Abstract
Among other security concerns, the reliable device to device direct communication is an important research aspect in sensor cloud system application of Internet of things (IoT). The access control mechanism can ensure the reliability through secure communication among two IoT devices without mediation of intermediate agent. Mainly, it requires twofold strategy involving the authentication of each other and session key establishment. Quite recently, in 2019, Das <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">et al.</i> proposed a certificate based lightweight access control and key agreement scheme for IoT devices (LACKA-IoT) to ensure smooth and secure access control and claimed LACKA-IoT to withstand the several attacks. Specifically, it is claimed that LACKA-IoT can resist device impersonation and man in middle attacks. However, the proof in this article refutes their claim and it is shown here, that LACKA-IoT is insecure against both device impersonation and man in middle attacks. An adversary just by using public parameters and by listening the communication channel can impersonate any device. Moreover, the same can also launch successful man in middle attack using public parameters and listened messages from public channel. An improved protocol iLACKA-IoT is then proposed in the paper. The iLACKA-IoT provides resistance against various types of threats and provides the required level of security, for evidence both formal validation through random or real (ROR) model as well as the informal validation through discussion on attack resilience is provided. The iLACKA-IoT is not only better in security but also provides performance efficiency as compared with LACKA-IoT and related schemes.
Highlights
Consisting of several interconnected things including both physical smart-devices like sensors, mobiles, road and aerial vehicles etc. and soft/virtual objects like electronic wallets, tickets etc., the internet of things facilitates the accumulation of data and the decision making using the accumulated data
The Internet of things (IoT) encompasses a wide range of applications which has empowered the sharing of information between the physical and virtual things directly or through some interfaces provided by high computing infrastructures like cloud computing to augment the low capacity personal smart devices, all this is achieved via public internet [1]–[3]
The common parameter sizes are selected for computing the comparative communication costs of the proposed and related schemes [7], [8], [11]–[13], we have considered SHA−1 with 160 bit size, the size of RSA modular parameters and elliptic curve cryptography (ECC) point are taken as 1024 and 320 bits, as per the recommended size by NIST, the size of identity and random numbers are fixed as 160 bits, while size of timestamps is taken as 32 bits long
Summary
Consisting of several interconnected things including both physical smart-devices like sensors, mobiles, road and aerial vehicles etc. and soft/virtual objects like electronic wallets, tickets etc., the internet of things facilitates the accumulation of data and the decision making using the accumulated data. Di construct an access control request and for this Di selects ri ∈ Zp∗ and timestamp Ti. Di further computes Ri = riP, zi = ci+H (Ai||ci||Ri||Qi||Ti)(ri+xi) and sends Msg1 = {IDi, Ai, ci, Ti, zi, Ri, Qi} to Dj. DAC 2: Dj → Di : {Msg2}. Proposition 1: In the device access control system of Das et al, an attacker A by using public parameters and listening to the communication channel can authenticate himself as a legitimate device Dk from a device Ds and can share a session key with Ds. Proof 1: A computes and sends Msga1 = {IDk , Ak , ck , Ta , za, Ra, Qa} to Ds, and Ds on reception of the message authenticates A on behalf of Dk subject to timestamp freshness and the verification of equalities shown in Eqs. 2 and 3. As the steps are very similar, as given in subsection III-A, are not being reproduced here
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
