An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments

Abstract

In recent years, the Internet of Things (IoT) has exploded in popularity. The smart home, as an important facet of IoT, has gained its focus for smart intelligent systems. As users communicate with smart devices over an insecure communication medium, the sensitive information exchanged among them becomes vulnerable to an adversary. Thus, there is a great thrust in developing an anonymous authentication scheme to provide secure communication for smart home environments. Most recently, an anonymous authentication scheme for smart home environments with provable security has been proposed in the literature. In this paper, we analyze the recent scheme to highlight its several vulnerabilities. We then address the security drawbacks and present a more secure and robust authentication scheme that overcomes the drawbacks found in the analyzed scheme, while incorporating its advantages too. Finally, through a detailed comparative study, we demonstrate that the proposed scheme provides significantly better security and more functionality features with comparable communication and computational overheads with similar schemes.

1. Introduction

Interest in the Internet of Things (IoT) has grown exponentially over recent years, and it is likely to continue growing for the foreseeable future [1]. The smart home as an important IoT application has also gained much interest in recent years. Adoption of home automation systems for monitoring and controlling various smart devices is at an all-time high [2,3]. The reduced operating expenses, coupled with the increased quality of life, encourage the users to rely on these more and more. A smart home reduces expenses while providing higher comfort, security and safety to the users [4]. Additionally, smart homes can provide the elderly and disabled with prompt medical care based on the readings of smart gadgets [5]. However, as a direct result of using these services, a large volume of private and sensitive data is being transmitted over insecure networks. Security and privacy are considered the fundamental requirements for consumer technology deployment [6].

Consider a smart gadget for monitoring a patient. In order to get medical services, the external user (for example, a doctor) needs to have direct access to data sensed by the sensors in the gadget monitoring the patient’s body. Such information will invariably include current vital readings like blood sugar level, blood pressure, etc. For obvious reasons, this information needs to private and confidential. Similarly, data generated from the surveillance system, temperature and movement sensors, or control data for lighting or other appliances need to be secure and confidential. Devices in a smart home can be accessed through a gateway node that connects them to the Internet. To ensure data privacy and integrity, various entities, such as the users, the smart devices, and the gateway node need to generate session keys after their mutual authentication. The generated session keys can then be used for further communication without fear of data compromise.

1.1. Network and Threat Models

We follow the widely accepted network model for the proposed scheme, which is defined in the typical smart home architecture [7] shown in Figure 1. The smart devices connect to the public Internet through the gateway nodes ($GWN$). Users (U) and smart devices ($SD$) must be registered or enrolled with the registration authority $RA$ before operating in the network. The $RA$ is a fully trusted entity in the network. The registered mobile users can avail of the services provided by the already enrolled smart devices through the gateway node and negotiate the session keys after mutual authentication.

We evaluate the proposed scheme under the de-facto standard “Dolev-Yao (DY) threat model” [8]. In the DY-threat model, an adversary, say $\mathcal{A}$, has ultimate authority over the communication channel, and consequently he/she is capable of eavesdropping, modifying, dropping, or even inserting forged messages for any communicated messages. Furthermore, it is assumed that $\mathcal{A}$ can physically capture some smart devices, as monitoring the devices $24/7$ is not possible, to extract the sensitive information stored in them using power analysis attacks [9]. Moreover, the smart card of a user can be lost or stolen, and the adversary $\mathcal{A}$ can also extract all the sensitive information stored in its memory using power analysis attacks [9]. Both the registration authority $\left(RA\right)$ and the gateway node $\left(GWN\right)$ are considered trusted in the smart home environment. Furthermore, we use the stronger threat model, known as the “Canetti and Krawczyk’s (CK) adversary model” [10], wherein the adversary $\mathcal{A}$, in addition to having all capacities of the DY-therat model, can also compromise ephemeral information like session-specific states and keys. Thus, in the presence of the CK-adversary, a user authentication scheme must be designed such that leakage of ephemeral secrets should have minimal impact on the security of unrelated entities in the authenticated key-exchange scheme [11].

1.2. Research Contributions

The main contributions are given below.

• We first analyze the recently proposed anonymous authentication scheme by Shuai et al. [7] for the smart home environment and then highlight that their scheme fails to resist known attacks, such as privileged-insider attack, through offline password guessing and lost/stolen smart card attacks, user impersonation attacks, parallel session attacks, and password change attacks.
• We present a more secure user authentication scheme that avoids the security pitfalls demonstrated in Shuai et al.’s scheme.
• Through formal as well as informal security analysis, we show the resistance of the proposed scheme against various potential attacks needed in a smart home environment.
• We then present a comparative study to demonstrate the superior security and functionality features of the proposed scheme relative to the existing relevant authentication schemes.
• Finally, we provide a practical perspective on the applicability of the proposed scheme through a network simulator (NS3) simulation study.

1.3. Related Work

In the last decade, several authors investigated the issues of remote authentication for smart homes. Jeong et al. [12] suggested an authentication protocol for home networks based on “One-Time Passwords (OTPs)” and smart cards. However, their scheme not only transmitted the user identities in plaintext, but also did not provide mutual authentication. Vaidya et al. [13] designed a “remote authentication scheme using lightweight computation modules”. Unfortunately, Kim et al. demonstrated that [13] was not only vulnerable to known attacks, but it also failed to provide “user anonymity” and “forward secrecy”. To strengthen the security, Kim et al. presented an improved scheme [14] over the Vaidya et al. scheme. [13].

Vaidya et al. [15] presented an “Elliptic Curve Cryptography (ECC)” based device authentication scheme for smart home networks. However, their scheme was found to be susceptible to privileged-insider, password guessing, and user impersonation attacks. Pradeep and Singh [16] proposed a secure three-factor authentication scheme for “ubiquitous computing devices” with a pass-phrase based device integrity check.

Li proposed a lightweight key establishment scheme [17] as a solution to the security issue in smart home energy management systems. Unfortunately, their scheme was not scalable as it requires the management of many keys and certificates. Around the same time, Han et al. [18] designed a key agreement scheme for a secure pairing process for smart home systems. But, their scheme depends on an always-online service by the manufacturer of the devices, which is an infeasible requirement. Additionally, neither the scheme [17] nor the scheme [18] provided “mutual authentication between user and smart devices”.

Santoso and Vun [19] suggested an “ECC -based authentication scheme for smart homes”, where they presented the idea of using the Wi-Fi gateway as the central node of the system. Unfortunately, their scheme was vulnerable to privileged–insider attack, and consequently, it failed to guarantee user anonymity and untraceability properties.

Kumar et al. [4] designed a “lightweight anonymity preserving authentication scheme for smart home environments”. However, their scheme failed to provide “mutual authentication between the user and the smart device”. In their scheme, user anonymity and untraceability properties are also compromised.

Wazid et al. [20] suggested a lightweight remote user authentication scheme for the smart home environment which fulfills the design criteria for the smart home environment. Yu and Li [21] proposed another user authentication scheme for the smart home environment. However, their protocol did not necessitate a secure environment for user and device registration. Moreover, their scheme relied on bilinear pairing operations, and as a result, their scheme incurs exceptionally high overheads. Shuai et al. [7] designed an “ECC-based authentication scheme for the smart home environment”. However, in this paper, we discuss the advantages and limitations of their scheme in detail. Naoui et al. [22], Fakroon et al. [23] and Dey and Hossain [24] also presented other user authentication schemes for the smart home environment.

2. Review of Shuai et al.’s Scheme

In this section, we briefly review Shuai et al.’s scheme. Their scheme has the following phases: (a) initialization phase, (b) registration phase, (c) login and authentication phase, and (d) password change phase. In this section, we only review the first three phases, and the details regarding the password change phase can be found in the scheme [7].

