Authentication and Key Agreement Phase Clause Samples

Authentication and Key Agreement Phase. When the user U wants to access the sensor node S, he or she initiates this phase by issuing a request via GWN. This phase enables GWN, U and S to effectively authenticate each other and then establish a session key between U and S. If a session key is negotiated successfully by U and S, then they can exchange private messages with each other via a public channel. A detailed description of the steps of this phase is as follows:
1. U selects a random number rU ∈ zq∗, generates the current timestamp t1 and computes EU = rU P, M′ = M∗ ⊕ h(IDU dU), NU = rU QGWN = (N(x), N(y)), AIDU = MIDU ⊕ N(y), KU = (rU + dU)QGWN and hU = H1(KU M′ t1). Then, U sends the request message {EU, AIDU, hU, t1} via a public channel to GWN.
2. When GWN receives the authentication request message from U at the time t′, it checks whether the condition |t′ − t1| ≤ ∆t holds. If yes, GWN then computes N′ = dGWN EU = (N(x)′, N(y)′). GWN then verifies U by computing the following: MID′ = AIDU ⊕ N(y)′, MU = h(MID′ dGWN), K′ = dGWN(QU + EU), and h′ = H1(K′ MU t1). GWN verifies whether the equation h′ = hU holds. If the verification does not hold, GWN rejects the user’s authentication request; otherwise, it goes to 3.
3. GWN generates its current timestamp t2, selects a random number rGWN ∈ zq∗ and calculates EGWN = rGWN P, KGWN = (rGWN + dGWN)QS, MGWN = N(x)′ ⊕ h(RS KGWN EGWN), hGWN = H1(KGWN IDS t2). Then, the gateway node GWN sends the message {EU, EGWN, MGWN, hGWN, t2, t1} to S via a public channel.
4. Upon receiving the authentication message from GWN at time t′, S first checks the validity of the timestamp on the condition |t′ − t2| ≤ ∆t. If t2 is invalid, S terminates the session. If it is valid, S then computes K′ = dS(EGWN + QGWN), N(x)′′ = MGWN ⊕ h(RS K′ EGWN), and h′ = H1(K′ IDS t2). Next, S verifies h′. If h′ = hGWN, the sensor node S accepts ▇▇▇ and goes to 5; otherwise, it rejects GWN.
5. S generates its current timestamp t3, selects a random number rS ∈ zq∗, and computes ES = rS P, KS = rS(RS − h(IDS dS)P), hS = H1(KS IDS t3), skS = rS(EU + N(x)′′ P) and AuthS = H1(skS t3). S sends the message {ES, t3, hS, AuthS} to GWN via a public channel. Then, S computes the session key SK = H2(skS ES EU t3 t1).
6. Upon receiving the replied message from S at time t′, GWN checks the validity of t3 on the condition |t′ − t3| ≤ ∆t. If t3 is valid, GWN computes K′ = h(IDS dGWN) ES and h′ = H1(K′ IDS t3). Then, GWN checks whether h′ = hS. If yes, GWN generates its current timest...
Authentication and Key Agreement Phase.
Step 1: GWN checks the validity of Ti and retrieves HIDi from TIDi. Then, GWN computes XSi = h(HIDi||K), ki = h(XSi||Ti), X∗ = DIDi ⊕ ki, MU∗i,G = h((X∗ ⊕ HIDi)||XSi||Ti), then checks MU∗i,G =? MUi,G. If it is correct, GWN computes XSj = h(SIDj||K), MG,Sj = h(DIDi||SIDj||XSj||TG), then sends {DIDi, MG,Sj, TG} to Sj, where TG is the timestamp.
Step 2: Sj checks the validity of TG and computes MG∗,Sj = h(DIDi||SIDj||XS∗j||TG), then checks MG∗,Sj =? MG,Sj. If it is successful, Sj computes kj = h(XS||Tj), Zi = MG∗,Sj ⊕ kj, KS = f(▇▇▇▇, kj), MSj,G = h(Zi||XS∗j||Tj), then sends {MSj,G, Tj} to GWN, where Tj is the timestamp.
Step 3: GWN checks the validity of Tj and computes kj = h(XSj||Tj), Zi∗ = MG∗,Sj ⊕ kj, MS∗j,G = h(Zi||XS∗||Tj), then checks MS∗j,G =? MSj,G. If it is correct, GWN computes MG,Ui = h(DIDi||MU∗i,G||kj||XXi||TG′), yi = kj ⊕ h(ki), TIDinew = h(HIDi||Ti), then sends {yi, MG,Ui, TG′}, where TG′ is the timestamp. Additionally, GWN updates (TIDi, TID◦) as (TIDinew, TIDi).
