• No results found

Security Enhanced and Cost-effective User Authentication Scheme for Wireless Sensor Networks

N/A
N/A
Protected

Academic year: 2020

Share "Security Enhanced and Cost-effective User Authentication Scheme for Wireless Sensor Networks"

Copied!
20
0
0

Loading.... (view fulltext now)

Full text

(1)

Security Enhanced and

Cost-effective User

Authentication Scheme for

Wireless Sensor Networks

ITC 2/47

Journal of Information Technology and Control

Vol. 47 / No. 2 / 2018 pp. 275-294

DOI 10.5755/j01.itc.47.2.16397 © Kaunas University of Technology

Security Enhanced and Cost-effective User Authentication Scheme for Wireless Sensor Networks

Received 2016/10/10 Accepted after revision 2018/04/03

http://dx.doi.org/10.5755/j01.itc.47.2.16397

Wenfen Liu

School of Computer Science and Information Security, Guangxi Key Laboratory of Cryptography and Information Security, Guilin University of Electronic Technology, Guilin 541004, China

State Key Laboratory of Integrated Services Networks(Xidian University), Xian 710071, China

Gang Zhou, Jianghong Wei

State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002, China State Key Laboratory of Integrated Services Networks(Xidian University), Xian 710071, China

Xuexian Hu

State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002, China.

Saru Kumari

Department of Mathematics, Chaudhary Charan Singh University, Meerut, Uttar Pradesh 250 005, India.

Corresponding author: [email protected]

(2)

a novel user authentication scheme for WSNs by introducing Diffie-Hellman key exchange. The security anal-ysis and performance discussion demonstrate that the proposed scheme is secure against various well known attacks, and also is efficient enough. Thus, it is more desirable for securing communications in WSMs.

KEYWORDS: user authentication, cryptanalysis, password, smart card, wireless sensor networks.

Introduction

A wireless sensor network (WSN) usually consists of a large number of autonomous sensor nodes, which only have limited capacity of computation and stor-age. Specifically, in a WSN, the sensor nodes are in charge of sensing required data and forwarding them to a nearby gateway node (GWN), which is regarded

as a computation-efficient node, and a valid user is allowed to access these sensor nodes and obtain the collected data. Nowadays, WSNs are widely deployed in many areas, such as healthcare monitoring, envi-ronment monitoring, military sensing and tracking, measurement of seismic activity and so on.

Originally, the data collected by sensor nodes are transmitted over a public channel. This implies that an adversary can maliciously delete, intercept the transmitted data, and further destroy the usability and the reliability of the WSN. Particularly, when the data involve sensitive and valuable information, the above security issues become more serious. There-fore, it is necessary to deploy security mechanisms in WSNs for securing communications. Among avail-able security mechanisms designed for WSNs, the user authentication protocol based on password and smart card receives a substantial attention from re-searchers [34, 31, 18, 17, 19, 16, 15, 10, 33, 9, 5] since it can provide mutual two-factor authentication and es-tablish a shared session key between protocol partici-pants. In addition, this kind of authentication scheme is convenient to be implemented in WSNs, without mandatory requirement for public key infrastructure as in the setting of certificate based authentication scheme.

Compared with user authentication schemes [2, 25, 26, 13] that are solely based on password, the two-fac-tor authentication scheme based on password and smart card, as its name suggests, provides stronger security guarantee. Concretely, in the setting of this kind of authentication scheme, each user holds a password with low entropy and a smart card storing

some secret values. The password and smart card of each user are bonded together by the gateway node. Consequently, a user intending to validly access a sen-sor node must provide the correct password and the corresponding smart card simultaneously. In order to capture the security of the two-factor authentication scheme based on password and smart card, Xu et al. [36] suggest that the following two assumptions on the adversary’s capabilities should be explicitly made: _ The adversary is allowed to record, insert, delete, or modify any message transmitted over the public channel.

_ The adversary can either obtain a user’s smart card and then extract secret values in it by the method introduced by Kocher et al. [21] and Messerges et al. [27], or get a user’s password, but not the both. For a two-factor authentication scheme based on password and smart card, it is required that the scheme should remain secure under the above two assumptions. This has been widely approved in the literature of two-factor authentication scheme, and the security analysis of lots of such authentication schemes [14, 35, 23, 28, 32, 3, 11, 12] follows from the above assumptions.

(3)

recently, Farash et al. [7] proposed a user authentica-tion scheme for WSN based on password and smart card to overcome the identified security weaknesses in Turkanovic et al.’s [30] scheme, and Kumari et al. [22] introduced another efficient scheme for user au-thentication and key agreement for WSN.

In this paper, we find that Farash et al.’s [7] scheme suffers from offline password guessing attack, sensor node spoofing attack, and fails to provide anonymity and forward secrecy. We also point out that Kumari et al.’s [22] scheme is vulnerable to offline password guessing attack when the smart card is lost, and thus fails to provide the security guarantee as a two-factor authentication scheme should do. To conquer the se-curity pitfalls in the above two schemes, we propose a novel user authentication scheme based on pass-word and smart card by introducing Diffie-Hellman key exchange. Security analysis and performance discussion show that not only does the proposed scheme achieve intended security properties, but it also has moderate computation cost and communica-tion overhead, and thus is more desirable for securing communications in WSNs.

The rest of the paper is organized as follows. In Sec-tion 2, we introduce Farash et al.’s [7] scheme and present the security pitfalls in this scheme. In Sec-tion 3, we briefly review Kumari et al.’s [22] scheme and demonstrate that this scheme suffers from of-fline password guessing attack. The details of the im-proved scheme is given in Section 4. In Section 5 and Section 6, we discuss the security and performance of the proposed scheme. Finally, we conclude this paper in Section 7.

2. Security Analysis of Farash et al.’s

Scheme

2.1. Review of Farash et al.’s Scheme

Farash et al.’s [7] authentication scheme involves three participants, i.e., a user Ui, a sensor node Sj and the gateway node GWN. Initially, the gateway node se-lects a secure one-way hash function h(.), and chooses a random nonce XGWN as its master secret key. In ad-dition, it assigns an identity SIDj and a shared secret value XGWN–Sj for each sensor node Sj. Then, Ui and Sj need to register with the gateway node GWN. During this process, GWN will issue a smart card SCi con-taining several secret values to Ui through a private channel, and distribute some other secret values to Sj over the public channel by using the previously shared secret value XGWN–Sj . After that, whenever the user Ui wants to access the sensor node Sj, they have to au-thenticate each other by the help of the gateway node

GWN, and establish a shared session key for securing subsequent communications.

