Authentication and Key Agreement Phase Sample Clauses

Authentication and Key Agreement Phase. When the user U wants to access the sensor node S, he or she initiates this phase by issuing a request via GWN. This phase enables GWN, U and S to effectively authenticate each other and then establish a session key between U and S. If a session key is negotiated successfully by U and S, then they can exchange private messages with each other via a public channel. A detailed description of the steps of this phase are as follows: 1. U selects a random number rU ∈ zq∗ , generates the current timestamp t1 and computes EU = rU P, M′ = M∗ ⊕ h (IDU dU), NU = rUQGWN = (N(x), N(y)), AIDU = MIDU ⊕ N(y), KU = (rU + dU)QGWN and hU = H1(KU M′ t1). Then, U sends the request message {EU, AIDU, hU, t1} via a public channel to GWN. 2. When GWN receives the authentication request message from U at the time t′ , it checks whether the condition |t′ − t1| ≤ ∆t holds. If yes, GWN then computes: N′ = dGWN EU = (N(x)′ , N(y)′ ). GWN then verifies U by computing the following: MID′ = AIDU ⊕ N(y)′ , MU = h(MID′ dGWN), K′ = dGWN(QU + EU), and h′ = H1 K′ MU t1 . GWN verifies if the equation ′ = hU holds or not. If the verification does not hold, GWN rejects the user’s authentication request; else, goes to 3. 3. GWN generates its current timestamp t2, selects a random number rGWN ∈ z∗q and calculates: EGWN = rGWNP, KGWN = (rGWN + dGWN )QS, MGWN = N(x)′ ⊕ h (RS KGWN EGWN ), hGWN = H1 (KGWN IDS t2). Then, the gateway node GWN sends the message {EU, EGWN, MGWN, hGWN, t2, t1} to S via a public channel. 4. Upon receiving the authentication message from GWN at time t′ , S first checks the validity of the timestamp on the condition |t′ − t2| ≤ ∆t. If t2 is invalid, S terminates the session. If it is valid, S then computes: K′ = dS (EGWN + QGWN ), N(x)′′ = MGWN ⊕ h RS K′ EGWN , and h′ = H1 K′ IDS t2 . Next, S verifies h′ . If h′ = hGWN, the sensor node S accepts XXX and goes to 5; otherwise, it rejects GWN. 5. S generates its current timestamp t3 and selects a random number rS ∈ z∗q , and computes ES = rS P, KS = rS (RS − h(IDS dS)P), hS = H1 (KS IDS t3), skS = rS(EU + N(x)′′ P) and AuthS = H1(skS t3). S sends the message {ES, t3, hS, AuthS} to GWN via a public channel. Then, S computes the session key SK = H2(skS ES EU t3 t1). 6. Upon receiving the replied message from S at time t′ , GWN checks the validity of t3 on the condition |t′ − t3| ≤ ∆t. If t3 is valid, GWN computes K′ = h (IDS dGWN) ES and ′ = H1 K′ IDS t3 . Then, GWN checks whether h′ = hS. If yes, GWN generates its current timest...

Authentication and Key Agreement Phase. After completing this phase, the user Ui and the server S can achieve the goal of mutual authentication and session key agreement which can be used for secure subsequent communication without revealing user’s identity. The authentication and key exchange phase is depicted in FIGURE 4. Step 1. The user Ui inserts his smart card into a card reader and inputs IDi and pwi; Step 2. The smart card selects a random number r′i∈RZn∗ and computes R′i = r′i × G, Ai = ri′ × Rs × h(IDi ⊕ pwi ⊕ ri). Then sends ⟨Ri′, Ai, Mi⟩ to the server S.

Authentication and Key Agreement Phase. Step 1: GWN checks the validity of Ti and retrieves HIDi from TIDi. Then, GWN computes XSi = h(HIDi||K), ki = h(XSi ||Ti), X∗ = DIDi ⊕ ki, MU∗ i ,G = h((X∗ ⊕ HIDi)||XSi ||Ti), = then checks MU∗ ,G ? MU ,G. If it is correct, GWN computes XS = h(SIDj||K), MG,Sj = h(DIDi||SIDj||XSj ||TG), then sends {DIDi, MG,Sj , TG} to Sj, where TG is the timestamp. ? Step 2: Sj checks the validity of TG and computes MG∗ ,Sj = h(DIDi||SIDj||XS∗j ||TG), then checks MG∗ ,S MG,S . If it is successful, Sj computes kj = h(XS ||Tj), Zi = MG∗ ,S ⊕ kj, = KS = f (XXXx, kj), MSj ,G = h(Zi||XS∗j ||Tj), then sends {MSj ,G , Tj} to GWN, where Tj is the timestamp. Step 3: GWN checks the validity of Tj and computes kj = h(XSj ||Tj), Zi∗ = MG∗ ,Sj ⊕ kj, = MS∗ ,G = h(Zi||XS∗ ||Tj), then checks MS∗ ,G ? MS ,G. If it is correct, GWN computes MG,Ui = h(DIDi||MU∗ i ,G||kj||XXi ||TG′ ), yi = kj ⊕ h(ki), TIDinew = h(HIDi||Ti), then sends {yi, MG,Ui , TG′ }, where TG′ (TIDinew , TIDi). is the timestamp. Additionally, GWN updates (TIDi, TID◦ ) as Step 4: Ui checks the validity of TG′ and computes kj = yi ⊕ h(ki), = MG∗ ,U = h(DIDi||MU ,G||kj||XS ||TG′ ), then checks MG∗ ,U ? MG,U If it is correct, Ui computes KS = f (XXXx, kj) and updates TIDi as h(HIDi||Ti).

