Research on Lightweight Mutual Authentication for the Product Authorization Chain

With the development of global economic integration in the Internet of Things (IoT), it is crucial to protect the wireless two-way authentication between users' intelligent terminals and servers in the product authorization chain. In order to ensure that legitimate users connect to the wireless network correctly, a lightweight wireless mutual authentication scheme for the product authorization chain is proposed to address the security defect of Kaul and Awasthi's scheme, which is easily subject to offline password guessing attack. The improved scheme uses a lightweight hash function and verifies the freshness of messages by using the send packet sequence number instead of a timestamp, which avoids strict clock synchronization between devices, and users can update their passwords themselves. Security analysis and cost and efficiency analysis show that the scheme presented in this paper has higher security, lower storage and communication costs, and lower computational complexity.


Introduction
With the progress of wireless technology and sensor networks, and the explosion of intelligent terminals such as smart phones and smart watches, mobile users can enjoy a variety of services provided by applications, purchase products, and access product information everywhere and at any time through individual intelligent devices connected to the mobile Internet [1]. In the whole product authorization chain, from producer and agents to consumers, users want to use smart devices to purchase products at any time and place and to obtain product-related information. However, once connected to a wireless network, intelligent terminals are vulnerable to unauthorized users who attack, intercept, steal, download, delete, or tamper with private data [2]. Therefore, in the process of data transmission between the intelligent terminal and the remote server in the product authorization chain, it is particularly critical to accurately verify the identities of the wireless communication parties to ensure data security. User identity authentication can accurately identify legitimate users and assign them server authorization, eliminating network security threats from malicious users. At present, a large number of user authentication schemes have been put forward.
Lamport initially designed a password-based authentication scheme over an insecure channel in 1981, but the scheme verifies the user's legitimacy by constructing a password table, which has a large hash overhead and is not suitable for practical application systems [3]. Subsequently, many scholars began to study and improve this scheme, which cannot achieve mutual authentication. In 2009, Wang et al. proposed an enhanced scheme to provide higher security [4]. Wen and Li demonstrated in 2012 that Wang et al.'s scheme could not defend against impersonation attack [5]: legitimate users could initiate an offline password guessing attack by obtaining the sensitive private information of other legitimate users in the system. In 2014, Chang et al. showed that Wang et al.'s scheme still transmitted the user identity in plaintext over the public channel [6]. They then designed an untraceable remote user authentication scheme based on dynamic identity with a verifiable password update. In the same year, Kumari et al. proved that Chang et al.'s scheme could not prevent offline password guessing attack, impersonation attack, and so on, and proposed an improved scheme to overcome these security flaws [7]. In 2016, Kaul and Awasthi proved that Kumari et al.'s scheme is completely insecure because attackers can easily obtain the security parameters of the scheme and the public session key between the user and the server [8]. They proposed a new authentication scheme and proved its security. However, in 2017, Wang and Xu indicated that Kaul and Awasthi's scheme could not prevent offline password guessing attack and did not meet the security requirements of the authentication system [9]. In view of the security level of remote user ID authentication, Liu et al. proposed an improved two-way security authentication scheme by dividing the hash value into two parts in 2018 [10].
All of the above schemes use a timestamp to verify whether a communication message is fresh, which requires strict clock synchronization between the intelligent terminal and the server. However, as the number of intelligent terminal devices accessing the wireless network grows, it is difficult to ensure that the clocks of all intelligent terminals and servers are strictly synchronized. Many scholars have studied this problem and proposed corresponding authentication schemes. In 2016, Wang et al. improved the scheme of Wen and Li by using the send packet sequence number instead of a timestamp, but the login password could not be changed freely [11,12].
Given the above analysis, the public key scheme proposed by Qiu et al. eliminates the long-standing conflict between security and availability in two-factor authentication mechanisms by combining "honeywords" with a "fuzzy verifier" [13,14]. This paper analyzes the security flaw of Kaul and Awasthi's scheme and proposes a lightweight wireless mutual authentication scheme for the product authorization chain [15]. The sequence number PN of the sent packet is constantly updated to verify the freshness of each message. An iterative operation composed of a strong one-way hash function and simple XOR is used to securely and mutually authenticate the user and the server. The user can change his password and establish a secure session [16,17]. The proposed scheme uses a one-way hash function and the bitwise exclusive-or operation to realize two-way authentication between users and servers while maintaining the security advantages of the traditional scheme.

Problem Statement and Motivation
Due to space limitations, the specific implementation steps of Kaul and Awasthi's scheme are detailed in the literature [8]. Table 1 presents the notations used in this study.
It is discovered that Kaul and Awasthi's scheme cannot resist offline password guessing attack. The analysis is as follows.
Suppose that an adversary A can obtain the smart card of A_i by theft or other means and extract SPI_βi, SPI_ci, SPI_χi, η_i, and h(·) stored in the smart card through some technique. Because ID_i is transmitted in plaintext on the public channel, ID_i can be obtained illegally by the adversary A in the authentication phase [18,19]. A then performs the following operations to realize an offline password guessing attack: (1) from the password space D_PW, A selects a PW*_i as a guess for the value of PW_i, in which (2), and (3) until PW_i is found. From the above analysis, the time complexity of this attack process is O(|D_PW| · (5T_h + 5T_XOR)), where T_h is the runtime of the hash function operation, T_XOR is the runtime of the XOR operation, and |D_PW| is the number of passwords in D_PW. |D_PW| is very limited in practice, usually |D_PW| ≤ 10^6 [12]. Therefore, the above attack is very effective.
The scheme needs to include the encrypted information of the product corresponding to the current authorization and the authorization information of all or part of the earlier authorized products. The product authorization chain is also important for tracking product flow through the logistics pipeline. Through after-sales service tracking of authorized products or service behaviors, a trusted platform that binds consumer information to product information is formed to realize the feedback and transmission of product and user information under big data. It ensures consumers' understanding, exquisite manufacturing, and sincere service so as to realize a healthy cycle in the social consumption circle.

The Model of Product Authorization Chain
To address the existing problem in Kaul and Awasthi's authentication scheme, this paper proposes a model of the product authorization chain, which consists of three flows: data flow, product flow, and product information flow. Product information flow flows the most frequently and responds most sensitively to the authorization chain; it affects the product flow and the information of subordinate agents, and it is the main basis of authorization chain decision-making. In view of attacks on the data communication between both parties, the polymorphic authentication service protocol, through the built-in self-compiling system of the security subsystem, makes the active attacker face the improved virtual iterative function polytropic function set [20]. By using multiagent technology, the model of the product authorization chain typically includes three roles: producer, consumer, and n-level agent. Producers with root access rights can access all product information from the cloud server [21]. Other roles are authorized by their superior and can access the corresponding product information. Figure 1 illustrates the authorization process of the product authorization chain. The producer owns the complete product information, such as product composition, processing technology, and production cost. Each level of agent can obtain the corresponding amount of information through registration, paging, authorization, and encoding. An agent in the authorization chain distributes the information it receives from a superior agent only if it is authorized, and not solely on the basis of discrepancies between superior and subordinate agents' information, which might be caused by legitimate changes rather than attacks. The product information flow received by the primary agent, secondary agent, n-level agent, and consumer may be the same or different, in which P_a1, P_a2, P_a1n+i, and P_a2n+j may be equal or different.
This paper proposes a lightweight wireless two-way authentication scheme for the product authentication chain, which improves the security and efficiency of the authentication system through improvements to Kaul and Awasthi's scheme. Figure 2 illustrates the registration, login, authentication, and password changing phases of the proposed scheme. The validity of the improved scheme can be verified by logical reasoning over the security model. Burrows-Abadi-Needham (BAN) logic is used to prove the security of the proposed scheme in this paper [22]. The two authenticating entities in the scheme are the ith-level agent user A_i and the server S. Transmitted plaintext irrelevant to the security attribute to be demonstrated in the authentication process is eliminated.
Only the security attributes and logical parts related to mutual authentication are retained. The ideal goal formula of the authorization chain model is as follows: ID_i is the secret shared by both A_i and the server S. The ultimate objective of the mutual authentication scheme is as follows: The scheme is initialized and it is assumed that In order to achieve the final goal (4) of the scheme, we prove the following main logical conclusion.
It can be deduced from the idealized model (1).
Based on assumptions (6), the result can be obtained by substituting (7). The freshness inference rules of BAN logic can be applied to infer the formula.
According to the improved scheme proposed in this paper, the session key is The result can be derived by combining the results of (6), (9), and (10).
Based on assumptions (6), the result can be obtained by substituting (11) into jurisdiction rule R5. The safety target (4) is achieved, and the proof is complete.

Registration Phase
So as to acquire services from S, a new user A_i must register as follows:

Table 1 (partial, as recovered): h(·) denotes the strong one-way hash function; a second entry denotes the last send packet sequence number saved by A_i in the authentication phase, whose symbol is not legible in the source.
Step 1. A_i chooses his own ID_i, PW_i, and a random number R_a, calculates RPW_i = h(R_a ⊕ PW_i), and transmits ID_i, RPW_i to the remote server S over the secure channel.
Step 2. S randomly selects a unique random number R_si and computes the values of the four security parameter indexes (SPI) SPI_αi, SPI_βi, SPI_ci, and SPI_χi as follows: S stores them in the smart card and delivers it to A_i, who stores it in the smart card.

Login Phase
If A_i wants to log in to S, it must insert the smart card into the card reader and then proceed as follows: Step 1. A_i inputs ID*_i and PW*_i and computes the following: If the calculated SPI*_χi is equal to the SPI_χi saved in the smart card, the reader accepts the login request of A_i; otherwise, it exits. In addition, in order to prevent online password guessing attack, if wrong passwords are entered more than a preset number of times, the card is locked for a predefined limited period of time.
Step 2. After verifying the legality of the login request, A_i calculates λ_i, ω_i, and ϑ_i as follows: A_i updates the send packet sequence number PN_i = PN_i + 1 and then sends the login request λ_i, ω_i, ϑ_i, PN_i to the server S.

Authentication Phase
In this phase, A_i and S complete two-way authentication and establish a secure session key. Step 2. S computes SPI*_αi, R*_si, ID*_i, and ϑ*_i as follows: S then checks whether ϑ*_i = ϑ_i. If they are equal, the identity of A_i is legal; if not, S withdraws from the authentication phase.
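As an added illustration (not the paper's own code), the following Python model shows how the login and authentication phases use the send packet sequence number PN_i for freshness and how the card's wrong-password lockout limits online guessing. It uses the relations that appear on the page (RPW_i = h(R_a ⊕ PW_i), SPI_αi = h((ID_i ⊕ R_si) ‖ x ‖ y), SPI*_αi = h(λ*_i ‖ x ‖ y), hence λ_i = ID_i ⊕ R_si); the formats of ω_i and ϑ_i, the card values beta, c and chi, SHA-256 standing in for h(·), and MAX_WRONG = 3 are assumptions made here, and ID_i and PW_i are supplied as L-byte values as the paper assumes for all parameters.

```python
import hashlib
import os

L = 32         # every parameter is L bytes, L = hash output length (SHA-256 stands in for h)
MAX_WRONG = 3  # preset number of wrong passwords before the card locks (value assumed)

def h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def pad(s: bytes) -> bytes:
    return s.ljust(L, b"\0")[:L]          # bring ID_i / PW_i to L bytes so they can be XORed

class Server:
    def __init__(self):
        self.x, self.y = os.urandom(L), os.urandom(L)   # server private key x and number y
        self.last_pn = {}                               # ID_i -> last PN accepted from that user

    def register(self, id_i: bytes, rpw: bytes) -> dict:
        # Registration: SPI_alpha as on the page; beta, c and chi are constructed card values.
        r_si = os.urandom(L)
        spi_alpha = h(xor(id_i, r_si), self.x, self.y)  # SPI_alpha = h((ID_i xor R_si) || x || y)
        self.last_pn[id_i] = 0
        return {"beta": xor(spi_alpha, h(id_i, rpw)),   # hides SPI_alpha from a card reader
                "c": xor(r_si, h(rpw, id_i)),           # hides R_si
                "chi": h(id_i, rpw, spi_alpha)}         # local password check value

    def verify_login(self, lam: bytes, om: bytes, th: bytes, pn: int) -> str:
        # Authentication: recover SPI_alpha, R_si, ID_i, check PN freshness, then theta.
        spi_alpha = h(lam, self.x, self.y)              # SPI_alpha* = h(lambda* || x || y)
        r_si = xor(om, h(spi_alpha, pn.to_bytes(8, "big")))  # omega = R_si xor h(SPI_alpha || PN)
        id_i = xor(lam, r_si)                           # lambda = ID_i xor R_si
        if id_i not in self.last_pn:
            return "unknown user"
        if pn <= self.last_pn[id_i]:                    # PN must strictly increase
            return "stale sequence number"              # replayed or reordered packet
        if th != h(id_i, r_si, spi_alpha, pn.to_bytes(8, "big")):
            return "bad authenticator"
        self.last_pn[id_i] = pn
        return "ok"

class Card:
    def __init__(self, id_i: bytes, pw: bytes, server: Server):
        self.r_a, self.pn, self.wrong, self.locked = os.urandom(L), 0, 0, False
        self.spi = server.register(id_i, h(xor(self.r_a, pw)))   # RPW_i = h(R_a xor PW_i)

    def login(self, id_i: bytes, pw: bytes):
        # Login: check the password locally, lock after MAX_WRONG failures, build the request.
        if self.locked:
            return None
        rpw = h(xor(self.r_a, pw))
        spi_alpha = xor(self.spi["beta"], h(id_i, rpw))
        if h(id_i, rpw, spi_alpha) != self.spi["chi"]:
            self.wrong += 1
            self.locked = self.wrong >= MAX_WRONG
            return None
        self.wrong = 0
        r_si = xor(self.spi["c"], h(rpw, id_i))
        self.pn += 1                                    # PN_i = PN_i + 1 before sending
        lam = xor(id_i, r_si)
        om = xor(r_si, h(spi_alpha, self.pn.to_bytes(8, "big")))
        th = h(id_i, r_si, spi_alpha, self.pn.to_bytes(8, "big"))
        return lam, om, th, self.pn                     # login request (lambda, omega, theta, PN)
```

Because the server records the last accepted PN per user and S binds PN into ϑ_i, a captured request replayed later is rejected as stale without any clock comparison.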

Information Inquiry and Information Authorization Phase
Step 1. Information inquiry phase: After the two-way authentication between the intelligent terminal and the server, if A_i wants to query product information, the identity ID_i is encrypted with the secure session key generated after mutual authentication, and A_i transmits it together with the query request to S. S looks up the information authorization granted to the user by the upper-level user, and then S sends the relevant encrypted information to the user A_i using the session key SK.
Step 2. Information authorization phase: After the user successfully logs in to the system, the user sends an information authorization request to the server, using SK to encrypt the identity of the next-level user and the amount of information granted, and sends it to S. The server saves it and waits for the query of the next-level user.

Security Analysis
The security of our scheme, that is, its ability to fend off some well-known attacks, is investigated and compared with the schemes in [4-8,11]. Table 2 is the comparison result. "✔" indicates resistance to the given known attack. "✕" indicates that it cannot be defended against or that the resistance is absent. The result illustrates that even if attackers extract all the values saved in the smart card and intercept all communication in the public channel, the security of the proposed solution is not affected.

Resist Offline Password Guessing Attack.
Assume an attacker A obtains the user's smart card and, by some means, extracts all values SPI_βi, SPI_ci, SPI_χi, η_i saved in the smart card. At the same time, since the security parameters … i are unknown, A needs to correctly guess the values of at least two unknowns each time, which is impossible in polynomial time [13]. Therefore, A cannot recover the values ID_i and PW_i from all the gathered information, and the scheme proposed in this article can defend against offline password guessing attack.

Resist Impersonation Attack
(1) Impersonating Legitimate User A_i. To counterfeit A_i, A must be able to calculate the correct user login request λ_i, ω_i, ϑ_i, PN_i; as can be seen from the model of the product authorization chain, it is impossible for A to derive ID_i, PW_i, b, and R_si from the information obtained from the missing or stolen smart card. A also cannot obtain the server's private key x and the random number R_si to calculate SPI_αi = h((ID_i ⊕ R_si) ‖ x ‖ y). So, A cannot successfully disguise itself as the legitimate user A_i. (2) Impersonating Server S. The server does not reveal the unique key x and number y. The hash function is strongly one-way; hence, A cannot accurately calculate SPI*_αi = h(λ*_i ‖ x ‖ y) and then cal- … is not able to successfully pose as the server.

Resist DoS Attack.
When A_i logs in to the server, the smart card first checks whether the input ID_i and PW_i are correct. Only with the correct ID_i and PW_i does the smart card accept the login request. Therefore, there is no case in which A_i inputs an erroneous ID_i and PW_i that cause an incorrectly calculated login request to be sent, which would expose the user to a denial-of-service condition after the server's verification fails. Similarly, it is impossible for A to update the values SPI_βi, SPI_ci, SPI_χi, η_i in the smart card with an arbitrary password so that the card can no longer be used. In addition, whether due to a fake login request, a legitimate user's mistaken operation, or malicious attacks from A, when the number of failed logins exceeds a predetermined value the card is locked for a certain period of time, which economizes on server time, cost, and computing resources. Therefore, the scheme avoids DoS caused by a legitimate user's mistaken operation or by a malicious attack.

Resist Man-in-the-Middle Attack.
Suppose that A obtains all the parameters transmitted over the public network channel. The authentication message is … is not saved in the smart card nor transferred over the public channel; x and y are the server's private key and number, respectively, and R_si is the random number chosen by the server. Only U′ knows all of the above parameters, and it is only possible to intercept during the session. All the secret parameters are unlikely to be correctly guessed at the same time. Therefore, the scheme can resist man-in-the-middle attack.

Efficiency Analysis
From the aspects of memory space, communication cost, and computational complexity, this section analyzes our scheme and the other schemes in [4-8,11] and compares the cost and efficiency of the seven schemes in the registration, login, and authentication phases. Assume that all parameter byte lengths are equal to the output byte length of the strong one-way hash function. Table 3 presents the memory and communication cost, where L denotes the output byte length of the hash function. In our scheme, the security parameters saved in the smart card are … Therefore, the memory cost is 5L, and the communication cost covers all message bits λ_i, ω_i, ϑ_i, PN_i, μ_i, PN_s transferred over the public network channel in the login and authentication phases. Therefore, the communication cost is 6L. Table 3 shows that the proposed scheme equals the schemes in [5,7,8,11], which are the lowest, in terms of communication cost. The storage overhead of our scheme equals that of Kaul and Awasthi's scheme, which indicates that the proposed scheme does not increase memory cost compared with Kaul and Awasthi's scheme [8]. Combined with the security analysis of the six attacks listed in Table 2, only our scheme resists all attacks. Therefore, since the proposed scheme meets all the security properties shown in Table 2, our scheme performs best overall in terms of security attributes and communication cost, which makes it more appropriate for resource-constrained intelligent terminal systems. Table 4 shows the results of the computational complexity comparison with the other schemes, in which T_h denotes the runtime of the hash function operation and T_XOR denotes the runtime of the XOR operation. The computational complexity of Kaul and Awasthi's scheme is (20T_h + 28T_XOR), while ours has a smaller computational complexity of (18T_h + 21T_XOR) and meets more security needs. Our scheme uses only a strong one-way hash function and the simple XOR operation.
It is therefore suitable for smart terminals with lightweight operations. It has low system overhead and low computational complexity while ensuring the security and reliability of the system. The requirements of smart devices for data processing performance give it good scalability.
The diagram in Figure 3 shows a comparative analysis of the computational complexity of the four phases for Kaul and Awasthi's scheme, AES, ECC, and our scheme. The scheme proposed by Kaul and Awasthi has a test time of 57 μs. The scheme based on ECC has a test time of 65.8 μs. ECC has high computational complexity in the password changing phase, but it performs well in the registration and login phases. The test time of our scheme is 50.6 μs, one of the lowest values among the four schemes. Taking computational complexity as the metric, we also show that the model of the product authorization chain performs much better than the other three schemes during the registration, login, and authentication stages.

Conclusions
In view of the limitation of Kaul and Awasthi's scheme in resisting offline password guessing attack, this paper retains the other security advantages of Kaul and Awasthi's scheme and proposes a lightweight wireless two-way authentication scheme based on the product authentication chain. This scheme is suitable for solving the problem of the limited authentication computation available on IoT terminals. It can effectively avoid common attacks such as offline password guessing attack and man-in-the-middle attack, establish a secure session key, allow the password to be modified freely, and ensure the security of the Internet of Things system. At the same time, in order to avoid strict clock synchronization of the various devices in the network, the continuously updated send packet sequence number is used to ensure the validity of each message. According to the analysis of security, cost, and efficiency, the proposed scheme has higher security, less system overhead, lower computational cost, and higher operational efficiency, and is better suited to resource-limited user intelligent terminal equipment.

Data Availability
All the data in this study are from experimental data statistics.

Conflicts of Interest
The authors declare that there are no conflicts of interest.