Mutual Authentication: A New Requirement?

Maddy Chen

The Internet of Things is a relatively new addition to society, in which vast numbers of physical devices connect and communicate with each other over the Internet. Because these devices communicate on insecure channels, their messages must be protected to prevent attackers from obtaining private data. This is where mutual authentication comes into play in keeping data transmission schemes secure. For those interested in learning about data transmission security and authentication protocols, keep on reading! Mutual authentication is when two (or more) entities each verify that the other is a legitimate party before continuing with any further communication. Many data transmission schemes treat mutual authentication as a base characteristic of a secure protocol, but it is not yet considered a requirement for all data transmission schemes. I think that mutual authentication should be considered a requirement and be implemented in all future authentication schemes, because it can greatly increase the security of a scheme.

By ensuring that mutual authentication occurs in one's authentication protocol, certain adversarial attacks will fail. In particular, mutual authentication can protect a scheme against man-in-the-middle (MITM) attacks, replay attacks, spoofing attacks, and other types of impersonation attacks. During a MITM attack, an attacker inserts themselves between the two communicating parties and alters the messages passing between them. This fails when mutual authentication is implemented because each party verifies the other's identity, so the attacker cannot pose as the server to the client or as the client to the server. Replay attackers reuse older messages captured from legitimate users and try to trick the server into accepting them; a mutual authentication exchange that binds each party's proof to a fresh challenge (a nonce or timestamp) issued by the other side makes a recorded proof useless in a later session, so replayed messages are denied. Similarly, spoofing attackers who present falsified identity information will be denied, because the server also requires them to prove that they are a legitimate party, which they cannot do without that party's secret. Mutual authentication also supports information integrity: once both parties are verified and have agreed on a session key, every later message can be bound to that key with a message authentication code, so a message that does not verify under the key has been manipulated in transit and is rejected. Note that verifying the sender's identity by itself does not guarantee that an individual message is unaltered; the integrity guarantee comes from authenticating each message under the agreed key. As you can see, many threats to data security can be protected against by implementing mutual authentication in a scheme.

These types of attacks, whether their goal is manipulating data or simply collecting it, are important to defend against, especially because of the specific types of data that are often transmitted over insecure channels. Many technologies store and transmit medical information and other general health-tracking data. One example is a patient whose vitals need to be monitored but who should not be disturbed: remote health tracking can continue to monitor the patient without interference. It is incredibly important to keep this data secure and out of reach of adversaries wishing to manipulate it, so that health officials can monitor accurate data and keep patients healthy with correct diagnoses. Other types of sensitive data that may be transmitted across public channels are people's private locations from phones and smartwatches, a system's properties and current status, and other types of wireless data. In the general case, data should be protected because there can be consequences if it is obtained by adversaries or manipulated to display false information.

With all types of messages containing information that should be protected, why are there still many schemes written without mutual authentication? Why has it not become a base requirement for data transmission protocols? Researchers have reported that adding a mutual authentication step to a data transmission scheme can increase its runtime or memory usage. This can disqualify a scheme from being lightweight, that is, from using a minimal amount of memory and keeping processing time low. According to Jan et al. and many other researchers, lightweightness is a desired characteristic for many schemes because many IoT devices cannot handle large memory and computation demands.

While it is good to consider runtimes and memory usage, I would still argue that security should be the top priority, especially since the scheme is written with the purpose of keeping the message transmission process secure. In fact, many researchers have written schemes that sacrifice some runtime in order to implement mutual authentication. Narwal and Mohapatra wrote a data transmission scheme that does not completely outperform all previous related works in processing time and memory usage, but it is able to withstand a wider range of adversarial attacks than the previous works could. I would also argue that adding a mutual authentication step does not drastically increase the runtime, because once the parties are verified they establish a shared secret session key, and for the rest of the session they only need to authenticate messages under that key rather than repeat the full authentication exchange. Scheme designers can also organize their systems so that repetitive authentication does not need to occur. For example, when organizing radio frequency identification (RFID) tags and their readers, Guo et al. assign only designated readers to specific tags, so there does not have to be an excessive amount of authentication between every tag and every reader. Lastly, as future improvements in technology increase computational speed, lightweightness will become less of a concern.
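The following is an added example written for this page, not code from any of the cited schemes: it shows the exchange described in the attack discussion above (challenge-response mutual authentication with fresh nonces) together with the point made in this paragraph that, once the parties have agreed on a session key, later messages are authenticated under that key instead of repeating the handshake. It assumes a pre-shared-key model, a hypothetical device `sensor-17` and gateway `gateway-1`, and a constructed heart-rate reading `hr=72`; real schemes may use certificates, smart cards or biometrics as the long-term credential, but the structure is the same. `protocol_demo()` runs an honest session and then four attacks (a spoofed gateway, a replayed handshake message, a reading altered by a MITM, and a replayed reading), each of which must be refused.

```python
import hashlib
import hmac
import os

# Constructed values: a long-term pre-shared key (PSK) provisioned into one IoT
# device and its gateway, plus the two identifiers bound into every proof.
PSK = hashlib.sha256(b"example provisioning secret").digest()
DEVICE_ID = b"sensor-17"
GATEWAY_ID = b"gateway-1"

def tag(key, *parts):
    """HMAC-SHA256 over length-prefixed fields, so fields cannot shift into each other."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class Device:
    def __init__(self, psk):
        self.psk, self.nonce, self.session_key, self.send_seq = psk, None, None, 0

    def hello(self):
        self.nonce = os.urandom(16)  # fresh challenge for the gateway
        return DEVICE_ID, self.nonce

    def finish(self, gw_nonce, gw_tag):
        """Verify the gateway's proof, derive the session key, return our own proof."""
        expected = tag(self.psk, b"gw", DEVICE_ID, GATEWAY_ID, self.nonce, gw_nonce)
        if not hmac.compare_digest(expected, gw_tag):
            return None  # spoofed, or replayed from a session with a different nonce
        self.session_key = tag(self.psk, b"session", self.nonce, gw_nonce)
        return tag(self.psk, b"dev", DEVICE_ID, GATEWAY_ID, self.nonce, gw_nonce)

    def send(self, payload):
        """Authenticate one data message under the session key (no re-authentication)."""
        self.send_seq += 1
        seq = self.send_seq.to_bytes(4, "big")
        return self.send_seq, payload, tag(self.session_key, b"data", seq, payload)

class Gateway:
    def __init__(self, psk):
        self.psk, self.pending, self.sessions, self.last_seq = psk, {}, {}, {}

    def challenge(self, device_id, dev_nonce):
        """Answer the device's challenge and issue our own fresh challenge."""
        gw_nonce = os.urandom(16)
        self.pending[device_id] = (dev_nonce, gw_nonce)
        return gw_nonce, tag(self.psk, b"gw", device_id, GATEWAY_ID, dev_nonce, gw_nonce)

    def verify(self, device_id, dev_tag):
        """Check the device's proof; on success derive the same session key."""
        if device_id not in self.pending:
            return False
        dev_nonce, gw_nonce = self.pending.pop(device_id)
        expected = tag(self.psk, b"dev", device_id, GATEWAY_ID, dev_nonce, gw_nonce)
        if not hmac.compare_digest(expected, dev_tag):
            return False  # the device could not prove knowledge of the PSK
        self.sessions[device_id] = tag(self.psk, b"session", dev_nonce, gw_nonce)
        self.last_seq[device_id] = 0
        return True

    def receive(self, device_id, seq, payload, mac):
        """Accept a data message only if its MAC verifies and its sequence number is fresh."""
        key = self.sessions.get(device_id)
        expected = key and tag(key, b"data", seq.to_bytes(4, "big"), payload)
        if not expected or not hmac.compare_digest(expected, mac):
            return False  # no authenticated session, altered in transit, or forged
        if seq <= self.last_seq[device_id]:
            return False  # replayed or reordered
        self.last_seq[device_id] = seq
        return True

def run_handshake(dev, gw):
    """Three-message mutual authentication: hello, challenge + proof, proof."""
    dev_id, dev_nonce = dev.hello()
    gw_nonce, gw_tag = gw.challenge(dev_id, dev_nonce)
    dev_tag = dev.finish(gw_nonce, gw_tag)
    return dev_tag is not None and gw.verify(dev_id, dev_tag)

def protocol_demo():
    """Honest run, then spoofing, handshake replay, MITM tampering and data replay."""
    results = {}
    dev, gw = Device(PSK), Gateway(PSK)
    results["honest"] = run_handshake(dev, gw) and dev.session_key == gw.sessions[DEVICE_ID]
    seq, payload, mac = dev.send(b"hr=72")
    # A MITM edits the reading in transit: the MAC no longer verifies.
    results["tampered_data"] = not gw.receive(DEVICE_ID, seq, b"hr=27", mac)
    accepted = gw.receive(DEVICE_ID, seq, payload, mac)  # genuine message, accepted once
    results["replayed_data"] = accepted and not gw.receive(DEVICE_ID, seq, payload, mac)
    # Spoofing: an impostor without the PSK answers a device's challenge.
    dev, impostor = Device(PSK), Gateway(os.urandom(32))
    _, nonce = dev.hello()
    results["spoofed_gateway"] = dev.finish(*impostor.challenge(DEVICE_ID, nonce)) is None
    # Replay: a recorded gateway response is presented to a later session.
    dev, gw = Device(PSK), Gateway(PSK)
    _, nonce = dev.hello()
    recorded = gw.challenge(DEVICE_ID, nonce)
    later = Device(PSK)
    later.hello()  # fresh nonce, so the recorded proof no longer matches
    results["replayed_handshake"] = later.finish(*recorded) is None
    return results
```

Calling `protocol_demo()` returns a dictionary whose five values are all True. Two details carry the security argument: the nonce from each side is bound into the other side's proof, which is what makes a recorded handshake message worthless later, and every reading after the handshake carries a MAC under the agreed session key plus a sequence number, which is what detects tampering and replay. Neither property follows from checking identities alone, and both cost one HMAC per message rather than a repeated handshake, which is the runtime point made above.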

In conclusion, mutual authentication is an important factor in keeping data secure, and it should become a requirement for data transmission schemes. Mutual authentication is beneficial because it can protect against MITM attacks, replay attacks, and spoofing attacks. It also supports information integrity, because messages exchanged after authentication can be bound to the session key agreed between the verified parties. Although many argue for lightweightness as well, the goal of writing security schemes is to keep data secure, so protecting the data should be the higher priority. In the end, mutual authentication plays an important role in keeping our private information safe.

REFERENCES

Chen, Liquan, Sijie Qian, Ming Lim, and Shihui Wang. 2018. “An Enhanced Direct Anonymous Attestation Scheme with Mutual Authentication for Network-Connected UAV Communication Systems.” China Communications 15(5):61–76. https://doi.org/10.1109/CC.2018.8387987.

Chen, Yulei and Jianhua Chen. 2020. “A Secure Three-Factor-Based Authentication with Key Agreement Protocol for e-Health Clouds.” The Journal of Supercomputing: An International Journal of High-Performance Computer Design, Analysis, and Use 1–22. https://doi.org/10.1007/s11227-020-03395-8.

Guo, Fuchun, Yi Mu, Willy Susilo, and Vijay Varadharajan. 2017. “Privacy-Preserving Mutual Authentication in RFID with Designated Readers.” Wireless Personal Communications 96(3):4819–45. https://doi.org/10.1007/s11277-017-4430-x.

Jan, Mian Ahmad, Fazlullah Khan, Muhammad Alam, and Muhammad Usman. 2019. “A Payload-Based Mutual Authentication Scheme for Internet of Things.” Future Generation Computer Systems 92:1028–39. https://doi.org/10.1016/j.future.2017.08.035.

Narwal, Bhawna and Amar Kumar Mohapatra. 2020. “SEEMAKA: Secured Energy-Efficient Mutual Authentication and Key Agreement Scheme for Wireless Body Area Networks.” Wireless Personal Communications 113(4):1985–2008. https://doi.org/10.1007/s11277-020-07304-3.