Lightweight Authentication Protocol Based on Physical Unclonable Function

Hanguang Luo,Tao Zou,＊,Chunming Wu,Dan Li,Shunbin Li and Chu Chu

1Zhejiang Lab,Hangzhou,311121,China

2Zhejiang University,Hangzhou,310058,China

3Tsinghua University,Beijing,100084,China

4The University of British Columbia,Vancouver,V1V1V7,Canada

Abstract: In the emerging Industrial Internet of Things (IIoT), authentication problems have become an urgent issue for massive resource-constrained devices because traditional costly security mechanisms are not suitable for them.The security protocol designed for resource-constrained systems should not only be secure but also efficient in terms of usage of energy,storage,and processing.Although recently many lightweight schemes have been proposed,to the best of our knowledge, they are unable to address the problem of privacy preservation with the resistance of Denial of Service (DoS)attacks in a practical way.In this paper, we propose a lightweight authentication protocol based on the Physically Unclonable Function(PUF)to overcome the limitations of existing schemes.The protocol provides an ingenious authentication and synchronization mechanism to solve the contradictions amount forward secrecy, DoS attacks, and resource-constrained.The performance analysis and comparison show that the proposed scheme can better improve the authentication security and efficiency for resource-constrained systems in IIoT.

Keywords:Lightweight;authentication;physically unclonable functions

1 Introduction

With the development of Internet of Things (IoT)technology, machine-to-machine (M2M)communication supports various applications for monitoring and control in such areas as eHealth,smart factory, and smart city.The research by Gartner [1] estimates that up to $2.5 million will be spent on sensing devices/actuators in a single minute by 2021,which means that the IoT devices will not only be used in home or office but also deployed in industrial manufacture,known as Industrial IoT or Industrial 4.0.A typical IIoT scenario primarily comprises the sensors, actuators, and other devices that periodically capture data of their immediate surroundings.A specific resource-constrained IIoT system is depicted in Fig.1.

Figure 1:Typical resource-constrained IIoT system

Since the development of openness and extensive interconnection in IIoT,security has become a global challenge in M2M communication.Although authentication is the cornerstone of providing adequate protection,and numerous schemes have been proposed to ensure security in traditional IT networks [2-10], these schemes cannot be readily applied for IIoT.Because in IIoT, many resourceconstrained devices are limited to computation power and communication bandwidth,such as Radio Frequency Identification(RFID)chips,wireless sensors,and so on.Therefore,it is essential to reduce the operational cost while ensuring the authentication protocol’s security for resource-constrained devices.This paper proposes a lightweight authentication protocol based on a series of operations,namely Physically Unclonable Functions(PUF),hash function,and exclusive-OR(XOR)operations,respectively,to provide mutual authentication between resource-constrained IIoT devices and gateway.The proposed protocol guarantees a higher degree of practicality,efficiency,and security than existing schemes.

2 Related Work and Motivation

Over the past years,some lightweight authentication schemes for IIoT have been proposed,which can be divided into two categories:hash-based schemes and PUF based schemes.Hash-based methods are designed only on the hash function,which cannot guarantee security against cloning attacks.On the contrary,PUF based methods add Physically Unclonable Functions to the authentication process on the foundation of a hash-based scheme to resist cloning attacks.A PUF is considered a unique physical feature of an electronic device,just like biometric features like fingerprints.When queried with a challenge C,it generates a response R that depends on both C and the specific physical properties of the device that cannot be reproduced or cloned, i.e.,R=PUF(C).Because of that, PUF based schemes have become popular research in recent years.

In 2012, Kardas et al.[11] proposed an RFID authentication scheme based on PUFs.However, this protocol cannot ensure forward secrecy and resilience of DoS [12] attacks.Hereafter,Akgun et al.[13] proposed another PUF based protocol.Regrettably, their scheme cannot ensure forward secrecy,which is an imperative security requirement for the authentication protocol.In 2017,Esfahani et al.[14]proposed a hash-based authentication scheme for M2M communication,but the protocol is vulnerable to traceability,impersonation,DoS,and cloning attacks.Recently,Gope et al.[15] proposed a novel PUF based scheme and claimed that the protocol is more practical and can overcome the limitations of existing schemes,especially ensuring forward secrecy and resilience of DoS attacks simultaneously.However, according to our analysis, the DoS resistance mechanism of their protocol is impractical.In their scheme,the additional use of emergency challenge and response pairs(i.e.,the(Cem,Rem))will be exhausted soon and unable to be synchronized again when suffered from DoS attacks frequently.Furthermore,the large number of(Cem,Rem)pairs stored in the server will cost expensive search and synchronization recovery overhead, which cannot be scalable for applications with a large database scale.

To solve the problems in the existing authentication schemes above, we proposed a lightweight PUF based authentication protocol in this paper.Our new method achieves higher security,efficiency,and practicality compared to the existing schemes.Furthermore,our protocol’s novel authentication and synchronization recovery mechanism can better deal with the problem between forward secrecy and resilience of DoS attacks that cannot be well resolved in the existing schemes.

