Hanguang Luo,Tao Zou,Chunming Wu,Dan Li,Shunbin Li,Chu

DOI: https://doi.org/10.32604/cmc.2022.027118

2022-01-01

Abstract:In the emerging Industrial Internet of Things (IIoT), authentication problems have become an urgent issue for massive resource-constrained devices because traditional costly security mechanisms are not suitable for them. The security protocol designed for resource-constrained systems should not only be secure but also efficient in terms of usage of energy, storage, and processing. Although recently many lightweight schemes have been proposed, to the best of our knowledge, they are unable to address the problem of privacy preservation with the resistance of Denial of Service (DoS) attacks in a practical way. In this paper, we propose a lightweight authentication protocol based on the Physically Unclonable Function (PUF) to overcome the limitations of existing schemes. The protocol provides an ingenious authentication and synchronization mechanism to solve the contradictions amount forward secrecy, DoS attacks, and resource-constrained. The performance analysis and comparison show that the proposed scheme can better improve the authentication security and efficiency for resource-constrained systems in IIoT.

Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Liang Kou,Yiqi Shi,Liguo Zhang,Duo Liu,Qing Yang

DOI: https://doi.org/10.32604/cmc.2019.03760

2019-01-01

Abstract:With the development of computer hardware technology and network technology, the Internet of Things as the extension and expansion of traditional computing network has played an increasingly important role in all professions and trades and has had a tremendous impact on people lifestyle. The information perception of the Internet of Things plays a key role as a link between the computer world and the real world. However, there are potential security threats in the Perceptual Layer Network applied for information perception because Perceptual Layer Network consists of a large number of sensor nodes with weak computing power, limited power supply, and open communication links. We proposed a novel lightweight authentication protocol based on password, smart card and biometric identification that achieves mutual authentication among User, GWN and sensor node. Biometric identification can increase the non-repudiation feature that increases security. After security analysis and logical proof, the proposed protocol is proven to have a higher reliability and practicality.

YAO Lin,FAN Qing-na,KONG Xiang-wei

DOI: https://doi.org/10.3778/j.issn.1002-8331.2010.32.030

2010-01-01

Abstract:Pervasive computing raises new challenges to the security and privacy of the Internet communication,and conventional authentication protocols cannot meet the requirements of this new pervasive environment.A novel mutual authentication and key establishment scheme to secure the interactions between mobile users and service providers is proposed.Highly integrating biometric encryption and the Diffie-Hellman key exchange,the proposed protocol achieves mutual authentication without revealing any privacy information of the user.Secure session key establishment is enabled by the proposed algorithm.Differentiated service access control is also achieved with the biometric encryption.It is shown that the protocol can resist most of the attacks,especially the denial of service attack.

Lin Yao,Lei Wang,Xiangwei Kong,Guowei Wu,Feng Xia

DOI: https://doi.org/10.1016/j.camwa.2010.01.010

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:In a pervasive computing environment, mobile users often roam into foreign domains. Consequently, mutual authentication between the user and the service provider in different domains becomes a critical issue. In this paper, a fast and secure inter-domain authentication and key establishment scheme, namely IDAS, is proposed. IDAS adopts Biometrics to guarantee the uniqueness and privacy of users and adopts signcryption to generate a secure session key. IDAS can not only reduce the burden of certificates management, but also protect the users and authentication servers against fraud. Compared with some other authentication methods, our approach is superior with faster key exchange and authentication, as well as more privacy. The correctness is verified with the Syverson and Van Oorschot (SVO) logic. Crown Copyright (C) 2010 Published by Elsevier Ltd. All rights reserved.

Yuanchao Shu,Yu (Jason) Gu,Jiming Chen

DOI: https://doi.org/10.1109/tpds.2013.153

IF: 5.3

2014-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial, and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges cannot be transferred among trusted users. In this work, we introduce a dynamic authentication with sensory information for the access control systems. By combining sensory information obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss, stolen, and duplication. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with sensory information of different sensors and empirically demonstrate simple rotations can increase key space by more than 1,000,000 times with an authentication accuracy of 90 percent. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Yuanchao Shu,Yu Gu,Jiming Chen

