Common use of Security strength Clause in Contracts

Security strength. We here explain that the scheme satisfies the requirements mentioned in Section 3, together with resistance against the most important attacks. – Confidentiality. In order to construct the session key, the hash function H1 should be evaluated, which requires knowledge of either the secret key DKi or the key DKm. The key DKi is only known by TTP and device, while the second DKm by TTP and MEC. – Mutual authentication. The session key is built using random values derived by device, MEC and TTP. Both MEC and IoT are ensured on the authentication when the calculated value d3 matches with the received one, because only the TTP is able to construct this legitimate construction. Also the TTP is ensured about the identities of the device and MEC, because only the legitimate entities are able to make a valid request. As a consequence, attacks exploiting the authentication like impersonation and man-in-the-middle attacks can not be applied. Since the random values are unique and the identities/keys are updated in each round, replay attacks are also infeasible. – Unlinkability. In order to reveal the relation between the different dynamic identities, the attacker should be able to evaluate the hash function H1 and thus know DKi or DKm. Consequently, only the TTP, which has a table storing the secret key material of the devices and MEC nodes, is able to make the link between different requests. – Forward privacy. If the IoT device is captured and the attacker is able to reveal the security material (▇▇▇▇, DKi), then the previous session keys cannot be computed, neither a link with previously sent requests can be made, due to the one-way property of the hash function. The same holds for the MEC. – Session state specific information attack. The session specific information in our system is limited to R1, R2, R3. The first two variables are sent in public in any case and do not directly support to the underlying security. The knowledge of the last value is also not critical for the security of the scheme, even for inside attackers like MEC node and device, since the session key still involves ci , cm,

Security strength. We here explain that the scheme satisfies the requirements mentioned in Section 3, together with resistance against the most important attacks. – Confidentiality. In order to construct the session key, the hash function H1 should be evaluated, which requires knowledge of either the secret key DKi or the key DKm. The key DKi is only known by TTP and device, while the second DKm by TTP and MEC. – Mutual authentication. The session key is built using random values derived by device, MEC and TTP. Both MEC and IoT are ensured on the authentication when the calculated value d3 matches with the received one, because only the TTP is able to construct this legitimate construction. Also the TTP is ensured about the identities of the device and MEC, because only the legitimate entities are able to make a valid request. As a consequence, attacks exploiting the authentication like impersonation and man-in-the-middle attacks can not be applied. Since the random values are unique and the identities/keys are updated in each round, replay attacks are also infeasible. – Unlinkability. In order to reveal the relation between the different dynamic identities, the attacker should be able to evaluate the hash function H1 and thus know DKi or DKm. Consequently, only the TTP, which has a table storing the secret key material of the devices and MEC nodes, is able to make the link between different requests. – Forward privacy. If the IoT device is captured and the attacker is able to reveal the security material (▇▇▇▇DIDi, DKi), then the previous session keys cannot be computed, neither a link with previously sent requests can be made, due to the one-way property of the hash function. The same holds for the MEC. – Session state specific information attack. The session specific information in our system is limited to R1, R2, R3. The first two variables are sent in public in any case and do not directly support to the underlying security. The knowledge of the last value is also not critical for the security of the scheme, even for inside attackers like MEC node and device, since the session key still involves ci , cm,