2.1. Initialization Phase

During initialization, the registration authority $\left(RA\right)$ selects an elliptic curve $E\left(F_p\right)$ of the form $y^2=x^3+ax+b(modp)$ of order p over finite field $F_p$ with a generator point P, where p is a large prime number and $a,b\in {\mathcal{Z}}_p=\{0,1,\cdots ,p-1\}$ such that $4a^3+27b^2\ne 0(modp)$. $RA$ then creates a private key x and calculates the corresponding public key $X=x·P$. $RA$ selects a “long term key K” and a “cryptographic one-way collision-resistant hash function $h{(·)}^{*}:{\{0,1\}}^{*}\to {\mathcal{Z}}_p^{*}$”, where ${\mathcal{Z}}_p^{*}=\{1,2,\cdots ,p-1\}$. $RA$ commits x and K to the $GWN$ and makes $\{E\left(F_p\right),P,X,h(·\left)\right\}$ public. $RA$ also picks and saves $GID$ into gateway node’s memory as its unique identity. In addition, $RA$ generates $SI{D}_d$ as a random unique identity for each smart device $SD$. These identities are saved to the respective smart devices $SD$.

2.2. Registration Phase

This phase comprises of the user registration as well as the smart device enrollment phases.

2.2.1. User Registration

A user U registers with the $RA$ through the following steps:

• Step 1.U first picks his/her identity $I{D}_u$, password $P{W}_u$ and generates a random secret a. U then calculates pseudo-password $HP{W}_u=h(P{W}_i\Vert a)$ and securely dispatches the credentials $\{I{D}_u,HP{W}_u\}$ to $RA$.
• Step 2. If $I{D}_u$ is already registered, $RA$ rejects the request. Otherwise, $RA$ computes $K_{UG}=h(I{D}_u\Vert K)$, $A_1=K_{UG}\oplus HP{W}_u$. $RA$ generates a random value $TEMP$ in order to record the number of user login failures, and sets $TEMP=0$. Next, $RA$ writes $\{A_i,TEMP\}$ to a smart card $S{C}_u$ and securely issues $S{C}_u$ to the user U.
• Step 3. On receiving the smart card $S{C}_u$, U calculates $A_2=a\oplus h(I{D}_u\Vert P{W}_u)$ and $A_3=h(I{D}_u\Vert HP{W}_u)$, and appends $A_2$ and $A_3$ to the smart card $S{C}_u$. The smart card $S{C}_u$ finally contains the credentials $\{A_1,A_2,A_3,TEMP\}$.

2.2.2. Device Enrollment

The steps for smart device, $SD$’s enrollment with the $RA$:

• Step 1.$SD$ first securely transmits its identity $SI{D}_d$ to $RA$.
• Step 2. If $SD$ is already enrolled, the request is rejected by the $RA$. Otherwise, $RA$ computes $K_{GS}=$$h(SI{D}_d\Vert K)$ and securely sends the secret key $K_{GS}$ to $SD$.
• Step 3. On receiving the reply, $SD$ saves the secret key $K_{GS}$ in its memory.

2.3. Login and Authentication Phase

For a registered user U to access a smart device $SD$, he/she must first establish a session key $SK$ after“ mutual authentication between U, $SD$ and $GWN$”. The steps for login, and authentication and session key establishment phase are as follows:

• Step 1. User U first enters his/her identity $I{D}_u$ and password $P{W}_u$, and calculates $a^{*}=A_2\oplus h(I{D}_u\Vert P{W}_u)$, $HP{W}_u^{*}=h(P{W}_u\Vert a^{*})$ and $A_3^{*}=h(I{D}_u\Vert HP{W}_u^{*})$. Only if the check $A_3^{*}=A_3$ holds, the login is successful. In case of a failed login attempt, the smart card $S{C}_u$ of the user U updates $TEMP=TEMP+1$. This value records the login attempts and if it exceeds a pre-defied threshold, the user U is considered as compromised and is suspended till he/she re-registers.
  After a successful login, the smart card $S{C}_u$ generates two random numbers $R_1$ and $w\in {\mathbb{Z}}_p^{*}$, and computes $K_{GU}=$$A_1\oplus HP{W}_u$, $A_4=w·P$, $A_5=w·X$, $DI{D}_u=I{D}_u\oplus A_5$, $M_1=$$(R_1\Vert SI{D}_d)\oplus K_{UG}$ and $V_1=$$h(I{D}_u\Vert R_1\Vert K_{UG}\Vert M_1)$, and sends the login request message $\langle DI{D}_u,$$A_4,$$M_1$$V_1$〉 to $GWN$ via open channel.
• Step 2. On receiving the login request $\langle DI{D}_u,$$A_4,$$M_1$$V_1$〉, $GWN$ computes $A_5^{*}=x·A_4$, $I{D}_u^{*}=DI{D}_u\oplus A_5^{*}$, $K_{GU}=h(I{D}_u^{*}\Vert K)$, $(R_1^{*}\Vert SI{D}_d)=M_1\oplus K_{GU}$, $V_1^{*}$$=h(ID{i}^{*}\Vert R{1}^{*}\Vert K_{GU}\Vert M_1)$. Only if the condition $V_1^{*}=V_1$ holds, $GWN$ believes the legitimacy of the login request. $GWN$ then generates a random number $R_2\in {\mathbb{Z}}_p^{*}$ and computes $K_{GS}=h(SI{D}_d\Vert K)$, $M_2$$=(I{D}_u\Vert GID\Vert R_1\Vert R_2)\oplus K_{GS}$, $V_2$$=h(I{D}_u\Vert GID\Vert K_{GS}\Vert R_1\Vert R_2)$. Finally, $GWN$ sends the authentication request message $\langle M_2$, $V_2\rangle$ to $SD$ via public channel.
• Step 3. On receiving the message $\langle M_2$, $V_2\rangle$, $SD$ calculates $(I{D}_u\Vert GID\Vert R_1\Vert R_2)=M_2\oplus K_{GS}$, $V_2^{*}=h(I{D}_u\Vert GID\Vert$$K_{GS}\Vert R_1\Vert R_2)$ and checks if $V_2^{*}=V_2$. If true, $SD$ generates a random number $R_3\in {\mathbb{Z}}_p^{*}$ and computes $SK=h(I{D}_u\Vert GID\Vert SI{D}_d\Vert R_1\Vert R_2\Vert R_3)$, $M_3$$=R_3\oplus K_{GS}$, $V_3=h(R_3\Vert K_{GS}\Vert SK)$ and finally transmits the authentication reply message $\langle M_3,V_3\rangle$ to $GWN$.
• Step 4. On receiving the message $\langle M_3,V_3\rangle$ from $SD$, $GWN$ computes $R_3=M_3\oplus K_{GS}$, $SK=h(I{D}_u\Vert$$GID\Vert SI{D}_d\Vert R_1\Vert R_2\Vert R_3)$, $V_3^{*}=h(R_3\Vert K_{GS}\Vert SK)$, and if $V_3^{*}==V_3$, $GWN$ computes $M_4=(GID\Vert R_2\Vert R_3)\oplus K_{GU}$ and $V_4=h(K_{GU}\Vert SK\Vert R_2\Vert R_3)$, and sends the acknowledgement message $\langle M_4,V_4\rangle$ to U via public channel.
• Step 5. On receiving the message $\langle M_4,V_4\rangle$ from $GWN$, U computes $(GID\Vert R_2\Vert R_3)=M4\oplus K_{GU}$, $SK$$=h(I{D}_u\Vert GID\Vert$$SI{D}_d\Vert R_1\Vert R_2\Vert R_3)$ and $V_4^{*}=h(K_{GU}\Vert SK\Vert R_2\Vert R_3)$, and if $V_4^{*}=V_4$, $SD$ is authenticated by the $GWN$, and also the session key $SK$ is established between U and $SD$.

3. Security Vulnerabilities in Shuai et al.’s Scheme

In this section, we cryptanalyze the scheme proposed by Shuai et al. and observe that in the presence of a passive/active adversary, it is vulnerable to several potential attacks. We detail the possible attacks below.

