Swaraj Bhat,Pradeep B.H,Keerthi S.Shetty,Sanjay Singh

DOI: https://doi.org/10.48550/arXiv.1208.4321

2012-08-22

Abstract:In ubiquitous computing devices, users tend to store some valuable information in their device. Even though the device can be borrowed by the other user temporarily, it is not safe for any user to borrow or lend the device as it may cause private data of the user to be public. To safeguard the user data and also to preserve user privacy we propose and model the technique of ownership authentication transfer. The user who is willing to sell the device has to transfer the ownership of the device under sale. Once the device is sold and the ownership has been transferred, the old owner will not be able to use that device at any cost. Either of the users will not be able to use the device if the process of ownership has not been carried out properly. This also takes care of the scenario when the device has been stolen or lost, avoiding the impersonation attack. The aim of this paper is to model basic process of proposed ownership authentication transfer protocol and check its safety properties by representing it using CSP and model checking approach. For model checking we have used a symbolic model checker tool called NuSMV. The safety properties of ownership transfer protocol has been modeled in terms of CTL specification and it is observed that the system satisfies all the protocol constraint and is safe to be deployed.

Logic in Computer Science

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

Hanguang Luo,Tao Zou,Chunming Wu,Dan Li,Shunbin Li,Chu

DOI: https://doi.org/10.32604/cmc.2022.027118

2022-01-01

Abstract:In the emerging Industrial Internet of Things (IIoT), authentication problems have become an urgent issue for massive resource-constrained devices because traditional costly security mechanisms are not suitable for them. The security protocol designed for resource-constrained systems should not only be secure but also efficient in terms of usage of energy, storage, and processing. Although recently many lightweight schemes have been proposed, to the best of our knowledge, they are unable to address the problem of privacy preservation with the resistance of Denial of Service (DoS) attacks in a practical way. In this paper, we propose a lightweight authentication protocol based on the Physically Unclonable Function (PUF) to overcome the limitations of existing schemes. The protocol provides an ingenious authentication and synchronization mechanism to solve the contradictions amount forward secrecy, DoS attacks, and resource-constrained. The performance analysis and comparison show that the proposed scheme can better improve the authentication security and efficiency for resource-constrained systems in IIoT.

Ye Bi,Kai Fan,Kuan Zhang,Yuhan Bai,Hui Li,Yingtang Yang

DOI: https://doi.org/10.1109/jiot.2023.3267501

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Modern business models improve the efficiency of supply chain management by attaching tags to products. These tagged products typically change owners multiple times during their life cycles. The ownership transfer protocol authorizes the new owner by replacing the old owner’s authentication information stored in the tag with the new owner’s. Until now, a considerable amount of literature has proposed solutions to the problem of RFID ownership transfer. Unfortunately, these existing protocols are either flawed in some security properties especially in protecting new and old owners’ privacy, or are associated with huge computational overheads. In this paper, we propose an ultra-lightweight RFID ownership transfer protocol based on permutation function. The tag and reader only use efficient bit operations, which greatly reduce the computational overhead. An important feature of the proposed protocol is that the new owner can impose calculations on data that has been encrypted by the old owner. The new owner is authorized by the old owner and does not have access to the tag’s key, which protects the old owner’s privacy stored in the tag side. We compare our protocol with existing work, and show the advantages in terms of security, computational overhead, and time cost.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qing-Shan Li,Xiao-Lin Xu,Zhong Chen

DOI: https://doi.org/10.1109/pdcat.2014.25

2014-01-01

Abstract:In the supply chain, RFID tags are deployed more widely. In the life of the supply chain, the owner of the tag will change frequently. Ownership transfer protocol can achieve the purpose that the access rights of the tag are transferred from the original owner to the new owner, and protect the privacy of the original owner and the new owner. To resist cloning attack and side channel analysis attack, physical unclonable function (PUF) has been proposed to enhance the security of the tags. Since the PUF of each tag is unique and different, it is difficult to be forged. However, most of PUF-based authentication protocols need the response value previously stored in the readers. On the other hand, most of the ownership transfer protocols assume the original owner and the new owner has a secure channel. However, in an open environment, due to time and space constraints, such a channel is often unable to quickly established. In this paper, we studied the ownership transfer protocols in an open environment and proposed a PUF-based RFID ownership transfer protocols, PROTP. The new protocol is the first ownership transfer protocol based on the PUF in an open environment. The new protocol does not need to store the respond values of the PUF. To utilize the randomness of the PUF, it replaces the pseudo-random generator. Meanwhile, PROTP can protect the privacy of the original owner and the new owner. In terms of efficiency, since the protocol is designed to satisfy the requirement in an open environment, the total cost of the computation is more than others protocols. However, due to the new protocol utilizes the PUF to replace the pseudo-random generator, the each step of the authentication messages achieves a better optimization in computational cost.