Authentication and Key Agreement Phase. In this phase, Ui and Sj authenticate each other and generate a common session key SK by the help of GWN. The trusted party GWN is interconnected with Ui and Sj, respectively, and helps to establish a session key between Ui and Sj; however, GWN is not able to derive the session key. Figure 3 illustrates the authentication and key agreement phase, which is performed as follows: Step 1: GWN ⇒ Sj : {DIDi, Xi, MG,Sj , TG} After receiving {XXXx, Xi, MUi ,G , Ti, TIDi}, GWN checks the validity of Ti and retrieves HIDi from TIDi. If no TIDi is found, GWN checks TIDi◦. If it still is not found, GWN rejects the login request; otherwise, GWN computes XSi = h(HIDi||K) and ki = h(XSi ||Ti). Then, = GWN verifies MU ,G ? h((DIDi ⊕ ki ⊕ HIDi)||XS ||Xi||Ti). If it is valid, GWN authenticates Ui and computes MG,Sj = h(DIDi||SIDj||XSj ||Xi||TG), then sends {XXXx, Xi, MG,Sj , TG} to Sj, where TG is the current timestamp. Step 2: Sj ⇒ GWN : {MSj ,G , Yj, Tj} After receiving {XXXx, Xi, MG,Sj , TG}, Sj checks the validity of TG and verifies MG,S ? h(DIDi||Xi||XS∗j ||TG) using its stored secret value XS∗j = h(SIDj||K). If it is valid, Sj authenticates GWN and computes kj = h(XS∗j ||Tj), Zi = MG,Sj ⊕ kj, where Tj is the current timestamp. Then, Sj generates a random number b ∈ Z∗p and computes Yj = bP and a session key SK = kji = h(DIDi||kj||bXi). Finally, Sj computes (MSj ,G = h(Zi||XS∗j ||Xi||Yj||Tj)) and sends {MSj ,G , Yj, Tj} to GWN. Step 3: GWN ⇒ Ui : {ei, MG,Ui , Yi, TG′ } ? After receiving {MSj ,G , Xx, Xx}, GWN checks the validity of Tj, computes kj = h(XSj ||Tj), Zi∗ = MG∗ ,S ⊕ kj and verifies MS ,G h(Zi∗ ||XS ||Xi||Yj||Tj). If it is valid, GWN = authenticates Sj and computes ei = kj ⊕ h(ki), (MG,Ui = h(DIDi||MUi ,G||kj||XSi ||Xi||Yj||TG′ )), TIDinew = h(HIDi||Ti), where TG′ is the current timestamp. Then, GWN sends {ei, MG,Ui , Yi, TG′ } to Ui and updates (TIDi, TIDi◦ ) as (TIDinew , TIDi) in its storage. ? Step 4: After receiving {ei, MG,Ui , Yi, TG′ }, Ui checks the validity of TG′ , computes k∗j = ei ⊕ h(k∗i ) and verifies MG,U h(DIDi||MU ,G||k∗j ||XS ||Xi||Yj||TG′ ). If it is valid, Ui computes the session key SK = kij = h(DIDi||kj||aYi). Finally, Ui updates TIDi as h(HIDi||Ti).

