Cryptanalysis on Privacy-Aware Two-Factor Authentication Protocol for Wireless Sensor Networks

Das first proposed two-factor authentication combining a smart card and a password to resolve the security problems of wireless sensor networks (WSNs). After that, various researchers studied two-factor authentication suitable for WSNs. Alongside user authentication protocols based on the symmetric key approach, a number of elliptic curve cryptography (ECC)-based authentication protocols have been proposed. To resolve the security and efficiency problems of ECC-based two-factor authentication protocols, Jiang et al. proposed a privacy-aware two-factor authentication protocol based on ECC for WSNs. However, this paper performs a vulnerability analysis of Jiang et al.'s authentication protocol and shows that it has security problems, such as a lack of mutual authentication, a risk of SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity.

However, this paper analyzes Jiang et al.'s protocol and shows that it has security vulnerabilities, such as a lack of mutual authentication, a risk of SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity. The remainder of this paper is organized as follows. Section 2 explains Jiang et al.'s privacy-aware two-factor authentication protocol based on ECC for WSNs. Section 3 shows that Jiang et al.'s authentication protocol has the security vulnerabilities noted above. Section 4 concludes this paper.

Review of Jiang et al.'s Two-Factor Authentication Protocol
Jiang et al.'s protocol is based on ECC for WSNs. It consists of four phases: registration, login, authentication, and password change. Table 1 shows the notations used in this paper [2]. ECC provides better efficiency than Rivest, Shamir and Adleman (RSA), because it achieves the same security strength with a smaller key size. Specifically, 160-bit ECC and 1024-bit RSA have the same security strength [10,11]. The elliptic curve is written E_p(a,b), where a, b ∈ F_p and 4a^3 + 27b^2 ≠ 0 (mod p).

Registration Phase
Prior to starting Jiang et al.'s authentication protocol, GWN selects the finite cyclic additive group G generated by a point P of large prime order n over a finite field F_p on an elliptic curve. Then, GWN randomly chooses a number x as its private key, computes the corresponding public key y = xP, and generates two master secret keys K_GWN-U and K_GWN-S. GWN stores x and publishes the system parameters {E(F_p), G, P, y}. Figure 1 shows the user registration process. It is assumed that the communication channel between the participants is secure.
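The system-parameter setup just described (the nonsingularity condition on the curve, a base point P of order n, a private key x and the public key y = xP) as an added worked example in Python. This is not the paper's or Jiang et al.'s code. The curve E_23(1,1), the base point (0,1) and the private key x = 7 are constructed toy values chosen so the arithmetic can be checked by hand; a real GWN would use a standardised curve of the size the paper cites.

```python
# Toy elliptic-curve system setup for GWN (added example, not from the paper).
# p = 23 is far too small for real use; it only makes the group arithmetic visible.

INF = None  # point at infinity, the identity of the additive group G


def is_nonsingular(p, a, b):
    """The curve condition the paper states: 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a**3 + 27 * b**2) % p != 0


def on_curve(p, a, b, pt):
    """True if pt satisfies y^2 = x^3 + ax + b over F_p (INF is always on the curve)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0


def point_add(p, a, P, Q):
    """Group law on E_p(a,b) in affine coordinates."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:   # P = -Q (covers doubling a point with y = 0)
        return INF
    if P == Q:                             # tangent slope for doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                  # chord slope for distinct points
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def scalar_mult(p, a, k, P):
    """Double-and-add: returns kP."""
    R, Q = INF, P
    while k > 0:
        if k & 1:
            R = point_add(p, a, R, Q)
        Q = point_add(p, a, Q, Q)
        k >>= 1
    return R


def point_order(p, a, P):
    """Smallest n with nP = INF (brute force; fine only for a toy curve)."""
    n, Q = 1, P
    while Q is not INF:
        Q = point_add(p, a, Q, P)
        n += 1
    return n


def gwn_setup(p, a, b, P, x):
    """GWN side: keep private x, publish {E(F_p), G, P, y} with y = xP."""
    if not is_nonsingular(p, a, b) or not on_curve(p, a, b, P):
        raise ValueError("invalid curve parameters")
    n = point_order(p, a, P)          # order of the generator P
    y = scalar_mult(p, a, x, P)       # public key
    return {"p": p, "a": a, "b": b, "P": P, "n": n, "y": y}


if __name__ == "__main__":
    params = gwn_setup(23, 1, 1, (0, 1), 7)   # constructed toy values
    print(params)
```

With these values the base point (0,1) generates the whole group (n = 28) and the public key is 7P = (11, 3); the nonsingularity check rejects E_23(0,0), which is the kind of parameter validation a GWN should perform before publishing its parameters.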
(R1-U) When a user U_i registers with GWN, U_i selects his/her own identity ID_i and password PW_i and randomly chooses a number r_i. 16 integer, which determines the capacity of the pool of <ID_i, PW_i> pairs against offline password guessing attacks [12]. Then, U_i stores r_i and HPW'_i in the card. The sensor registration process is as follows: (R1-S) S_j presents its identity SID_j to GWN over a secure channel.

Login Phase
The following steps are performed in the system login phase. (L1) When U_i wants to access S_j, U_i inserts the smart card into a terminal and inputs i is not the same, the card rejects the request. Otherwise, it continues to compute

Authentication Phase
Subsequent to the login phase, the communicating parties (U_i, S_j, and GWN) mutually authenticate each other and establish a session key as follows. Figure 2 depicts these phases.
(A1) U_i selects a random number a ∈ Z*_{p-1} and calculates A_i = aP,

Cryptanalysis on Jiang et al.'s Two-Factor Authentication Protocol
This paper analyzes Jiang et al.'s authentication protocol and identifies several security vulnerabilities, including a lack of mutual authentication, a risk of SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity.

Lack of Mutual Authentication
Mutual authentication means that two or more parties authenticate each other, so that all parties (e.g., client/user, gateway, and sensors) are assured of the others' identity. In Jiang et al.'s protocol, the user and gateway authenticate each other using ID_i and TC_i, while the gateway and sensors authenticate each other using TC_j and C_GWN. However, mutual authentication between the user and sensors is not provided. The sensors can authenticate the user with the gateway's help, but the user cannot authenticate the sensors. Thus, the user cannot verify whether the sensor SID_j is legitimate.

Risk of SID Modification Attacks
The user receives {SID_j, TS_2, B_j, E_GWN} from GWN and checks the message's correctness and freshness. However, nothing in {SID_j, TS_2, B_j, E_GWN} indicates that SID_j has been authenticated by GWN, so an attacker can perform a SID modification attack. When the attacker modifies SID_j in {SID_j, TS_2, B_j, E_GWN} to SID_attacker, the user is unaware of the change. Therefore, the user mistakenly believes that SID_attacker is a legitimate sensor node and computes the session key SK_ij for secure communication with SID_attacker, even though the attacker cannot know SK_ij. Moreover, when SID_j requests communication, the user cannot know whether SID_j is an authenticated sensor node, so they cannot communicate with each other.
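The integrity gap described above, as an added example in Python (not the paper's or Jiang et al.'s code): a reply whose authenticator does not cover SID_j next to a hardened variant in which SID_j is an input to the authenticator. The paper states only that nothing in {SID_j, TS_2, B_j, E_GWN} ties SID_j to GWN's authentication; how E_GWN is actually computed in the protocol is abstracted here as an HMAC under a key k_ui shared by U_i and GWN, which is an assumption, and all field values are constructed.

```python
import hashlib
import hmac

# Added example modelling the SID_j binding problem; not the paper's construction.
# k_ui (a key shared by U_i and GWN) and the HMAC-based authenticator are assumptions
# standing in for the protocol's actual E_GWN computation.

def tag(key, *fields):
    """Authenticator over the given fields (HMAC-SHA256, field-separated)."""
    return hmac.new(key, b"|".join(fields), hashlib.sha256).digest()


def gwn_reply_unbound(key, sid_j, ts2, b_j):
    """Reply whose authenticator leaves SID_j uncovered (models the paper's finding)."""
    return {"SID_j": sid_j, "TS_2": ts2, "B_j": b_j, "E_GWN": tag(key, ts2, b_j)}


def user_verify_unbound(key, msg):
    """U_i's check when SID_j is not an input to E_GWN."""
    return hmac.compare_digest(msg["E_GWN"], tag(key, msg["TS_2"], msg["B_j"]))


def gwn_reply_bound(key, sid_j, ts2, b_j):
    """Hardened variant: SID_j is bound into the authenticator."""
    return {"SID_j": sid_j, "TS_2": ts2, "B_j": b_j,
            "E_GWN": tag(key, sid_j, ts2, b_j)}


def user_verify_bound(key, msg):
    """U_i's check when SID_j is covered by E_GWN."""
    return hmac.compare_digest(
        msg["E_GWN"], tag(key, msg["SID_j"], msg["TS_2"], msg["B_j"]))


def compare_designs():
    """Run both designs against an unmodified reply and one whose SID_j was altered in transit."""
    key = b"constructed-k_ui-shared-by-U_i-and-GWN"
    sid, ts2, b_j = b"SID_j=sensor-42", b"1700000000", b"constructed-B_j"
    altered = b"SID_j=other-node"          # constructed: SID_j changed in transit
    m1 = gwn_reply_unbound(key, sid, ts2, b_j)
    m2 = gwn_reply_bound(key, sid, ts2, b_j)
    return {
        "unbound_original": user_verify_unbound(key, m1),
        "unbound_modified": user_verify_unbound(key, dict(m1, SID_j=altered)),  # True: undetected
        "bound_original": user_verify_bound(key, m2),
        "bound_modified": user_verify_bound(key, dict(m2, SID_j=altered)),      # False: detected
    }


if __name__ == "__main__":
    print(compare_designs())
```

The unbound design accepts the altered reply because SID_j never enters the authenticator; the bound design rejects it. Binding every field the receiver will act on into the authenticator is the general rule this section illustrates.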

Lack of Sensor Anonymity
Anonymity is a desirable security feature: it hides the identities of the user and sensors during identification and key agreement in the login and authentication phases. Thus, Jiang et al.'s authentication protocol provides the user's dynamic identification DID_i to protect the user's anonymity. Moreover, this protocol uses DID_GWN to protect the gateway node's identification. However, Jiang et al.'s authentication protocol does not provide anonymity for the sensor node. Therefore, an attacker can know which sensor node is communicating with users. In addition, the attacker can abuse the sensor node's identification, because SID_j can easily be learned by the attacker. Therefore, the anonymity of sensor nodes needs to be provided.

First, S_j checks the freshness of TS_2. Then, if TS_2 is valid, S_j computes ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2) and checks whether H(ID_i || TC_j || A_i || TS_2) and the received C_GWN are equal.

DoS Attack
A DoS attack is an attempt to make a machine or network resource unavailable so that regular users cannot use the system's resources. Although the methods, motives, and targets of DoS attacks may vary, they generally involve efforts to temporarily or indefinitely interrupt or suspend the services of a host connected to the Internet. In Jiang et al.'s authentication protocol, sensor nodes can verify the freshness of a message using TS_2. Therefore, when an attacker sends a previous message to the sensor node, the sensor node can tell whether it is a current message or a previous one. However, after an attacker obtains the previous message {TS_2, DID_i, DID_GWN, C_GWN, A_i}, the attacker can resend the message with only TS_2 changed to the current timestamp. To check the legitimacy of this message, the sensor node must execute various computations, namely the hash function (twice), the verification function (twice), and timestamp checking (once). The sensor node has limited battery power and computational ability, so it is possible that a sensor node cannot perform its normal functions when an attacker executes a DoS attack on it.

Weak ID Anonymity
In Jiang et al.'s authentication protocol, the user maintains ID anonymity using DID_i. An attacker cannot compute ID_i from DID_i, because the attacker does not know H(A_i || D_i). However, ID_i can be exposed through sensor nodes captured by the attacker. The sensor nodes are scattered in various places, so the attacker can find them and compromise them, obtaining the secrets they hold. Therefore, the attacker can compute the user's identity as ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2), because the sensor nodes know TC_j, which is shared in the sensor registration phase. Hence, the attacker can obtain ID_i after capturing a sensor node, and the anonymity of this protocol is not strong.
IJEECS ISSN: 2502-4752
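The sensor-side check quoted in the sensor anonymity section (freshness of TS_2, then ID_i = DID_GWN ⊕ H(DID_i || TC_j || TS_2) and the C_GWN comparison), the DoS cost argument and the weak ID anonymity finding share one computation, so they are illustrated together in one added Python example that is not the paper's or Jiang et al.'s code. The two hash equations are the paper's; the byte encoding of "||", SHA-256 as H, the freshness window, and the values of ID_i, DID_i, A_i and TC_j are constructed assumptions. The example counts the work S_j spends before rejecting a replay whose TS_2 was refreshed, and shows that holding TC_j alone is enough to unmask ID_i from a captured message.

```python
import hashlib

# Added example: S_j's verification step reconstructed from the paper's two equations.
# H = SHA-256 over "|"-joined fields, the 60 s freshness window and all field values
# are assumptions/constructed; the paper does not specify them.

def H(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()


def xor(a, b):
    """XOR truncated to the shorter input, so the mask H(...) covers ID_i byte for byte."""
    return bytes(x ^ y for x, y in zip(a, b))


class WorkCounter:
    """Counts hash evaluations and comparisons S_j performs before a decision."""
    def __init__(self):
        self.hashes = 0
        self.compares = 0


def gwn_build_message(id_i, did_i, tc_j, a_i, ts2):
    """GWN side: DID_GWN masks ID_i under TC_j; C_GWN authenticates the result."""
    did_gwn = xor(id_i, H(did_i, tc_j, ts2))
    c_gwn = H(id_i, tc_j, a_i, ts2)
    return {"TS_2": ts2, "DID_i": did_i, "DID_GWN": did_gwn, "C_GWN": c_gwn, "A_i": a_i}


def sensor_verify(msg, tc_j, now, window, wc):
    """S_j: freshness check on TS_2, then recover ID_i and check C_GWN. Returns ID_i or None."""
    wc.compares += 1
    if abs(now - int.from_bytes(msg["TS_2"], "big")) > window:
        return None                                   # stale: rejected cheaply
    wc.hashes += 1
    id_i = xor(msg["DID_GWN"], H(msg["DID_i"], tc_j, msg["TS_2"]))
    wc.hashes += 1
    wc.compares += 1
    if H(id_i, tc_j, msg["A_i"], msg["TS_2"]) != msg["C_GWN"]:
        return None                                   # forged: rejected only after two hashes
    return id_i


def unmask_id(msg, tc_j):
    """Whoever holds TC_j (here: a captured S_j) recovers ID_i from a captured message."""
    return xor(msg["DID_GWN"], H(msg["DID_i"], tc_j, msg["TS_2"]))


def run_scenarios():
    id_i = b"user-0001"                                   # constructed
    tc_j = b"constructed-TC_j-shared-at-registration"     # constructed
    did_i, a_i = b"constructed-DID_i", b"constructed-A_i"
    ts2, window = 1_700_000_000, 60
    msg = gwn_build_message(id_i, did_i, tc_j, a_i, ts2.to_bytes(8, "big"))

    fresh = WorkCounter()                                 # genuine, timely message
    accepted = sensor_verify(msg, tc_j, ts2 + 1, window, fresh)

    stale = WorkCounter()                                 # unchanged replay an hour later
    replay_old = sensor_verify(msg, tc_j, ts2 + 3600, window, stale)

    refreshed = WorkCounter()                             # same replay with TS_2 rewritten to "now"
    forged = dict(msg, TS_2=(ts2 + 3600).to_bytes(8, "big"))
    replay_new = sensor_verify(forged, tc_j, ts2 + 3601, window, refreshed)

    return {
        "accepted": accepted,
        "stale_rejected": replay_old is None, "stale_hashes": stale.hashes,
        "refreshed_rejected": replay_new is None, "refreshed_hashes": refreshed.hashes,
        "unmasked": unmask_id(msg, tc_j),
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The stale replay costs S_j one timestamp comparison, but the replay with a refreshed TS_2 passes the freshness check and forces both hash evaluations before the C_GWN mismatch rejects it, which is the per-message cost the DoS argument relies on. The unmasking step needs nothing beyond TC_j and the captured fields, so the user's ID anonymity is only as strong as the physical security of every sensor holding TC_j.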

Conclusion
Jiang et al. proposed a privacy-aware two-factor authentication protocol using ECC for WSNs. They claim that their protocol achieves the security and usability features necessary for real-life application environments while maintaining acceptable efficiency. However, this paper analyzed Jiang et al.'s protocol and showed that it has security vulnerabilities, such as a lack of mutual authentication, a risk of SID modification and DoS attacks, a lack of sensor anonymity, and weak ID anonymity. To address these vulnerabilities, a security-enhanced privacy-aware two-factor authentication protocol using ECC for WSNs needs to be proposed.