1. Introduction
As a new type of wireless network, Ad hoc network does not depend on any pre-founded infrastructure, and it has no centralized control unit. The computation and transmission capability of each node are limited. The interconnection and data transmission between the nodes can be achieved through MultiHop. Ad Hoc network has the advantages such as self-organized, dynamics, and invulnerability. However, it is open to all kinds of attacks, and obviously, the traditional security techniques cannot directly apply in the Ad hoc network, meanwhile, the existed security techniques used in Ad hoc do not address the security problems properly. Therefore, the effective methods, such as authentication, data protection, privacy-preserving, has drawn more and more concerns. Among them, authentication is the basis of communication, considering limited computing and transmitting power of each node, how to design a lightweight and secure authentication protocol has become a research hotspot.
In 1981, Lamport [1] firstly suggested the concept of one-time password based on hash function. It adds uncertain factors into the identity information sending to the server, making the message varied in each time. This method can effectively resist intercept/replay attack, but the amount of encryptions needed in the protocol is a heavy burden for the user. Later, Haller refined this method as S/KEY standard [2]. In succeeding research, one-time pass word authentication also can be implemented in two other ways: time synchronization and challenge/response. The former requires the user and the server keep time synchronized, the two parties use the identical time as calculating factor to generate one time password, and then carry out identity authentication. In the latter way, the server sends “challenge” to the user, and authenticates the identity of the user based on its “response”.
Sandirigama et al. [3] proposed a simple and secure authentication protocol (SAS) for enhancing security level apart from low processing, storage and transmission overheads. Tsuji et al. [4] improved SAS, it reduces 40% overhead of hash function adaptation, and the method has a mutual authentication phase which keeps synchronous data communications in an authentication procedure.
The traditional one-time password authentication protocol has a shortcoming that the time of authentication is limited. When the authentication times up to a certain value, the re-initialization is required. Yeh et al. [5] proposed a secure one-time password authentication scheme using smart cards. The scheme is free from any of server spoofing attacks, replay attacks, and off-line dictionary attacks. A session key here is also established to provide confidentiality. Goyal et al. [6] constructed a N/R One Time Password System. The basic idea is have the server aid the client computation by inserting “breakpoints” in the hash chains. Client computational requirements are dramatically reduced without any increase in the server computational requirements and the number of times a client may login before the system has to be reinitialized is also increased significantly. Zhang et al. [7] designed a novel scheme with a new kind of hash chain. It achieves self-updating, fine-authentication and proactive updating, and the updating process is smooth, secure and efficient which does not need additional protocols or an independent re-initialization process. In 2008, Chefranov [8] changed the traditional construction of backward hash chain. Under C/S model, the proposed scheme based on infinite forward stepping hash chains, and not requiring re-initialization after a certain number of authentications. Wang et al. [9] proposed a novel multi-party key agreement scheme with password authentication and sharing password evolvement. The password is not only used to authenticate the mobile node’s secret keys, but also used to encrypt alternating information between mobile nodes. The freshness and security of passwords are guaranteed by sharing password evolvement every time in mobile node’s secret keys authentication and key agreement. Li et al. [12] proposed a two-layer authentication protocol for wireless ad hoc networks, without adopting public key computations to provide secure and anonymous communication, then it can be efficiently implemented on small ad hoc devices, moreover, the protocol accomplishes mutual authentication, session key agreement, and along with integration of non-PKI techniques, the source node can anonymously interact with the destination node. Later, to remedy the security weaknesses existed in the authentication scheme introduced by He et al. [13], such as attacks against the user anonymity, lack of user friendliness and so on, a novel privacy-preserving authentication scheme which is immune to various known types of attack was proposed in [14], and the scheme is practical for mobile wireless networking. Paterson et al. [15] considered the use of one-time passwords in the context of password-authenticated key exchange (PAKE), which allows for mutual authentication, session key agreement, and resistance to phishing attacks, and advanced a general technique for building a secure one-time-PAKE protocol from any secure PAKE protocol, based on describing a security model for the use of one-time passwords. Eldefrawy et al. [16] proposed a one-time password system, involving two different nested hash chains, which provide the authentication seed updating and the OTP production respectively. The system achieves some favourable properties, such as non-restricted one-time password generation.