3.1. Privileged-insider Attack through Offline Password Guessing and Lost/Stolen Smart Card Attacks

Suppose an adversary $\mathcal{A}$, who is also a privileged insider user, acts as an adversary, say $\mathcal{A}$. In this case, $\mathcal{A}$ knows the credentials $I{D}_u$ and $HP{W}_u$ of a legitimate registered user U which are submitted to the $RA$ during the user registration phase (see Section 2.2.1), where $HP{W}_u=h(P{W}_i\Vert a)$ and a is a random secret. Moreover, if $\mathcal{A}$ can acquire the lost/stolen smart card $S{C}_u$ of the user U, using the “power analysis attacks” [9,25], the adversary $\mathcal{A}$ can extract all the credentials $\{A_1,A_2,A_3,TEMP\}$ stored in the memory of $S{C}_u$, where $K_{UG}=h(I{D}_u\Vert K)$, $A_1=K_{UG}\oplus HP{W}_u$, $A_2=a\oplus h(I{D}_u\Vert P{W}_u)$ and $A_3=h(I{D}_u\Vert HP{W}_u)$. Now, as $A_2=a\oplus h(I{D}_u\Vert P{W}_u)$ and $HP{W}_u=h(P{W}_u\Vert a)$, $\mathcal{A}$ can form the following relation:

$$HP{W}_u=h(P{W}_u\Vert (A_2\oplus h(I{D}_u\Vert P{W}_u\left)\right)).$$

(1)

$\mathcal{A}$ can then guess a password, say $P{W}_u^{\prime }$. Using the guessed password $P{W}_u^{\prime }$, and $I{D}_u$ and $A_2$, $\mathcal{A}$ further can calculate $HP{W}_u^{\prime }=$$h(P{W}_u^{\prime }\Vert$$(A_2\oplus$$h(I{D}_u$$\Vert P{W}_u^{\prime }\left)\right))$, and verify if the condition $HP{W}_u^{\prime }=$$HP{W}_u$ is valid or not. If the condition holds, it means that $\mathcal{A}$ is successful in guessing the user U’s correct password. Hence, it is clear that the low-entropy guessed passwords are easily guessed and verified in Shuai et al.’s scheme. As a result, Shuai et al.’s scheme is vulnerable to privileged-insider attack with the help of both offline password guessing and lost/stolen smart card attacks.

3.2. User Impersonation and Parallel Session Attacks

A privileged insider adversary $\mathcal{A}$ with the knowledge of registration information $I{D}_u$ and $HP{W}_u$, and extracted $A_1$ from the stolen smart card $S{C}_u$ of a valid registered user U (discussed in Section 3.1) can easily compute secret key $K_{GU}=$$A_1\oplus HP{W}_u$. Consequently, $\mathcal{A}$ can forge the login request message $\langle DI{D}_u,$$A_4,$$M_1,$$V_1\rangle$ to the $GWN$ in order to impersonate the user U due to the following reason. Since each smart device $SD$ sends its identity $SI{D}_d$ to the $RA$, the privileged insider adversary $\mathcal{A}$ of the $RA$ also knows it. Now, $\mathcal{A}$ can generate two random numbers $R_1^{\prime }$ and $w^{\prime }\in {\mathbb{Z}}_p^{*}$, and compute $A_4^{\prime }=w^{\prime }·P$, $A_5^{\prime }=w^{\prime }·X$, $DI{D}_u^{\prime }=I{D}_u\oplus A_5^{\prime }$, $M_1^{\prime }=$$(R_1^{\prime }\Vert SI{D}_d)\oplus K_{UG}$, $V_1^{\prime }=$$h(I{D}_u\Vert R_1^{\prime }\Vert K_{UG}\Vert M_1^{\prime })$. As a result, the adversary $\mathcal{A}$ is able to send a valid login request message $\langle DI{D}_u^{\prime },$$A_4^{\prime },$$M_1^{\prime },$$V_1^{\prime }\rangle$ to the $GWN$. Thus, a privileged adversary can impersonate a legal registered user U in Shuai et al.’s scheme.

We consider another attack, where privileged insider adversary $\mathcal{A}$ of the $RA$, who has calculated $K_{GU}$ from the previous attack, can intercept the message $\langle M_4,V_4\rangle$ that is sent from the $GWN$ to a user U. $\mathcal{A}$, having the knowledge of $K_{UG}$ and $I{D}_U$, can calculate $(GID\Vert R_2\Vert R_3)=$$M4\oplus K_{GU}$ and the session key $SK$$=h(I{D}_u$$\Vert GID$$\Vert SI{D}_d$$\Vert R_1$$\Vert R_2$$\Vert R_3)$. Thus, $\mathcal{A}$ can independently calculate the session key $SK$ making the scheme of Shuai et al. vulnerable to the parallel session attack.

3.3. Password Change Attack

Suppose a privileged insider of the $RA$ being an adversary $\mathcal{A}$ after learning the password $P{W}_u$ from the previously discussed attack in Section 3.1 can simply execute the password update phase to change a legal registered user U’s password if the smart card $S{C}_u$ of U is being stolen by $\mathcal{A}$. For this purpose, $\mathcal{A}$ has the credentials $\{A_1,$$A_2,$$A_3,$$TEMP\}$ stored in the memory of $S{C}_u$, where $K_{UG}=h(I{D}_u\Vert K)$, $A_1=K_{UG}\oplus HP{W}_u$, $A_2=a\oplus h(I{D}_u\Vert P{W}_u)$ and $A_3=h(I{D}_u\Vert HP{W}_u)$. $\mathcal{A}$ first calculates $K_{GU}=$$A_1\oplus HP{W}_u$ using previous registration information $HP{W}_u$ and $a=$$A_2\oplus h(I{D}_u$$\Vert P{W}_u)$. Next, $\mathcal{A}$ chooses his/her own password, say $P{W}_u^{\prime }$ and calculates $HP{W}_u^{\prime }=$$h(P{W}_u^{\prime }$$\Vert a)$, $A_1^{\prime }=$$K_{UG}\oplus$$HP{W}_u^{\prime }$, $A_2^{\prime }=a\oplus h(I{D}_u$$\Vert P{W}_u^{\prime })$ and $A_3^{\prime }=$$h(I{D}_u$$\Vert HP{W}_u^{\prime })$. Finally, $\mathcal{A}$ updates the old credentials $\{A_1,A_2,A_3,TEMP\}$ with the newly computed credentials $\{A_1^{\prime },A_2^{\prime },A_3^{\prime },TEMP\}$ in the memory of the smart card $S{C}_u$. This clearly shows that the password change attack is easily mounted on Shuai et al.’s scheme.

4. The Proposed Scheme

In this section, we present a more secure “anonymous authentication and session key establishment scheme” for smart home environments, which is free from all the mentioned security vulnerabilities discussed in Section 3. The important phases of our scheme are discussed below.

4.1. Initialization Phase

This phase is similar to that presented in Section 2.1. Note that during initialization, the registration authority $\left(RA\right)$ also generates a “long term key K” and a “ collision-resistant cryptographic one-way hash function $h{(·)}^{*}:{\{0,1\}}^{*}\to {\mathcal{Z}}_p^{*}$”. $RA$ then commits K to $GWN$ and makes $\left\{h\right(·\left)\right\}$ public.

4.2. Registration Phase

The registration phase details the procedure for dynamic device enrollment and user registration.

4.2.1. Dynamic Device Enrollment

Any time after initialization, a smart device $SD$ can be enrollment with the $RA$ via secure channel through the following steps:

• Step 1.$SD$ first securely transmits its identity $SI{D}_d$ to $RA$.
• Step 2. If $SD$ is already enrolled, the request is rejected by the $RA$. Otherwise, $RA$ computes the secret key $K_{GS}=h(SI{D}_d\Vert h\left(K\right))$, and securely sends $K_{GS}$ to $SD$ and makes $SI{D}_j$ public.
• Step 3. On receiving the reply from the $RA$, $SD$ saves the secret key $K_{GS}$ in its memory.

4.2.2. Mobile User Registration

After system initialization, a mobile user U can be registered with the $RA$ via secure channel.