DOI: https://doi.org/10.1109/MASS.2012.6502522

2012-01-01

Abstract:Access card authentication is critical and essential for many modern access control systems, which have been widely deployed in various government, commercial and residential environments. However, due to the static identification information exchange among the access cards and access control clients, it is very challenging to fight against access control system breaches due to reasons such as loss, stolen or unauthorized duplications of the access cards. Although advanced biometric authentication methods such as fingerprint and iris identification can further identify the user who is requesting authorization, they incur high system costs and access privileges can not be transferred among trusted users. In this work, we introduce a sensory-data-enhanced authentication for access control systems. By combining sensory-data obtained from onboard sensors on the access cards as well as the original encoded identification information, we are able to effectively tackle the problems such as access card loss and stolen. Our solution is backward-compatible with existing access control systems and significantly increases the key spaces for authentication. We theoretically demonstrate the potential key space increases with simple sensor data and empirically demonstrate simple rotations can increase key space by more than 30, 000 times with an authentication accuracy of 95%. We performed extensive simulations under various environment settings and implemented our design on WISP to experimentally verify the system performance.

Xuefei Yin,Song Wang,Muhammad Shahzad,Jiankun Hu

DOI: https://doi.org/10.1109/jiot.2021.3131956

IF: 10.6

2021-01-01

IEEE Internet of Things Journal

Abstract:Identity authentication has become an essential component for access control in the Internet of Things (IoT) environment. To overcome the inherent weakness of password-based authentication, many present IoT devices (e.g., commercial banking smart cards) are equipped with the fingerprint authentication mechanism. However, due to the resource constraints of IoT devices, oversimplified authentication schemes are deployed, which compromise system performance significantly. Moreover, fingerprint templates in these existing schemes are unprotected. To address these issues, we propose an IoT-oriented privacy-preserving fingerprint authentication system. The proposed system is composed of four main components: 1) minutiae extraction; 2) the minutia cylinder-code (MCC)-based cancelable binary template, generated by the proposed normalized random projection; 3) the lightweight, privacy-preserving template, built by novel pairwise Boolean operations; and 4) fingerprint matching. Our system can effectively mitigate preimage and hill-climbing attacks. A prototype of the proposed system is developed using a popular open-source platform (i.e., Open Virtual Platforms). Comprehensive experimental results on eight benchmark data sets validate the effectiveness of the proposed IoT-oriented fingerprint authentication system. Our system also achieves equivalent authentication accuracy to that of the unprotected fingerprint authentication systems deployed in the resource-rich, non-IoT environment. More importantly, our system prototype is deployable to commercially available low-cost smart cards, such as Atmel AT24C256C Memory Smart Card 256K Bits. To the best of our knowledge, the proposed system is the first privacy-preserving, cancelable fingerprint authentication system developed in such a resource-constrained IoT setting.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hang Xu,Chingfang Hsu,Lein Harn,Janqun Cui,Zhuo Zhao,Ze Zhang

DOI: https://doi.org/10.1109/tsc.2023.3257569

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:With the increasing popularity and wide application of the Internet, the users (such as managers and data consumers) in the Industrial Internet of Things (IIoT) can remotely analyze and control real-time data collected by various smart sensor devices. However, there are many security and privacy issues in the process of transmitting collected data through public channels in IIoT environment. In order to against the illegal access by opponents, a novel anonymous user authentication and key agreement scheme based on hash and elliptic curve encryption is proposed in this paper, which not only uses a pseudonym tuple database in control nodes to realize the functions of user dynamic joining and anonymity protection, but also resists key loss and device capture attacks through fuzzy biometric extraction technology. In addition, the formal secure analysis of the proposed scheme is carried out using the BAN logic model and ROR model, which proves the security of the proposed scheme. Meanwhile, we also prove the scheme can against the described existing attacks and meet the design goals by a detailed informal security discussion. Compared with the latest similar IIoT authentication proposals, our solution has a very obvious advantage in communication efficiency and realizes more functions. Hence, our scheme is more suitable for the IIoT environment, and can also generate greater benefits.

computer science, information systems, software engineering

Zuowen Tan,Jintao Jiao,Mengjiang Yu

DOI: https://doi.org/10.1155/2022/9919089

IF: 1.968

2022-10-18

Security and Communication Networks

Abstract:Nowadays, the industrial Internet of Things (IIoT) is playing a promising role in the optimization of industrial systems. IIoT devices generate a great amount of data that could be used for different applications. Due to the untrusted nature of machine-to-machine (M2M) communication channels, data authenticity and integrity are an important issue that must be addressed. Especially, it is challenging to deal with the privacy disclosure that the heterogeneity of IIoT brings about. In this paper, we propose a privacy-preserving scheme for authenticity in heterogeneous IIoT systems. Our authentication schemes support many kinds of IIoT devices with multicryptographic configurations such as RSA-based, DL-based, ECC-based, and lattice-based cryptosystems. We provide the formalized proof of the unforgeability and privacy of the proposed schemes in the random oracle model. The experimental simulation demonstrates that the proposed schemes are feasible in the heterogeneous IIoT environment.