Specifically, Farash et al.’s scheme consists of three phases, namely, registration phase, authentication phase and password change phase. We now briefly re-view each phase of this scheme. The notations used throughout this paper are summarized in Table 1. 2.1.1. Registration Phase

The registration phase is comprised of two parts, user registration and sensor node registration. As shown in Figure 1, whenever a user Ui wants to register with

Table 1

Notations used in this paper

Symbol Description Symbol Description

Ui i th user GWN gateway node of the network

IDi identity of i th user SK the shared session key between Ui and Sj

PWi password of the i th user h(.) one-way Hash function

TIDi the provisional identity of i th user ⊕ bitwise exclusive-OR operation

XGWN secret key of the gateway node || bitwise concatenation operation

Sj j th sensor node of the network Tx current timestamp, x = 1, 2, ...

(4)

Figure 1

Registration phase for a user Ui in Farash et al.’s scheme

User Ui Gateway node GWN

Choose IDi, PWi

Select a random nonce ri

Get timestamp T1

Compute MP h r PWi = ( ||i i)

Set RMU GWNi = {MP IDi, i} RMU GWNi

Compute = ( || )

i i i

e h MP ID

= ( || )

i i GWN

d h ID X

= ( ) ( || )

i GWN i i

g h Xh MP d

= ( || )

i i i i

f dh MP e

i

SC

 SCi { , , }e f gi i i

Write ri into SCi

Figure 1. Registration phase for a user Ui in Farash et al.’s scheme

Step 1 Ui chooses an identity IDi and a password PWi, as well as a random nonce ri. Then, Ui

computes MP h r PWi = ( ||i i), and sends the registration message RMU GWNi = {MP IDi, i} to the

gateway node GWN in a secure way.

Step 2 Upon receipt of RMU GWNi from Ui, the gateway node GWN first checks Ui’s identity, and

then successively computes = (e h MP IDi i|| i), di = (h ID Xi|| GWN), gi = (h XGWN)h MP d( i|| )i and

= ( || )

i i i i

f dh MP e . At last, GWN issues a smart card SCi containing { , , }e f gi i i to the user Ui.

Step 3 After receiving SCi from the gateway node GWN, the user Ui writes the previously

selected random nonce ri into SCi.

Sensor node Sj Gateway node GWN

the gateway node GWN, they cooperatively conduct the following steps:

Step  1. Ui chooses an identity IDi and a password i

PW, as well as a random nonce ri. Then, Ui computes

= ( || )

i i i

MP h r PW , and sends the registration message

= { , }

U GWNi i i

RM - MP ID to the gateway node GWN in a secure way.

Step  2. Upon receipt of U GWN i

RM - from Ui, the gateway node GWN first checks Ui’s identity, and then succes-sively computes e h MP IDi = ( i|| i), di = (h ID Xi|| GWN),

= ( ) ( || )

i GWN i i

g h Xh MP d and fi =dih MP e( i|| )i . At last, GWN issues a smart card SCi containing { , , }e f gi i i to the user Ui.

Step  3. After receiving SCi from the gateway node

GWN, the user Ui writes the previously selected ran-dom nonce ri into SCi.

As depicted in Figure 2, for a sensor node Sj holding an identity SIDj and a shared secret value XGWN S j- , it registers with the gateway node GWN by carrying out the following steps:

Step  1. The sensor node Sj first selects a random nonce rj and gets the current timestamp T1. Then, it computes MP h Xj = ( GWN S- j || ||r SID Tj j|| )1 and

=

j j GWN S j

MN rX - , and sends the registration

mes-sage RMS GWNj- = {SID MP MN Tj, j, j, }1 to the gateway node GWN.

Step  2. After receiving RMS GWNj- from Sj, the gateway node GWN checks the validity of T1 by verifying if |T Tc- 1|<ΔT, where Tc is the current timestamp. If T1 does not pass through the check,

GWN rejects Sj’s registration request. Other-wise, it computes rj′=MNjXGWN S j- , and fur-ther verifies if MP h Xj = ( GWN S- j || ||r SID Tjj|| )1 . If not, GWN terminates this session. Otherwise, it computes xj = (h SID Xj|| GWN), ej =xjXGWN S j- ,

2

= ( ||1) ( || )

j GWN GWN S j

d h Xh X - T and fj = ( || ||h x d Xj j GWN S j- || )T2 2

= ( || || || )

j j j GWN S j

f h x d X - T . Here, T2 is the current timestamp. Then, the gateway node GWN returns the response message

2

= { , , , } GWN Sj j j j

RM - e f d T to the sensor node Sj. Mean-while, it deletes SIDj and XGWN S j- .

Step 3. Upon receipt of RMGWN S j- from GWN, the sensor node Sj checks the validity of T2 by verify-ing if |T Tc- 2|<ΔT, where Tc is the current time-stamp. If not, Sj aborts the registration. Other-wise, it computes xj′=ejXGWN S j- , and further verifies if fj = ( || ||h x d Xjj GWN S j- || )T2 . If not, Sj also

aborts the registration. Otherwise, it stores xj′ and

2

( GWN||1) = j ( GWN|| )

(5)

Figure 2

Registration phase for a sensor node Sj in Farash et al.’s scheme

Sensor node Sj Gateway node GWN

Select a random nonce rj

Get timestamp T1

Compute

1

= ( || || || )

j GWN Sj j j

MP h Xr SID T

=

j j GWN S j

MN rX

Set RMS GWNj = {SID MP MN Tj, j, j, }1 RMS GWNj

Get timestamp Tc

Check if |T Tc 1|<T

Compute rj=MNjXGWN S j

Check if

1

= ( || || || )

j GWN Sj j j

MP h Xr SID T

Get timestamp T2

Compute

= ( || )

j j GWN

x h SID X

=

j j GWN S j

e xX

2

= ( ||1) ( || )

j GWN GWN S j

d h Xh X T

2

= ( || || || )

j j j GWN S j

f h x d XT

Erase SIDj and XGWN S jGWN S j

RM

 Set RMGWN Sj = { , , , }e f d Tj j j 2

Get timestamp Tc

Check if |T T2 c|<T

Compute xj=ejXGWN S j

Check if fj = ( || ||h x d Xjj GWN S j || )T2

Compute

2

( GWN||1) = j ( GWN S j|| )

h X dh XT

Store xj and (h XGWN||1) into the

memory Erase XGWN S j

Meanwhile, Sj erases the previously shared secret val-ue

GWN S j X - .