In our scheme, we use the fuzzy extractor method for user biometric verification [26]. This step is necessary to reduce false negatives during biometric verification. A fuzzy extractor comprises of the following two procedures:

• Gen: It is a “probabilistic generation function” that computes a pair $({\sigma }_u,{\tau }_u)$ from the user biometrics information. The resultant ${\sigma }_u$ is the “biometric secret key” and ${\tau }_u$ is the “public reproduction parameter” necessary for reconstruction of ${\sigma }_u$ from $Bi{o}_u^{\prime }$, a noisy biometric reading from the same user. Formally, $({\sigma }_u,{\tau }_u)=$$Gen\left(Bi{o}_u\right)$.
• Rep: It is a “deterministic reproduction method” which constructs the original biometric secret key ${\sigma }_i$ using a noisy biometrics reading, $Bi{o}_u^{\prime }$ and the public reproduction parameter ${\tau }_i$ provided the Hamming distance $HD$ between $Bi{o}_u$ and $Bi{o}_u^{\prime }$ is less than or equal to a pre-defined error tolerance threshold value, say ${\mathsf{\Delta }}_t$. Formally, ${\sigma }_u=$$Rep(Bi{o}_u^{\prime },{\tau }_u)$, with the restriction that $\mid HD(Bi{o}_u,Bi{o}_u^{\prime })\le {\mathsf{\Delta }}_t$.

The following steps are involved in this phase:

• Step 1.U selects his/her identity $I{D}_u$ and securely sends $\left\{I{D}_u\right\}$ to $RA$.
• Step 2. If $I{D}_u$ is already registered, $RA$ rejects the request. Otherwise, $RA$ generates $R_g,DI{D}_u\in {\mathbb{Z}}_p$ and computes $K_{UG}=h(I{D}_u\Vert h(R_g\Vert K\left)\right)$, and also sets $TEMP=0$. After that $RA$ commits the tuple $\langle DI{D}_u,$$I{D}_u,$$R_g\rangle$ to the $user\_data$ table in the gateway node $GWN$. $RA$ also writes the credentials $\{K_{UG},$$DI{D}_u,$$TEMP\}$ to a smart card $S{C}_u$, and securely issues $S{C}_u$ to the user U.
• Step 3. After getting $S{C}_u$, U provides a password $P{W}_u$ and imprints biometric template $Bi{o}_u$ at the sensor of a specific terminal. U uses the probabilistic fuzzy generator function $Gen\left(Bi{o}_u\right)$ to calculate the biometric secret ket ${\sigma }_u$ and a public reproduction parameter ${\tau }_u$ as $({\sigma }_u,{\tau }_u)=Gen\left(Bi{o}_u\right)$. After that, U computes $A_1=DI{D}_u\oplus$$h(I{D}_u\Vert P{W}_u$$\Vert {\sigma }_u)$, $A_2=h(DI{D}_u$$\Vert I{D}_u$$\Vert {\sigma }_u\Vert P{W}_u)$ and $A_3=K_{UG}\oplus h(I{D}_u$$\Vert DI{D}_u\Vert P{W}_u\Vert {\sigma }_u)$, and replaces $K_{UG}$ and $DI{D}_u$ in the smart card with $A_1,A_2,A_3,{\tau }_u$. The smart card $S{C}_u$ finally contains the credentials $\{A_1,A_2,A_3,{\tau }_u,TEMP\}$.

The user registration phase is also briefed in Figure 2.

4.3. Login and Authentication Phase

A registered user U through the following steps can anonymously establish a session key with a smart device $SD$ once mutual authentication in presence of the gateway node $GWN$ is successful.

• Step 1.U first inputs his/her identity $I{D}_u$ and password $P{W}_u$, and imprints his/her biometric $Bi{o}_u$ at the sensor of a particular terminal. The smart card $S{C}_u$ of U then uses public ${\tau }_u$ to compute ${\sigma }_u$ from $Bi{o}_u$ as ${\sigma }_u=$$Rep(Bi{o}_u,{\tau }_u)$, and proceeds to calculate $DI{D}_u=A_1\oplus$$h(I{D}_u\Vert P{W}_u$$\Vert {\sigma }_u)$ and $A_2^{*}=h(DI{D}_u\Vert I{D}_u\Vert {\sigma }_u\Vert P{W}_u)$. If the condition $A_2^{*}=A_2$ holds, the login is treated as successful one. In case of a failed login attempt, the smart card $S{C}_u$ increments $TEMP$ and aborts the phase. On the other side, if it exceeds a pre-defined threshold, the user U is considered as compromised, and is suspended till he/she re-registers.
  After a successful login, $S{C}_u$ generates two random numbers $R_1$ and $w\in {\mathbb{Z}}_p^{*}$, and calculates $K_{UG}=A_3\oplus h(I{D}_u\Vert DI{D}_u\Vert P{W}_u\Vert {\sigma }_u)$, $M_1=(R_u\Vert SI{D}_d)\oplus K_{UG}$ and $V_1=h(I{D}_u\Vert R_u\Vert K_{UG}\Vert M_1)$, and dispatched the login request message $\langle DI{D}_u,M_1,V_1\rangle$ to the $GWN$ via public channel.
• Step 2. After receiving the login request $\langle DI{D}_u,M_1,V_1\rangle$, the $GWN$ looks up $I{D}_u,R_g$ using $DI{D}_u$ from its $user\_data$ table, and computes $K_{UG}=h(I{D}_u\Vert h(R_g\Vert K\left)\right)$, $(R_u\Vert SI{D}_d)=M_1\oplus K_{UG}$. If $R_u$ is fresh, the $GWN$ calculates $V_1^{*}$$=h(I{D}_u\Vert R_u\Vert K_{UG}\Vert M_1)$. Now, if $V_1^{*}\ne V_1$, the request is considered as invalid, and the process is aborted instantly. Otherwise, the $GWN$ generates a new random number $R_g^{\prime }\in {\mathbb{Z}}_p^{*}$ and calculates $K_{GS}=h(SI{D}_d\Vert h\left(K\right))$, $C_1=h(R_g^{\prime }\Vert K)$, $C_2=h(I{D}_u\Vert R_u\Vert C_1)$, $M_2=C_2\oplus K_{GS}$ and $V_2=h(C_2\Vert K_{GS})$. Finally, $GWN$ dispatches the authentication request message $\langle M_2$, $V_2\rangle$ to the accessed smart device $SD$ via open channel.
• Step 3. On receiving the message $\langle M_2$, $V_2\rangle$, $SD$ calculates $C_2=M_2\oplus K_{GS}$. If $C_2$ is fresh, $SD$ calculates $V_2^{*}=h(C_2\Vert K_{GS})$. If $V_2^{*}\ne V_2$, the request is considered as failed, and it is then aborted. On the other side, $SD$ picks a random number $R_d\in {\mathbb{Z}}_p^{*}$, computes the session key $SK=h(C_2\Vert R_d\Vert SI{D}_d)$ shared with U, $M_3=(R_d\Vert h\left(SK\right))\oplus K_{GS}$ and $V_3=h(R_d\Vert K_{GS}\Vert h\left(SK\right))$. Next, $SD$ transmits the authentication reply message $\langle M_3,V_3\rangle$ to $GWN$ via public channel.
• Step 4. On receiving the message $\langle M_3,V_3\rangle$ from $SD$, $GWN$ computes $(R_d\Vert h\left(SK\right))=M3\oplus K_{GS}$. If $R_d$ is also fresh, the $GWN$ continues to calculate $V_3^{*}=h(R_d\Vert K_{GS}\Vert h\left(SK\right))$. If $V_3^{*}\ne V_3$, the request is considered as invalid and the process is aborted immediately. Otherwise, the $GWN$ generates another random number $DI{D}_u^{\prime }\in {\mathbb{Z}}_p^{*}$ and computes $M_4=(DI{D}_u^{\prime }\Vert C_1\Vert R_d)\oplus K_{UG}$, $K_{UG}^{\prime }=h(I{D}_u\Vert C_1)$ and $V_4=h(DI{D}_u^{\prime }\Vert C_1\Vert R_d\Vert K_{UG}^{\prime })$. $GWN$ then updates the tuple $\langle DI{D}_u^{\prime },I{D}_u,R_g^{\prime }\rangle$ in its $user\_data$ table, and sends the ackowledgement message $\langle M_4,V_4\rangle$ to the U via open channel.
• Step 5. On receiving the message $\langle M_4,V_4\rangle$ from $GWN$, the user U recovers $(DI{D}_u^{\prime }\Vert C_1\Vert R_d)=M4\oplus K_{UG}$, and then computes $K_{UG}^{\prime }=h(I{D}_u\Vert C_1)$ and $V_4^{*}=h(DI{D}_u^{\prime }\Vert C_1\Vert R_d\Vert K_{UG}^{\prime })$. If $V_4^{*}\ne V_4$, the login is considered as failed one and it is aborted immediately. Otherwise, the user U computes the session key $SK=h\left(h\right(I{D}_u\Vert R_u\Vert C_1)\Vert R_d\Vert SI{D}_d)$ and the updated values for $A_1^{\prime }=(R_u\Vert DI{D}_u^{\prime })\oplus$$h(I{D}_u\Vert P{W}_u$$\Vert {\sigma }_u)$, $A_2^{\prime }=h(DI{D}_u$$\Vert {\sigma }_u\Vert P{W}_u)$, $A_3^{\prime }=K_{UG}^{\prime }\oplus h(DI{D}_u\Vert P{W}_u\Vert {\sigma }_u)$. Finally, U resets $TEMP$ to 0 as $TEM{P}^{\prime }=0$, and updates the smart card $S{C}_u$ with the values $\{A_1^{\prime },A_2^{\prime },A_3^{\prime },TEM{P}^{\prime }\}$ by replacing the old values $\{A_1,A_2,A_3,TEMP\}$.

