Abstract

As an important application of the Internet of Things, the smart home has greatly facilitated our life. Since the communication channels of a smart home are insecure and the transmitted data are usually sensitive, a secure and anonymous user authentication scheme is required. Numerous attempts have been made to design such authentication schemes. Recently, Shuai et al. (Computers & Security 86 (2019): 132-146) designed an anonymous authentication scheme for smart home using elliptic curve cryptography. They claimed that the proposed scheme is secure against various attacks and provides ideal attributes. However, we show that their scheme cannot resist inside attack and offline dictionary attack and also fails to achieve forward secrecy. Furthermore, we give some suggestions to enhance the security of the scheme. These suggestions also apply to other user authentication schemes with similar flaws.

1. Introduction

Smart home is a new paradigm of the Internet of Things, which can greatly facilitate our life; thus, it attracts much attention. In smart home environments, the smart devices can communicate and cooperate with each other to provide comprehensive services for users. However, the conversations between the users and the smart devices are carried out over an insecure open channel. The adversary can eavesdrop on the sensitive data transmitted over the insecure channel. Therefore, it is important to provide a security mechanism to secure the conversations. Multifactor user authentication [1, 2] is one of the important ways to verify the authenticity of a user. In a multifactor user authentication scheme for the smart home environment, there are usually four participants: a set of users, the registration center, the gateways, and the sensor nodes. The user owns her personal secret information, such as a password and a smart device. All participants are required to register with the registration center. When a user wants to access real-time data stored on a sensor node, she can initiate an access request. Then, the gateway and the sensor node will verify the user. If the user is valid, a session key will be established to encrypt the subsequent conversations. In such schemes, the adversary is usually assumed to be able to [3] (1) control the open channel, that is, she can intercept, modify, and eavesdrop on the messages in the open channel; (2) enumerate all the items in the space of passwords and identities; (3) compromise factor(s) of a -factor authentication scheme; (4) acquire the long-term secret key when assessing forward secrecy; (5) compromise some of the sensor nodes; (6) obtain previous session keys; and (7) register as a legitimate participant.

Recently, numerous user authentication schemes have been proposed [4-7]. Most recently, Shuai et al. [8] designed a new anonymous authentication scheme for a smart home environment. They employ elliptic curve cryptography to authenticate the users with resistance to offline dictionary attack and generate a pseudoidentity to provide user anonymity. However, some subtleties are overlooked, which results in vulnerability to various attacks. In this paper, we demonstrate that their scheme cannot resist offline dictionary attack and inside attack and fails to achieve forward secrecy. Besides, we also discuss the causes of and countermeasures for these security flaws. The countermeasures we propose can also be applied to other authentication schemes with similar problems.

2. Review of Shuai et al.’s Scheme

In this section, we briefly review Shuai et al.’s scheme. The notations and abbreviations are shown in Table 1. Firstly, the registration authority chooses an elliptic curve and an additive group of with order and generator . Next, generates a pair of private/public key , where and , a long-term secret key and a hash function . Note that and will be stored in , and will be published to all participants.

2.1. User Registration Phase

Step 1. , where and is a random nonce.

Step 2. .

RA first checks the availability of and computes . Finally, generates where is initialized to 0.

Step 3. computes , and stores into the mobile device.

2.2. The Smart Device Registration Phase

Step 1. .

Step 2. . RA checks the validity of and computes .

Step 3. stores .

2.3. Login and Authentication Phase

Step 1. .

provides and , and then, the mobile device computes , . . If , the mobile device rejects the request and sets to . Once , the mobile device will be suspended till reregisters. Otherwise, the mobile device computes , ,, , , and , where and are two random numbers, and is the identity of the target .

Step 2. .

computes ,, , ,. If , GWN ends the session. Otherwise, computes , , and , where is a random number.

Step 3. .

computes , . If , ends the session. Otherwise, computes , , and , where is a random number.

Step 4. .

computes , , and . If , ends the session. Otherwise, computes and .

Step 5. computes , , and . If , the authentication is finished successfully.

3. Cryptanalysis of Shuai et al.’s Scheme

In this section, we demonstrate that Shuai et al.’s scheme suffers from various attacks when assuming the adversary is armed with real-world capabilities [9-11] as below:

(1) Exhaust all the items in the Cartesian space of passwords and identities.
(2) Get when assessing the security of the scheme.
(3) Intercept, eavesdrop on, or resend the messages in the open channel.
(4) Get the data stored in the smart device.
(5) Get previous session keys.
(6) Get the secret key when assessing forward secrecy.
(7) The adversary can be the administrator of the registration authority.

3.1. Offline Dictionary Attack

When the adversary gets the data ({}) stored in the victim ’s mobile device, she can guess ’s password and identity correctly by the following steps:

Step 1. Guess to be , to be .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Verify the correctness of and by checking if .

Step 6. Repeat Steps 1-5 until the equation holds.

The time complexity is , where is the time of the hash function.

Assuming the adversary knows the victim’s identity , the adversary, with the data stored in the smart device and the messages transmitted in the open channel, can guess ’s password successfully as follows:

Step 1. Guess to be , to be .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

Step 5. Compute .

Step 6. Compute .

Step 7. Verify the correctness of and by checking if .

Step 8. Repeat Steps 1-6 until the correct value of is found.

The time complexity is .

Possible Countermeasures: In an offline dictionary attack, the inherent causes are as follows: (1) the adversary can find a verifier to check the correctness of the guessed password, and (2) to the adversary, the verifier contains only one unknown parameter (i.e., the victim’s password); that is, all the parameters that make up the verifier can be derived from the victim’s password. According to Wang and Xu [12], the offline dictionary attack can be divided into two types according to where the verifier comes from. In the first type, the verifier is extracted from the smart device. To deal with this attack, Wang and Wang [13] proposed a way of integrating the fuzzy-verifier technique and honeywords. That is, let , where is an integer and .

As such, there are about candidate pairs of identity and password which satisfy the equation of Step 5 when . To test a specific pair of identity and password, the adversary needs to initiate the access request online, and such failed attempts can be detected and stopped by the parameter .
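An added example (not code from the paper) contrasting an exact verifier with a fuzzy verifier over a constructed identity/password dictionary: the exact verifier singles out one pair offline, while the fuzzy verifier leaves roughly |D_id|·|D_pw|/n0 candidates that can only be separated online, where a failed-attempt counter stops the guessing. The concrete form fv = h(h(ID || PW) mod n0), the choice n0 = 2^8, and the gateway threshold are assumptions.

```python
# Added example (not from the paper): exact vs. fuzzy verifier, plus the online
# failed-attempt counter that makes the fuzzy verifier effective.
# Assumed form of the fuzzy verifier (after Wang and Wang): h(h(ID||PW) mod n0).
import hashlib
from itertools import product

def h(data: bytes) -> int:
    """Stand-in for the scheme's one-way hash h(.), returned as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def exact_verifier(uid: str, pw: str) -> int:
    """Conventional verifier: a unique fingerprint of the (ID, PW) pair."""
    return h(f"{uid}|{pw}".encode())

def fuzzy_verifier(uid: str, pw: str, n0: int = 2**8) -> int:
    """Fuzzy verifier: collapse the fingerprint into n0 buckets before hashing."""
    return h(str(h(f"{uid}|{pw}".encode()) % n0).encode())

def candidates(verifier_fn, stored: int, id_dict, pw_dict):
    """All dictionary pairs that satisfy the verifier stored on the device.
    Measures how much an offline check reveals: one pair (exact) vs. many (fuzzy)."""
    return [(i, p) for i, p in product(id_dict, pw_dict) if verifier_fn(i, p) == stored]

class Gateway:
    """Online side: each failed login bumps a counter; the account is suspended
    (until re-registration) once the counter reaches the threshold."""
    def __init__(self, uid: str, pw: str, threshold: int = 3):
        self._uid, self._pw, self.threshold = uid, pw, threshold
        self.failures, self.suspended = 0, False

    def login(self, uid: str, pw: str) -> bool:
        if self.suspended:
            return False
        if (uid, pw) == (self._uid, self._pw):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.threshold:
            self.suspended = True
        return False

# Constructed dictionaries (100 identities x 100 passwords) and one registered user.
ID_DICT = [f"user{i:03d}" for i in range(100)]
PW_DICT = [f"pass{i:03d}" for i in range(100)]
REAL = ("user042", "pass017")

def candidate_counts() -> tuple:
    """(exact, fuzzy) candidate counts; fuzzy is about 10000/256 ~ 40 pairs."""
    exact = candidates(exact_verifier, exact_verifier(*REAL), ID_DICT, PW_DICT)
    fuzzy = candidates(fuzzy_verifier, fuzzy_verifier(*REAL), ID_DICT, PW_DICT)
    return len(exact), len(fuzzy)
```

The fuzzy candidate count is the point: the device-side check no longer identifies the password, and each online trial of a candidate feeds the gateway's counter.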

Against the second type of attack, a public key is necessary [14]. In Shuai et al.’s scheme, we need to set the verifier and . As such, there are essentially two unknown parameters to the adversary, i.e., the password and , and the space of is too large for the adversary to conduct the offline dictionary attack.

3.2. Forward Secrecy

Forward secrecy requires that the exposure of the long-term secret key does not affect the security of previous conversations. However, we find that this scheme cannot provide forward secrecy. If the adversary gets and eavesdrops on the parameters {}, she can recover the session key by the following steps:

Step 1. Compute .

Step 2. Compute .

Step 3. Compute .

Step 4. Compute .

The time complexity is .

Possible Countermeasures: According to Ma et al. [14], the public key technique and two modular exponentiation or point multiplication operations on the smart device are required. Following this principle, we can let , where , is computed by and should be transmitted to in the open channel. also needs to be sent to . cannot be transmitted to any participant. As such, the adversary has no way to compute (a computationally hard problem that cannot be solved in polynomial time), and forward secrecy is achieved.

3.3. Inside Attack

Suppose the adversary is also the administrator of RA; then she can exploit the registration message and the data stored in mobile devices to guess the victim’s password as follows:

Step 1. Guess to be , to be .

Step 2. Compute .

Step 3. Compute .

Step 4. Verify the correctness of and by checking if .

Step 5. Repeat Steps 1-4 until the correct values of and are found.

The time complexity is .

Possible Countermeasures: The inside attack is practical, although it places high demands on the adversary’s capability. In this scheme, the verifier contains and , and can be computed from the parameters in the mobile device. Therefore, a way to deal with this attack is to update after the registration. After receiving the response from , the user side should select a new random nonce , update as , and then set and .

4. Conclusion

In this paper, we have analyzed an anonymous authentication scheme for a smart home environment proposed by Shuai et al. [8]. We demonstrated that their scheme suffers from various attacks although it was proved secure under the random oracle model. We showed that this scheme cannot resist offline dictionary attack and inside attack and also fails to provide forward secrecy. After pointing out these security flaws, we proposed possible countermeasures to deal with them. These suggestions can also be applied to most similar schemes. Thus, our work is helpful to the design of a secure and efficient user authentication scheme for the smart home environment.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.