3 Proposed Scheme

In this section, we describe the proposed lightweight authentication protocol for resourceconstrained devices in IIoT.The proposed scheme has two phases: registration and authentication.The symbols and cryptographic functions used in this article are defined in Tab.1.

Table 1: Symbols and cryptographic function

3.1 Registration Phase

Each resource-constrained device should be registered into the backend server through a secure channel.Firstly, the server generates a random challengeCj1and a temporary identityTID1jand then sends them to the device.Upon receiving the server’s message, the device storesTID1jandCj1then produces and sends the cor responding responsesto the server.Finally, the server stores the corresponding entry for each device,i.e.,theDetails of this phase are depicted in Fig.2.

Figure 2:Registration phase of the proposed scheme

3.2 Authentication Phase

This phase achieves authentication between the resource-constrained devices(abbreviated as D),gateway,and the backend server.Since each gateway is connected to the server through a secure wired link,we consider the gateway and server as a single unitGSUin the authentication phase.For that,the authentication phase consists of the following steps.The details of the authentication phase are depicted in Fig.3.

Figure 3:Authentication phase of the proposed scheme

(1)TheDgenerates a random numberNd,computes its temporary identityTIDij,and then sends them to theGSU.There are two cases.For the first round(wheni=1),theTID1jcan be picked from the register directly.When thei ＞1,TIDijcan achieve bywhereis the challenge fori-th round andis the temporary identity for(i-1)-th round.

(2)Upon receiving the,GSUuses it as an index to search the corresponding entry in the database.When a matched entry is found, theGSUgenerates a random numberNsand computesAt last,GSUconstitutes a response messageM2: 〈V1,Ns〉and sendsitto the D.If there is no matchTIDijin the database,the authentication requests will be rejected.

(3)After receiving theGSU’s response message, theDusesCjito generate the responseRijby its PUF.Subsequently,Dchecks whether the response parameterV1is valid or not.If the validation is successful, thenDcomputesand sendstoGSU.Finally,DupdatesCji,TIDij-1andCji-1withCji+1,TIDijandCjirespectively.

(4)Upon receiving the response message from D,GSUfirst computesandThen validates whether the response parameterV2is valid or not.If the validation is successful, thenGSUcalculatesand subsequently storesandin its memory for the following round communication.

In the case of the DoS attacks,the resynchronization mechanism will be executed by our scheme.When theGSUrejects the authentication request fromDfor the first time, where the temporary identityTIDijis computed bytheDwill directly chooseas the request parameter and generate a new random number,then send them toGSUagain.Sincemust have been used in the previous round successfully,GSUdefinitely can find the matched entry in its database.After that, the authentication process will do the same as the process above from steps (1)to (4).Finally,GSUandDwill update and hold the newest authentication entry together after the resynchronization mechanism.

4 Security Analysis

In this section, the security analysis shows that our scheme can overcome several imperative security properties and the malicious behaviors assumed in the security properties.Through both the rigorous informal and formal security analysis,we figure out that our proposed scheme achieves the desired security features to tolerate various known attacks in authentication in IIoT.

4.1 Informal Security Analysis

4.1.1 User Anonymity

Anonymity includes untraceability and unlinkability.Untraceability means that an adversary cannot identify which identities from the same group belong to whom.In comparison,unlinkability implies that an adversary cannot distinguish whether two identities belong to the same user.In our proposed scheme, the devices don’t reveal their real identities or secrets during each authentication instance since all the transmitted messages are computed with a random number.Hence,the devices are not traceable to the adversary with temporary identities or other secrets.Moreover, the temporary identitiesTIDijare calculated by random challengeand one-way hash function h, i.e.,whereCijis updated with the random number in each round.So,it is difficult for an adversary to correlate the current round temporary identityTIDijwith the next round.The same is between the different devices.

4.1.2 Confidentiality

The transmitted messagesM1,M2andM3between theDandGSUare all related to the secret response parameterRij.Without knowingRij,the adversary cannot forge the valid parameterandV2,which are used for authentication and transmitting confidential information.Besides,in the authentication process,all the verified messages and parameters are protected by hash function h.Even if the adversary may obtain the corresponding temporary identities and challenges from the captured device’s memory, it cannot recover other secrets that can help itself pass theGSU’s interrogation process.

4.1.3 Forward Secrecy

In the authentication phase, mutual authentication between theDandGSUcan be achieved based on the verified messagesM2andM3.DauthenticatesGSUby verifying the parameterV1=where an adversary cannot generate legitimateV1without knowing the responseRij.A similar process takes place when theGSUreceives messagesM3.TheGSUverifies the parameterto verify the legality of D.As depicted in the authentication process,an attacker also cannot generate a legalV2without the correct responseRij.Hence,our protocol achieves mutual authentication between resource constrain device and Gateway-Server Unit.

