Revisiting a Multifactor Authentication Scheme in Industrial IoT

Nowadays, as one of the key applications of the Internet of Things, the Industrial IoT (IIoT) has received significant attention and has made our lives easier. In IIoT environments, a large amount of data generally has to be transmitted between users and sensing devices over an open channel. To ensure that these data are transmitted safely, the user and the sensing devices must authenticate each other and establish a secure channel between them. Recently, a multifactor authenticated key agreement scheme for IIoT was proposed that aims to tackle this problem and to let a user access multiple sensing devices at once. That work claims that the proposed scheme is secure against various attacks and has lower communication and computational costs than other related schemes. Unfortunately, we find that this scheme cannot resist a smart card loss attack or a sensing device capture attack. Furthermore, we show that the scheme fails to provide forward secrecy, which is essential for a secure multifactor authentication scheme.


Introduction
The Internet of Things (IoT) has developed rapidly in recent years and has penetrated people's daily lives, with IoT devices deployed in many domains [1,2]. Because of its advantages in automatic monitoring, efficient control, and intelligent manufacturing, the Industrial IoT (IIoT) has attracted particular attention among these domains. In the IIoT environment, sensing devices can be accessed and controlled by users remotely: during production, sensing devices collect real-time data, which users can then retrieve. The network model for IIoT is described in Figure 1. As a security-critical system, IIoT has stricter requirements on the secure transmission and communication of data [3,4]. However, because the collected data are usually transmitted over a public channel, an attacker can mount attacks, and this creates security problems in the IIoT environment. In particular, an adversary may impersonate an authorized user and obtain data by accessing sensing devices. Such a situation would disrupt industrial production. Therefore, to ensure safe data transmission between users and sensing devices, many authenticated key designed by Vinoth et al., we do not think it can provide truly multifactor security.

Revisiting Vinoth et al.'s Scheme
In this section, we first revisit Vinoth et al.'s scheme [8] briefly and list the notations and abbreviations in Table 1 for convenience of description. Their scheme includes six phases; we review only the first three, which are the ones relevant to our attacks.

Offline Sensing Devices' Registration Phase.
Each sensing device $SD_j$ is registered by GWN offline and is assigned a unique identity $ID_{SD_j}$. To set up the secret, GWN chooses a secret value $S$ and two vectors $Vector_1$ and $Vector_2$ such that $S = Vector_1 \cdot x_0$ and $S^2 = Vector_2 \cdot x_0$. GWN then computes $s_j = Vector_1 \cdot x_j$ and $f_j = Vector_2 \cdot x_j$ for each sensing device $SD_j$ and picks pairwise relatively prime positive integers $k_1, \ldots, k_n$, one per sensing device (pairwise coprimality is what the later CRT step relies on). GWN computes $Mul = \prod_{j=1}^{n} k_j$ and $Mul_j = Mul / k_j$. Then, for each $j$, GWN generates a nonce $Nonce_j$ satisfying $Mul_j \times Nonce_j \equiv 1 \pmod{k_j}$, calculates $c = \sum_{j=1}^{n} Var_j = \sum_{j=1}^{n} Mul_j \times Nonce_j$, and stores it. Finally, GWN sends $\langle ID_{SD_j}, s_j, f_j, k_j \rangle$ to each sensing device.

User Registration Phase
(1) Step URP1: $U_i$ chooses a high-entropy password $PW_i$ and an identity $ID_i$. $U_i$ imprints the biometrics $B_i$ and computes $(BK_i, \tau_i) = Gen(B_i)$, where $Gen(\cdot)$ is the generation algorithm of the fuzzy extractor. $U_i$ generates a 128-bit random nonce $a$ and computes $TPW_i$ as
(2) Step URP2: after receiving the message $\langle ID_i, TPW_i \rangle$, GWN generates a 1024-bit random secret key $KEY_{GWN}$ and further calculates $KEY_{GWN}$
(3) Step URP3: after receiving $SC_i$, in order to protect $A_i$, mod $\omega$. Finally, $U_i$ stores $\{TID_i, A_i', C_i', D_i, V_i, Gen(\cdot), \tau_i, \omega, Rep(\cdot), h(\cdot)\}$ in the memory.

Authenticated Key Agreement Phase.
This phase includes the following steps; together with the login phase, it is summarized in Table 2.
(2) Step AKAP2: after receiving the broadcast message from GWN, each sensing device $SD_j$ first verifies $|TS_2 - TS_2'| \le \Delta TS$ to check the freshness of the message. If the inequality holds, $SD_j$ uses the CRT to obtain $r^*_{GWN} = M_4 \bmod k_j$ with its stored value $k_j$. $SD_j$ then uses the group key $r^*_{GWN}$ to decrypt $M_5$ and obtain the sensitive parameters $ID_i$, $ID_{GWN}$, and $r^*_i$, and to encrypt its legitimate shares $s_j$ and $f_j$, and generates the current timestamp $TS_3$. Then each sensing device $SD_j$ sends the reply message $\langle M_8, TS_3 \rangle$ to GWN securely.
(3) Step AKAP3: when receiving the message, GWN first verifies $|TS_3 - TS_3'| \le \Delta TS$ to check the freshness of the message. If it holds, GWN obtains the shares $s_j$ and $f_j$ by calculating $Dec_{r^*}$ $\sum_{t=1} \lambda_t f_t$ and checks whether $\theta_1^2 = \theta_2$. If it holds, GWN can reconstruct the secret successfully. Then GWN computes . GWN then generates the current timestamp $TS_4$ and a new temporary identity $TID_i^{new}$ and calculates $M_{13}$ GWN validates the shared session key by computing Step AKAP5: after receiving the message,
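The two mechanisms the registration phase sets up, the CRT-based group-key broadcast ($c = \sum_j Mul_j \times Nonce_j$, recovered on each device as $r^*_{GWN} = M_4 \bmod k_j$ in Step AKAP2) and the two-polynomial secret sharing with the consistency check $\theta_1^2 = \theta_2$ in Step AKAP3, are compact enough to run end to end. The following is an added worked example written for this review; it is not code from Vinoth et al. or from the paper. Everything the page leaves unspecified is an assumption made here and marked in the comments: the vectors $x_j = (1, j, j^2, \ldots)$ so that $Vector \cdot x_j$ is a polynomial evaluation, a prime field for the shares, the broadcast value $M_4 = r_{GWN} \times c \bmod Mul$, and Lagrange interpolation at zero as the reconstruction.

```python
from math import gcd
import secrets

# The paper names no field or modulus for the secret-sharing vectors; a Mersenne prime
# field is an assumption made here so that Lagrange interpolation is well defined.
PRIME = 2**61 - 1


def x_vec(j, t):
    """x_j = (1, j, j^2, ..., j^(t-1)): Vector . x_j evaluates a degree-(t-1) polynomial at j,
    and x_0 = (1, 0, ..., 0) picks out the constant term (assumed reading of the paper's x_j)."""
    return [pow(j, e, PRIME) for e in range(t)]


def dot(vec, x):
    return sum(a * b for a, b in zip(vec, x)) % PRIME


def lagrange_at_zero(points):
    """f(0) from t points (j, f(j)); lam is the Lagrange coefficient lambda_t of the paper."""
    total = 0
    for j, y in points:
        num, den = 1, 1
        for m, _ in points:
            if m != j:
                num = num * (-m) % PRIME
                den = den * (j - m) % PRIME
        lam = num * pow(den, PRIME - 2, PRIME) % PRIME
        total = (total + y * lam) % PRIME
    return total


def pairwise_coprime_moduli(n, bits=64):
    """k_1..k_n: pairwise relatively prime, each at least 2^63 so any 62-bit r_GWN is below every k_j."""
    ks = []
    while len(ks) < n:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if all(gcd(cand, k) == 1 for k in ks):
            ks.append(cand)
    return ks


def gwn_setup(n, t):
    """Offline registration (GWN side). Returns GWN's state and each device's <ID_SDj, s_j, f_j, k_j>."""
    S = secrets.randbelow(PRIME - 1) + 1
    vec1 = [S] + [secrets.randbelow(PRIME) for _ in range(t - 1)]            # S   = Vector_1 . x_0
    vec2 = [S * S % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 1)]  # S^2 = Vector_2 . x_0
    ks = pairwise_coprime_moduli(n)
    Mul = 1
    for k in ks:
        Mul *= k
    c = 0
    for k in ks:
        Mul_j = Mul // k
        Nonce_j = pow(Mul_j, -1, k)      # Mul_j * Nonce_j = 1 (mod k_j)
        c += Mul_j * Nonce_j              # Var_j; c is the sum of all Var_j
    devices = {j: {"id": f"SD_{j}", "s": dot(vec1, x_vec(j, t)),
                   "f": dot(vec2, x_vec(j, t)), "k": k}
               for j, k in enumerate(ks, start=1)}
    return {"S": S, "Mul": Mul, "c": c}, devices


def broadcast_group_key(gwn, r_gwn):
    """M_4 = r_GWN * c mod Mul (assumed form; the page only shows r*_GWN = M_4 mod k_j)."""
    return r_gwn * gwn["c"] % gwn["Mul"]


def device_recover_group_key(device, m4):
    """Step AKAP2 on SD_j: CRT recovery of the group key using only its own k_j."""
    return m4 % device["k"]


def gwn_reconstruct(shares):
    """Step AKAP3: shares is a list of (j, s_j, f_j) from t devices.
    Returns S when theta_1^2 == theta_2, otherwise None (a tampered or foreign share)."""
    theta1 = lagrange_at_zero([(j, s) for j, s, _ in shares])
    theta2 = lagrange_at_zero([(j, f) for j, _, f in shares])
    if theta1 * theta1 % PRIME != theta2:
        return None
    return theta1


if __name__ == "__main__":
    gwn, devs = gwn_setup(n=5, t=3)
    r_gwn = secrets.randbits(62)
    m4 = broadcast_group_key(gwn, r_gwn)
    print(all(device_recover_group_key(d, m4) == r_gwn for d in devs.values()))
    print(gwn_reconstruct([(j, devs[j]["s"], devs[j]["f"]) for j in (1, 3, 5)]) == gwn["S"])
```

Two things the code makes visible that the prose does not: the CRT trick works because $c \equiv 1 \pmod{k_j}$ for every registered $k_j$, so any party holding one registered modulus recovers the whole group key from a single broadcast (which is exactly what the sensing device capture attack later exploits), and the $\theta_1^2 = \theta_2$ check only detects a corrupted share; it says nothing about who contributed it.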

Cryptanalysis of Vinoth et al.'s Scheme
For a multifactor authentication scheme, it is essential to define a concise and concrete adversarial model. In this section, we present two attacks, a smart card loss attack and a sensing device capture attack, to show the vulnerabilities of the scheme. First of all, we adopt the adversary model proposed by Wang et al. [9], which is strict but reasonable. The assumptions below describe the adversary's capabilities:
(1) There are two kinds of communication channels: a secure channel and a public channel. The former is mainly used for registration, while the latter is used in the login and authentication phases. The adversary A has full control of the public channel, i.e., A can eavesdrop, intercept, modify, and redirect messages transmitted between the communicating participants [10,11].
(2) The adversary A can offline exhaust, within polynomial time, all the items in the Cartesian product of the identity space and the password space, both of which are of low entropy.
(3) When it comes to multifactor authentication, the scheme should remain secure even if one or more factors are compromised, which is called truly multifactor security [12]. Therefore, it is reasonable to assume that A may (i) obtain a victim's password by shoulder surfing or phishing, (ii) extract the secret parameters from a lost smart card by a side-channel attack, or (iii) obtain a victim's biometric information using malicious devices. However, A cannot achieve all three at the same time; otherwise the case is trivial.
(4) The adversary A could be the administrator of the server or a legitimate user in the system.
(5) The adversary A can determine the victim's identity.
Notation recovered from Table 1: a symmetric key between $U_i$ and GWN; $SK$, the session key between the user and the sensing devices; $S$, the secret value used for secret sharing; $s_j$, $f_j$, and $k_j$, $SD_j$'s secret parameters; $h(\cdot)$, the hash function; $\oplus$ and $\|$, bit-wise XOR and concatenation.
It is worth noting that in many protocols users select their own identity ID and password PW. However, user-selected identities and passwords are usually of low entropy ($|D_{id}| \le |D_{pw}| \le 10^6$) [13,14]. Therefore, assumption (2) is realistic.
Assumption (3) specifies truly three-factor security, and assumption (4) captures threats from inside the system, when the server is corrupted or a legitimate user is malicious. Finally, assumption (5) reflects the fact that most user identities are e-mail addresses or phone numbers, which are easily obtained.
The following analysis takes these five assumptions into account.

Smart Card Loss Attack.
We take the user $U_i$ as the victim to show the process of this attack. According to assumption (3), it is reasonable for the adversary A to obtain $U_i$'s smart card $SC$ (stolen or picked up) and the corresponding biometrics $B_i^*$. Besides, as a premeditated adversary, A has full control of the public channel and can collect a past transcript between $U_i$ and the gateway node (GWN), i.e., $\langle TID_i, M_1, M_2, TS_1 \rangle$. Then A can guess $U_i$'s password and identity correctly by the following steps, where $D_{id}$ denotes the identity space and $D_{pw}$ denotes the password space:
Step 5. A computes $r_i^* = M_1 \oplus A_i' \oplus RPW_i^*$, where A extracts $A_i'$ from the victim's smart card and takes $M_1$ from the past transcript, and verifies the correctness of the $(ID_i^*, PW_i^*)$ pair by checking whether $M_2^* = M_2$.
Step 7. A repeats Steps 2 to 6 until the correct values are found.
As mentioned before, users choose their own ID and PW in most password-based authentication schemes (e.g., [15-17]) for the sake of user-friendliness, and Vinoth et al.'s scheme is no exception. Since users often select low-entropy identities and passwords, assumption (2) is reasonable, and A can exhaust all $(ID, PW)$ pairs offline within polynomial time. The running time of the attack is $O(3T_H \times |D_{id}| \times |D_{pw}|)$, where $|D_{id}|$ is the number of identities, $|D_{pw}|$ is the number of passwords, and $T_H$ is the running time of one hash operation; the cost of the bit-wise XOR in Step 3 is negligible. Since $|D_{id}|$ and $|D_{pw}|$ are very limited (e.g., $|D_{id}| \le |D_{pw}| \le 10^6$) [13,14], the attack is practical and poses a real challenge to user authentication protocols.
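The attack above is an offline guessing attack whose oracle is the verifier equation $M_2^* = M_2$: once the card value $A_i'$ and the biometric key are in hand, every candidate $(ID^*, PW^*)$ yields a candidate $r_i^* = M_1 \oplus A_i' \oplus RPW_i^*$ that can be checked against a recorded transcript without contacting GWN. The following is an added example written for this review, not the paper's or Vinoth et al.'s code. Because the page does not show the full formulas of the scheme, it runs the attack against a modelled login with assumed definitions, marked as such in the comments: $RPW_i = h(ID_i \| PW_i \| BK_i)$, $M_1 = r_i \oplus A_i' \oplus RPW_i$, $M_2 = h(ID_i \| r_i \| TS_1)$, $h$ instantiated as SHA-256, and a constructed victim and dictionaries. The names `Victim`, `smart_card_loss_attack` and `demo` are this example's own.

```python
import hashlib
import secrets
from itertools import product

HASH_CALLS = 0


def h(*parts):
    """h(.) modelled as SHA-256 over the concatenated inputs; the counter reports cost in T_H."""
    global HASH_CALLS
    HASH_CALLS += 1
    data = b"\x00".join(p if isinstance(p, bytes) else str(p).encode() for p in parts)
    return hashlib.sha256(data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rpw(identity, password, bk):
    """RPW_i = h(ID_i || PW_i || BK_i): an assumed stand-in for the paper's password-derived value."""
    return h(identity, password, bk)


class Victim:
    """U_i: holds the smart card value A_i' and the biometric key BK_i (both modelled here)."""

    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.bk = secrets.token_bytes(32)        # BK_i from Gen(B_i)
        self.a_prime = secrets.token_bytes(32)   # A_i' as stored on SC_i; its derivation is irrelevant to the attack

    def login_message(self, ts1):
        """Modelled login: M_1 blinds r_i with A_i' and RPW_i; M_2 is an authenticator over r_i (assumed forms)."""
        r_i = secrets.token_bytes(32)
        m1 = xor(xor(r_i, self.a_prime), rpw(self.identity, self.password, self.bk))
        m2 = h(self.identity, r_i, ts1)
        return {"TID": "TID_i", "M1": m1, "M2": m2, "TS1": ts1}


def smart_card_loss_attack(a_prime, bk, transcript, id_space, pw_space):
    """Exhaust D_id x D_pw offline using A_i' (card), BK_i (biometrics) and one public transcript."""
    for id_guess, pw_guess in product(id_space, pw_space):
        rpw_guess = rpw(id_guess, pw_guess, bk)
        r_guess = xor(xor(transcript["M1"], a_prime), rpw_guess)          # r_i* = M_1 xor A_i' xor RPW_i*
        if h(id_guess, r_guess, transcript["TS1"]) == transcript["M2"]:  # M_2* == M_2 ?
            return id_guess, pw_guess
    return None


def demo():
    """Constructed victim and dictionaries; returns (recovered pair, hash calls, guesses tried)."""
    global HASH_CALLS
    victim = Victim("alice@example.com", "Summer2021")          # constructed sample victim
    transcript = victim.login_message(ts1=1625000000)            # one eavesdropped login
    id_space = [f"user{n}@example.com" for n in range(50)] + ["alice@example.com"]
    pw_space = [f"pass{n}" for n in range(100)] + ["Summer2021"]
    HASH_CALLS = 0
    found = smart_card_loss_attack(victim.a_prime, victim.bk, transcript, id_space, pw_space)
    return found, HASH_CALLS, len(id_space) * len(pw_space)


if __name__ == "__main__":
    print(demo())
```

In this model each candidate costs two hash evaluations (the paper counts three for the real scheme), and the search touches nothing but local data, so rate limiting at GWN does not help; the only defences are keeping $M_2$ from being checkable with the two leaked factors alone, or making the password-derived value depend on a secret the card does not store.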

Sensing Device Capture Attack.
According to Vinoth et al.'s threat model, the adversary A can compromise a sensing device (SD) and extract the parameters stored in it (i.e., $ID_{SD_j}$, $s_j$, $f_j$, $k_j$). Assume that $SD_j$ is captured by the adversary; then A can impersonate the user $U_i$ as follows:
Step 2. A decrypts the received message $M_5$ using the key $r^*_{GWN}$ and obtains the security parameters ($r_{GWN} \oplus KEY_{GWN-U_i}$, $ID_{GWN}$, $ID_i$, and $r_i^*$) of the user $U_i$ who is sending the login request and verifies whether the calculated $M_3$ is equal to the received $M_2$. If it holds, GWN accepts $U_i$ as authentic. Since the parameters are calculated correctly, the adversary A passes GWN's verification. Thus the adversary has successfully impersonated user $U_i$.

No Forward Secrecy.
When a scheme ensures that, even if the long-term private keys (or secrets) of the communication participants are leaked, previously agreed session keys remain secure [18], the scheme is said to support
Security and Communication Networks