Authentication and Key Agreement Phase. This phase is established between 𝐷𝑖 and 𝐷𝑗 and shown in Fig. 1. Fig. 1. Authentication process in Xxxxxxxxx et al.’s protocol 𝑝 𝑖 Step 1. 𝐷𝑖 chooses a random number 𝑥 ∈ 𝑍∗ and calculates values of 𝜏 = 𝑥𝐺 and 𝛼 = 𝑥𝑄 where 𝑄 is the public 𝑖 𝑗 𝑗 key of 𝐷𝑗 . Then, it calculates pseudo-ID 𝐴𝐼𝐷𝑖 = 𝛼𝑖⨁𝐼𝐷𝑖 and calculates 𝑍𝑖 as 𝑍𝑖 = ℎ(𝛼�� ∥ 𝜏𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡1) where 𝑡1 is the current timestamp of the message. Finally, the message < 𝐴𝐼𝐷𝑖 , 𝜏𝑖 , 𝑍𝑖 , 𝑡1 > is sent to 𝐷𝑗 . Step 2. 𝐷𝑗 receives the message < 𝐴𝐼𝐷𝑖 , 𝜏𝑖 , 𝑍𝑖 , 𝑡1 > at time 𝑡′. If 𝑡′ − 𝑡1 < Δ𝑇, it verifies the freshness of the message. Then, it calculates 𝛼𝑖 = 𝑑𝑗 𝜏𝑖 and retrieves 𝐼𝐷𝑖 = 𝐴𝐼𝐷𝑖 ⨁𝛼𝑖. After that, it checks whether or not 𝑍𝑖 = ? ℎ(𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡1) and verifies 𝐷𝑖 . Otherwise, it immediately aborts the session. 𝐷𝑗 then, picks the random nonce 𝑦 ∈ 𝑍∗ and timestamp 𝑡 and calculates the values of 𝜏 = 𝑦𝐺, 𝐾 = 𝑦𝑄 + 𝑑 𝜏 , 𝐴𝐼𝐷 = 𝛼 ⨁𝐼𝐷 , 𝑝 2 𝑖 𝑗 𝑖 𝑗 𝑖 𝑗 and 𝑍𝑗 = ℎ(𝑘𝑗 ∥ 𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡2). Finally, it transmits the message < 𝐴𝐼𝐷𝑗 , 𝜏𝑗 , 𝑍𝑗 , 𝑡2 > to 𝐷𝑖 . Step 3. 𝐷𝑖 checks freshness of the received message and retrieves 𝐼𝐷𝑗 = 𝐴𝐼𝐷�� ⨁𝛼𝑖. Then, it calculates 𝐾𝑖 = 𝑥𝑄𝑗 + 𝑑𝑖 𝜏𝑗 and checks if 𝑍𝑗 =? ℎ(𝑘𝑖 ∥ 𝛼𝑖 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝑡2). If the condition holds, 𝐷𝑗 is verified. 𝐷𝑖 then calculates the session key 𝑆𝐾𝑖 as 𝑆𝐾𝑖 = ℎ(𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐾𝑖) and generates message < 𝑅𝑖 > as 𝑅𝑖 = ℎ(𝑆𝐾𝑖 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑖) to transmit to 𝐷𝑗 . Step 4. Upon the reception of the message, 𝐷𝑗 calculates session key as 𝑆𝐾𝑗 = ℎ(𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝜏𝑖 ∥ 𝜏𝑗 ∥ 𝐾𝑗 ) and checks whether or not 𝑅𝑖 =? ℎ(𝑆𝐾𝑗 ∥ 𝐼𝐷𝑖 ∥ 𝐼𝐷𝑗 ∥ 𝐾𝑗 ). If not, it immediately terminates the session; otherwise, 𝑆𝐾 = 𝑆𝐾𝑖 = 𝑆𝐾𝑗 is verified.

Authentication and Key Agreement Phase. If the above verification is successful, it indicates that the user Ui has successfully passed the login phase. Then, the vehicle Xx performs an encryption calculation and sends the encrypted request message M1 to the drone Dj. The drone Dj first checks the legitimacy of the timestamp Ti. If it is legal, the drone Dj encrypts the vehicle’s request message M1 into message M2 with its private information and forwards it to the control center (CC) for verification. The CC checks the legitimacy of the drone Dj and helps Dj verify the legitimacy of the vehicle Vi. If both the vehicle Vi and the drone Dj are legitimate, the CC helps the vehicle Vi and the drone Dj to generate the secrets for common verification. After that, the drone Dj and the vehicle Vi complete the authentication with the help of the CC and establish a session key for secure communication. Both the authentication and key agreement phases are briefed in Figure 6. The following steps are critical to completing this phase. 1) The vehicle Vi selects a random number αi, and generates an up-to-date timestamp Ti. To prevent temporary secret (αi) leak attack, the vehicle Vi computes ri = H2(αi si Ti), Ri = ri P , and Ri∗ = riPpub. To ensure security and save computing overhead, the vehicle Vi then computes an en- crypted ciphertext Ci = ER∗ (IDi, DIDj, PIDj, Ti) and a hash signature ρi = H4(DIDj PIDj IDi Ri Ri∗ si Ti), where Ri∗,x denotes the x-coordinate of the elliptic curve point Ri∗. At last, the vehicle Vi sends a request authentication s the legitimacy of the Vi by denying the request mes- sage M1. Otherwise, the CC confirms that the received credentials (IDi, DIDj, PIDj, Ti) are valid, and continues to decrypt [βj Tj] = DH2(sj||ρi||Ti)(Cj). Next, the CC authenticates the drone Dj by checking the hash signature δ =? H (C R ρ DID PID s β T ). If the authen- tication fails, the CC rejects the legitimacy of the Dj by denying the request message M2. Otherwise, the CC confirms that the drone Dj is valid, and generates a hash secret si,j = H6(si Ri∗ Ti Tcc) for the authentication of the Vi and the Dj. Then, the CC calculates an encrypted cipher- text Ci,j = EH2(sj||δj||βj )(XXXx si,j) and a hash signature ψi,j = H5(si,j Ri sj δj Ci,j DIDj Ti Tcc) for the Dj. Finally, the CC transmits the message M3 = Ci,j, ψi,j, Tcc to the Dj. 4) Upon receiving the message M3, the drone Dj first checks the freshness of the timestamp Tcc. If |Tc∗c − Tcc| < ∆T , the Dj acquires [DIDj||sj] = DH2(sj||δj||βj )(Ci,j), then...