Impersonation attack. In this attack, assume that Xxx tries to impersonate as a legal meter to the NAN gateway. To do that, Xxx randomly picks uSMeve and computes ASMeve using uSMeve P and fabricates a false BSMeve . Eve then computes own messages, i.e., L1eve = H(SMIDeve NID ASMeve BSMeve T 1eve) and Y 1eve = MACL1eve [SMIDeve , T 1eve, ASMeve ] and sends αeve, Q1, ASMeve , Y 1eve, φeve, T 1eve to the NAN gate- way. However, the NAN gateway cannot obtained the real identity of the meter since it is encrypted in Q1 = ESTj [SMIDj , NID, T 1] therefore Xxx’s fake identity can- forward secrecy(MFS). Here, PFS defines that if a compromise of long-term private key of either the legitimate parties (e.g., a SM or NAN gateway) should not be compromising secrecy of the previously established sessions. Whereas, MFS satisfies || || || || – whenever the master key of a legitimate entity is being compromised then the protocol should hold the security of session key. The proposed LAKA therefore holds both PFS and MFS properties. For instance, assume that if the long- term secret keys (e.g., (STj, SMprj, Mk) of meter and NAN are exposed to Eve. However Xxx still cannot determine the previous session keys because each previous session between the meter and XXX is computed independently and fresh i.e., (SK = H(SMIDj NID ASMj CN WSMj ))) that includes · · · ASMj (= uSMj P ), CN (=vN P ) and WSMj (=uSMj CN ). Here uSMj and vN are random numbers of the meter and NAN, respectively. In addition, with the fact of the ECDLP hardness, Xxx cannot determine the real value of uSM and vN , which are random numbers. Therefore, the proposed scheme holds FS.
Impersonation attack. Impersonation attack means that illegal users impersonate legal ones and pass the authentication process with the stolen authenticated message to enter the system. In the proposed group authenticated key agreement mechanism, the attacker can not obtain the authenticated message of KGSi because KGSi is encrypted. Without KGSi , the attacker can not impersonate Ui or GWN. Therefore, PL-GAKA can defend impersonation attacks.
Impersonation attack. To successfully perform this attack and forge IoT devices, the adversary needs to duplicate messages = ℎ( ∥ ∥ ∥ 1) and = ℎ( ∥ ∥ 2) to be certified by the shared protocol. An adversary can never generate a valid message to forge an authorized device in the network because it does not have access to private key and original . Our proposed protocol is able to withstand impersonation attack.
Impersonation attack. Motivation of impersonation attacks is to take place any of B-GKAP entity during the protocol execution. To do that, an attacker needs to be able to generate the signature of an entity. Since our models are based on [11], we also utilize Xxxxxxx signature scheme [54] for outputs of B-GKAP functions. As stated in [55] and [56], Xxxxxxx is secure against impersonation and related key attacks, respectively.
Impersonation attack. In ZSM-2 protocol, they did not consider about the existence of malicious participants. Also, their batch verification only executes if the message is correctly generated with secret value r, not if the message is sent by correct user. Therefore, the malicious insider who knows the secret value r can impersonate the other users, that is, impersonation attack by the insider will happen. The following is an attack on the protocol that the legitimated user Uk impersonates the user Xx. = < H2(r||L)xxX, kiPpub + H2(r||L)Si > || · Σ Σ
Impersonation attack. In this type of attack, the attacker impersonates as a legitimate client and forges the authentication messages using the information obtained from the authentication protocol. The attacker can attempt to modify a login request message (IDi*, C2, T) into (IDi*, C2*, T*) so as to succeed in the authentication phase, where T* is the attacker’s current date and time. However, such a modification will fail in Step 1 of the authentication phase because the attacker has no way of obtaining the value of C1 = H (IDi* | TTSA | x) to compute the valid parameter C2*. Moreover, the attacker can not compute the agreed session key SK = H (C1 | H (TTSA) | T) between the user Ui and the server S. Therefore, the proposed protocol is secure against impersonation attack.
Impersonation attack. It means that attackers imper- sonate one of the protocol participants to another partici- pant and finally, share a session key with the participant. In the authentication phase of Xxxxxxx et al.’s scheme, an adversary E is capable of impersonating utility control UCj to deceive the smart meter SMi. p ij The adversary could capture the message {M1, Z} sent to UCj, randomly pick up a number b∗ from Z∗, and success- fully execute the protocol with SMi. Finally, the adversary establishes a session key K∗ with SMi. The detailed process is illustrated below. • After XXx performs some related calculation and sends {M1, Z} to UCj , the adversary E intercepts it. • Then, E randomly selects b∗ ∈ Z∗ and computes K∗ = p ij * Corresponding author (email: xxxx0@xxxx.xxxxxx.xxx.xx) Ⓧc Science China Press and Springer-Verlag GmbH Germany, part of Springer Nature 2021 xxxx.xxxxxxxx.xxx xxxx.xxxxxxxx.xxx Table 1 Comparison of security attributes with related schemes Scheme A1 A2 A3 A4 A5 A6 A7 [1] × √ × × × × √ [2] √ √ √ × × × × [5] √ × × × √ √ × Ours √ √ √ √ √ √ √ ∗ ∗ H2(Zb ) = H2(e(P, P )ab ). Afterwards, attacker E com-
Impersonation attack. If A can obtain the information {Ai ,< IDS j , Eij >, ei , fi ,τ i , h(⋅)} stored in the smart card and the information msg1= {IDS , IDjk ,Cij , M1, M 2} ,msg2= j j {IDS , IDjk ,Cij , M3 , M 4 , M5 , M 6} ,msg3= {IDjk , M 7 , M8} ;in public channel. A (other medical servers, physician servers and malicious-legitimate patients) cannot get the secret information Dij only shared between Ui and
