Formal security analysis of an IoT mutual authentication protocol

Wireless sensor networks (WSNs) are widely used in day-to-day activities in order to provide users with multiple services such as smart grids, smart homes, the industrial Internet of Things (IoT), agriculture and healthcare. These services are provided by collecting the sensing data and transmitting it to the gateway node over an unsafe channel, under constraints of security, energy consumption and connectivity. In 2022, Fariss et al. proposed an ECC-based mutual authentication and key agreement protocol for WSNs. They provided an informal security analysis and showed that the protocol is secure against many security threats. They also formally analyzed the scheme's security using the AVISPA tool. In this article, we analyze the security of Fariss et al.'s protocol using GNY logic, an advanced version of BAN logic.


Introduction
Wireless Sensor Networks (WSNs) are one of the main parts of the Internet of Things (IoT). Sensor nodes are one of their most important components. Their main role is to detect and monitor different kinds of data and to transmit them to users through a gateway node that analyzes them. These users must be legitimate users. The gateway node is not only responsible for data transmission; it also securely stores some private data of sensor nodes and users. One of the biggest security issues in data transmission between the gateway node and the other entities in the network is that the communication channel is public, so anyone can access the network without any control, which exposes it to various attacks.
In fact, if a malicious attacker intercepts the data exchanged between these entities, he/she can recover sensitive information or even pose as a legitimate party and send incorrect messages to the sensor node or the user. Another challenge related to IoT is the resource-constrained devices with limited available power and computational capabilities, which makes lightweight security solutions more suitable for IoT environments.
Many research studies and security protocols have been proposed to attain various security objectives. After analyzing some of these protocols, many of them were found to be vulnerable to some attacks even though their designers considered them secure. That is because one minor mistake may cause the failure of the entire protocol, and such minor mistakes are hard to detect informally.
As a result, the research community was, and still is, trying to create formal security analysis methods to detect as many vulnerabilities as possible in the designs of authentication protocols. One of the well-known formal security analysis techniques is modal logics, which are used to verify that, given a set of assumptions, a set of expected beliefs can be obtained after the execution of the protocol. Burrows-Abadi-Needham (BAN) logic is the milestone when it comes to modal logics. Automated Validation of Internet Security Protocols and Applications (AVISPA) is another formal automated security analysis tool that uses a formal language for specifying security protocols and properties. A protocol can still be vulnerable to an attack that a given formal method was not able to detect. Consequently, it is good practice to analyze an authentication protocol using several formal methods to be more confident about its security.
In this paper, we review an Elliptic Curve Cryptography (ECC) based three-factor mutual authentication and key agreement protocol for WSNs [1]. The authors of this protocol provided a formal security analysis using the AVISPA tool alone. To strengthen the proof of the security of this protocol, we provide another formal security analysis using GNY (Gong-Needham-Yahalom) logic, which is an improved version of BAN logic.
The remainder of this paper is organized as follows: In Section II, we present the related work. In Section III, we present an overview of the main preliminaries of the present paper. In Section IV, we provide a formal security analysis of the reviewed protocol using GNY logic. Finally, we give some concluding remarks.

Related Work
In the past few years, many authentication schemes have been proposed for WSN environments. In 2007, Tseng et al. [2] proposed a dynamic user authentication scheme [3]. They provided an informal security analysis of their protocol and showed that it can withstand replay attack and forgery attack. Subsequently, Das [4] suggested a hash-based user authentication protocol that uses two factors: passwords and smart cards. He also provided an informal security analysis of his protocol and showed that it can resist many attacks such as replay attack and impersonation attack. However, Nyang and Lee [5] showed that Das's protocol is vulnerable to password guessing attacks performed by insiders and to node compromise attacks. Xue et al. [6] proposed a temporal-credential-based mutual authentication and key agreement scheme. They claimed that it allows mutual authentication among the user, the gateway node (GWN), and the sensor node. It is also secure against many attacks such as masquerade and replay attacks. Thereafter, He et al. [7] suggested another temporal-credential-based mutual authentication and key agreement protocol. They formally analyzed its security using BAN logic and proved that it allows a secure session key and identity sharing between the user and the sensor node. They also proved that their scheme can overcome the security flaws detected in Xue et al.'s protocol, namely user anonymity, offline password guessing attacks, and user and sensor node attacks. Qi and Chen [8] suggested an ECC-based mutual authentication and key agreement scheme that uses biometrics. They claimed that their scheme provides session key agreement and is robust against multiple known attacks. Moreover, using BAN logic, they demonstrated that their scheme provides secure mutual authentication. Nonetheless, in 2019, Sahoo et al. [9] discovered that the scheme is vulnerable to many attacks such as key compromise impersonation attack and offline password guessing attack. 
Thereafter, they proposed a mutual authentication scheme based on biometrics and ECC. They asserted that their scheme is resistant to replay attacks, stolen smart card attacks, and offline password guessing. However, in 2022, Ryu et al. [10] demonstrated that this protocol cannot resist insider and privileged insider attacks. Moreover, it cannot provide patient anonymity. To address these security flaws, they proposed an ECC-based three-factor mutual authentication protocol for telecare medical information systems. Through formal security analysis using BAN logic, AVISPA, and the Real-Or-Random (ROR) model, they proved that this protocol can prevent various security attacks. Gope et al. [11] proposed a lightweight and physically secure anonymous mutual authentication protocol for real-time data access in Industrial Wireless Sensor Networks (IWSNs) using Physical Unclonable Functions (PUFs). They formally analyzed the security of their protocol using the ROR model. Subsequently, Moghadam et al. [12] designed an efficient authentication and key agreement scheme based on Elliptic-Curve Diffie-Hellman (ECDH). The proposed protocol is claimed to support dynamic node addition and to generate a unique symmetric key and session key for each session. Moreover, the security simulation using the Scyther validation tool [13] and the informal security analysis showed that the protocol is secure against many attacks such as replay attack, Denial of Service (DoS) attack, and known session-specific temporary information attack. In 2021, Deok et al. [14] proved that Moghadam et al.'s scheme does not achieve perfect forward secrecy. To overcome this security issue, they proposed a secure and lightweight mutual authentication protocol and proved its security using BAN logic, the ROR model, and the AVISPA simulation tool.
In 2022, Fariss et al. [1] proposed an ECC-based mutual authentication and key agreement protocol for WSNs. They informally proved that their protocol is secure against many attacks, notably insider attacks, offline password guessing, impersonation attacks, and cloning attacks. The authors used the AVISPA tool to analyze the security of their protocol. However, as we can notice from the previously discussed contributions (e.g., Qi and Chen's scheme [8]), relying on an informal security analysis and only one formal security analysis method does not give sufficient confidence in the security of a protocol. Consequently, in this paper, we additionally analyze this work using GNY logic, an advanced version of BAN logic.

Preliminaries
This section gives an overview of the basic concepts used in this paper, including ECC and belief-based formal security analysis, in particular BAN logic and its extended version, GNY logic.

Elliptic Curve Cryptography
To provide better security with a smaller key size, Koblitz [15] and Miller [16] proposed ECC as a type of public-key cryptography. Let E(F_p) denote an elliptic curve over a prime finite field F_p. E(F_p) is defined by (1), where p > 3 and the discriminant ∆ = 4a³ + 27b² ≠ 0 (mod p). The point O, equal to (-P) + P, is called the point at infinity. All the points of the cyclic additive group G are generated by a generator point P, and the order of P is the smallest positive integer n such that n×P = O, where × denotes the elliptic curve point multiplication operation. Point multiplication over the elliptic curve can be summarized as follows: given two points P and Q on the elliptic curve and an integer k, Q = kP means that the point Q is equal to P + P + ⋯ + P (k times). The security provided by ECC rests on the difficulty of solving the Elliptic Curve Discrete Logarithm Problem (ECDLP): given two points P and Q = kP on an elliptic curve E(F_p), it is computationally hard to find k. Here k is called the discrete logarithm of Q to the base P.
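The group operations described above, as an added example that is not code from the reviewed paper: point addition, the point at infinity O, the order n of a point (n×P = O), double-and-add scalar multiplication, and an exhaustive-search ECDLP solver that is only feasible because the field is tiny. The curve y² = x³ + x + 1 over F_23 and the points (3, 10) and (9, 7) are constructed textbook values, not parameters of the protocol under review.

```python
# Added example (not code from the reviewed paper): elliptic-curve group arithmetic
# over a toy prime field, illustrating the point at infinity O, the order n of a
# point P (n×P = O), scalar multiplication Q = kP, and a brute-force ECDLP solver.
# The curve y² = x³ + x + 1 over F_23 and its points are constructed textbook values.
p, a, b = 23, 1, 1
O = None                                     # the point at infinity
assert (4 * a**3 + 27 * b**2) % p != 0       # non-singular: ∆ ≠ 0 (mod p)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x**3 + a * x + b)) % p == 0
def add(P, Q):
    """Chord-and-tangent point addition; O is the neutral element."""
    if P is O:
        return Q
    if Q is O:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                             # (-P) + P = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)          # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)
def mul(k, P):
    """Q = kP = P + P + ... + P (k times), computed by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R
def order(P):
    """Smallest positive integer n such that n×P = O."""
    n, R = 1, P
    while R is not O:
        R, n = add(R, P), n + 1
    return n
def dlog(Q, P):
    """ECDLP by exhaustive search (the k with Q = kP): feasible only on a toy curve."""
    R, k = P, 1
    while R != Q:
        R, k = add(R, P), k + 1
    return k
```

On a real curve the field has hundreds of bits, so `dlog` becomes infeasible while `mul` stays cheap; that asymmetry is what the key-agreement step of the reviewed protocol relies on.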

GNY logic (Gong-Needham-Yahalom)
BAN logic was invented in 1989. It was the start of the field of formal security analysis. It is a modal logic of knowledge and belief, and it soon became a milestone in protocol security analysis. This pioneering work is characterized by its simplicity and strong analytic capability. It is used to detect major security threats and to prove the correctness of a protocol. In 1990, Gong et al. [17] extended BAN logic to GNY logic, which covers a broader range of protocols. This method aims to prove whether the protocol reaches its goals. It treats belief as a systematic way of understanding how cryptographic protocols work. In comparison with BAN logic, GNY logic requires fewer universal assumptions, such as redundancy in encrypted messages. Moreover, GNY logic allows reasoning about different levels of trust, thanks to the separation between the physical world and the principals' beliefs.

Formal security analysis using GNY logic
In this section, we provide a formal security analysis of the reviewed protocol using GNY logic. We cite here some of the GNY logic notions used in our analysis:
- The notion of possession
- The notion of honesty and competence
- The notion of message extension
- The not-originated-here notion

Postulates
First, we provide the inference rules used in our analysis and the description of each rule. We note that all the following rules are inherited from the GNY logic paper [17] except the Key-Agreement Rules which we developed based on [18].
- Rationality Rule (L1): if A has been told (X, Y), then she has been told X.
- If A believes X is fresh, then she is entitled to believe that any formula consisting of X is fresh too.
- Key-Agreement Rule: if A believes in B's key-agreement public key and believes in her own key-agreement private key −1 ( ), then A is entitled to believe that the key K computed using these two key-agreement keys is a good secret key between A and B.
- Key-Agreement Rule: if A possesses B's key-agreement public key and her own key-agreement private key −1 ( ), then A is capable of possessing the key K computed using these two key-agreement keys.
- Key-Agreement Rule: if A believes that B's key-agreement public key or her own key-agreement private key −1 ( ) are fresh, then A is entitled to believe that the key K computed using these two key-agreement keys is fresh too.
- If A has been told a formula H(X, 〈K〉) which is not-originated-here (A did not generate it earlier in the current protocol run), A possesses (X, K), A believes K is a good shared secret between A and B, and A believes (X, K) is fresh, then A is entitled to believe that B once conveyed (X, 〈K〉) and H(X, 〈K〉).
- If A believes that B once conveyed a formula X and A believes X is fresh, then A is entitled to believe that B possesses X.
- If A believes that B has jurisdiction over his own beliefs (i.e. B is honest and competent), A believes B once conveyed X ↝ C, and A believes X is fresh, then A is entitled to believe that B believes C.
- (J2) ⫢ ⤇ , ⫢ ⫢ ⫢ : if A believes that B has jurisdiction over a statement C and A believes that B is entitled to believe C, then A is entitled to believe C too.
GNY proposed the following two checks to test whether a protocol is consistent and valid:

Idealized Protocol
- Possession consistency (i.e. a principal should only be able to include in any message he sends a formula he possesses): the reviewed protocol is clearly valid according to this check, since all the formulae contained in the messages are either generated or previously received by the sender.
- Belief consistency (i.e. a message extension should include only beliefs held by the sender at the time the message is sent):
  - The message extension in the first communication is valid, since all the beliefs included in this message extension are provided as assumptions of U_i (see the assumptions A5, A6, and A7 below).
  - The message extension appended to the second communication is valid, since before sending the message, GWN believes in all the statements included in this message extension (see the beliefs B16, B17, B18, and B19 below).
  - The message extension appended to the third communication is valid, since before sending the message, S_j believes in all the statements included in this message extension (see the assumptions A23, A24, and A25 and the beliefs B23, B29, and B30 below).
  - The message extension appended to the fourth communication is valid, since before sending the message, GWN believes in all the statements included in this message extension (see the beliefs B43, B44, B46, B47, B51, B52, B53, and B54 below).

Protocol Analysis
In the following analysis, the expression (Ai) + (Bj) + (Pk) ⇒ (Bl) means: given the assumption (Ai) and the belief (Bj), and applying the inference rule (Pk) we get the belief (Bl).
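To make this derivation notation concrete, here is an added illustration (not the paper's analysis and not GNY's own tooling) that encodes the three Key-Agreement Rules from the Postulates subsection as a small forward-chaining engine and prints each inference in the (Ai) + (Bj) + (Pk) ⇒ (Bl) form. The rule names KA1 to KA3, the fact vocabulary, and the sample assumptions for a user U and gateway GWN are assumptions of this example rather than the assumptions of [1].

```python
# Added illustration, not code from the paper or from GNY: a tiny forward-chaining
# engine that encodes the three key-agreement rules described above and records
# each step in the paper's "(Ai) + (Bj) + (Pk) ⇒ (Bl)" form. The rule names
# KA1..KA3, the fact vocabulary and the sample assumptions are assumptions here.
def key_agreement_rules(a, b):
    """Key-agreement rules for principal a with peer b: (name, premises, conclusion)."""
    pk, sk, K = f"pk_{b}", f"sk_{a}", f"K_{a}{b}"
    return [
        # KA1: a believes b's public key and its own private key are good ⇒ K is good
        ("KA1", [f"{a} believes good({pk})", f"{a} believes good({sk})"],
         f"{a} believes goodkey({K}, {a}, {b})"),
        # KA2: a possesses both keys ⇒ a is capable of possessing K
        ("KA2", [f"{a} possesses {pk}", f"{a} possesses {sk}"], f"{a} possesses {K}"),
        # KA3: either key fresh ⇒ K fresh (two instances, one per disjunct)
        ("KA3", [f"{a} believes fresh({pk})"], f"{a} believes fresh({K})"),
        ("KA3", [f"{a} believes fresh({sk})"], f"{a} believes fresh({K})"),
    ]

def derive(assumptions, rules):
    """Forward-chain to a fixpoint. Returns (labelled facts, derivation log)."""
    facts = {f"A{i}": f for i, f in enumerate(assumptions, 1)}
    log, changed = [], True
    while changed:
        changed = False
        for name, premises, conclusion in rules:
            if conclusion in facts.values():
                continue                     # already derived
            labels = [lab for prem in premises
                      for lab, fact in facts.items() if fact == prem]
            if len(labels) == len(premises):  # every premise is held
                lab = f"B{len(log) + 1}"
                facts[lab] = conclusion
                log.append(" + ".join(f"({x})" for x in labels + [name])
                           + f" ⇒ ({lab})")
                changed = True
    return facts, log

def analyse_user_gateway():
    """Constructed run for a user U and gateway GWN (sample assumptions, not [1]'s)."""
    assumptions = [
        "U believes good(pk_GWN)", "U believes good(sk_U)",
        "U possesses pk_GWN", "U possesses sk_U",
        "U believes fresh(pk_GWN)",
    ]
    return derive(assumptions, key_agreement_rules("U", "GWN"))

if __name__ == "__main__":
    for step in analyse_user_gateway()[1]:
        print(step)
```

Dropping an assumption (for example the belief that sk_U is good) leaves KA1 unable to fire, so no belief about the session key is derived; this is how a missing premise in a GNY analysis surfaces as a gap in the protocol's goals rather than as a silent success.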