Common use of Authentication and Key Agreement Phase Clause in Contracts

Authentication and Key Agreement Phase. When the user U wants to access the sensor node S, he or she initiates this phase by issuing a request via GWN. This phase enables GWN, U and S to effectively authenticate each other and then establish a session key between U and S. If a session key is negotiated successfully by U and S, then they can exchange private messages with each other via a public channel. A detailed description of the steps of this phase are as follows: 1. U selects a random number rU ∈ zq∗ , generates the current timestamp t1 and computes EU = rU P, M′ = M∗ ⊕ h (IDU dU), NU = rUQGWN = (N(x), N(y)), AIDU = MIDU ⊕ N(y), KU = (rU + dU)QGWN and hU = H1(KU M′ t1). Then, U sends the request message {EU, AIDU, hU, t1} via a public channel to GWN. 2. When GWN receives the authentication request message from U at the time t′ , it checks whether the condition |t′ − t1| ≤ ∆t holds. If yes, GWN then computes: N′ = dGWN EU = (N(x)′ , N(y)′ ). GWN then verifies U by computing the following: MID′ = AIDU ⊕ N(y)′ , MU = h(MID′ dGWN), K′ = dGWN(QU + EU), and h′ = H1 K′ MU t1 . GWN verifies if the equation ′ = hU holds or not. If the verification does not hold, GWN rejects the user’s authentication request; else, goes to 3. 3. GWN generates its current timestamp t2, selects a random number rGWN ∈ z∗q and calculates: EGWN = rGWNP, KGWN = (rGWN + dGWN )QS, MGWN = N(x)′ ⊕ h (RS KGWN EGWN ), hGWN = H1 (KGWN IDS t2). Then, the gateway node GWN sends the message {EU, EGWN, MGWN, hGWN, t2, t1} to S via a public channel. 4. Upon receiving the authentication message from GWN at time t′ , S first checks the validity of the timestamp on the condition |t′ − t2| ≤ ∆t. If t2 is invalid, S terminates the session. If it is valid, S then computes: K′ = dS (EGWN + QGWN ), N(x)′′ = MGWN ⊕ h RS K′ EGWN , and h′ = H1 K′ IDS t2 . Next, S verifies h′ . If h′ = hGWN, the sensor node S accepts ▇▇▇ and goes to 5; otherwise, it rejects GWN. 5. S generates its current timestamp t3 and selects a random number rS ∈ z∗q , and computes ES = rS P, KS = rS (RS − h(IDS dS)P), hS = H1 (KS IDS t3), skS = rS(EU + N(x)′′ P) and AuthS = H1(skS t3). S sends the message {ES, t3, hS, AuthS} to GWN via a public channel. Then, S computes the session key SK = H2(skS ES EU t3 t1). 6. Upon receiving the replied message from S at time t′ , GWN checks the validity of t3 on the condition |t′ − t3| ≤ ∆t. If t3 is valid, GWN computes K′ = h (IDS dGWN) ES and ′ = H1 K′ IDS t3 . Then, GWN checks whether h′ = hS. If yes, GWN generates its current timestamp t4, computes AuthGWN = H1(rGWNQU MU t4) and sends the message {ES, EGWN, t3, t4, AuthS, AuthGWN} to U. 7. After receiving the replied message from GWN at time t′ , U checks the validity of t′ with the condition |t′ − t4| ≤ ∆t. If it is valid, U computes Auth′ = H1(dU EGWN M′ t4) and checks whether Auth′ = AuthGWN. If yes, U computes skU = (rU + N(x))ES, Auth′ = H1(skU t3). Then, U checks whether Auth′ = AuthS. If yes, U calculates the secret session key SK = H2(skU ES EU t3 t1). The process of authentication and key agreement is visually illustrated in Figure 2. SK = H2 (skU || ES || EU || t3 || t1) checks Auth' = Auth Auth' = H (sk || t ) sk = (r + N (x) )E ←⎯ES⎯, EG⎯WN , ⎯t3 , t4⎯, Au⎯thS ,⎯Auth⎯GWN⎯⎯ checks Auth' = Auth || M ' || t ) 1 U GWN Auth' = H (d E selects timestamp t4 AuthGWN = H1(rGWNQU || MU || t4 )