The login and authentication phase is finally briefed in Figure 3.

Remark 1.

An adversary might block the message $\langle M_4,V_4\rangle$ during the communication happen in the login and authentication phase. As $DI{D}_u$ and $R_g$ have already been updated on the gateway node $GWN$, the subsequent login attempts by the user U will fail. This attack can be prevented, if the gateway node $GWN$ also maintains the old values of $DI{D}_u$ and $R_g$ until the next successful authentication happens.

4.4. Password and Biometric Update Phase

To update “password and/or biometric”, a registered user U inputs identity $I{D}_u$ along with the existing password $P{W}_{i}u$ and imprints biometric $Bi{o}_u$, and then logins with the steps similar to that described in the “login and authentication phase” discussed in Section 4.3.

If the login is successful, U provides new password $P{W}_u^{\prime }$, imprints new biometric $Bi{o}_u^{\prime }$ and recalculates $({\sigma }_u^{\prime },{\tau }_u^{\prime })=Gen\left(Bi{o}_u^{\prime }\right)$. Next, U computes $A_1^{\prime }=DI{D}_u\oplus$$h(I{D}_u\Vert P{W}_u^{\prime }$$\Vert {\sigma }_u^{\prime })$, $A_2^{\prime }=h(DI{D}_u$$\Vert I{D}_u$$\Vert {\sigma }_u^{\prime }\Vert P{W}_u^{\prime })$ and $A_3^{\prime }=K_{UG}\oplus h(I{D}_u$$\Vert DI{D}_u\Vert P{W}_u^{\prime }\Vert {\sigma }_u^{\prime })$, and replace $\{A_1,A_2,A_3,{\tau }_u\}$ in the smart card $S{C}_u$ with $\{A_1^{\prime },A_2^{\prime },A_3^{\prime },{\tau }_u^{\prime }\}$. $S{C}_u$ now contains the updated credentials $\{A_1^{\prime },A_2^{\prime },A_3^{\prime },{\tau }_u^{\prime },TEMP\}$.

4.5. Smart Card Revocation Phase

A “lost or stolen smart card” can be revoked by requesting for a new smart card by a registered authorized user U to the registration authority $RA$ via secure channel. Hence, the steps are identical to those for the mobile user registration phase as discussed in Section 4.2.2.

5. Security Analysis

In this section, through the widely accepted “Real-Or-Random (ROR) model” [27], the formal security analysis of the proposed scheme is presented. Furthermore, through the formal security verification tool, called AVISPA [28], the proposed scheme’s resistance to “man-in-the-middle and replay attacks” is verified. In addition, a through informal (non-mathematical) analysis presented in Section 5.3 demonstrates the proposed scheme’s resistance to various other known attacks.

5.1. Formal Security Analysis through Real-Or-Random Model

The ROR model proposed in [27] is widely accepted for security analysis of authentication and key agreement schemes. We describe the ROR model and then utilize the same to analyze the proposed scheme formally.

• Participants: Let the oracles ${\pi }_U^u$, ${\pi }_{SD}^d$ and ${\pi }_{GWN}^g$ denote the uth, dth and gth instances of a user U, a smart device $SD$ and the gateway node $GWN$, respectively.
• Partnering: Two oracles ${\pi }_U^u$ and ${\pi }_{SD}^d$ are said to be partnered provided they share the same communication session-id $sid$, and the partial transcript of the exchanged messages is unique.
• Freshness:${\pi }_U^u$ and ${\pi }_{SD}^d$ are considered fresh as long as the session key $SK$ between U and $SD$ remains unexposed to an adversary $\mathcal{A}$.
• Adversary: The ROR model defines the DY adversary $\mathcal{A}$. Formally, the adversary $\mathcal{A}$ can execute the queries described below.

  –

  $Execute({\pi }^u,{\pi }^d)$: This query is modeled as an eavesdropping attack. Therefore, this query allows $\mathcal{A}$ to intercept the messages exchanged among U, $SD$, and $GWN$.

  –

  $Send({\pi }^d,m)$: This query is modeled an active attack. It allows $\mathcal{A}$ to transmit a message, say $msg$ to an oracle ${\pi }^d$, and receive the response message in reply.

  –

  $CorruptSC\left({\pi }^u\right)$: Through this query, $\mathcal{A}$ can learn the confidential values $\{A_1$, $A_{2}t$, $A_3,$${\tau }_u,$$TEMP\}$ from a user U’s smart card $S{C}_u$.

  –

  $CorruptSD\left({\pi }^d\right)$: Through this query, $\mathcal{A}$ can learn the secret key $\left\{K_{GS}\right\}$ stored in the captured smart device $SD$. The queries $CorruptSC$ and $CorruptSD$ are assumed to be under a weak corruption model [29] and they can not corrupt the ephemeral keys and states of the participating oracle.

  –

  $Test({\pi }^u,{\pi }^d)$: As per the “indistinguishability in the ROR model” [27], the semantic security of the session key $SK$ between U and $SD$ can be determined by this query. To initiate, $\mathcal{A}$ tosses an “unbiased coin” whose outcome, say c, determines the output of the $Test$ query. If $SK$ is fresh, the oracle ${\pi }^u$ or ${\pi }^d$ produces $SK$, if $c=1$. Otherwise, if $c=0$, the oracle produces a random number. In all other cases, the returned value will be null.

• Semantic security of the session key: As per the ROR model, to compromise the semantic security of the session key, $\mathcal{A}$ must be able to differentiate an instance’s actual session key from a random key. $\mathcal{A}$ can perform a limited number of $CorruptSC\left({\pi }^u\right)$ and $CorruptSD\left({\pi }^d\right)$ queries, but can execute as many $Test(·)$ queries as desired.
  If $Ad{v}_{PS,\mathcal{A}}\left(t\right)$ represents the advantage of $\mathcal{A}$ in compromising the semantic security of the proposed scheme $PS$, we have, $Ad{v}_{PS,\mathcal{A}}\left(t\right)=$$|2.Pr[SCS]-1|$, where $SCS$ is an event of $\mathcal{A}$’s success.
• Random oracle: All participating entities including $\mathcal{A}$ can invoke the “cryptographic one-way hash function”, $h(·)$, which is further modeled as a random oracle, say $\mathcal{HO}$.

