Paper 2012/581

On the (in)security of some smart-card-based password authentication schemes for WSN

Ding Wang and Chun-guang Ma

Abstract

Understanding security failures of cryptographic protocols is the key to both patching existing protocols and designing future schemes. The design of secure and efficient remote user authentication schemes for real-time data access in wireless sensor networks (WSN) is still an open and quite challenging problem, though many schemes have been proposed lately. In this study, we analyze two recent proposals in this research domain. Firstly, Das et al.'s scheme is scrutinized, demonstrating its vulnerabilities to smart card security breach attack and privileged insider attack, which are among the security objectives pursued in their protocol specification. Then, we investigate a temporal-credential-based password authentication scheme introduced by Xue et al. in 2012. This protocol only involves hash and XOR operations and thus is suitable for the resource-constrained WSN environments where an external user wants to obtain real-time data from the sensor nodes inside WSN. However, notwithstanding their security arguments, we point out that Xue et al.'s protocol is still vulnerable to smart card security breach attack and privileged insider attack, and fails to provide identity protection. The proposed cryptanalysis discourages any use of the two schemes under investigation in practice and reveals some subtleties and challenges in designing this type of schemes. Besides reporting the security flaws, we put forward a principle that is vital for designing more robust two-factor authentication schemes for WSN.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. The abridged version of this paper has been submitted to WCNC 2013.
Contact author(s)
wangdingg @ mail nankai edu cn
History
2013-07-24: last of 6 revisions
2012-10-16: received
See all versions
Short URL
https://ia.cr/2012/581
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2012/581,
      author = {Ding Wang and Chun-guang Ma},
      title = {On the (in)security of some smart-card-based password authentication schemes for {WSN}},
      howpublished = {Cryptology {ePrint} Archive, Paper 2012/581},
      year = {2012},
      url = {https://eprint.iacr.org/2012/581}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.