2.1.2. Authentication Phase

Whenever a user Ui wants to access a sensor node Sj,

he/she has to complete mutual authentication and es-tablish a shared session key for securing subsequent communications with the help of the gateway node

(6)

Figure 3

(7)

Step  1. The user Ui inserts the smart card SCi into a card reader, and inputs the identity IDi and the password PWi. The smart card SCi computes

= ( || )

i i i

MP h r PW′ , and checks if e h MP IDi = ( i′|| i). If not, SCi terminates the authentication procedure. Oth-erwise, it gets the current timestamp T1 and computes

= ( || ),

i i i i

d fh MP eh X( GWN) =gih MP d( i′|| )i and

,1= ( ( ) || ).1

i i GWN

M IDh h X T Moreover, SCi chooses a random nonce Ki, and produces Mi,2=Kih d T( || )i 1

and Mi,3= (h Mi,1||Mi,2||K Ti|| ).1 After that,

SCi sends the authentication request message

,1 ,2 ,3 1

= { , , , }

U Si j i i i

AM - M M M T to the sensor node Sj . Step  2. After receiving the message AMU Si- j from Ui , the sensor node Sj checks the validity of

T1 by verifying if |T Tc- 1|<ΔT, where Tc is the cur-rent timestamp. If not, the sensor node Sj aborts the authentication process. Otherwise, it gets the current timestamp T2 and computes a tempo-rary identity ESIDj =SIDjh h X( ( GWN||1) || )T2 . Furthermore, Sj selects a random nonce Kj, and generates Mj,1= ( || || )h x T Tj 1 2Kj and

,2= ( || ,1|| || ||1 2 ).

j j j j

M h SID M T T K Then, it sends

the authentication request message AMS GWNj- = {AMU Si- j,ESID M M Tj, j,1, j,2, }2

,1 ,2 2

= { , , , , }

S GWNj U Si j j j j

AM - AM - ESID M M T to the gateway node

GWN.

Step 3. Upon receipt of AMS GWNj- from Sj, the gate-way node GWN checks the validity of T2 by verifying if |T Tc- 2|<ΔT, where Tc is the current timestamp. If not, GWN aborts the authentication procedure. Other-wise, it computes SIDj =ESIDjh h X( ( GWN||1) || ),T2

= ( || ),

j j GWN

xh SIDX Kj′=Mj,1⊕h x T T( || || )j′ 1 2 , and

further verifies if Mj,2= (h SID Mj′|| j,1|| || ||T T K1 2 j′). If not, GWN also terminates the session. Otherwise, it further computes IDi′ =Mi,1⊕h h X( ( GWN) || ),T1

= ( || )

i i GWN

dh ID X′ and Ki′=Mi,2⊕h d T( || )i′ 1 . Then, GWN checks if Mi,3= (h Mi,1||Mi,2||K Ti′|| ).1 If not,

GWN rejects the authentication request. Other-wise, it gets the current timestamp T3 and computes

,1= ( || )3

GWN j i

M K ′⊕h d T′ , MGWN,2=Ki′⊕h x T( || )j′ 3

and MGWN,3= (h MGWN,1|| || )d Ti′ 3 , as well as

,4= ( ,2|| || )3

GWN GWN j

M h M x T′ . After that, the gateway node GWN sends the authentication message to the sensor node Sj.

Step  4. Once receiving AMGWN S j- from the gate-way node GWN, the sensor node Sj checks if

3

|T Tc- |<ΔT and MGWN,4= (h MGWN,2|| || )x Tj 3 ,

where Tc is the current timestamp. If not, Sj

aborts this procedure. Otherwise, Sj obtains the current timestamp T4 and further computes

,2 3

= ( || )

i GWN j

KMh x T , SK h K= ( i′⊕Kj) and

,3= ( || ,1|| ,3|| )4

j GWN GWN

M h SK M M T . After that, the

sensor node Sj sends the message AMS Uj- i = {MGWN,1,MGWN,3,M T Tj,3, , }3 4

,1 ,3 ,3 3 4

= { , , , , }

S Uj i GWN GWN j

AM - M M M T T to the user Ui.

Step 5. When receiving the message MS Uj- i from

Sj, the smart card SCi verifies the validity of T4 by checking if |T Tc- 4|<ΔT. If not, SCi aborts the ses-sion. Otherwise, it computes Kj′ =MGWN,1⊕h d T( || )i 3

and SK h K= ( iKj′), and further verifies if

,3= ( || ,1|| ,3|| )4

j GWN GWN

M h SK M M T . If not, SCi also

terminates the session. At this point, Ui and Sj com-plete mutual authentication and share a common ses-sion key SK h K= ( iKj).

2.1.3. Password Change Phase

In this phase, a user Ui is allowed to update his/her password offline. To this end, the user Ui and the smart card SCi interactively perform as follows: Step  1. The user Ui inserts the smart card SCi into a card reader and inputs the identity IDi and the pass-word PWi.

Step  2. The smart card SCi computes

= ( || )

i i i

MP h r PW′ and checks if e h MP IDi = ( i′|| i). If not, the smart card rejects the user’s password update request. Otherwise, it further computes

= ( || )

i i i i

d fh MP e′ and h X( GWN) = (h MP di′|| )igi. After that, the smart card SCi requires Ui to input a new password.

Step 3. The user Ui selects and inputs a new pass-word new

i

PW .

Step  4. The smart card computes new= ( || new),

i i i

MP h r PW

= ( || ),

new new

i i i

MP h r PW new = ( new|| ),

i i i

e h MP ID new= ( new|| new)

i i i i

f dh MP e

= ( || )

new new new

i i i i

f dh MP e and new= ( ) ( new|| new)

i GWN i i

g h Xh MP d .

Then, SCi successively replaces ei, fi and gi with einew, new

i

f and new i g .

2.2. Security Pitfalls of Farash et al.’s Protocol

(8)

secrecy. Here, we emphasize that we discuss the se-curity of Farash et al.’s protocol under the same threat assumption as adopted in [7].

2.2.1. Offline Dictionary Attack

In this attack, an adversary  first observes an au-thentication instance executed among a user Ui, a sensor node Sj and the gateway node GWN, and re-cords these messages AMU Si- j, AMS GWNj- , AMGWN S j -and AMS Uj- i, which are transmitted over a public channel. Then,  obtains the user Ui’s smart card

SCi and extracts the values r e fi, ,i i and gi stored in

SCi by using technologies introduced in [21, 27]. After that, the adversary  launches offline dictionary at-tack by conducting the following steps:

Step  1. Establish a password dictionary space i.