Wei Xie,Lei Xie,Chen Zhang,Qiang Wang,Chao Wang,Chaojing Tang

DOI: https://doi.org/10.1002/sec.965

IF: 1.968

2014-01-01

Security and Communication Networks

Abstract:ABSTRACTThis paper addresses radio frequency identification (RFID) authentication and ownership transfer in offline scenarios. Four typical related works are reviewed in detail. A series of shortcomings and vulnerabilities of them are pointed out. A new RFID authentication protocol based on a novel tag‐owner‐assisting architecture is proposed, making a tag's owner an essential participant of the RFID authentication process. The proposed protocol is distinguished from existing works in providing ownership transfer, access control, and mutual authentication without any centralized database neither on a backend server nor in a reader. The security of the proposed protocol is verified by using automated validation of Internet security protocols and applications tool. The proposed protocol is server‐less, simple, scalable, untraceable, and device‐independent. These features are simultaneously achieved in a single RFID authentication protocol for the first time. Copyright © 2014 John Wiley & Sons, Ltd.

Nazmus Sakib,Md Yeasin Ali,Nuran Mubashshira Momo,Marzia Islam Mumu,Masum Al Nahid,Fairuz Rahaman Chowdhury,Md Sadek Ferdous

2024-08-30

Abstract:The popularity of the Internet of Things (IoT) has driven its usage in our homes and industries over the past 10-12 years. However, there have been some major issues related to identity management and ownership transfer involving IoT devices, particularly for consumer IoT devices, e. g. smart appliances such as smart TVs, smart refrigerators, and so on. There have been a few attempts to address this issue; however, user-centric and effective ownership and identity management of IoT devices have not been very successful so far. Recently, blockchain technology has been used to address these issues with limited success. This article presents a Self-sovereign Identity (SSI) based system that facilitates a secure and user-centric ownership management and transfer of consumer IoT devices. The system leverages a number of emerging technologies, such as blockchain and decentralized identifiers (DID), verifiable credentials (VC), under the umbrella of SSI. We present the architecture of the system based on a threat model and requirement analysis, discuss the implementation of a Proof-of-Concept based on the proposed system and illustrate a number of use-cases with their detailed protocol flows. Furthermore, we analyse its security using ProVerif, a state-of-the art protocol verification tool and examine its performance.

Cryptography and Security,Emerging Technologies

Manojkumar Vivekanandan,Sastry V. N.,Srinivasulu Reddy U.

DOI: https://doi.org/10.1007/s12083-020-00963-w

2020-08-22

Abstract:Due to the advancement of wireless technology, the Internet of Things (IoT) Device to Device communication for exchanging messages is feasible without human involvement. Authentication and identification of device location are highly essential tasks to verify the originality of IoT Devices (IoTDs) during communication via open channel. In recent days, IoTD registration is processed through the Registration Center Authority (RAC) and this may face single point of failure and insider attack. To solve these problems, we propose a Blockchain based Internet of Things (IoT) Device to Device Authentication Protocol for Smart City Applications using 5G Technology (BIDAPSCA5G). In the proposed protocol, the IoT Devices registration process is performed through private blockchain. The Blockchain has the Distributed Ledger (DL) for storing IoTD credential details, which is accessed only by authenticated entities. In the proposed protocol, mutual authentication was performed without involvement of RAC/Gate-Way-Node (GWN) to reduce the computation cost. The proposed protocol has the additional features such as location based authentication, blockchain based revocation phase and registration of IoTDs, IoTD anonymity property at device level. The security analysis of the proposed protocol was performed through formal security verification using Proverif tool, formal security analysis using Random Oracle Model (RoM) and informal security analysis. The security analysis proved that the proposed protocol is secured against well-known attacks and also it provides better performance as well as additional features when compared to existing protocols.

computer science, information systems,telecommunications

Tongliang Li,Zhigang Jin,Chaoyi Pang

DOI: https://doi.org/10.1109/icinis.2010.13

2010-01-01

Abstract:Although widely used in various applications, the current RFID (Radio Frequency Identification) systems lack efficiently enforcement of security and privacy. Furthermore, considering that the bearer of a RFID tag might be changed, the ownership transferring of the tags also becomes an issue. Some schemes have been suggested, but they are lack of participation of people. In this paper, we propose a novel scheme for the low-cost passive RFID tags. In our approach, people are involved in the authentication process. After getting some information from the assistant tag and user's password, the reader uses them to update the key of the common tags to be identified, and this makes the secured ownership transfer come true. In order to reach our goal, pseudonym, mutual authentication mechanism, and lightweight functions are employed. The analysis shows that our scheme not only achieves the secure and private goals, but also supports secured controlled ownership transfer.

