Article

An Anonymous Device to Device Authentication Protocol Using ECC and Self Certified Public Keys Usable in Internet of Things Based

Autonomous Devices

Bander A. Alzahrani^1,* , Shehzad Ashraf Chaudhry², Ahmed Barnawi¹ , Abdullah Al-Barakati¹ and Taeshik Shon^3,*

1 Faculty of Computing and Information Technology, King Abdulaziz University, Jeddah 21589, Saudi Arabia;

ambarnawi@kau.edu.sa (A.B.); aaalbarakati@kau.edu.sa (A.A.-B.)

2 Department of Computer Engineering, Faculty of Engineering and Architecture, Istanbul Gelisim University, Istanbul, Avcılar, 34310 Istanbul, Turkey; sashraf@gelisim.edu.tr or ashraf.shehzad.ch@gmail.com

3 Department of Cyber Security, Ajou University San 5, Woncheon-Dong, Yeongtong-Gu, Suwon 443-749, Korea

* Correspondence: baalzahrani@kau.edu.sa (B.A.A.); tsshon@ajou.ac.kr (T.S.)

Received: 13 February 2020; Accepted: 17 March 2020; Published: 21 March 2020

Abstract: Two party authentication schemes can be good candidates for deployment in Internet of Things (IoT)-based systems, especially in systems involving fast moving vehicles. Internet of Vehicles (IoV) requires fast and secure device-to-device communication without interference of any third party during communication, and this task can be carried out after registration of vehicles with a trusted certificate issuing party. Recently, several authentication protocols were proposed to enable key agreement in two party settings. In this study, we analyze two recent protocols and show that both protocols are insecure against key compromise impersonation attack (KCIA) as well as both lack of user anonymity. Therefore, this paper proposes an improved protocol that does not only resist KCIA and related attacks, but also offers comparable computation and communication. The security of proposed protocol is tested under formal model as well as using well known Burrows–Abadi–Needham (BAN) logic along with a discussion on security features.

While resisting the KCIA and related attacks, proposed protocol also provides comparable trade-of between security features and efficiency and completes a round of key agreement in just 13.42 ms, which makes it a promising candidate to be deployed in IoT environments.

Keywords: Internet of Things; V2V Security; Internet of Vehicles; key compromise impersonation attack; 2PAKA

1. Introduction

A Two-Party Authentication Key Agreement Protocol (2PAKA) shares a secret key after authentication for secure communication between two parties. The certificate based 2PAKA can be deployed in Internet of Things (IoT)-based vehicular environments to offer autonomous device to device communication because in such dynamic and fast moving devices network, the interference of some gateway or trusted authority may lead to delay, and such delays may lead to infeasibility of the whole network [1]. In 2PAKA systems, the vehicle, after registering with the trusted certificate generation authority, gets a private and public key pair based credentials of both trusted authority and the requesting vehicle. However, the security and privacy of such schemes remain on stake due to open architecture beneath the communication. Such architecture is shown in Figure1, involving the smart

Electronics2020,9, 520 ; doi:10.3390/electronics9030520 www.mdpi.com/journal/electronics

devices networks and the certificate authority which can also termed as server. Every device in a smart network gets its key pair from certificate authority and then can communicate autonomously without involvement of the authority. In this article the term device and vehicle are used interchangeably as well as server and certificate authority means same.

Diffie & Hellman key exchange protocol [2] was the first approach in this direction. After then, several key exchange protocols [3–6] based on traditional public key infrastructure (PKI) were proposed to avoid man-in-middle (MIM) attack. The use of modular exponentiation in PKI led towards PKI’s inapplicability in resource constrained environments like smart phones, smadrcards etc. Therefore, research efforts then have focused on lightweight Elliptic Curve Cryptography (ECC) and some 2PAKA protocols based on ECC [7–9] were proposed. The ECC-based 2PAKA protocols require less computation and storage with same level of security, due to the use of 160 bits key in ECC instead of 1024 bits key in Rivest, Shamir, and Adleman (RSA) algorithm . The ECC-based 2PAKA protocols require a trusted third party, called certificate authority(CA), to manage and generate certificates.

It also validates and generates public keys of users.

Registration Procedure Authentication Procedure

Smart Home

Smart City

Smart Vehicles

Certificate Authority

Figure 1.Device to Device Authentication Scenario.

In 1989, Gunther et al. [10] proposed a key exchange protocol based on user’s identity. The protocol in [10] requires the intervention of certificate authority for establishing a secure channel between two users. In 2000 Saeedina [11] proposed the improvement over Gunther et al.’s identity-based key exchange protocol. The modified scheme overcomes the number of passes to half, and so minimize the communication between the parties. In 2002, Hsieh et al. [12] proposed a slight modification of Saeednia’s identity-based key exchange protocol to reduce computation cost. However, Tseng et al. [9] demonstrated that the scheme proposed by Hiesh et al. cannot withstand key compromise impersonation attack (KCIA). Holbl and Welzer [13] proposed two new two-party identity-based authenticated key agreement protocols.The first is based on the protocol of Hsieh et al.

to make it immune against KCIA, while the second is an efficient enhancement of Tseng’s protocol.

