Next Article in Journal
Mechatronics and Remote Driving Control of the Drive-by-Wire for a Go Kart
Next Article in Special Issue
A Methodology for Network Analysis to Improve the Cyber-Physicals Communications in Next-Generation Networks
Previous Article in Journal
Detecting Respiratory Pathologies Using Convolutional Neural Networks and Variational Autoencoders for Unbalancing Data
Previous Article in Special Issue
Study of Human Thermal Comfort for Cyber–Physical Human Centric System in Smart Homes
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments

1
Department of Information Technology, Jadavpur University, Salt Lake City, Kolkata 700 098, India
2
Department of Computer Science and Information Systems, Birla Institute of Technology & Science, Pilani Hyderabad Campus, Hyderabad 500 078, India
3
Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad 500 032, India
4
Northumbria University, Newcastle upon Tyne NE1 8ST, UK
5
School of Electronics Engineering, Kyungpook National University, 80 Daehak-ro, Sangyeok-dong, Buk-gu, Daegu 41566, Korea
*
Author to whom correspondence should be addressed.
Sensors 2020, 20(4), 1215; https://doi.org/10.3390/s20041215
Submission received: 27 January 2020 / Revised: 13 February 2020 / Accepted: 20 February 2020 / Published: 22 February 2020

Abstract

:
In recent years, the Internet of Things (IoT) has exploded in popularity. The smart home, as an important facet of IoT, has gained its focus for smart intelligent systems. As users communicate with smart devices over an insecure communication medium, the sensitive information exchanged among them becomes vulnerable to an adversary. Thus, there is a great thrust in developing an anonymous authentication scheme to provide secure communication for smart home environments. Most recently, an anonymous authentication scheme for smart home environments with provable security has been proposed in the literature. In this paper, we analyze the recent scheme to highlight its several vulnerabilities. We then address the security drawbacks and present a more secure and robust authentication scheme that overcomes the drawbacks found in the analyzed scheme, while incorporating its advantages too. Finally, through a detailed comparative study, we demonstrate that the proposed scheme provides significantly better security and more functionality features with comparable communication and computational overheads with similar schemes.

1. Introduction

Interest in the Internet of Things (IoT) has grown exponentially over recent years, and it is likely to continue growing for the foreseeable future [1]. The smart home as an important IoT application has also gained much interest in recent years. Adoption of home automation systems for monitoring and controlling various smart devices is at an all-time high [2,3]. The reduced operating expenses, coupled with the increased quality of life, encourage the users to rely on these more and more. A smart home reduces expenses while providing higher comfort, security and safety to the users [4]. Additionally, smart homes can provide the elderly and disabled with prompt medical care based on the readings of smart gadgets [5]. However, as a direct result of using these services, a large volume of private and sensitive data is being transmitted over insecure networks. Security and privacy are considered the fundamental requirements for consumer technology deployment [6].
Consider a smart gadget for monitoring a patient. In order to get medical services, the external user (for example, a doctor) needs to have direct access to data sensed by the sensors in the gadget monitoring the patient’s body. Such information will invariably include current vital readings like blood sugar level, blood pressure, etc. For obvious reasons, this information needs to private and confidential. Similarly, data generated from the surveillance system, temperature and movement sensors, or control data for lighting or other appliances need to be secure and confidential. Devices in a smart home can be accessed through a gateway node that connects them to the Internet. To ensure data privacy and integrity, various entities, such as the users, the smart devices, and the gateway node need to generate session keys after their mutual authentication. The generated session keys can then be used for further communication without fear of data compromise.

1.1. Network and Threat Models

We follow the widely accepted network model for the proposed scheme, which is defined in the typical smart home architecture [7] shown in Figure 1. The smart devices connect to the public Internet through the gateway nodes ( G W N ). Users (U) and smart devices ( S D ) must be registered or enrolled with the registration authority R A before operating in the network. The R A is a fully trusted entity in the network. The registered mobile users can avail of the services provided by the already enrolled smart devices through the gateway node and negotiate the session keys after mutual authentication.
We evaluate the proposed scheme under the de-facto standard “Dolev-Yao (DY) threat model” [8]. In the DY-threat model, an adversary, say A , has ultimate authority over the communication channel, and consequently he/she is capable of eavesdropping, modifying, dropping, or even inserting forged messages for any communicated messages. Furthermore, it is assumed that A can physically capture some smart devices, as monitoring the devices 24 / 7 is not possible, to extract the sensitive information stored in them using power analysis attacks [9]. Moreover, the smart card of a user can be lost or stolen, and the adversary A can also extract all the sensitive information stored in its memory using power analysis attacks [9]. Both the registration authority ( R A ) and the gateway node ( G W N ) are considered trusted in the smart home environment. Furthermore, we use the stronger threat model, known as the “Canetti and Krawczyk’s (CK) adversary model” [10], wherein the adversary A , in addition to having all capacities of the DY-therat model, can also compromise ephemeral information like session-specific states and keys. Thus, in the presence of the CK-adversary, a user authentication scheme must be designed such that leakage of ephemeral secrets should have minimal impact on the security of unrelated entities in the authenticated key-exchange scheme [11].

1.2. Research Contributions

The main contributions are given below.
  • We first analyze the recently proposed anonymous authentication scheme by Shuai et al. [7] for the smart home environment and then highlight that their scheme fails to resist known attacks, such as privileged-insider attack, through offline password guessing and lost/stolen smart card attacks, user impersonation attacks, parallel session attacks, and password change attacks.
  • We present a more secure user authentication scheme that avoids the security pitfalls demonstrated in Shuai et al.’s scheme.
  • Through formal as well as informal security analysis, we show the resistance of the proposed scheme against various potential attacks needed in a smart home environment.
  • We then present a comparative study to demonstrate the superior security and functionality features of the proposed scheme relative to the existing relevant authentication schemes.
  • Finally, we provide a practical perspective on the applicability of the proposed scheme through a network simulator (NS3) simulation study.

1.3. Related Work

In the last decade, several authors investigated the issues of remote authentication for smart homes. Jeong et al. [12] suggested an authentication protocol for home networks based on “One-Time Passwords (OTPs)” and smart cards. However, their scheme not only transmitted the user identities in plaintext, but also did not provide mutual authentication. Vaidya et al. [13] designed a “remote authentication scheme using lightweight computation modules”. Unfortunately, Kim et al. demonstrated that [13] was not only vulnerable to known attacks, but it also failed to provide “user anonymity” and “forward secrecy”. To strengthen the security, Kim et al. presented an improved scheme [14] over the Vaidya et al. scheme. [13].
Vaidya et al. [15] presented an “Elliptic Curve Cryptography (ECC)” based device authentication scheme for smart home networks. However, their scheme was found to be susceptible to privileged-insider, password guessing, and user impersonation attacks. Pradeep and Singh [16] proposed a secure three-factor authentication scheme for “ubiquitous computing devices” with a pass-phrase based device integrity check.
Li proposed a lightweight key establishment scheme [17] as a solution to the security issue in smart home energy management systems. Unfortunately, their scheme was not scalable as it requires the management of many keys and certificates. Around the same time, Han et al. [18] designed a key agreement scheme for a secure pairing process for smart home systems. But, their scheme depends on an always-online service by the manufacturer of the devices, which is an infeasible requirement. Additionally, neither the scheme [17] nor the scheme [18] provided “mutual authentication between user and smart devices”.
Santoso and Vun [19] suggested an “ECC -based authentication scheme for smart homes”, where they presented the idea of using the Wi-Fi gateway as the central node of the system. Unfortunately, their scheme was vulnerable to privileged–insider attack, and consequently, it failed to guarantee user anonymity and untraceability properties.
Kumar et al. [4] designed a “lightweight anonymity preserving authentication scheme for smart home environments”. However, their scheme failed to provide “mutual authentication between the user and the smart device”. In their scheme, user anonymity and untraceability properties are also compromised.
Wazid et al. [20] suggested a lightweight remote user authentication scheme for the smart home environment which fulfills the design criteria for the smart home environment. Yu and Li [21] proposed another user authentication scheme for the smart home environment. However, their protocol did not necessitate a secure environment for user and device registration. Moreover, their scheme relied on bilinear pairing operations, and as a result, their scheme incurs exceptionally high overheads. Shuai et al. [7] designed an “ECC-based authentication scheme for the smart home environment”. However, in this paper, we discuss the advantages and limitations of their scheme in detail. Naoui et al. [22], Fakroon et al. [23] and Dey and Hossain [24] also presented other user authentication schemes for the smart home environment.

