Formal Security Analysis. We now show that our key agreement scheme offers session key security under the CK adversary model [3,21] and in the random oracle model, following the method of [10,11,22]. The participants U in our scheme are the SM, SP, TTP or a random oracle O, i.e., U = {SM, SP, TTP, O}. Taking into account the CK adversary model, we assume that the attacker can run the following queries. • Hash queries Hi(m) with i ∈ {0, 1, 2, 3, 4, 5}. If m already exists in the list LHi , the value Hi(m) will be returned. Otherwise, a random value will be generated, added to the list LHi , and returned. • Send queries. These queries simulate active attacks, in which the adversary is able to modify the transmitted messages. As a result, a corresponding reply will be generated. Since there are three communication passes, four different Send queries need to be defined. – Send(0,SP). A random value r2 is chosen to compute R2 = r2P. The output of the query is M0 = {R2}. – Send(M0,SM). A random value r1 is chosen to compute R1 = (r1 + dA)P. Next, K = H1((r1 + dA)PB) is determined, together with C = EK(IDAǁcertA). Then, h1 = H2(IDAǁIDBǁR1 ǁR2ǁPAǁPB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPA) are computed to derive SK = H3((( r1 + dA)h1 + dA)(h2R2 +PB)). Finally, S1 = H4(R1ǁ CǁPAǁSK) is computed. The message M1 = {R1, C, S1} is returned. – Send(M1,SP). First, K = H1(dB R1) is determined, leading to IDAǁcertA = DK(C). Then, PA = H0(certAǁIDA)certA + PTTP is derived. Next, h1 = H2(IDAǁIDBǁR1ǁR2ǁPAǁPB) and h2 = H2(IDBǁIDAǁR2ǁR1ǁPBǁPA) are computed, to find SK = H3((r2h2 + dB)(h1R1 + PA)) and check H4(R1ǁCǁPAǁSK) against S1. If the verification is unsuccessful, the session can stop, otherwise S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSK) is computed and M2 = {S2} is the output of the query. – Send(M2,SP). If S2 = H5(IDAǁIDBǁR1ǁR2ǁPAǁPBǁSK) is not valid, then the session is terminated. Otherwise, both SP and SM have successfully negotiated a common secret key SK. • Execute queries. These queries simulate the passive attacks, in which the adversary can only eavesdrop onto the channel and is able to collect the transmitted messages. We can distinguish three different execute queries resulting from the first three Send queries, as defined above. • Session specific state reveal queries (SSReveal). According to the CK adversary model, the attacker is able to retrieve session specific state information, derived by the SM and the SP, respectively. Note that no long-term private keys are revealed in this query. – SSReveal(SM)...
Formal Security Analysis. We choose to use Xxxxx-logic [38] to perform the verification of the protocol, which is a non-monotonic logic based verification method for cryptographic protocols. It has been successfully used in several protocols to verify the security claims [27][17][12] and is in particular practical as it is close to real implementation.
Formal Security Analysis. In this analysis, we conduct a formal security analysis to show that the proposed scheme is secure. First, we describe the scheme in algorithmic language. As described in the algorithm, the sensor initiates the authentication scheme. It generates a random nonce N, computes an h(MSIdi, Xxx, N), and sends to the remote user R a message composed of [MSIdi, N, h(MSIdi, Idi, N)]. The remote user receives the message. It verifies the integrity of the message by computing the hash of the message. Then, it compares with the received hash. If the check is successful, it generates a random nonce M, else it sends an authentication failure message F1 to the sensor node SN. ⊕ The remote user checks the sensor location. If the sensor node SN is not in the same covered area as the remote user, then it computes a h(Idi, N, M), and sends to the gateway node G a message composed of [MSIdi, N, M, h(Xxx, N, M)]. Upon receiving the message by the gateway node, it verifies the integrity of the message by computing the hash of the message. Then, it compares with the received hash. If the check is successful, the gateway node generates a random nonce S, computes T = N S, computes h(Xxx, M, S), and sends to the remote user a message composed of [N, M, T, h(Xxx, M, S)]. In the case of a unsuccessful check, the gateway node sends an authentication failure message F2 to the remote user.
Formal Security Analysis. This section covers the formal security analysis of proposed scheme under Xxxxxxx-Xxxxx-Xxxxxxx (BAN) logic [46] , while, this model analyzes the security based on mutual authentication, key distribution, and the strength against session key disclosure. In this logic analysis, Principals are such agents that are involved in a protocol, while Keys are to be used for symmetric message encryption. Few notations that have been used in the BAN security analysis are given as follows: P |≡ X: The principal P believes X, or alternatively, X believes the statement X. P 𝝰 X: P sees X. P receives some message X and may read or repeat it in any message. P| ~ X: P once said X. Earlier in time; P had sent some message X and P believed that message. : P has got jurisdiction over X; or P has authority over X and could be trusted.
Formal Security Analysis. Theorem 5.1: Let U2L be an event that 𝒜 could control GA procedure between OBU and LE shown in Figure 7. Let D be a password dictionary and |D| denotes its size. Let |Hash| be the capacity of the hash function, which is of 2𝑙, where l is the bit length of hash values. Let 𝒜 runs against general authentication procedure of our scheme by performing 𝑞𝑒𝑥𝑒 (execute), 𝑞𝑠𝑒𝑛𝑑 (send) and 𝑞ℎ𝑎𝑠ℎ (hash) queries. Then, ( 𝐴𝑑𝑣𝑎𝑘𝑒(𝒜) = 𝑞ℎ𝑎𝑠ℎ2 + 2𝑞 ∗ 𝑚𝑎𝑥 1 , 𝜀) (1) 𝑈2𝐿 |𝐻𝑎𝑠ℎ| 𝑠𝑒𝑛𝑑 |𝐷|
Formal Security Analysis. Compared to the num- ber of cryptographic protocols proposed in the lit- erature, security of very few of them have been proved under a formal model. In this work, apart from informal analysis of protocol goals, we pro- vide the security guarantee of the protocols under provable security model.
