Background/Objectives: The user authentication and key agreement protocol proposed by Jung et al., which is suitable for wireless sensor network environments, is vulnerable to an attack in which a user who has completed the registration step and been issued a smart card by the gateway masquerades as an arbitrary user.

Methods/Statistical analysis: This study proposes a method that fixes the vulnerability to user impersonation attacks in the security technique proposed by Jung et al. The method uses a variable that records the number of times a user has requested registration with the gateway. The variable is used in the registration step, in which the user is registered with the gateway and issued a smart card, and in the login step, in which the user holding the smart card is authenticated as a legitimate user.

Findings: The security technique proposed in this study consists of four steps, the same as the user authentication and key agreement technique proposed by Jung et al. In the first step, the registration step, when a user requests registration with the gateway, the variables recording the number of the user's registration requests (user: Un, gateway: Gn) are renewed and stored by the user and the gateway respectively. Once the registration step is completed, the user who was issued a smart card by the gateway is authenticated as a legitimate user in the login step, using the issued smart card, ID, password and Un. When the login step is completed, the third step, the authentication step, carries out the authentication procedures for the gateway and the sensor node.

An attacker obtains a user's information through various attacks, such as a smart-card loss attack, an ID-guessing attack or a password-guessing attack, and attempts the login step using the obtained information. However, the technique proposed in this study requires the variable recording the number of the user's registration requests to the gateway, in addition to the smart card, ID and password, to carry out user authentication in the login step. This variable is a value that only the user and the gateway know, and it is not transmitted in any step. An attacker who does not know the number of registration requests cannot complete the login step, and without completing the login step the attacker cannot be authenticated as a legitimate user. Thus, the user authentication and key agreement protocol proposed in this study is safe from user impersonation attacks.

Improvements/Applications: This study proposes a technique that uses, in user authentication, the variable recording the number of the user's registration requests to the gateway, which is managed and stored only by the user and the gateway and is not transmitted in any step. The proposed technique is safe from user impersonation attacks.
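
The login check described above, as an added example that is not taken from the paper: a simplified Python model in which the smart card's verifier is bound to the ID, the password and the registration counter. The hash construction, the card layout and all class and function names are assumptions made for illustration, not the formulas of Jung et al. or of this study.

```python
import hashlib
import hmac
import os


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()


class Gateway:
    def __init__(self):
        self.gn = {}  # user ID -> Gn, the gateway's registration-request count

    def register(self, uid: str, pw: str) -> dict:
        """Renew Gn, then issue a card whose verifier is bound to ID, password and Gn."""
        gn = self.gn[uid] = self.gn.get(uid, 0) + 1
        salt = os.urandom(16)
        verifier = h(uid.encode(), pw.encode(), gn.to_bytes(4, "big"), salt)
        return {"salt": salt, "verifier": verifier}  # the counter itself is not on the card


class User:
    def __init__(self, uid: str, pw: str):
        self.uid, self.pw, self.un, self.card = uid, pw, 0, None

    def register(self, gw: Gateway) -> None:
        self.un += 1  # Un is renewed on the user side and kept off the card
        self.card = gw.register(self.uid, self.pw)


def card_login(card: dict, uid: str, pw: str, un: int) -> bool:
    """Login step: the card accepts only if ID, password and Un all match."""
    candidate = h(uid.encode(), pw.encode(), un.to_bytes(4, "big"), card["salt"])
    return hmac.compare_digest(candidate, card["verifier"])


def demo() -> tuple:
    gw, alice = Gateway(), User("alice", "constructed-password")  # constructed sample values
    alice.register(gw)
    alice.register(gw)  # a second registration request: Un == Gn == 2
    legit = card_login(alice.card, alice.uid, alice.pw, alice.un)
    # Someone holding the card, ID and password but not Un has no valid counter to supply.
    without_un = card_login(alice.card, alice.uid, alice.pw, 0)
    return legit, without_un, alice.un == gw.gn[alice.uid]
```
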