2. Review of Shuai et al.’s Scheme

In this section, we briefly review Shuai et al.’s scheme. Their scheme has the following phases: (a) initialization phase, (b) registration phase, (c) login and authentication phase, and (d) password change phase. In this section, we only review the first three phases, and the details regarding the password change phase can be found in the scheme [7].

2.1. Initialization Phase

During initialization, the registration authority ( R A ) selects an elliptic curve E ( F p ) of the form y 2 = x 3 + a x + b ( mod p ) of order p over finite field F p with a generator point P, where p is a large prime number and a , b Z p = { 0 , 1 , , p 1 } such that 4 a 3 + 27 b 2 0 ( mod p ) . R A then creates a private key x and calculates the corresponding public key X = x · P . R A selects a “long term key K” and a “cryptographic one-way collision-resistant hash function h ( · ) * : { 0 , 1 } * Z p * ”, where Z p * = { 1 , 2 , , p 1 } . R A commits x and K to the G W N and makes { E ( F p ) , P , X , h ( · ) } public. R A also picks and saves G I D into gateway node’s memory as its unique identity. In addition, R A generates S I D d as a random unique identity for each smart device S D . These identities are saved to the respective smart devices S D .

2.2. Registration Phase

This phase comprises of the user registration as well as the smart device enrollment phases.

2.2.1. User Registration

A user U registers with the R A through the following steps:
  • Step 1.U first picks his/her identity I D u , password P W u and generates a random secret a. U then calculates pseudo-password H P W u = h ( P W i a ) and securely dispatches the credentials { I D u , H P W u } to R A .
  • Step 2. If I D u is already registered, R A rejects the request. Otherwise, R A computes K U G = h ( I D u K ) , A 1 = K U G H P W u . R A generates a random value T E M P in order to record the number of user login failures, and sets T E M P = 0 . Next, R A writes { A i , T E M P } to a smart card S C u and securely issues S C u to the user U.
  • Step 3. On receiving the smart card S C u , U calculates A 2 = a h ( I D u P W u ) and A 3 = h ( I D u H P W u ) , and appends A 2 and A 3 to the smart card S C u . The smart card S C u finally contains the credentials { A 1 , A 2 , A 3 , T E M P } .

2.2.2. Device Enrollment

The steps for smart device, S D ’s enrollment with the R A :
  • Step 1. S D first securely transmits its identity S I D d to R A .
  • Step 2. If S D is already enrolled, the request is rejected by the R A . Otherwise, R A computes K G S = h ( S I D d K ) and securely sends the secret key K G S to S D .
  • Step 3. On receiving the reply, S D saves the secret key K G S in its memory.

2.3. Login and Authentication Phase

For a registered user U to access a smart device S D , he/she must first establish a session key S K after“ mutual authentication between U, S D and G W N ”. The steps for login, and authentication and session key establishment phase are as follows:
  • Step 1. User U first enters his/her identity I D u and password P W u , and calculates a * = A 2 h ( I D u P W u ) , H P W u * = h ( P W u a * ) and A 3 * = h ( I D u H P W u * ) . Only if the check A 3 * = A 3 holds, the login is successful. In case of a failed login attempt, the smart card S C u of the user U updates T E M P = T E M P + 1 . This value records the login attempts and if it exceeds a pre-defied threshold, the user U is considered as compromised and is suspended till he/she re-registers.
    After a successful login, the smart card S C u generates two random numbers R 1 and w Z p * , and computes K G U = A 1 H P W u , A 4 = w · P , A 5 = w · X , D I D u = I D u A 5 , M 1 = ( R 1 S I D d ) K U G and V 1 = h ( I D u R 1 K U G M 1 ) , and sends the login request message D I D u , A 4 , M 1 V 1 〉 to G W N via open channel.
  • Step 2. On receiving the login request D I D u , A 4 , M 1 V 1 〉, G W N computes A 5 * = x · A 4 , I D u * = D I D u A 5 * , K G U = h ( I D u * K ) , ( R 1 * S I D d ) = M 1 K G U , V 1 * = h ( I D i * R 1 * K G U M 1 ) . Only if the condition V 1 * = V 1 holds, G W N believes the legitimacy of the login request. G W N then generates a random number R 2 Z p * and computes K G S = h ( S I D d K ) , M 2 = ( I D u G I D R 1 R 2 ) K G S , V 2 = h ( I D u G I D K G S R 1 R 2 ) . Finally, G W N sends the authentication request message M 2 , V 2 to S D via public channel.
  • Step 3. On receiving the message M 2 , V 2 , S D calculates ( I D u G I D R 1 R 2 ) = M 2 K G S , V 2 * = h ( I D u G I D K G S R 1 R 2 ) and checks if V 2 * = V 2 . If true, S D generates a random number R 3 Z p * and computes S K = h ( I D u G I D S I D d R 1 R 2 R 3 ) , M 3 = R 3 K G S , V 3 = h ( R 3 K G S S K ) and finally transmits the authentication reply message M 3 , V 3 to G W N .
  • Step 4. On receiving the message M 3 , V 3 from S D , G W N computes R 3 = M 3 K G S , S K = h ( I D u G I D S I D d R 1 R 2 R 3 ) , V 3 * = h ( R 3 K G S S K ) , and if V 3 * = = V 3 , G W N computes M 4 = ( G I D R 2 R 3 ) K G U and V 4 = h ( K G U S K R 2 R 3 ) , and sends the acknowledgement message M 4 , V 4 to U via public channel.
  • Step 5. On receiving the message M 4 , V 4 from G W N , U computes ( G I D R 2 R 3 ) = M 4 K G U , S K = h ( I D u G I D S I D d R 1 R 2 R 3 ) and V 4 * = h ( K G U S K R 2 R 3 ) , and if V 4 * = V 4 , S D is authenticated by the G W N , and also the session key S K is established between U and S D .

3. Security Vulnerabilities in Shuai et al.’s Scheme

In this section, we cryptanalyze the scheme proposed by Shuai et al. and observe that in the presence of a passive/active adversary, it is vulnerable to several potential attacks. We detail the possible attacks below.