Step 4: Ui checks the validity of TG′ and computes kj = yi ⊕ h(ki), MG∗,Ui = h(DIDi||MUi,G||kj||XS||TG′), then checks MG∗,Ui =? MG,Ui. If it is correct, Ui computes KS = f(▇▇▇▇, kj) and updates TIDi as h(HIDi||Ti).
Authentication and Key Agreement Phase. In this phase, Ui and Sj authenticate each other and generate a common session key SK with the help of GWN. The trusted party GWN is interconnected with Ui and Sj, respectively, and helps to establish a session key between Ui and Sj; however, GWN is not able to derive the session key. Figure 3 illustrates the authentication and key agreement phase, which is performed as follows:
Step 1: GWN ⇒ Sj : {DIDi, Xi, MG,Sj, TG}
After receiving {▇▇▇▇, Xi, MUi,G, Ti, TIDi}, GWN checks the validity of Ti and retrieves HIDi from TIDi. If no TIDi is found, GWN checks TIDi◦. If it still is not found, GWN rejects the login request; otherwise, GWN computes XSi = h(HIDi||K) and ki = h(XSi||Ti). Then, GWN verifies MUi,G =? h((DIDi ⊕ ki ⊕ HIDi)||XS||Xi||Ti). If it is valid, GWN authenticates Ui and computes MG,Sj = h(DIDi||SIDj||XSj||Xi||TG), then sends {▇▇▇▇, Xi, MG,Sj, TG} to Sj, where TG is the current timestamp.
Step 2: Sj ⇒ GWN : {MSj,G, Yj, Tj}
After receiving {▇▇▇▇, Xi, MG,Sj, TG}, Sj checks the validity of TG and verifies MG,Sj =? h(DIDi||Xi||XS∗j||TG) using its stored secret value XS∗j = h(SIDj||K). If it is valid, Sj authenticates GWN and computes kj = h(XS∗j||Tj), Zi = MG,Sj ⊕ kj, where Tj is the current timestamp. Then, Sj generates a random number b ∈ Z∗p and computes Yj = bP and a session key SK = kji = h(DIDi||kj||bXi). Finally, Sj computes MSj,G = h(Zi||XS∗j||Xi||Yj||Tj) and sends {MSj,G, Yj, Tj} to GWN.
Step 3: GWN ⇒ Ui : {ei, MG,Ui, Yi, TG′}
After receiving {MSj,G, ▇▇, ▇▇}, GWN checks the validity of Tj, computes kj = h(XSj||Tj), Zi∗ = MG∗,S ⊕ kj and verifies MSj,G =? h(Zi∗||XS||Xi||Yj||Tj). If it is valid, GWN authenticates Sj and computes ei = kj ⊕ h(ki), MG,Ui = h(DIDi||MUi,G||kj||XSi||Xi||Yj||TG′), TIDinew = h(HIDi||Ti), where TG′ is the current timestamp. Then, GWN sends {ei, MG,Ui, Yi, TG′} to Ui and updates (TIDi, TIDi◦) as (TIDinew, TIDi) in its storage.
Step 4: After receiving {ei, MG,Ui, Yi, TG′}, Ui checks the validity of TG′, computes k∗j = ei ⊕ h(k∗i) and verifies MG,Ui =? h(DIDi||MUi,G||k∗j||XS||Xi||Yj||TG′). If it is valid, Ui computes the session key SK = kij = h(DIDi||kj||aYi). Finally, Ui updates TIDi as h(HIDi||Ti).
Authentication and Key Agreement Phase. In this stage, the process of AKA unfolds between WDj and Ui/MTi, as well as between Ui and CS, culminating in the establishment of two distinct session keys. The detailed procedures of this authentication phase are systematically
calculated as n∗2 = h(TIDWDj PIDWDj) M1. Additionally, n∗1 is derived from n∗1 = h(TIDi TIDWDj) M5. Finally, M2∗ is determined by M2∗ = h(M1 T2 n∗1 n∗2). CS then assesses the consistency between M2 and M2∗. Should any inconsistency arise from this comparison, the connection is forthwith terminated.