Chandranshu Gupta,Gaurav Varshney

2023-11-07

Abstract:The Internet of Things (IoT) has improved people's lives by seamlessly integrating into many facets of modern life and facilitating information sharing across platforms. Device Authentication and Key exchange are major challenges for the IoT. High computational resource requirements for cryptographic primitives and message transmission during Authentication make the existing methods like PKI and IBE not suitable for these resource constrained devices. PUF appears to offer a practical and economical security mechanism in place of typically sophisticated cryptosystems like PKI and IBE. PUF provides an unclonable and tamper sensitive unique signature based on the PUF chip by using manufacturing process variability. Therefore, in this study, we use lightweight bitwise XOR, hash function, and PUF to Authenticate IoT devices. Despite several studies employing the PUF to authenticate communication between IoT devices, to the authors' knowledge, existing solutions require intermediary gateway and internet capabilities by the IoT device to directly interact with a Server for Authentication and hence, are not scalable when the IoT device works on different technologies like BLE, Zigbee, etc. To address the aforementioned issue, we present a system in which the IoT device does not require a continuous active internet connection to communicate with the server in order to Authenticate itself. The results of a thorough security study are validated against adversarial attacks and PUF modeling attacks. For formal security validation, the AVISPA verification tool is also used. Performance study recommends this protocol's lightweight characteristics. The proposed protocol's acceptability and defenses against adversarial assaults are supported by a prototype developed with ESP32.

Cryptography and Security

Yongming Jin,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1109/ICEBE.2009.77

2009-01-01

Abstract:In the real society, the owner of a tagged object may transfer its ownership to another party. An ownership transfer must satisfy the forward and backward untraceability. It is a new problem in the research of RFID security and privacy. In this paper, a simple and efficient security protocol, HBOT, for lightweight RFID tags with support for ownership transfer is proposed. The new protocol is based on hash function. It is deeply analyzed and it achieves a very strong notion of security that is necessary in RFID ownership transfer: forward and backward privacy. It is also obtained higher performance.

Wei Xin,Zhi Guan,Tao Yang,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-37401-2_53

2013-01-01

Abstract:RFID technology is increasingly become popular in supply chain management. When passing tags on to the next partner in the supply chain, ownership of the old partner is transferred to the new partner. In this paper, we first introduce some existing RFID tag ownership transfer protocols, then give the security and privacy requirements for such kind of protocols, finally, we propose a novel RFID tag ownership transfer protocol which supports constant-time authentication, and effectively protects the privacy of the old tag owner and the new tag owner. © 2013 Springer-Verlag.

Khan Reaz,Gerhard Wunder

2024-03-18

Abstract:The existing high-friction device onboarding process hinders the promise and potentiality of Internet of Things (IoT). Even after several attempts by various device manufacturers and working groups, no widely adopted standard solution came to fruition. The latest attempt by Fast Identity Online (FIDO) Alliance promises a zero touch solution for mass market IoT customers, but the burden is transferred to the intermediary supply chain (i.e. they have to maintain infrastructure for managing keys and digital signatures called `Ownership Voucher' for all devices). The specification relies on a `Rendezvous Server' mimicking the notion of Domain Name System (DNS) server'. This essentially means resurrecting all existing possible attack scenarios associated with DNS, which include Denial of Service (DoS) attack, and Correlation attack. `Ownership Voucher' poses the risk that some intermediary supply chain agents may act maliciously and reject the transfer of ownership or sign with a wrong key. Furthermore, the deliberate use of the weak elliptic curve SECP256r1/SECP384r1 (also known as NIST P-256/384) in the specification raises questions. We introduce ASOP: a sovereign and secure device onboarding protocol for IoT devices without blindly trusting the device manufacturer, supply chain, and cloud service provider. The ASOP protocol allows onboarding an IoT device to a cloud server with the help of an authenticator owned by the user. This paper outlines the preliminary development of the protocol and its high-level description. Our `zero-trust' and `human-in-the-loop' approach guarantees that the device owner does not remain at the mercy of third-party infrastructures, and it utilises recently standardized post-quantum cryptographic suite (CRYSTALS) to secure connection and messages.

