Article

A Secure, Lightweight, and Anonymous User Authentication Protocol for IoT Environments

1 School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Korea
2 School of Computer Engineering, Keimyung University, Daegu 42601, Korea
3 School of Electronics Engineering, Kyungpook National University, Daegu 41566, Korea
* Authors to whom correspondence should be addressed.
Sustainability 2021, 13(16), 9241; https://doi.org/10.3390/su13169241
Submission received: 13 July 2021 / Revised: 11 August 2021 / Accepted: 13 August 2021 / Published: 17 August 2021

Abstract

The Internet of Things (IoT) is being applied to various environments such as telecare systems, smart homes, and intelligent transportation systems. The information generated from IoT devices is stored at remote servers, and external users authenticate to the server for requesting access to the stored data. In IoT environments, the authentication process is required to be conducted efficiently, and should be secure against various attacks and ensure user anonymity and untraceability to ensure sustainability of the network. However, many existing protocols proposed in IoT environments do not meet these requirements. Recently, Rajaram et al. proposed a pairing-based user authentication scheme. We found that the Rajaram et al. scheme is vulnerable to various attacks such as offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks. Additionally, as their scheme uses bilinear pairing, it requires high computation and communication costs. In this study, we propose a novel authentication scheme that resolves these security problems. The proposed scheme uses only hash and exclusive-or operations to be applicable in IoT environments. We analyze the proposed protocol using informal analysis and formal analysis methods such as the BAN logic, real-or-random (ROR) model, and the AVISPA simulation, and we show that the proposed protocol has better security and performance compared with existing authentication protocols. Consequently, the proposed protocol is sustainable and suitable for real IoT environments.

1. Introduction

The Internet of Things (IoT) has become an essential technology in business and industry that is being applied to various environments [1,2,3,4,5,6,7,8] including telecare systems, smart grids, intelligent transportation systems, and global roaming systems to make human lives more prosperous. For example, in IoT-based telecare environments (see Figure 1), medical devices and sensors check the patient’s pulse, blood pressure, and body temperature in real time, and transmit the information to a remote server. Thereafter, users such as doctors and researchers authenticate the server using mobile devices (i.e., smart phones) and access the information for diagnosis or research. IoT-based telecare systems can provide convenience to patients and contribute to the progress of healthcare. In addition, the IoT can be applied to other environments for increasing business productivity and industrial efficiency.
However, despite these advantages, several challenges must be addressed. Communications in IoT environments are performed on wireless channels, which are prone to attacks by adversaries. They can obtain transmitted messages and can attempt various attacks including replay, man-in-the-middle, and impersonation attacks [9,10,11] and also attempt to trace a user to obtain sensitive information. Additionally, to ensure real-time communication of mobile devices with limited computing power [12], the efficiency of the authentication protocol should be considered. Therefore, a secure and efficient authentication protocol is necessary for sustainable communications in IoT environments. However, recently proposed authentication schemes in IoT environments have several security vulnerabilities, and require high amounts of computation using elliptic curve cryptosystem (ECC) [13] scalar multiplication and bilinear pairing operations [14]. These shortcomings can cause problems with the sustainability of the network.
Rajaram et al. [15] proposed a user authentication scheme using bilinear pairing in 2019. They claimed that their scheme is secure against possible attacks and provides various security features. However, our analysis shows that their scheme has several security vulnerabilities when applied in wireless networks. Their scheme cannot guarantee user anonymity and has a high computational cost because it uses bilinear pairing. Therefore, we propose an improved authentication protocol that can resolve these issues.

1.1. Motivation

In IoT environments, each message is transmitted through public channels. The messages can contain personal sensitive information, and if the information is leaked to an adversary, it can cause serious privacy threats. Additionally, because IoT devices have limited computing resources, a high computation cost can cause delays. Therefore, a secure and efficient authentication protocol is essential for sustainable IoT environments. In 2019, Rajaram et al. proposed a pairing-based user authentication scheme. However, the Rajaram et al. scheme does not resist off-line guessing, impersonation, privileged insider, and known session-specific temporary information attacks. In addition to the Rajaram et al. scheme, we note the limitations and weaknesses of existing research (see Section 2). Several schemes used elliptic curve multiplication and bilinear pairing, which require a high amount of computation, making them unsuitable for IoT environments. Additionally, most schemes do not resist various attacks including impersonation, off-line guessing, and privileged insider attacks, and cannot guarantee security features such as mutual authentication, user anonymity, and user untraceability. Because of these weaknesses, existing schemes are not sustainable in IoT environments, which motivated us to design a new authentication protocol that overcomes the drawbacks of existing research and ensures both security and efficiency.

1.2. Main Contributions

The main contributions of this paper are as follows.
  • We show that the Rajaram et al. scheme [15] is vulnerable to offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks, and does not provide user anonymity and untraceability.
  • We propose a secure, lightweight, and anonymous authentication protocol, which uses only hash and exclusive-or operations, making it suitable for IoT environments.
  • We provide informal analyses of the proposed protocol and perform a security analysis under the real-or-random (RoR) model to prove the session key security.
  • We prove the correctness of the proposed protocol using the BAN logic, and show that the proposed protocol is secure against replay and MiTM attacks using the automated validation of internet security protocols and application (AVISPA) simulation tool.
  • We compare the proposed protocol with existing protocols proposed in IoT environments. The comparison shows that our protocol has lower computation and communication costs than the existing protocols, and that the proposed protocol is more suitable for real IoT environments.

2. Related Works

Over the past few years, many authentication protocols have been proposed for IoT environments. In 2018, Chen et al. [16] proposed a lightweight and anonymous authentication scheme for IoT environments. They used ECC for authentication and analyzed the scheme using the BAN logic. They also simulated computation and communication costs using C++. Dhillon and Kalra [17] proposed a three-factor user authentication scheme for IoT-based healthcare systems. They handled authentication between medical professionals and a cloud server. Thakare and Kim [18] indicated security and efficiency of the existing protocols and proposed an ECC-based authentication scheme for IoT environments. They formally analyzed the scheme using both AVISPA and ProVerif tools to prove security and correctness. However, these schemes [16,17,18] suffer from high computation cost, as they used an elliptic curve cryptosystem.
Some studies proposed lightweight authentication protocols using only hash and exclusive-or operations. In 2014, Kumari et al. [19] proposed a two-factor remote user authentication scheme for distributed systems. They claimed that their scheme has various security characteristics including resistance to smart card stolen attack and user impersonation attack. However, Kaul and Awasthi [20] indicated that the Kumari et al. scheme is vulnerable to smart card loss attacks. They proposed an enhanced authentication protocol and formally analyzed it using the AVISPA simulation tool. Kang et al. [21] showed that Kaul and Awasthi’s scheme cannot guarantee user anonymity, and is not secure against off-line password guessing and desynchronization attacks. They proposed a biometric-based key agreement scheme. However, they do not consider known session-specific temporary information attacks. Rana et al. [22] also asserted that Kaul and Awasthi’s scheme cannot resist user impersonation attacks using a stolen smart card, and proposed a lightweight authentication scheme, which is suitable for IoT infrastructures. However, their scheme does not consider known session-specific temporary information attacks and cannot ensure user untraceability.
In 2019, Rajaram et al. [15] proposed a bilinear pairing based user authentication scheme. They claimed that their scheme is secure against off-line guessing, privileged insider, and impersonation attacks and can ensure mutual authentication. However, we observe that the Rajaram et al. scheme cannot defend against the mentioned attacks, is vulnerable to known session-specific temporary information attacks, and lacks user anonymity. Their scheme also requires high computation cost as it uses the bilinear pairing operation. In this paper, we propose a secure, lightweight, and anonymous user authentication scheme that resolves the above-mentioned issues and is suitable for IoT environments.

3. Review of Rajaram et al.’s Scheme

Rajaram et al.’s scheme consists of initialization, user registration, user login, user authentication, and password update phase. Table 1 represents the notations of Rajaram et al.’s scheme and the detailed description of each phase is as follows.

3.1. Initialization Phase

$RS$ generates a large prime number $q$, chooses an additive cyclic group $G_1$ and a multiplicative cyclic group $G_2$ with order $q$, and selects a cryptographic hash function $h_{f1}: \{0,1\}^* \rightarrow Z_q$. Thereafter, $RS$ chooses a generator $R_P \in G_1$ and calculates $e(R_P, R_P) = \alpha$, and selects a secret key $s_K$ and the public key of $RS$ is $P_{pub} = s_K \cdot R_P$. $RS$ keeps $s_K$ securely and publishes $(q, G_1, G_2, R_P, \alpha, h(\cdot), P_{pub})$.

3.2. User Registration Phase

$U_x$ registers to $RS$ using $ID_x$ and $PW_x$. Firstly, $U_x$ chooses a $y \in Z_q$ and computes $PWD_x = h_{f1}(PW_x \| y)$. Thereafter, $U_x$ sends $(ID_x, PWD_x)$ to $RS$. After $RS$ receives the message, $RS$ computes $R_x = h_{f1}(s_K, ID_x) \oplus PWD_x$ and $REG_{ID_x} = h_{f1}(s_K, ID_x) \cdot PWD_x \cdot R_P$. After that, $RS$ stores $(R_x, REG_{ID_x}, h_{f1}(\cdot), R_P, P_{pub})$ in $SC_x$. Thereafter, $RS$ issues $SC_x$ to $U_x$, and $U_x$ stores $y$ in $SC_x$. Subsequently, $(R_x, REG_{ID_x}, h_{f1}(\cdot), R_P, P_{pub}, y)$ is stored in $SC_x$. The registration phase is performed via a secure channel. Figure 2 shows the registration phase of the Rajaram et al. scheme.

3.3. User Login Phase

A registered $U_x$ can be offered services from $RS$ by inserting $SC_x$ into the card reader. After $U_x$ inputs $ID_x^*$ and $PW_x^*$ to $SC_x$, $SC_x$ computes $PWD_x^* = h_{f1}(PW_x^* \| y)$, $L_0 = R_x \oplus PWD_x^*$, and $REG_{ID_x}^* = L_0 \cdot PWD_x^* \cdot R_P$. Thereafter, $SC_x$ checks whether $REG_{ID_x}^* \stackrel{?}{=} REG_{ID_x}$. If they are equal, $SC_x$ chooses $y_1$ and computes $L_1 = h_{f1}(y_1 \| T_1)$, $L_2 = h_{f1}(PWD_x \| L_1)$, $L_3 = (L_0 + L_2) \cdot P_{pub}$, and $L_4 = L_1 \oplus PWD_x^*$. $T_1$ is a current timestamp. Thereafter, $U_x$ sends $(ID_x, R_x, L_3, L_4, T_1)$ to $RS$ through a wireless channel. Figure 3 shows the login phase of the Rajaram et al. scheme.

3.4. User Authentication Phase

After receiving the message from $U_x$, $RS$ verifies the validity of $ID_x$ and checks whether $|T_1 - T_1^*| \stackrel{?}{\le} \Delta T$, where $T_1^*$ is a timestamp when $RS$ received the message and $\Delta T$ is a tolerance. Thereafter, $RS$ computes $A_0 = h_{f1}(s_K \| ID_x)$, $PWD_x = R_x \oplus A_0$, $L_1 = PWD_x \oplus L_4$, and $L_2 = h_{f1}(PWD_x \| L_1)$. Subsequently, $RS$ checks whether $e(L_3, R_P) \stackrel{?}{=} \alpha^{s_K \cdot (A_0 + L_2)}$. If they are equal, $RS$ chooses $y_2 \in Z_q^*$ and computes $A_1 = h_{f1}(y_2 \| T_x)$, $A_2 = h_{f1}(A_0 \| A_1)$, $A_3 = A_2 \cdot PWD_x \cdot R_P$, $y_3 = L_1 \oplus A_1$, and session key $ss_K = h_{f1}(A_2 \| L_1 \| A_1 \| L_2)$. Then, $RS$ sends $(A_3, y_3, T_2)$ to $U_x$. After $U_x$ receives the message, $U_x$ checks whether $|T_2 - T_2^*| \stackrel{?}{\le} \Delta T$ and computes $A_1^* = y_3 \oplus L_1$, $A_2^* = h_{f1}(L_0 \| A_1^*)$, and $A_3^* = A_2^* \cdot PWD_x \cdot R_P$. If $A_3 = A_3^*$, $U_x$ computes session key $ss_K = h_{f1}(A_2 \| L_1 \| A_1 \| L_2)$. Figure 4 shows the authentication phase of the Rajaram et al. scheme.

3.5. Password Change Phase

The password change phase of the Rajaram et al. scheme can be conducted through a new registration (see Section 3.2) or during the authentication phase (see Section 3.3 and Section 3.4).

4. Cryptanalysis of the Rajaram et al. Scheme

Rajaram et al. asserted that their scheme has resistance to impersonation and privileged insider attacks. However, we observed that their scheme cannot prevent impersonation and privileged insider attacks. We also analyzed the Rajaram et al. scheme with the CK model and found that it is vulnerable to known session-specific temporary information attacks.

4.1. Adversary Model

To analyze the security of the proposed protocol, we adopt the Dolev–Yao (DY) adversary model [23]. The DY model is a widely accepted adversary model, which is applied to various authentication protocols [24,25,26,27]. We make the following assumptions about an adversary A in the DY model.
  • A has full control over transmitted messages on wireless channels. A can eavesdrop, delete, inject, and modify messages.
  • A can steal a smart card of a legitimate user and can extract the stored value using power analysis [28,29].
  • A can use the values obtained from the previous assumptions to attempt active attacks such as off-line guessing, impersonation, and session key disclosure.
We also apply the Canetti and Krawczyk (CK) adversary model [30] to further analyze the proposed protocol. The CK model has a stronger assumption compared to the DY model, and is also widely used in the analysis of an authentication protocol [31,32,33]. In the CK model, A can compromise session states and hijack random values generated in each session.

4.2. Off-Line Password Guessing Attack

By the assumptions of Section 4.1, an adversary A can obtain $(R_x, REG_{ID_x}, R_P, P_{pub}, y)$ stored in $SC_x$ and the transmitted message $(ID_x, R_x, L_3, L_4, T_1)$ through an open channel. Thereafter, A can attempt an off-line password guessing attack as follows.
  • A guesses password $PW_x^A$ from a password dictionary, and then computes $PWD_x^A = h_{f1}(PW_x^A \| y)$.
  • Thereafter, A computes $L_0^A = R_x \oplus PWD_x^A$ and $REG_{ID_x}^A = L_0^A \cdot PWD_x^A \cdot R_P$, and checks whether $REG_{ID_x}^A \stackrel{?}{=} REG_{ID_x}$.
  • If the check is satisfied, A has guessed the correct password. If not, A repeats the process from the beginning.

4.3. Impersonation Attack

Using the guessed password as described in Section 4.2, A can impersonate $U_x$.
  • A generates a timestamp $T_A$ and $y_1^A \in Z_q^*$.
  • A computes $L_1^A = h_{f1}(y_1^A \| T_A)$, $L_2^A = h_{f1}(PWD_x \| L_1^A)$, $L_3^A = (L_0 + L_2^A) \cdot P_{pub}$, and $L_4^A = PWD_x \oplus L_1^A$.
  • A sends $(ID_x \| R_x \| L_3^A \| L_4^A \| T_A)$ to $RS$. After $RS$ receives the message, $RS$ regards the message as sent by $U_x$, and sends a response message.
A succeeds in impersonating $U_x$. Therefore, Rajaram et al.’s scheme cannot defend against the impersonation attack.

4.4. Privileged Insider Attack

If A is a privileged insider, A can obtain the registration request message $(ID_x, PWD_x)$ of $U_x$ and can attempt to discover the session key using the information. To calculate $ss_K$, A can use $R_x$, $L_3$, $L_4$, and $y_3$, which are obtained from open channels. A computes $L_0 = R_x \oplus PWD_x$, $L_1 = PWD_x \oplus L_4$, and $L_2 = h_{f1}(PWD_x \| L_1)$. Thereafter, A computes $A_1 = y_3 \oplus L_1$ and $A_2 = h_{f1}(L_0 \| A_1)$. Finally, A can calculate $ss_K = h_{f1}(A_2 \| L_1 \| A_1 \| L_2)$, and therefore, Rajaram et al.’s scheme cannot resist a privileged insider attack.

4.5. Known Session-Specific Temporary Information Attack

Under the CK model, A can compromise a session and obtain session random numbers $y_1$ and $y_2$. Then, A can disclose the session key $ss_K$ using the random numbers. A can obtain the messages $(ID_x, R_x, L_3, L_4, T_1)$ and $(A_3, y_3, T_2)$, which are transmitted during the authentication phase. Thereafter, A can compute $L_1 = h_{f1}(y_1, T_1)$, $PWD_x = L_4 \oplus L_1$, $L_2 = h_{f1}(PWD_x, L_1)$, $A_1 = y_3 \oplus L_1$, and $A_2 = h_{f1}(R_x \oplus PWD_x \| A_1)$. A can calculate $A_1$, $A_2$, $L_1$, and $L_2$, and obtain $ss_K = h_{f1}(A_2, L_1, A_1, L_2)$. Therefore, the Rajaram et al. scheme is vulnerable to known session-specific temporary information attacks.

4.6. User Anonymity and Untraceability

In Rajaram et al.’s scheme, user identity $ID_x$ is transmitted on a wireless channel without being masked or encrypted. Therefore, A can obtain $ID_x$ from transmitted messages to trace $U_x$. Rajaram et al.’s scheme cannot support privacy preservation and can raise serious security issues in several IoT environments, such as healthcare systems and smart homes.

5. Proposed Scheme

The proposed scheme includes an initialization, user registration, user login, user authentication, and password update phase. Table 2 describes the notations of the proposed scheme.

5.1. Initialization

$RS$ chooses a large prime $q$, generates a secret key $s \in Z_q^*$, and selects a cryptographic hash function $h(\cdot): \{0,1\}^* \rightarrow Z_q$. $RS$ publishes $(q, h(\cdot))$ and keeps $s$ securely.

5.2. User Registration Phase

Before the authentication, $U_X$ registers to $RS$. $U_X$ chooses $ID_X$ and $PW_X$, and generates $r \in Z_q^*$. $U_X$ computes $PWD_X = h(PW_X \| r)$, and then sends $(ID_X, PWD_X)$ to $RS$. $RS$ checks whether $ID_X$ is already registered after receiving the message. If not, $RS$ chooses $t \in Z_q^*$, and computes $TID_X = h(ID_X \| t)$ and $PID_X = h(TID_X \| s)$. Thereafter, $RS$ stores $(TID_X, h(ID_X \| PWD_X))$ in secure memory. $RS$ generates a fuzzy extractor $l \in [2^4, 2^8]$ and stores $(TID_X, PID_X, h(\cdot), l)$ in smart card $SC_X$. $RS$ transmits $SC_X$ to $U_X$. Subsequently, $U_X$ computes $A_X = r \oplus h(ID_X \| PW_X)$, $B_X = TID_X \oplus h(ID_X \| PW_X \| r)$, $C_X = PID_X \oplus h(TID_X \| r)$, and $Auth_X = h(TID_X \| PID_X) \bmod l$. $U_X$ replaces $PID_X$ with $(A_X, B_X, C_X, Auth_X)$ in $SC_X$. The proposed user registration phase is shown in Figure 5.

5.3. User Login Phase

$U_X$ inputs $ID_X$ and $PW_X$ in $SC_X$. Thereafter, $SC_X$ computes $r = A_X \oplus h(ID_X \| PW_X)$, $TID_X = B_X \oplus h(ID_X \| PW_X \| r)$, and $PID_X = C_X \oplus h(TID_X \| r)$, and checks $Auth_X \stackrel{?}{=} h(TID_X \| PID_X) \bmod l$. If they are equal, $SC_X$ generates $a_X \in Z_q^*$ and current timestamp $T_1$, and computes $M_1 = h(PID_X \| h(ID_X \| PWD_X)) \oplus a_X$ and $M_2 = h(TID_X \| PID_X \| a_X \| T_1)$. Thereafter, $SC_X$ sends $(TID_X, M_1, M_2, T_1)$ to $RS$. The proposed login phase is shown in Figure 6.

5.4. User Authentication Phase

After $RS$ receives the authentication request message, $RS$ checks whether $|T_1 - T_1^*| \stackrel{?}{\le} \Delta T$. Subsequently, $RS$ retrieves $h(ID_X \| PWD_X)$ using $TID_X$, computes $PID_X = h(TID_X \| s)$ and $a_X = h(PID_X \| h(ID_X \| PWD_X)) \oplus M_1$, and checks $M_2 \stackrel{?}{=} h(TID_X \| PID_X \| a_X \| T_1)$. If it is valid, $RS$ generates $b_X \in Z_q^*$ and current timestamp $T_2$. Thereafter, $RS$ generates $TID_X^{new} = TID_X \oplus b_X$, $PID_X^{new} = h(TID_X^{new} \| s)$, $M_3 = h(PID_X \| h(ID_X \| PWD_X)) \oplus b_X$, $M_4 = PID_X^{new} \oplus h(TID_X^{new} \| h(ID_X \| PWD_X) \| b_X)$, $SK = h(PID_X \| a_X \| b_X)$, and $M_5 = h(SK \| PID_X^{new} \| T_2)$, where $TID_X^{new}$ and $PID_X^{new}$ are the updated temporary identity and secret identity of $U_X$, respectively. $RS$ sends $(M_3, M_4, M_5, T_2)$ to $U_X$. After reception of the message, $U_X$ checks whether $|T_2 - T_2^*| \stackrel{?}{\le} \Delta T$, computes $b_X = h(PID_X \| h(ID_X \| PWD_X)) \oplus M_3$, $TID_X^{new} = TID_X \oplus b_X$, $PID_X^{new} = M_4 \oplus h(TID_X^{new} \| h(ID_X \| PWD_X) \| b_X)$, and $SK = h(PID_X \| a_X \| b_X)$, and checks whether $M_5 = h(SK \| PID_X^{new} \| T_2)$. If they are equal, the session key is established. Thereafter, $U_X$ computes $B^{new} = TID^{new} \oplus h(ID_X \| PW_X \| r)$, $C^{new} = PID^{new} \oplus h(TID^{new} \| r)$, and $Auth^{new} = h(TID^{new} \| PID^{new}) \bmod l$. Subsequently, $U_X$ updates $(B_X, C_X, Auth_X)$ to $(B^{new}, C^{new}, Auth^{new})$ in $SC_X$. The proposed mutual authentication phase is shown in Figure 7.
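The registration, login, and authentication phases above can be exercised end to end with the following sketch. It is an added example, not the authors' implementation, and it rests on assumptions: $h(\cdot)$ is modelled as SHA-256, elements of $Z_q^*$ as 32-byte random strings, "||" as length-prefixed concatenation, timestamps as integer seconds with $\Delta T = 5$, and the server re-keys its table to $TID_X^{new}$ as soon as it replies. The class and function names (`Server`, `Card`, `enroll`, `run_session`) are hypothetical.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # assumed timestamp tolerance, in seconds
N = 32       # assumed byte length of random values (stand-in for Z_q*)

def h(*parts):
    """h(.) modelled as SHA-256; '||' is encoded with length prefixes."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t):
    return int(t).to_bytes(8, "big")

class Server:
    def __init__(self):
        self.s = secrets.token_bytes(N)  # long-term secret s
        self.table = {}                  # TID_X -> h(ID_X || PWD_X)
        self.sk = None

    def register(self, id_x, pwd_x):
        tid = h(id_x, secrets.token_bytes(N))          # TID_X = h(ID_X || t)
        self.table[tid] = h(id_x, pwd_x)
        l = 2**4 + secrets.randbelow(2**8 - 2**4 + 1)  # l in [2^4, 2^8]
        return tid, h(tid, self.s), l                  # TID_X, PID_X, l

    def authenticate(self, tid, m1, m2, t1, now):
        v = self.table.get(tid)                        # h(ID_X || PWD_X)
        if v is None or abs(now - t1) > DELTA_T:
            return None
        pid = h(tid, self.s)
        a = xor(h(pid, v), m1)                         # recover a_X from M1
        if not hmac.compare_digest(m2, h(tid, pid, a, ts(t1))):
            return None
        b = secrets.token_bytes(N)
        tid_new = xor(tid, b)
        pid_new = h(tid_new, self.s)
        m3 = xor(h(pid, v), b)
        m4 = xor(pid_new, h(tid_new, v, b))
        self.sk = h(pid, a, b)
        m5 = h(self.sk, pid_new, ts(now))
        # Assumption: the table is re-keyed to TID_new at this point; the page
        # does not say when RS switches to the new temporary identity.
        self.table[tid_new] = self.table.pop(tid)
        return m3, m4, m5, now

class Card:
    def __init__(self, issued, id_x, pw_x, r):
        tid, pid, self.l = issued
        self.A = xor(r, h(id_x, pw_x))
        self._seal(tid, pid, id_x, pw_x, r)

    def _seal(self, tid, pid, id_x, pw_x, r):
        self.B = xor(tid, h(id_x, pw_x, r))
        self.C = xor(pid, h(tid, r))
        self.Auth = int.from_bytes(h(tid, pid), "big") % self.l

    def login(self, id_x, pw_x, now):
        r = xor(self.A, h(id_x, pw_x))
        tid = xor(self.B, h(id_x, pw_x, r))
        pid = xor(self.C, h(tid, r))
        if int.from_bytes(h(tid, pid), "big") % self.l != self.Auth:
            return None                                # local check failed
        a = secrets.token_bytes(N)
        v = h(id_x, h(pw_x, r))                        # h(ID_X || PWD_X)
        self._st = (id_x, pw_x, r, tid, pid, a, v)
        return tid, xor(h(pid, v), a), h(tid, pid, a, ts(now)), now

    def finish(self, reply, now):
        m3, m4, m5, t2 = reply
        id_x, pw_x, r, tid, pid, a, v = self._st
        if abs(now - t2) > DELTA_T:
            return None
        b = xor(h(pid, v), m3)                         # recover b_X from M3
        tid_new = xor(tid, b)
        pid_new = xor(m4, h(tid_new, v, b))
        sk = h(pid, a, b)
        if not hmac.compare_digest(m5, h(sk, pid_new, ts(t2))):
            return None
        self._seal(tid_new, pid_new, id_x, pw_x, r)    # update B, C, Auth
        return sk

def enroll(server, id_x, pw_x):
    r = secrets.token_bytes(N)
    return Card(server.register(id_x, h(pw_x, r)), id_x, pw_x, r)

def run_session(server, card, id_x, pw_x, now):
    """Return (SK at user, SK at server), or None if either side rejects."""
    req = card.login(id_x, pw_x, now)
    reply = server.authenticate(*req, now) if req else None
    sk_user = card.finish(reply, now) if reply else None
    return (sk_user, server.sk) if sk_user else None
```

Because $Auth_X$ is reduced modulo $l$, a wrong password can occasionally pass the card's local check; the request it produces then carries a garbage $TID_X$ that the server does not find in its table.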

5.5. Password Change Phase

After the authentication phase, $U_X$ generates a new password $PW_X^{new}$ and a random number $r^{new}$, computes $PWD_X^{new} = h(PW_X^{new} \| r^{new})$, and sends a password change request message to $RS$ including $(ID_X, PWD_X^{new})$. Thereafter, $RS$ updates $h(ID_X \| PWD_X)$ to $h(ID_X \| PWD_X^{new})$ and the password update is completed.

6. Security Analysis

We analyze the security of the proposed protocol using informal analysis and formal analysis such as the BAN logic, RoR model, and AVISPA.

6.1. Informal Analysis

We informally describe that the proposed protocol is secure against the following attacks.

6.1.1. Replay and MITM Attacks

In the proposed protocol, each message transmitted during the authentication contains a timestamp and random number. Timestamps $T_1$ and $T_2$, and random numbers $a_x$ and $b_x$ are included in message hash values $M_2$ and $M_5$. An adversary cannot forge these message hash values, and therefore, the proposed protocol is secure against replay and MITM attacks.

6.1.2. Off-Line Guessing Attack

By assumption of the adversary model, an adversary A can attempt an off-line guessing attack using transmitted messages $(TID_X, M_1, M_2, T_1)$ and $(M_3, M_4, M_5, T_2)$, and the extracted values $(A_X, B_X, C_X, Auth_X, h(\cdot), l)$ from $SC_X$. Using a password dictionary, A can guess $PW_X^*$ and calculate $r^* = A_X \oplus h(ID_X \| PW_X^*)$, $TID_X^* = B_X \oplus h(ID_X \| PW_x^* \| r^*)$, and $PID_X^* = C_X \oplus h(TID_X^* \| r)$, and can check whether $Auth_X \stackrel{?}{=} h(TID_X^* \| PID_X^*) \bmod l$. However, A cannot know that the guessed $PW_x^*$ is legitimate because $Auth_X$ is masked using fuzzy verifier $l$. The probability that $PW_x^*$ is a legitimate password is 2 8 | h a s h | 1 10 15 , which is negligible.
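The effect of the fuzzy verifier described above can be measured directly: the card-side check accepts roughly one in $l$ wrong guesses, so the card contents alone do not single out the real password. The sketch below is an added example, not code from the paper; it assumes SHA-256 for $h(\cdot)$, a fixed $l = 64$, and a constructed dictionary, and the names `make_card`, `passes_card_check`, and `surviving_candidates` are hypothetical.

```python
import hashlib
import secrets

def h(*parts):
    """h(.) modelled as SHA-256 with length-prefixed parts (assumption)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_card(id_x, pw_x, s, l):
    """Card contents (A_X, B_X, C_X, Auth_X, l) as in the registration phase."""
    r, t = secrets.token_bytes(32), secrets.token_bytes(32)
    tid = h(id_x, t)
    pid = h(tid, s)
    return {
        "A": xor(r, h(id_x, pw_x)),
        "B": xor(tid, h(id_x, pw_x, r)),
        "C": xor(pid, h(tid, r)),
        "Auth": int.from_bytes(h(tid, pid), "big") % l,
        "l": l,
    }

def passes_card_check(card, id_x, pw_guess):
    """The login-phase check Auth_X =? h(TID_X || PID_X) mod l for one guess."""
    r = xor(card["A"], h(id_x, pw_guess))
    tid = xor(card["B"], h(id_x, pw_guess, r))
    pid = xor(card["C"], h(tid, r))
    return int.from_bytes(h(tid, pid), "big") % card["l"] == card["Auth"]

def surviving_candidates(card, id_x, dictionary):
    """Guesses the card cannot tell apart from the real password."""
    return [pw for pw in dictionary if passes_card_check(card, id_x, pw)]

# Constructed sample dictionary of 20,000 entries; not real passwords.
DICTIONARY = [b"pw%05d" % i for i in range(20000)]
```

With 20,000 constructed entries and $l = 64$, about 300 candidates survive the check, and telling them apart requires an online attempt that the server can observe and limit.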

6.1.3. Impersonation Attack

A can attempt to impersonate $U_x$ and send the authentication request message to $RS$. A can obtain $TID_X$ from the transmitted message. However, referring to Section 6.1.2, A cannot generate a valid authentication request message because A cannot guess the correct $PW_X$ in polynomial time and A cannot calculate the valid $M_1$ and $M_2$. Therefore, the proposed protocol can defend against the impersonation attack.

6.1.4. Session Key Disclosure Attack

A can directly attempt to compute $SK$ using transmitted messages and extracted values of $SC_x$. A has to obtain $PID_x$, $a_x$, and $b_x$ to calculate $SK = h(PID_x \| a_x \| b_x)$. However, A cannot acquire any of these values because they are masked using $s$, $ID_X$, and $PWD_X$, which are secret values. The proposed protocol has resistance to session key disclosure attacks.

6.1.5. Perfect Forward Secrecy

If the long-term secret key $s$ is compromised to A, then A can compute $PID_X = h(TID_X \| s)$, where $TID_X$ is obtained from a public channel. However, $RS$ cannot calculate $a_X$ and $b_X$ without obtaining $h(ID_X \| PWD_X)$, which is stored in the secure memory of $RS$. Therefore, A cannot calculate $SK$ and the proposed protocol supports perfect forward secrecy.

6.1.6. Privileged Insider Attack

As we described in Section 4.4, A can obtain the message transmitted during the registration phase, and can use it to calculate $SK$. A can calculate $h(ID_X \| PWD_X)$ using $(ID_X, PWD_X)$, and can obtain messages transmitted on public channels. In this scenario, A still cannot calculate the session key without knowing $PID_X$, which is masked with secret key $s$. A also cannot calculate $a_X$ and $b_X$. Therefore, the proposed protocol is secure against privileged insider attacks.

6.1.7. Stolen Verifier Attack

If the verification table stored in $RS$ is compromised, A can obtain the list of $h(ID \| PWD)$. A can retrieve the corresponding $h(ID_X \| PWD_X)$ from $TID_X$. However, A cannot calculate $PID_X$ or obtain $a_x$ and $b_x$, which are necessary to compute $SK$. The proposed protocol has resistance to stolen verifier attacks.

6.1.8. Known Session-Specific Temporary Information Attack

A can hijack the session and obtain random numbers $a_x$ and $b_x$, which are generated during the authentication. A cannot calculate $PID_X$ without knowing $RS$’s secret key $s$. Additionally, A cannot gain any information for a future authentication request message of $U_X$. Even if session random numbers are leaked to A, the proposed protocol is secure.

6.1.9. User Anonymity and Untraceability

In the proposed protocol, $ID_X$ is not transmitted in public channels. Instead, $U_X$ uses temporal identity $TID_X$ for authentication. $TID_X$ is updated to $TID_X^{new}$ in every session, and $TID_X^{new}$ is veiled until $U_X$ requests a new authentication to $RS$. Therefore, user anonymity is ensured in the proposed protocol. Additionally, A cannot find the connection between $TID_X$ and $TID_X^{new}$ to trace $U_X$.

6.2. Formal Analysis Using the BAN Logic

The BAN logic [34] is a widely accepted [35,36,37] analysis method to verify the correctness of an authentication protocol. It is a simple but robust validation logic for proving the mutual authentication of an authentication protocol. In the BAN logic analysis, we set the idealized form of the transmitted messages and the assumptions of the BAN logic proof. Thereafter, we perform the proof based on the BAN logic rules. We present the notations of the BAN logic in Table 3, then describe the assumptions and idealized forms, and conduct the BAN logic proof in turn.

6.2.1. BAN Logic Rules

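The basic rules of the BAN logic are as follows:
  • Message meaning rule (MMR):
    $\dfrac{\pi_1 |\equiv \pi_1 \stackrel{K}{\leftrightarrow} \pi_2, \quad \rho_1 \triangleleft (\sigma_1)_K}{\pi_1 |\equiv \pi_2 |\sim \sigma_1}$
  • Nonce verification rule (NVR):
    $\dfrac{\pi_1 |\equiv \#(\sigma_1), \quad \pi_1 |\equiv \pi_2 |\sim \sigma_1}{\pi_1 |\equiv \pi_2 |\equiv \sigma_1}$
  • Jurisdiction rule (JR):
    $\dfrac{\pi_1 |\equiv \pi_2 |\Rightarrow \sigma_1, \quad \pi_1 |\equiv \pi_2 |\equiv \sigma_1}{\pi_1 |\equiv \sigma_1}$
  • Belief rule (BR):
    $\dfrac{\pi_1 |\equiv (\sigma_1, \sigma_2)}{\pi_1 |\equiv \sigma_1}$
  • Freshness rule (FR):
    $\dfrac{\pi_1 |\equiv \#(\sigma_1)}{\pi_1 |\equiv \#(\sigma_1, \sigma_2)}$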

6.2.2. Goals

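The goals are to show that $U_X$ and $RS$ believe that they agreed on the same session key.
Goal 1: $U_X |\equiv U_X \stackrel{SK}{\leftrightarrow} RS$
Goal 2: $U_X |\equiv RS |\equiv U_X \stackrel{SK}{\leftrightarrow} RS$
Goal 3: $RS |\equiv U_X \stackrel{SK}{\leftrightarrow} RS$
Goal 4: $RS |\equiv U_X |\equiv U_X \stackrel{SK}{\leftrightarrow} RS$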

6.2.3. Idealized Forms

The idealized forms of the messages exchanged during the authentication can be described as follows.
$Msg_1$: $U_X \rightarrow RS$: $(TID_X, a_X, T_1)_{PID_X}$
$Msg_2$: $RS \rightarrow U_X$: $(PID_X^{new}, a_X, b_X, T_2)_{PID_X}$

6.2.4. Assumptions

The basic assumptions for the BAN logic proof are as follows:
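$A_1$: $RS |\equiv \#(T_1)$
$A_2$: $U_X |\equiv \#(T_2)$
$A_3$: $U_X |\equiv RS \Rightarrow (U_X \stackrel{SK}{\leftrightarrow} RS)$
$A_4$: $RS |\equiv U_X \Rightarrow (U_X \stackrel{SK}{\leftrightarrow} RS)$
$A_5$: $U_X |\equiv U_X \stackrel{PID_X}{\leftrightarrow} RS$
$A_6$: $RS |\equiv U_X \stackrel{PID_X}{\leftrightarrow} RS$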

6.2.5. BAN Logic Proof

We perform the BAN logic proof of the proposed protocol as below:
Step 1: $RS$ receives $Msg_1$.
$S_1$: $RS \triangleleft (TID_X, a_X, T_1)_{PID_X}$
Step 2: Applying $S_1$ and $A_6$ to the MMR, we can obtain $S_2$.
$S_2$: $RS |\equiv U_X |\sim (TID_X, a_X, T_1)$
Step 3: Applying $S_2$ and $A_1$ to the FR, we can obtain $S_3$.
$S_3$: $RS |\equiv \#(TID_X, a_X, T_1)$
Step 4: Applying $S_2$ and $S_3$ to the NVR, we can obtain $S_4$.
$S_4$: $RS |\equiv U_X |\equiv (TID_X, a_X, T_1)$
Step 5: We can obtain $S_5$ applying $S_4$ to the BR.
$S_5$: $RS |\equiv U_X |\equiv (a_X)$
Step 6: $U_X$ receives $Msg_2$.
$S_6$: $U_X \triangleleft (PID_X^{new}, a_X, b_X, T_2)_{PID_X}$
Step 7: Applying $S_6$ and $A_5$ to the MMR, we can obtain $S_7$.
$S_7$: $U_X |\equiv RS |\sim (PID_X^{new}, a_X, b_X, T_2)$
Step 8: Applying $S_7$ and $A_2$ to the FR, we can obtain $S_8$.
$S_8$: $U_X |\equiv \#(PID_X^{new}, a_X, b_X, T_2)$
Step 9: Applying $S_7$ and $S_8$ to the NVR, we can obtain $S_9$.
$S_9$: $U_X |\equiv RS |\equiv (PID_X^{new}, a_X, b_X, T_2)$
Step 10: We can obtain $S_{10}$ applying $S_9$ to the BR.
$S_{10}$: $U_X |\equiv RS |\equiv (PID_X^{new}, a_X, b_X)$
Step 11: From $S_5$ and $S_{10}$, $RS$ and $U_X$ can compute session key $SK = h(PID_X \| a_X \| b_X)$.
$S_{11}$: $U_X |\equiv RS |\equiv (U_X \stackrel{SK}{\leftrightarrow} RS)$ (Goal 2)
$S_{12}$: $RS |\equiv U_X |\equiv (U_X \stackrel{SK}{\leftrightarrow} RS)$ (Goal 4)
Step 12: The JR can be applied to $S_{11}$ and $S_{12}$ using $A_3$ and $A_4$, respectively.
$S_{11}$: $U_X |\equiv (U_X \stackrel{SK}{\leftrightarrow} RS)$ (Goal 1)
$S_{12}$: $RS |\equiv (U_X \stackrel{SK}{\leftrightarrow} RS)$ (Goal 3)
Finally, the user and server mutually authenticate each other.

6.3. Formal Analysis Using the RoR Model

The RoR model [38] is a formal analysis method of an authentication protocol [39,40,41,42]. The RoR model is used to verify the semantic security of session key $SK$ of an authentication protocol probabilistically. Under the RoR model, an adversary A can attempt passive and active attacks represented by queries to find $SK$. Before conducting the RoR model based analysis, we explain notations and queries to be used. We denote $p^t$ as a participant with the $t$-th instance. Thereafter, $p_{U_X}^{t_1}$ and $p_{RS}^{t_2}$ are participants $U_X$ and $RS$ with $t_1$-th and $t_2$-th instances, respectively. Additionally, the queries executed by A are presented in Table 4.
A can get the output value of the hash function for the input by performing a $Hash$ query. When $Adv(A)$ is the probability of the advantage for A to break the session key, we prove the following equation:
$$Adv(A) \le \frac{q_h^2}{|Hash|} + \frac{2 q_{send}}{|D_{id} D_{pw}|}, \tag{1}$$
where $q_h$ represents the number of hash queries performed by A, $|Hash|$ represents the range space of the cryptographic hash function, $q_{send}$ represents the number of $Send$ queries performed by A, and $|D|$ represents the size of the password dictionary.
Proof. 
A plays four games $G_i$ $(i = 0, 1, 2, 3)$ under the RoR model. We denote by $Adv_{G_i}(A)$ the advantage of A to compromise $SK$ after playing $G_i$.
  • $G_0$: A selects the bit $c$ at the start of the game. In the first game, A has no information about $SK$ and no queries to perform. By the definition of semantic security, we can induce the following equation.
    $$Adv(A) = |2 Adv_{G_0}(A) - 1|. \tag{2}$$
  • $G_1$: A attempts an eavesdropping attack in this game. First, A uses the $Execute$ query. Thereafter, A performs a $Test$ query to receive the return value. Finally, A guesses whether the value is $SK$ or a random number. For A to win the game, A should be able to calculate $SK$, which is computed by $PID_X$, $a_X$, and $b_X$. These values cannot be obtained using eavesdropping attacks. There is no advantage for A to be gained by the $Execute$ query. Therefore, the advantage of A at the end of $G_1$ is equal to that at the end of $G_0$.
    $$Adv_{G_0}(A) = Adv_{G_1}(A). \tag{3}$$
  • $G_2$: In this game, A uses the $Send$ and $Hash$ queries to compromise $SK$. From the transmitted messages, A obtains $(TID_X, M_1, M_2, T_1)$ and $(M_3, M_4, M_5, T_2)$. However, the only way for A to win the game is to find a hash collision because there is no information about $SK$ from these values. The advantage function at the end of $G_2$ is as follows by the birthday paradox.
    $$|Adv_{G_2}(A) - Adv_{G_1}(A)| \le \frac{q_h^2}{2|Hash|}. \tag{4}$$
  • $G_3$: In the final game, A performs a stolen smart card attack, which is represented as the $CorruptSC$ query, then A can extract $(A_X, B_X, C_X, Auth_X)$ from $SC_X$. To win the game, A should succeed in finding the identity $ID_X$ and password $PW_X$ simultaneously to login to $SC_X$. Because A cannot obtain any information about $ID_X$ and $PW_X$, A should guess the values from identity dictionary $D_{id}$ and password dictionary $D_{pw}$. Thereafter, the following equation can be induced.
    $$|Adv_{G_3}(A) - Adv_{G_2}(A)| \le \frac{q_{send}}{|D_{id} D_{pw}|}. \tag{5}$$
After all the games are over, $A$ should guess the correct bit $c$ from the $Test$ query. It follows that
$$Adv_{G_3}(A) = \frac{1}{2}. \tag{6}$$
From Equations (2) and (3), we can obtain the following equation:
$$\frac{1}{2}Adv(A) = \left|Adv_{G_1}(A) - \frac{1}{2}\right| = |Adv_{G_1}(A) - Adv_{G_3}(A)|. \tag{7}$$
We can apply the triangle inequality to Equation (7).
$$|Adv_{G_3}(A) - Adv_{G_1}(A)| \le |Adv_{G_3}(A) - Adv_{G_2}(A)| + |Adv_{G_2}(A) - Adv_{G_1}(A)| \le \frac{q_h^2}{|Hash|} + \frac{2q_{send}}{|D_{id} D_{pw}|}. \tag{8}$$
We can obtain the following inequality using Equations (7) and (8).
$$Adv(A) \le \frac{q_h^2}{|Hash|} + \frac{2q_{send}}{|D_{id} D_{pw}|}, \tag{9}$$
which is the same as Equation (1). Thus, we have proved the semantic security of the proposed protocol using the RoR model. □
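To make the bound concrete, the following added example (not code from the paper) evaluates its right-hand side exactly and plays game $G_3$ repeatedly under a toy model, comparing the measured advantage with the guessing term. The dictionary sizes, trial count and seed are constructed, and two modelling assumptions are made: $|D_{id} D_{pw}|$ is the product of the two dictionary sizes, and each Send query tests one distinct (ID, PW) candidate.

```python
from fractions import Fraction
import random

def ror_bound(q_h, q_send, hash_bits, n_id, n_pw):
    """Right-hand side of the bound: q_h^2/|Hash| + 2*q_send/|D_id D_pw|.

    Assumption: |D_id D_pw| is the product n_id * n_pw.
    """
    collision = Fraction(q_h * q_h, 2 ** hash_bits)   # birthday term (G2)
    guessing = Fraction(2 * q_send, n_id * n_pw)       # online guessing term (G3)
    return collision + guessing

def max_send_queries(target, q_h, hash_bits, n_id, n_pw):
    """Largest q_send for which the bound stays at or below `target`.

    Returns None when the collision term alone already exceeds the target.
    A server can read the result as a ceiling on failed logins per account.
    """
    budget = Fraction(target) - Fraction(q_h * q_h, 2 ** hash_bits)
    if budget < 0:
        return None
    return budget * n_id * n_pw // 2

def play_g3(rng, q_send, n_id, n_pw):
    """One run of the toy G3 game; True if A names the Test coin c correctly."""
    space = n_id * n_pw
    secret = rng.randrange(space)               # index of the real (ID_X, PW_X)
    tried = rng.sample(range(space), q_send)    # distinct candidates sent by A
    c = rng.randrange(2)                        # Test coin: 1 = real SK, 0 = random
    if secret in tried:
        return True                             # A can log in, derive SK, and tell
    return rng.randrange(2) == c                # otherwise A can only flip a coin

def empirical_advantage(trials, q_send, n_id, n_pw, seed=2021):
    """Estimate |2*Pr[A wins] - 1| over many independent runs of G3."""
    rng = random.Random(seed)
    wins = sum(play_g3(rng, q_send, n_id, n_pw) for _ in range(trials))
    return abs(2 * wins / trials - 1)

if __name__ == "__main__":
    # Constructed parameters: 10 identities x 20 passwords, 20 Send queries.
    print("measured advantage:", empirical_advantage(20000, 20, 10, 20))
    print("bound             :", float(ror_bound(0, 20, 256, 10, 20)))
    # SHA-256, 2^60 hash queries, 10^4 x 10^6 dictionary, target advantage 10^-6.
    print("max Send queries  :",
          max_send_queries(Fraction(1, 10**6), 2**60, 256, 10**4, 10**6))
```

With a 256-bit hash the collision term is negligible, so the bound is governed by the number of Send queries the server tolerates relative to the dictionary size.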

6.4. Formal Analysis Using AVISPA Simulation

The AVISPA tool [43] can verify that an authentication protocol is secure against replay and MITM attacks by simulating the implementation of the authentication protocol as code. AVISPA is used as a formal verification tool for many authentication protocols [44,45,46]. It is implemented using the “High-Level Protocol Specification Language” (HLPSL) and uses four back-ends: “On-the-fly Model-Checker (OFMC)”, “SAT-based Model-Checker (SATMC)”, “Constraint Logic Based Attack Searcher (CL-AtSe)”, and “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. The HLPSL2IF translator converts the intermediate format (IF) of the code implemented using HLPSL into the output format (OF). The OF shows the simulation results, which include “SUMMARY”, “DETAILS”, “PROTOCOL”, “GOAL”, “BACKEND”, and “STATISTICS”. The SUMMARY shows whether the protocol is safe, the BACKEND gives the name of the back-end, and STATISTICS shows the time of the trace of the attack. The left side of Figure 8 represents the role of the user implemented in the AVISPA tool. The remote server is implemented similarly to the user. The right side of Figure 8 shows the session, environment, and goals of the proposed protocol.
Generally, the AVISPA simulation is executed using the OFMC and CL-AtSe back-ends, which support the exclusive-or operation. If the summaries under the two back-ends are safe, we can say that the protocol is secure against replay and MITM attacks. The simulation results are shown in Figure 9. The simulation summaries of the proposed protocol are safe under the OFMC and CL-AtSe back-ends, which means that the back-ends could not find an attack. Therefore, we verify that the proposed protocol resists replay and MITM attacks.

7. Performance Analysis

In this section, we compare the computation and communication costs of the proposed protocol with those of related protocols [15,16,17,18,19,20,21,22].

7.1. Computation Cost

Referring to the classification in [12], the user’s mobile device is class 15, and the remote server is class 19. Considering the different computing powers of the user’s mobile device and the remote server, we conducted the experiment in both Raspberry PI (class 14) and desktop (class 17) environments. The desktop has a quad-core i7-4790 CPU with 16 GB RAM and runs Linux Ubuntu 20.04, and the Raspberry PI 3B is a quad-core system with 1 GB RAM. We used the MIRACL Cryptography library to implement the operations used for the authentication protocols [47]. The executed operations and their execution times are presented in Table 5. As shown in Table 5, the operations on the Raspberry PI take 2–3 times longer than the operations on the desktop.
According to the results shown in Table 5, we calculate the total computation cost of the proposed protocol and other related protocols [15,16,17,18,19,20,21,22], as shown in Table 6. Some existing lightweight schemes are more efficient than the proposed scheme. However, the existing lightweight schemes are vulnerable to a variety of attacks. The proposed scheme has considerably higher efficiency than the public key-based protocols and can also provide better security.
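The totals in Table 6 can be re-derived from the per-operation timings in Table 5, which is a useful sanity check when comparing schemes. The following added example (not code from the paper) parses each cost expression and recomputes the totals; it assumes, because that is what reproduces the stated figures, that user overheads use the Raspberry PI column and server overheads the desktop column, and that `T_mul` in the row for [18] means `T_mulecc`.

```python
import re

# Table 5 of the page: time per operation in ms as (Raspberry PI, desktop).
TABLE5 = {
    "T_bp":     (46.130, 13.440),
    "T_exp":    (5.119, 1.864),
    "T_mulbp":  (5.611, 2.521),
    "T_addbp":  (0.043, 0.018),
    "T_mulecc": (2.579, 1.489),
    "T_addecc": (0.019, 0.008),
    "T_h":      (0.025, 0.004),
}
# Assumption: the bare "T_mul" printed for [18] is the elliptic-curve one.
ALIASES = {"T_mul": "T_mulecc"}

# Table 6 of the page: (scheme, user expr, user ms, server expr, server ms).
TABLE6 = [
    ("[15]", "3T_mulbp + 7T_h", 17.008, "T_bp + T_mulbp + 6T_h", 15.985),
    ("[16]", "T_mulecc + 5T_h", 2.704, "T_mulecc + 4T_h", 1.505),
    ("[17]", "2T_mulecc + 3T_h", 5.233, "2T_mulecc + 6T_h", 3.002),
    ("[18]", "2T_mulecc + 8T_h", 5.358, "T_mul + T_h", 1.493),
    ("[19]", "11T_h", 0.275, "5T_h", 0.02),
    ("[20]", "10T_h", 0.25, "5T_h", 0.02),
    ("[21]", "8T_h", 0.2, "4T_h", 0.016),
    ("[22]", "20T_h", 0.5, "5T_h", 0.032),
    ("Proposed", "14T_h", 0.35, "8T_h", 0.032),
]

TERM = re.compile(r"\s*(\d*)\s*(T_[a-z]+)\s*")

def cost_ms(expr, platform):
    """Evaluate a cost expression such as '3T_mulbp + 7T_h' for a platform."""
    col = {"pi": 0, "desktop": 1}[platform]
    total = 0.0
    for term in expr.split("+"):
        m = TERM.fullmatch(term)
        if m is None:
            raise ValueError(f"cannot parse term {term!r}")
        count = int(m.group(1) or 1)              # a missing count means 1
        op = ALIASES.get(m.group(2), m.group(2))
        total += count * TABLE5[op][col]
    return round(total, 3)

def audit():
    """Return every Table 6 entry whose stated total is not reproduced."""
    mismatches = []
    for scheme, u_expr, u_ms, s_expr, s_ms in TABLE6:
        for side, expr, stated, platform in (
            ("user", u_expr, u_ms, "pi"),
            ("server", s_expr, s_ms, "desktop"),
        ):
            got = cost_ms(expr, platform)
            if abs(got - stated) > 0.0005:
                mismatches.append((scheme, side, expr, stated, got))
    return mismatches

if __name__ == "__main__":
    for row in audit():
        print("not reproduced:", row)
```

On the table as printed, every entry reproduces except the server overhead of [22], where `5T_h` evaluates to 0.02 ms rather than the stated 0.032 ms.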

7.2. Communication Cost

We calculate the total number of bits transmitted during authentication to compare the communication costs. We assumed that a timestamp is 32 bits, an identity and a password are 128 bits each, a SHA-256 hash output is 256 bits, a random number is 256 bits, an elliptic curve point is 320 bits, and an element of a pairing-based group is 1024 bits. The total communication costs of the existing and proposed schemes are presented in Table 7.
Similar to the results in Table 6, the total communication cost of the proposed scheme is slightly higher than those of the existing lightweight protocols [19,20,21,22]. However, the proposed scheme generates lower communication cost than those in [15,16,17,18]. Furthermore, as described in Section 7.3, our protocol is more secure than existing schemes.

7.3. Security Features

We compared the security characteristics of the proposed protocol with those of related protocols. The characteristics are: A1: “Resistance to replay attack”, A2: “Resistance to privileged insider attack”, A3: “Resistance to known session specific temporary information attack”, A4: “Resistance to off-line guessing attack”, A5: “Resistance to impersonation attack”, A6: “Resistance to session key disclosure attack”, A7: “Support of perfect forward secrecy”, A8: “Support of user anonymity”, A9: “Support of user untraceability”, A10: “Formal proof using the BAN logic”, A11: “Formal proof using the RoR model”, and A12: “Formal proof using the AVISPA simulation”. Table 8 shows that the proposed protocol has better security than other protocols.

8. Conclusions

In this paper, we designed a secure, lightweight, and anonymous authentication protocol suitable for IoT environments. The proposed protocol resolves the security flaws of the Rajaram et al. scheme. It uses only hash and exclusive-or operations during authentication. Therefore, it is considerably more efficient than the Rajaram et al. scheme as well as other existing authentication schemes proposed for IoT environments. Additionally, the proposed protocol can defeat various attacks and ensures more security features than the existing protocols. We analyzed the proposed protocol using BAN logic analysis to prove its correctness, the RoR model to formally verify the session key security, and the AVISPA simulation tool to show its resistance against replay and man-in-the-middle (MITM) attacks. The proposed protocol is sustainable because it has a high security level and low computation cost, and it can contribute to increasing energy efficiency and reducing economic costs. Therefore, the proposed protocol can be applied to various IoT environments. In future work, we plan to implement the proposed protocol in practice.

Author Contributions

Conceptualization, S.S.; methodology, S.S. and Y.P. (Yohan Park); software, S.S.; validation, Y.P. (Yohan Park) and Y.P. (Youngho Park); formal analysis, S.S. and Y.P. (Yohan Park); writing—original draft preparation, S.S.; writing—review and editing, Y.P. (Yohan Park) and Y.P. (Youngho Park); supervision, Y.P. (Youngho Park). All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education (2021R1I1A3059551).

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Chen, C.M.; Xiang, B.; Liu, Y.; Wang, K.H. A secure authentication protocol for internet of vehicles. IEEE Access 2019, 7, 12047–12057.
  2. Bagga, P.; Das, A.K.; Wazid, M.; Rodrigues, J.J.P.C.; Kim, K.R.C.; Park, Y. On the design of mutual authentication and key agreement protocol in internet of vehicles-enabled intelligent transportation system. IEEE Trans. Veh. Technol. 2021, 70, 1736–1751.
  3. Rathee, G.; Ahmad, F.; Sandhu, R.; Kerrache, C.A.; Azad, M.A. On the design and implementation of a secure blockchain-based hybrid framework for industrial Internet-of-Things. Inf. Process. Manag. 2021, 58, 102526.
  4. Nikooghadam, M.; Amintoosi, H.; Islam, S.H.; Moghadam, M.F. A provably secure and lightweight authentication scheme for Internet of Drones for smart city surveillance. J. Syst. Archit. 2021, 115, 101955.
  5. Barka, E.; Dahmane, S.; Kerrache, C.A.; Khayat, M.; Sallabi, F. STHM: A secured and trusted healthcare monitoring architecture using SDN and blockchain. Electronics 2021, 10, 1787.
  6. Wazid, M.; Das, A.K.; Hussain, R.; Succi, G.; Rodrigues, J.J. Authentication in cloud-driven IoT based big data environment: Survey and outlook. J. Syst. Archit. 2019, 97, 185–196.
  7. Mahmood, K.; Akram, W.; Shafiq, A.; Altaf, I.; Lodhi, M.A.; Islam, S.H. An enhanced and provably secure multi-factor authentication scheme for Internet-of-Multimedia-Things environments. Comput. Elect. Eng. 2020, 88, 106888.
  8. Belghazi, Z.; Benamar, N.; Addaim, A.; Kerrache, C.A. Secure WiFi-direct using key exchange for Iot device-to-device communications in a smart environment. Future Internet 2019, 11, 251.
  9. Banerjee, S.; Das, A.K.; Chattopadhyay, S.; Jamal, S.S.; Rodrigues, J.J.; Park, Y. Lightweight failover authentication mechanism for IoT-based fog computing environment. Electronics 2021, 10, 1417.
  10. Oh, J.; Yu, S.; Lee, J.; Son, S.; Kim, M.; Park, Y. A secure and lightweight authentication protocol for IoT-based smart homes. Sensors 2021, 21, 1488.
  11. Das, A.K.; Wazid, M.; Yannam, A.R.; Rodrigues, J.J.; Park, Y. Provably secure ECC-based device access control and key agreement protocol for IoT environment. IEEE Access 2019, 7, 55382–55397.
  12. Terminology for Constrained-Node Networks. Available online: https://datatracker.ietf.org/doc/draft-bormann-lwig-7228bis/06/ (accessed on 17 August 2020).
  13. Miller, V.S. Use of elliptic curves in cryptography. In Proceedings of the Conference on the Theory and Application of Cryptographic Techniques, Linz, Austria, 9–11 April 1985; pp. 417–426.
  14. Boneh, D.; Franklin, M. Identity-based encryption from the Weil pairing. In Advances in Cryptology; Springer: Berlin/Heidelberg, Germany, 2001; pp. 213–229.
  15. Rajaram, S.; Maitra, T.; Vollala, S.; Ramasubramanian, N.; Amin, R. eUASBP: Enhanced user authentication scheme based on bilinear pairing. J. Ambient Intell. Humaniz. Comput. 2019, 11, 2827–2840.
  16. Chen, Y.; Martínez, J.F.; Castillejo, P.; López, L. A lightweight anonymous client–server authentication scheme for the internet of things scenario: LAuth. Sensors 2018, 18, 3695.
  17. Thakare, A.; Kim, Y.G. Secure and efficient authentication scheme in IoT environments. Appl. Sci. 2021, 11, 1260.
  18. Dhillon, P.K.; Kalra, S. Multi-factor user authentication scheme for IoT-based healthcare services. J. Reliab. Intell. Environ. 2018, 4, 141–160.
  19. Kumari, S.; Khan, M.K.; Li, X. An improved remote user authentication scheme with key agreement. Comput. Elect. Eng. 2014, 40, 1997–2012.
  20. Kaul, S.D.; Awasthi, A.K. Security enhancement of an improved remote user authentication scheme with key agreement. Wirel. Pers. Commun. 2016, 89, 621–637.
  21. Kang, D.; Jung, J.; Kim, H.; Lee, Y.; Won, D. Efficient and secure biometric-based user authenticated key agreement scheme with anonymity. Secur. Commun. Netw. 2018, 2018, 9046064.
  22. Rana, M.; Shafiq, A.; Altaf, I.; Alazab, M.; Mahmood, K.; Chaudhry, S.A.; Zikria, Y.B. A secure and lightweight authentication scheme for next generation IoT infrastructure. Comput. Commun. 2021, 165, 85–96.
  23. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
  24. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817.
  25. Ali, Z.; Ghani, A.; Khan, I.; Chaudhry, S.A.; Islam, S.H.; Giri, D. A robust authentication and access control protocol for securing wireless healthcare sensor networks. J. Inform. Secur. Appl. 2020, 52, 102502.
  26. Xiong, H.; Wu, Y.; Jin, C.; Kumari, S. Efficient and privacy-preserving authentication protocol for heterogeneous systems in IIoT. IEEE Internet Things J. 2020, 7, 11713–11724.
  27. Lee, J.; Kim, G.; Das, A.K.; Park, Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021.
  28. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology; Springer: Berlin/Heidelberg, Germany, 1999; pp. 388–397.
  29. Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552.
  30. Canetti, R.; Krawczyk, H. Analysis of key-exchange protocols and their use for building secure channels. In Advances in Cryptology; Springer: Berlin/Heidelberg, Germany, 2001; pp. 453–474.
  31. Fotouhi, M.; Bayat, M.; Das, A.K.; Far, H.A.N.; Pournaghi, S.M.; Doostari, M.A. A lightweight and secure two-factor authentication scheme for wireless body area networks in health-care IoT. Comput. Netw. 2020, 177, 107333.
  32. Khan, A.A.; Kumar, V.; Ahmad, M.; Rana, S. LAKAF: Lightweight authentication and key agreement framework for smart grid network. J. Syst. Archit. 2021, 116, 102053.
  33. Nakkar, M.; AlTawy, R.; Youssef, A. Lightweight broadcast authentication protocol for edge-based applications. IEEE Internet Things J. 2020, 7, 11766–11777.
  34. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36.
  35. Wu, T.Y.; Lee, Y.Q.; Chen, C.M.; Tian, Y.; Al-Nabhan, N.A. An enhanced pairing-based authentication scheme for smart grid communications. J. Ambient. Intell. Humaniz. Comput. 2021.
  36. Son, S.; Lee, J.; Kim, M.; Yu, S.; Das, A.K.; Park, Y. Design of secure authentication protocol for cloud-assisted telecare medical information system using blockchain. IEEE Access 2020, 8, 192177–192191.
  37. Lee, J.; Yu, S.; Kim, M.; Park, Y.; Das, A.K. On the design of secure and efficient three-factor authentication protocol using honey list for wireless sensor networks. IEEE Access 2020, 8, 107046–107062.
  38. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005; pp. 65–84.
  39. Kwon, D.; Yu, S.; Lee, J.; Son, S.; Park, Y. WSN-SLAP: Secure and lightweight mutual authentication protocol for wireless sensor networks. Sensors 2021, 21, 936.
  40. Das, A.K.; Bera, B.; Wazid, M.; Jamal, S.S.; Park, Y. iGCACS-IoD: An Improved Certificate-Enabled Generic Access Control Scheme for Internet of Drones Deployment. IEEE Access 2021, 9, 87024.
  41. Lee, J.; Yu, S.; Kim, M.; Park, Y.; Lee, S.; Chung, B. Secure key agreement and authentication protocol for message confirmation in vehicular cloud computing. Appl. Sci. 2020, 10, 6268.
  42. Ayub, M.F.; Shamshad, S.; Mahmood, K.; Islam, S.H.; Parizi, R.M.; Choo, K.K.R. A provably secure two-factor authentication scheme for USB storage devices. IEEE Trans. Consum. Elect. 2020, 66, 396–405.
  43. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 17 August 2021).
  44. Yu, S.; Lee, J.; Park, K.; Das, A.K.; Park, Y. IoV-SMAP: Secure and efficient message authentication protocol for IoV in smart city environment. IEEE Access 2020, 8, 167875–167886.
  45. Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Park, Y. An efficient, anonymous and robust authentication scheme for smart home environments. Sensors 2020, 20, 1215.
  46. Kim, M.; Lee, J.; Park, K.; Park, Y.; Park, K.; Park, Y. Design of secure decentralized car-sharing system using blockchain. IEEE Access 2021, 9, 54796–54810.
  47. MIRACL Cryptographic SDK: Multiprecision Integer and Rational Arithmetic Cryptographic Library. Available online: https://github.com/miracl/MIRACL (accessed on 17 August 2021).
Figure 1. IoT-based telecare environment.
Figure 2. The registration phase of the Rajaram et al. scheme.
Figure 3. The login phase of the Rajaram et al. scheme.
Figure 4. The authentication phase of the Rajaram et al. scheme.
Figure 5. Proposed registration phase.
Figure 6. Proposed login phase.
Figure 7. Proposed authentication phase.
Figure 8. Role of user and session, environment, and goal.
Figure 9. Simulation result under OFMC and CL-AtSe.
Table 1. Notations of the Rajaram et al. scheme.
| Notation | Description |
|---|---|
| $U_x$ | User/client $X$ |
| $ID_x$, $PW_x$ | Identity and password of $U_x$ |
| $SC_x$ | Smart card of $U_x$ |
| $RS$ | The remote server |
| $G_1$ | Cyclic additive group |
| $G_2$ | Cyclic multiplicative group |
| $RP$ | Generator of $G_1$ |
| $q$ | Large prime order of the cyclic groups |
| $hf_1 : \{0,1\}^* \to Z_q$ | Cryptographic hash function |
| $e : G_1 \times G_1 \to G_2$ | Bilinear mapping |
| $sK$ | Secret key of $RS$ |
| $P_{pub} = sK \cdot RP$ | Public key of $RS$ |
| $y_1$, $y_2$ | Session random numbers |
| $ssK$ | Session key between $U_x$ and $RS$ |
| $*$ | Multiplication operation |
Table 2. Notations of the proposed scheme.
| Notation | Description |
|---|---|
| $U_X$ | User/client $X$ |
| $ID_X$, $PW_X$ | Identity and password of $U_X$ |
| $SC_X$ | Smart card of $U_X$ |
| $TID_X$ | Temporary identity of $U_X$ |
| $PID_X$ | Secret temporary identity of $U_X$ |
| $RS$ | The remote server |
| $h : \{0,1\}^* \to Z_q$ | Cryptographic hash function |
| $a_x$, $b_x$ | Session random numbers |
| $s$ | Secret key of $RS$ |
| $SK$ | Session key between $RS$ and $U_X$ |
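Table 3. BAN logic notations.
| Notation | Description |
|---|---|
| $\pi_1$, $\pi_2$ | Two principals |
| $\sigma_1$, $\sigma_2$ | Two statements |
| $\pi_1 \mid\equiv \sigma_1$ | $\pi_1$ believes $\sigma_1$ |
| $\pi_1 \mid\sim \sigma_1$ | $\pi_1$ once said $\sigma_1$ |
| $\pi_1 \Rightarrow \sigma_1$ | $\pi_1$ controls $\sigma_1$ |
| $\pi_1 \triangleleft \mu_1$ | $\pi_1$ receives $\sigma_1$ |
| $\# \sigma_1$ | $\pi_1$ is fresh |
| $(\sigma_1)_K$ | $\sigma_1$ is encrypted with $K$ |
| $\pi_1 \stackrel{K}{\leftrightarrow} \pi_2$ | $\pi_1$ and $\pi_2$ have shared key $K$ |
| $SK$ | The session key |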
Table 4. Queries of the ROR model.
| Query | Description |
|---|---|
| $Execute(p_{U_X}^{t_1}, p_{RS}^{t_2})$ | $A$ can perform an eavesdropping attack using this query. $A$ can obtain the messages transmitted during the authentication between $p_{U_X}^{t_1}$ and $p_{RS}^{t_2}$. |
| $CorruptSC(p_{U_X}^{t_1})$ | $A$ can steal the smart card of $p_{U_X}^{t_1}$ and extract the stored data using this query. |
| $Send(p^{t}, M)$ | Using this query, $A$ sends message $M$ to participant $p^{t}$ and receives the response to the sent message. |
| $Test(p^{t})$ | $A$ executes this query at the end of each game. When this query is executed, an unbiased coin $c$ is flipped. Heads represents 1 and tails represents 0. After $c$ is flipped, $p^{t}$ returns $SK$ when $c = 1$ and a random number when $c = 0$. Otherwise, $p^{t}$ returns $NULL$. If $A$ can distinguish between $SK$ and a random value, $A$ wins the game. |
Table 5. Execution time of each operation.
| Notation | Description | Raspberry PI | Desktop |
|---|---|---|---|
| $T_{bp}$ | Bilinear pairing operation | 46.130 ms | 13.440 ms |
| $T_{exp}$ | Modular exponentiation operation | 5.119 ms | 1.864 ms |
| $T_{mulbp}$ | Scalar multiplication in pairing-based group | 5.611 ms | 2.521 ms |
| $T_{addbp}$ | Point addition in pairing-based group | 0.043 ms | 0.018 ms |
| $T_{mulecc}$ | Scalar multiplication in elliptic curve group | 2.579 ms | 1.489 ms |
| $T_{addecc}$ | Point addition in elliptic curve group | 0.019 ms | 0.008 ms |
| $T_h$ | SHA-256 hash operation | 0.025 ms | 0.004 ms |
Table 6. Computation cost comparison.
| Scheme | User Overhead | Server Overhead |
|---|---|---|
| [15] | $3T_{mulbp} + 7T_h$, 17.008 ms | $T_{bp} + T_{mulbp} + 6T_h$, 15.985 ms |
| [16] | $T_{mulecc} + 5T_h$, 2.704 ms | $T_{mulecc} + 4T_h$, 1.505 ms |
| [17] | $2T_{mulecc} + 3T_h$, 5.233 ms | $2T_{mulecc} + 6T_h$, 3.002 ms |
| [18] | $2T_{mulecc} + 8T_h$, 5.358 ms | $T_{mul} + T_h$, 1.493 ms |
| [19] | $11T_h$, 0.275 ms | $5T_h$, 0.02 ms |
| [20] | $10T_h$, 0.25 ms | $5T_h$, 0.02 ms |
| [21] | $8T_h$, 0.2 ms | $4T_h$, 0.016 ms |
| [22] | $20T_h$, 0.5 ms | $5T_h$, 0.032 ms |
| Proposed | $14T_h$, 0.35 ms | $8T_h$, 0.032 ms |
Table 7. Communication cost comparison.
| Scheme | Total Communication Cost | Number of Messages |
|---|---|---|
| [15] | 1824 bits | 2 |
| [16] | 1696 bits | 2 |
| [17] | 1920 bits | 3 |
| [18] | 1804 bits | 2 |
| [19] | 1344 bits | 2 |
| [20] | 960 bits | 2 |
| [21] | 1536 bits | 2 |
| [22] | 1216 bits | 2 |
| Proposed | 1600 bits | 2 |
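Table 8. Security features comparison.
| Security Features | [15] | [16] | [17] | [18] | [19] | [20] | [21] | [22] | Proposed |
|---|---|---|---|---|---|---|---|---|---|
| A1 | O | O | O | O | O | O | O | O | O |
| A2 | X | - | O | O | O | O | O | O | O |
| A3 | X | O | O | - | - | - | - | - | O |
| A4 | X | O | O | O | X | O | X | O | O |
| A5 | X | O | O | X | X | X | X | O | O |
| A6 | O | O | O | O | O | X | X | O | O |
| A7 | - | O | O | O | - | - | - | - | O |
| A8 | X | O | X | X | X | X | X | - | O |
| A9 | X | O | X | X | X | X | X | X | O |
| A10 | O | X | X | X | X | X | X | X | O |
| A11 | X | O | X | X | X | X | X | O | O |
| A12 | X | X | O | O | X | X | X | O | O |

-: Not considered. X: Insecure. O: Secure.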
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Son, S.; Park, Y.; Park, Y. A Secure, Lightweight, and Anonymous User Authentication Protocol for IoT Environments. Sustainability 2021, 13, 9241. https://doi.org/10.3390/su13169241