Security Analysis of a Lightweight Identity-Based Two-Party Authenticated Key Agreement Protocol for IIoT Environments

The Internet of Things brings convenience to social life while placing higher requirements on the security of data transmission and storage. Security incidents involving the industrial Internet of Things have occurred frequently in recent years and should be given full consideration. The identity-based authenticated key agreement protocol can solve these security threats to a certain extent. Recently, a lightweight identity-based authenticated key agreement protocol for the Industrial Internet of Things, called the ID-2PAKA protocol, was claimed to achieve secure authentication and meet security properties. In this paper, we show that the ID-2PAKA protocol is insecure in identity authentication and cannot resist the ephemeral key compromise impersonation attack.


Introduction
The application field of the Internet of Things is very extensive, especially in industry [1]. As increasingly more devices such as sensors are connected together [2], related industries are getting closer and integrated with the Industrial Internet of Things (IIoT). IIoT can be regarded as a high degree of integration of industrial automation systems and IoT systems. With the explosive growth of industrial information, the large amount of data generated in industrial production is a challenge for IIoT. How to effectively process, analyze, and record these data, and extract results that can guide industrial production, is the core difficulty of IIoT [3].
The system architecture of IIoT is shown in Figure 1. The perception layer is composed of widely deployed physical devices (such as sensors, actuators, manufacturing equipment, facility utilities, and other industrial manufacturing and automation related objects) and is responsible for real-time collection of industrial environment and production resource data. The network layer makes short-distance access and long-distance transmission of perception data a reality, while the data processing layer is for fully mining and utilizing the aggregated perception data. The application layer is composed of various industrial applications, including smart factories and smart supply chains. These intelligent industrial applications utilize numerous sensors and actuators to achieve real-time monitoring, precise control, and effective management.
Accordingly, security incidents involving IIoT have occurred frequently in recent years. For intruders, attacks on IIoT systems can attract more attention or yield more than attacks on IoT systems in other industries. Attackers have adopted a variety of intrusion methods, such as the leakage of industrial key data, and the illegal hijacking and manipulation of interconnected terminals [4]. The IIoT relies on modern and mature industrial automation systems and integrates a large number of technologies and applications from the fields of communications and computers. The wide application of the IoT puts forward stricter security requirements for data transmission and storage. Therefore, some traditional network attack methods are also suitable for IIoT systems. A large number of attacks have occurred in the past few years. The various hidden dangers they expose in the information security of IIoT are a major obstacle to the rising trend of IoT.
Specifically, the security threats faced by IIoT can be divided into two categories, namely, the hidden dangers of the internal structure of IIoT and the hidden dangers of external network attacks. Among them, attacks against external networks have the characteristics of wide coverage, multiple levels, and diverse attack methods. The solutions to these security problems usually use a mixture of computing, encryption, image processing, and identity authentication.
Applying cryptography to network communication can solve these security threats to a certain extent. Cryptography realizes the encryption, decryption, user identity authentication, key agreement, and privacy protection of important information through strict mathematical theories. It is one of the important means to protect communication security.
The key agreement protocol is an important branch of cryptography, which refers to the rule that two or more parties in communication negotiate a symmetric encryption key on a common channel before formal communication.
The key agreement protocol determines the security of the symmetric encryption key and thus determines the information security of the communication participants. Therefore, the study of session key agreement protocols can strengthen the security of the network to a certain extent, and it is of great significance to the protection of personal privacy and commercial interests.
Traditional key agreement protocols use certificates to authenticate the participants of the protocol, which are easy to be forged and tampered with. Therefore, the traditional session key agreement protocol still has certain deficiencies in security. The identity-based authenticated key agreement (ID-AKA) protocol integrates identity authentication into the key agreement process, avoiding the use of digital certificates and improving the security of the key agreement protocol [5,6]. According to whether bilinear pairing is used in the ID-AKA protocol, it can be divided into the ID-AKA protocol based on bilinear pairing and the ID-AKA protocol without bilinear pairing. Although the ID-AKA protocol without bilinear pairing has an advantage over the ID-AKA protocol based on bilinear pairing in terms of computational efficiency, the ID-AKA protocol without bilinear pairing is not satisfactory in terms of security [7]. Bilinear pairing is a computationally intensive operation, so the ID-AKA protocol based on bilinear pairing has obvious shortcomings in computational efficiency. This affects the comprehensive performance of the ID-AKA protocol based on bilinear pairing and also seriously affects its practical application range [8].
In this paper, we analyze the ID-2PAKA protocol for IIoT environments from [9] from a security perspective and discover some security threats. Our analysis shows that the protocol is insecure in terms of identity authentication. Moreover, there are some threats in its resistance to the ephemeral key compromise impersonation attack. The organization of this paper is as follows. Related works are first introduced in Section 2. Then, we briefly review the ID-2PAKA protocol in Section 3. Furthermore, Section 4 points out the weaknesses of the ID-2PAKA protocol. The conclusion is given in Section 5.

Related Work
In recent years, cyberattacks against industrial IoT systems have emerged one after another, showing a continuous upward trend. The security issues of industrial IoT systems have attracted great attention in the information security industry.
In view of the security issues of the IoT, a large number of security mechanisms have been proposed [10,11], especially the wireless sensor network as an important supporting technology of IoT. In [12], in response to the vulnerability of wireless sensor network nodes and limited resources, Zhou and Xiong propose a lightweight smart card-based wireless sensor network user authentication scheme, which is based on random values as temporary keys.
Through the request-response handshake mechanism to ensure the two-way authentication between the user and the gateway node, this solution avoids the problem of asynchrony between the smart card and the gateway node. The literature [13] presents a two-factor authentication protocol that provides a powerful authentication and session key establishment process. The protocol resists the threat of multiple users logging in with the same identity. The authentication process does not require public key operations, and it uses a cryptographic hash function to achieve higher efficiency.
The literature [14] proposes a new method adapted to resource-constrained wireless sensor networks. Only legitimate users can access node resources, and illegal users are denied access. The solution is based on ID technology and elliptic curve cryptosystem (ECC), which provides mutual authentication and key agreement processes between users and nodes. In [15], Liu et al. analyze the wireless sensor network in the perception layer of the IoT and propose an identity authentication scheme for the wireless sensor network.
The scheme uses ECC, protecting the data confidentiality and integrity of the perception layer of the IoT. However, this scheme only protects the data security of the perception layer of the IoT system and does not protect the IoT terminal devices at the perception layer.
At present, many key agreement protocols for the IoT environment pay more attention to lightweight requirements [16,17]. In 2016, Farash et al. [18] improved the key agreement protocol based on heterogeneous sensor networks proposed by Turkanovic. The improved version can strengthen the security level. Srinivas et al. [19] proposed a chaotic mapping-based key agreement protocol for the IIoT environment. However, the authors use a weaker model to prove the protocol; thus, there is still room for further improvement in the security of the protocol.
In addition to the traditional key agreement protocol, some other methods have also been introduced into the field of IIoT security protection. Recently, Xiong et al. [20] combined data encryption with game theory, designing a personalized privacy protection framework. The advantage is to find a reasonable balance between retaining quality of crowdsensing services and privacy. Besides, in order to solve the key management problem of dynamic wireless sensor networks in IIoT, Tian et al. [21] presented a key management scheme based on blockchain.
This scheme used stake blockchain to replace the base station to implement key management, avoiding the security threats of untrusted base stations.
The summary of literature studies is given in Table 1.

Review of ID-2PAKA Protocol
A brief introduction of the ID-2PAKA protocol is given in this section. It consists of three phases: setup phase, private-key generation phase, and session key agreement phase. The notations and the corresponding meanings used in the ID-2PAKA protocol are shown in Table 2.
There are three entities participating in the ID-2PAKA protocol: the initiator $P_1$, the responder $P_2$, and the PKG. Among them, the PKG is only responsible for generating the identity-based private key of $P_i$ ($i = 1, 2$). Other details are given in the following subsections.

Setup Phase.
In the setup phase, the PKG generates the system parameters according to the security parameter $k$: (1) With a given security parameter $k$, the PKG chooses a prime number $q$ greater than $2^k$, then generates an additive cyclic group $G_1$ and a multiplicative group $G_2$ of order $q$. The generator of $G_1$ is $P$.

Private-Key Generation Phase.
In this phase, the identity-based private keys and the corresponding public keys of $P_i$ ($i = 1, 2$) are generated by the PKG. The main details are shown in Figure 2:
(1) $P_i$ ($i = 1, 2$) submits the identity $ID_i$ ($i = 1, 2$) to the PKG.
(2) The PKG first authenticates the legality of $ID_i$ ($i = 1, 2$), then computes the public key $q_i = H_1(ID_i)$ and the identity-based private key $Pr_i = (s/(s + q_i))$.

Session Key Agreement Phase.
This phase is executed between the initiator $P_1$ and the responder $P_2$. The details are described in Figure 3: (1) The initiator $P_1$ chooses a random number $r_1 \in Z_q^*$, then computes $\psi_1 = r_1 P$ and $\sigma_1 = r_1 Pr_1$. Then, $P_1$ sends the tuple $\psi_1, \sigma_1$ to the responder.

Security Analysis of ID-2PAKA Protocol
There are some security vulnerabilities in the proposed ID-2PAKA protocol that cannot be ignored, which are introduced in detail in this section. The security analysis of the ID-2PAKA protocol in this paper is based on the theory of the eCK model and mainly consists of two parts: Ephemeral Key Compromise Impersonation Attack and Secure Authentication.
Under the eCK model, we can consider the security of the scheme from the perspective of leaking any two keys, except for leaking the long-term private key and temporary private key of a communicating party at the same time. The security analysis of the ID-2PAKA protocol is given as follows.

Ephemeral Key Compromise Impersonation Attack.
After analysis, when the ephemeral keys $r_1$ and $r_2$ of both communicating parties are leaked, the adversary $A$ can recover the corresponding session key according to the leaked messages.
Thus, the ID-2PAKA protocol cannot resist the ephemeral key compromise impersonation attack. The details are described in the following.
In the case that $r_1$, $r_2$ are known to $A$ and $\{q, G_1, G_2, P, e, H_1, H_2, P_0\}$ are public to all entities, $A$ can compute $\psi_1 = r_1 P$, $\psi_2 = r_2 P$ and $X = r_1 r_2 P$. The session key is computed as $sk_1 = H_2(ID_1 \| ID_2 \| \psi_1 \| \psi_2 \| X)$. In this way, the adversary can easily compute the vital session key without having to do any modification or insertion operations.
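The computation above can be turned into a review check for a key agreement design: derive the session key once as each honest party would and once from the ephemeral values alone, and flag the design if the results match. This is an added example, not code from the paper or from the ID-2PAKA authors; it assumes secp256k1 as a stand-in for $G_1$, SHA-256 as $H_2$, honest parties that compute $X$ as their own ephemeral key times the peer's $\psi$, and constructed sample values for $r_1$, $r_2$ and the identities.

```python
import hashlib

# Assumption: secp256k1 stands in for G1. The pairing e is not needed here,
# because the session key only uses scalar multiples of the generator P.
p = 2**256 - 2**32 - 977
q = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
P = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Affine addition on y^2 = x^3 + 7 over F_p; None is the identity."""
    if A is None or B is None:
        return B if A is None else A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1:
            R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def H2(id1, id2, psi1, psi2, X):
    """sk = H2(ID1 || ID2 || psi1 || psi2 || X); SHA-256 as H2 is an assumption."""
    pts = b"".join(c.to_bytes(32, "big") for pt in (psi1, psi2, X) for c in pt)
    return hashlib.sha256(id1 + id2 + pts).hexdigest()

def party_key(own_r, peer_psi, id1, id2, psi1, psi2):
    # Assumed honest computation: X = own_r * peer_psi, which equals r1*r2*P.
    return H2(id1, id2, psi1, psi2, mul(own_r, peer_psi))

def key_from_ephemerals(r1, r2, id1, id2):
    # Inputs are r1, r2 and public values only: no Pr_i, no master key s.
    return H2(id1, id2, mul(r1, P), mul(r2, P), mul(r1 * r2 % q, P))

def review_check(r1=0x1234567, r2=0x7654321, id1=b"P1", id2=b"P2"):
    """Constructed sample values; True means sk depends on ephemerals alone."""
    psi1, psi2 = mul(r1, P), mul(r2, P)
    k1 = party_key(r1, psi2, id1, id2, psi1, psi2)
    k2 = party_key(r2, psi1, id1, id2, psi1, psi2)
    return k1 == k2 == key_from_ephemerals(r1, r2, id1, id2)
```

A result of `True` from `review_check()` means neither $Pr_i$ nor the master key $s$ contributes to the session key, which is the property the eCK analysis above flags.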

Secure Authentication.
In addition to the ephemeral key compromise impersonation attack, the ID-2PAKA protocol is also insecure in terms of identity authentication. The verification of either party to the other is based on the equation $e(\sigma_1, P_0 + q_1 P) = e(r_1 (s/(s + q_1)) P, (s + q_1) P)$. However, the equation is essentially established by relying on the ephemeral key $r_1$. The processes of disguising $P_1$ and $P_2$ and completing the session key agreement phase are described below.

Conclusions
Secure communication is a vital point in the IIoT environment, which should be given full consideration. Many ID-AKA protocols for IIoT environments suffer from a variety of attacks. ID-AKA protocols based on bilinear pairing have an advantage in terms of security. In this paper, we analyze the ID-2PAKA protocol, which is a lightweight identity-based authenticated key agreement protocol for the industrial Internet of Things proposed by Gupta et al. recently. The analysis results show that the ID-2PAKA protocol cannot obtain secure identity authentication or resist the ephemeral key compromise impersonation attack. The main reason for this situation is that there are some security flaws in the misuse of the ephemeral key and the long-term private key.

Data Availability
No data were used to support this study.