A6 CS initiates the process by generating a nonce n4 and a timestamp T4. It then engages in several computations: M7 = Bi ⊕ T4 = h(TIDi Ri K) ⊕ T4, M8 = n4 h(TIDi Ri n3 T4), session key SKCS−Ui = h(TIDi M7 n3 n4 T3 T4), and M9 = h(M4 M8 SKCS−Ui T3 T4). A separate session key SKWDj−Ui = h(TIDi TIDW ▇▇ ▇(IDWDj K) n2 n4 T4) is computed, followed by M10 = h(M4 M8 SKWDj−Ui T3 T4) and M11 = SKWDj−Ui h(Bi n1 n3 n4 T3 T4). Subsequently, CS generates TIDinew and TIDWDjnew, and updates (TIDiold = TIDi, TIDinew = TIDinew), (TIDold = TIDWD,
Authentication and Key Agreement Phase. After completing this phase, the user Ui and the server S can achieve the goal of mutual authentication and session key agreement, which can be used for secure subsequent communication without revealing the user’s identity. The authentication and key exchange phase is depicted in FIGURE 4.
Step 1. The user Ui inserts his smart card into a card reader and inputs IDi and pwi.
Step 2. The smart card selects a random number r′i ∈R Zn∗ and computes R′i = r′i × G, Ai = r′i × Rs × h(IDi ⊕ pwi ⊕ ri). It then sends ⟨R′i, Ai, Mi⟩ to the server S.
Authentication and Key Agreement Phase. This phase is established between 𝐷𝑖 and 𝐷𝑗 and shown in Fig. 1.
Fig. 1. Authentication process in ▇▇▇▇▇▇▇▇▇ et al.’s protocol
Step 1. 𝐷𝑖 chooses a random number 𝑥 ∈ 𝑍𝑝∗ and calculates values of 𝜏𝑖 = 𝑥𝐺 and 𝛼𝑖 = 𝑥𝑄𝑗 where 𝑄𝑗 is the public key of 𝐷𝑗. Then, it calculates pseudo-ID 𝐴𝐼𝐷𝑖 = 𝛼𝑖 ⨁ 𝐼𝐷𝑖 and calculates 𝑍𝑖 as 𝑍𝑖 = ℎ(𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡1) where 𝑡1 is the current timestamp of the message. Finally, the message < 𝐴𝐼𝐷𝑖, 𝜏𝑖, 𝑍𝑖, 𝑡1 > is sent to 𝐷𝑗.
Step 2. 𝐷𝑗 receives the message < 𝐴𝐼𝐷𝑖, 𝜏𝑖, 𝑍𝑖, 𝑡1 > at time 𝑡′. If 𝑡′ − 𝑡1 < Δ𝑇, it verifies the freshness of the message. Then, it calculates 𝛼𝑖 = 𝑑𝑗𝜏𝑖 and retrieves 𝐼𝐷𝑖 = 𝐴𝐼𝐷𝑖 ⨁ 𝛼𝑖. After that, it checks whether or not 𝑍𝑖 =? ℎ(𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡1) and verifies 𝐷𝑖. Otherwise, it immediately aborts the session. 𝐷𝑗 then picks the random nonce 𝑦 ∈ 𝑍𝑝∗ and timestamp 𝑡2 and calculates the values of 𝜏𝑗 = 𝑦𝐺, 𝐾𝑗 = 𝑦𝑄𝑖 + 𝑑𝑗𝜏𝑖, 𝐴𝐼𝐷𝑗 = 𝛼𝑖 ⨁ 𝐼𝐷𝑗, and 𝑍𝑗 = ℎ(𝑘𝑗 ∥ 𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡2). Finally, it transmits the message < 𝐴𝐼𝐷𝑗, 𝜏𝑗, 𝑍𝑗, 𝑡2 > to 𝐷𝑖.
Step 3. 𝐷𝑖 checks freshness of the received message and retrieves 𝐼𝐷𝑗 = 𝐴𝐼𝐷𝑗 ⨁ 𝛼𝑖. Then, it calculates 𝐾𝑖 = 𝑥𝑄𝑗 + 𝑑𝑖𝜏𝑗 and checks if 𝑍𝑗 =? ℎ(𝑘𝑖 ∥ 𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡2). If the condition holds, 𝐷𝑗 is verified. 𝐷𝑖 then calculates the session key 𝑆𝐾𝑖 as 𝑆𝐾𝑖 = ℎ(𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐾𝑖) and generates message < 𝑅𝑖 > as 𝑅𝑖 = ℎ(𝑆𝐾𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑖) to transmit to 𝐷𝑗.
Step 4. Upon the reception of the message, 𝐷𝑗 calculates session key as 𝑆𝐾𝑗 = ℎ(𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐾𝑗) and checks whether or not 𝑅𝑖 =? ℎ(𝑆𝐾𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑗). If not, it immediately terminates the session; otherwise, 𝑆𝐾 = 𝑆𝐾𝑖 = 𝑆𝐾𝑗 is verified.
