Universal Forgery Attacks on Remote Authentication Schemes for Wireless Body Area Networks Based on Internet of Things

Abstract

Recently, in IEEE Internet of Things Journal (DOI: 10.1109/JIOT.2018.2876133), Saeed et al. proposed a lightweight online/offline certificateless signature scheme, L-OOCLS, and proposed a heterogeneous remote anonymous authentication protocol (HRAAP) based on L-OOCLS for remote wireless body area networks users to enjoy various healthcare services on Internet of Things applications. In this paper, we show that L-OOCLS is entirely broken: anyone can forge certificateless signatures on any messages for any identities from only publicly known information. Thus, the scheme is trivially insecure against the type I adversary who can replace user public keys and the type II adversary who knows the master secret key. Our result shows that their security proofs are also flawed.