Elsevier

Computer Communications

Volume 165, 1 January 2021, Pages 85-96
A secure and lightweight authentication scheme for next generation IoT infrastructure

https://doi.org/10.1016/j.comcom.2020.11.002

Abstract

While the 6G/IoT transition is on the cards, its real advantage can be realized only if user privacy and security are guaranteed. Smartcard and password based authentication protocols can help the transition proceed rapidly. However, due to insecurities and/or heavy computation, many such protocols cannot cope with the dynamic requirements of future generation networks. Recently, Kaul and Awasthi presented a robust and secure user authentication protocol based on resource friendly symmetric cryptography primitives. They declared that their protocol is convenient, efficient, and secure for real-world applications. In contrast, this article shows that the protocol of Kaul and Awasthi is not secure, because an attacker can easily find the identity of a legal user that is being sent on the public channel. Further, by using the identity of a legitimate user, an attacker can impersonate a legitimate user of the system and enjoy the services given by the server. So, their protocol is susceptible to user impersonation attacks, and their claim of being secure is proven to be wrong. Therefore, we have extended their work and presented an upgraded scheme that ensures secure communication over the entire channel. Moreover, our proposed scheme is safe not only against the user impersonation attack but also against major security attacks, with reasonable communication, computation, and storage costs, and is a better candidate for deployment in 6G/IoT networks.

Introduction

The 6G and Internet of Things (6G/IoT) are proposed to replace the existing communication infrastructure to provide endless connectivity. With an estimate of over fifty billion IoT devices by the end of the year 2020, the need for security and privacy for users is growing. Users can benefit from on-demand infrastructure access in the 6G/IoT revolution. However, the revolution comes with additional threats compared with the existing infrastructure, and the real benefit can only be realized after ensuring the security and privacy of the user. In smart card based distant user authentication, a legal user and a remote server authenticate each other over a transmission medium that is not secure. The purpose of this mechanism is to provide on-demand resources to legitimate service seekers remotely.

In 1981, Lamport [1] was the pioneer in introducing a remote user authentication scheme over an insecure communication medium. This scheme was based on verification tables and passwords. Later on, it was found that dependence on verification tables is inadequate for the safety needs of today’s digital world. To guarantee secure transmission, authentication protocols based on the smart card were presented by Hwang and Li [2] and Chang and Wu [3], in 2001 respectively. From the user’s point of view, efficiency and security are the important parameters of an authentication protocol. With this view in mind, many distant user authentication schemes [4], [5], [6], [7], [8], [9], [10] were presented.

Das et al. [11], in 2004, introduced the idea of a pseudo ID based distant user authentication protocol utilizing the smart card. Still, this scheme was not practical because it was vulnerable to numerous security attacks. Afterward, Liao et al. [12] extended the previous work and introduced a mechanism of mutual authentication with enhanced security features. However, in 2006, Yoon and Yoo [13] demonstrated various security flaws in Liao et al.’s [12] scheme. Thus, Wang et al. [14], in 2009, also introduced an improved version of Das et al.’s [11] scheme with an enhancement of password authentication, which retains the major features of the original scheme and resists its weaknesses.

After that, Wen and Li [15], in 2012, found that Wang et al.’s protocol [14] does not resist user and server impersonation attacks. Moreover, the user’s secret credentials can be leaked through an offline password guessing attack, and an insider, by using smart card parameters, can access all the secret factors of the legal user. Further, Chang et al. [16], in 2014, determined that Wang et al.’s [14] pseudo ID based scheme is insecure because the ID of a user is submitted in plaintext during the login phase. Besides, without any crucial verification, the adversary can replace the user’s password with a new password. Then, Chang et al. [16] introduced a pseudo ID based authentication protocol with the enhancement of an authoritative password update.

Lately, Kumari et al. [17] described that Chang et al.’s [16] protocol is vulnerable to impersonation, offline password guessing, insider, and server masquerading attacks. Moreover, they highlighted the loopholes present in the password change phase. Further, the protocol of [16] does not maintain a session key agreement for future communication. Consequently, Kumari et al. [17] presented a modified scheme for distant user authentication along with the key acknowledgment to reduce the stated security vulnerabilities, and they declared that their protocol is more protected, efficient, and suitable for real-life applications. Chaudhry et al. [18] also explained the design faults of some previous schemes and proposed some measures for avoiding them. Hussain et al. [19] also proposed some design measures for authentication schemes built using only symmetric key functions. Some other relevant schemes were presented by various researchers [20], [21], [22], [23], [24], [25], [26]. Chen et al. also explained some of the attacks on password based schemes [27]. However, due to the usage of public key based operations, some of these schemes cannot be used in resource sensitive applications.