Authentication and Key Agreement Phase. If the above verification is successful, it indicates that the user Ui has successfully passed the login phase. Then, the vehicle ▇▇ performs an encryption calculation and sends the encrypted request message M1 to the drone Dj. The drone Dj first checks the legitimacy of the timestamp Ti. If it is legal, the drone Dj encrypts the vehicle’s request message M1 into message M2 with its private information and forwards it to the control center (CC) for verification. The CC checks the legitimacy of the drone Dj and helps Dj verify the legitimacy of the vehicle Vi. If both the vehicle Vi and the drone Dj are legitimate, the CC helps the vehicle Vi and the drone Dj to generate the secrets for common verification. After that, the drone Dj and the vehicle Vi complete the authentication with the help of the CC and establish a session key for secure communication. Both the authentication and key agreement phases are briefed in Figure 6. The following steps are critical to completing this phase.
1) The vehicle Vi selects a random number αi, and generates an up-to-date timestamp Ti. To prevent temporary secret (αi) leak attack, the vehicle Vi computes ri = H2(αi si Ti), Ri = ri P, and Ri∗ = ri Ppub. To ensure security and save computing overhead, the vehicle Vi then computes an encrypted ciphertext Ci = ER∗(IDi, DIDj, PIDj, Ti) and a hash signature ρi = H4(DIDj PIDj IDi Ri Ri∗ si Ti), where Ri∗,x denotes the x-coordinate of the elliptic curve point Ri∗. At last, the vehicle Vi sends a request authentication s the legitimacy of the Vi by denying the request message M1. Otherwise, the CC confirms that the received credentials (IDi, DIDj, PIDj, Ti) are valid, and continues to decrypt [βj Tj] = DH2(sj||ρi||Ti)(Cj). Next, the CC authenticates the drone Dj by checking the hash signature δ =? H (C R ρ DID PID s β T ). If the authentication fails, the CC rejects the legitimacy of the Dj by denying the request message M2. Otherwise, the CC confirms that the drone Dj is valid, and generates a hash secret si,j = H6(si Ri∗ Ti Tcc) for the authentication of the Vi and the Dj. Then, the CC calculates an encrypted ciphertext Ci,j = EH2(sj||δj||βj)(▇▇▇▇ si,j) and a hash signature ψi,j = H5(si,j Ri sj δj Ci,j DIDj Ti Tcc) for the Dj. Finally, the CC transmits the message M3 = Ci,j, ψi,j, Tcc to the Dj.
4) Upon receiving the message M3, the drone Dj first checks the freshness of the timestamp Tcc. If |T∗cc − Tcc| < ∆T, the Dj acquires [DIDj||sj] = DH2(sj||δj||βj)(Ci,j), then...
Authentication and Key Agreement Phase. During this stage, the AKA process is conducted between WDj and Ui/MTi, as well as between Ui and CS. This stage culminates in the establishment of two distinct session keys. The following is a detailed explanation of the procedure.
A1 A nonce n1 and the current time T1 are generated by MTi, which then forwards Msg1 = T1, TIDi, n1 to WDj via an open channel.
A2 Upon receiving Msg1, WDj initially verifies whether the condition T2 T1 ∆T is satisfied, where T2 represents the current timestamp, and ∆T denotes the maximum allowable delay for message transmission among WDj, MTi, and CS. In other words, the freshness of the message is checked to prevent replay attacks. If this condition is met, WDj proceeds to generate a random number n2 and computes M1 = h(TIDWDj PIDWDj) n2 and M2 = h(M1 TIDi T2 n1 n2). Thereafter, WDj constructs message Msg2 = M1, M2, TIDWDj, T2 and transmits it to MTi over an open channel.
A3 After receiving Msg2, MTi verifies the message’s timeliness to ensure its relevance and integrity. If the message is fresh, MTi generates a random nonce n3 and computes Bi = Ei ⊕ h(HIDi ⊕ HPWi ⊕ ri), M3 = (n1 n3) ⊕ h(Bi Ri T3), and M4 = h(TIDi TIDWDj M2 M3 n3 T3). Then, MTi constructs
h(TIDWDj PIDWDj) M1, and M2∗ = h(M1 TIDi T2 n∗1 n∗2). Subsequently, CS verifies whether M2∗ = M2. If this condition holds true, CS authenticates WDj, indicating the successful validation of the device’s identity.
