = {c₁, c₂, …, c_n} for synchronization of the information, packaging the information and sending it to the user.

Step 3: After receipt of {C_u, C_setup}, the user generates the response R_u and R_setup using their own PUF and transmits the corresponding response message to the server.

Step 4: The server generates a unique user temporary identity TID_u and a set of pseudo-identities PID, stores all the information pertaining to the user, and transmits {TID_u, PID} to the user.

Step 5: The user saves the received {TID_u, PID}.

3.3. Sensor Node Registration Phase

It is also necessary to register the sensor nodes on the server in order to guarantee that users are able to access only sensor nodes that have been duly authorized. The registration process for a sensor node is illustrated in Figure 5.

Step 1: The server first generates the incentives C_s for authentication with the sensor node and also generates a new set of incentives C_setup = {c₁, c₂, …, c_n} to synchronize with the sensor node and transmits the information {C_s, C_setup} to the sensor node.

Step 2: After receiving the registration information, the sensor node generates a PUF response R_s = PUF(C_s), R_setup = PUF(C_setup) and packages {R_s, R_setup} for transmission to the server.

Step 3: The server assigns a unique identity ID_s to the sensor node and stores the registration data {ID_s, C_s, C_setup, R_s, R_setup} in the database.

3.4. Authentication Phase

Assuming that the user wishes to access the real-time data from the gas sensors at work, bidirectional authentication with the server and the sensor node is required. The authentication process is illustrated in Figure 6.

Step 1: The user generates a random number N_u and transmits this number and its unique identification TID_u to the server.

Step 2: Upon receipt of the authentication information, the server first verifies the TID_u in the database. Then, the server selects the incentive response pair for authentication, generates the random number N_g, and employs the XOR function and hash function to generate the encrypted data N*_g and the hash value V₀. Finally, the server transmits the authentication data {N*_g, C_u, V₀} to the user.

Step 3: After receiving the message D₂, the user generates the PUF response R_u corresponding to C_u and verifies the hash value V₀. If the verification is successful, N_g is restored, C_u^new = h(C_u||R_u) is computed, and the PUF response R_u^new is generated. Then, the user enters the identity ID_u as well as the sensor node identity ID_s of the sensor nodes that need to be accessed, and computes the encrypted data R*_u, ID*_s and the hash value V₁ for the server to authenticate the user. Finally, the user sends {R*_u, ID*_s, V₁} to the server.

Step 4: Following receipt of the message D₃, the server verifies V₁. Upon successful verification, the server decrypts the sensor node identity ID_s and selects the excitation response pairs for verification of the sensor node. Subsequently, the server encrypts the generated random numbers and keys to obtain N*₁ and SK*_s, and then uses the encrypted information to calculate the hash value V₂. Finally, the message D₄ is transmitted to the sensor node for verification.

Step 5: Upon receipt of the message D₄, the sensor node generates the PUF response Rs, corresponding to C_s, and verifies the hash value V₂. If the verification is successful, the node decrypts N₁ and SK*_s, computes C_s^new = h(C_s||R_s) and the corresponding response R_s^new, and uses R_s^new to compute R*_s and the hash value V₃. Finally, the sensor node sends the {R*_s, V₃} to the server.

Step 6: The server verifies the hash value V₃ after receiving D₅; if the verification is successful, it selects the new challenge–response pair used to authenticate the sensor node and the user. Then, it updates the temporary identity of the user and encrypts SK and TID_u^new and calculates the hash value V₄. Finally, the server stores the data {TID_u^new, C_u^new, R_u^new, C_s^new, R_s^new} to be used for the next authentication and sends the encrypted data together to the user to update the identity.

Step 7: The subscriber verifies the hash value V₄ after receiving the message D₆; if the verification is successful, the session key SK for transmitting the gas data is decrypted and the identity is updated in TID_u^new.

In the event of an unsuccessful authentication step, the authentication process will be terminated, resulting in the user being unable to access the sensor node information. Subsequently, the user is permitted to reapply for authentication using the pseudo-identity pid_i ∈ PID. Upon successful authentication, the system will delete the previously used pid_i, thus ensuring the anonymity and security of the identity information.