Step  2. Select a candidate password *

i

PW from the dictionary space i, and compute *= ( || *)

i i i

MP h r PW ,

* *

,2 1

= ( || )

i i i

K Mh d T as well as * = ( *|| )

i i i i

d fh MP e .

Step  3. Check the validity of *

i

PW using one of the following manners:

_ Compute * *

,3= ( ,1|| ,2|| || )1

i i i i

M h M M K T and verify if

*

,3= ,3

i i

M M .

_ Compute * * ,3= ( ,1|| || )3

MGN GWN i

M h M d T , and verify if

*

,3= ,3

MGN MGN

M M .

_ Compute K*j =MGWN,1⊕h d T( || )i* 3 ,

*= ( * *)

i j

SK h KK

*= ( * *)

i j

SK h KK and * *

,3= ( || ,1|| ,3|| )4

j GWN GWN

M h SK M M T

* *

,3= ( || ,1|| ,3|| )4

j GWN GWN

M h SK M M T , and verify if *

,3= ,3

j j

M M .

_ Compute h X( GWN) =* gih MP d( i*|| )i* , * *

,1 1

= ( ( ) || )

i i GWN

ID Mh h X T

* *

,1 1

= ( ( ) || )

i i GWN

ID Mh h X T and * = ( *|| *)

i i i

e h MP ID , and

verify if *=

i i e e. Step 4. If *

i

PW passes through the above check then it must be that *=

i i

PW PW. This completes the at-tack. Otherwise, choose a new candidate password from i, and repeat the Steps 2 and 3 until the correct

password is found.

Denote by Th the running time of a hash operation and Txor the running time of an XOR operation. If we choose one of the first two equalities (i.e., *

,3= ,3

i i

M M

and *

,3= ,3

MGN MGN

M M ) to check the validity of a candi-date password, then the time complexity of the above attack procedure is (4Th+2Txor), which is nearly negligible. On the other hand, since passwords are usually generated in a personal way such that they can be easily memorable by human beings, the size of the

dictionary space i will be very limited. Thus, once

a user’s smart card is lost, an adversary can recover the correct password within seconds by running the above attack procedure on a PC. After that, as shown in the fourth check manner, with the recovered cor-rect password PWi, the adversary can further get the user’s identity IDi. As a result, the adversary  can legitimately access any sensor node on behalf of the user Ui just by obeying the authentication mecha-nism.

2.2.2. Sensor Node Spoofing Attack

In this attack, an adversary  first corrupts a sensor node Sc, and obtains the identity SIDc and the secret values xc, h X( GWN||1). Then, the adversary  imper-sonates any sensor node Sj a user Ui is trying to access. The details of this attack are as follows:

Step  1. When the user Ui sends the message

,1 ,2 ,3 1

= { , , , }

U Si j i i i

AM - M M M T to the sensor node

, j

S the adversary  intercepts this message. Then, it computes ESIDc=SIDch h X( ( GWN||1) || )T2 ,

,1= ( || || )1 2

c c c

M h x T TK and Mc,2= (h SID Mc|| c,1|| || || )T T K1 2 c

,2= ( || ,1|| || || )1 2

c c c c

M h SID M T T K . After that, the adversary  sends the message S GWN = { U S , c, c,1, c,2, }2

c i j

AM - AM - ESID M M T

to the gateway node GWN.

Step  2. When receiving the message AMS GWNc- from the sensor node Sc, the gateway node GWN performs the same as in Step 3 of the authentication phase. Since the message AMU Si- j does not contain any in-formation about the intended sensor node identity

j

SID , the gateway node GWN does not know that this message is originally sent to Sj, rather than Sc. On the other hand, the adversary  has the correct values xc and h X( GWN||1), and thus can pass through the verification of the gateway node GWN. Hence, the gateway node would conclude that the message

S GWNc

AM - is correct and return the response message

,1 ,2 ,3 ,4 3

= { , , , , }

GWN Sc GWN GWN GWN GWN

AM - M M M M T to

the sensor node Sc.

Step  3. After receiving the message AMGWN Sc -from the gateway node GWN, with the knowledge of

c

x and h X( GWN||1), the adversary  can correctly compute Ki′ =MGWN,2h x T( || ),c 3 SK h K= ( i′⊕Kc) and Mj,3= (h SK M|| GWN,1||MGWN,3|| )T4 . After that,

 sends the message S U = { GWN,1, GWN,3, j i

AM - M M

,3, , }3 4

j

(9)

Step  4. Upon receipt of the message AMS Uj- i, the user Ui checks if MGWN,3= (h MGWN,1|| || )d Ti 3 and

,3= ( || ,1|| ,3|| )4

j GWN GWN

M h SK M M T . Evidently, the

two values would pass through the check since the gateway node GWN correctly produces MGWN,3 using

i

d and the adversary  also computes the correct value Mj,3 with the knowledge of SK .

At last, the user Ui and the adversary  complete mutual authentication and establish a shared session key SK h K= ( iKc), which implies that  has suc-cussed in masquerading as the sensor node Sj. 2.2.3. Fail to Achieve Anonymity and Forward Secrecy

In Farash et al.’s scheme, to provide user and sensor node anonymity, a user Ui and a sensor node Sj use different temporary identities Mi,1=IDih h X( ( GWN) || )T1 and

2

= ( ( ||1) || ) j GWN

ESID h h x T in each authentication pro-cess. It seems that only the gateway node GWN, with the knowledge of the secret key XGWN, can recover the original identities IDi and SIDj. However, we note that all of users share a common secret value h X( GWN) and all of sensor nodes share another common se-cret value h X( GWN||1). Consequently, a malicious user Um, who possesses h X( GWN) =gmh MP d( m|| )m , can extract any user Ui’s identity from Mi,1 by computing ID Mi= i,1h X( GWN), and a corrupt-ed sensor node Sc, who holds h X( GWN||1), can ob-tain any sensor node Sj’s identity by computing

1 2

= ( ( ||1) || || ),

j j GWN

SID ESIDh h X T T where T1 and

T2 are the corresponding timestamps. Therefore, even if the private values of a user Ui and a sensor node Sj are absolutely secure, Farash et al.’ scheme cannot guarantee the anonymity of Ui and Sj.