3.1. Privileged-insider Attack through Offline Password Guessing and Lost/Stolen Smart Card Attacks

Suppose an adversary A , who is also a privileged insider user, acts as an adversary, say A . In this case, A knows the credentials I D u and H P W u of a legitimate registered user U which are submitted to the R A during the user registration phase (see Section 2.2.1), where H P W u = h ( P W i a ) and a is a random secret. Moreover, if A can acquire the lost/stolen smart card S C u of the user U, using the “power analysis attacks” [9,25], the adversary A can extract all the credentials { A 1 , A 2 , A 3 , T E M P } stored in the memory of S C u , where K U G = h ( I D u K ) , A 1 = K U G H P W u , A 2 = a h ( I D u P W u ) and A 3 = h ( I D u H P W u ) . Now, as A 2 = a h ( I D u P W u ) and H P W u = h ( P W u a ) , A can form the following relation:
H P W u = h ( P W u ( A 2 h ( I D u P W u ) ) ) .
A can then guess a password, say P W u . Using the guessed password P W u , and I D u and A 2 , A further can calculate H P W u = h ( P W u ( A 2 h ( I D u P W u ) ) ) , and verify if the condition H P W u = H P W u is valid or not. If the condition holds, it means that A is successful in guessing the user U’s correct password. Hence, it is clear that the low-entropy guessed passwords are easily guessed and verified in Shuai et al.’s scheme. As a result, Shuai et al.’s scheme is vulnerable to privileged-insider attack with the help of both offline password guessing and lost/stolen smart card attacks.

3.2. User Impersonation and Parallel Session Attacks

A privileged insider adversary A with the knowledge of registration information I D u and H P W u , and extracted A 1 from the stolen smart card S C u of a valid registered user U (discussed in Section 3.1) can easily compute secret key K G U = A 1 H P W u . Consequently, A can forge the login request message D I D u , A 4 , M 1 , V 1 to the G W N in order to impersonate the user U due to the following reason. Since each smart device S D sends its identity S I D d to the R A , the privileged insider adversary A of the R A also knows it. Now, A can generate two random numbers R 1 and w Z p * , and compute A 4 = w · P , A 5 = w · X , D I D u = I D u A 5 , M 1 = ( R 1 S I D d ) K U G , V 1 = h ( I D u R 1 K U G M 1 ) . As a result, the adversary A is able to send a valid login request message D I D u , A 4 , M 1 , V 1 to the G W N . Thus, a privileged adversary can impersonate a legal registered user U in Shuai et al.’s scheme.
We consider another attack, where privileged insider adversary A of the R A , who has calculated K G U from the previous attack, can intercept the message M 4 , V 4 that is sent from the G W N to a user U. A , having the knowledge of K U G and I D U , can calculate ( G I D R 2 R 3 ) = M 4 K G U and the session key S K = h ( I D u G I D S I D d R 1 R 2 R 3 ) . Thus, A can independently calculate the session key S K making the scheme of Shuai et al. vulnerable to the parallel session attack.

3.3. Password Change Attack

Suppose a privileged insider of the R A being an adversary A after learning the password P W u from the previously discussed attack in Section 3.1 can simply execute the password update phase to change a legal registered user U’s password if the smart card S C u of U is being stolen by A . For this purpose, A has the credentials { A 1 , A 2 , A 3 , T E M P } stored in the memory of S C u , where K U G = h ( I D u K ) , A 1 = K U G H P W u , A 2 = a h ( I D u P W u ) and A 3 = h ( I D u H P W u ) . A first calculates K G U = A 1 H P W u using previous registration information H P W u and a = A 2 h ( I D u P W u ) . Next, A chooses his/her own password, say P W u and calculates H P W u = h ( P W u a ) , A 1 = K U G H P W u , A 2 = a h ( I D u P W u ) and A 3 = h ( I D u H P W u ) . Finally, A updates the old credentials { A 1 , A 2 , A 3 , T E M P } with the newly computed credentials { A 1 , A 2 , A 3 , T E M P } in the memory of the smart card S C u . This clearly shows that the password change attack is easily mounted on Shuai et al.’s scheme.

4. The Proposed Scheme

In this section, we present a more secure “anonymous authentication and session key establishment scheme” for smart home environments, which is free from all the mentioned security vulnerabilities discussed in Section 3. The important phases of our scheme are discussed below.

4.1. Initialization Phase

This phase is similar to that presented in Section 2.1. Note that during initialization, the registration authority ( R A ) also generates a “long term key K” and a “ collision-resistant cryptographic one-way hash function h ( · ) * : { 0 , 1 } * Z p * ”. R A then commits K to G W N and makes { h ( · ) } public.

4.2. Registration Phase

The registration phase details the procedure for dynamic device enrollment and user registration.

4.2.1. Dynamic Device Enrollment

Any time after initialization, a smart device S D can be enrollment with the R A via secure channel through the following steps:
  • Step 1. S D first securely transmits its identity S I D d to R A .
  • Step 2. If S D is already enrolled, the request is rejected by the R A . Otherwise, R A computes the secret key K G S = h ( S I D d h ( K ) ) , and securely sends K G S to S D and makes S I D j public.
  • Step 3. On receiving the reply from the R A , S D saves the secret key K G S in its memory.

4.2.2. Mobile User Registration

After system initialization, a mobile user U can be registered with the R A via secure channel.
In our scheme, we use the fuzzy extractor method for user biometric verification [26]. This step is necessary to reduce false negatives during biometric verification. A fuzzy extractor comprises of the following two procedures:
  • Gen: It is a “probabilistic generation function” that computes a pair ( σ u , τ u ) from the user biometrics information. The resultant σ u is the “biometric secret key” and τ u is the “public reproduction parameter” necessary for reconstruction of σ u from B i o u , a noisy biometric reading from the same user. Formally, ( σ u , τ u ) = G e n ( B i o u ) .
  • Rep: It is a “deterministic reproduction method” which constructs the original biometric secret key σ i using a noisy biometrics reading, B i o u and the public reproduction parameter τ i provided the Hamming distance H D between B i o u and B i o u is less than or equal to a pre-defined error tolerance threshold value, say Δ t . Formally, σ u = R e p ( B i o u , τ u ) , with the restriction that H D ( B i o u , B i o u ) Δ t .
The following steps are involved in this phase:
  • Step 1.U selects his/her identity I D u and securely sends { I D u } to R A .
  • Step 2. If I D u is already registered, R A rejects the request. Otherwise, R A generates R g , D I D u Z p and computes K U G = h ( I D u h ( R g K ) ) , and also sets T E M P = 0 . After that R A commits the tuple D I D u , I D u , R g to the u s e r _ d a t a table in the gateway node G W N . R A also writes the credentials { K U G , D I D u , T E M P } to a smart card S C u , and securely issues S C u to the user U.
  • Step 3. After getting S C u , U provides a password P W u and imprints biometric template B i o u at the sensor of a specific terminal. U uses the probabilistic fuzzy generator function G e n ( B i o u ) to calculate the biometric secret ket σ u and a public reproduction parameter τ u as ( σ u , τ u ) = G e n ( B i o u ) . After that, U computes A 1 = D I D u h ( I D u P W u σ u ) , A 2 = h ( D I D u I D u σ u P W u ) and A 3 = K U G h ( I D u D I D u P W u σ u ) , and replaces K U G and D I D u in the smart card with A 1 , A 2 , A 3 , τ u . The smart card S C u finally contains the credentials { A 1 , A 2 , A 3 , τ u , T E M P } .
The user registration phase is also briefed in Figure 2.