4. Analysis of Protocol Security

4.1. Analysis of Formal Security

ProVerif is an automated tool for formally verifying the security of cryptographic protocols [27]. It does not require users to perform tedious manual calculations, and it supports multiple attack models, including passive and active attacks, which can simulate the behavior of attackers in different scenarios and provide us with comprehensive analysis of protocol security. To test the security of a protocol designed for testing, ProVerif. 2.05 is used to verify the protocol flow, as shown in Figure 7, which is the preset part of ProVerif.

In the provided ProVerif script, “value” denotes a private bit string or constant, “function” denotes an encrypted function or operation included, “event” denotes an event used to define a security attribute, and “query” denotes the security query being verified. The preset parts c and sc represent the public channel and secure channel, respectively. PUF(), XOR(), h1(), h2(), h3(), and h4() represent the actual PUF generation function, XOR operation, and different bit-length hash operations in the protocol, respectively. The 13 events defined are to verify whether bidirectional authentication is implemented between users, servers, and sensors. Attackers can eavesdrop on messages in the public channel to try to analyze important information such as the session’s security key and identity (ID). The security of the designed protocol flow is evaluated by asking for ID, SK, and the order of event occurrence. The security verification results of ProVerif on the terminal are shown in Figure 8.

4.2. Informal Safety Analysis

• Mutual authentication: In the above authentication process, the user verifies the hash value V₀ to determine the legitimacy of the server and the server checks the hash value V₁ to verify the user. The hash value is obtained from R_u, which is a confidential dataset. Consequently, it is not possible for an attacker to mimic a legitimate user or forge an identity to obtain the hash value used for authentication. The authentication process between the sensor and the server is similar, where the sensor authenticates V₂ and the server matches V₃ to authenticate the sensor. The proposed protocol implements two-way authentication to ensure the legitimacy of the identities of the two communicating parties.
• Anonymous identity: In the protocol, the server is the sole repository of the users’ authentic identity. The user’s temporary identity is generated randomly and is not the same every time the user applies for authentication. Consequently, it is not possible for an attacker to restore the user’s real identity from the eavesdropped messages. When synchronization is lost or a DoS attack occurs, the user can use the pseudo-identity pid_i ∈ PID stored during the registration phase, and then the server and user need to delete it to further enhance the user’s anonymity and the untraceability of the scheme. The user encrypts the sensor’s identity ID_s; ID*_s = h(ID_u||N_g) ⊕ ID_s. The hash function is irreversible, and an attacker cannot distinguish the encrypted result from a random string. Therefore, the proposed protocol achieves identity anonymity for users and sensors.
• Forward secrecy: After a session, the attacker may attempt to guess the session key SK using captured information, but it will not affect the security of subsequent sessions, because in the next session, the server will generate (C_u, R_u) and (C_s, R_s) and update the database, and the information obtained by the attacker in the previous session is not time-sensitive, so it cannot crack the session key SK. Therefore, the session has forward secrecy.
• Resistance to common attacks: The protocol involves the establishment of two-way authentication between sensors, users, and servers, which means that data transmission can only be performed after mutual verification to prevent malicious attackers from posing as legitimate identities to attack. The (C_u, R_u), (C_s, R_s), TID_u, SK in the protocol are all one-time, which can prevent attackers from repeatedly using data and spoofing legitimate identities. In addition, the SK*_u = h(ID_u||R_u||N_g) ⊕ SK involved in the protocol process is relatively confidential, and the GS-PUF can generate an exponential number of responses. Attackers cannot obtain SK*_u by brute-force attack using exhaustive search.
• Physical attack resistance: If the attacker physically tampers with the sensor node or the user device, the GS-PUF will be unable to provide the correct response of R_u and R_s during the authentication phase of the protocol. The server is therefore able to ascertain whether it has been subjected to an attack based on the presence of erroneous data. In addition, PUF is not cloneable and cannot create an identical PUF structure. Therefore, this scheme has the effect of resisting physical attacks.