Zhang et al. [14] proved that the protocols proposed in [13] cannot resist impersonation attack as well as KCIA. Smart [15] proposed another identity based key agreement protocol using weil pairing. Chen and Kudla [16] and Shim [17] independently purposed authenticated key agreement (AKA) protocols.

Sun and Hsieh [18] proved that both the protocols [16,17] are vulnerable to KCIA and man-in-middle (MIM) attacks. Ryu et al. [19] also proposed another protocol and demonstrated that their protocol minimizes the cost of computation and communication and is more efficient than Chen and Kudla’s

protocol with same security properties. Boyd and Choo [20] showed that the Ryu et al.’s protocol could not achieve the KCIA resilience properties. McCullagh and Barreto [21] claimed that their protocol can be used in either escrow or escrow-less mode. They also described conditions under which users of different key generation centers can agree on a shared secret key. In 2005 Zu-hua et al. [22]

proposed bilinear pairing based self-certified protocol using computational Diffie-Hellman assumption.

Ni et al. [23] also presented two secure variants of their proposal.

In 2008 Cao et al. [24] put forwarded a new identity-based authentication key agreement protocol and claimed it to achieve forward secrecy. Tsaur [25] also proposed an ECC-based self-certified public key cryptosystem based AKA and their protocol achieved session and public keys in a single step. In 2009 Hölbl and Welzer [26] proposed two new identity-based 2PAKA protocols but their scheme were proved to be vulnerable to key compromise impersonation attacks. Their protocol do not offer provable security. Some other IBC-based 2PAKA protocols using ECC were also proposed [9,11–13,16–21,27–30], these protocols suffer from private key escrow problem because the private key is known as Private Key Generation (PKG) party. If the PKG is malicious with man-in-middle (MIM) attack then the whole protocol is suffered [31].

Motivations and Contribution

In 2015, Islam & Biswas (Islam-Biswas) [31] proposed a self certified ECC based key agreement protocol and claimed that their protocol provides security against all kinds of attacks. Mandal et al. [32]

found that their protocol lacks anonymity and is defenseless against replay and clogging attacks [33].

However, in this paper we show that both the protocols of Islam-Biswas and Mandal et al. are insecure against key compromise impersonation attack (KCIA). Moreover, both protocols lack user anonymity. This paper then introduces a new scheme to overcome the insecurities of Islam-Biswas and Mandal et al.’s protocols. The proposed protocol achieves following merits:

1. Proposed protocol resists KCIA and related attacks under the hardness assumption of Elliptic Curve Discrete Logarithm Problem (ECDLP).

2. Proposed protocol achieves low computation and communication cost as compared with related secure schemes.

2. Fundamentals

This section describes some fundamental concepts relating to Hash Functions, Elliptic Curve Cryptography along with some hard problems. The adversarial model is also defined in this section.

Moreover, notation guide is provided in Table1.

Table 1.Notation Guide.

Notation Definition U_x,S Userx, Server D_a,D_b Deviceaand Deviceb ID_x,F_p Identity ofU_x, Prime Field

E/Fp,G Elliptic Curve overFp, Base Point overE/Fp

K_Pri,K_Pub Private and public key pair ofS E_ki,D_ki Encryption, Decryption usingkias key

||,⊕ Concatenation and Exclusive-Or operations h(.),H(.),H_i(.) Hash Functions

=? Equality Checking operator

2.1. Hash Function

The arbitrary size inputSato a hash functionH:{0, 1}^∗→Z^∗_q with collision resistant property yields a fixed length valueFh=H(Sa) with following additional pre-requisit properties:

• A slight fluctuation inSa(the input), there is a massive change in outputF_h=H(Sa).

• ComputingF_h, givenSais easy; whereas, computingSa, givenF_his a hard problem

• Finding a pair{Sa,Sb}such thatH(Sa) =H(Sb) is a hard problem and this property is termed as collision resistance property (CRP).

Definition 1. [CRP for Secure Hash] Given H(.), an attackerAcan compute an input pair{Sa,S_b}such that H(Sa) = H(S_b)with probability Advg_A^{H ASH}(t) =P[(Sa,S_b) ⇐r A : (Sa 6= S_b)and H(Sa) = H(S_b)]. Ais considered to select the pair at random. The computed advantage is based on polynomial-time t bound arbitrary choices. As per CRP Advg_A^{H ASH}(t)≤efore>0.

2.2. Elliptic Curve Cryptography

Considerp(a very large prime, (160bits≤ |p|), an Elliptic CurveEC:j²=i³+αi+β mod pis a set with finite pointsEp(α,β). The pair{α,β}is pragmatically selected to satisfy the relationship (4α³+ 27β²) mod p6= 0. The pointWmultiplication with some chosen scalaracan be computed as a.W={W+W+ ... +W}atimes addition repeatedly. All system parameters are chosen from finite fieldFp; whereas,ECforms an abelian group with pointOconsidered to be at infinity and described as additive identity.

Definition 2. [ Discrete logarithm problem for EC (ECDLP)]Consider{V,W}are two points overEp(α,β) such thatV=aW, knowing the duo{(V=aW,W)}, the probability of computingacan be solicited as: Advg^ECDLP_A (t) =P[(A(V= aW,W) =a:a∈Zp], the experiment is allowed to be conducted by a polynomial-timetbound attackerA. As perECDLP,Advg^ECDLP_A (t)≤e.