4.3. Login and Authentication Phase

A registered user U through the following steps can anonymously establish a session key with a smart device S D once mutual authentication in presence of the gateway node G W N is successful.
  • Step 1.U first inputs his/her identity I D u and password P W u , and imprints his/her biometric B i o u at the sensor of a particular terminal. The smart card S C u of U then uses public τ u to compute σ u from B i o u as σ u = R e p ( B i o u , τ u ) , and proceeds to calculate D I D u = A 1 h ( I D u P W u σ u ) and A 2 * = h ( D I D u I D u σ u P W u ) . If the condition A 2 * = A 2 holds, the login is treated as successful one. In case of a failed login attempt, the smart card S C u increments T E M P and aborts the phase. On the other side, if it exceeds a pre-defined threshold, the user U is considered as compromised, and is suspended till he/she re-registers.
    After a successful login, S C u generates two random numbers R 1 and w Z p * , and calculates K U G = A 3 h ( I D u D I D u P W u σ u ) , M 1 = ( R u S I D d ) K U G and V 1 = h ( I D u R u K U G M 1 ) , and dispatched the login request message D I D u , M 1 , V 1 to the G W N via public channel.
  • Step 2. After receiving the login request D I D u , M 1 , V 1 , the G W N looks up I D u , R g using D I D u from its u s e r _ d a t a table, and computes K U G = h ( I D u h ( R g K ) ) , ( R u S I D d ) = M 1 K U G . If R u is fresh, the G W N calculates V 1 * = h ( I D u R u K U G M 1 ) . Now, if V 1 * V 1 , the request is considered as invalid, and the process is aborted instantly. Otherwise, the G W N generates a new random number R g Z p * and calculates K G S = h ( S I D d h ( K ) ) , C 1 = h ( R g K ) , C 2 = h ( I D u R u C 1 ) , M 2 = C 2 K G S and V 2 = h ( C 2 K G S ) . Finally, G W N dispatches the authentication request message M 2 , V 2 to the accessed smart device S D via open channel.
  • Step 3. On receiving the message M 2 , V 2 , S D calculates C 2 = M 2 K G S . If C 2 is fresh, S D calculates V 2 * = h ( C 2 K G S ) . If V 2 * V 2 , the request is considered as failed, and it is then aborted. On the other side, S D picks a random number R d Z p * , computes the session key S K = h ( C 2 R d S I D d ) shared with U, M 3 = ( R d h ( S K ) ) K G S and V 3 = h ( R d K G S h ( S K ) ) . Next, S D transmits the authentication reply message M 3 , V 3 to G W N via public channel.
  • Step 4. On receiving the message M 3 , V 3 from S D , G W N computes ( R d h ( S K ) ) = M 3 K G S . If R d is also fresh, the G W N continues to calculate V 3 * = h ( R d K G S h ( S K ) ) . If V 3 * V 3 , the request is considered as invalid and the process is aborted immediately. Otherwise, the G W N generates another random number D I D u Z p * and computes M 4 = ( D I D u C 1 R d ) K U G , K U G = h ( I D u C 1 ) and V 4 = h ( D I D u C 1 R d K U G ) . G W N then updates the tuple D I D u , I D u , R g in its u s e r _ d a t a table, and sends the ackowledgement message M 4 , V 4 to the U via open channel.
  • Step 5. On receiving the message M 4 , V 4 from G W N , the user U recovers ( D I D u C 1 R d ) = M 4 K U G , and then computes K U G = h ( I D u C 1 ) and V 4 * = h ( D I D u C 1 R d K U G ) . If V 4 * V 4 , the login is considered as failed one and it is aborted immediately. Otherwise, the user U computes the session key S K = h ( h ( I D u R u C 1 ) R d S I D d ) and the updated values for A 1 = ( R u D I D u ) h ( I D u P W u σ u ) , A 2 = h ( D I D u σ u P W u ) , A 3 = K U G h ( D I D u P W u σ u ) . Finally, U resets T E M P to 0 as T E M P = 0 , and updates the smart card S C u with the values { A 1 , A 2 , A 3 , T E M P } by replacing the old values { A 1 , A 2 , A 3 , T E M P } .
The login and authentication phase is finally briefed in Figure 3.
Remark 1.
An adversary might block the message M 4 , V 4 during the communication happen in the login and authentication phase. As D I D u and R g have already been updated on the gateway node G W N , the subsequent login attempts by the user U will fail. This attack can be prevented, if the gateway node G W N also maintains the old values of D I D u and R g until the next successful authentication happens.

4.4. Password and Biometric Update Phase

To update “password and/or biometric”, a registered user U inputs identity I D u along with the existing password P W i u and imprints biometric B i o u , and then logins with the steps similar to that described in the “login and authentication phase” discussed in Section 4.3.
If the login is successful, U provides new password P W u , imprints new biometric B i o u and recalculates ( σ u , τ u ) = G e n ( B i o u ) . Next, U computes A 1 = D I D u h ( I D u P W u σ u ) , A 2 = h ( D I D u I D u σ u P W u ) and A 3 = K U G h ( I D u D I D u P W u σ u ) , and replace { A 1 , A 2 , A 3 , τ u } in the smart card S C u with { A 1 , A 2 , A 3 , τ u } . S C u now contains the updated credentials { A 1 , A 2 , A 3 , τ u , T E M P } .

4.5. Smart Card Revocation Phase

A “lost or stolen smart card” can be revoked by requesting for a new smart card by a registered authorized user U to the registration authority R A via secure channel. Hence, the steps are identical to those for the mobile user registration phase as discussed in Section 4.2.2.

5. Security Analysis

In this section, through the widely accepted “Real-Or-Random (ROR) model” [27], the formal security analysis of the proposed scheme is presented. Furthermore, through the formal security verification tool, called AVISPA [28], the proposed scheme’s resistance to “man-in-the-middle and replay attacks” is verified. In addition, a through informal (non-mathematical) analysis presented in Section 5.3 demonstrates the proposed scheme’s resistance to various other known attacks.

