4.5 Article

SPrivAD: A secure and privacy-preserving mutually dependent authentication and data access scheme for smart communities

Journal

COMPUTERS & SECURITY
Volume 115, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2022.102610

Keywords

Smart communities; Authentication; Data access; Security; Privacy

Recent studies have shown that attackers exploit valid credentials and craft authentication request messages to evade authentication and access data illegitimately in smart communities. They can also spread malware and launch DDoS attacks by sending numerous authentication and data access requests. This paper proposes SPrivAD, a secure and privacy-preserving solution that enables mutual authentication and data access in smart communities. The approach utilizes a protocol called Inter-Attribute-based Zero Knowledge Proof of Knowledge (IA-ZKPK) and computational attributes derived from cryptographic operations to perform Mutually Dependent Multi-Factor Authentication and Data Access (MDMFA). The results demonstrate that SPrivAD is efficient, secure, and privacy-preserving.
Recent studies show that attackers evade authentication by exploiting valid credentials and crafting authentication request messages to compromise assets and illegitimately access data in smart communities such as smart campuses and smart cities. In addition, attackers can send large numbers of authentication and data access requests to spread malware across the smart communities' network and cause Distributed Denial of Service (DDoS) attacks. This paper proposes SPrivAD, a secure and privacy-preserving mutually dependent authentication and data access solution by which smart communities' assets such as users, devices, and apps can authenticate each other before allowing data access. SPrivAD uses an Inter-Attribute-based Zero Knowledge Proof of Knowledge (IA-ZKPK) protocol based on computational attributes of cryptographic operations, and cryptographic identities of the assets to perform Mutually Dependent Multi-Factor Authentication and Data Access (MDMFA). The computational attributes such as message size and number of executed steps of cryptographic operations are features derived from the knowledge of cryptographic operations between the assets. Our approach for deriving a unique, deactivatable, and revocable cryptographic identity is based on the secrets of an asset in a modified Elliptic Curve Pedersen Commitment Scheme (EC-PCS) with security and privacy guarantees. We implement a prototype of SPrivAD and evaluate it with respect to its security, privacy, and performance. The results show that it is secure, privacy-preserving, and efficient for mutually dependent authentication and data access in smart communities. Furthermore, we design and analyse a new attack, Smart Communities Authentication Bypass Attack (SCABA), on real-world authentication and secure access schemes such as Ruckus Cloudpath Enrollment System and Duo Multi-Factor Authentication (MFA). This type of attack exploits valid credentials of smart communities' assets. 
We show that SPrivAD mitigates SCABA. (C) 2022 Elsevier Ltd. All rights reserved.
