DOI: 10.1145/3659154.3659191 (ICEA conference proceedings, research article, open access)

Security analysis on "EAKE-WC: Authenticated Key Exchange Protocol for Wearable Computing"

Published: 26 December 2024

Abstract

The rapidly growing field of wearable computing has shown significant promise in its ability to transform and enhance the quality of human life. The increasing adoption of hardware and software technology has made smart wearable gadgets ubiquitous in everyday life. Ensuring secure data transfer in wearable computing has consequently emerged as a significant challenge that has attracted much attention from the academic community, and several authentication procedures have been developed for wearable devices in order to offer secure and reliable communication. However, the majority of the current protocols are susceptible to various security vulnerabilities. Very recently, Tu et al. presented an authenticated key exchange protocol for wearable computing. In this article, we discuss the security issues of Tu et al.’s protocol (IEEE Transactions on Mobile Computing, 10.1109/TMC.2023.3297854). They claimed that their protocol preserves anonymity and resists masquerading and password-guessing attacks. The security analysis in this article reveals significant vulnerabilities in the authentication phase of Tu et al.’s protocol: an adversary can masquerade as the wearable device (sensor) and as the user, the protocol violates user anonymity, and it is vulnerable to stolen-device and password-guessing attacks. Consequently, we suggest possible remedies for attack resilience.

1 Introduction

Wearable devices [8, 10, 16] are technological tools that are seamlessly incorporated into garments or accessories, enabling connectivity to the Internet and software applications for the purpose of monitoring both personal health and environmental conditions. The applications of these technologies are many, encompassing mobile payment systems, social networking platforms, gaming platforms, and healthcare services. The prevalent categories encompass smart watches, apparel, eye-wear, and auditory devices. Within the healthcare domain, wearable devices are utilized to monitor and record physiological information such as glucose levels, blood pressure, and heart rate. These devices then communicate the collected data to mobile devices and cloud-based platforms for further analysis. This technological capability facilitates remote monitoring and allows healthcare professionals to provide treatment suggestions based on the analyzed data [17].
The increasing availability of hardware and software technology has led to the ubiquitous presence of smart wearable gadgets in our everyday lives, bringing considerable convenience. However, the wearable devices and applications deployed within this infrastructure face significant security and privacy concerns. Moreover, the use of wireless transmission in wearable computing, where data collection, transmission, and storage are all exposed to various attacks, makes the security concern more serious [1, 4, 24].
Authenticated key exchange (AKE) techniques [6, 7, 22] are designed to enhance security by effectively mitigating a range of potential attacks, including de-synchronization, ephemeral secret leakage, replay, and masquerading. Mutual authentication is facilitated by these mechanisms, which establish a secure communication channel between two entities and derive a shared session key to be used for further encryption purposes [11, 19]. The utilization of AKE systems is crucial in ensuring the security of communication [9, 12]. Lightweight cryptographic primitives, such as symmetric cryptography and hash functions, are frequently employed in wireless communication due to limited resources [3, 13, 25]. Nevertheless, it is worth noting that many AKE techniques implemented in wireless environments may not entirely achieve their intended security objectives [15].
Hence, in order to maintain the integrity of the wearable computing infrastructure against possible security breaches, numerous protocols have been put forth. Recently, Tu et al. [20] introduced an authentication protocol designed to address authentication in wearable computing. The authors asserted that their protocol not only prevents anonymity violation but also resists a range of known attacks. The primary objective of this comment is to underscore vulnerabilities present in Tu et al.’s protocol and to show that it fails to fulfill the objectives its authors put forward. Our broader aim is to help future authentication protocols for wearable computing environments avoid the same class of attacks.
Table 1: Notations used in Tu et al.’s protocol

Notation                             Expansion
Uj, WDi                              jth user and ith wearable device of Uj
RA, CS                               Registration authority, cloud server
PDNj                                 Pseudo-identity of user Uj
IDj                                  Identity of the jth user
PWj                                  Password of Uj
MTj                                  jth mobile terminal
PDNi, IDi                            Pseudo-identity and unique identity of the ith wearable device
k                                    ASCON encryption/decryption key
K                                    Master secret key of the cloud server
\(\mathcal {E^*_{\mathbb {A}}}\)     Adversary
SK                                   Session key
\(\mathbb {MAC}_i\)                  Message authentication code
\(\mathbb {CT}_i\)                   ith ciphertext block

2 Revisit of Tu et al.’s protocol

In this section, we review Tu et al.’s protocol [20], which consists of three phases: setup, registration, and login & authentication phases. The commonly used notations of Tu et al.’s protocol are tabulated in Table 1.

2.1 Setup Phase

During this phase the RA creates the secret credentials of each wearable device as listed below.
(1)
The RA chooses a master secret key K for the cloud server.
(2)
The RA chooses an identity IDi, a pseudo-random identity PDNi, and an encryption key kW for each wearable device WDi.
(3)
The RA stores the following parameters {IDi, PDNi, kW} in the WDi’s memory and also keeps the credentials \((ID_i, PDN^{old}_i = null, PDN^{new}_i = PDN_i, k^{old}_W = null, k^{new}_W = k_W)\) in the cloud server’s database.

2.2 Registration Phase

The Uj registers securely with the RA via a private channel in this phase, as detailed below:
(1)
Over the secure private channel, Uj selects an identity IDj and a random nonce arj and sends both parameters to the RA.
(2)
After receiving {IDj, arj}, the RA chooses a pseudo-random identity PDNj and an encryption key kU. The RA then computes \(Y_1 \leftarrow h(ID_j||K)\) and \(Q_j \leftarrow X^1_1 \oplus X^2_1\), where \(X^1_1\) and \(X^2_1\) denote the two halves of \(Y_1\) (the same splitting of \(Y_2, Y_3, Y_4\) into \(X^1, X^2\) is used below).
(3)
The RA stores \(\lbrace (ID_j , PDN^{old}_j = null, PDN^{new}_j = PDN_j, k^{old}_U =null, k^{new}_U = k_U)\rbrace\) in the cloud server database and transfers {Qj, PDNj, kU} to Uj.
(4)
After receiving {Qj, PDNj, kU}, Uj chooses a password PWj and computes \(Y_2 \leftarrow h(ID_j||PW_j)\), \(k \leftarrow X^1_2\oplus X^2_2\), and \(\lbrace CT, MAC\rbrace \leftarrow E_k(ar_j, X^2_2, Q_j)\), i.e., ASCON encryption under k with nonce arj, associated data \(X^2_2\) and plaintext Qj. Uj then stores the credentials \(\lbrace (ar_j, CT, MAC, PDN^{old}_j= null, PDN^{new}_j = PDN_j, k^{old}_U= null, k^{new}_U = k_U)\rbrace\) in the memory of MTj.

2.3 Login and Authentication Phase

In Tu et al.’s protocol, the entities involved in the environment go through the following login and authentication phase.
(1)
User Uj logs into MTj by entering his or her identity IDj and password \(PW^l_j\).
(2)
MTj retrieves the stored credentials arj, \(\mathbb {CT}\), and MAC and computes \(Y_3 \leftarrow h(ID_j ||PW^l_j)\), \(k^l \leftarrow X^1_3 \oplus X^2_3\), and \(\lbrace PT_j, \perp \rbrace \leftarrow D_{k^l} (ar_j, X^2_3, CT, MAC)\). If the decryption fails to verify (output \(\perp\)), the login is aborted. Otherwise Uj is logged in to MTj, and the recovered plaintext yields the secret parameter \(Q_j \leftarrow PT_j\).
(3)
MTj then generates a random nonce ar1 and the current timestamp τs1, forms Ms1 ← < ar1, PDNj, τs1 >, and transmits it to WDi over the public channel.
(4)
On receiving Ms1, WDi checks \(|\tau s_2-\tau s_1| \stackrel{?}{\le } \triangle \tau\) to confirm the freshness of τs1, where τs2 is the current timestamp and △τ is the maximum allowed transmission delay (every subsequent step applies the same timestamp check). If the check fails, WDi rejects the message and aborts. Otherwise WDi retains Ms1, generates a random nonce ar2, takes the current timestamp τs3, reads IDi, PDNi, and kW from its memory, and computes \(\lbrace (\mathbb {CT}_1||\mathbb {CT}_2||\mathbb {CT}_3||\mathbb {CT}_4), MAC_1\rbrace \leftarrow E_{k_W} (ar_2\oplus \tau s_3, PDN_i, (ar_1||PDN_j||ID_i||ar_2))\). Here the nonce is ar2 ⊕ τs3, the associated data is PDNi, and the plaintext is (ar1||PDNj||IDi||ar2). Finally, WDi forms Ms2 ← < ar2, PDNi, MAC1, τs3 > and sends it to Uj over the public channel. Note that only MAC1 is transmitted; the ciphertext blocks \(\mathbb {CT}_1,\dots,\mathbb {CT}_4\) stay with WDi and later serve as its session key and updated credentials (step 10).
(5)
Uj verifies \(|\tau s_4 - \tau s_3| \stackrel{?}{\le } \triangle \tau\). If it holds, Uj selects ar3 and τs5 and computes \(\lbrace (\mathbb {CT}_5 ||\mathbb {CT}_6 ||\mathbb {CT}_7 || \mathbb {CT}_8), MAC_2\rbrace \leftarrow E_{k_U} (ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j,(ar_3||PDN_i||Q_j|| PDN_j))\). Finally, Uj sends Ms3 ← < Ms2, ar1, ar3, PDNj, MAC2, τs5 > to CS over the public channel.
(6)
CS checks \(|\tau s_6 - \tau s_5| \stackrel{?}{\le } \triangle \tau\) to rule out a replay. If the message is fresh, CS looks up PDNj in its database to find the matching IDj and kU, computes \(Y_4 \leftarrow h(ID_j||K)\), \(Q_j \leftarrow X^1_4 \oplus X^2_4\), and \(\lbrace (\mathbb {CT}_9||\mathbb {CT}_{10}||\mathbb {CT}_{11}||\mathbb {CT}_{12}), MAC_3\rbrace \leftarrow E_{k_U}(ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j, (ar_3||PDN_i ||Q_j|| PDN_j))\), and validates \(MAC_2 \stackrel{?}{=} MAC_3\) to verify the integrity and origin of the received message. If the check fails, CS terminates the login and authentication phase (LAP); otherwise it continues.
(7)
CS looks up PDNi to fetch kW and IDi and computes \(\lbrace (\mathbb {CT}_{13}|| \mathbb {CT}_{14}||\mathbb {CT}_{15}||\mathbb {CT}_{16}), MAC_4\rbrace \leftarrow E_{k_W}(ar_2 \oplus \tau s_3, PDN_i, (ar_1|| PDN_j|| ID_i|| ar_2))\). To authenticate WDi, CS checks \(MAC_1 \stackrel{?}{=} MAC_4\) and continues only if it holds.
(8)
CS then stores \((PDN^{old}_j = PDN_j, PDN^{new}_j = \mathbb {CT}_{10}, k^{old}_U = k_U, k^{new}_U = \mathbb {CT}_{11})\) and \((PDN^{old}_i = PDN_i, PDN^{new}_i=\mathbb {CT}_{14}, k^{old}_W = k_W, k^{new}_W = \mathbb {CT}_{15})\) in its database. The session key between Uj and WDi is computed by CS as \(SK_{UD} = \mathbb {CT}_{13}\), and the one between Uj and CS as \(SK_{CU}= \mathbb {CT}_9\). CS then picks τs7, computes \(Y_5 \leftarrow SK_{CU} \oplus SK_{UD}\) and \(MAC_5 \leftarrow h(Y_5||Q_j||\tau s_7)\), and transmits \(Ms_4 \leftarrow \lt \mathbb {CT}_{12}, \mathbb {CT}_{16}, Y_5, MAC_5, \tau s_7\gt\) to Uj over the public channel.
(9)
Uj verifies the timeliness of the received message via \(|\tau s_8 - \tau s_7| \stackrel{?}{\le } \triangle \tau\), validates \(MAC_5 \stackrel{?}{=} h(Y_5|| Q_j|| \tau s_7)\), and checks \(\mathbb {CT}_8 \stackrel{?}{=} \mathbb {CT}_{12}\). If all hold, Uj stores \((SK_{UC} = \mathbb {CT}_5, PDN^{old}_j = PDN_j, PDN^{new}_j = \mathbb {CT}_6, k^{old}_U = k_U, k^{new}_U = \mathbb {CT}_7)\), where SKUC is the session key shared with CS, and computes \(SK_{UD} \leftarrow Y_5 \oplus SK_{UC}\), the session key shared with WDi. Finally, Uj selects τs9 and delivers \(Ms_5 \leftarrow \lt \mathbb {CT}_{16},\tau s_9\gt\) to WDi over the open channel.
(10)
WDi checks the freshness of the message via \(|\tau s_{10} - \tau s_9| \stackrel{?}{\le } \triangle \tau\) and verifies \(\mathbb {CT}_4 \stackrel{?}{=} \mathbb {CT}_{16}\). If both hold, WDi sets the session key shared with Uj as \(SK_{DU}= \mathbb {CT}_1\) and updates the parameters in its memory to \(PDN_i= \mathbb {CT}_2, k_W = \mathbb {CT}_3\).

3 Cryptanalysis of Tu et al.’s Protocol

We conducted a cryptanalysis of the ’Authenticated Key Exchange protocol for Wearable Computing’ proposed by Tu et al. [20]. Before presenting it, we state in 3.1 the attack model that defines the capabilities of the adversary (\(\mathcal {E^*_{\mathbb {A}}}\)). The analysis uncovers several vulnerabilities in their protocol, including susceptibility to masquerading attacks and a lack of user and sensor anonymity. The details of the security issues of Tu et al.’s protocol are outlined below.

3.1 Attack Model

The capabilities assumed for the adversary (\(\mathcal {E^*_{\mathbb {A}}}\)) are summarized as follows.
(1)
\(\mathcal {E^*_{\mathbb {A}}}\) can inject forged messages into the public channel.
(2)
\(\mathcal {E^*_{\mathbb {A}}}\) can intercept and modify all or part of the content transmitted over the public channel.
(3)
\(\mathcal {E^*_{\mathbb {A}}}\) may be a system insider or an outsider.
(4)
\(\mathcal {E^*_{\mathbb {A}}}\) can retrieve the values stored in a sensor node (and, in the same way, in a mobile terminal) by means of power analysis [21, 23].

3.2 Violation of Anonymity

When developing an authentication system for wearable computing infrastructure, maintaining user anonymity is a paramount security concern, especially in healthcare systems. If \(\mathcal {E^*_{\mathbb {A}}}\) learns a user’s identity, it can link that user’s sessions and thereby track the user’s current location and login history. The protocol of Tu et al. [20] does not address this issue, because the cloud server (CS) stores IDj in plain form in its database, indexed by the pseudo-identity PDNj. When Uj initiates a login request over the public channel, \(\mathcal {E^*_{\mathbb {A}}}\) intercepts PDNj from Ms1 (and again from Ms3), and with access to the verifier table, whether as an insider or through a stolen verifier attack [2, 5, 18], maps the intercepted PDNj to the corresponding IDj. Consequently, the protocol presented in [20] fails to ensure user anonymity.

3.3 Password Guessing Attack

Suppose \(\mathcal {E^*_{\mathbb {A}}}\) gets temporary access to the mobile terminal MTj of user Uj. Then \(\mathcal {E^*_{\mathbb {A}}}\) can extract the values \(\lbrace (ar_j, CT, MAC, PDN^{old}_j = null, PDN^{new}_j = PDN_j, k^{old}_U= null, k^{new}_U = k_U)\rbrace\) from MTj through power analysis [23]. Next, \(\mathcal {E^*_{\mathbb {A}}}\) obtains IDj of Uj as described in 3.2 and guesses the password of Uj as follows. \(\mathcal {E^*_{\mathbb {A}}}\) picks a candidate \(PW^{l*}_j\) and computes \(Y_3^* \leftarrow h(ID_j ||PW^{l*}_j)\), \(k^{l*} \leftarrow X^{1*}_3 \oplus X^{2*}_3\), and \(\lbrace PT_j, \perp \rbrace \leftarrow D_{k^{l*}} (ar_j, X^{2*}_3, CT, MAC)\). If the decryption verifies, i.e., the MAC recomputed under \(k^{l*}\) equals the stored MAC, the guess \(PW^{l*}_j\) is the correct password of Uj, and \(\mathcal {E^*_{\mathbb {A}}}\) also holds the correct value PTj = Qj. Since the stored MAC verifies under a key derived only from IDj and the password, every guess is tested offline, without any interaction with CS, so the attack is bounded only by the size of the password dictionary.

3.4 Uj Masquerading Attack

Since CS stores \(\lbrace (ID_j, PDN^{new}_j = PDN_j, k^{old}_U =null, k^{new}_U= k_U, ID_i, PDN_i)\rbrace\) in its database, the values {IDj, PDNj, kU} are readily available to an insider adversary, and an outsider can obtain them through a stolen verifier attack [14]. Together with Qj, recovered through the password guessing attack of 3.3, these values are all that a login request requires, so \(\mathcal {E^*_{\mathbb {A}}}\) can impersonate a legitimate user Uj as follows.
(1)
\(\mathcal {E^*_{\mathbb {A}}}\) first obtains Qj through the password guessing attack of 3.3, which uses the values arj, \(\mathbb {CT}\), and MAC extracted from the memory of MTj via power analysis [23] together with the IDj obtained as in 3.2. \(\mathcal {E^*_{\mathbb {A}}}\) then waits for Uj to initiate a login request Ms1 ← < ar1, PDNj, τs1 > to WDi, intercepts it, and obtains the current PDNj.
(2)
Once Uj has finished the session, \(\mathcal {E^*_{\mathbb {A}}}\) generates a random nonce ar1 and the current timestamp τs1, forms Ms1 ← < ar1, PDNj, τs1 >, sends it to WDi on behalf of Uj, and waits for the challenge message from WDi.
(3)
After WDi receives Ms1 from \(\mathcal {E^*_{\mathbb {A}}}\), it checks \(|\tau s_2-\tau s_1| \stackrel{?}{\le } \triangle \tau\) to confirm the validity of τs1, generates a random nonce ar2, selects the timestamp τs3, reads IDi, PDNi, and kW from its memory, and computes \(\lbrace (\mathbb {CT}_1||\mathbb {CT}_2||\mathbb {CT}_3|| \mathbb {CT}_4), MAC_1\rbrace \leftarrow E_{k_W} (ar_2\oplus \tau s_3, PDN_i, (ar_1||PDN_j||ID_i||ar_2))\). WDi then forms Ms2 ← < ar2, PDNi, MAC1, τs3 > and sends it to \(\mathcal {E^*_{\mathbb {A}}}\).
(4)
Subsequently, \(\mathcal {E^*_{\mathbb {A}}}\) selects ar3 and τs5 and computes \(\lbrace (\mathbb {CT}_5 ||\mathbb {CT}_6 || \mathbb {CT}_7 ||\mathbb {CT}_8), MAC_2\rbrace \leftarrow E_{k_U} (ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j, (ar_3||PDN_i ||Q_j||PDN_j))\) using the stolen kU and the recovered Qj. Lastly, \(\mathcal {E^*_{\mathbb {A}}}\) sends \(Ms_3 \leftarrow \lt Ms_2, ar_1, ar_3, PDN_j, MAC_2, \tau s_5\gt\) to CS.
(5)
CS examines \(|\tau s_6 - \tau s_5| \stackrel{?}{\le } \triangle \tau\) to rule out a replay, looks up PDNj in its database to find IDj and kU, computes \(Y_4 \leftarrow h(ID_j||K)\), \(Q_j \leftarrow X^1_4 \oplus X^2_4\), and \(\lbrace (\mathbb {CT}_9||\mathbb {CT}_{10}||\mathbb {CT}_{11}||\mathbb {CT}_{12}), MAC_3\rbrace \leftarrow E_{k_U}(ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j, (ar_3||PDN_i ||Q_j|| PDN_j))\), and validates \(MAC_2 \stackrel{?}{=} MAC_3\), which holds because \(\mathcal {E^*_{\mathbb {A}}}\) used the genuine kU and Qj.
(6)
CS then looks up PDNi, retrieves IDi and kW, computes \(\lbrace (\mathbb {CT}_{13}||\mathbb {CT}_{14}||\mathbb {CT}_{15}||\mathbb {CT}_{16}), MAC_4\rbrace \leftarrow E_{k_W}(ar_2 \oplus \tau s_3, PDN_i, (ar_1|| PDN_j|| ID_i|| ar_2))\), and checks \(MAC_1 \stackrel{?}{=} MAC_4\), which also holds since Ms2 came from the genuine WDi.
(7)
CS computes the session key between Uj and WDi as \(SK_{UD} \leftarrow \mathbb {CT}_{13}\) and the one between Uj and CS as \(SK_{CU} \leftarrow \mathbb {CT}_9\), picks τs7, computes \(Y_5 \leftarrow SK_{CU} \oplus SK_{UD}\) and \(MAC_5 \leftarrow h(Y_5 ||Q_j || \tau s_7)\), and sends \(Ms_4 \leftarrow \lt \mathbb {CT}_{12}, \mathbb {CT}_{16}, Y_5, MAC_5, \tau s_7\gt\) to \(\mathcal {E^*_{\mathbb {A}}}\).
(8)
\(\mathcal {E^*_{\mathbb {A}}}\) checks \(\mathbb {CT}_8 \stackrel{?}{=} \mathbb {CT}_{12}\) and validates \(MAC_5 \stackrel{?}{=} h(Y_5|| Q_j || \tau s_7)\), both of which hold. \(\mathcal {E^*_{\mathbb {A}}}\) then takes \(SK_{UC} = \mathbb {CT}_5\) as the session key with CS and computes \(SK_{UD} \leftarrow Y_5 \oplus SK_{UC}\), the session key with WDi.
(9)
Finally, \(\mathcal {E^*_{\mathbb {A}}}\) holds SKUC in common with CS and SKUD in common with WDi (completing the run by sending \(Ms_5 \leftarrow \lt \mathbb {CT}_{16},\tau s_9\gt\) to WDi as in step 9 of 2.3). Hence, \(\mathcal {E^*_{\mathbb {A}}}\) successfully impersonates the legitimate client Uj, and the protocol is vulnerable to user masquerading attacks.

3.5 WDi Masquerading Attack

During the setup phase of a wearable device WDi, the RA stores the encryption key kW, IDi, and PDNi in the memory of WDi. \(\mathcal {E^*_{\mathbb {A}}}\) can extract kW, IDi, and PDNi from the memory of WDi via power analysis [23]. Since these values are all that WDi uses to generate its message Ms2 ← < ar2, PDNi, MAC1, τs3 > during the login and authentication phase, \(\mathcal {E^*_{\mathbb {A}}}\) can generate a valid Ms2 exactly as WDi would, impersonate WDi, and complete the authentication phase with the other entities. To achieve this, \(\mathcal {E^*_{\mathbb {A}}}\) carries out the following actions:
(1)
First, \(\mathcal {E^*_{\mathbb {A}}}\) waits for Uj to transmit Ms1 ← < ar1, PDNj, τs1 > toward WDi. When this happens, \(\mathcal {E^*_{\mathbb {A}}}\) intercepts Ms1 and imitates WDi to generate Ms2: it generates a random nonce \(ar^*_2\), picks the current timestamp \(\tau s^*_3\), and uses the IDi, PDNi, and kW extracted from the memory of WDi to compute \(\lbrace (\mathbb {CT}^*_1||\mathbb {CT}^*_2 ||\mathbb {CT}^*_3|| \mathbb {CT}^*_4), MAC^*_1\rbrace \leftarrow E_{k_W} (ar^*_2\oplus \tau s^*_3, PDN_i, (ar_1||PDN_j||ID_i|| ar^*_2))\). Here the nonce is \(ar^*_2\oplus \tau s^*_3\), the associated data is PDNi, and the plaintext is \((ar_1||PDN_j||ID_i||ar^*_2)\). Finally, \(\mathcal {E^*_{\mathbb {A}}}\) forms \(Ms^*_2 \leftarrow \lt ar^*_2, PDN_i, MAC^*_1, \tau s^*_3\gt\) and transmits it to Uj.
(2)
After receiving \(Ms^*_2\), Uj checks \(|\tau s_4 - \tau s^*_3| \stackrel{?}{\le } \triangle \tau\). If it holds, Uj selects ar3 and τs5, derives \(\lbrace (\mathbb {CT}_5 ||\mathbb {CT}_6 ||\mathbb {CT}_7 ||\mathbb {CT}_8), MAC_2\rbrace \leftarrow E_{k_U}(ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j ,(ar_3||PDN_i||Q_j||PDN_j))\), and transmits \(Ms_3 \leftarrow \lt Ms^*_2, ar_1, ar_3, PDN_j, MAC_2, \tau s_5\gt\) to CS.
(3)
CS examines \(|\tau s_6 - \tau s_5| \stackrel{?}{\le } \triangle \tau\) to rule out a replay, looks up PDNj to find IDj and kU, computes \(Y_4 \leftarrow h(ID_j||K)\), \(Q_j \leftarrow X^1_4 \oplus X^2_4\), and \(\lbrace (\mathbb {CT}_9||\mathbb {CT}_{10}||\mathbb {CT}_{11}||\mathbb {CT}_{12}), MAC_3\rbrace \leftarrow E_{k_U}(ar_1 \oplus ar_3 \oplus \tau s_5, PDN_j, (ar_3||PDN_i ||Q_j || PDN_j))\), and validates \(MAC_2 \stackrel{?}{=} MAC_3\), which holds since Uj is genuine. CS then looks up PDNi, fetches IDi and kW, and computes \(\lbrace (\mathbb {CT}_{13} ||\mathbb {CT}_{14}||\mathbb {CT}_{15}||\mathbb {CT}_{16}), MAC_4\rbrace \leftarrow E_{k_W}(ar^*_2 \oplus \tau s^*_3, PDN_i, (ar_1|| PDN_j|| ID_i|| ar^*_2))\). The check \(MAC^*_1 \stackrel{?}{=} MAC_4\) also holds, because \(\mathcal {E^*_{\mathbb {A}}}\) used the genuine kW, IDi, and PDNi, so CS continues the LAP. CS stores \((PDN^{old}_j = PDN_j, PDN^{new}_j = \mathbb {CT}_{10}, k^{old}_U=k_U, k^{new}_U= \mathbb {CT}_{11})\) and \((PDN^{old}_i=PDN_i, PDN^{new}_i=\mathbb {CT}_{14}, k^{old}_W = k_W, k^{new}_W = \mathbb {CT}_{15})\) in its database, computes the session keys \(SK_{UD} = \mathbb {CT}_{13}\) (Uj with WDi) and \(SK_{CU} = \mathbb {CT}_9\) (Uj with CS), picks τs7, calculates \(Y_5 \leftarrow SK_{CU} \oplus SK_{UD}\) and \(MAC_5 \leftarrow h(Y_5||Q_j||\tau s_7)\), and sends \(Ms_4 \leftarrow \lt \mathbb {CT}_{12}, \mathbb {CT}_{16}, Y_5, MAC_5, \tau s_7\gt\) to Uj over the open channel.
(4)
Uj checks the timeliness of the received message via \(|\tau s_8 - \tau s_7| \stackrel{?}{\le } \triangle \tau\) and verifies \(\mathbb {CT}_8 \stackrel{?}{=} \mathbb {CT}_{12}\) and \(MAC_5 \stackrel{?}{=} h(Y_5|| Q_j|| \tau s_7)\). If they hold, Uj stores \((SK_{UC} \leftarrow \mathbb {CT}_5, PDN^{old}_j= PDN_j, PDN^{new}_j = \mathbb {CT}_6, k^{old}_U = k_U, k^{new}_U = \mathbb {CT}_7)\) and computes the session key with the supposed wearable device as \(SK_{UD} \leftarrow Y_5 \oplus SK_{UC}\). Finally, Uj selects τs9 and transmits \(Ms_5 \leftarrow \lt \mathbb {CT}_{16},\tau s_9\gt\) over the open channel, where it is received by \(\mathcal {E^*_{\mathbb {A}}}\).
(5)
\(\mathcal {E^*_{\mathbb {A}}}\) checks the freshness of the message through \(|\tau s_{10} - \tau s_9| \stackrel{?}{\le } \triangle \tau\) and verifies \(\mathbb {CT}^*_4 \stackrel{?}{=} \mathbb {CT}_{16}\), which holds. In this way, \(\mathcal {E^*_{\mathbb {A}}}\), on behalf of WDi, negotiates the session key \(SK_{DU} \leftarrow \mathbb {CT}^*_1\) with Uj. Hence, the protocol in [20] is susceptible to a WDi masquerading attack.
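To make the message flow of Section 2 and the attacks of Sections 3.2 to 3.5 concrete, the following Python script is an added example written for this page; it is not code from Tu et al. or from this article. It assumes a 16-byte block for every field, replaces ASCON by an HMAC-SHA256 encrypt-then-MAC stand-in with the same (nonce, associated data, plaintext) interface, merges RA and CS into one Cloud object, and omits the timestamp freshness checks. run_session takes the party state as plain dictionaries, so a stolen copy of MTj's memory (with Qj recovered by the offline password guess of 3.3 and IDj read from the verifier table as in 3.2) or of WDi's memory completes the protocol exactly as the genuine party would, which is what 3.4 and 3.5 show. The user name, password and candidate dictionary are constructed sample data.

```python
import hashlib, hmac, secrets, time

B = 16   # every protocol field (nonces, IDs, pseudo-identities, Q_j, keys) is one 16-byte block

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def fold(y): return xor(y[:B], y[B:])                    # X^1 xor X^2 of a 32-byte digest Y
def now(): return int(time.time()).to_bytes(B, "big")    # timestamp padded to one block
def keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()[:B] for i in range(n))

def aead_enc(key, nonce, ad, pt):
    """Stand-in for ASCON E_k(nonce, ad, pt): (list of 16-byte CT blocks, MAC). Deterministic,
    so CS recomputes the same CT_i from the same inputs, as the protocol relies on."""
    ct = xor(pt, keystream(key, nonce, len(pt) // B))
    return [ct[i:i + B] for i in range(0, len(ct), B)], hmac.new(key, nonce + ad + ct, hashlib.sha256).digest()

def aead_dec(key, nonce, ad, ct, mac):
    """D_k: plaintext if the MAC verifies, else None (the 'bottom' output of step 2)."""
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ad + ct, hashlib.sha256).digest()):
        return None
    return xor(ct, keystream(key, nonce, len(ct) // B))

class Cloud:                                              # RA and CS together
    def __init__(self): self.K, self.users, self.devices = secrets.token_bytes(B), {}, {}
    def setup_device(self):                               # 2.1: returns the memory of WD_i
        ID, PDN, kW = (secrets.token_bytes(B) for _ in range(3))
        self.devices[PDN] = (ID, kW)
        return {"ID": ID, "PDN": PDN, "kW": kW}
    def register(self, ID, ar):                           # 2.2 steps 2-3
        PDN, kU = secrets.token_bytes(B), secrets.token_bytes(B)
        self.users[PDN] = (ID, kU)                        # ID_j in clear: the verifier table of 3.2/3.4
        return fold(h(ID, self.K)), PDN, kU               # Q_j, PDN_j, k_U
    def authenticate(self, Ms3):                          # 2.3 steps 6-8; None if a MAC check fails
        (ar2, PDNi, MAC1, ts3), ar1, ar3, PDNj, MAC2, ts5 = Ms3
        IDj, kU = self.users[PDNj]; Qj = fold(h(IDj, self.K))
        ct, MAC3 = aead_enc(kU, xor(xor(ar1, ar3), ts5), PDNj, ar3 + PDNi + Qj + PDNj)  # CT_9..CT_12
        IDi, kW = self.devices[PDNi]
        dt, MAC4 = aead_enc(kW, xor(ar2, ts3), PDNi, ar1 + PDNj + IDi + ar2)            # CT_13..CT_16
        if MAC2 != MAC3 or MAC1 != MAC4: return None
        self.users[ct[1]] = (IDj, ct[2]); self.devices[dt[1]] = (IDi, dt[2])            # new PDN/key, old kept
        SK_CU, SK_UD, ts7 = ct[0], dt[0], now(); Y5 = xor(SK_CU, SK_UD)
        return (ct[3], dt[3], Y5, h(Y5, Qj, ts7), ts7), SK_CU, SK_UD                    # Ms4 and CS's keys

def mt_register(cloud, ID, PW):                           # 2.2 steps 1 and 4: what MT_j stores
    ar = secrets.token_bytes(B); Qj, PDN, kU = cloud.register(ID, ar)
    Y2 = h(ID, PW); ct, MAC = aead_enc(fold(Y2), ar, Y2[B:], Qj)
    return {"ar": ar, "CT": ct[0], "MAC": MAC, "PDN": PDN, "kU": kU}

def mt_login(mt, ID, PW):                                 # 2.3 steps 1-2: Q_j, or None on a wrong password
    Y3 = h(ID, PW)
    return aead_dec(fold(Y3), mt["ar"], Y3[B:], mt["CT"], mt["MAC"])

def run_session(cloud, mt, Qj, dev):
    """Steps 3-10 of 2.3. Whoever holds MT_j's memory plus Q_j plays U_j, whoever holds WD_i's
    memory plays WD_i; nothing else is asked for. Returns (SK_UC, SK_CU, SK_UD, SK_DU)."""
    ar1, PDNj = secrets.token_bytes(B), mt["PDN"]                                        # step 3: Ms1
    ar2, ts3 = secrets.token_bytes(B), now()                                             # step 4 (WD_i)
    dct, MAC1 = aead_enc(dev["kW"], xor(ar2, ts3), dev["PDN"], ar1 + PDNj + dev["ID"] + ar2)  # CT_1..CT_4
    Ms2 = (ar2, dev["PDN"], MAC1, ts3)
    ar3, ts5 = secrets.token_bytes(B), now()                                             # step 5 (U_j)
    uct, MAC2 = aead_enc(mt["kU"], xor(xor(ar1, ar3), ts5), PDNj, ar3 + Ms2[1] + Qj + PDNj)  # CT_5..CT_8
    res = cloud.authenticate((Ms2, ar1, ar3, PDNj, MAC2, ts5))                          # steps 6-8 (CS)
    if res is None: raise ValueError("CS rejected Ms3")
    (CT12, CT16, Y5, MAC5, ts7), SK_CU, _ = res
    if MAC5 != h(Y5, Qj, ts7) or uct[3] != CT12: raise ValueError("U_j rejected Ms4")   # step 9 (U_j)
    SK_UC = uct[0]; SK_UD = xor(Y5, SK_UC)
    mt["PDN"], mt["kU"] = uct[1], uct[2]
    if dct[3] != CT16: raise ValueError("WD_i rejected Ms5")                             # step 10 (WD_i)
    SK_DU = dct[0]; dev["PDN"], dev["kW"] = dct[1], dct[2]
    return SK_UC, SK_CU, SK_UD, SK_DU

def guess_password(mt, ID, dictionary):                   # 3.3: fully offline against {ar_j, CT, MAC}
    for PW in dictionary:
        Qj = mt_login(mt, ID, PW)
        if Qj is not None: return PW, Qj
    return None

def keys_agree(keys):
    SK_UC, SK_CU, SK_UD, SK_DU = keys
    return SK_UC == SK_CU and SK_UD == SK_DU

def demo():
    cloud, ID, PW = Cloud(), b"alice-0001", b"hunter2"      # constructed sample user
    dev, mt = cloud.setup_device(), mt_register(cloud, ID, PW)
    honest = run_session(cloud, mt, mt_login(mt, ID, PW), dev)
    IDj_leaked = cloud.users[mt["PDN"]][0]                  # 3.2: PDN_j from the wire indexes the verifier table
    PW_guess, Qj_guess = guess_password(dict(mt), IDj_leaked, [b"123456", b"password", b"hunter2"])  # 3.3
    forged = run_session(cloud, dict(mt), Qj_guess, dict(dev))   # 3.4 + 3.5: copies of MT_j and WD_i memory
    return honest, PW_guess, forged
```

demo() returns the four session keys of an honest run, the password recovered offline, and the keys of a run driven entirely from copied memory; keys_agree checks SKUC = SKCU and SKUD = SKDU for either run. The design point is that no function takes anything a party could not extract from MTj or WDi, so extraction is equivalent to impersonation.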

4 Probable Remedies to Enhance Security of Tu et al.’s Protocol

The following remedies address the vulnerabilities of Tu et al.’s protocol discussed above.

4.1 Remedy for Guessing Attacks

Suppose \(\mathcal {E^*_{\mathbb {A}}}\) gets temporary access to the mobile terminal MTj of user Uj. Then \(\mathcal {E^*_{\mathbb {A}}}\) can read the values \(\lbrace (ar_j, CT, MAC, PDN^{old}_j = null, PDN^{new}_j = PDN_j, k^{old}_U= null, k^{new}_U = k_U)\rbrace\) from MTj through power analysis [23] and use them to guess the password or the identity offline. The root cause is that the stored MAC is an exact verifier: a guess is confirmed the moment \(D_{k^{l*}}\) verifies, with no interaction with CS. A fuzzy verifier is an effective and efficient countermeasure. Instead of an exact check, MTj stores a value that depends on only a few bits of h(IDj||PWj) (for instance h(IDj||PWj) mod n0 for a small n0), so that a large fraction of candidate (IDj, PWj) pairs pass the local check and an offline attacker is left with too many candidates to distinguish. Each remaining candidate must then be confirmed online against CS, and CS suspends the account until Uj re-registers once the number of failed logins exceeds a fixed threshold N (such as 10). For this to work, MTj must not keep any other exact verifier of the password, in particular not an authenticated ciphertext whose tag is checked locally; Qj should instead be masked (for example XORed with a password-derived value) so that a wrong password yields a wrong Qj that only CS can detect.
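The following Python script is an added example, not code from the article or from Tu et al., showing the remedy above on a minimal model: MTj keeps a fuzzy verifier A = h(salt || (h(IDj||PWj||salt) mod n0)) and an XOR-masked Qj with no local tag, while CS recomputes Qj from IDj and its master key K and counts consecutive failures per user. The challenge-response check at CS stands in for the MAC2 verification of step 6 in 2.3; the salt, the constants n0 = 2^8 and N = 10, and the sample dictionary are assumptions of the example.

```python
import hashlib, hmac, secrets

N0 = 2 ** 8    # fuzzy-verifier modulus: MT_j retains only log2(N0) bits of information about PW_j
N_MAX = 10     # consecutive failed online logins CS tolerates before suspending the user

def h(*parts): return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

class Terminal:
    """MT_j after registration. Q_j is XOR-masked, not authenticated-encrypted: a wrong
    password yields a wrong Q_j* instead of a local 'MAC failed', so the memory of MT_j
    contains no exact verifier of the password."""
    def __init__(self, ID, PW, Qj):
        self.salt = secrets.token_bytes(16)
        self.A = self.fuzzy(ID, PW)
        self.R = xor(Qj, h(ID, PW, self.salt, b"mask"))
    def fuzzy(self, ID, PW):
        v = int.from_bytes(h(ID, PW, self.salt), "big") % N0
        return h(self.salt, v.to_bytes(2, "big"))
    def login(self, ID, PW):
        """Local typo check (about 1/N0 of all passwords pass it), then unmask Q_j*."""
        if self.fuzzy(ID, PW) != self.A:
            return None
        return xor(self.R, h(ID, PW, self.salt, b"mask"))

class Cloud:
    """CS side. Q_j is recomputed from ID_j and the master key K, so nothing password-derived
    is stored, and a per-user failure counter enforces the N-strikes suspension."""
    def __init__(self):
        self.K, self.fails, self.suspended = secrets.token_bytes(16), {}, set()
    def Q(self, ID): return h(ID, self.K)
    def verify(self, ID, ch, resp):              # stand-in for the MAC_2 check of 2.3 step 6
        if ID in self.suspended: return "suspended"
        if hmac.compare_digest(resp, hmac.new(self.Q(ID), ch, hashlib.sha256).digest()):
            self.fails[ID] = 0
            return "ok"
        self.fails[ID] = self.fails.get(ID, 0) + 1
        if self.fails[ID] >= N_MAX:
            self.suspended.add(ID)
            return "suspended"
        return "fail"

def prove(Qstar, ch): return hmac.new(Qstar, ch, hashlib.sha256).digest()

def offline_candidates(stolen, ID, dictionary):
    """3.3-style attacker holding MT_j's memory: the fuzzy check is all it can evaluate offline."""
    return [PW for PW in dictionary if stolen.login(ID, PW) is not None]

def online_attack(cloud, stolen, ID, candidates):
    """Each offline survivor must be confirmed by CS. Returns (password or None, attempts used)."""
    for n, PW in enumerate(candidates, 1):
        ch = secrets.token_bytes(16)
        r = cloud.verify(ID, ch, prove(stolen.login(ID, PW), ch))
        if r != "fail":
            return (PW if r == "ok" else None), n
    return None, len(candidates)

def demo(dict_size=16384):
    cloud, ID, PW = Cloud(), b"alice-0001", b"correct-horse"     # constructed sample user
    mt = Terminal(ID, PW, cloud.Q(ID))
    ch = secrets.token_bytes(16)
    honest = cloud.verify(ID, ch, prove(mt.login(ID, PW), ch))   # genuine login
    dictionary = [b"pw-%05d" % i for i in range(dict_size)] + [PW]   # real password last
    cands = offline_candidates(mt, ID, dictionary)               # about dict_size/N0 + 1 survive
    cracked, attempts = online_attack(cloud, mt, ID, cands)
    return honest, len(cands), cracked, attempts
```

With a 16384-word dictionary about 64 wrong passwords pass the local fuzzy check, so the attacker cannot tell them apart offline and is suspended by CS after N_MAX online tries. Choosing n0 trades a larger offline candidate set against a higher chance that a genuine typo is only caught online.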

4.2 Remedy for WDi Masquerading

Sensor nodes lack tamper resistance, making them especially susceptible to attacks by \(\mathcal {E^*_{\mathbb {A}}}\). Using power analysis, \(\mathcal {E^*_{\mathbb {A}}}\) can obtain the credentials stored in the memory of a sensor node and use them to pose as a legitimate sensor node when negotiating keys with other parties. This crucial security issue was overlooked by Tu et al. [20], leaving their protocol vulnerable to sensor node impersonation. One strategy to reduce this risk is the following.
Since sensor nodes have no tamper-resistant hardware, the protocol should incorporate a Physically Unclonable Function (PUF) with challenge-response messages in the integrated circuit of each sensor node. A PUF derives its responses from manufacturing variations of the chip, so no two devices, even from the same manufacturer and production line, produce the same response to a given challenge, and the response is computed on demand rather than stored. Consequently, even if an adversary compromises a sensor node and reads all the values in its memory, it cannot produce a message that correctly imitates the genuine node, because \(\mathcal {E^*_{\mathbb {A}}}\) cannot reproduce the challenge-response pairs of the integrated PUF.

4.3 Remedy for Uj Masquerading

Tu et al.’s approach is susceptible to client masquerading attacks because CS keeps {(IDj, PDNj, kU)} in plain text in its database from the registration phase onward. An adversary with access to the verifier table, whether an insider or an outsider mounting a stolen verifier attack, can readily extract these parameters and use them for a variety of illicit purposes; since they are exactly the values needed to produce the request message, the attacker can assume the identity of a genuine user.
The protocol should be designed so that CS does not need a verifier table for these parameters. If a verifier table is unavoidable, its entries should be encrypted under a key held only by CS. Another strategy is to compute the values required for the authentication messages at the respective ends during message generation, avoiding the verifier table entirely. Moreover, session keys should be derived from random parameters that are never sent over the public channel in order to guarantee both forward and backward secrecy. Putting these measures into practice addresses the user masquerading problem found in Tu et al.’s scheme [20].

4.4 Remedy for Anonymity Violation

Tu et al.’s method [20] lacks user anonymity for the same reason it admits the masquerading attacks: CS keeps the IDj of user Uj directly in its database, where it is accessible to insiders and to anyone who obtains the verifier table. To address this, CS should refrain from keeping a verifier table containing IDj. If IDj needs to be stored, it should be encrypted with the secret key of CS, so that the IDj of a given Uj is known only to CS.

5 Conclusion

An authenticated key exchange protocol for wearable computing was recently introduced by Tu et al. This paper performs a comprehensive security analysis of their suggested approach. Several security flaws, such as anonymity violation, vulnerability to password guessing, wearable device masquerading, and user masquerading attacks, are exposed by our thorough cryptanalysis of Tu et al.’s protocol. This investigation clearly shows that the protocol proposed by Tu et al. is not suited for real-world use in a wearable computing system. Finally, we offer suggestions for creating an improved protocol to solve the security flaws found in Tu et al.’s research.

Acknowledgments

This research was partially supported by the Natural Science Foundation of Shandong Province, China (Grant no. ZR2022MF298). Shehzad Ashraf Chaudhry acknowledges financial support from Abu Dhabi University’s Office of Research and Sponsored Programs. Grant number: 19300810. The work of Chien-Ming Chen was partially supported by the Natural Science Foundation of Shandong Province, China (Grant no. ZR2022MF298).

References

[1] Orlando Arias, Jacob Wurm, Khoa Hoang, and Yier Jin. 2015. Privacy and security in internet of things and wearable devices. IEEE Transactions on Multi-Scale Computing Systems 1, 2 (2015), 99–109.
[2] Shehzad Ashraf Chaudhry, Azeem Irshad, Muhammad Asghar Khan, Sajjad Ahmad Khan, Summera Nosheen, Ahmad Ali AlZubi, and Yousaf Bin Zikria. 2023. A Lightweight Authentication Scheme for 6G-IoT Enabled Maritime Transport System. IEEE Transactions on Intelligent Transportation Systems 24, 2 (2023), 2401–2410.
[3] Shehzad Ashraf Chaudhry, Azeem Irshad, Jamel Nebhen, Ali Kashif Bashir, Nour Moustafa, Yasser D Al-Otaibi, and Yousaf Bin Zikria. 2021. An anonymous device to device access control based on secure certificate for internet of medical things systems. Sustainable Cities and Society 75 (2021), 103322.
[4] Shehzad Ashraf Chaudhry, Jamel Nebhen, Khalid Yahya, and Fadi Al-Turjman. 2022. A Privacy Enhanced Authentication Scheme for Securing Smart Grid Infrastructure. IEEE Transactions on Industrial Informatics 18, 7 (2022), 5000–5006.
[5] Shehzad Ashraf Chaudhry, Khalid Yahya, Sahil Garg, Georges Kaddoum, Mohammad Mehedi Hassan, and Yousaf Bin Zikria. 2023. LAS-SG: An Elliptic Curve-Based Lightweight Authentication Scheme for Smart Grid Environments. IEEE Transactions on Industrial Informatics 19, 2 (2023), 1504–1511.
[6] Chien-Ming Chen, Zhaoting Chen, Ashok Kumar Das, and Shehzad Ashraf Chaudhry. 2023. A Security-Enhanced and Ultra-Lightweight Communication Protocol for Internet of Medical Things. IEEE Internet of Things Journal (2023).
[7] Chien-Ming Chen, Yiru Hao, and Tsu-Yang Wu. 2023. Discussion of “Ultra Super Fast Authentication Protocol for Electric Vehicle Charging Using Extended Chaotic Maps”. IEEE Transactions on Industry Applications 59, 2 (2023), 2091–2092.
[8] Chien-Ming Chen, Shuangshuang Liu, Xuanang Li, SK Hafizul Islam, and Ashok Kumar Das. 2023. A provably-secure authenticated key agreement protocol for remote patient monitoring IoMT. Journal of Systems Architecture 136 (2023), 102831.
[9] Chien-Ming Chen, Bin Xiang, Yining Liu, and King-Hang Wang. 2019. A secure authentication protocol for internet of vehicles. IEEE Access 7 (2019), 12047–12057.
[10] Chien-Ming Chen, Bing Xiang, Tsu-Yang Wu, and King-Hang Wang. 2018. An anonymous mutual authenticated key agreement scheme for wearable sensors in wireless body area networks. Applied Sciences 8, 7 (2018), 1074.
[11] Jiahui Chen, Hang Xiao, Muchuang Hu, and Chien-Ming Chen. 2023. A blockchain-based signature exchange protocol for metaverse. Future Generation Computer Systems 142 (2023), 237–247.
[12] Mingchang Ge, Saru Kumari, and Chien-Ming Chen. 2022. AuthPFS: a method to verify perfect forward secrecy in authentication protocols. Journal of Network Intelligence 7, 3 (2022), 734–750.
[13] Bei Gong, Guiping Zheng, Muhammad Waqas, Shanshan Tu, and Sheng Chen. 2023. LCDMA: Lightweight cross-domain mutual identity authentication scheme for Internet of Things. IEEE Internet of Things Journal (2023).
[14] Sajid Hussain and Shehzad Ashraf Chaudhry. 2019. Comments on “biometrics-based privacy-preserving user authentication scheme for cloud-based industrial internet of things deployment”. IEEE Internet of Things Journal 6, 6 (2019), 10936–10940.
[15] Xuanang Li, Shuangshuang Liu, Saru Kumari, and Chien-Ming Chen. 2023. PSAP-WSN: a provably secure authentication protocol for 5G-based wireless sensor networks. CMES-Computer Modeling in Engineering & Sciences 135, 1 (2023), 711.
[16] Aryan Rana, Sunil Prajapat, Pankaj Kumar, Deepika Gautam, and Chien-Ming Chen. 2023. Designing a security framework based on hybrid communication in the Internet of Nano Things. IEEE Internet of Things Journal (2023).
[17] Suranga Seneviratne, Yining Hu, Tham Nguyen, Guohao Lan, Sara Khalifa, Kanchana Thilakarathna, Mahbub Hassan, and Aruna Seneviratne. 2017. A survey of wearable devices and challenges. IEEE Communications Surveys & Tutorials 19, 4 (2017), 2573–2620.
[18] Salman Shamshad, Khalid Mahmood, and Saru Kumari. 2020. Comments on “a multi-factor user authentication and key agreement protocol based on bilinear pairing for the internet of things”. Wireless Personal Communications 112, 1 (2020), 463–466.
[19] Garima Thakur, Pankaj Kumar, Chien-Ming Chen, Athanasios V Vasilakos, Sunil Prajapat, et al. 2023. A Robust Privacy-Preserving ECC-Based Three-Factor Authentication Scheme for Metaverse Environment. Computer Communications 211 (2023), 271–285.
[20] Shanshan Tu, Akhtar Badshah, Hisham Alasmary, and Muhammad Waqas. 2023. EAKE-WC: Efficient and Anonymous Authenticated Key Exchange Scheme for Wearable Computing. IEEE Transactions on Mobile Computing (2023).
[21] Libing Wu, Qianqian Sun, Xinpei Wang, Jing Wang, Shui Yu, Yifei Zou, Bingyi Liu, and Zike Zhu. 2019. An efficient privacy-preserving mutual authentication scheme for secure V2V communication in vehicular ad hoc network. IEEE Access 7 (2019), 55050–55063.
[22] Tsu-Yang Wu, Liyang Wang, and Chien-Ming Chen. 2023. Enhancing the Security: A Lightweight Authentication and Key Agreement Protocol for Smart Medical Services in the IoHT. Mathematics 11, 17 (2023), 3701.
[23] Qing Yang, Paolo Gasti, Gang Zhou, Aydin Farajidavar, and Kiran S Balagani. 2016. On inferring browsing activity on smartphones via USB power analysis side-channel. IEEE Transactions on Information Forensics and Security 12, 5 (2016), 1056–1066.
[24] Jun Zhou, Zhenfu Cao, Xiaolei Dong, and Xiaodong Lin. 2015. Security and privacy in cloud-assisted wireless wearable communications: Challenges, solutions, and future directions. IEEE Wireless Communications 22, 2 (2015), 136–144.
[25] Maryam Zia, Mohammad S. Obaidat, Khalid Mahmood, Salman Shamshad, Muhammad Asad Saleem, and Shehzad Ashraf Chaudhry. 2023. A Provably Secure Lightweight Key Agreement Protocol for Wireless Body Area Networks in Healthcare System. IEEE Transactions on Industrial Informatics 19, 2 (2023), 1683–1690.

Published In

ICEA '23: Proceedings of the 2023 International Conference on Intelligent Computing and Its Emerging Applications, December 2023, 175 pages. ISBN: 9798400709050. DOI: 10.1145/3659154.

Publisher: Association for Computing Machinery, New York, NY, United States.

Published: 26 December 2024

Author Tags: Authentication; Authentication Protocol; Masquerading Attack; Security Analysis

Qualifiers: Research-article

Funding Sources: Natural Science Foundation of Shandong Province, China

Conference: ICEA 2023