Definition 3. [ Diffie Hellman problem for EC (ECDHP)]Consider{V,W,G}are three points overEp(α,β) such thatV=aG,W=bGand knowing the trio{(V=aG,W=bG),G}, the probability of computing X = abG can be solicited as: Advg_A^ECDHP(t) = P[(A(V = aG,W = bG,G) = {a,b} : (a,b) ∈ Zp], the experiment is allowed to be conducted by a polynomial-timetbound attackerA. As perECDHP, Advg^ECDHP_A (t)≤e.

2.3. Attacker Model

The authenticated key agreement is achieved over an insecure networks, assuming a strong attacker having many capabilities [34,35]. Some common assumptions related with attackers’

capabilities are made as follows:

• The adversaryAis having access to public keys of both parties.

• Aknows public identities of all users of the system.

• Acan control the insecure communication channel, preciselyAcan eavesdrop, inject, delete or replay any message, whileAcan not have any access to secure channel.

3. Review of Islam-Biswas Protocol

In this section, we review Islam-Biswas 2PAKA protocol [31] consisting of three phases: system setup, registration and authenticated key agreement phase, the detail of each phase is as follows:

3.1. System setup Phase

In system setup phase, the server (S) initializes the system parameterΩ. InitiallyS chooses a security parameter k ∈ Z⁺ along with an elliptic curve E/Fp, thenS selects a base point Gover E/Fp. Further S selects K_Pri as his private key and computes K_Pub = K_PriG and chooses three one-way hash functionsH0,H1,H2 : {0, 1}^∗ → {0, 1}^k. Finally S publishes all public parameters Ω={E/Fp,H0,H1,H2,G,K_Pub}and keepsK_Prisecret.

3.2. Registration Phase

This phase is executed when a userU_awants to register with server.U_aselects his identityIDa

and a random numberxa ∈_R Z^∗_p, thenUacomputesXa = H₀(IDakxa)Gand sendsIDa,XatoS via some secure channel, which selectsta ∈_R Z^∗_pupon receiving a message fromU_a. S then computes Pa =H0(IDakta)K_Pub+Xa,ra= [H0(IDakta) +H0(IDakPa)]K_PriandQa=Pa+H0(IDakPa)K_Pub.Ssends (IDa,Pa,ra) toUvia some secure channel and publishesQa. Upon receiving,U_acomputes his private keyda = [ra+H0(IDakxa)], the public key ofUaisdaG=Qa.

3.3. Authenticated Key Agreement Phase

This phase takes place when two users sayU_iandU_jwant to exchange information andU_iinitiates the process. The following steps as shown in Figure2are performed amongU_iandU_j.

IKA 1: U_i → U_j:m_j{ID_i,T_i,R_i}

U_iselectsx∈_RZ^∗_pand computesT_i=xQ_i&R_i=H₁(T_ikd_iQ_j),U_ithen sendsID_i,T_i,R_itoU_j. IKA 2: U_j → U_i: mi={IDj,Tj,Rj}

U_jselectsy∈_RZ^∗_pand computesTj=yQj&Rj=H1(TjkdjQi),U_jthen sendsIDj,Tj,RjtoU_i. IKA 3: Now the authenticated key is computed as follows:

1. U_i computesR^∗_j = H₁(T_jkd_iQ_j) and verifies R^∗_j =^? R_j, if not true,U_i aborts the session, otherwise the key is computed as:Ki= (xdi)Tj=xydidjG.

2. SimilarlyU_j computesR^∗_i = H₁(T_ikd_jQ_i) and verifies R^∗_i =^? R_i, if not true,U_j aborts the session, otherwise the key is computed as:Kj= (ydj)Ti =xydidjG.

UserU_i UserU_j

Selectx∈_RZ^∗_p ComputeT_i=xQ_i

ComputeR_i=H1(T_ikd_iQ_j)

mx={IDi,Ti,Ri}

−−−−−−−−−−−−−−−−−−−−→

Selecty∈_RZ^∗_p ComputeT_j=yQ_j

ComputeR_j=H₁(T_jkd_jQ_i)

my={ID_j,Tj,Rj}

←−−−−−−−−−−−−−−−−−−−−−−−−−−−

ComputeR^∗_j =H₁(T_jkd_iQ_j) ComputeR^∗_i =H₁(T_ikd_jQ_i) CheckR^∗_j =^?R_j CheckR^∗_i =^?R_i

K=K_i= (xd_i)T_j=xyd_id_jG K=K_j= (yd_j)T_i=xyd_id_jG Session key

SK=H2(ID_ikID_jkT_ikT_jkR_ikR_jkK) SK=H2(ID_ikID_jkT_ikT_jkR_ikR_jkK) Figure 2.Islam-Biswas Key Agreement Protocol.