Accounting to Wang et al.’s important findings [30] regarding the Zipf’s law on passwords, Theorem 1 defines the “semantic security of the proposed scheme”.

Theorem 1.

Let a polynomial time adversary $\mathcal{A}$ attempts to break the semantic security of the proposed scheme $\mathcal{P}$ under the ROR model in time t. If the chosen passwords follow the Zipf’s law [30], and the bit-lengths of the biometric secret key ${\sigma }_u$ and the user identity $I{D}_u$ are $l_1$ and $l_2$, respectively, $\mathcal{A}$’s advantage in compromising the semantic security of the proposed scheme $PS$ is

$$Ad{v}_{PS,\mathcal{A}}\left(t\right)\le \frac{q_h^2}{|Hash|}+2max\{C^{\prime }.q_s^{s^{\prime }},\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\},$$

where $q_h$, $q_s$ and $|Hash|$ represent the number of hash queries, the number of $Send$ queries and the range of $h(·)$, respectively, and $C^{\prime }$ and $s^{\prime }$ are the Zipf’s parameters [30].

Proof. 

We design our proof on the lines of the proofs that presented in [11,31,32]. Four sequential games, say $G_i$, $i\in [0–3]$, are played. The event $SC{S}_i$ represents that an adversary $\mathcal{A}$ can successfully guess the bit c in the game $G_i$. The details regarding all the games are given below.

• Game$G_0$: This game models a real attack on the semantic security of the proposed scheme $PS$ by $\mathcal{A}$. As initially the bit c is guessed,

  $$Ad{v}_{PS,\mathcal{A}}\left(t\right)=|2.Pr\left[SC{S}_0\right]-1|.$$

  (2)
• Game$G_1$: This game models as an eavesdropping attack by $\mathcal{A}$ on $PS$. Through the $Execute({\pi }^u,{\pi }^d)$ query, $\mathcal{A}$ can intercept the messages $\langle DI{D}_u,M_1,V_1\rangle$, $\langle M_2$, $V_2\rangle$, $\langle M_3,V_3\rangle$ and $\langle M_4,V_4\rangle$. $\mathcal{A}$ can query the $Test$ oracle and attempt to determine if the received result is the actual session key. As the session key is $SK=$$h\left(h\right(I{D}_u\Vert R_u\Vert h(R_g^{\prime }\Vert K\left)\right)\Vert R_d\Vert SI{D}_d)$, and to compute the same $\mathcal{A}$ must learn short term secret keys ($R_u,R_g^{\prime }$ and $R_d$) as well as long term secrets ($I{D}_u,SI{D}_d$ and K). Therefore, $\mathcal{A}$ gains no additional advantage for wining this game. Consequently, it follows that

  $$Pr\left[SC{S}_1\right]=Pr\left[SC{S}_0\right].$$

  (3)
• Game$G_2$: This game models as an active attack through use of the $Send$ and hash queries. $\mathcal{A}$ attempts to beguile a legitimate entity into accepting a modified message. As discussed previously, $\mathcal{A}$ can repeat the queries to the oracles in order to induce hash collisions. However, since all the messages contain random nonces, hash coalitions cannot be induced on $h(·)$ by $\mathcal{A}$. It is worth noticing that both the games $G_1$ and $G_2$ are identical except for the $Send$ and hash queries in the game $G_2$. Thus, through the use of birthday paradox, we have,

  $$|Pr\left[SC{S}_2\right]-Pr\left[SC{S}_1\right]|\le \frac{q_h^2}{2|Hash|}.$$

  (4)
• Game$G_3$: An extension to $G_2$, the game $G_3$ is the final game and it simulates the $CorruptSC$ and $CorruptSD$ queries. Querying these oracles, $\mathcal{A}$ can learn $\{A_1$, $A_{2}t$, $A_3,$${\tau }_u$, $TEMP\}$ and $\left\{K_{GS}\right\}$, respectively. The probability of $\mathcal{A}$ to correctly guess the biometric secret key ${\sigma }_i$ of bit-length $l_1$ and the user identity $I{D}_u$ of bit-length $l_2$ are $\frac{1}{2^{l_1}}$ and $\frac{1}{2^{l_2}}$, respectively [33].
  As the user chosen passwords tend to follow the Zipf’s law, by utilizing trawling guessing attacks, $\mathcal{A}$’s advantage will be over $0.5$ when $q_s={10}^7$ or ${10}^8$ [30]. If $\mathcal{A}$ can utilize a user’s personal information for the targeted guessing attacks, he/she will have an advantage over $0.5$ when $q_s\le {10}^6$ [30]. In practical implementation, only a finite number of erroneous password attempts are permitted to the adversary $\mathcal{A}$. Therefore, the games $G_3$ and $G_2$ are identical except for the guessing attacks. Thus, we can formulate the following relation as in [32]:

  $$|Pr\left[SC{S}_3\right]-Pr\left[SC{S}_2\right]|\le max\{C^{\prime }.q_s^{s^{\prime }},\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}.$$

  (5)
  However, $\mathcal{A}$ must guess a bit $c^{\prime }$ after executing the $Test$ query to win the game $G_3$. Therefore, it follows that

  $$|Pr\left[SC{S}_3\right]=\frac{1}{2}.$$

  (6)

From Equations (2), (3) and (6), we have,

$$\begin{array}{cc}\hfill \frac{1}{2}Ad{v}_{PS,\mathcal{A}}\left(t\right)& =|Pr\left[SC{S}_0\right]-\frac{1}{2}|\hfill \\ & =|Pr\left[SC{S}_1\right]-\frac{1}{2}|\hfill \\ & =|Pr\left[SC{S}_1\right]-|Pr\left[SC{S}_3\right]|.\hfill \end{array}$$

(7)

Summing the inequalities from Equations (4) and (5), we obtain the following relation:

$$\begin{array}{c}\hfill |Pr\left[SC{S}_2\right]-|Pr\left[SC{S}_1\right]|+|Pr\left[SC{S}_3\right]-|Pr\left[SC{S}_2\right]|\\ \hfill \le \frac{q_h^2}{2|Hash|}+max\{C^{\prime }.q_s^{s^{\prime }},\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}.\end{array}$$

(8)

Simultaneously solving Equations (7) and (8), we arrive at the desired result:

$$Ad{v}_{PS,\mathcal{A}}\left(t\right)\le \frac{q_h^2}{|Hash|}+2max\{C^{\prime }.q_s^{s^{\prime }},\frac{q_s}{2^{l_1}},\frac{q_s}{2^{l_2}}\}.$$

 □

5.2. Formal Security Verification through AVISPA Simulation

AVISPA is an automated software tool for the formal verification of security-sensitive protocols and applications [28]. AVISPA implements the Dolev-Yao (DY) threat model and verifies whether a scheme is resistant to replay and man-in-the-middle attacks. A security protocol to be verified needs to be modeled in the associated “High Level Protocol Specification Language (HLPSL)” [34]. AVISPA provides a translator, known as HLPSL2IF, for translating HLSPL into the Intermediate Format (IF). The IF can be interpreted by one of the available four backends to generate a report in the Output Format (OF). The structure of the OF contains following:

• SUMMARY: It states if the tested protocol is “safe”, “unsafe”, or if the analysis was “inconclusive”.
• DETAILS: It reports the explanation relevant to the SUMMARY section.
• PROTOCOL: It provides the protocol to be verified.
• GOAL: It states the goal as specified in the HLPSL.
• BACKEND: It mentions the backend that has been utilized.
• STATISTICS: It provides the trace for the vulnerabilities to the target protocol, if they are present, with additional useful statistics.

A more detailed report on AVISPA and HLPSL is available at in [28]. The four backends available with AVISPA are [28]: (a) “On-the-fly Model-Checker (OFMC)”, (b) “Constraint-Logic-based Attack Searcher (CL-AtSe)”, (c) “SAT-based Model-Checker (SATMC)”, and (d) “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. Among these, OFMC and CL-AtSe are most widely accepted, and we evaluate the proposed scheme under these backends to formally verify its resistance to the “man-in-the-middle and replay attacks”.