Based on the above analysis, one-time password authentication protocol has characteristics of simple designation, lightweight computational overhead and high efficiency, which are suitable for Ad hoc network. But the existed methods have relative demerits as well as merits. In this paper, a self-updating one-time password mutual authentication protocol for Ad hoc network is proposed. Through capturing the secure bit of the tip of a new chain, a hash chain can update by itself smoothly, also can be continued indefinitely to give rise to an infinite length hash chain. We add identity information into authentication process, making the protocol to resist man-in-the-middle attack, and achieve anonymity and traceability at the same time.
2. Preliminaries
2.1 Hard-Core Predicate [10]
General speaking, a polynomial-time predicate b is called a hard-core of a function f if each efficient algorithm, given f(x), can guess b(x) with success probability that is only negligibly better than one-half.
Definition 1 (Hard-Core Predicate) A polynomial-time-computable predicate b :{0,1}*→{0,1} is called a hard-core of a function f for each probabilistic polynomial-time algorithm A′, each positive polynomial p(⋅), and all sufficiently large n has Un is a random variable uniformly distributed in {0,1}n.
2.2 Hash Chain
Definition 2 (Hash Chain) Select a cryptographic secure hash function h with security parameter k: {0,1}∗→{0,1}k. Pick a seed s randomly and apply h recursively N times to an initial seed s to generate a hash chain. The tip ω of the chain equals hN(s).
3. Analysis of the Yeh’s Protocol
The protocol proposed in [5] is a mutual authentication protocol, utilizing hash chain to construct one-time password. The scheme has been divided into two phases: registration and authentication. C denotes the user and S denotes the server.
3.1 Registration
1) C←S:SEED;
2) C←S:N, SEED⊕D0, h(D0);
3) C→S:p0⊕D0
pt = hN−t(K⊕SEED), t ≥ 0, K is the user’s private key, N is the length of hash chain before reconstruction, N>>1, D0 is a temporary authenticating random number generated by the server.
3.2 Authentication
1) C←S:Mt=(Mt1,Mt2,Mt3)=(N−t,SEED⊕Dt,h(Dt)⊕pt−1) with N−1 ≥ t ≥ 1−integer;
2) C if h(M12⊕SEED)⊕PN-M11-1 ≠ M13, then the user determines that M1 doesn’t come from the server. Stop the process. Otherwise, continue;
3) C→S:Ut = pt⊕Dt. pt is a new password produced by the user, and pt−1 is stored on the server;
4) S if h(Ut⊕Dt)=pt−1, then the user passes the authentication. Substitute the new password pt = Ut⊕Dt for pt−1, while let t= t+1;
However, the protocol has the following security limits:
Aiming at the security problems above-mentioned, some improvements are made on the Yeh’s protocol in the next section.
4. Self-Updating One-Time Password Mutual Authentication Protocol for Ad Hoc Network
The protocol is consisted of two phrases: Initialization and Mutual Authentication.
4.1 Initialization
User A and B jointly select a secure hash function h with a security parameter N, and randomly choose a secure SEED from {0,1}k. Select a predicate function B:{0,1}*→{0,1} as the kernel of h. Each user has a unique ID. Take user A as an example to show the concrete initialization process.
1) Select a random number KA as A’s private key;
2) Generate a hash chain pAt= hN−t(KA⊕SEED⊕h(IDA)) with the tip value pA0, t denotes the t th time authentication, t ≥ 0, and send pA0 to user B securely;
3) Randomly select another private key K′A from {0,1}k, the corresponding tip value is p′A0. Store K′A and p′A0 on local device securely.
4) Generate a random number DAt, making B(DAt)=p′A[i], i=1(initial value).
4.2 Mutual Authentication
Generally, the process of t th time authentication is as follow.