The session key in Farash et al.’s protocol is comput-ed as SK h K= ( iKj), where Ki=Mi,2h d T( || )i 1 and Kj =Mj,1h x T T( || || )j 1 2 are two random values independently chosen by two protocol participants, a user Ui and a sensor node Sj. Thus, once eitherm

Ui’s smart card and password are compromised or Sj’s secret value xj is revealed, an adversary can recov-er Ki and Kj from those messages transmitted over public channel, and further obtain the session key

= ( i j)

SK h KK . Therefore, Farash et al.’s protocol fails to provide forward secrecy.

3. Security Analysis of Kumari et al.’s

Scheme

Kumari et al. [22] proposed a new authentication pro-tocol for WSN to partially conquer the above security pitfalls in Farash et al.’s [7] protocol. Roughly speak-ing, the two authentication protocols have the similar structure. For the limit of space, we just briefly review the user registration phase and login phase of Kumari et al.’s protocol, and then show that this protocol suf-fers from offline password guessing attack when the smart card is lost.

3.1. A Brief Review of Kumari et al.’ Scheme

In the user registration phase of Kumari et al.’s [22] scheme, a user Ui registers with GWN by carrying out the following steps:

Step  1. Ui chooses an identity IDi and a password

PWi, as well as a random nonce ri. Then, Ui computes = ( || )

i i i

MID h r ID and MP h r PWi = ( ||i i), and sends the registration message U GWN= { i, i}

i

RM - MP MID to

the gateway node GWN in a secure way.

Step  2. Upon receipt of RMU GWNi- from Ui, the gateway node GWN first checks Ui’s identity, and then successively computes e h MP MIDi = ( i|| i),

= ( || ),

i i GWN

d h MID X gi = (h XGWN|| )yih MP d( i|| )i and fi =dih MP e( i|| )i , where yi is a random num-ber. At last, GWN issues a smart card SCicontaining { , , , , ( )}e f g y hi i i i ⋅ to the user Ui.

Step  3. After receiving SCi from the gateway node

GWN the user Ui computes c r h ID PWi = i⊕ ( i|| i), and writes

c

i into SCi.

In the login phase, the user Ui performs the following operations:

Step  1. Ui inserts the smart card SCi into a device reader and inputs his/her identity IDi and pass-word PWi′. Then, the smart card SCi computes

= ( || )

i i i i

r c′ ⊕h ID PW′ ′ , MIDi′= ( ||h r IDii′) as well as

= ( || )

i i i

MP h r PW′ ′ ′ . Moerover, the smart card checks whether e h MP MIDi = ( i′|| i′) or not. If not, the smart card terminates the login process.

Step  2. In the case that IDi and PWi′ are both correct, the smart card SCi further computes

= ( || )

i i i i

(10)

1= i ( ( GWN|| ) || )i 1

M ID′⊕h h X y T . The smart card then picks a random number Ki and continues to calculate

2= i ( || ),i 1

M Kh d T M3= ( ,h M M SID K T1 2, j, , )i 1 , where T1 is the current time stamp on the user side and SIDj is the identity of the sensor node Sj to be ac-cessed. Finally, the smart card sends the login request message AMU Si- j = { ,M M M y T1 2, 3, , }i 1 to the sensor

node Sj via a public channel.

3.2. Security Pitfalls in Kumari et al.’s Protocol

In this section, we demonstrate that Kumari et al.’s protocol is vulnerable to offline password guessing attack when the smart card is lost. In Kumari et al’s protocol, since a user Ui needs to provide his/her identity IDi and password PWi simultaneously in the login phase, they have the same feature. Namely, they are both easy to remember and thus suffer from the threat of offline password guessing attack.

After obtaining a login request message

1 2 3 1

= { , , , , }

U Si j i

AM - M M M y T and the corresponding

user Ui’s smart card SCi, an adversary  first extracts { , , , , , ( )}e f g c y hi i i i i ⋅ from SCi. Then, the adversary  launches offline dictionary attack by conducting the following steps:

Step  1. Establish a password dictionary space pw

and an identity dictionary space id, respectively.

Step  2. Select a candidate password *

i

PW from the dictionary space pw and a candidate identity

*

i

ID from the dictionary space id, and sequentially

compute *= ( *|| *),

i i i i

r ch ID PW *= ( ||* *)

i i i

MP h r PW

and *= ( ||* *)

i i i

MID h r ID . *= ( || *)

i i i

MP h r PW ,

* *

,2 1

= ( || )

i i i

K Mh d T as well as *= ( *|| )

i i i i

d fh MP e .

Step  3. Check the validity of *

i

PW and *

i

ID using one of the following manners:

_ Check if = ( *|| *)

i i i

e h MP MID .

_ Compute * *

3= ( 1|| 2|| j|| i || )1

M h M M SID K T , and verify if

*

3= 3

M M .

Step  4. If *

i

PW and *

i

ID pass through the above check, then it must be that *=

i i

PW PW and *=

i i ID ID. This completes the attack. Otherwise, choose a new candidate password and identity from pw and id,

respectively, and repeat Steps 2 and 3 until the correct password is found.

Denote by Th the running time of a hash operation and Txor the running time of an XOR operation. If

we choose the first equality to check the validity of a candidate password and a candidate identity, then the time complexity of the above attack procedure is

(4T Th+ xor)

 , which is nearly negligible.

We note that the above attack implies that an adver-sary can directly recover a user’s identity and pass-word simultaneously. Thus, the protocol naturally fails to achieve user anonymity. In addition, similar to Farash et al.’s protocol, Kumari et al.’s protocol also cannot provide forward secrecy since the authenti-cation procedure only involves XOR operation, and an adversary can thus utilize the secret key of the gateway node to recover all secret values from those transmitted messages.

4. The Proposed Protocol

In this section, we propose an improved authentica-tion protocol AP that conquers the security pitfalls in Farash et al.’s [7] protocol and Kumari et al.’s [22] protocol. Next, we provide the details of the protocol. Similarly, there are three kinds of participants in the protocol AP, namely, a user Ui , a sensor node Sj and the gateway node GWN. Initially, the gateway node GWN

chooses an elliptic curve group G with prime order p. Let g be a random generator of G. GWN also chooses a secure one-way hash function h( ) :{0,1} *{0,1}. Then, the gateway node GWN selects a random inte-ger *

GWN p

X ∈Z as its long-term secret key. For each sensor node Sj, the gateway node GWN assigns a unique identity SIDj to identify Sj, and stores a secret value xj = (h SID Xj|| GWN) into Sj’s memory before deploying it into the network. This, in fact, completes

Sj’s registration to the gateway node. We now describe the details of the protocol AP.

