Defending Industry 4.0: An Enhanced Authentication Scheme for IoT Devices.

To address the security concerns of Industry 4.0, recently, Garg et al. proposed a lightweight authentication protocol, and Akram et al. showed some of its security drawbacks. We continue this line by exposing how Garg et al.’s protocol suffers from noninvasive and invasive attacks. First, we explain that a passive attacker can trace any two communicating nodes to compromise their location privacy. Next, we show that an active though noninvasive adversary can compromise the integrity of the exchanged messages without being detected and run a de-synchronization attack. Besides, the adversary can extract any shared session key from any pair of nodes in the protocol. We named this attack a pandemic session key disclosure attack, and its consequences are more harmful than the impersonation of a compromised node. Finally, we disclose how the proposed scheme does not guarantee the privacy protection for the keys when we assume an honest but curious server. To overcome those existing security flaws, we finally propose a revised protocol called TARDIGRADE. First, our informal analysis, and then, our formal security analysis using the real-or-random model shows that TARDIGRADE provides the desired security, and likewise, our performance analysis confirms a reasonable cost compared with Garg et al.’s protocol. [ABSTRACT FROM AUTHOR]