Cryptography and Security,Networking and Internet Architecture

Yu Liu,Kaiping Xue,Peixuan He,David S. L. Wei,Mohsen Guizani

DOI: https://doi.org/10.1109/jiot.2020.2975140

IF: 10.6

2020-07-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) has set off a new information technology revolution due to its convenience and efficiency. An IoT enables sharing economy, as more people are willing to share their own things (mostly mobile devices) to leverage the under-used value. In such a situation where owners and users are often not familiar with each other, an efficient access control mechanism is needed to deal with the trust issue and support service accountability to help owners accurately get their deserved profits. Besides, in such a sharing economy environment, the mobility of most shared IoT devices and their privacy preserving should also be taken into account. Regrettably, the existing schemes cannot achieve all of the aforementioned goals simultaneously and only few schemes were implemented to evaluate the claimed performance. In this article, we propose an efficient, accountable, and privacy-preserving access control solution for IoT in a sharing economy environment. In our scheme, we utilize the one-time signature to achieve anonymous authentication and let gateways store the signatures as service credentials for accountability. Meanwhile, we adopt the identity-based authentication to exclude malicious gateways and shared devices from the system and design a specialized protocol for those devices moving with the users. We conduct a detailed security analysis to show that our scheme can effectively defend against potential attacks, and also implement a prototype system to demonstrate that our design is indeed an efficient one.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chien-Ming Chen,King-Hang Wang,Tsu-Yang Wu,Jeng-Shyang Pan,Hung-Min Sun

DOI: https://doi.org/10.1109/tifs.2013.2270106

IF: 7.231

2013-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The man-in-the-middle (MITM) attack is the major threat for handheld devices to agree on a session key in which they do not share any prior secret in advance, even if these devices are physically located in the same place. Apart from insecurely typing passwords into handheld devices or comparing long hexadecimal keys displayed on the devices' screens, many other human-verifiable protocols have been proposed in the literature to solve the problem. Unfortunately, most of these schemes are unscalable to more users. Even when there are only three entities attempting to agree on a session key, these protocols need to be rerun three times. In this paper, we present a bipartite and a tripartite authentication protocol using a temporary confidential channel. Besides, we further extend the system into a transitive authentication protocol that allows multiple handheld devices to establish a conference key securely and efficiently. In addition, we provide a formal proof to our protocol to demonstrate our scheme is indeed secure. We also implement the prototype of the system on a mobile phone with satisfying performance.

Zhiwei Wang,Qingqing Chen,Lei Liu

DOI: https://doi.org/10.1109/jiot.2023.3242959

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:In this Internet of Things era, privacy preserving is one of the most vital barriers for personal data sharing. In this article, we present a secure and privacy-preserving data sharing protocol over the permissioned blockchains which require to certificate the users before they submit the transactions. We use the structure-preserving Groth signature to construct the anonymous credentials for satisfying the requirement of permissioned blockchains, and the anonymous credentials does not disclose the real identities of data owners. We prove that the anonymous credential in our protocol achieves the ideal functionality. For the secure access control and privacy protection of the data accessors, we propose an efficiently anonymous authentication scheme which utilizes the ElGamal commitment and the one-out-of-many proof to ensure a data accessor is authorized, but any unauthorized entities cannot learn the real identity of the data accessor, and even the data owner does not know who (although in the access control list) and when downloads his/her data. The blockchain platform is used to record the data storing, access control list, and the storage addresses, which helps to enhance the security level of the protocol. We implement our protocol over the ThinkPad, the RaspBerry Pi, the Huawei cloud, and the Hyperledger Fabric, and the experiments show the good performances.

computer science, information systems,telecommunications,engineering, electrical & electronic