4. Review of Mandal et al.’s Protocol

In this section, we review Mandal et al.’s 2PAKA protocol [32] consisting of three phases: system setup, registration and authenticated key agreement phase. The system setup phase is as it is taken from Islam-Biswas protocol, except Mandal et al. just selected one hash functionH(.) instead of three in Islam-Biswas protocol. The detail of other two phases is as follows:

4.1. Registration Phase

This phase is executed when a userU_a wants to register with server. U_a selects his identity IDa and a random number xa ∈_R Z^∗_p, thenUa computesXa = H(IDakxa)G and sends{IDa,Xa}

toS via some secure channel, which selectska ∈_R Z^∗_p upon receiving a message fromU_a. S then computesVa = H(IDakka)K_Pri,T IDa = Xa⊕Va,Wa = Xa⊕kaGandXsa = H(T IDakWa)K_Pri⊕ka. S sends{IDa,T IDa,Wa,Xsa}toUavia some secure. Upon receiving, Uacomputes his private key da=Xsa⊕H(IDakxa), and public keyQa=daG.U_achecks the validity/correctness of public private key pair as da.G = [H(T ID^? a||Wa)KPub⊕Wa]. On successful verification, Ua keepsda secret and publishesQa.

4.2. Authenticated Key Agreement Phase

This phase takes place when two users sayU_iandU_jwant to exchange information andU_iinitiates the process. The following steps as shown in Figure3are performed amongU_iandU_j.

MKA 1: U_i → U_j:m_i ={N_i,t_i,C_i}

U_iselectsNi∈_RZ^∗_p, generatetiand computesW1=T IDi⊕Wi,Zi =H(xi),Keyi =H(diQj||Ni||ti), M1 = H(W1||Key_i||N_i||Z1) and Z1 = Z_i ⊕M1. U_i then compute encryption as : C_i = E_Keyi(T ID_i||M₁||Z₁||W_i||N_i||t_i) and sendsm_i={N_i,t_i,C_i}toU_j.

MKA 2: U_j → U_i: m_j={N_j,t_j,Z2,C_j}

On receiving a message,U_jchecks the time-stamp freshness and aborts the session iftc−t_i ≤

∆T, does not hold. Otherwise, U_j computes Key⁰_i = H(djQi||Ni||ti) and decrypts Ci using key Key⁰_i to obtain (T IDi||M1||Z1||Wi||Ni||ti). U_j further computesW₁⁰ = T IDi⊕Wi, M⁰₁ = H(W1||Keyi||Ni||Z1) and aborts the session ifM⁰₁=^? M1, does not hold. Otherwise,U_jcomputes Z_i⁰=Z1⊕M₁⁰ and selectsNj∈_RZ^∗_pand current time-stamptjand further computesZj=H(xj), Z2 = Z_j⊕M⁰₁,Key_j = H(Z⁰_iZ_j||N_j||t_j),W2 = T ID_j⊕W_j, M2 = H(W2||Key_j||N_j||Z2). U_j then computes session keySKxy = H(T ID_i||T ID_j||Z_i⁰Z_jd_jQ_i||key⁰_i||key_j||M⁰₁||M₂||N_i||N_j) andC_j = EKey_j(T IDj||M2||Wj||Nj||tj) and sends backmj ={Nj,tj,Z2,Cj}toU_j.

MKA 3: On receiving a message, U_i checks the time-stamp freshness and aborts the session if tc−tj ≤ ∆T, does not hold. Otherwise,U_i computesZ⁰_j = Z2⊕M1,Key⁰_j = H(ZiZ⁰_j||Nj||tj) and decrypts C_j using Key⁰_j to obtain (T ID_j||M2||W_j||N_j||t_j). Further U_i computes W₂⁰ = T IDj⊕Wj, M⁰₂ = H(W₂⁰||Key⁰_j||Nj||Z2) and aborts the session if M₂⁰ =^? M2, does not hold. Otherwise, U_i considers U_j is authenticated and computes session key SKxy = H(T ID_i||T ID_j||Z_iZ_j⁰d_iQ_j||key_i||key⁰_j||M₁||M₂⁰||N_i||N_j).

UserU_i UserU_j SelectN_i∈_RZ^∗_p, Generatet_i

ComputeW₁=T ID_i⊕W_i Z_i=H(x_i)

Key_i=H(d_iQ_j||N_i||t_i) M₁=H(W₁||Key_i||N_i||Z₁) Z₁=Z_i⊕M₁

C_i=E_Keyi(T ID_i||M₁||Z₁||W_i||N_i||t_i)

mi={Ni,ti,Ci}

−−−−−−−−−−−−−−−−−−−→

Checktc−tx≤∆T

ComputeKey⁰_i=H(d_jQ_i||N_i||t_i) (T ID_i||M₁||Z₁||W_i||N_i||t_i) =D_Keydi(C_i) W₁⁰ =T ID_i⊕W_i

M⁰₁=H(W₁||Key_i||N_i||Z₁) CheckM₁⁰ =^? M₁

ComputeZ⁰_i=Z₁⊕M⁰₁ SelectN_j∈_RZ^∗_pand Generatet_j Z_j=H(x_j)

Z2=Z_j⊕M⁰₁ Key_j=H(Z⁰_iZ_j||N_j||t_j) W2=T ID_j⊕W_j

M₂=H(W₂||Key_j||N_j||Z₂)