4.1. Registration Phase

In this phase, a user Ui wanting to access any sensor node registers with the gateway node GWN. As shown in Figure 4, the user Ui and the gateway node GWN in-teractively complete the registration process by car-rying out the following steps:

Step  1. Ui selects an identity IDi and a password

PWi, as well as a random nonce ri∈Z*p. Then, Ui computes MP h r PWi = ( ||i i), and sends the registra-tion message = { , }

U GWNi i i

RM - MP ID to the gateway node

(11)

GWN via a secure channel. Step  2. After receiving U GWN

i

RM - from Ui, the gate-way node GWN first checks the uniqueness of IDi , namely, whether IDi is occupied by the other regis-tered users. If yes, the gateway node GWN prompts

Ui to choose a new identity. Otherwise, GWN selects a random nonce *

i p

t ∈Z , and then successively com-putes di = (h ID Xi|| GWN), TID ID h t Xi = i⊕ ( ||i GWN) and fi =dih ID MP( i|| i). At last, GWN issues a smart card SCi containing { ,f TIDi i} to the user Ui, and stores the tuple ( ,t TIDi i) into the user database. Step  3. Upon receipt of SCi from GWN, the user Ui writes the previously selected random nonce ri into SCi .

4.2 Authentication Phase

In this phase, a user Ui intending to access a sensor node Sj authenticates against Sj to ensure that Sj is a valid sensor node deployed by the gateway node GWN. Meanwhile, the sensor node Sj verifies Ui’s validity to avoid unauthorized access. When they successful-ly complete mutual authentication, a shared session key is established for securing subsequent communi-cations between Ui and Sj. Concretely, as depicted in Figure 5, the authentication procedure is executed in the following manner:

Figure 4

Registration phase in the protocol AP

User Ui Gateway node GWN

Choose IDi, PWi Select a random integer ri Compute MP h r PWi= ( ||i i)

Set RMU GWNi = {MP IDi, i} RMU GWNi

Check IDi Compute

= ( || )

i i GWN

d h ID X

TID ID h t Xi = i ( ||i GWN)

= ( || )

i i i i

f dh ID MP

Store ( ,t TIDi i) into the database i

SC

 SCi{ ,f TIDi i} Write ri into SCi

Step  1. Ui inserts the smart card SCi into a terminal and inputs the identity IDi and the password PWi. The smart card SCi computes MP h r PWi′= ( ||i i) and

= ( || || )

i i i i i

dfh ID TID MP′ . Moreover, SCi selects a random integer *

p

x∈Z and sets = x i

K g . Then, it gets the current timestamp T1, and further computes

*=

i i i

d d′⊕K and Mi,1= ( ||h d TID SID Ti* i|| j|| ).1 After

that, SCi sends the authentication request message

*

,1 1

= { , , , }

U Si j i i i

AM - d TID M T to the sensor node Sj. Step  2. Upon receipt of AMU Si- j from Ui, the sensor node Sj captures the current time-stamp Tc and checks whether |T Tc- 1|<ΔT and

*

,1= ( || || || )1

i i i j

M h d TID SID T , where ΔT is the al-lowed maximum transmission delay. If not, Sj terminates this session. Otherwise, it choos-es a random integer *

p

y∈Z and sets = y j

K g .

Then, it gets the current timestamp T2, and com-putes the two values Mj,1= ( || )h x Tj 2Kj and

,2= ( ,1|| || )

j j U Si j j

M h M AM - K . Subsequently, it sends

the authentication request message AMS GWNj- = {AMU Si- j,SID M M Tj, j,1, j,2, }2

,1 ,2 2

= { , , , , }

S GWNj U Si j j j j

AM - AM - SID M M T to the gateway node

GWN.

Step  3. After receiving S GWN j

AM - from Sj, the gate-way node GWN checks the validity of T2 and

M

j,2

(12)

in a similar way. If they are not acceptable, GWN

terminates this session. Otherwise, GWN computes

= ( || )

j j GWN

xh SID X and cj' =Mj,1⊕h x T( || )j′ 2 .

Then, the gateway node GWN examines whether it holds that Mj,2= (h Mj,1||AMU Si- j ||SID K Tj|| j′|| )2 .

If not, GWN also terminates this session. Otherwise, it retrieves the tuple ( ,t TIDi i) from the database and recovers IDi′ =TID h t Xi⊕ ( ||i GWN). Moreover, GWN computes di′′= (h ID Xi′|| GWN) and Ki' = 'di′ ⊕di*. Af-ter that, the gateway node GWN selects a random in-teger *

p

z∈Z and captures the current timestamp T3, and further computes the following values:

,1= ( || ),3 ,2= ( || || ) ( ) ,3 z

GWN j GWN j i i

M h K TM h x TID T′ ⊕ K

,1= ( || ),3 ,2= ( || || ) ( ) ,3 z

GWN j GWN j i i

M h K TM h x TID T′ ⊕ K

,3= ( || || ) ( ) ,3 z ,4= ( ,1|| ,2|| ,3|| ).3

GWN i j j GWN GWN GWN GWN

M h d′′ SID TKM h M M M T

,3= ( || || ) ( ) ,3 z ,4 = ( ,1|| ,2|| ,3|| ).3

GWN i j j GWN GWN GWN GWN

M h d′′ SID TKM h M M M T

At the end, the gateway node GWN sends the re-sponse message AMGWN S- j = {MGWN,1,MGWN,2,

,3, ,4, }3

GWN GWN

M M T to the sensor node Sj .

Step  4. Once receiving AMGWN S j- from GWN, the sensor node Sj gets the current timestamp

c

T and verifies whether |T Tc- 3|<ΔT and

,4= ( ,1|| ,2|| ,3|| )3

GWN GWN GWN GWN

M h M M M T . If not,

Sj aborts this session. Otherwise, Sj further checks whether it holds that MGWN,1= (h K Tj|| )3 . If not,

Sj also terminates this session. Otherwise, Sj au-thenticates against the gateway node GWN. More-over, Sj recovers ( ) =Kiz MGWN,2⊕h x TID T( ||j i|| )3 .