A6 CS generates random nonce n4 and timestamp T4, and then computes SKCS−Ui = h(TIDi (Bi ⊕ T4) n3 n4 T3), M5 = (n2 n4) ⊕ h(TIDi Ri n3 T4), SKWDj−Ui = h(TIDi TIDWDj PIDWDj n2 n4 T4), M6 = h(M5 SKCS−Ui SKWDj−Ui T3 T4), and M7 = SKWDj−Ui h(Bi n1 n3 n4 T3 T4). Further, CS assigns new temporary identities, TIDinew for MTi and TIDWDjnew for WDj, and updates its database to reflect the new assignments, setting (TIDiold = TIDi, TIDinew = TIDinew) and (TIDWDjold = TIDWDj, TIDWDjnew = TIDWDjnew). Subsequent to these updates, CS further computes TIDi∗ = TIDinew ⊕ h(TIDi n4 SKCS−Ui), TIDWDj∗ = TIDWDjnew ⊕ h(TIDWDj n4 SKWDj−Ui), and M8 = h(TIDi TIDWDj M6 M7 T3 T4). Finally, CS constructs message Msg4 = M5, M7, M8, TIDi∗, TIDWDj∗, T4 and transmits it to MTi via an open channel.
A7 Upon receiving Msg4, MTi performs a verification process to ensure the message’s timeliness. If the message is fresh, MTi computes (n n∗4) = M5 ⊕ h(TIDi Ri n3 T4), SK∗CS−Ui = h(TIDi (Bi ⊕ T4) n3 n∗4 T3), SK∗WDj−Ui = M7 ⊕ h(Bi n1 n3 n∗4 T3 T4), M6∗ = h(M5 SK∗CS−Ui SK...

Related to Authentication and Key Agreement Phase

  • Authentication of Notes If, at the time the successor by merger or consolidation to the Indenture Trustee succeeds to the trusts created by this Indenture, Notes have been authenticated but not delivered, the successor Indenture Trustee may adopt the certificate of authentication of a predecessor Indenture Trustee and deliver the Notes so authenticated. If at that time any Notes have not been authenticated, the successor Indenture Trustee may authenticate the Notes. In each of those cases, the certificates will have the same force and effect provided in the Notes or in this Indenture as the certificate of the predecessor Indenture Trustee.

  • Authentication Date The Notes of this Series shall be dated the date of their authentication.

  • Authentication of Trust Certificates On the Closing Date, the Owner Trustee shall cause the Trust Certificates to be executed on behalf of the Trust, authenticated and delivered to or upon the written order of the Depositor signed by the Depositor’s president, any vice president, secretary, treasurer or any assistant treasurer, without further company action by the Depositor. No Trust Certificate shall entitle a Certificateholder to any benefit under this Agreement or be valid for any purpose unless there shall appear on such Trust Certificate a certificate of authentication substantially in the form set forth in Exhibit A, executed by the Owner Trustee or the Certificate Registrar, as its authenticating agent, by manual signature; such authentication shall constitute conclusive evidence that such Trust Certificate shall have been duly authenticated and delivered hereunder. All Trust Certificates shall be dated the date of their authentication.

  • Authentication and Delivery The Indenture Trustee will, on Issuer Order, authenticate and deliver the Notes for original issue in the Classes, Note Interest Rates and initial Note Balances as stated below. Class A Notes 0.41% $1,069,300,000 Class B Notes 0.67% $73,700,000 Class C Notes 0.77% $57,000,000

  • Authentication and Delivery of Trust Certificates On the Closing Date, the Owner Trustee shall cause to be authenticated and delivered upon the order of the Depositor, in exchange for the Receivables and the other assets of the Issuer, simultaneously with the sale, assignment and transfer to the Issuer of the Receivables, and the constructive delivery to the Issuer of the Receivable Files and the other assets of the Issuer, Trust Certificates duly authenticated by the Owner Trustee, in authorized denominations equaling in the aggregate the Original Certificate Balance and evidencing the entire ownership of the Issuer. No Trust Certificate shall entitle its Certificateholder to any benefit under this Agreement, or be valid for any purpose, unless there shall appear on such Trust Certificate a certificate of authentication substantially in the form set forth in Exhibit A, executed by the Owner Trustee or the Trust’s Authenticating Agent, by manual signature; and such authentication shall constitute conclusive evidence that such Trust Certificate shall have been duly authenticated and delivered hereunder. All Trust Certificates shall be dated the date of their authentication. Upon issuance, authentication and delivery pursuant to the terms hereof, the Trust Certificates will be entitled to the benefits of this Agreement. Whenever, in any Basic Document, a reference is made to authentication by the Owner Trustee, such reference shall include authentication by the Owner Trustee and/or authentication by a party appointed to act as the Authenticating Agent of the Owner Trustee.