Security of a PUF Mutual Authentication and Session Key Establishment Protocol for IoT Devices

Recently, Zerrouki et al. proposed a Physically Unclonable Function (PUF) mutual authentication and session key establishment protocol for IoT (Internet of Things) devices. Zerrouki et al.’s PUF protocol is interesting because it does not require the storage of any sensitive information on the local memory of the IoT device, which avoids many potential attacks, especially side-channel attacks. Therefore, we carefully investigate the security of Zerrouki et al.’s PUF protocol under the leakage assumption of the session key. Our findings are in the following. First, Zerrouki et al.’s PUF protocol fails to provide known-key security. That is, the adversary can impersonate not only the server to cheat the IoT device but also the IoT device to cheat the server when the adversary corrupts a session key between the server and the IoT device. Second, Zerrouki et al.’s PUF protocol suffers from the key-compromise impersonation attack. It means that the adversary can impersonate the IoT device to cheat the server if the adversary discloses the server’s secret key. Third, Zerrouki et al.’s PUF protocol does not support backward secrecy for the session key. That is, the adversary is always able to derive the session key from the previous session key. We also suggest the root cause of these security flaws in Zerrouki et al.’s PUF protocol. As a case study, our cryptanalysis results would promote a security model for more robust and efficient PUF authentication and session key establishment protocol. Moreover, our idea of the key compromise can be used to evaluate other novel PUF protocol designs.