ESIKE: An Efficient and Secure Internet Key Exchange Protocol

The use of Internet key exchange protocols in the IP Security architecture and in IoT environments is vulnerable to various malicious attacks and affects communication efficiency. To address these weaknesses, we propose a novel efficient and secure Internet key exchange protocol (ESIKE), which achieves a high level of security along with low computational cost and energy consumption. ESIKE achieves perfect forward secrecy, anonymity, known-key security, and untraceability. ESIKE can resist several attacks, such as replay, DoS, eavesdropping, man-in-the-middle and modification. In addition, formal security validation using the AVISPA tools confirms the superiority of ESIKE in terms of security.

To solve these problems, several authentication schemes, as well as authentication and key management protocols (DTLS and IKE), have been proposed in the literature.
Unfortunately, the majority of the proposed authentication works start with an initialization phase in which the transmission channel is assumed to be secure; over this channel the parties share parameters that are then used as secret values during the authentication phase. In [1] the authors propose an authentication scheme based on a secure channel over which they share important parameters. Thereafter, the shared parameters are used as secret values in the authentication phase. In addition, they introduce the concept of a valid authentication period for IoT. Khemissa et al. designed an authentication scheme based on the HMAC operation, in which a secure channel is used to share the parameters used in the following communication phases [2]. Alshahrani et al. [3] presented an authentication protocol based on a secure channel for exchanging an asymmetric key, where they introduced the concept of a counter that is used to verify authentication. In [4], the authors proved the vulnerability of the authentication schemes proposed by Kalra and Sood, and by Chang et al., and proposed an improvement. 6LoWPAN was created by the IETF. Its aim is to define an adaptation layer placed between the data link layer and the network layer in order to ensure the transmission of IP datagrams over IEEE 802.15.4 links. This layer performs fragmentation, reassembly and compression. In IoT, the security of messages transmitted between nodes is provided by several protocols such as DTLS and IKE [5].
DTLS was developed to protect the CoAP (Constrained Application Protocol) application layer [5]. A compression mechanism is required for the DTLS protocol, and this mechanism can compromise end-to-end security.
In addition, key management and authentication schemes based on Elliptic Curve Cryptography do not meet the needs of the IoT environment because large messages are fragmented during adaptation, so retransmission and reassembly of messages become necessary [5].
Internet Protocol version 6 is considered an ideal solution for the IoT. IPv6 uses the Internet Security Protocol (IPSec) to secure the exchanged information. IPSec is part of the IETF protocol suite that provides security for the Internet Protocol (IP). It is designed to protect exchanges in IP networks and aims to ensure several security dimensions: data source authentication, confidentiality, data integrity and access control.
IPSec provides its security services by combining two protocols. The AH protocol [6] guarantees both the authenticity and the integrity of IP packets. The ESP protocol [7] ensures authentication and confidentiality. Before providing these security dimensions, IPSec decides on the security parameters to be applied: the cryptographic algorithms, the security protocols (AH, ESP), the secret keys, and the choice between transport mode and tunnel mode.
IPSec uses the Security Association (SA) to manage these confidential parameters. An SA consists of all the information necessary to apply IPSec processing to an IP packet [8] [9]. IPSec therefore needs a way to exchange security association information, and it uses the IKE protocol for this purpose. Figure 1 depicts the components of IPSec.
The IKE protocol is the principal part of an IPSec implementation. It is used to negotiate the secret keys between the two parties, the initiator and the responder, and to create the security associations (SA) that define how the traffic between the two parties will be protected [10] [11] [12]. The main security requirements of IPSec depend on the IKE protocol.
In [13], the authors propose a protocol that compresses the headers of the IPSec protocol. Despite the compression, this protocol remains inapplicable in the IoT because it uses a heavy key management protocol.
In this article, we present a security analysis of the original IKE and its successor. Then, we propose a new efficient and secure Internet key exchange protocol applicable in the IoT environment. Although theoretical verification is typically used to validate the security requirements of protocols, it remains inadequate on its own. Consequently, the AVISPA formal protocol analysis tools have been employed to verify the security properties of ESIKE.
The rest of this article is organized as follows. Section 2 presents the original IKE protocol and its successor. Section 3 describes the proposed protocol. The theoretical analysis and the formal validation using the AVISPA tools are discussed in Section 4. Section 5 presents a performance comparison of ESIKE with other key management protocols in the literature. Finally, conclusions are given in Section 6.

| THE IKE PROTOCOLS
The Internet Key Exchange protocol IKEv1 is described in RFC 2409 and is used in IPSec. It is composed of two steps.
The first step establishes an IKE SA and creates secret keys; the second step establishes the IPSec SA [14].
Moreover, IKEv1 has two modes of exchange during step 1 (Main Mode, MM, and Aggressive Mode, AM) and one mode of exchange during step 2. The difference between the two modes of the first step is that MM provides identity protection and is composed of six messages, whereas AM does not offer identity protection and is composed of only three messages. In addition, both MM and AM support four authentication methods, based on a pre-shared key, public key signature, revised public key encryption and public key encryption.
Figure 2 represents the IKE process [14].
IKEv1 has been analyzed by several researchers. The first formal analysis was performed by Meadows in 1999, who proved that IKEv1 is vulnerable to DoS attacks [15]. In [16], Zhou showed the weaknesses of IKEv1 during step 1 and proposed some modifications to reduce them. In 2001, Perlman and Kaufman performed another analysis of IKEv1, in which they demonstrated its weaknesses when a pre-shared key is used, and gave suggestions to improve and simplify it [17]. To mitigate these weaknesses, several protocols have been proposed. Aiello et al. proposed the JFK protocol to remedy the vulnerability to DoS attacks [18]. Afterwards, in [19] the authors proposed a modified IKE protocol that withstands DoS attacks. In 2005, RFC [20] proposed a new IKE protocol, IKEv2. Then, in 2006, Smith et al. found two successful DoS attacks on the JFK protocol [21]. Later, in 2007, Su and Chang [10] proposed an efficient version of the protocol of Haddad et al. [19]. The formal analysis of IKEv2 performed by the AVISPA project demonstrated the vulnerability of IKEv2 to DoS attacks [22]. The work presented in [23] is an enhancement of the IKEv2 protocol [20]. Another analysis of IKEv2 was conducted in [24]; its authors introduced some updates to improve the resilience of IKEv2 against DoS attacks. A novel IKE protocol was proposed in [25]; in this proposal, the generation of the secret session key depends on a hash function whose parameters are the public encryption key and the signature key, used as an alternative to the nonce and cookie. More recently, the work in [26] provided a formal analysis of the IKE protocol, which revealed flaws in the IKE authentication properties that had not previously been reported. Building on the first version of IKE, the authors of [27] propose a novel protocol based on IKEv1. In [28], the authors focused on resistance to cyber-attacks and proposed a new IKE protocol which they claim is robust to several attack types, such as man-in-the-middle, DoS and replay.
In [29], Lavanya and Natarajan propose a lightweight IKE protocol for IoT. This protocol has security weaknesses, mainly against man-in-the-middle attacks.

| THE PROPOSED IKE PROTOCOL
In this section, we explain our proposed protocol, ESIKE, an Efficient and Secure Internet Key Exchange protocol. ESIKE is composed of two exchanged messages. Using these messages, the sender and the receiver share their private key, establish the IPSec SA and authenticate each other.
In contrast to other similar works, the proposed protocol satisfies all the security properties of a key management protocol and can withstand several attack types, such as eavesdropping, man-in-the-middle, replay, modification and DoS. Moreover, ESIKE uses only one basic operation, Exclusive OR, which provides protection against both passive and active attacks while keeping computational cost and energy consumption low.

| Notations
This subsection presents the symbols used in ESIKE (see Table 1).

| Protocol description
ESIKE is based on ECDH with modifications that guarantee the security properties and the efficiency of the key management protocol. As depicted in Figure 3, there are three steps in ESIKE.
Step 1 (Initiator to Responder): The initiator generates two random numbers r_i, w_i ∈ [1, n-1]. Then it performs the following operations:
• It calculates:
Step 2 (Responder to Initiator): When the responder receives the initiator's message, it performs the following operations:
• It chooses SA_ipsec2 from SA_ipsec1; then, if the verification fails (Verf_1' ≠ Verf_1), it ends the execution.
If the verification is successful, the responder confirms the identity of the initiator and performs the following operations:
• It calculates:
Step 3: When the initiator receives the responder's message, it performs the following operations:
• It calculates:
If this check fails, it ends the execution. Otherwise, the initiator confirms the identity of the responder.

TABLE 1 Notations used in ESIKE
r_i, r_r: Secret keys of I and R
T_i, T_r: Public keys of I and R, T_i = H(r_i ⊕ w_i)·P, T_r = H(r_r ⊕ w_r)·P
SA_ipsec1: The security association proposals by I
SA_ipsec2: The security association selected by R
The shared session key between I and R
K_ir: The calculated session key between I and R
E_K1: Symmetric encryption with the secret key K_1
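The following Python sketch is an added illustration, not code from the paper, and it does not reproduce ESIKE's full message contents, which are not given above. It shows the key-agreement core that Table 1 states: each party combines its two random values r and w, derives a scalar from H(r ⊕ w), publishes T = H(r ⊕ w)·P, and both sides arrive at the same shared point; it also shows how a transcript-bound verifier rejects a modified T_r. Assumptions not taken from the page: the curve is NIST P-256, H is SHA-256, K_1 is the hash of the shared point's x-coordinate, Verf is a hash over K_1, T_i, T_r and the two identities, and all function and variable names are the example's own.

```python
import hashlib
import secrets

# NIST P-256 domain parameters (public constants). GEN plays the role of the
# base point the paper calls P. Affine arithmetic is written out so the example
# runs without third-party packages; it is not constant-time.
FIELD = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = FIELD - 3
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GEN = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
       0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def point_add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, FIELD) % FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, FIELD) % FIELD
    x3 = (lam * lam - x1 - x2) % FIELD
    y3 = (lam * (x1 - x3) - y1) % FIELD
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add computation of k*point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hashed_scalar(r, w):
    """d = H(r XOR w) mod n: the scalar behind T = H(r XOR w).P in Table 1.
    XOR as the combining operation and SHA-256 as H are assumptions."""
    digest = hashlib.sha256((r ^ w).to_bytes(32, "big")).digest()
    return int.from_bytes(digest, "big") % N or 1


def keygen():
    """Draw r, w in [1, n-1] (Step 1) and publish T = d.P."""
    r = secrets.randbelow(N - 1) + 1
    w = secrets.randbelow(N - 1) + 1
    d = hashed_scalar(r, w)
    return d, scalar_mult(d, GEN)


def derive_k1(d, peer_t):
    """K_1 (assumed form): hash of the x-coordinate of d * T_peer."""
    shared = scalar_mult(d, peer_t)
    if shared is None:
        raise ValueError("peer public value is the point at infinity")
    return hashlib.sha256(shared[0].to_bytes(32, "big")).digest()


def verifier(k1, t_i, t_r, id_i, id_r):
    """Verf (assumed form): hash binding K_1 to the transcript, so any change
    to T_i or T_r in transit changes the value the peer recomputes."""
    h = hashlib.sha256(k1)
    for x, y in (t_i, t_r):
        h.update(x.to_bytes(32, "big") + y.to_bytes(32, "big"))
    h.update(id_i + id_r)
    return h.digest()


def run_exchange(id_i=b"initiator-I", id_r=b"responder-R", tamper=False):
    """Two-message exchange; returns True when I's Verf equals R's Verf."""
    d_i, t_i = keygen()                 # message 1 carries T_i
    d_r, t_r = keygen()                 # message 2 carries T_r and Verf
    k1_r = derive_k1(d_r, t_i)          # R derives K_1 from T_i
    verf_r = verifier(k1_r, t_i, t_r, id_i, id_r)
    if tamper:                          # on-path modification of T_r
        t_r = scalar_mult(2, t_r)
    k1_i = derive_k1(d_i, t_r)          # I derives K_1 from what it received
    verf_i = verifier(k1_i, t_i, t_r, id_i, id_r)
    return verf_i == verf_r
```

run_exchange() returns True, while run_exchange(tamper=True) returns False because the altered T_r changes both K_1 and the transcript that Verf binds, which is the mechanism behind the modification-attack argument in the security analysis. The r and w values never leave keygen(), so once a party discards them the scalar cannot be recovered from T without solving the ECDLP.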

| SECURITY ANALYSIS
In this section, we first check the security precepts and the resistance of our protocol against cyber-attacks.
Then, we present the results of the formal verification of our protocol specification obtained with the OFMC tool.

| Theoretical Analysis
Precept 1. ESIKE preserves the perfect forward secrecy property: even after the discovery of the session key by an adversary, ESIKE does not allow the adversary to find any previous session keys.
Proof. Suppose that the adversary knows the secret key K_ir and attempts to determine the session key K_ir = ID_i ⊕ ID_r ⊕ K_1 ⊕ X_y1 ⊕ X_y2 of past sessions. To derive a session key, the adversary needs to know the secret key K_1, the identity of the initiator and the identity of the responder. The secret key K_1 depends on the random values r_i, r_r, w_i and w_r. Solving K_1 to obtain r_i, r_r, w_i and w_r corresponds to solving the Elliptic Curve Discrete Logarithm Problem (ECDLP). Likewise, the secret key of ESIKE is protected by a hash function. So, ESIKE has the perfect forward secrecy property.

Precept 2. ESIKE preserves known-key security: the compromise of a previously generated session key does not help the adversary compromise other session keys.
Proof. Let us assume the adversary knows a session key derived by ESIKE. The adversary is unable to generate previous or future session keys, because the generation of a session key requires the knowledge of K_1, X_y1 and X_y2. To calculate K_1, X_y1 and X_y2, the adversary needs to know r_i, r_r, w_i and w_r. Computing r_i, r_r, w_i and w_r from K_1 is infeasible, because it is equivalent to solving the ECDLP. Hence, known-key security is satisfied in our proposed protocol.
Precept 3. ESIKE provides key-compromise impersonation resilience: if the long-term private key of a node is found, an adversary cannot impersonate another node to communicate with the compromised node.
Proof. Assume that the long-term private key r_i of the compromised node I is found by the adversary Eve. Clearly, Eve can impersonate I. However, in order to deceive any other node R that is communicating with I, Eve needs the session key K_ir = ID_i ⊕ ID_r ⊕ K_1 ⊕ X_y1 ⊕ X_y2. Thus, Eve needs X_y1, X_y2 and the identity of R. Solving X_y1 and X_y2 to obtain r_r, w_i and w_r is equivalent to solving the ECDLP. Therefore, ESIKE has this property.
Replay attack: ESIKE is robust to replay attacks. Suppose that an adversary intercepts old exchanged messages and tries to replay them in order to impersonate another node's identity. The adversary cannot impersonate the sender or the receiver node because new random numbers are generated for each authentication; these, together with the use of timestamps, detect the replay attack.
Efficiency: ESIKE is based on ECDH, which uses a small key size. A shorter key length requires less space for key storage, saves bandwidth for key transmission and reduces arithmetic computation costs. These characteristics make elliptic curve cryptosystems the best choice to enhance security in IoT. ESIKE has only one phase, which consists of two messages. These messages are used to share private keys, create the IPsec security association, and perform mutual authentication between the sender and receiver nodes. So, ESIKE is effective in IoT.

DoS robustness:
In ESIKE, there is one type of flooding packet, Message 1. If a falsified Message 1 is sent to the receiver node, it causes the responder node to execute one encryption/decryption and three hash functions. All these operations can be performed quickly, so a DoS attack cannot prevent the receiver node from operating normally.
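The replay and DoS arguments above rest on two cheap checks, a freshness window on the timestamp and a cache of recently seen nonces, being applied before the responder spends its one decryption and three hash computations on a Message 1. The following Python class is an added illustration of that ordering over a constructed message stream; it is not ESIKE's own responder logic, and the window size, cache bound, message field names and the costly_ops counter that stands in for the expensive work are all assumptions of the example.

```python
from collections import OrderedDict

FRESHNESS_WINDOW = 30        # seconds a timestamp is accepted (assumed value)
NONCE_CACHE_LIMIT = 10_000   # bound on remembered nonces (assumed value)


class ResponderFilter:
    """Replay/DoS front end for Message 1 (illustration, not ESIKE's own code).

    The timestamp window and the nonce cache are checked first; only messages
    that pass both reach the costly path (decryption and hashing), so replayed
    or stale floods are dropped without spending that work.
    """

    def __init__(self, clock):
        self.clock = clock                 # injectable clock, for testing
        self.seen = OrderedDict()          # nonce -> arrival time (insertion ordered)
        self.costly_ops = 0                # times the expensive path ran

    def _expire_old_nonces(self):
        """Drop nonces older than the window; they can never replay anyway,
        because the timestamp check would reject them. Also bound the cache."""
        cutoff = self.clock() - FRESHNESS_WINDOW
        while self.seen and next(iter(self.seen.values())) < cutoff:
            self.seen.popitem(last=False)
        while len(self.seen) > NONCE_CACHE_LIMIT:
            self.seen.popitem(last=False)

    def handle_message1(self, msg):
        """msg: dict with 'nonce' (bytes), 'ts' (int seconds) and 'body'."""
        if abs(self.clock() - msg["ts"]) > FRESHNESS_WINDOW:
            return "reject: stale timestamp"
        self._expire_old_nonces()
        if msg["nonce"] in self.seen:
            return "reject: replayed nonce"
        self.seen[msg["nonce"]] = self.clock()
        self.costly_ops += 1               # stands in for 1 decryption + 3 hashes
        return "accept"


def simulate():
    """Constructed sample stream: a genuine Message 1, its replay, a stale
    capture from earlier, and a second genuine message."""
    now = [1_700_000_000]
    flt = ResponderFilter(clock=lambda: now[0])
    stream = [
        {"nonce": b"n-01", "ts": 1_700_000_000, "body": b"<T_i, SA proposals>"},
        {"nonce": b"n-01", "ts": 1_700_000_000, "body": b"<T_i, SA proposals>"},  # replay
        {"nonce": b"n-02", "ts": 1_699_999_000, "body": b"<old capture>"},         # stale
        {"nonce": b"n-03", "ts": 1_700_000_005, "body": b"<T_i', SA proposals>"},
    ]
    results = [flt.handle_message1(m) for m in stream]
    now[0] += FRESHNESS_WINDOW + 1         # time passes beyond the window
    flt._expire_old_nonces()               # cache empties itself
    return results, flt.costly_ops, len(flt.seen)
```

simulate() returns the four decisions, the number of times the costly path ran (2, for the two genuine messages), and the cache size after the window has elapsed (0). Keeping the cache bounded by the freshness window is what makes the nonce check itself cheap enough not to become a new flooding target.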
Eavesdropping attack: ESIKE can withstand eavesdropping. Let us assume an adversary Eve intercepts the messages exchanged between the sender and receiver nodes. The key K_ir cannot be compromised by the attacker because the construction of K_ir includes ID_i, ID_r, and the hash of four randomly generated values.

Man-in-the-middle attack:
Suppose that an adversary is spying on the communication channel between the sender and receiver nodes. The man-in-the-middle attack cannot succeed because the receiver node computes Verf_c and verifies it against the received Verf_send. At this step the adversary fails, so ESIKE withstands the man-in-the-middle attack.
Anonymity and untraceability: Suppose that Msg1 and Msg2 are intercepted by the attacker. During the authentication, we use nonces and timestamps, which ensure the freshness of the messages. In addition, ID_i and ID_r are sent in a hidden form.
Modification attack: ESIKE withstands the modification attack. Suppose that the adversary Eve intercepts a message transmitted over the network and attempts to modify it; this is not possible, because our protocol uses the parameters Verf_1 and Verf_2 to check the integrity of the messages.

| Formal analysis
AVISPA automatically validates the security of Internet protocols and security-sensitive applications. The language proposed by AVISPA is expressive, formal and modular; it is used to describe the protocols to be evaluated and their security properties. AVISPA incorporates several verification tools (back-ends); these analyzers implement different automatic analysis techniques. In addition, AVISPA adopts the standard intruder model, the Dolev-Yao intruder. The intruder may be an active or a passive adversary. It is assumed that the intruder can read any transmitted message; he can also pretend to be an authorized user and perform a masquerade or impersonation attack. Moreover, he can modify the content of any message or inject other messages in order to launch a replay attack. However, under the perfect cryptography assumption, the intruder is unable to break cryptography.
The AVISPA framework is depicted in Figure 4. The High Level Protocol Specification Language (HLPSL) is AVISPA's own language, used primarily to describe a protocol and its properties. The protocol description is then translated transparently by the HLPSL2IF module into the Intermediate Format (IF), a lower-level language. The back-ends used by AVISPA are the On-the-fly Model Checker (OFMC), the CL-based Attack Searcher (CL-AtSe), the SAT-based Model Checker (SATMC) and the Tree Automata-based Protocol Analyzer (TA4SP). These four back-ends take the IF representation as input to perform the protocol analysis. The validation results are produced in an output format that states whether the protocol is safe or not; in case of insecurity, the causes of the flaw are also specified.
To analyze ESIKE with the AVISPA tool, the following steps were performed. Step 1: the protocol is modelled in the HLPSL formal language and saved in an .hlpsl file. This language is based on roles. In ESIKE, we use Alice and Bob as the two essential roles: Alice represents the initiator and Bob the responder. Figure 5 illustrates the basic role of Alice.
Step 2: the roles that describe the different sessions of the protocol are defined. A top-level role is also defined; it encloses the global constants, the intruder's initial knowledge, and the composition of the other sessions.
Step 3: the security objectives are the properties used to examine potential attacks on the protocol. These objectives are specified in the goal section. Two types of events are used in this step: the first is used for the authentication property and includes witness and request events; the second includes secrecy events, which are used to check the secrecy shared between the agents Alice and Bob.
Step 4: the representation of the modelled protocol is validated via the SPAN tool [30]. To confirm the security of ESIKE, the OFMC back-end executes the protocol against the modelled intruder. This step verifies the desired security goals and identifies the protocol's strengths and weaknesses in terms of security.
ESIKE was verified with the OFMC back-end, and the result is shown in Figure 6. Consequently, according to this result, ESIKE can resist passive and active attacks.

FIGURE 4 The framework of the AVISPA tool.

| PERFORMANCE COMPARISON WITH COMPETITIVE PROTOCOLS
In this section, we give a performance and security comparison of ESIKE with authentication schemes for IoT and IKE protocols. Figure 7 compares the number of messages in phase 1 and phase 2 of ESIKE with five previous related protocols ([16]; [16]; [20]; [27]; [29]).
ESIKE uses two messages to perform mutual authentication between two communicating nodes, negotiate the parameters of the IPSec SA and establish a shared secret. Our protocol uses the smallest number of messages.
The comparative study (see Table 2) of our protocol with IKEs and the authentication schemes for IoT existing in the literature shows that our protocol is better. ESIKE does not use a secure channel in the initialization phase. It ensures the security requirements of a key management protocol and resists various attack types while using a smaller key size, making ESIKE an efficient protocol for IoT environments.

| CONCLUSIONS
The IP-based Internet of Things is a technology that eliminates the boundaries between the physical world and the virtual world. The connected objects are generally heterogeneous and limited in resources. The exchange of secrets between these objects and their mutual authentication is a major problem.
Although many Internet key exchange protocols have been proposed recently, most of them suffer from weaknesses such as vulnerability to various attacks, high complexity of the protocol structure, and low communication efficiency.
In order to overcome these shortcomings, we propose a new IKE based on ECDH. The proposed solution, ESIKE, is robust against several attacks (man-in-the-middle, modification, DoS, eavesdropping and replay) and offers all the security features required by a key management protocol. ESIKE consists of the exchange of two messages. These messages are used to share private keys between entities, establish the IPSec SA and authenticate each other.
Furthermore, ESIKE is efficient in terms of performance compared to existing key management and authentication protocols. Finally, the formal verification using the AVISPA tools confirms the superiority of ESIKE in terms of security.

| DECLARATIONS
• Funding: Not applicable

FIGURE 2 IKE process.

FIGURE 5 Alice role.

FIGURE 7 Messages number in phase 1 and phase 2 of IKE protocols.

TABLE 2 Comparison between ESIKE and previous related protocols. Perfect Forward Secrecy (PF); Known Key Security (KS); Protection to Modification Attack (PM); Protection to Reflection Attack (PR); Resistance to Replay Attack (RR); Protection to DoS Attack (DS); Protection to Man in the Middle Attack (MM); ✓ means 'satisfy' and × 'not satisfy'.

FIGURE 6 The formal validation results of ESIKE by the OFMC back-end.