SKxy=H(T ID_i||T ID_j||Z_i⁰Z_jd_jQ_i||key⁰_i||key_j||M⁰₁||M2||N_i||N_j) C_j=E_Keyj(T ID_j||M₂||W_j||N_j||t_j)

mj={Nj,tj,Z2,Cj}

←−−−−−−−−−−−−−−−−−−−−−−−−−−−

Checktc−t_j≤_∆T Z⁰_j=Z₂⊕M₁

ComputeKey⁰_j=H(Z_iZ⁰_j||N_j||t_j) (T ID_j||M2||W_j||N_j||t_j) =DKeyj(C_j) W₂⁰ =T ID_j⊕W_j

M⁰₂=H(W₂⁰||Key⁰_j||N_j||Z2) CheckM₂⁰ =^? M₂

SKxy=H(T ID_i||T ID_j||Z_iZ_j⁰d_iQ_j||key_i||key⁰_j||M₁||M₂⁰||N_i||N_j)

Figure 3.Mandal Key Agreement Protocol.

5. Weakness of Existing Protocols

In this section, firstly we perform cryptanalysis of Islam-Biswas protocol to show its weaknesses and then we perfom the cryptanalysis of Mandal et al.’s protocol. The following subsections show that both the protocols of Islam-Biswas and Mandal et al. are vulnerable to key compromise impersonation attack, and lack of user anonymity.

5.1. Key Compromise Impersonation Attack on Islam-Biswas Protocol

By key compromise impersonation attack, if an active adversary is able to get access to a user’s (e.g., U_i) long term private key, then he can masquerade himself as an other user (e.g., U_j) to the victim. In this subsection, we show that Islam-Biswas protocol is vulnerable to key compromise impersonation attack. An active adversary can mount this attack to share a session key with a peer.

LetAbe an attacker who wants to impersonate as a legal userU_ito another legal userU_j. For successful impersonation, the steps performed betweenAandU_jare described as follows:

Step KCI 1: Acomputes:

T_i⁰=G (1)

R⁰_i=H1(T_i⁰kdjQi) (2) ThenAsends (IDi,T_i⁰,R⁰_i) toU_j.

Step KCI 2: Upon receiving the messageU_jselectsy∈_RZ^∗_p, and computesU_j

T_j=yQ_j (3)

R_j=H₁(T_jkd_jQ_i) (4) FurtherU_jsends (ID_j,T_j,R_j) toU_i.

Step KCI 3: Aintercepts the message and computes

R^∗_j =H₁(T_jkd_jQ_i) (5) and verifies

R^∗_j =^? Rj (6)

ThenAcomputes:

K=K⁰_i= (dj)Tj=ydjG (7) SK=H₂(ID_ikID_jkT_i⁰kT_jkR⁰_ikR_jkK) (8) SimilarlyU_jcomputes:

R_i^∗=H1(T_i⁰kdjQi) (9) and verifies

R^∗_i =^? R⁰_i (10)

If Equation (10) does not hold,U_jaborts the session, otherwiseU_j believes the party on other side isU_iand computes:

K=K_j= (yd_j)T_i⁰=yd_jG (11)

SK=H2(ID_ikID_jkT_i⁰kT_jkR⁰_ikR_jkK) (12) Proposition 1. In Islam-Biswas protocol, upon execution of key compromise impersonation attack, user U_jaccepts adversaryAas another userU_iandAshares the session key withU_jon behalf ofU_i.

Proof. A initiates the key compromise impersonation attack by computing T_i⁰ = G and R⁰_i = H1(T_i⁰kdjQi), then A sends IDi,T_i⁰,R⁰_i to U_j, which believes the other party is legal U_i if Equation (10) holds. U_j computesR^∗_i in Equation (9), which is equal toR⁰_i computed byA in Equation (2). HenceAis believed to beU_ibyU_j. The session key computed by bothAand U_j is also same, asA computed session keySKin Equation (8) which is exactly the same as computed byU_jin Equation (12). Hence,Ahas successfully launched KCIA on Islam-Biswas’s protocol.

5.2. Key Compromise Impersonation Attack on Mandal et al.’s Protocol

This subsection shows that the protocol of Mandal et al. is also vulnerable to Key Compromise Impersonation Attack (KCIA). LetA be an attacker who wants to impersonate as a legal userU_i to another legal userU_j. For successful impersonation, the steps performed betweenAandU_jare simulated as follows:

KCM 1: Arandomly selectsNa,T IDa,Wa,Za∈_RZ^∗_p, generatestaand computes:

W₁=T IDa⊕Wa (13)

Keya=H(d_jQ_i||Na||ta) (14) M₁=H(W₁||Keya||Na||Z₁) (15)

Z1=Za⊕M1 (16)

Ca=EKeya(T IDa||M1||Z1||Wa||Na||ta) (17) Asendsma={Na,ta,Ca}toU_j.