computer science, information systems,telecommunications

Qi Jiang,Xin Zhang,Ning Zhang,Youliang Tian,Xindi Ma,Jianfeng Ma

DOI: https://doi.org/10.1016/j.comcom.2021.03.022

IF: 5.047

2021-01-01

Computer Communications

Abstract:As an extension of Internet of Things (IoT) in transportation sector, the Internet of Vehicles (IoV) can greatly facilitate vehicle management and route planning. With ever-increasing penetration of IoV, the security and privacy of driving data should be guaranteed. Moreover, since vehicles are often left unattended with minimum human interventions, the onboard sensors are vulnerable to physical attacks. Therefore, the physically secure authentication and key exchange (AKE) protocol is urgently needed for IoV to implement access control and information protection. In this paper, physical unclonable function (PUF) is introduced in the AKE protocol to ensure that the system is secure even if the user devices or sensors are compromised. Specifically, PUF, as a hardware fingerprint generator, eliminates the storage of any secret information in user devices or vehicle sensors. By combining password, biometrics with PUF, the user device cannot be used by someone else to be successfully authenticated as the user. Finally, the elaborate security analysis demonstrates that the proposed protocol is free from the influence of known attacks and can achieve expected security properties, and the performance evaluation indicates the efficiency of our protocol.

Xianji Jin,Na Lin,Zhongwei Li,Wenqi Jiang,Yuge Jia,Qingyang Li

DOI: https://doi.org/10.1109/access.2024.3413853

IF: 3.9

2024-06-21

IEEE Access

Abstract:With the wide application of IoT technologies in the power sector, power IoT faces serious security challenges, which can be severely affected by malicious attacks and unauthorised access. Meanwhile, devices in power IoT are usually resource-constrained and deployed in a decentralised manner, making them vulnerable to physical attacks. Therefore, a robust and reliable lightweight authentication scheme needs to be constructed to guarantee its information security. A lightweight authentication scheme for the power IoT based on Physical Unclonable Function (PUF) and Chebyshev chaotic map is proposed in this paper, which achieves two-way authentication and session key negotiation between gateways and terminal devices. Comparing with traditional authentication schemes, the PUF and Chebyshev chaotic map used in this scheme have high security and lower resource overhead. PUF is used to generate Challenge and Response Pairs (CRPs) for two-way authentication and key negotiation without storing any secret information about authentication in the device memory. At the same time, Chebyshev chaotic map is used to protect the transmission of secret information such as CRPs in insecure channels. The solution is therefore resistant to attacks such as physical, machine learning modelling and impersonation, ensuring the information security of the authentication process. The proposed scheme is analyzed and verified using the formal verification tool ProVerif and improved BAN logic along with informal methods. The verification results show that the scheme satisfies 12 security properties such as two-way authentication and user anonymity. Comparative analysis with existing related authentication schemes shows that the proposed scheme has low computation and communication costs while guaranteeing security, thus rendering it suitable for resource-constrained terminal devices in the power IoT.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sensen Li,Yicai Huang,Bin Yu

DOI: https://doi.org/10.1016/j.comnet.2024.110426

IF: 5.493

2024-05-09

Computer Networks

Abstract:With the explosive development of the Internet of Things (IoT), its security has become a critical concern. As a lightweight hardware primitive, Physical Unclonable Function (PUF) provides a promising solution for IoT security. Nevertheless, as per the knowledge of the authors, most of the existing PUF-based anonymous authentication protocols for IoT are not suitable for end-to-end IoT applications due to their flexibility or security. Specifically, there are two main issues with existing related protocols: (1) the end-to-end anonymous authentication between IoT devices requires the participation of a trusted third party, which seriously affects the flexibility of interaction; (2) most related protocols provide weak anonymity, that is, they are anonymous against only eavesdroppers. To solve these problems, a new PUF-based end-to-end anonymous authentication protocol is proposed. Without needing the real-time participation of the third party, the proposed protocol realizes end-to-end direct mutual authentication and session key agreement while maintaining strong anonymity. It also provides an online dynamic updating mechanism for security parameters. The security analysis shows that the proposed protocol has perfect forward secrecy while resisting various known attacks including physical attacks and modeling attacks. Meanwhile, it outperforms related protocols in terms of protocol rounds and communication costs.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Aseel Bedari,Song Wang,Jucheng Yang

