Figure 1 - uploaded by Muhamed Turkanović
Illustration of the Offline Password Guessing Attack. 

Source publication
Article
Full-text available
Xue et al. recently proposed an innovative mutual authentication and key agreement scheme for wireless sensor networks based on temporal credential using smart cards. However, in this paper we demonstrate that their scheme is vulnerable to password guessing attacks, node capture attacks and denial-of-service attacks. Furthermore we show that their...

Contexts in source publication

Context 1
... authentication is essential for the security of a Wireless Sensor Network (WSN). Since the network can be deployed in a hostile environment and the data in the network can be crucially important, a user needs to be authenticated before being allowed to access the data. A user can access data from a gateway node ( ) or directly from a specific sensor node ( ), whereby mutual authentication is very important in order to avoid spoofing and masquerading attacks. Recently Xue et al. [1] presented a new key agreement scheme with mutual authentication for WSNs based on temporal credentials. Their scheme is innovative in that it offers a relatively high security level while using only hash and XOR computations, and thus has a low computational cost. In comparison, other similar schemes offer nearly the same security level but have a higher computational cost due to the use of asymmetric encryption [2,3]. Other schemes that, like Xue et al.'s, use only hash and XOR computations have a lower computational cost but offer a lower security level than Xue et al.'s scheme [4-6]. Xue et al.'s scheme provides security features like mutual authentication, password and identity protection, key agreement and resilience to stolen smart card, gateway node bypassing, replay, insider and masquerade attacks. Unfortunately, as we will show shortly, we found that Xue et al.'s scheme suffers from offline password guessing attacks, node capture attacks and denial-of-service attacks and has some inconsistencies, making the scheme more computationally costly and less secure than originally presumed. In this paper we aim to identify the vulnerabilities and inconsistencies of Xue et al.'s scheme. The rest of the paper is organized as follows. Section 2 reviews Xue et al.'s scheme. Sections 3 and 4 describe the vulnerabilities and inconsistencies of their scheme. Finally we conclude the paper in Section 5. 
In this section, for the purpose of better understanding, we briefly review Xue et al.'s scheme. A detailed overview of the scheme is depicted in Figure 1. The notations used in the scheme are summarized in Table 1. Xue et al.'s scheme consists of three phases: the registration phase, the login phase, and the authentication and key agreement phase. The registration phase is divided into a user-gateway node ( ) registration phase and a sensor node-gateway node ( ) registration phase. Prior to the registration phase it is assumed that the shares identities and hashed passwords with every user . This is done by a system administrator, who stores the mentioned values into the memory of the , which acts as a base station for the network. The purpose of the registration phase for the user is to obtain a personalized smart card which can later be used to authenticate and access the data from the network. For the user to obtain a personalized smart card and thus complete the registration phase, the following steps are needed. First, the user uses his/her current timestamp and password to compute . Having computed , the user sends it over an open and public network to the , along with his/her identity and the previously used timestamp . If an eavesdropper intercepted this message between the user and the gateway, he would learn the identity of the user , but not the password , since it is hidden inside the pre-computed by a hash function, meaning that it is computationally infeasible to invert the hash and extract the from directly. However, later in the security analysis we will show that an attack at this point is possible if the adversary is highly skilled. After receiving , the first checks for a possible replay attack using the timestamp : it checks whether , where is the 's current timestamp and is the allowed time interval for transmission delay (e.g. 5 min). 
If the verification does not hold, the stops the registration phase and sends a reject message to the user , thus preventing a replay attack. If, on the contrary, the verification holds, the proceeds with its part of the registration phase by looking up its copy of 's hashed password with the help of 's identity , which was sent previously. As aforementioned, the is pre-configured with and of every user . Having found its copy of 's hashed password, the then uses it along with the received timestamp to compute its own version of . At this point, the checks whether the received and the computed are equal . If not, the user used an incorrect or and is marked as invalid, hence the stops the registration process and sends a reject message to the . If, on the contrary, the verification holds, the user is verified as legitimate and the proceeds with the registration phase. Using the user's identity and , the computes , where is the expiration time of the temporal credential. Furthermore, the computes the temporal credential using , the previously computed and , which is a private and secure parameter known only to the . Having the , the now computes its protected version ⨁ by XOR-ing it with 's hashed password. Finally, having computed all the necessary values, the completes the registration phase by personalizing 's smart card with the following parameters ( ) . The user can now use the in order to securely log in and authenticate with the network. Prior to the sensor node registration phase it is assumed that the shares identities and hashed passwords with every sensor node . Moreover, it is assumed that each sensor node is pre-configured with its and a random password . The purpose of the registration phase for the sensor node is to obtain the temporal credential and store it in its memory. The is later used in the authentication phase to verify the user and the . For a sensor node to complete the registration phase, the following steps are needed. 
Similarly to the registration of the user , the sensor node starts the registration process by computing , where is the current timestamp of the and is its hashed password. Having computed the first parameter , the sensor node sends a message containing to the over an open and public network. After receiving the initial registration message from the , in order to detect a replay attack, the first checks whether , where is the 's current timestamp, is the received timestamp from the , and is the allowed time interval for transmission delay. After the replay check, the uses the received identity of the to look up its copy of 's hashed password . Having found the hashed password ( ) for the appropriate sensor node , the uses it to compute its own version of . It then compares the received with the computed and checks whether , in order to verify the legitimacy of the sensor node . If the verification does not hold, the stops the registration process and sends a reject message to the , since the has sent invalid credentials. If, on the contrary, the verification holds, the acknowledges that the sensor node is legitimate and proceeds with the registration process. Using the identity of the sensor node , the ...
Context 2
... in this chapter we will demonstrate that although Xue et al.'s scheme is secure against the smart card breach attack and the insider attack, and sends only masked passwords over the public network, a successful offline password guessing attack can still be launched by combining these attack methods. In a password guessing attack an adversary tries to impersonate a user by iteratively guessing his password or some other login credential. In the online version of the attack, the adversary tries to guess the password by logging in to a server. This version is less powerful than the offline version, since the adversary is limited by the maximum number of allowed login attempts, whereas no such limitation exists in the offline version. In the offline version the adversary gets possession of some password-related data of a user (e.g. a hashed password) and iteratively guesses passwords, verifying each guess by comparing its hashed version with the intercepted one [7,8]. Here the adversary is limited only by the processing power of his/her own machine: no lockout can stop the guessing, since the attack is done locally on the adversary's machine. Because hardware is getting ever more powerful according to Moore's Law, adversaries can use this additional power for more guesses per second. There are two offline password guessing methods, i.e. the brute force attack and the dictionary attack [9,10]. According to [11], an adversary can guess passwords at a rate of 1 billion guesses per second, i.e. he/she can exhaust the space of five-character passwords in about 10 seconds. The guessing time grows exponentially with the password length beyond five characters. Using such methods, adversaries can usually break any password of seven or fewer characters in a feasible and acceptable time [11]. 
For longer passwords, the dictionary attack comes into play, since it uses a large library of words and compares their hashes with the secret hashed password. According to [12], studies showed that 20-50% of passwords were broken using such attacks with dictionary sizes of 2^20 to 2^30. The adversary can obtain the password-related message in numerous ways, e.g. by intercepting an encrypted login request message sent over an insecure public network, by stealing a user's smart card and extracting the data from it (i.e. a smart card breach attack), by being a privileged server user with access to the password table (i.e. an insider attack), etc. Although Xue et al.'s scheme is secure against the smart card breach attack and the insider attack, and sends masked passwords over the public network, we can demonstrate that an adversary can use some of the aforementioned methods to successfully run an offline password guessing attack. In the user- part of the registration phase, the user, in order to complete the registration, first computes using his current timestamp and his hashed password . He then sends a registration message to the over an insecure channel (e.g. a public network). The message contains the following parameters . Let us assume an adversary intercepts the user's registration message (Fig. 1). Since the message contains both the timestamp and the pre-computed parameter , the adversary has everything needed to recompute for any candidate password and can perform an offline password guessing attack. He can check a guessed password by comparing . If the verification holds, he has guessed the correct password . Having the valid password, the adversary needs only the smart card to successfully impersonate the valid user . Also in the registration phase of Xue et al.'s scheme, the personalizes a smart card for a user containing the following parameters ( ) . Let us assume an adversary gets possession of a smart card and knows a way to breach it, e.g. using a power analysis attack [13,14]. 
He is then able to read the secret parameters from the smart card. Since the adversary can extract the double-hashed password ( ) , he can use it to perform an offline password guessing attack and reveal the valid password, thus enabling him to successfully impersonate the valid user . Moreover, in Xue et al.'s scheme the gateway node stores the identity and hashed password of every registered user . Let us assume some privileged but malicious network user has full access to the . The adversary can then target a specific user , already knowing his identity , find his hashed password and mount an offline password guessing attack to reveal the user's real password. Having the user's password, the attacker can try to impersonate the user . A node capture attack is a WSN-specific physical attack, in which an adversary captures a legitimate node of the network, extracts some private information from it and uses it to target the entire network. The adversary could also use the captured node to run a Sybil attack [15], a node replication attack [16], a DoS attack [17], etc. Since a node capture attack can lead to numerous other types of attack and thereby cause serious problems for the WSN, the attack is also classified as hazardous [18] and should not be neglected. In Xue et al.'s scheme we found no resilience against the node capture attack, since an adversary could capture a node and no mechanism exists to detect it. The adversary cannot gain any specific security-critical or private information from the captured node to use against the user or the GWN, but since no detection mechanism exists, the adversary could use the captured node to impersonate a valid sensor node and send malicious and false data to the user, thereby causing damage. The adversary could also use the captured node for the other aforementioned types of attack (e.g. Sybil, replication, DoS) (Fig. 2). 
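The following Python script is an added example written for this page; it is not code from Turkanović and Hölbl's paper nor from Xue et al.'s scheme. It simulates the user-gateway registration exchange reviewed above (the user's timestamped value, the gateway's freshness check against replay, the lookup of the pre-shared hashed password, and the personalised smart card) and then runs the offline password guessing attack described in this section against both the intercepted registration message and the double-hashed password read from a breached card. Because the page does not reproduce the exact formulas, the following are assumptions: h() is instantiated as SHA-256 over the concatenated inputs, the user sends (ID, X, T) with X = h(h(PW) || T), the card stores h(h(PW)) and the temporal credential masked with h(PW), the gateway's private parameter and the expiry formula are placeholders, and the wordlist and user data are constructed for the demo.

```python
import hashlib
from typing import Optional

DELTA_T = 300  # allowed transmission delay in seconds (the page's example: 5 min)


def h(*parts: bytes) -> bytes:
    """Assumed instantiation of the scheme's hash h(): SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def user_registration_request(user_id: bytes, password: bytes, now: int) -> tuple:
    """User side: X is derived from the hashed password and the current timestamp
    (assumed formula X = h(h(PW) || T)) and sent in the clear together with ID and T."""
    timestamp = str(now).encode()
    x = h(h(password), timestamp)
    return (user_id, x, timestamp)


class GatewayNode:
    """GWN pre-configured by the administrator with every user's ID and hashed password."""

    def __init__(self, users: dict, secret: bytes):
        self.hashed_pw = {uid: h(pw) for uid, pw in users.items()}
        self.secret = secret  # private parameter known only to the GWN (assumed)

    def register_user(self, msg: tuple, now: int, lifetime: int = 86400) -> Optional[dict]:
        uid, x, timestamp = msg
        if abs(now - int(timestamp)) > DELTA_T:      # freshness check: stale or replayed
            return None
        hpw = self.hashed_pw.get(uid)
        if hpw is None or h(hpw, timestamp) != x:     # recompute X and compare
            return None
        expiry = str(int(timestamp) + lifetime).encode()
        tc = h(self.secret, uid, expiry)               # temporal credential (assumed formula)
        # Values personalised onto the smart card: the credential masked with h(PW)
        # and the double-hashed password h(h(PW)).
        return {"ID": uid, "expiry": expiry, "hh_pw": h(hpw), "tc_masked": xor(tc, hpw)}


def guess_from_message(msg: tuple, wordlist) -> Optional[bytes]:
    """Offline attack on the intercepted (ID, X, T): T is public, so every candidate
    password can be checked locally by recomputing X. No lockout applies."""
    _, x, timestamp = msg
    for cand in wordlist:
        if h(h(cand), timestamp) == x:
            return cand
    return None


def guess_from_card(card: dict, wordlist) -> Optional[bytes]:
    """Offline attack on a breached card: h(h(PW)) is verifiable with no server contact."""
    for cand in wordlist:
        if h(h(cand)) == card["hh_pw"]:
            return cand
    return None


# Constructed sample data for the demo (not from the paper).
WORDLIST = [b"123456", b"password", b"qwerty", b"sensor42", b"letmein", b"Winter2013!"]
USERS = {b"alice": b"sensor42"}


def demo(now: int = 1_700_000_000) -> dict:
    gwn = GatewayNode(USERS, secret=b"gwn-private-parameter")
    msg = user_registration_request(b"alice", b"sensor42", now)
    card = gwn.register_user(msg, now + 12)                # delivered within DELTA_T
    replayed = gwn.register_user(msg, now + 2 * DELTA_T)   # same message replayed later
    return {
        "card_issued": card is not None,
        "replay_rejected": replayed is None,
        "pw_from_message": guess_from_message(msg, WORDLIST),
        "pw_from_card": guess_from_card(card, WORDLIST) if card else None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The replay check works as the page describes, but it does nothing against the guessing attack: X is a deterministic function of a low-entropy secret and values the eavesdropper already holds, so the attacker's only cost is one hash computation per candidate, which is exactly the offline setting the section contrasts with the rate-limited online one.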
A detailed description of the node capture attack on Xue et al.'s scheme is as follows. Before deployment each sensor node is preconfigured with an identity and a hashed password . During the part of the registration phase, the sensor node computes its temporal credential and stores it in its memory. Let us assume an attacker captures a sensor node . When a user wants to access data from the network and starts the authentication process, the sends an authentication message { } to the captured sensor node . The captured sensor node then computes and and sends an authentication message { } to the and the user . Both, unaware of the capture, can compute and verify that , thus allowing the user to read possibly malicious data from the captured node. Xue et al.'s scheme does not provide any solution or countermeasure for such an event, thus making the scheme vulnerable to the node capture attack. Although WSNs have energy limitations and thus require lightweight protocols, security should not be neglected. A lot of research [19,17,20,21] has shown the potential threats of DoS attacks in WSNs, thus adding resilience against these attacks to the basic requirements of the network. A DoS attack can be launched on different layers (e.g., physical, link, network) with different types of attacks (e.g. jamming, collision, exhaustion, black holes, etc.). The main requirement for a DoS attack to be considered successful is that the network's capacity to perform its expected function is disturbed. Since nodes in a WSN are energy constrained, a powerful DoS attack could be deadly for the whole network. Considering that some WSNs are used to monitor human health or to detect chemical attacks, real-life damage should be considered. In Xue et al.'s scheme, no security mechanism was presented to mitigate DoS attacks, nor did the authors discuss any security mechanism or specific method to mitigate this type of attack. 
As an example, an adversary could launch a DoS attack by targeting the gateway node and saturating it with requests (jamming), so that any other legitimate request would go unanswered (Fig. 3). The attack could be initiated by first capturing a node, as described in the previous section. In this section we highlight some inconsistencies of Xue et al.'s scheme. The following comments show that the scheme in this form is infeasible for implementation and thus is more computationally costly than originally presented. Since the imperfections are easily avoided, as we will show below, we conclude that these are mainly inconsistencies, which are interrelated and easily overlooked. The descriptions of the inconsistencies are as ...

Citations

... To ensure secure authentication and authorization, this scheme should satisfy desirable security attributes, such as password guessing attack, stolen verifier attack, device loss attack, replay attack, impersonation attack, man-in-the-middle attack during communication (Wang et al. 2015). Das et al.'s scheme for hierarchical structure executes the key agreement among the base-station, user, and cluster head (Turkanović et al. 2014). An extensive holistic approach can address the cipher security issues in paper (Sunyaev et al. 2009). By using the sensor network with mobile devices the hierarchical approach for cloud and IoT was proposed by (Distefano et al. 2015). To address the privileged insider attack the author (Trnka et al. 2018) proposes the three-factor authentication scheme for multi-server environments based on elliptic curve cryptography (ECC). ...
Article
Full-text available
Internet of Things (IoT) is a thriving technology that interlinks gadgets to the internet by moulding a massive global network of unique objects which possess the capability to gather, process and exchange information to accomplish a specific task. The information is processed intelligently to produce new services; meanwhile, the threat of compromising the device is increasing in parallel. Security plays a vital and challenging factor in the cyber physical system. Implementation of a complex cryptographic algorithm is hard due to its resource constraint nature such as limited storage, computational ability, power constraint, etc. In our proposed prototype, we designed lightweight Elliptic curve cryptography (ECC) based algorithm coupled with a linear congruential method to strengthen the security. To validate the efficiency of our scheme, various experimentations are made and the results are compared in terms of communication and computation overhead. Our proposed method outperforms in the resource constraint environment which provides a highly secure key exchange mechanism and magnificent choice for ECC based key exchange using time-sharing point multiplication.
... Turkanović et al. [10] designed new protocols which handled different sorts of keys for LEAP protocols. Each cluster makes use of a unique secret key. ...
Article
Full-text available
Wireless sensor networks are described as an emerging new technology with a very promising future. Advances made in wireless sensor networks (WSNs) are the merging of advanced electronic and wireless technologies. Due to the popularity gained by the wireless environment, security is the main concern. Node authentication without compromising the lifespan of the networks is practically a daunting task. This research work introduces a new model, IBE-ECC, that administers the energy of sensor nodes with a faster authentication process. A signature verification model is deployed to achieve a faster authentication process. Nevertheless, the public key-based strategies eliminate the security process but their verification process takes a larger time. Therefore, authentication speed is a major constraint of our research endeavor. The proposed scheme is designed to achieve high security and fast authentication with energy efficiency. It uses identity-based encryption on elliptic curve cryptography and a user authentication with an energy efficient key management. Further, to improve the speed of the authentication, it reduces the signature size so that it would accelerate signature verification. Hence, the proposed scheme will provide secure key management, energy efficiency, fast authentication and additionally, computation overhead and communication costs are minimized. Finally, the experimental result demonstrates that the proposed strategy obtains 4797 ms higher execution efficiency and 45.53% lower computation costs than existing schemes.
... Although it was found to be susceptible to several attacks by many researchers [4], Kothmayr et al. in 2012 provided a two-way authentication architecture in IoT using the Datagram Transport Layer Security (DTLS) handshake, but it could only provide support to a few services [10]. Xue et al. in 2013 provided an authentication scheme based on temporal credentials [11], which was later on found to be vulnerable by several researchers [12][13][14]. In the not very distant past Turkanovic et al. proposed an authentication scheme based on Xue et al.'s scheme [15], but could not provide for traceability protection or sensor node anonymity. ...
... propose an innovative temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks, which is vulnerable to stolen credential table attack and later on the authors in [12][13] propose advanced temporal credential based security scheme with mutual authentication and key agreement for wireless sensor network to improve this flaw. ...
... Several user authentication with session key establishment protocols have been suggested earlier to provide security for various applications in WSN [21,34,35,39,42]. In 2009, Das [10] proposed an authentication protocol for WSN, and argued that it can withstand known security attacks and provide required functionalities. ...
Article
Full-text available
In current times, multimedia application includes integrated sensors, mobile networks and Internet-of-Things (IoT) services. In IoT services, if more devices are connected without much constrains, the problem of security, trust and privacy remain a challenge. For multimedia communications through Wireless Sensor Network (WSN), sensor nodes transmit confidential data to the gateway nodes via public channels. In such an environment, the security remains a serious issue from past many years. Only few works are available to support secure multimedia communications performed in IoT-enabled WSNs. Among the few works, Kumari and Om recently proposed an authentication protocol for multimedia communications in IoT-enabled WSNs, which is applicable in coal mine for safety monitoring. The authors claimed in their work that their contributory protocol strongly withstands several security threats such as, user impersonation attack, sensor node impersonation attack, sensor node anonymity issue and others technical design issues. However, this article proved that Kumari and Om’s protocol has some design flaws and is susceptible to various security attacks including, user and sensor node impersonation attacks. As a remedy, a robust authentication protocol using smartcard is constructed to solve the security issues found in Kumari and Om’s protocol. The proof of correctness of mutual authentication is performed using the BAN logic model. In addition, our further security investigation claimed strong protection against known security attacks. Our protocol is analyzed comprehensively and compared against the similar protocols and the results showed that it is efficient and robust than earlier protocols.
... One typical solution is to require both ECG sensor and medical provider to be registered with a GWN, so that a shared key can be established between the ECG sensor and the medical provider for subsequent secure communications. Predictably, a number of mutual authentication and key agreement (MAAKA) solutions designed for WSNs have been presented in the literature [5][6][7][8][9][10][11][12][13][14][15][16][17] (see section 2). ...
... Furthermore, only hash and XOR computations are utilized in the solution, thus it is suitable for resource constrained WSNs. Unfortunately, Das et al.'s solution was later proved impracticable for implementations due to some design flaws [12,13,22,23]. ...
Article
Full-text available
A characteristic of wireless sensor networks (WSNs) different from traditional networks is that WSNs are vulnerable to various types of attacks because of their distinctive features, involving distributed and nomadic attribute, wireless transmission medium, and lack of centralized infrastructure of security protection. Recently, Kumari et al presented a mutual authentication and key agreement scheme for WSNs using chaotic maps. Unfortunately, we find that the scheme of Kumari et al cannot resist sensor node capture attack, session-specific temporary information attack, sensor node impersonation attack, and man-in-the-middle attack. To overcome the security weaknesses in the solution of Kumari et al, this paper introduces a secure and efficient mutual authentication and key agreement scheme for heterogeneous ad hoc WSNs in fully public channel. Consequently, compared with the solution of Kumari et al, while providing relatively higher level of security and more security features, the proposed solution remains a favorable performance on communication overhead, computation overhead, and storage overhead separately.
... Another a simple user authentication and key agreement scheme for WSNs using smart cards proposed by Xue et al. [20]. However, Li et al. [21] and Turkanović et al. [22] found that Xue et al.'s scheme cannot secure against several attacks, such as stolen-verifier, off-line password guessing, stolen smart card, node capture and so on while it requires more computation and communication costs. Moreover, Li et al. proposed a robust scheme based on passwords which improves security over Xue et al.'s scheme. ...
Article
Full-text available
Due to the open environment in which hierarchical wireless sensor networks (HWSNs) are typically deployed, it is important to authenticate transmitted data. In recent years, a number of user authentication schemes with smart card for HWSNs have been proposed. In 2014, Turkanović et al. proposed a novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks (HADWSNs). Their scheme is a lightweight, which requires the computation of only hash functions. In this paper, we first analyze Turkanović et al.’s scheme and then demonstrate that their scheme cannot really protect against user masquerade, off-line password guessing, and node capture attacks. To overcome these security weaknesses, we further propose an advanced smart card based user authentication while inherits the original merits of their scheme. Through the informal and formal security analysis, we demonstrate that our scheme is resilient possible known attacks including the attacks found in Turkanović et al.’s scheme. In addition, we compare the proposed scheme with related ones to prove that the computation cost of the proposed scheme are well suitable for practical applications in HADWSNs.
... As per the security analysis results of the paper, this scheme provides mutual authentication, key agreement, masquerade attacks and spring back occurrence of insider attacks, password protection, password updating, identity protection, spring back occurrence of stolen smart card attacks, springing back occurrence of GWN bypassing attacks, springing back occurrence of replay attacks. But this scheme was vulnerable to stolen verifier attack and insider attacks, off-line password guessing, smart card lost problem and many logged-in users' attacks [15,16]. Even though it is vulnerable, it provides low communication cost, computation cost and storage cost. ...
... Even though it is vulnerable, it provides low communication cost, computation cost and storage cost. Then both [15,16] provided their improved versions of this scheme. Also, this paper suggests some other usage style of GWNs that will lead to an improved version. ...
... Turkanovic and Hölbl [16] proposed a two-sided validation technique among sensor nodes, users and the base stations or gateway nodes using smart cards. This is a lightweight authentication strategy, which is more alluring in IoT, due to its resource-constrained nature. ...
Article
Full-text available
With the development of IoT, the number of devices connected in it becomes very large in number. The existing authentication models are becoming vulnerable to many new attacks. A number of security principles should be provided for attaining the secured IoT implementation. IoT development in the coming future depends upon how we deal with the security problems and how we solve them. User authentication plays a crucial role, since the data or information should not be taken by faulty hands. Many researchers have addressed many security concerns regarding user authentication by providing related counter measures. This paper presents an overview of various proposed counter measures for user authentication and the advanced ways for providing security in IoT.