We have implemented the proposed scheme in HLSPL and defined the necessary roles for a user U, a smart device $SD$, and the $GWN$ for the different phases of the proposed scheme. We have also specified the roles for the session, goal, and environment as per the HLPSL specification. Finally, we have simulated the proposed scheme using the “SPAN, the Security Protocol ANimator for AVISPA tool’’ [35]. Figure 4 presents the simulation results under the widely-used OFMC and CL-AtSe backends. The simulation results clearly demonstrate that the proposed scheme is safe against the “man-in-the-middle and replay attacks”.

5.3. Informal Security Analysis

In the following, we demonstrate that the proposed scheme is secure against various known attacks.

5.3.1. Replay Attack

Assuming an adversary $\mathcal{A}$ replays the old message $M_1$ to $GWN$, $GWN$ will reject the replayed message after it detects that $R_u$ is not fresh. Similarly, all messages are composed of random nonces, which can be further verified for their freshness. Thus, the proposed scheme is resilient against replay attack.

5.3.2. Forgery Attack

An adversary $\mathcal{A}$ can attempt to forge the message $\langle DI{D}_u,M_1,V_1\rangle$ to the $GWN$. However, $M_1$ is encrypted with the secret key $K_{UG}$, and $V_1$ is also encapsulated with $DI{D}_U$ and $M_1$ against forgery. $\mathcal{A}$ cannot forge this message. Similarly, other messages cannot be forged either, and the proposed scheme is resilient against forgery attack.

5.3.3. Impersonation Attack

Assuming an adversary $\mathcal{A}$, after capturing the messages from a successful login an authentication attempts, to impersonate the user U. But, as $DI{D}_u$ is of single-use and $V_1$ encapsulates $I{D}_U$ and $M_1$ against forgery, $\mathcal{A}$ cannot simply modify the captured messages with his/her own $R_u$ to impersonate U. Similarly, $\mathcal{A}$’s attempt to impersonate the $GWN$ will fail because he/she will be unable to generate $\langle M_2,V_2\rangle$ and $\langle M_4,V_4\rangle$ without the knowledge of $K_{GS}$ and $K_{UG}$, respectively. As a result, the proposed scheme is resilient against impersonation attacks.

5.3.4. Man-in-the-Middle Attack

Assuming an adversary $\mathcal{A}$ attempts to execute a man-in-the-middle attack by capturing and modifying the login message from U to $GWN$. Nevertheless, the message cannot be forged or modified without knowledge of the secret credentials. Thus, the “man-in-the-middle attack” is also protected in the proposed scheme.

5.3.5. Loss of Smart Card and Offline Guessing Attack

Assuming an adversary $\mathcal{A}$ recovers a lost smart card, he/she can learn the values $A_1,A_2,A_3,{\tau }_u$ and $TEMP$ through the “power analysis attacks”. Of these, except for $TEMP$ and ${\tau }_u$, none is in plaintext and it is combination of the secret identity, password, and biometrics. It is worth noticing that ${\tau }_u$ and $TEMP$ are the public reconstruction parameter for biometrics and failed login attempts counter, respectively, which are not sensitive. For $\mathcal{A}$ to subvert the proposed scheme through the offline guessing attack, he/she will have to simultaneously guess $I{D}_u$, $P{W}_u$, and ${\sigma }_u$, which is “computationally infeasible” task. Thus, the proposed scheme is resilient against the “loss of smart card and offline guessing attacks”.

5.3.6. Privileged-Insider Attack

Assuming an adversary $\mathcal{A}$ is a privileged-insider, he/she can eavesdrop during the registration phase and learn user identity $I{D}_u$. Now, assume that he/she has subverted the user’s smart card $S{C}_u$ to recover the stored values $A_1=DI{D}_u\oplus$$h(I{D}_u\Vert P{W}_u$$\Vert {\sigma }_u),A_2=h(DI{D}_u$$\Vert I{D}_u$$\Vert {\sigma }_u\Vert P{W}_u)$ and $A_3=K_{UG}\oplus h(I{D}_u\Vert DI{D}_u\Vert P{W}_u\Vert {\sigma }_u)$. It is clear that even if $I{D}_u$ is known, in order to subvert the scheme with the available information, $\mathcal{A}$ must simultaneously guess password $P{W}_u$ and biometric secret key ${\sigma }_u$, which is computationally infeasible. As a result, the privileged-insider attack is protected in the proposed scheme.

5.3.7. Ephemeral Secret Leakage (ESL) Attack

Assume adversary $\mathcal{A}$ learns one or both of the session specific secrets ($R_u$, $R_g,R_d$) through the session hijacking attack under the CK-adversary model. Since the session key $SK=h\left(h\right(I{D}_u\Vert R_u\Vert C_1)\Vert R_d\Vert SI{D}_d)$ is derived from the user secret identity $I{D}_u$ and the $GWN$’s long term secret of K in addition to ($R_u$, $R_g,R_d$), $\mathcal{A}$ cannot subvert the session key $SK$ without any long term secrets. Thus, the proposed scheme is secure against ESL attack.

5.3.8. Parallel Session Attack

For an adversary $\mathcal{A}$ to successfully execute a parallel session attack, he/she needs to compose the session key $SK=h\left(h\right(I{D}_u\Vert R_u\Vert C_1)\Vert R_d\Vert SI{D}_d)$ by eavesdropping on the authentication related messages. But, no secrets are compromised regardless of lost smart card attack or privileged insider attack. As a result, the proposed scheme is secure against a parallel session attack.

5.3.9. Stolen Verifier Attack

As the gateway node $GWN$ maintains the tuple $\langle DI{D}_u,$$I{D}_u,$$R_g\rangle$ for each user U. Of these, $DI{D}_u$ and $R_g$ are the distict random nonces. Exposure of $I{D}_u$ is equivalent to a privileged-insider attack. However, the proposed scheme is resistant against privileged-insider attack. Thus, a stolen verifier attack is not a threat to the proposed scheme.

5.3.10. Smart Card Impersonation Attack

Smart card impersonation attack can only be executed by an adversary $\mathcal{A}$, if he/she can learn the secret values $I{D}_u$, $P{W}_u$ and ${\sigma }_u$ in a user’s smart card. Nevertheless, the secret values are not compromised through a lost smart card even in the presence of a privileged insider attacker. The proposed scheme is then secure against smart card impersonation attack.

5.3.11. Anonymity and Untracability

Assume that an adversary $\mathcal{A}$ eavesdrops and monitors the messages from a successful login and authentication. None of the eavesdropped values $\{DI{D}_u,M_1,M_2,M_3,M_4,V_1,V_2,V_3,V_4\}$, contains any plaintext information useful for identifying the user U or the smart device $SD$. Thus, the proposed scheme provides anonymity. Furthermore, all of the eavesdropped values are composed of some random nonces, and consequently these are always unique across different authentication sessions. Thus, the proposed scheme also provides anonymity and untracability.

6. Comparative Study

In this section, we benchmark the proposed scheme against the schemes proposed by Shuai et al. [7], Yu and Li [21], Naoui et al. [22], Fakroon et al. [23], and Dey and Hossain [24].

6.1. Communication Costs Comparison

For communication cost comparison, it is assumed that an ECC point is 320 bits, hash digest (assuming SHA-1 hashing algorithm is applied) is 160 bits, nonces as well as identities are 128 bits long. In the presented scheme, the four messages exchanged during the login and authentication phase are $\langle DI{D}_u,M_1,V_1\rangle$ which needs $(128+(128+126)+160)=544$ bits; $\langle M_2,V_2\rangle$ which requires $(160+160)=320$ bits; $\langle M_3,V_3\rangle$ which demands $\left(\right(128+160)+160)=448$ bits and $\langle M_4,V_4\rangle$ which needs $\left(\right(128+160+128)+160)=576$ bits. Thus, the total communication overhead of the proposed scheme turns out to be $(544+320+448+576)=1888$ bits $=236$ bytes.