5.1. Formal Security Analysis through Real-Or-Random Model

The ROR model proposed in [27] is widely accepted for security analysis of authentication and key agreement schemes. We describe the ROR model and then utilize the same to analyze the proposed scheme formally.
  • Participants: Let the oracles π U u , π S D d and π G W N g denote the uth, dth and gth instances of a user U, a smart device S D and the gateway node G W N , respectively.
  • Partnering: Two oracles π U u and π S D d are said to be partnered provided they share the same communication session-id s i d , and the partial transcript of the exchanged messages is unique.
  • Freshness: π U u and π S D d are considered fresh as long as the session key S K between U and S D remains unexposed to an adversary A .
  • Adversary: The ROR model defines the DY adversary A . Formally, the adversary A can execute the queries described below.
    E x e c u t e ( π u , π d ) : This query is modeled as an eavesdropping attack. Therefore, this query allows A to intercept the messages exchanged among U, S D , and G W N .
    S e n d ( π d , m ) : This query is modeled an active attack. It allows A to transmit a message, say m s g to an oracle π d , and receive the response message in reply.
    C o r r u p t S C ( π u ) : Through this query, A can learn the confidential values { A 1 , A 2 t , A 3 , τ u , T E M P } from a user U’s smart card S C u .
    C o r r u p t S D ( π d ) : Through this query, A can learn the secret key { K G S } stored in the captured smart device S D . The queries C o r r u p t S C and C o r r u p t S D are assumed to be under a weak corruption model [29] and they can not corrupt the ephemeral keys and states of the participating oracle.
    T e s t ( π u , π d ) : As per the “indistinguishability in the ROR model” [27], the semantic security of the session key S K between U and S D can be determined by this query. To initiate, A tosses an “unbiased coin” whose outcome, say c, determines the output of the T e s t query. If S K is fresh, the oracle π u or π d produces S K , if c = 1 . Otherwise, if c = 0 , the oracle produces a random number. In all other cases, the returned value will be null.
  • Semantic security of the session key: As per the ROR model, to compromise the semantic security of the session key, A must be able to differentiate an instance’s actual session key from a random key. A can perform a limited number of C o r r u p t S C ( π u ) and C o r r u p t S D ( π d ) queries, but can execute as many T e s t ( · ) queries as desired.
    If A d v P S , A ( t ) represents the advantage of A in compromising the semantic security of the proposed scheme P S , we have, A d v P S , A ( t ) = | 2 . P r [ S C S ] 1 | , where S C S is an event of A ’s success.
  • Random oracle: All participating entities including A can invoke the “cryptographic one-way hash function”, h ( · ) , which is further modeled as a random oracle, say HO .
Accounting to Wang et al.’s important findings [30] regarding the Zipf’s law on passwords, Theorem 1 defines the “semantic security of the proposed scheme”.
Theorem 1.
Let a polynomial time adversary A attempts to break the semantic security of the proposed scheme P under the ROR model in time t. If the chosen passwords follow the Zipf’s law [30], and the bit-lengths of the biometric secret key σ u and the user identity I D u are l 1 and l 2 , respectively, A ’s advantage in compromising the semantic security of the proposed scheme P S is
A d v P S , A ( t ) q h 2 | H a s h | + 2 max { C . q s s , q s 2 l 1 , q s 2 l 2 } ,
where q h , q s and | H a s h | represent the number of hash queries, the number of S e n d queries and the range of h ( · ) , respectively, and C and s are the Zipf’s parameters [30].
Proof. 
We design our proof on the lines of the proofs that presented in [11,31,32]. Four sequential games, say G i , i [ 0 3 ] , are played. The event S C S i represents that an adversary A can successfully guess the bit c in the game G i . The details regarding all the games are given below.
  • Game G 0 : This game models a real attack on the semantic security of the proposed scheme P S by A . As initially the bit c is guessed,
    A d v P S , A ( t ) = | 2 . P r [ S C S 0 ] 1 | .
  • Game G 1 : This game models as an eavesdropping attack by A on P S . Through the E x e c u t e ( π u , π d ) query, A can intercept the messages D I D u , M 1 , V 1 , M 2 , V 2 , M 3 , V 3 and M 4 , V 4 . A can query the T e s t oracle and attempt to determine if the received result is the actual session key. As the session key is S K = h ( h ( I D u R u h ( R g K ) ) R d S I D d ) , and to compute the same A must learn short term secret keys ( R u , R g and R d ) as well as long term secrets ( I D u , S I D d and K). Therefore, A gains no additional advantage for wining this game. Consequently, it follows that
    P r [ S C S 1 ] = P r [ S C S 0 ] .
  • Game G 2 : This game models as an active attack through use of the S e n d and hash queries. A attempts to beguile a legitimate entity into accepting a modified message. As discussed previously, A can repeat the queries to the oracles in order to induce hash collisions. However, since all the messages contain random nonces, hash coalitions cannot be induced on h ( · ) by A . It is worth noticing that both the games G 1 and G 2 are identical except for the S e n d and hash queries in the game G 2 . Thus, through the use of birthday paradox, we have,
    | P r [ S C S 2 ] P r [ S C S 1 ] | q h 2 2 | H a s h | .
  • Game G 3 : An extension to G 2 , the game G 3 is the final game and it simulates the C o r r u p t S C and C o r r u p t S D queries. Querying these oracles, A can learn { A 1 , A 2 t , A 3 , τ u , T E M P } and { K G S } , respectively. The probability of A to correctly guess the biometric secret key σ i of bit-length l 1 and the user identity I D u of bit-length l 2 are 1 2 l 1 and 1 2 l 2 , respectively [33].
    As the user chosen passwords tend to follow the Zipf’s law, by utilizing trawling guessing attacks, A ’s advantage will be over 0.5 when q s = 10 7 or 10 8 [30]. If A can utilize a user’s personal information for the targeted guessing attacks, he/she will have an advantage over 0.5 when q s 10 6 [30]. In practical implementation, only a finite number of erroneous password attempts are permitted to the adversary A . Therefore, the games G 3 and G 2 are identical except for the guessing attacks. Thus, we can formulate the following relation as in [32]:
    | P r [ S C S 3 ] P r [ S C S 2 ] | max { C . q s s , q s 2 l 1 , q s 2 l 2 } .
    However, A must guess a bit c after executing the T e s t query to win the game G 3 . Therefore, it follows that
    | P r [ S C S 3 ] = 1 2 .
From Equations (2), (3) and (6), we have,
1 2 A d v P S , A ( t ) = | P r [ S C S 0 ] 1 2 | = | P r [ S C S 1 ] 1 2 | = | P r [ S C S 1 ] | P r [ S C S 3 ] | .
Summing the inequalities from Equations (4) and (5), we obtain the following relation:
| P r [ S C S 2 ] | P r [ S C S 1 ] | + | P r [ S C S 3 ] | P r [ S C S 2 ] | q h 2 2 | H a s h | + max { C . q s s , q s 2 l 1 , q s 2 l 2 } .
Simultaneously solving Equations (7) and (8), we arrive at the desired result:
A d v P S , A ( t ) q h 2 | H a s h | + 2 max { C . q s s , q s 2 l 1 , q s 2 l 2 } .
 □