DOI: https://doi.org/10.1109/tii.2021.3101208

IF: 12.3

2022-04-01

IEEE Transactions on Industrial Informatics

Abstract:The significant and rapid development of the Internet of Things (IoT) in recent years has greatly benefited people's lives. However, there are serious security and privacy concerns that need to be addressed when using the IoT for distributed authentication. In this article, we propose a secure fingerprint authentication system to protect user privacy for authentication on IoT devices. The proposed system applies a two-stage feature transformation scheme. Specifically, a weight-based fusion mechanism is designed in the first stage, while the second stage is featured by a linear convolution-based transformation with element removal from the convolution output to increase the security and protection. The proposed authentication system satisfies all the requirements of cancelable biometrics: accuracy, revocability, and diversity, unlinkability, and noninvertibility. Evaluated over six public fingerprint databases, the proposed authentication system exhibits highly competitive performance when compared with the existing cancelable fingerprint templates. Moreover, its energy efficiency on savings in memory space and low computational costs make the proposed scheme a good fit for resource-limited IoT devices.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Kaiyan He,Zhe Ren

DOI: https://doi.org/10.1016/j.comnet.2024.110450

IF: 5.493

2024-04-26

Computer Networks

Abstract:The Industrial Internet of Things (IIoT) is an emerging technology for smart manufacturing and productivity improvement. Due to the increasing complexity of manufacturing, devices with smart industrial sensors from several domains work together on the same job, raising serious security and privacy concerns about peer-to-peer (P2P) communication. Specifically, P2P secure communication should be focused on when it comes to high efficiency and security of information exchange between two industrial sensors. However, none of the existing schemes can resist physical attacks toward industrial sensors. To resolve the problem, we propose a new three-factor authentication and key agreement scheme named NTFAK for P2P IIoT communication using Physical Unclonable Functions (PUF) and Chebyshev chaotic mapping, where PUF is used to replace the smart card factor in the traditional schemes. The unclonable property of PUF and its ability to securely identify a device by challenge-response can provide safety to physical attacks. Besides, the use of the Chebyshev chaotic map also can provide high computational efficiency while ensuring better security. The proposed scheme enables secure communication between any two industrial sensors, which can resist physical attacks and offer a smaller key size, faster computation, and higher efficiency for IIoT. The security of our scheme is formally proved by the random oracle model, and security properties are discussed to show our scheme resists various attacks. Moreover, experiments were implemented to prove the efficiency of our scheme. Specifically, the results show that NTFAK can improve the computation and communication overheads by 36.6% and 17.5% at least, compared to existing schemes, while also ensure a minimum time reduction of 30.4% in delay time. In terms of security and functionality features, NTFAK satisfies the proposed 14 properties, outperforming existing solutions.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Yiran Han,Hua Guo,Jianwei Liu,Brou Bernard Ehui,Yapeng Wu,Sijia Li

DOI: https://doi.org/10.1109/jiot.2024.3355228

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The Industrial Internet of Things (IIoT) is the application of the Internet of Things (IoT) in the industrial field. IIoT allows users to remotely access industrial equipment and the data in it, which also brings certain challenges to the security of industrial data. Authentication and key agreement protocols are very effective security technologies in the matter of protecting industrial data. There is a large amount of research work on authentication protocols in IIoT, but most of the protocols have security weaknesses. Recently, Rafique et al. proposed a multi-factor protocol in IIoT that can accomplish authentication and session key establishment through a gateway. Rafique et al. claimed that their protocol is secure, unfortunately, we carefully analyze the protocol of Rafique et al. and find some security flaws, i.e., it is vulnerable to insider attack and known session-specific temporary information (KSSTI) attack, and unable to provide forward security. We explore the factors of insecurity and propose an enhanced multi-factor secure authentication and key agreement protocol in IIoT. The new protocol improves the security of the protocol while using only symmetric cryptography, hash function, and XOR operation. Formal security analysis and informal security discussions demonstrate that the new protocol is resistant to a variety of known attacks. After performance analysis, our protocol has lower computational cost, and increases no significant communication cost, while providing more secure and robust properties.

computer science, information systems,telecommunications,engineering, electrical & electronic