Then, it obtains the current timestamp T4 and computes Mj,3= (( ) || || )h Kizy T T3 4 and

,4= ( ,3|| ,3|| || )3 4

j j GWN

M h M M T T . After that, the

sensor node Sj sends the message AMS Uj- i = {MGWN,3,Mj,3,M T Tj,4, , }3 4

,3 ,3 ,4 3 4

= { , , , , }

S Uj i GWN j j

AM - M M M T T to the user Ui.

Step  5. When receiving MS Uj- i from Sj, the smart card SCi first checks the validity of T4 and Mj,4. If they are not acceptable, SCi aborts this session. Other-wise, it computes ( ) =z ,3 ( || || )3

j GWN i j

KMh d SID T

and verifies if ,3= (( ) || || ).zx 3 4

j j

M h KT T If not, SCi also terminates this session. Otherwise, SCi au-thenticates against the sensor node Sj and

produc-es the sproduc-ession key as = (( ) ||zx || )

j i j

SK h KTID SID .

Moreover, it gets the current timestamp T5 and com-putes Mi,2= (( ) || )h Kjzx T5 , and sends the message

,2 5

' = { , } U Si j i

AM - M T to the sensor node Sj.

Step  6. After receipt of AMU Si- j' from Ui, the sen-sor node Sj gets the current timestamp Tc and checks whether |T Tc- 5|<ΔT and Mi,2= (( ) || ).h Kizy T5 If

not, Sj terminates this session. Otherwise, the sensor node Sj authenticates against the user Ui and gener-ates the session key as = (( ) ||zy || )

i i j

SKh KTID SID . Here we briefly describe the intuition behind the above authentication mechanism. First, Ui sends a hidden challenge value Ki in the form of *=

i i i d Kd′ to Sj, where di′= (h ID Xi|| GWN), such that only the gateway node GWN can recover it from *

i

d with the knowledge of long-term secret key XGWN. We emphasize that the computation of hash value Mi,1 does not involve any private value (e.g., Ki). Thus, it naturally cannot be used to check the validity of a candidate password. After receiving the authentication message, Sj itself produces challenge values Mj,1= ( || )h x Tj 2Kj and

,2= ( ,1|| || || )2

j j U Si j j

M h M AMK T , and sends them to , and sends

GWN. With these two values and the long-term se-cret value XGWN, the gateway node can ensure that Sj is a registered sensor node since it holds the initially issued secret value

x

j. Moreover GWN recovers Ui’s identity IDi and the challenge value Ki, but it cannot directly check their validity. Therefore, GWN also chooses a challenge value z, and computes

M

GWN,1

and

M

GWN,2 for Sj, and

M

GWN,3 for Ui. By checking the two values, Sj can be convinced that GWN also knows the secret value

x

j and thus is valid. Mean-while, Sj recomputes the hash value Mj,3 for Ui . Giv-en Mj,3 and MGWN,3, the user Ui can make sure that Sj knows the value z

i

K and thus is valid. Finally, Ui gen-erates a hash value Mi,2 for Sj to prove that he also knows the value z

j

K , which implies that Ui is a valid user.

4.3. Password Change Phase

In this phase, a user Ui updates the original pass-word PWi under the supervision of the gateway node

(13)

Figure 5

(14)

PWi and the identity IDi input by the user Ui are correct. After that, Ui is required to select and input a new password new.

i

PW Then, the smart card SCi successively computes new= ( || new)

i i i

MP h r PW and

= ( || ) ( || ),

new new

i i i i i i

f fh ID MPh ID MP and

replac-es fi with new i

f . This completes Ui ’s password update. In the protocol AP, password change is done in an online way, rather than offline update as in Farash et al.’s protocol. Essentially, the difference between the two methods comes from the fact that who is in charge of checking the validity of the password PWi and the identity IDi input by the user Ui. Note that it is the gateway node GWN in the protocol AP, and the smart card SCi in Farash et al.’s protocol. However, as demonstrated in Subsection 2.2, once the correspond-ing verification information stored in the smart card

SCi is revealed, an adversary can utilize it to launch offline password guessing attack. This is also why we adopt an online manner of updating password. Name-ly, a smart card in the protocol AP does not contain any information that can be directly used to check the validity of the corresponding password.

5. Security Analysis

In this section, we evaluate the security of the pro-tocol AP. Specifically, we demonstrate that AP can withstand various well-known attacks, including offline password guessing attack, user/sensor node impersonation attack, parallel and reflection attack, reply attack and privileged insider attack. We also show that AP features desired security properties, such as mutual authentication, user anonymity and key agreement.

5.1. Offline Password Guessing Attack

Assuming an adversary  has obtained a legal user Ui ’s smart card SCi, from which  extracted { , ,f r TIDi i i}, where fi = (h ID Xi|| GWN)h ID h r PW( i|| ( ||i i)). More-over, we suppose that  also has recorded these au-thentication messages U S

i j

AM - , AMS GWNj- ,

AM

GWN S j- , S Uj i

AM - and AMU Si- j' that were transmitted publicly among Ui, Sj and GWN. Now we show that  cannot use the above values to verify the validity of a candi-date password. Given a candicandi-date password *

i PW ,

the adversary  would compute *= ( || *)

i i i

MP h r PW ,

* = ( || || *)

i i i i i

dfh ID TID MP and Ki*=di*⊕di*′. If one of the above values is correctly computed, then *

i PW is the correct one (i.e., *=

i i

PW PW). Since *

i MP is just used to compute *

i

d′, thus the only way for  to launch offline password guessing attack is to check the correctness of *

i d′ or Ki*.

First, if the long-term secret key XGWN gets compro-mised, then  can compute di = (h ID Xi|| GWN) and further check the validity of *

i

PW by comparing *

i d′ with di. Of course, the offline password guessing at-tack in this case is trivial. Second, note that the com-putation of MGWN,3 involves di, which means that

 can recover *

,3 3

( ) =z ( || || )

j GWN i j

KMh d SID T′ .

Observe that ( )z j

K′ is never transmitted among the

protocol participants and thus is not available to . Consequently,  cannot utilize the recovered value

( )z j

K′ to check the validity of

*

i

d

′. Moreover, even if j

S ’s secret key xj is revealed, which implies that 

can recover Kj =Mj,1h x T( || )j 2 , the adversary 

also cannot check the validity of the recovered value ( )z

j

K′ without the knowledge of z, which is randomly

sampled from * p

Z by the gateway node. To get the value

z, the adversary  has to solve the discrete logarithm problem, which is believed to be hard. Thus,  cannot verify the validity of *

i

d′. Finally, note that  can uti-lize xj to recover ( ) =z ,2 ( || || )3

i GWN j i

KMh x TID T .