5.2. Formal Security Verification through AVISPA Simulation

AVISPA is an automated software tool for the formal verification of security-sensitive protocols and applications [28]. AVISPA implements the Dolev-Yao (DY) threat model and verifies whether a scheme is resistant to replay and man-in-the-middle attacks. A security protocol to be verified needs to be modeled in the associated “High Level Protocol Specification Language (HLPSL)” [34]. AVISPA provides a translator, known as HLPSL2IF, for translating HLSPL into the Intermediate Format (IF). The IF can be interpreted by one of the available four backends to generate a report in the Output Format (OF). The structure of the OF contains following:
  • SUMMARY: It states if the tested protocol is “safe”, “unsafe”, or if the analysis was “inconclusive”.
  • DETAILS: It reports the explanation relevant to the SUMMARY section.
  • PROTOCOL: It provides the protocol to be verified.
  • GOAL: It states the goal as specified in the HLPSL.
  • BACKEND: It mentions the backend that has been utilized.
  • STATISTICS: It provides the trace for the vulnerabilities to the target protocol, if they are present, with additional useful statistics.
A more detailed report on AVISPA and HLPSL is available at in [28]. The four backends available with AVISPA are [28]: (a) “On-the-fly Model-Checker (OFMC)”, (b) “Constraint-Logic-based Attack Searcher (CL-AtSe)”, (c) “SAT-based Model-Checker (SATMC)”, and (d) “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”. Among these, OFMC and CL-AtSe are most widely accepted, and we evaluate the proposed scheme under these backends to formally verify its resistance to the “man-in-the-middle and replay attacks”.
We have implemented the proposed scheme in HLSPL and defined the necessary roles for a user U, a smart device S D , and the G W N for the different phases of the proposed scheme. We have also specified the roles for the session, goal, and environment as per the HLPSL specification. Finally, we have simulated the proposed scheme using the “SPAN, the Security Protocol ANimator for AVISPA tool’’ [35]. Figure 4 presents the simulation results under the widely-used OFMC and CL-AtSe backends. The simulation results clearly demonstrate that the proposed scheme is safe against the “man-in-the-middle and replay attacks”.

5.3. Informal Security Analysis

In the following, we demonstrate that the proposed scheme is secure against various known attacks.

5.3.1. Replay Attack

Assuming an adversary A replays the old message M 1 to G W N , G W N will reject the replayed message after it detects that R u is not fresh. Similarly, all messages are composed of random nonces, which can be further verified for their freshness. Thus, the proposed scheme is resilient against replay attack.

5.3.2. Forgery Attack

An adversary A can attempt to forge the message D I D u , M 1 , V 1 to the G W N . However, M 1 is encrypted with the secret key K U G , and V 1 is also encapsulated with D I D U and M 1 against forgery. A cannot forge this message. Similarly, other messages cannot be forged either, and the proposed scheme is resilient against forgery attack.

5.3.3. Impersonation Attack

Assuming an adversary A , after capturing the messages from a successful login an authentication attempts, to impersonate the user U. But, as D I D u is of single-use and V 1 encapsulates I D U and M 1 against forgery, A cannot simply modify the captured messages with his/her own R u to impersonate U. Similarly, A ’s attempt to impersonate the G W N will fail because he/she will be unable to generate M 2 , V 2 and M 4 , V 4 without the knowledge of K G S and K U G , respectively. As a result, the proposed scheme is resilient against impersonation attacks.

5.3.4. Man-in-the-Middle Attack

Assuming an adversary A attempts to execute a man-in-the-middle attack by capturing and modifying the login message from U to G W N . Nevertheless, the message cannot be forged or modified without knowledge of the secret credentials. Thus, the “man-in-the-middle attack” is also protected in the proposed scheme.

5.3.5. Loss of Smart Card and Offline Guessing Attack

Assuming an adversary A recovers a lost smart card, he/she can learn the values A 1 , A 2 , A 3 , τ u and T E M P through the “power analysis attacks”. Of these, except for T E M P and τ u , none is in plaintext and it is combination of the secret identity, password, and biometrics. It is worth noticing that τ u and T E M P are the public reconstruction parameter for biometrics and failed login attempts counter, respectively, which are not sensitive. For A to subvert the proposed scheme through the offline guessing attack, he/she will have to simultaneously guess I D u , P W u , and σ u , which is “computationally infeasible” task. Thus, the proposed scheme is resilient against the “loss of smart card and offline guessing attacks”.

5.3.6. Privileged-Insider Attack

Assuming an adversary A is a privileged-insider, he/she can eavesdrop during the registration phase and learn user identity I D u . Now, assume that he/she has subverted the user’s smart card S C u to recover the stored values A 1 = D I D u h ( I D u P W u σ u ) , A 2 = h ( D I D u I D u σ u P W u ) and A 3 = K U G h ( I D u D I D u P W u σ u ) . It is clear that even if I D u is known, in order to subvert the scheme with the available information, A must simultaneously guess password P W u and biometric secret key σ u , which is computationally infeasible. As a result, the privileged-insider attack is protected in the proposed scheme.

5.3.7. Ephemeral Secret Leakage (ESL) Attack

Assume adversary A learns one or both of the session specific secrets ( R u , R g , R d ) through the session hijacking attack under the CK-adversary model. Since the session key S K = h ( h ( I D u R u C 1 ) R d S I D d ) is derived from the user secret identity I D u and the G W N ’s long term secret of K in addition to ( R u , R g , R d ), A cannot subvert the session key S K without any long term secrets. Thus, the proposed scheme is secure against ESL attack.

5.3.8. Parallel Session Attack

For an adversary A to successfully execute a parallel session attack, he/she needs to compose the session key S K = h ( h ( I D u R u C 1 ) R d S I D d ) by eavesdropping on the authentication related messages. But, no secrets are compromised regardless of lost smart card attack or privileged insider attack. As a result, the proposed scheme is secure against a parallel session attack.

5.3.9. Stolen Verifier Attack

As the gateway node G W N maintains the tuple D I D u , I D u , R g for each user U. Of these, D I D u and R g are the distict random nonces. Exposure of I D u is equivalent to a privileged-insider attack. However, the proposed scheme is resistant against privileged-insider attack. Thus, a stolen verifier attack is not a threat to the proposed scheme.

5.3.10. Smart Card Impersonation Attack

Smart card impersonation attack can only be executed by an adversary A , if he/she can learn the secret values I D u , P W u and σ u in a user’s smart card. Nevertheless, the secret values are not compromised through a lost smart card even in the presence of a privileged insider attacker. The proposed scheme is then secure against smart card impersonation attack.

5.3.11. Anonymity and Untracability

Assume that an adversary A eavesdrops and monitors the messages from a successful login and authentication. None of the eavesdropped values { D I D u , M 1 , M 2 , M 3 , M 4 , V 1 , V 2 , V 3 , V 4 } , contains any plaintext information useful for identifying the user U or the smart device S D . Thus, the proposed scheme provides anonymity. Furthermore, all of the eavesdropped values are composed of some random nonces, and consequently these are always unique across different authentication sessions. Thus, the proposed scheme also provides anonymity and untracability.

6. Comparative Study

In this section, we benchmark the proposed scheme against the schemes proposed by Shuai et al. [7], Yu and Li [21], Naoui et al. [22], Fakroon et al. [23], and Dey and Hossain [24].

6.1. Communication Costs Comparison

For communication cost comparison, it is assumed that an ECC point is 320 bits, hash digest (assuming SHA-1 hashing algorithm is applied) is 160 bits, nonces as well as identities are 128 bits long. In the presented scheme, the four messages exchanged during the login and authentication phase are D I D u , M 1 , V 1 which needs ( 128 + ( 128 + 126 ) + 160 ) = 544 bits; M 2 , V 2 which requires ( 160 + 160 ) = 320 bits; M 3 , V 3 which demands ( ( 128 + 160 ) + 160 ) = 448 bits and M 4 , V 4 which needs ( ( 128 + 160 + 128 ) + 160 ) = 576 bits. Thus, the total communication overhead of the proposed scheme turns out to be ( 544 + 320 + 448 + 576 ) = 1888 bits = 236 bytes. Table 1 summarizes the proposed scheme and other existing schemes in terms of communications overheads. From this table, we observe that the proposed scheme requires less communication overhead as compared to that for the schemes of Shuai et al. [7] and second lowest among all other schemes.