Inderpal Singh,Balraj Singh

DOI: https://doi.org/10.1007/s40998-024-00748-4

2024-09-11

Iranian Journal of Science and Technology Transactions of Electrical Engineering

Abstract:Internet of Things (IoT) applications are popularly involved in day-to-day life. The increase in utilization leads to an increase in network traffic. The incoming users have different intentions in the network and hence security is essential. The data user accesses the data in the cloud that is collected from IoT devices. A large-scale IoT environment has challenges in the provisioning of security as well as the management of access control mechanisms. The problem is a generation of policies and authenticating devices with minimum credentials. In this paper, Blockchain-based decentralized authentication and access control systems are designed. The process of authentication is conducted for the data owner and data user by considering identity, device type, IP address and signature, PUF, and biometric respectively. PUF stands for Physical Unclonable Function, which is a hardware-based security feature that generates a unique identifier for a device based on its physical properties, SALSA20 and PRESENT are encryption algorithms used in the proposed system to encrypt data chunks. SALSA20 is a stream cipher that generates a keystream to encrypt data, while PRESENT is a block cipher that encrypts data in fixed-size blocks These authentication credentials are managed in the blockchain. The credentials are stored in encrypted form using the Key schedule PRESENT algorithm. In the authentication of data users, the number of credentials is selected using fuzzy logic that improves security. To assure data storage security, the data is split into two chunks, and it is encrypted using SALSA20 and PRESENT algorithm. The proposed model is developed in an ifogsim simulator, and the performance metrics are evaluated in terms of authentication time, storage efficiency, running time, throughput, latency, and blocksize.

engineering, electrical & electronic

Mohd Shariq,Mauro Conti,Karan Singh,Sanjeev Kumar Dwivedi,Mohammad Abdussami,Ruhul Amin,Mehedi Masud

DOI: https://doi.org/10.1016/j.comcom.2024.107971

IF: 5.047

2024-10-19

Computer Communications

Abstract:Drones also called Unmanned Aerial Vehicles (UAVs) have become more prominent in several applications such as package delivery, real-time object detection, tracking, traffic monitoring, security surveillance systems, and many others. As a key member of IoT, the group of Radio Frequency IDentification (RFID) technologies is referred to as Automatic Identification and Data Capturing (AIDC). In particular, RFID technology is becoming a contactless and wireless technique used to automatically identify and track the tagged objects via radio frequency signals. It also has drawn a lot of attention among researchers, scientists, industries, and practitioners due to its broad range of real-world applications in various fields. However, RFID systems face two key concerns related to security and privacy, where an adversary performs eavesdropping, tampering, modification, and even interception of the secret information of the RFID tags, which may cause forgery and privacy problems. In contrast to security and privacy, RFID tags have very limited computational power capability. To deal with these issues, this paper puts forward an RFID-based Lightweight and Provably Secure Authentication Protocol (LPSAP) for Unmanned Aerial Vehicle Systems. The proposed protocol uses secure Physically Unclonable Functions (PUFs), Elliptic-Curve Cryptography (ECC), secure one-way hash, bitwise XOR, and concatenation operations. We use Ouafi and Phan's formal security model for analyzing security and privacy features such as traceability and mutual authentication. The rigorous informal analysis is carried out which ensures that our proposed protocol achieves various security and privacy features as well as resists various known security attacks. The performance analysis demonstrates that our proposed protocol outperforms other existing protocols. In addition, Scyther and Automated Validation of Internet Security Protocols and Applications (AVISPA) tool simulation results demonstrates that there is no security attack possible within bounds. Therefore, our proposed LPSAP protocol achieves an acceptable high level of security with the least computational, communication, and storage costs on passive RFID tags.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jing Huey Khor,Michail Sidorov,Seri Aathira Balqis Zulqarnain

DOI: https://doi.org/10.3390/s23073433

2023-03-24

Abstract:Scalability prevents public blockchains from being widely adopted for Internet of Things (IoT) applications such as supply chain management. Several existing solutions focus on increasing the transaction count, but none of them address scalability challenges introduced by resource-constrained IoT device integration with these blockchains, especially for the purpose of supply chain ownership management. Thus, this paper solves the issue by proposing a scalable public blockchain-based protocol for the interoperable ownership transfer of tagged goods, suitable for use with resource-constrained IoT devices such as widely used Radio Frequency Identification (RFID) tags. The use of a public blockchain is crucial for the proposed solution as it is essential to enable transparent ownership data transfer, guarantee data integrity, and provide on-chain data required for the protocol. A decentralized web application developed using the Ethereum blockchain and an InterPlanetary File System is used to prove the validity of the proposed lightweight protocol. A detailed security analysis is conducted to verify that the proposed lightweight protocol is secure from key disclosure, replay, man-in-the-middle, de-synchronization, and tracking attacks. The proposed scalable protocol is proven to support secure data transfer among resource-constrained RFID tags while being cost-effective at the same time.