KCM 2: On receiving a message,U_jchecks the time-stamp freshness and aborts the session iftc−ta≤

∆T, does not hold.U_jthen computes:

Key⁰_a =H(djQi||Na||ta) (18) (T IDa||M1||Z1||Wa||Na||ta) =D_Key⁰

a(Ca) (19)

W₁⁰ =T IDa⊕Wa (20)

M₁⁰ =H(W1||Keya||Na||Z1) (21) U_jthen checks :

M⁰₁=^? M₁ (22)

Upon success,U_jselectsN_j∈_RZ^∗_pandt_jand computes:

Z⁰_a=Z₁⊕M⁰₁ (23)

Zj=H(xj) (24)

Z₂=Z_j⊕M₁⁰ (25)

Keyj=H(Z⁰_aZj||Nj||tj) (26)

W2=T ID_j⊕W_j (27)

M₂=H(W₂||Key_j||N_j||Z₂) (28)

SKxy=H(T IDa||T IDj||Z⁰_aZjdjQa||key⁰_a||keyj||M⁰₁||M2||Na||Nj) (29) C_j=EKey_j(T ID_j||M2||W_j||N_j||t_j) (30) U_jsends backm_j={N_j,t_j,Z₂,C_j}toU_i.

KCM 3: Aintercepts the messages and computes:

Z⁰_j=Z2⊕M₁ (31)

(T IDj||M2||Wj||Nj||tj) =D_Key⁰

j(Cj) (32)

W₂⁰ =T ID_j⊕W_j (33)

M⁰₂=H(W₂⁰||Key⁰_j||N_j||Z2) (34)

Athen computes session key as:

SKxy=H(T IDa||T ID_j||ZaZ⁰_jd_jQ_i||keya||key⁰_j||M₁||M⁰₂||Na||N_j) (35) Proposition 2. In Mandal et al.’s protocol, upon execution of key compromise impersonation attack, userU_j accepts adversaryAas another userU_iandAshares the session key withU_jon behalf ofU_i.

Proof. Ainitiates the key compromise impersonation attack by computingW1,Keya,M1,Z1andCa

thenAsends{Na,ta,Ca}tuple toU_j, which believes the other party is legalU_iif Equation (22) holds.

The security of the protocol relies on the computation ofKeya, ifKeyais computed same on both sides, then decryption ofCaonU_jwill be same as computed byA. Therefore,M1computed in Equation (15) byAand in Equation (21) byU_jwill also be same. Hence Equation (22) will hold true.U_jcomputes Key⁰_ain Equation (18), which is equal toKeyacomputed byAin Equation (14). Therefore, Equation (22) holds. Hence,A is believed to be U_i byU_j. The session key computed by both Aand U_j is also same, asAcomputed session keySKin Equation (35) which is exactly the same as computed byU_jin Equation (29). Hence,Ahas successfully launched KCIA on Mandal et al.’s protocol.

5.3. Lacking User Anonymity

Both the protocols of Islam-Biswas and Mandal et al., lack user anonymity and privacy. The former did not claim to provide anonymity, whereas, latter claimed to provide it. However, after a careful analysis, it is revealed that their protocol lacks anonymity. Our analysis is simulated as follows:

After computingW1,Keyi,M1,Z1andCa, theU_isends{Ni,ti,Ci}tuple toU_j.U_jafter verification of freshness computes:

Key⁰_i=H(d_jQ_i||N_i||t_i) (36) The computation of Equation (36) requires the public keyQ_iof the userU_i. However, the received message {Ni,ti,Ci}does not contain any information to identify the requesting user. Therefore, the protocol will not work. The authors in this paper consider it a typographical mistake and the complete request message may be{N_i,t_i,C_i,ID_i}, because in other case, the protocol is incorrect and cannot complete the authentication process. As per the valid assumption made by authors, the protocol of Mandal et al. does not provide user anonymity.

6. Proposed Protocol

This section briefly explains the proposed protocol designed specifically to resist key compromise impersonation attack (KCIA). The proposed protocol is based on ECC and self certified keys and resist all known attacks. The proposed protocol involves two entities: (1) The server is responsible for registration of the devices and assigns certificates to each of the device, the server is assumed to be trusted, (2) the communicating devices after getting certificate from server can establish secure connection with each other without intervention of server or any other party. Following subsections explains the proposed methodology:

6.1. Setup Phase

In system setup phase, the server (S) initializes the system parameterΩ. InitiallyS chooses a security parameterk∈Z⁺along with an elliptic curveE/Fp, thenSselects a base pointGoverE/Fp. FurtherS selectsKPrias his private key and computesK_Pub = KPriGand chooses a one way hash functionsH:{0, 1}^∗→ {0, 1}^k. FinallySpublishes all public parametersΩ={E/Fp,H,G,K_Pub}and keepsK_Prisecret.

6.2. Registration Phase

This phase is very similar to the corresponding phase of Islam et al.’s protocol and is initiated by a deviceDa, whenDawants to register withS.Daselects his identityIDaand a random number xa ∈_R Z^∗_p, thenD_a computesXa = H(IDakxa)Gand sends IDa,Xa toS via some secure channel, which selectsta∈_RZ^∗_pupon receiving a message fromD_a.Sthen computesPa=H(IDakta)K_Pub+Xa, ra= [H(IDakta) +H(IDakPa)]K_PriandQa=Pa+H(IDakPa)K_Pub.Ssends (IDa,Pa,ra) toD_avia some secure channel and publishesQa. Upon receiving,Dacomputes his private keyda= [ra+H(IDakxa)], the public key ofD_aisdaG=Qa. The registration phase is also illustrated in Figure4. The private key ofD_acan be verified as follows:

daG = [ra+H(IDakxa)]G

= [[H(IDakta) +H(IDakPa)]K_Pri+H(IDa||Xa)]G

= [H(IDakta)KPub+H(IDakPa)KPub+H(IDa||Xa)G

=Pa+H(IDa||Pa)KPub

=Qa

(37)