6.2. Computation Costs Comparison

For computation cost analysis, we denote T b p , T m , T b and T h as the time needed for computing “bilinear pairing”, “ECC multiplication”, “fuzzy extractor function G e n ( · ) / R e p ( · ) for biometric verification” and “hashing” operations, respectively. Based on experimental results reported in [36], we have T b p 32.713 ms (milliseconds), T m 13.405 ms, T b T m = 13.405 ms and T h 0.056 ms, respectively. Table 2 briefs the computational costs for the proposed scheme and other existing schemes. It is clear that the presented scheme has a significantly less computation cost as compared to that for the schemes of Shuai et al. [7]. With the exception of Fakroon et al. [23], which might incur a greater computation cost, the proposed scheme has the lowest computation cost.

6.3. Security and Functionality Features Comparison

Finally, in Table 3, the functionality of the proposed scheme and other existing schemes are compared. From this table, it is apparent that the proposed scheme provides better security and functionality features features as compared to those for other existing schemes. Moreover, from the Table 1 and Table 2, we can see that the proposed scheme requires less computation and communication overheads as compared to other schemes.

7. Practical Impact Study through NS3 Simulation

To estimate the practicability of the proposed scheme, we have performed a simulation study. We have utilized the most recent iteration of the widely accepted network simulator tool, NS3 (3.28). We run our simulation on a Linux workstation. For our simulation, we specify the location of the gateway node ( G W N ) at the origin of the coordinate system. The smart devices are considered at random positions 20 to 100 m from the G W N . The users are permitted to move across a square of 150 m side centered around the gateway G W N with a maximum speed of 3 m per second. Users attempt to establish session keys with all available devices. Communication is measured across the IEEE 802.11 2.4 GHz channel. We have then simulated several scenarios with differing number of users and smart devices. The details regarding the simulation parameters are presented in Table 4. Any parameters that are not explicitly mentioned here are assumed to have their default values as defined by the NS3.
Figure 5a,b presents the network throughput and end-to-end delay for the proposed scheme, respectively, under different scenarios. The network throughput is calculated according to the formula:
N p | b y t e | T s u m ,
whereas the end-to-end delay is computed with the formula:
i = 0 N p ( T r i T s i ) N p .
Here, N p is the total number of packets received, | b y t e | is the number of bytes in each packet, T s u m represents the total time taken, and T s i and T r i are the transmission and receiving time of the ith packet, respectively. The simulation results demonstrate the expected correlation between the number of participants, the network throughput and also the end-to-end delay.

8. Conclusions

We first discussed the issue of anonymous user authentication in smart home environments. We then cryptanalyzed the recently proposed user authentication scheme and discovered its several security vulnerabilities. Furthermore, we proposed a more secure and robust authentication scheme for anonymous user authentication and key agreement in smart homes to erase the security pitfalls found in the existing Shuai et al.’s scheme, while retaining its advantages at the same time. The security analysis and performance comparison show that the proposed scheme can provide better security and more functionality features at low communication and computation overheads, when compared these with other recent existing schemes. In our future work, we plan to investigate the possibility of extending the proposed scheme to support remote registration as it is designed in the scheme proposed by Yu and Li [21] at a more acceptable communication and computation overheads.

Author Contributions

Conceptualization, S.B., A.K.D., S.C. and Y.P.; Methodology, S.B. and A.K.D.; Security analysis, S.B. and A.K.D.; Investigation, S.B., A.K.D., V.O., S.C. and Y.P.; Formal security verification, S.B. and A.K.D.; Resources, A.K.D., V.O., S.C. and Y.P.; Writing-original draft preparation, S.B.; Writing-review and editing, A.K.D. and Y.P.; Supervision, A.K.D., V.O. and Y.P.; Project administration, A.K.D., S.C. and Y.P.; Funding acquisition, Y.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT and Future Planning (2017R1A2B1002147). This work is also supported by the Mathematical Research Impact Centric Support (MATRICS) project funded by the Science and Engineering Research Board (SERB), India (Reference No. MTR/2019/000699).