Recently, Kaul and Awasthi [28] highlighted that Kumari et al.’s [17] proposed protocol is still vulnerable, as an attacker can easily get secure parameters of the scheme. The attacker can also obtain the session key, which is exchanged between the server and the user for future communication. In addition, the adversary can obtain the password of a legitimate user and the server’s private key. Due to this, the entire system collapses. Hence, Kaul and Awasthi [28] introduced a modified and efficient authentication scheme to get rid of the stated security weaknesses in [17].

Our paper highlights that Kaul and Awasthi’s [28] scheme is susceptible to user masquerading attacks. An attacker can masquerade as a legitimate user and can steal secret parameters of the legitimate user. Thus, we have presented an improved and more secure distant user authentication protocol to resist numerous security weaknesses.

The remaining paper is divided into eight sections, as follows. Preliminaries are presented in Section 2. Kaul and Awasthi’s [28] user authentication scheme is reviewed in Section 3. Section 4 presents the cryptanalysis of Kaul and Awasthi’s [28] scheme. The proposed scheme is described in Section 5. Formal and informal security analysis of our enhanced protocol is described in Section 6. Section 7 evaluates security and performance comparison. Finally, Section 8 concludes the paper.

Preliminaries

This section explains basic notions, including the adversarial model, the symbols used, the non-collisional hash function, and elliptic curve cryptography. The symbols used in this article are listed in Table 1.

Review of Kaul and Awasthi’s scheme

In this section, we comprehensively review the distant user authenticated key agreement protocol presented by Kaul and Awasthi [28]. Their scheme has four stages: registration, login, authentication, and password change.

Cryptanalysis of Kaul and Awasthi’s scheme

This section performs cryptanalysis of Kaul and Awasthi’s scheme that is shown in Fig. 3.

Proposed scheme

To remove the security issues in the protocol of Kaul and Awasthi [28], in this section we present an enhanced distant user authentication protocol with SK agreement, which keeps all the basic characteristics of Kaul and Awasthi’s [28] scheme. Moreover, our scheme resolves all the security problems to make the protocol secure and effective for real-world applications. Similar to Kaul and Awasthi’s [28] scheme, our presented scheme consists of four main phases: the registration phase,

Security analysis

This section presents the security analysis of the introduced scheme. Both formal and informal analyses are discussed in detail.

Performance and security comparisons

This section presents the complete security and performance analysis of the enhanced protocol and provides a comparison with other related protocols. To validate the performance of the presented protocol, the inbuilt PyCrypto library is used to implement the cryptographic operations (that are used in our proposed scheme) on Ubuntu 19.04, using the Python programming language, with system specifications as mentioned in Table 2.

To obtain average time, the enhanced protocol is executed various

Conclusion

In this article, we have cryptanalyzed a distant user authenticated key agreement protocol by Kaul and Awasthi and demonstrated that their protocol is not secure for real-life applications. An attacker can masquerade as a legal user by easily getting the identity of the legal user, which is being sent on the public channel in plaintext, and can take benefit of services provided by the server on behalf of the legal user (victim). So, their claim of being secure is not valid as

CRediT authorship contribution statement

Minahil Rana: Writing - original draft, Conceptualization, Investigation, Methodology, Formal analysis. Akasha Shafiq: Writing - original draft, Investigation, Methodology, Formal analysis. Izwa Altaf: Writing - original draft, Investigation, Methodology, Formal analysis. Mamoun Alazab: Conceptualization, Writing - review & editing, Investigation, Methodology, Formal analysis, Resources. Khalid Mahmood: Writing - original draft, Conceptualization, Writing - review & editing, Investigation,

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

References (39)

  • Chang C.-C. et al. Remote password authentication with smart cards. IEE Proc. E (Comput. Digit. Tech.) (1991)
  • Zhang Z. et al. A secure authentication scheme with anonymity for session initiation protocol using elliptic curve cryptography. Multimedia Tools Appl. (2015)
  • Aman M. et al. Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet Things J. (2017)
  • Irshad A. et al. Cryptanalysis and improvement of a multi-server authenticated key agreement by Chen and Lee’s scheme. Inf. Technol. Control (2018)
  • Irshad A. et al. A provably secure and efficient authenticated key agreement scheme for Energy Internet based Vehicle-to-Grid technology framework. IEEE Trans. Ind. Appl. (2020)
  • Chaudhry S.A. et al. A secure and reliable device access control scheme for IoT based sensor cloud systems. IEEE Access (2020)
  • Das M.L. et al. A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. (2004)
  • Liao I.-E. et al. Security enhancement for a dynamic ID-based remote user authentication scheme
  • Yoon E.-J. et al. Improving the dynamic ID-based remote mutual authentication scheme