Hu Xiong,Yan Wu,Chuanjie Jin,Saru Kumari

DOI: https://doi.org/10.1109/jiot.2020.2999510

IF: 10.6

2020-12-01

IEEE Internet of Things Journal

Abstract:The Industrial Internet of Things (IIoT) is expected to provide a promising opportunity to revolutionize the production operation of the existing industrial systems by leveraging smart devices. Due to the untrusted nature of communication channels, ensuring data authenticity is a critical challenge. Besides, devices' privacy and communication heterogeneity raise crucial concerns about the IIoT applications since the existing authentication protocols for the IIoT environment face the potential threats of privacy leakage and cannot achieve secure communication between heterogeneous industrial systems. To address these challenges, this article proposes an efficient privacy-preserving authentication protocol for heterogeneous systems in IIoT using proxy resignature. The presented protocol not only provides heterogeneous communication between ID-based and certificateless-based cryptosystems but also achieves various security requirements. The security of our protocol has been proven based on the extended Computational Diffie–Hellman (eCDH) assumption in the random oracle model. The experimental simulation demonstrates that our protocol is feasible for the IIoT-based environment.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wenting Li,Ping Wang

DOI: https://doi.org/10.1016/j.future.2019.06.020

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Due to the sensitiveness of the physical environments and resource-constrained nature of edge devices, how to securely and efficiently access real-time data in Industrial Internet-of-Things (IIoT) is becoming an increasingly imperative concern. Though intensive efforts have been made to design password-based user authentication schemes for IIoT environments, the majority of them are subject to weaknesses, either suffering from various known attacks or lack of critical features. To ameliorate this situation, firstly, we put forward a criteria set on the basis of related state-of-art evaluation set to fairly assess authentication schemes for IIoT environments. The effectiveness and practicality of our criteria are tested by 42 representative schemes. Secondly, we revisit two representative schemes, namely Amin et al.’s scheme and Gope–Hwang’s scheme, as case studies to demonstrate the common pitfalls in designing robust schemes. Finally, we propose a practical authentication scheme for Industrial Internet-of-Things with provable security, and shed light on how to tackle node capture attack by using the “honeywords” technique. The security and performance evaluation results show that our new scheme is superior to other related ones, and thus, more suitable for IIoT environments.

Chengqi Wang,Xiao Zhang,Lijia Xie,Zhiming Zheng

DOI: https://doi.org/10.14257/ijsia.2017.11.9.04

2017-01-01

International Journal of Security and Its Applications

Abstract:To satisfy the security requirements of patients' privacy and data's security for health Internet of Things (IoT), various authentication schemes are proposed as guaranteed countermeasures. In particular, Wang et al. built an identity-based authentication scheme with extended Chebyshev chaotic maps. Nevertheless, considering service misuse attack and Denial-of-Service attack, Wang et al.' s method works inadequately. Also it is insufficient to provide efficient password change phase, fast error detection and session key agreement. As a remedy, we propose a novel dynamic identity authenticated key agreement scheme. Our scheme achieves resistance to the known attacks in order to meet the desirable security requirements. Furthermore, the presented scheme practically enables both user revocation/re-registration and biometric information protection, which are significant features ignored by most previous schemes. We confirm the effectiveness of our scheme via comprehensive comparisons in terms of resistance, functionality and performance.

Junhui Zhao,Fanwei Huang,Huanhuan Hu,Longxia Liao,Dongming Wang,Lisheng Fan

DOI: https://doi.org/10.1016/j.adhoc.2024.103427

IF: 4.816

2024-01-31

Ad Hoc Networks

Abstract:5G technology has been applied and popularized, leading to the widespread usage of the Internet of Things (IoT) in various areas such as intelligent transportation, home security, fire protection, industrial monitoring, healthcare, and data collection intelligence. Data sharing is one of the key factors for successful application in these fields. However, real-time data sharing through open channels may result in transmitted messages being illegally accessed by attackers, leading to privacy breaches. At present, most existing authentication schemes focus on single gateway authentication models. In order to overcome issues such as elevated communication overhead, reduced network performance, and inefficient cross-domain access in the single gateway model with larger network sizes, we introduce a multi-gateway lightweight authentication scheme as a solution. Firstly, our scheme is based on a three-factor authentication scheme of Chebyshev chaotic mapping, hash function, and XOR operation. This scheme achieves secure authentication between sensor nodes and users, establishes session keys, and also supports user key updates. Secondly, through security analysis, we demonstrate that the proposed scheme resists internal disguise attacks, sensor capture attacks, temporary secret leakage attacks, and achieves forward security of session keys. We additionally provide a demonstration of the semantic security of session keys by utilizing a Random Oracle Model (ROM). Finally, compared to other schemes, the results show that our proposed scheme has lower communication overhead and computational resource requirements, and is more in line with the requirements of lightweight device security authentication in the IoT.

computer science, information systems,telecommunications