DeviceD_a ServerS

Selects identityIDaandxa∈_RZ^∗_p ComputeX_a=H(ID_akx_a)G

Ru={IDa,Xa}

−−−−−−−−−−−−−−−−−−−−−−→

Select a random numberta∈_RZ^∗_p ComputePa=H(IDakta)K_Pub+Xa

ra= [H(IDakta) +H(IDakPa)]K_Pri Qa=Pa+H(IDakPa)K_Pub PublishQa

Rs={IDa,Pa,ra}

←−−−−−−−−−−−−−−−−−−−−−−−−−−

da= [ra+H(IDakxa)]

Q_a=^? d_aG=P_a+H(ID_akX_a)G

Figure 4.Proposed registration.

6.3. Authenticated Key Agreement Phase

In proposed scheme, a device sayD_iinitiates the process to exchange authenticated key with peer sayD_j. Following steps as shown in Figure5are performed amongD_iandD_j:

PKA 1: D_i → D_j:mi1={AIDi,τ_i,γ_i,ti}

D_i selects x ∈_R Z^∗_p, generates t_i and computes τ_i = xG, α_i = xQ_j, AID_i = α_i⊕ID_i and γ_i=H(α_i||τ_i||ID_i||ID_j||t_i). ThenD_isendsm_i1={AID_i,τ_i,γ_it_i}toD_j.

PKA 2: D_j → D_i:m_j={AID_j,τ_j,R_j,t_j}

On receiving request message,D_jaborts the session iftc−ti ≤ ∆T. Otherwise,D_jcomputes αi = djτi,IDi = AIDi⊕αi and aborts the session ifγi 6= H(αi||τi||IDi||IDj||ti). Otherwise,D_j selectsy ∈_R Z^∗_p, generatest_j and computesτ_j = yG, K = K_j = yQ_i+d_jτ_i, AID_j = α_i⊕ID_j, R_j =H(K||α_i||τ_i||τ_j||ID_i||ID_j||t_j). TheD_jsendsm_j={AID_j,τ_j,R_j,t_j}toD_i.

PKA 3: D_i → D_j:m_i2={R_i}

After receiving the reply, D_i aborts the session if tc−t_j ≤ ∆T. Otherwise, D_i computes ID_j =AID_j⊕α_i,K=K_i =xQ_j+d_iτ_jand checksR_j=^? H(K||α_i||τ_i||τ_j||ID_i||ID_j||t_j), continues to computeSK=H(IDikIDjkτ_ikτ_jkK) andRi= H(SK||IDi||IDj||K), if the equality holds. TheD_i sendsmi2={Ri}toD_j.

PKA 4: D_jon receivingm_i2computesSK=H(ID_ikID_jkτ_ikτ_jkK) and verifiesR_i =^? H(SK||ID_i||ID_j||K).

D_jterminates the session on failure and keepsSKas session key upon success.

DeviceD_i DeviceD_j Selectx∈_RZ^∗_pandt_i

Computeτ_i=xG α_i=xQ_j

AID_i=α_i⊕ID_i

γi=H(α_i||_τi||ID_i||ID_j||t_i)

mi1={AIDi,τi,γi,ti}

−−−−−−−−−−−−−−−−−−−−−−→

Checktc−t_i≤_∆T Computeαi=d_jτi

IDi=AIDi⊕αi

γ_i=^? H(α_i||τ_i||ID_i||ID_j||t_i) Selecty∈_RZ^∗_pandt_j Compute:τ_j=yG K=K_j=yQ_i+d_jτ_i AID_j=αi⊕ID_j

R_j=H(K||α_i||τ_i||τ_j||ID_i||ID_j||t_j)

mj={AIDj,τj,Rj,tj}

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−−

Checktc−t_j≤_∆T ID_j=AID_j⊕αi

K=K_i=xQ_j+d_iτ_j

R_j=^?H(K||α_i||τ_i||τ_j||ID_i||ID_j||t_j) SK=H(ID_ikID_jkτ_ikτ_jkK) R_i=H(SK||ID_i||ID_j||K)

mi2={Ri}

−−−−−−−−−−−−−−−−→

SK=H(ID_ikID_jkτ_ikτ_jkK) R_i=^? H(SK||ID_i||ID_j||K) Figure 5.Proposed key agreement.

7. Security Analysis

In this section the security of proposed protocol under the attack model of automated tool Scyther is performed, backed by the security requirements discussion. This section also provides a security features comparison of the proposed and existing protocols [13,31,32,36,37] in Table2. Referring to Table2, only the proposed schemes provide all security features, whereas all other protocols lacks device anonymity. The protocols [13,36,37] are insecure key replication (KRA/KOA) attack, the protocols [13,31,32] are insecure against Key compromise impersonation attack (KCIA). Protocol proposed by Islam-Biswas [31] is also insecure against replay attack. Following subsections provides detailed security analysis and security features provided by the proposed protocol:

Table 2.Security Comparison table.

