Light Weight Authentication Scheme for Smart Home IoT Devices
Abstract
1. Introduction
1.1. Attacks on IoT and Computer Networks
- Distributed Denial of Service (DDoS) attacks. An attacker launches this attack by sending bulk requests to keep the server busy so that it is not available to legitimate users. The fake bulk requests come from many different computers, so the server is occupied processing them and real users cannot use the services. The attack succeeds where users are not authenticated, and it can be countered by challenging users, for example with a CAPTCHA [9].
- Man-in-the-Middle attacks. In this attack, an attacker intercepts the communication and transmits an altered message to the receiver. The attacker likewise receives the receiver’s reply and sends a modified message back to the sender. Both the sender and the recipient believe they are communicating directly with one another. Either eavesdropping or mimicking one of the participants creates the illusion of an uninterrupted flow of information.
- Code and SQL injection attacks. SQL injection, often known as SQLi, is a frequent attack vector in which malicious SQL code alters backend databases and extracts information that should not be displayed. A user can gain access to data they are not permitted to see by supplying false input: the SQL server returns every matching row whenever the condition evaluates to true, so a user can build an always-true query condition and select data they are not permitted to read. This information might range from sensitive corporate information to user lists to private customer information.
- Privilege escalation. A privilege escalation attack occurs when a person acquires unauthorized access to higher levels of rights or privileges than they are supposed to have. The perpetrator might be an external threat actor or an insider. Exploiting a privilege escalation vulnerability, such as a system flaw, misconfiguration, or insufficient access controls, is a critical stage in the cyberattack chain [10].
- Insider threats. An insider threat is an attack on a company that comes from within the organization, for example from employees, former employees, contractors, or business partners who have inside knowledge of the company’s security procedures, information, and computer systems. An insider attack poses a greater threat than an external attack, because anyone with legitimate access to system resources can become the source of one. For instance, a person might harbor animosity toward a former employer, or a dishonest worker might give away trade secrets to a rival. Compared with other attackers, turncloaks have an advantage because they know a company’s security policies, procedures, and weaknesses; insiders can exploit the access they have been granted because they know the system better.
- Wireless security. Securing a wireless network is very difficult because the medium is the air and data are transferred over a low-frequency radio channel. Since access points broadcast in every direction, anybody with a suitable device can attach to them. Access for these devices must be carefully designed, and administrators have to authenticate every user who joins the network. Wireless authentication can be performed locally when a third-party server is not used, either for privacy reasons or because the administrator does not trust a third-party device.
- Unauthorized access. A security breach occurs when an attacker gains access to a network without authorization. A physical attack on a network is one in which a person compromises a node and reads all the data stored on it, such as keys and key-generation functions. Eavesdropping, privilege escalation, and brute-force attacks are further attacks of this kind.
1.2. Authentication Techniques and Protocol for Networks
- RADIUS: Remote Authentication Dial-In User Service is a centralized authentication service for users on different networking devices and servers, covering remote VPN access and 802.1X network access. The service also authenticates machines. Machine-to-machine authentication is very vulnerable, as external software can be installed on the device. The service is available on almost any server operating system. By activating it, a network administrator authenticates users on the devices that are connected to the system [11].
- TACACS+: Terminal Access Controller Access Control System is a network authentication scheme that provides user authentication for devices with centralized authentication and permission management. It was designed for users connecting from remote locations to a UNIX server and applies allow/deny decisions using authentication keys matched against users’ and TACACS users’ passwords. A new version, TACACS+, released in 1993, is an authentication method for network devices.
- LDAP (Lightweight Directory Access Protocol): It holds information about users and devices and works with Microsoft Active Directory or Apple directory services. LDAP is an open standard application protocol that allows users to access and manage distributed directory information services over an Internet Protocol network. Because LDAP is a protocol, it does not dictate how directory applications work [12]. The directory behind the protocol stores user information and grants access only to users who have registered with the system; the protocol itself is a language that enables clients to discover the information they require. Because LDAP is vendor-neutral, it may be used with many directory applications. A directory usually contains the following types of information: descriptive, an asset is defined by several attributes such as its name and location; static, the data do not change frequently and changes are minor; and valuable, data in the directory are crucial to fundamental business processes and are accessed often. LDAP is frequently used in conjunction with other systems throughout the workday; employees may use it to connect to printers or check credentials [13].
- Network authentication protocol (Kerberos): Kerberos is the authentication protocol for internal networks. It uses two servers: the authentication server (AS) and the ticket-granting server (TGS). A user who wants access to any service in the network must first authenticate to the AS and obtain a ticket to access the services. This protocol prevents on-path and replay attacks. It is integrated into Windows 2000 and some other operating systems [14].
- SSO with Kerberos: Used to authenticate cloud services as well. When it comes to implementing security in a wireless network, key distribution is one of the most common issues [15]. If every node has the same key and one of them is compromised or malicious, the key for the whole network is exposed. If each node has a separate key, maintaining all of the keys becomes exceedingly difficult because of the number of devices. With pool key distribution, if each node holds a limited number of keys, network connectivity suffers; if each node is given a larger number of keys, network resiliency suffers. Public-key cryptography, for its part, generally demands many resources. The multi-path random key pre-distribution approach cannot fully protect the system. A Kerberos network can authenticate against LDAP.
- IEEE 802.1X: A port-based network access control protocol implemented in hardware. It operates at the physical layer and the data link layer. This standard is used in conjunction with an access database portal. It is also used in VPNs, as the authenticator can talk to the RADIUS server. This authentication scheme standardizes system access, and any Cisco device can support it together with TACACS+.
- EAP: The Extensible Authentication Protocol is integrated with IEEE 802.1X and is used to control access to a network by authenticating those who request it. The protocol is very strong and uses DES; the newer version uses AES. It also uses MD5 and SHA-1 for authentication, and it includes the IEEE 802.1 standard protocol. It is used for LAN device authentication. IEEE 802.1X describes the encapsulation of EAP over IEEE 802.11, sometimes known as “EAP over LAN” or EAPOL, which provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
1.3. Security Challenges in IoT
- Privacy and Security: Privacy is the leading concern and difficulty for any technological development in today’s society, and this is especially true for social media. When a public website has many connected users, maintaining privacy is essential. A variety of techniques can be used to attack the system, including restricting network availability, feeding misleading information into networks, and obtaining personal information. A fully adequate privacy and security system cannot be enforced with the technologies available today. Because the Internet of Things uses a variety of item identification technologies, such as RFID and 2D barcodes, it must offer adequate privacy protections and prevent unwanted access [16].
- Data Storage and Intelligence: Cleaning, analyzing, and understanding the massive amounts of data collected by sensors is another difficulty in developing IoT applications. To create smart IoT applications, the data gathered by IoT devices must be properly maintained and used. IoT can be used for data collection and analysis to achieve automated decision-making. Wireless sensor networks are being investigated as a method for data analysis: these networks exchange data between sensor nodes, and the data are then sent to a distributed system that analyzes the collected sensory data [17].
- Quality of Service: Throughput and bandwidth are the two most important factors that influence the quality of service (QoS) of IoT applications. Data generated by the Internet of Things (IoT) come in enormous volumes, from sensors attached to machine components or environmental monitors to the words we shout at our smart speakers. Because of restrictions in resource allocation and management capabilities in shared wireless media, the devices need a dedicated frequency in order to transmit data across the wireless medium. Quality of service is also a major research subject in cloud computing and will become more important as the data and tools required for the Internet of Things become more readily available in the cloud [18].
- Interoperability and Standardization: IoT networks lack interoperability, suffer from platform fragmentation, and have no widely accepted technological standards. When developing apps that must work consistently across diverse technical ecosystems, it is critical to consider the broad range of Internet of Things devices available, both in hardware variations and in the software that runs on them. Given that there will be a plethora of device makers in the future, technologies and services available for one device may be unavailable for other devices in the same period. Consequently, standardization of all network objects and sensor devices is essential to improve interoperability [19].
- Object safety and security: Because of the enormous number of perceptual objects spread across a vast deployment area, it is difficult to keep attackers away from Internet of Things devices, and physical access is dangerous: the objects may be rendered unusable or physically damaged if attackers get hold of them.
1.4. Research Contributions
- We introduce a generalized authentication method for low-power IoT devices to improve security in remote access scenarios.
- We investigate the most common authentication methods for low-power devices and identify the drawbacks of the available methods.
- We explain the detailed working of the proposed authentication scheme for low-power devices and analyze its performance.
1.5. Organization of the Paper
2. Related Work
3. Proposed Scheme
1. The user sends a login request to the authentication device (AD). The request is sent using a secure public-key encryption algorithm, such as RSA, and the AD authenticates the user with the public/private key pair shared offline at the time of user registration. This gives the same level of security as public-key cryptography.
2. The authentication device generates a session key and performs the following:
   - Alice’s identity and the session key are encrypted with the symmetric key shared with the controller device; the result is called the Authentication Coupon (AC).
   - The AD sends the session key and the encrypted AC to the user, encrypted with the user’s public key.
   - The AD sends the timestamp, the Authentication Coupon, and the user identity to the controller device.
3. The user device requests access to the HA from the controller device, presenting the Authentication Coupon AC. The controlling device performs the following:
   - It decrypts the coupon with the key shared with the AD and finds the identity of the user.
   - It already holds the AC, the user identity, and the time of the request.
   - It checks and authenticates the user and sends the command to the HA.
   - It adds an entry to the log list record.
4. The controller authenticates the user and asks for the command to give to the HA.
5. The user sends the command to the controller.
6. The controller sends the command to the device and sends a notification to the user. All these steps are shown in Scheme 4.
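The coupon exchange between the AD and the CD in steps 2 and 3, as an added Python example that is not part of the paper. It uses an HMAC-SHA256 counter-mode stand-in for the AES encryption En(K,M) of the symbol table, leaves out the RSA login of step 1, and assumes a 60-second freshness window and single-use coupons, neither of which the paper specifies.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES: HMAC-SHA256 run in counter mode (illustration only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, msg: bytes) -> bytes:
    """En(K, M) from the symbol table: nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    """Inverse of encrypt(); returns None when the tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class AuthenticationDevice:
    """AD: issues the Authentication Coupon once the user has logged in (step 2)."""

    def __init__(self, key_ad_cd: bytes):
        self.key = key_ad_cd  # symmetric key shared offline with the CD

    def issue_coupon(self, user_id: str, ts: int):
        sk = os.urandom(16).hex()  # session key SK
        ac = encrypt(self.key, json.dumps({"id": user_id, "sk": sk}).encode())
        record = {"id": user_id, "ac": ac.hex(), "ts": ts}  # TS, AC, identity sent to the CD
        return sk, ac, record  # SK and AC go to the user under the user's public key


class ControllerDevice:
    """CD: validates the coupon a user device presents before commanding the HA (step 3)."""

    MAX_AGE = 60  # assumed freshness window in seconds; the paper gives no value

    def __init__(self, key_ad_cd: bytes):
        self.key = key_ad_cd
        self.pending = {}  # announcements from the AD, keyed by user identity
        self.log = []  # the log list record

    def register(self, record: dict) -> None:
        self.pending[record["id"]] = record

    def authorize(self, user_id: str, ac: bytes, now: int):
        record = self.pending.get(user_id)
        if record is None:
            return False, "no pending coupon for this user"
        plaintext = decrypt(self.key, ac)  # decrypt with the key shared with the AD
        if plaintext is None:
            return False, "coupon forged or corrupted"
        claim = json.loads(plaintext)
        if claim["id"] != user_id or ac.hex() != record["ac"]:
            return False, "identity mismatch"
        if now - record["ts"] > self.MAX_AGE:
            return False, "coupon expired"
        del self.pending[user_id]  # assumed single use: a replayed AC is rejected
        self.log.append({"id": user_id, "ts": now})
        return True, "authenticated; command will be forwarded to HA"
```

The CD rejects a coupon that fails the tag check, that names a different user than the one presenting it, that is older than the window, or that has already been consumed.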
4. Security and Performance Analysis
4.1. Security Efficiency and Verification
4.2. Attacks Resistance
4.3. Simulation and Performance Analysis
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Zhang, Y.; Xiao, Y.; Ghaboosi, K.; Zhang, J.; Deng, H. A survey of cyber crimes. Secur. Commun. Netw. 2012, 5, 422–437.
- Suo, H.; Wan, J.; Zou, C.; Liu, J. Security in the internet of things: A review. In Proceedings of the 2012 International Conference on Computer Science and Electronics Engineering, Hangzhou, China, 23–25 March 2012; Volume 3, pp. 648–651.
- Wazid, M.; Das, A.K.; Hussain, R.; Succi, G.; Rodrigues, J.J. Authentication in cloud-driven IoT-based big data environment: Survey and outlook. J. Syst. Arch. 2019, 97, 185–196.
- Kizza, J.M. Guide to Computer Network Security, 5th ed.; Springer: Berlin/Heidelberg, Germany, 2017; Chapters 2 and 3.
- Mamun, Q.; Islam, R.; Kaosar, M. Secured Communication Key Establishment for Cluster-Based Wireless Sensor Networks. Int. J. Wirel. Netw. Broadband Technol. 2015, 4, 29–44.
- Schmitt, C.; Noack, M.; Stiller, B. TinyTO: Two-way authentication for constrained devices in the Internet of Things. In Internet of Things; Elsevier: Amsterdam, The Netherlands, 2016; pp. 239–258.
- Anthi, E.; Williams, L.; Slowinska, M.; Theodorakopoulos, G.; Burnap, P. A Supervised Intrusion Detection System for Smart Home IoT Devices. IEEE Internet Things J. 2019, 6, 9042–9053.
- Zhu, W.T.; Zhou, J.; Deng, R.H.; Bao, F. Detecting node replication attacks in wireless sensor networks: A survey. J. Netw. Comput. Appl. 2012, 35, 1022–1034.
- Ye, J.; Cheng, X.; Zhu, J.; Feng, L.; Song, L. A DDoS Attack Detection Method Based on SVM in Software Defined Network. Secur. Commun. Netw. 2018, 2018, 9804061.
- Hema, B.R.K.; Sangeetha, S.; Bora, R.K.; Rao, K.S. Preference analysis of game theory for network security in WSN. J. Crit. Rev. Synth. Adv. Sci. Res. 2020, 7, 2637–2642.
- Smith, R.E. Authentication: From Passwords to Public Keys; Addison-Wesley Longman Publishing Co., Inc.: Boston, MA, USA, 2001.
- Vithanage, N.N.N.; Thanthrige, S.S.H.; Kapuge, M.C.K.P.; Malwenna, T.H.; Liyanapathirana, C.; Wijekoon, J.L. A Secure Corroboration Protocol for Internet of Things (IoT) Devices Using MQTT Version 5 and LDAP. In Proceedings of the 2021 International Conference on Information Networking (ICOIN), Jeju Island, Korea, 13–16 January 2021; pp. 837–841.
- Cristescu, G.-C.; Croitoru, V. Spoofed Packet Injection Attack-Resistant AAA-RADIUS Solution Based on LDAP and EAP. In Proceedings of the 2021 International Symposium on Signals, Circuits and Systems (ISSCS), Iasi, Romania, 15–16 July 2021; pp. 1–4.
- Motero, C.D.; Higuera, J.R.B.; Higuera, J.B.; Montalvo, J.A.S.; Gomez, N.G. On Attacking Kerberos Authentication Protocol in Windows Active Directory Services: A Practical Survey. IEEE Access 2021, 9, 109289–109319.
- Takieldeen, A.; Elkhalik, S.A.; Samra, A.; Mohamed, M.; Khalifa, F. A Robust and Hybrid Cryptosystem for Identity Authentication. Information 2021, 12, 104.
- Porkodi, R.; Bhuvaneswari, V. The internet of things (IOT) applications and communication enabling technology standards: An overview. In Proceedings of the 2014 International Conference on Intelligent Computing Applications, Coimbatore, India, 6–7 March 2014; pp. 324–329.
- Hong-Tan, L.I.; Cui-hua, K.; Muthu, B.; Sivaparthipan, C.B. Big data and ambient intelligence in IoT-based wireless student health monitoring system. Aggress. Violent Behav. 2021, 101601.
- Sodhro, A.H.; Obaidat, M.S.; Abbasi, Q.H.; Pace, P.; Pirbhulal, S.; Fortino, G.; Qaraqe, M. Quality of service optimization in an IoT-driven intelligent transportation system. IEEE Wirel. Commun. 2019, 26, 10–17.
- Hazra, A.; Adhikari, M.; Amgoth, T.; Srirama, S.N. A Comprehensive Survey on Interoperability for IIoT: Taxonomy, Standards, and Future Directions. ACM Comput. Surv. 2021, 55, 1–35.
- Seshadri, A.; Luk, M.; Perrig, A.; van Doorn, L.; Khosla, P. Using Fire & Ice for Detecting and Recovering Compromised Nodes in Sensor Networks; School of Computer Science, Carnegie Mellon University: Pittsburgh, PA, USA, 2004.
- Falk, R.; Fries, S. Advanced Device Authentication Bringing Multi-Factor Authentication and Continuous Authentication to the Internet of Things. In Proceedings of the First International Conference on Cyber-Technologies and Cyber-Systems, Venice, Italy, 9–13 October 2016; pp. 69–74.
- Jaros, D.; Kuchta, R. New location-based authentication techniques in the access management. In Proceedings of the 2010 6th International Conference on Wireless and Mobile Communications, Chengdu, China, 23–25 September 2010; pp. 426–430.
- Fang, H.; Wang, X.; Tomasin, S. Machine Learning for Intelligent Authentication in 5G and Beyond Wireless Networks. IEEE Wirel. Commun. 2019, 26, 55–61.
- Alizai, Z.A.; Tareen, N.F.; Jadoon, I. Improved IoT Device Authentication Scheme Using Device Capability and Digital Signatures. In Proceedings of the 2018 International Conference on Applied and Engineering Mathematics (ICAEM), Taxila, Pakistan, 4–5 September 2018; pp. 115–119.
- Nakouri, I.; Hamdi, M.; Kim, T.-H. Biometric-based Per-Packet Authentication Techniques in Communication Networks. In Proceedings of the 2018 14th International Wireless Communications & Mobile Computing Conference (IWCMC), Limassol, Cyprus, 25–29 June 2018; pp. 273–278.
- Adil, M.; Khan, R.; Almaiah, M.A.; Al-Zahrani, M.; Zakarya, M.; Amjad, M.S.; Ahmed, R. MAC-AODV Based Mutual Authentication Scheme for Constraint Oriented Networks. IEEE Access 2020, 8, 44459–44469.
- Costello, C. B-SIDH: Supersingular isogeny Diffie-Hellman using twisted torsion. In Proceedings of the International Conference on the Theory and Application of Cryptology and Information Security, Daejeon, Korea, 6–10 December 2020; pp. 440–463.
- Tewari, A.; Gupta, B.B. Secure Timestamp-Based Mutual Authentication Protocol for IoT Devices Using RFID Tags. Int. J. Semantic Web Inf. Syst. 2020, 16, 20–34.
- Majeed, U.; Khan, L.U.; Yaqoob, I.; Kazmi, S.M.A.; Salah, K.; Hong, C.S. Blockchain for IoT-based smart cities: Recent advances, requirements, and future challenges. J. Netw. Comput. Appl. 2021, 181, 103007.
- Aboubakar, M.; Kellil, M.; Roux, P. A review of IoT network management: Current status and perspectives. J. King Saud Univ. Inf. Sci. 2021, 34, 4163–4176.
- Hayashi, V.T.; Arakaki, R.; Ruggiero, W.V. OKIoT: Trade off analysis of smart speaker architecture on open knowledge IoT project. Internet Things 2020, 12, 100310.
- Yin, J.; Zhu, H.; Fei, Y. Formal analysis and automated validation of privacy-preserving AICE protocol in mobile edge computing. Mob. Networks Appl. 2021, 26, 2258–2271.
- Kampova, K.; Lovecek, T.; Rehak, D. Quantitative approach to physical protection systems assessment of critical infrastructure elements: Use case in the Slovak Republic. Int. J. Crit. Infrastruct. Prot. 2020, 30, 100376.
- Mallik, A. Man-in-the-middle-attack: Understanding in simple words. Cybersp. J. Pendidik. Teknol. Inf. 2019, 2, 109–134.
- Jo, H.J.; Kim, J.H.; Choi, H.-Y.; Choi, W.; Lee, D.H.; Lee, I. MAuth-CAN: Masquerade-Attack-Proof Authentication for In-Vehicle Networks. IEEE Trans. Veh. Technol. 2019, 69, 2204–2218.
- Sathyadevan, S.; Achuthan, K.; Doss, R.; Pan, L. Protean Authentication Scheme—A Time-Bound Dynamic KeyGen Authentication Technique for IoT Edge Nodes in Outdoor Deployments. IEEE Access 2019, 7, 92419–92435.
Symbol | Meaning
---|---
AD | Authentication Device
CD | Controlling Device
UD | User Device
HA | Home Appliances
SK | Session Key
Kp | Private Key
Ku | Public Key
En(K,M) | Message M encrypted with Key K
TS | Time Stamp

Parameter | Output
---|---
Parse Time | 0.05 s
Search Time | 1.2 s
Depth | 12
Translation | 222 States
Computation | 0.45 s
Reachable | 234 States

Cryptographic Scheme | AES | SHA-1
---|---|---
User | 0.001975 ms | 0.001135 ms
AD | 0.003945 ms | 0.002135 ms
CD | 0.004155 ms | 0.002511 ms

Device | Message Storage (Bits) | Energy (mJ)
---|---|---
UD | 525 | 0.196
AD | 235 | 0.31
CD | 235 | 0.247
HA | 95 | 0.2116
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
© 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Kumar, V.; Malik, N.; Singla, J.; Jhanjhi, N.Z.; Amsaad, F.; Razaque, A. Light Weight Authentication Scheme for Smart Home IoT Devices. Cryptography 2022, 6, 37. https://doi.org/10.3390/cryptography6030037
Kumar V, Malik N, Singla J, Jhanjhi NZ, Amsaad F, Razaque A. Light Weight Authentication Scheme for Smart Home IoT Devices. Cryptography. 2022; 6(3):37. https://doi.org/10.3390/cryptography6030037
Chicago/Turabian Style: Kumar, Vipin, Navneet Malik, Jimmy Singla, N. Z. Jhanjhi, Fathi Amsaad, and Abdul Razaque. 2022. "Light Weight Authentication Scheme for Smart Home IoT Devices" Cryptography 6, no. 3: 37. https://doi.org/10.3390/cryptography6030037
APA Style: Kumar, V., Malik, N., Singla, J., Jhanjhi, N. Z., Amsaad, F., & Razaque, A. (2022). Light Weight Authentication Scheme for Smart Home IoT Devices. Cryptography, 6(3), 37. https://doi.org/10.3390/cryptography6030037