Impersonation Attack. In this attack, assume that Xxx tries to impersonate as a legal meter to the NAN gateway. To do that, Xxx randomly picks uSMeve and computes ASMeve using uSMeve P and fabricates a false BSMeve . Eve then computes own messages, i.e., L1eve = H(SMIDeve NID ASMeve BSMeve T 1eve) and Y 1eve = MACL1eve [SMIDeve , T 1eve, ASMeve ] and sends αeve, Q1, ASMeve , Y 1eve, φeve, T 1eve to the NAN gate- way. However, the NAN gateway cannot obtained the real identity of the meter since it is encrypted in Q1 = ESTj [SMIDj , NID, T 1] therefore Xxx’s fake identity can- forward secrecy(MFS). Here, PFS defines that if a compromise of long-term private key of either the legitimate parties (e.g., a SM or NAN gateway) should not be compromising secrecy of the previously established sessions. Whereas, MFS satisfies – whenever the master key of a legitimate entity is being compromised then the protocol should hold the security of session key. The proposed LAKA therefore holds both PFS and MFS properties. For instance, assume that if the long- term secret keys (e.g., (STj, SMprj, Mk) of meter and NAN are exposed to Eve. However Xxx still cannot determine the previous session keys because each previous session between the meter and XXX is computed independently and fresh i.e., (SK = H(SMIDj NID ASMj CN WSMj ))) that includes ASMj (= uSMj P ), CN (=vN P ) and WSMj (=uSMj CN ). Here uSMj and vN are random numbers of the meter and NAN, respectively. In addition, with the fact of the ECDLP hardness, Xxx cannot determine the real value of uSM and vN , which are random numbers. Therefore, the proposed scheme holds FS.
Appears in 4 contracts
Samples: Lightweight Authentication and Key Agreement, Lightweight Authentication and Key Agreement, Repository License Agreement