However, without the knowledge of z, the adversary

 also cannot check the validity of *

i

K . Therefore, we conclude that the proposed protocol is secure against offline password guessing attack, even if the private information stored in the smart card gets compro-mised and the sensor node a user trying to access is corrupted.

5.2. User Impersonation Attack

In this attack, an adversary  intends to access a sen-sor node Sj by impersonating an honest user Ui. To this end, from the protocol flow we know that  is ini-tially required to produce an authentication message

*

,1 1

= { , , , }

U Si j i i i

AM - d TID M T and finally has to gen-erate a response message AMU Si- j' = {TID M Ti, i,2, }5 ,

where *=

i i i

d d′⊕K and Ki =gx. By the protocol cri-teria, if  can pass Sj’s check, then it must hold that

,2 = (( ) ||zx || || ) =5 ,2' = (( ) ||zy || || ).5

i j i j i i i j

M h KTID SID T M h KTID SID T

(15)

,2= (( ) ||zx || || ) =5 ,2' = (( ) ||zy || || ).5

i j i j i i i j

M h KTID SID T M h KTID SID T Moreover, due to the

proper-ty of the hash function h( )⋅ withstanding col-lision attack, the above equality indicates that

( ) = ( )zx zy

j i

KK′ . If Ki′ = (h ID Xi′|| GWN)⊕di*=Ki, then the previous equality requires that  must correctly recover ( ) =z ,3 ( || || )3

j GWN i j

KMh d SID T′ ,

which also means that  has to get the value

= ( || ) = ( || || ( || ))

i i GWN i i i i i

dh ID X fh ID TID h r PW .

There are two ways for  to compute this value, namely, getting the long-term secret key XGWN or Ui ’s password PWi and the value fi stored in Ui’s smart card SCi. In the first case that  obtains XGWN, it can impersonate any legal user. In the second case that 

gets PWi and fi, it in fact has corrupted the user Ui. Thus, despite in which case ’s impersonation attack is trivial. If x

i i

K gK

′ ≠ , then  possessing Ki and

( ) =z yz j

Kg must correctly compute ( ) =Kizy gx yz′ . From the discrete logarithm assumption we know that this is impossible for  without the knowledge of x′. In conclusion, the proposed protocol can with-stand user impersonation attack.

5.3. Sensor Node Spoofing Attack

In this attack, a malicious sensor node Sc tries to im-personate an honest sensor node Sj that a user Ui in-tends to access. Recall that the reason why Farash et al’s protocol suffers from sensor node spoofing attack is that the message AMU Si- j in their protocol does not contain any information about Sj’s identity SIDj, and the gateway node does not care which sensor node that Ui is trying to access. To fix this security pitfall, we let Ui compute Mi,1= ( ||h d TID redSID Ti* i|| j|| )1 and GWN produce MGWN,3= ( ||h d redSID Ti′′ j|| ) ( )3 ⊕ Kjz,

which guarantees that the sensor node Ui is trying to access is consistent with the one that authenticates against the gateway node GWN. In other words, from

Sc’s perspective, if it wants to pass through GWN’s authentication on behalf of Sj , then it must know the value xj, which implies that Sj is corrupted and this attack is trivial. On the other hand, Sc can success-fully authenticate to GWN by using its own secure value xc. However, this will result in that GWN would compute MGWN,3= ( ||h d redSID Ti′′ c|| ) ( )3 ⊕ Kjz and Ui would recover '

,3 3

( ) =z ( || || )

j GWN i j

KMh d redSID T′ .

Clearly, we have that ( )z ( )'z

j j

K ′ ≠ K′ under the

as-sumption that h( )⋅ can withstand collision attack.

Consequently, Sc cannot pass through Ui’s authenti-cation because '

,3 (( ) || )zx 3

j j

Mh KT . Hence, the pro-posed protocol can resist sensor node spoofing attack.

5.4. Reflection Attack

In a reflection attack, when an honest protocol par-ticipant sends to an intended communication partner for the later to perform a cryptographic process, an ad-versary  intercepts the message and simply sends it back to the message originator. In such an attack, 

tries to deceive the message originator into believing that the reflected message is expected by the origina-tor from the intended communication partner, either as a response to, or as a challenge for, the originator. If

 is successful, the message originator would either accept an “answer” to a question which was, in fact, asked and answered by the originator itself, or would provide  with an oracle service which  needs but cannot provide to itself.

In the proposed protocol, a user Ui sends the message U Si j

AM - to a sensor node Sj, from which Ui expects to receive the message S U

j i

AM - . Obviously, an adver-sary  cannot pass through Ui’s authentication by simply sending AMU Si- j back to Ui, since S U

j i

AM

-and AMU Si- j are different in terms of structure and associated timestamp. Moreover, Sj successively sends AMS GWNj- and AMS Uj- i to the gateway node

GWN, and expects to receive AMGWN S j- from GWN and AMU Si- j' from Ui, respectively. For the same rea-son, the adversary  also cannot utilize these mes-sages to launch reflection attack. Therefore, the pro-posed protocol is secure against reflection attack.

5.5. Replay Attack

Figure

Table 1 Notations used in this paper
Figure 1 Registration phase for a user
Figure 2 Registration phase for a sensor node
Figure 3 Authentication phase in Farash et al.’s scheme
+5

References

Related documents

Given the industrial relations setting in Germany, where collective contracts are generally applied to all employees in a firm irrespective of whether they belong to a trade union

In our research, we focused on the plant water stress in the drought periods and optimization of the irrigation dose in real–time, based on the dendrometric changes.. MATERIAL

Additionally, our scheme gives shorter signatures than in the LMRS sequential aggregate signature scheme [20] and has a more efficient verification algorithm than the BGLS

The aim and objectives of the study are to produce the recovery or recycling process flow for potential scheduled wastes that can be recovered or recycled, identify the

In mutants bsx3 and bsx10, the corre- tions existed between style number and carpel number or pollen viability and seed set in crosses of wild type sponding male sterility or

Fig 4.1: 3-D model of multipurpose wheel chair with Baby stroller concept selected in Pugh‟s method.. C

A varying of urea concentration solution was prepared and injected in engine tail pipe before SCR catalyst with a constant flow rate of 0.75 lit/hr and constant pressure of

The effect of modifiers of PEV suggest that this dependence reflects a requirement for the proteins en- riched in heterochromatin (HEARN et al. Hetero-