Table 1. Communication costs comparison.

Scheme	No. of Bytes	No. of Messages
Shuai et al. [7]	(108 + 84 + 36 + 68) = 296	4
Yu and Li [21]	(84 + 124 + 164 + 164) × 2 = 1072	8
Naoui et al. [22]	(104 + 52 + 56 ) = 212	3
Fakroon et al. [23]	(100 + 52 + 52 +84) = 288	4
Dey and Hossain [24]	(132 + 132 + 52 + 52 + 52) = 420	5
Proposed scheme	(68 + 40 +56 +72) = 236	4

summarizes the proposed scheme and other existing schemes in terms of communications overheads. From this table, we observe that the proposed scheme requires less communication overhead as compared to that for the schemes of Shuai et al. [7] and second lowest among all other schemes.

6.2. Computation Costs Comparison

For computation cost analysis, we denote $T_{bp},T_m$, $T_b$ and $T_h$ as the time needed for computing “bilinear pairing”, “ECC multiplication”, “fuzzy extractor function $Gen(·)/Rep(·)$ for biometric verification” and “hashing” operations, respectively. Based on experimental results reported in [36], we have $T_{bp}\approx 32.713$ ms (milliseconds), $T_m\approx 13.405$ ms, $T_b\approx T_m=13.405$ ms and $T_h\approx 0.056$ ms, respectively.

Table 2. Computation costs comparison.

Scheme	U	$\mathit{GWN}$	$\mathit{SD}$	Total Cost
Shuai et al. [7]	$6T_h+1T_m$	$7T_h+1T_m$	$3T_h$	$16T_h+3T_m$
	≈ 13.741 ms	≈ 13.797 ms	≈ 0.168 ms	≈ 27.604 ms
Yu and Li [21]	$7T_h+14T_m$	$12T_h+19T_m+4T_{bp}$	$7T_h+14T_m$	$26T_h+47T_m+4T_{bp}$
	≈ 188.062 ms	≈ 386.219 ms	≈ 188.062 ms	≈762.343 ms
Naoui et al. [22]	$12T_h+3T_{sym}+2T_m$	$13T_h+4T_{sym}+2T_m$	$1T_h+1T_{sym}$	$26T_h+7T_{sym}+4T_m$
	≈ 32.453 ms	≈ 34.166 ms	≈ 1.713 ms	≈68.332 ms
Fakroon et al. [23]	$4T_h$	$5T_h$	$24T_h$	$33T_h$
	≈ 0.224 ms	≈ 0.28 ms	≈ 1.344 ms	≈1.848 ms
Dey and Hossain [24]	$4Th+2Tm+3Tsym$	-	$3Th+2Tm+3Tsym$	$7Th+4Te+6Tsym$
	≈ 32.005 ms	≈ 0.0 ms	≈ 31.949 ms	≈63.954 ms
Proposed	$10T_h+1T_b$	$10T_h$	$4T_h$	$24T_h+1T_b$
	≈ 13.965 ms	≈ 0.56 ms	≈ 0.224 ms	≈14.749 ms

briefs the computational costs for the proposed scheme and other existing schemes. It is clear that the presented scheme has a significantly less computation cost as compared to that for the schemes of Shuai et al. [7]. With the exception of Fakroon et al. [23], which might incur a greater computation cost, the proposed scheme has the lowest computation cost.

6.3. Security and Functionality Features Comparison

Finally, in

Table 3. Security & functionality features comparison.

Feature	${\mathit{V}}_1$	${\mathit{V}}_2$	${\mathit{V}}_3$	${\mathit{V}}_4$	${\mathit{V}}_5$	${\mathit{V}}_6$	${\mathit{V}}_7$	${\mathit{V}}_8$	${\mathit{V}}_9$	${\mathit{V}}_{10}$	${\mathit{V}}_{11}$
Shuai et al. [7]	☑	☑	☑	☑	☑	☒	☒	☒	☒	☒	☒
Yu and Li [21]	☑	☑	☑	☑	☑	☑	☑	☑	☑	☑	☑
Naoui et al. [22]	☑	☑	☑	☑	☑	☒	☒	☒	☒	☒	☒
Fakroon et al. [23]	☑	☑	☑	☑	☑	☒	☒	☒	☑	☑	☒
Dey and Hossain [24]	☒	☒	☒	☑	☒	☒	NA	NA	☒	NA	☒
Proposed	☑	☑	☑	☑	☑	☑	☑	☑	☑	☑	☑

Note: ☑: The scheme is resilient against an attack or it supports a feature; ☒: The scheme is not secure against an attack or it does not support a feature; ⧆: Discussed in text. $V_1$: “user anonymity”, $V_2$: “sensor node anonymity”, $V_3$: “untraceability”, $V_4$: “resilience against replay attack”, $V_5$: “resilience against man-in-the-middle attack”, $V_6$: “resilience against ESL attack under the CK-adversary model”, $V_7$: “resist off-line password guessing attack”, $V_8$: “resist smart card impersonation attack”, $V_9$: “resist parallel session attack”, $V_{10}$: “resist password change attack”, $V_{11}$: “support three-factor authentication”.

, the functionality of the proposed scheme and other existing schemes are compared. From this table, it is apparent that the proposed scheme provides better security and functionality features features as compared to those for other existing schemes. Moreover, from the Table 1 and Table 2, we can see that the proposed scheme requires less computation and communication overheads as compared to other schemes.

7. Practical Impact Study through NS3 Simulation

To estimate the practicability of the proposed scheme, we have performed a simulation study. We have utilized the most recent iteration of the widely accepted network simulator tool, NS3 (3.28). We run our simulation on a Linux workstation. For our simulation, we specify the location of the gateway node $\left(GWN\right)$ at the origin of the coordinate system. The smart devices are considered at random positions 20 to 100 m from the $GWN$. The users are permitted to move across a square of 150 m side centered around the gateway $GWN$ with a maximum speed of 3 m per second. Users attempt to establish session keys with all available devices. Communication is measured across the IEEE 802.11 2.4 GHz channel. We have then simulated several scenarios with differing number of users and smart devices. The details regarding the simulation parameters are presented in

Table 4. Simulation parameters.

Parameter	Description
Platform	NS3(3.28)/Ubuntu 16.04 LTS
Network scenarios	No. of users	No. of smart devices
1	3	5
2	3	10
3	3	15
4	5	15
5	5	20
6	8	20
Mobility	Random (0–3 m/s)
Simulation time	1200 s

. Any parameters that are not explicitly mentioned here are assumed to have their default values as defined by the NS3.

Figure 5a,b presents the network throughput and end-to-end delay for the proposed scheme, respectively, under different scenarios. The network throughput is calculated according to the formula:

$$\frac{N_p\ast |byte|}{T_{sum}},$$

whereas the end-to-end delay is computed with the formula:

$$\frac{{\sum }_{i=0}^{N_p}(T_{r_i}-T_{s_i})}{N_p}.$$

Here, $N_p$ is the total number of packets received, $|byte|$ is the number of bytes in each packet, $T_{sum}$ represents the total time taken, and $T_{s_i}$ and $T_{r_i}$ are the transmission and receiving time of the ith packet, respectively. The simulation results demonstrate the expected correlation between the number of participants, the network throughput and also the end-to-end delay.

8. Conclusions

We first discussed the issue of anonymous user authentication in smart home environments. We then cryptanalyzed the recently proposed user authentication scheme and discovered its several security vulnerabilities. Furthermore, we proposed a more secure and robust authentication scheme for anonymous user authentication and key agreement in smart homes to erase the security pitfalls found in the existing Shuai et al.’s scheme, while retaining its advantages at the same time. The security analysis and performance comparison show that the proposed scheme can provide better security and more functionality features at low communication and computation overheads, when compared these with other recent existing schemes. In our future work, we plan to investigate the possibility of extending the proposed scheme to support remote registration as it is designed in the scheme proposed by Yu and Li [21] at a more acceptable communication and computation overheads.