4.3. Comparative Analysis

As shown in

Table 2. Comparison of security and computational overhead.

	Security Features											Computation Overheads (ms)
	C1	C2	C3	C4	C5	C6	C7	C8	C9	C10	C11	Sensor Node	User	Server	Total Computation Time	PRTCT
[18]	√	√	√	×	√	√	×	√	√	√	√	7TH + 5TXOR ≈0.03927	10TH + 7TXOR ≈0.05609	9TH + 4TXOR ≈0.05032	26TH + 16TXOR ≈0.14568	19.08%
[19]	√	√	√	√	√	×	√	√	×	√	√	7TH + 3TXOR ≈0.03913	7TH + 3TXOR ≈0.03913	10TH + 6TXOR ≈0.05602	24TH + 12TXOR ≈0.13428	12.21%
[25]	√	√	×	√	√	√	×	×	×	√	√	7TH + 14TXOR ≈0.03990	12TH + 11TXOR ≈0.06749	22TH + 21TXOR ≈0.12379	41TH + 46TXOR ≈0.23118	49.01%
Ours	√	√	√	√	√	√	√	√	√	√	√	4TH + 3TXOR ≈0.02245	6TH + 5TXOR ≈0.03371	11TH + 8TXOR ≈0.06172	21TH + 16TXOR ≈0.11788	-

Remark: C₁: Anonymity of sensor nodes; C₂: user anonymity; C₃: forward secrecy; C₄: key update; C₅: anti replay attack; C₆: anti violent attacks; C₇: against desynchronization attacks; C₈: preventing man-in-the-middle attacks; C₉: anti-DoS attacks; C₁₀: resistance to physical and clone attacks; C₁₁: mutual authentication.

, several existing sensor protocol schemes are compared in terms of their security features and computational overhead during the protocol authentication phase. From the table, it can be observed that the protocol in [18] does not update the private key generated during the registration phase and cannot resist desynchronization attacks. The protocol in [19] involves computations that are not fully secure, making it susceptible to brute-force attacks and incapable of preventing DoS attacks. The protocol in [25] requires users to apply for and successfully authenticate the key for updates, lacking forward secrecy and being unable to resist desynchronization attacks, man-in-the-middle attacks, and DoS attacks. To ensure the fairness, accuracy, and reliability of the results produced by the methods in [18,19,25], computational costs consisting of irreversible hash functions and bitwise XOR operations were used. TH represents the time for the hash function, and TXOR represents the time for the XOR operation. The computational cost of bitwise XOR is much lower than that of the hash operation. The authentication experiments were conducted on a laptop with an Intel Core i9-12900H processor, 2.50 GHz frequency, and 16 GB of memory. The sensor node experiments were conducted on a desktop computer with an Intel Core i5-9500 processor, 3.00 GHz frequency, and 8 GB of memory. As evidenced in Table 2, the proposed protocol exhibits a markedly reduced computational overheads relative to existing approaches. The highest Percentage Reduction in Total Computational Time (PRTCT) is 49.01%, contributing to a notable reduction in the computational burden.

5. Conclusions

This paper analyzes the PUF response of GS-PUF in different gas environments and utilizes the excitation response relationship to determine the authentication scheme. The output of GS-PUF is based on physical properties that are challenging to replicate, thereby rendering it difficult for attackers to counterfeit or tamper with the device. Furthermore, the GS-PUF is highly reliable, responding correctly to the gas environment and guaranteeing the correctness of the data. We propose an anonymous bidirectional authentication protocol based on GS-PUF to protect the security of data during transmission. The protocol encrypts the data using physically unclonable functions, irreversible hash functions, and XOR functions for data encryption, aiming to reduce computational overhead through lightweight encryption. In the security analysis and overhead comparison, the proposed authentication scheme not only ensures multiple critical security properties but also reduces computational costs, thereby enhancing the security of sensor data. With this scheme, gas sensors can operate under server monitoring, ensuring that users receive authentic and reliable gas sensor data while maintaining the security of legitimate users.