4.1.4 Mutual Authentication

An authentication protocol should provide forward secrecy to protect past sessions against future compromises of the secret keys.In our protocol, after completing each successful mutual authentic ation,the challenge parameterCjiand responseparameterRijwill be updated with the random number,i.e.,Due to the one-way characteristic of the hash function and PUF,the attacker cannot acquirefromorfrom.

4.1.5 The Resilience of DoS Attacks

Since both communicators need to update their secret security credentials to ensure forward secrecy, an attacker can cause a desynchronization problem by blocking the messages between two communicators,eventually causing the DoS problem.As mentioned in sect.2,almost all the existing lightweight authentication protocols fail to deal with the problem of forward secrecy and DoS attacks at once.In our proposed scheme, we utilize an ingenious resynchronization mechanism to cope with this problem.SinceDandGSUupdate temporary identityTIDij, challengeCji, and responseRijafter e ach authentication process,theGSUneeds to preserve current and previous round authentication entry, i.e.,whileDonly needs to preserve the last round authentication entryand the present round challenge parameterCji.When it comes to thei-th round authentication,Dcomputes the current round temporary identityTIDijby,and one-way hash function h,i.e.,theSuppose thatGSUhas rejected D’s first authentication request becauseGSUfailed to update the authentication entry during the last round by spontaneous failure or malicious attack.Since bothDandGSUmust have kept the previous successful authentication entry, they can revert to the synchronization state byDsendingtoGSUonce again.In this way,the proposed scheme ensures security against DoS to desynchronization attacks.

4.1.6 The Resilience of Clone Card Attack

An attacker can capture a valid device and access secrets stored in it to produce the cloned devices.Since PUF is based on a unique and complex physical characteristic,in our proposed scheme,even if the attackers obtain the device’s memory(i.e.,the,and),they cannot use them to forge or get the secret,which must be generated by the PUF.As a result,the attacker cannot impersonate a valid device by clone attack to pass theGSU’s authentication in our proposed scheme.

4.2 Formal Security Analysis

This section conducts a formal security verification using the widely accepted Automated Validation of Internet Security Protocols and Applications (AVISPA)[16] tool to demonstrate that our protocol fulfills the required security properties.It provides a modular and expressive formal language for specifying protocols and their security properties and integrates different backends that implement various state-of-the-art automatic analysis techniques.The formal security verification and the results of our protocol using OFMC backend are depicted in Fig.4.The details of the HLPSL code are provided in the supplementary material at https://github.com/lhguestc/AVISPA.

Figure 4:The result of the analysis of the proposed scheme using OFMC

5 Performance Analysis and Comparison

5.1 Security Feature Comparison

In this section,we compare some critical security properties of our protocol with recently proposed schemes.From Tab.2, we can see that our protocol can satisfy all the important required security requirements.Particularly, only our scheme can better ensure forward secrecy with the resistance of the DoS attack.

Table 2: Comparison of the required security properties(SP)

5.2 Computational and Communication Cost Comparison

Since resource-constrained devices generally have limited res ources such as storage and computation,it is important to consider the efficiency of the proposed scheme.We compare the performance of the proposed scheme in terms of the computation cost as shown in Tab.3, which illustrates the numbers of operations including hash (denoted by H), PUF (denoted by P), and random number generator (denoted by RNG).Tab.3 shows that our protocol’s computation overhead is lower than other existing schemes for the same condition.However, it provides better security which is shown earlier in Tab.2.It is worth mentioning that the computational cost of SHA-256 is similar to 256-bit Arbiter PUF[17],which can provide a reference for the comparison between our scheme and[14].

Table 3: Comparison of the computational cost

In Tab.4, we compare the efficiency of our scheme to the existing schemes in terms of device storage overhead,communication cost,and resynchronization complexity.According to[14]and[15],each authentication parameter will cause 128-bit storage or communication costs.Tab.4 shows that,in our proposed scheme,the device storage overhead and communication costs are 384-bit and 768-bit,which is less than all other existing schemes for the same condition.Furthermore,the proposed protocol’s resynchronization mechanism complexity is less than the latest Gope scheme [15], which claims to be the only scheme to meet the challenge between forward secrecy and DoS attacks.

Table 4: Comparison of the other cost

6 Conclusion

In this paper,we propose a PUF based lightweight authentication scheme for resource-constrained devices in IIoT.The proposed scheme provides ubiquitous demands for mutual authentication in M2M communication.Formal and informal security analysis shows that the proposed protocol achieves better security features than existing schemes.Moreover, the performance analysis and comparison indicate that our proposed approaches are more practical and suitable for ensuring secure communication in IIoT.

Funding Statement:This work was supported by China Postdoctoral Science Foundation under Grant Nos.2020M681959 and 2020TQ0291, in part by the national key R&D project under Grant No.2018YFB2100401, in part by the National Key Research and Development Project No.2018YFB2100400.

Conflicts of Interest:The authors of this paper declare that there are no conflicts of interest regarding the publication of this paper.