Features→ RF₁ RF₂ RF₃ RF₄ RF₅ RF₆ RF₇ RF₈ RF₉ RF₁₀ Protocols↓

Ours 3 3 3 3 3 3 3 3 3 3

[13] 7 7 3 3 3 3 3 7 3 3

[36] 3 7 3 3 3 3 3 7 3 3

[37] 3 7 3 3 3 3 3 7 3 3

[31] 7 7 3 3 3 3 3 3 3 3

[32] 7 7 3 3 3 3 3 3 3 7

Note:RF₁: Key Compromise Impersonation Attack;RF₂: device Anonymity;RF₃: Man in Middle Attack;

RF₄: Known Key attack;RF₅: Unknown Key Share Attack;RF₆: Perfect Forward Secrecy;RF₇: Known Session Specific Information Attack;RF₈: Key Offset/Replicate Attack;RF₉: No Key Control;RF₁₀: Replay Attack3: indicates that the scheme provides or is secure against that feature;7: indicates that the scheme does not provide or is insecure against that feature.

7.1. Formal Security

To analyze formally, the security and privacy of the proposed protocol, following oracles are defined:

• Reveal_h:Execution of this oracle unconditionally yieldsSaout ofH(Sa).

• Reveal_{dl p}:Given the pair{V=a.W,W}, execution of this oracle unconditionally providesa.

Theorem 1. The proposed device to device security protocol is secure forA- an attacker, to expose IDaof device D_a, the parameter K = yQ_i+d_j.τ_i, the session key SK = H(ID_i||ID_j||τ_i||τ_j||K)shared betweenD_a andS under the hardness of ECDLP and hash function is considered as a random oracle.

Proof. A is considered as an attacker with abilities to compute IDa of device D_a, secretly computed parameter K = yQ_i +d_jτ_j and SK = H(ID_i||ID_j||τ_i||τ_j||K) between D_a and D_b. A simulates the oracles oraclesReveal_handReveal_{dl p}for the execution of the algorithmic experiment (Algorithm 1)EXPE1ECDLP,H ASH

A,2DTDAKA against the two party device-to-device authenticated key agreement (2DTDAKA) protocol. The success probability of EXPE1ECDLP,H ASH

A,2DTDAKA can be solicited as Suc_ex1 =

|P[EXPE1ECDLP,H ASH

A,2DTDAKA = 1]−1|, where the advantage of A is Advt1ECDLP,H ASH

A,2DTDAKA (t_f,qrevH,qrevD) = maxA(Succe_ex1). The maximum allowed queriesAcan make areq_revHandq_revD, for each of the oracles Reveal_handReveal_{dl p}. Referring the simulation ofEXPE1ECDLP,H ASH

A,2DTDAKA ,Acan compute IDa,Kand SKifAhas the abilities to (i) break one-way property of hash and (ii) Compute the hard ECDLP.

As per Definition1, inverting hash is hard problem; likewise, by Definition2solving ECDLP is also computationally infeasible for large parameter sizes (geq160 bits). Hence, proposed 2DTDAKAis unbreakable against disclosure of secretly computed parameterK, session keySKand device identity IDa.

Algorithm 1EXPE1ECDLP,H ASH A,2DTDAKA

1: Eavesdrop the Request m_i1 = {AID_i,τ_i,γ_i,t_i}, Where AID_i = α_i⊕ID_i, τ_i = x.G and γ_i = H(α_i||τ_i||ID_i||ID_j||t_i)

2: CallReveal_{dl p}oracle onτ_iandGand getx⁰←Reveal_{dl p}(τi,G)

3: Computeα

0

i =x⁰.QjandID⁰_i =AIDi⊕α

0 i 4: CallReveal_honγ_iand get (α⁰⁰_i||τ

0

i||ID_i⁰⁰||ID⁰_j||t⁰_i)←Reveal_h(γ_i)

5: if(ID⁰⁰_i =ID_i⁰andti==t⁰_iandα⁰_i ==α⁰⁰_i )then

6: AcceptID_i⁰along-with session parametersx⁰andτ

0 i and

7: Eavesdrop Challengem_j = {AID_j,τ_j,R_j,t_j}, where AID_j = α_i⊕ID_j, τ_j = y.G and R_j = H(K||αi||τi||τj||IDi||IDj||tj)

8: ComputeID⁰_j=AID_j⊕α

0 i

9: CallRevealhonRjand get (K⁰||α⁰⁰⁰_i ||τ_i⁰⁰||τ_j⁰||ID⁰⁰⁰_i ||ID⁰⁰_j||t⁰_j)←Revealh(Rj)

10: if(ID⁰_j =ID⁰⁰⁰_j andt_j==t⁰_i)then

11: AcceptK⁰and computeSK⁰ =H(ID⁰_i||ID⁰_j||τ_i⁰||τ_j⁰||k⁰)

12: Eavesdrop responsemi2={Ri}

13: CallReveal_honR_iand get (SK⁰⁰||ID_i⁰⁰⁰||ID⁰⁰⁰_j ||K⁰⁰)←Reveal_h(R_i)

14: if(SK⁰==SK⁰⁰)then

15: AcceptSK⁰

16: else

17: returnFail

18: end if

19: else

20: returnFail

21: end if

22: else

23: returnFail

24: end if