1) User A sends the authenticating information to B:
2) User B firstly verifies the authenticity of the information, that is, checks h(MAt12⊕SEED)⊕pN-MAt11-1 = MAt13 whether holds or not. If not, stop authenticating. If so, computes B(MAt12⊕SEED), and then sends the message back to A:
3) User A firstly verifies the authenticity of the information, that is, checks h(MBt12⊕SEED)⊕pN-MBt11-1 = MBt13 whether holds or not. If not, stop authenticating. If so, computes B(SEED⊕DBt). Then A sends the new password pAt to B for the next authentication:
4) User B firstly verifies the message whether comes from A, that is, checks if h(MAt2⊕DBt) = pA(t−1). If so, it returns the new pBt:A←B:MAt2 = pBt⊕DAt. Substitutes the new pAt = MAt2⊕DBt for pA(t−1), and lets t = t+1.
5) User A firstly checks h(MAt2⊕DAt)=pB(t−1) whether holds or not. If so, substitutes the new pBt = MAt2⊕DAt for pB(t−1), and lets t = t+1.
After N times authentication, user A and B both obtain Nth bit tip value of the new hash chain contained in DAt and DBt. Once the old hash chain is exhausted, a new one is activated. This process can be continued indefinitely, achieving a hash chain self-updating smoothly.
Fig. 1 illustrates the interaction flow between user A and B to complete the mutual authentication.
Fig. 1.The process of the t th time authentication
5. Security Analysis
The security of our protocol is totally based on the hash function and hard-core predicate function. If the hash function is one-way and collision resistant, the protocol is provably secure.
1) Anonymity
In our protocol, the node value of one-way hash chain is utilized to process authentication, without exposing any identity information of the user. So, the privacy of the user is preserved.
2) Non-Repudiation
Only the two parties who engaged in the authentication process can produce the value of the hash chain for authenticating, and the others who attempt to generate a valid one is equivalent to break the properties of hash function, which is computationally infeasible. So, the two parties can not repudiate themselves once the session is established.
3) Traceability
The node value of the hash chain used in each time authentication is generated by the secret seed KA⊕SEED⊕h(IDA), which contains the unique ID number of the corresponding user. If something misbehaved happens, the person in charge can be traced through the secret seed.
4) Non-Masquerading
The key message in the authentication process is the node value of hash chain. Any adversary attempts to impersonate user A to communicate with the others, it has to present hN−t−1(KA⊕SEED⊕h(IDA)) correctly, but it does not know KA⊕SEED⊕h(IDA). The only way is try to obtain the hash value from hNKA⊕SEED⊕h(IDA)). Unfortunately, it is computationally infeasible.
5) Resist Replay Attack
If the message MAt1 and MAt1 have been intercepted by the adversary, it still need to get MAt2 and MAt2 to launch a replay attack. So it has to find out pAt and pBt, but deriving pAt and pBt from the known pA(t−1) and pB(t−1) is equivalent to break one-way hash function, which is computationally infeasible.
6) Resist Man-In-The-Middle Attack
Literature [11] pointed out Yeh’s Protocol [5] is vulnerable to man-in-the-middle attack, and gave the concrete attack method.
(1) The attacker eavesdrops on the t th and (t−1)th authentication, then it can obtain:
(2) Utilizing the stolen information, the attacker forges the password for the t+2 th authentication:
Except the random number Dt+1 used in t+1 th authentication, other factors in the forged t+2 th authentication password M′(t+2)=(M′(t+2)1,M′(t+2)2,M′(t+2)3) are all valid. Due to the random variable is not stored on the user side, it will not perceive that the attacker pretend to be the server and communicate with it by M′(t+2), then the attacker will obtain the password for the next time authentication. Subsequently, it can masquerade as the user to complete the authentication with the server, using the true password.
In our protocol, user A and B respectively generate a random number DAt and DBt for securely transmitting the bit of the tip of a new chain, and store them on local; and the digit i of the bits which have been transmitted is recorded in each authentication, so the times of authentication is also recorded through this tag. Then our protocol can resist the man-in-the-middle attack described in [11].
Meanwhile, if DAt and DBt are tampered, then the tip value of a new hash chain will be consequentially altered, apparently, it is no longer valid for passing the verification in authenticating process.
5. Conclusion
Based on the Yeh’s Protocol, a self-updating one-time password mutual authentication protocol was proposed, which allows unlimited times of authentication. Through capturing the secure bit of the tip of a new chain, the hash chain can update by itself smoothly without any re-initialization process, effectively mitigating the risk caused by the frequent interactions in the process of reconstruction. The improved protocol has a low computation overhead and traffic, which is suitable for Ad hoc environment. It can resist man-in-the-middle attack, and achieves anonymity and traceability at the same time.
References
- L. Lamport, "Password Authentication with Insecure Communication," Communications of the ACM, vol. 24, issue 11, pp. 770-772, November, 1981. https://doi.org/10.1145/358790.358797
- N. Haller, The S/Key One-Time Password System, http://mail.tools.ietf.org/html/rfc1760, 1995.
- M. Sandirigama, A. Shimizu, and M. T. Noda, "Simple and Secure Password Authentication Protocol (SAS)," IEICE TRANSACTIONS on Communications, vol. E83-B, no. 6, pp. 1363-1365, June, 2000.
- T. Tsuji, T. Kamioka, and A. Shimizu, "Simple and Secure Password Authentication Protocol Ver.2 (SAS-2)," IEICE TRANSACTIONS on Communications, vol. 102, no. 314, pp. 7-11, September, 2002.
- T. C. Yeh, H. Y. Shen, and J. J. Hwang, "A Secure One-Time Password Authentication Scheme Using Smart Cards," IEICE TRANSACTIONS on Communications, vol. E85-B, no. 11, pp. 2515-2518, November, 2002.
- V. Goyal, A. Abraham, S. Sanyal, and S. Y. Han, "The N/R One Time Password System," in Proc. of International Conference on Information Technology: Coding and Computing, pp. 733-738, April 4-6, 2005.
- H. Zhang, and Y. Zhu, "Self-Updating Hash Chains and their Implementations," in Proc. of 7th International Conference on Web Information Systems Engineering, pp. 387-397, October 23-26, 2006.
- A. G. Chefranov, "One-Time Password Authentication with Infinite Hash Chains," Novel Algorithms and Techniques in Tele-Communications, Automation and Industrial Electronics, pp. 283-286, 2008.
- X. Wang, J. Zhang, S. Wang, and et al, "A Key Agreement Scheme for Mobile Ad Hoc Networks Based on Password Authentication," Journal of Software, vol. 17, no. 8, pp. 1811-1817, August, 2006. https://doi.org/10.1360/jos171811
- O. Goldreich, Foundation of Cryptography: Basic Tools, Cambridge University Press, pp. 64-74, 2001.
- D. H. Yum, and P. J. Lee, "Cryptanalysis of Yeh-Shen-Hwang's One-Time Password Authentication Scheme," IEICE TRANSACTIONS on Communications, vol. E88-B, no. 4, pp. 1647-1648, April, 2005. https://doi.org/10.1093/ietcom/e88-b.4.1647
- C. Li, and M. Hwang, "A Lightweight Anonymous Routing Protocol without Public Key En/Decryptions for Wireless Ad Hoc Networks," Information Sciences, vol. 181, issue 23, pp. 5333-5347, December, 2011. https://doi.org/10.1016/j.ins.2011.07.014
- D. He, M. Ma, Y. Zhang, and et al, "A Strong User Authentication Scheme with Smart Cards for Wireless Communications," Computer Communications, vol. 34, issue 3, pp. 367-374, March, 2011. https://doi.org/10.1016/j.comcom.2010.02.031
- C. Li, and C. Lee, "A Novel User Authentication and Privacy Preserving Scheme with Smart Cards for Wireless Communications," Mathematical and Computer Modelling, vol. 55, issue 1-2, pp. 35-44, January, 2012. https://doi.org/10.1016/j.mcm.2011.01.010
- K. G. Paterson, and D. Stebila, "One-Time-Password-Authenticated Key Exchange," in Proc. of 15th Australasian Conference on Information Security and Privacy, pp. 264-281, July 5-7, 2010.
- M. H. Eldefrawy, M. K. Khan, and K. Alghathbar, "One-Time Password System with Infinite Nested Hash Chains," in Proc. of International Conferences on Security Technology, Disaster Recovery and Business Continuity, pp. 161-170, December 13-15, 2010.
Cited by
- An Improved Broadcast Authentication Protocol for Wireless Sensor Networks Based on the Self-Reinitializable Hash Chains vol.2020, pp.None, 2014, https://doi.org/10.1155/2020/8897282