Acknowledgments

We thank the anonymous reviewers and the Editor for their valuable comments, which helped us to improve the quality and presentation of the paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Atzori, L.; Iera, A.; Morabito, G. The Internet of Things: A Survey. Comput. Netw. 2010, 54, 2787–2805. [Google Scholar] [CrossRef]
  2. Gomez, C.; Paradells, J. Wireless home automation networks: A survey of architectures and technologies. IEEE Commun. Mag. 2010, 48, 92–101. [Google Scholar] [CrossRef]
  3. Kim, J.E.; Boulos, G.; Yackovich, J.; Barth, T.; Beckel, C.; Mosse, D. Seamless integration of heterogeneous devices and access control in smart homes. In Proceedings of the Eighth International Conference on Intelligent Environments (IE’12), Guanajato, Mexico, 26–29 June 2012; pp. 206–213. [Google Scholar]
  4. Kumar, P.; Gurtov, A.; Iinatti, J.; Ylianttila, M.; Sain, M. Lightweight and secure session-key establishment scheme in smart home environments. IEEE Sen. J. 2015, 16, 254–264. [Google Scholar] [CrossRef] [Green Version]
  5. Suryadevara, N.K.; Mukhopadhyay, S.C.; Wang, R.; Rayudu, R. Forecasting the behavior of an elderly using wireless sensors data in a smart home. Eng. Appl. Artif. Intell. 2013, 26, 2641–2652. [Google Scholar] [CrossRef]
  6. Gubbi, J.; Buyya, R.; Marusic, S.; Palaniswami, M. Internet of Things (IoT): A vision, architectural elements, and future directions. Future Gener. Comput. Syst. 2013, 29, 1645–1660. [Google Scholar] [CrossRef] [Green Version]
  7. Shuai, M.; Yu, N.; Wang, H.; Xiong, L. Anonymous authentication scheme for smart home environment with provable security. Comput. Secur. 2019, 86, 132–146. [Google Scholar] [CrossRef]
  8. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  9. Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552. [Google Scholar] [CrossRef] [Green Version]
  10. Canetti, R.; Krawczyk, H. Universally Composable Notions of Key Exchange and Secure Channels. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques–Advances in Cryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 28 April–2 May 2002; pp. 337–351. [Google Scholar]
  11. Banerjee, S.; Odelu, V.; Das, A.K.; Jangirala, S.; Kumar, N.; Chattopadhyay, S.; Choo, K.K.R. A Provably-Secure and Lightweight Anonymous User Authenticated Session Key Exchange Scheme for Internet of Things Deployment. IEEE Internet Things J. 2019, 6, 8739–8752. [Google Scholar] [CrossRef]
  12. Jeong, J.; Chung, M.Y.; Choo, H. Integrated OTP-based user authentication scheme using smart cards in home networks. In Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS’08), Waikoloa, HI, USA, 7–10 January 2008; p. 294. [Google Scholar]
  13. Vaidya, B.; Park, J.H.; Yeo, S.S.; Rodrigues, J.J. Robust one-time password authentication scheme using smart card for home network environment. Comput. Commun. 2011, 34, 326–336. [Google Scholar] [CrossRef]
  14. Kim, H.J.; Kim, H.S. AUTH HOTP-HOTP based authentication scheme over home network environment. In Proceedings of the International Conference on Computational Science and Its Applications (ICCSA’11), Santander, Spain, 20–23 June 2011; pp. 622–637. [Google Scholar]
  15. Vaidya, B.; Makrakis, D.; Mouftah, H.T. Device authentication mechanism for smart energy home area networks. In Proceedings of the IEEE International Conference on Consumer Electronics (ICCE’11), Berlin, Germany, 9–12 January 2011; pp. 787–788. [Google Scholar]
  16. Hanumanthappa, P.; Singh, S. Privacy preserving and ownership authentication in ubiquitous computing devices using secure three way authentication. In Proceedings of the International Conference on Innovations in Information Technology (IIT’12), Abu Dhabi, UAE, 18–20 March 2012; pp. 107–112. [Google Scholar]
  17. Li, Y. Design of a key establishment protocol for smart home energy management system. In Proceedings of the Fifth International Conference on Computational Intelligence, Communication Systems and Networks (CICSYN’13), Madrid, Spain, 5–7 June 2013; pp. 88–93. [Google Scholar]
  18. Han, K.; Kim, J.; Shon, T.; Ko, D. A novel secure key paring protocol for RF4CE ubiquitous smart home systems. Pers. Ubiquitous Comput. 2013, 17, 945–949. [Google Scholar] [CrossRef]
  19. Santoso, F.K.; Vun, N.C. Securing IoT for smart home system. In Proceedings of the International Symposium on Consumer Electronics (ISCE’15), Madrid, Spain, 9–11 April 2015; pp. 1–2. [Google Scholar]
  20. Wazid, M.; Das, A.K.; Odelu, V.; Kumar, N.; Susilo, W. Secure remote user authenticated key establishment protocol for smart home environment. IEEE Trans. Depend. Secur. Comput. 2017. [Google Scholar] [CrossRef]
  21. Yu, B.; Li, H. Anonymous authentication key agreement scheme with pairing-based cryptography for home-based multi-sensor Internet of Things. Int. J. Distrib. Sens. Netw. 2019, 15, 1–11. [Google Scholar] [CrossRef] [Green Version]
  22. Naoui, S.; Elhdhili, M.H.; Saidane, L.A. Novel Smart Home Authentication Protocol LRP-SHAP. In Proceedings of the IEEE Wireless Communications and Networking Conference (WCNC’19), Marrakech, Morocco, 15–18 April 2019; pp. 1–6. [Google Scholar]
  23. Fakroon, M.; Alshahrani, M.; Gebali, F.; Traore, I. Secure remote anonymous user authentication scheme for smart home environment. Internet Things 2020, 9, 1–20. [Google Scholar] [CrossRef]
  24. Dey, S.; Hossain, A. Session-key establishment and authentication in a smart home network using public key cryptography. IEEE Sen. Lett. 2019, 3, 1–4. [Google Scholar] [CrossRef]
  25. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Proceedings of the Annual International Cryptology Conference (CRYPTO’99), Santa Barbara, CA, USA, 15–19 August 1999; pp. 388–397. [Google Scholar]
  26. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques–Advances in Cryptology (EUROCRYPT’04), Lecture Notes in Computer Science (LNCS), Interlaken, Switzerland, 2–6 May 2004; Volume 3027, pp. 523–540. [Google Scholar]
  27. Abdalla, M.; Fouque, P.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Lecture Notes in Computer Science (LNCS), Les Diablerets, Switzerland, 23–26 January 2005; Volume 3386, pp. 65–84. [Google Scholar]
  28. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/ (accessed on 23 March 2019).
  29. Chang, C.C.; Le, H.D. A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans. Wirel. Commun. 2016, 15, 357–366. [Google Scholar] [CrossRef]
  30. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s Law in Passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
  31. Gope, P.; Das, A.K.; Kumar, N.; Cheng, Y. Lightweight and Physically Secure Anonymous Mutual Authentication Protocol for Real-Time Data Access in Industrial Wireless Sensor Networks. IEEE Trans. Ind. Inf. 2019, 15, 4957–4968. [Google Scholar] [CrossRef]
  32. Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Rodrigues, J.J.; Park, Y. Physically Secure Lightweight Anonymous User Authentication Protocol for Internet of Things Using Physically Unclonable Functions. IEEE Access 2019, 7, 85627–85644. [Google Scholar] [CrossRef]
  33. Odelu, V.; Das, A.K.; Goswami, A. A Secure Biometrics-Based Multi-Server Authentication Protocol Using Smart Cards. IEEE Trans. Inf. Forensics Secur. 2015, 10, 1953–1966. [Google Scholar] [CrossRef]
  34. von Oheimb, D. The high-level protocol specification language hlpsl developed in the eu project avispa. In Proceedings of the 3rd APPSEM II (Applied Semantics II) Workshop (APPSEM’05), Frauenchiemsee, Germany, 12–15 September 2005; pp. 1–17. [Google Scholar]
  35. AVISPA. SPAN, the Security Protocol ANimator for AVISPA. 2019. Available online: http://www.avispa-project.org/ (accessed on 23 March 2019).
  36. Wu, L.; Wang, J.; Choo, K.R.; He, D. Secure Key Agreement and Key Protection for Mobile Device User Authentication. IEEE Trans. Inf. Forensics Secur. 2019, 14, 319–330. [Google Scholar] [CrossRef]
Figure 1. A typical smart home architecture (adapted from [7]).
Figure 1. A typical smart home architecture (adapted from [7]).
Sensors 20 01215 g001
Figure 2. Summary of user registration.
Figure 2. Summary of user registration.
Sensors 20 01215 g002
Figure 3. Summary of login and authentication phase.
Figure 3. Summary of login and authentication phase.
Sensors 20 01215 g003
Figure 4. The simulation results under OFMC & CL-AtSe back-ends.
Figure 4. The simulation results under OFMC & CL-AtSe back-ends.
Sensors 20 01215 g004
Figure 5. (a) Throughput (bytes per second) (b) End-to-end delay (seconds).
Figure 5. (a) Throughput (bytes per second) (b) End-to-end delay (seconds).
Sensors 20 01215 g005
Table 1. Communication costs comparison.
Table 1. Communication costs comparison.
SchemeNo. of BytesNo. of Messages
Shuai et al. [7](108 + 84 + 36 + 68) = 2964
Yu and Li [21](84 + 124 + 164 + 164) × 2 = 10728
Naoui et al. [22](104 + 52 + 56 ) = 2123
Fakroon et al. [23](100 + 52 + 52 +84) = 2884
Dey and Hossain [24](132 + 132 + 52 + 52 + 52) = 4205
Proposed scheme(68 + 40 +56 +72) = 2364
Table 2. Computation costs comparison.
Table 2. Computation costs comparison.
SchemeU GWN SD Total Cost
Shuai et al. [7] 6 T h + 1 T m 7 T h + 1 T m 3 T h 16 T h + 3 T m
≈ 13.741 ms≈ 13.797 ms≈ 0.168 ms≈ 27.604 ms
Yu and Li [21] 7 T h + 14 T m 12 T h + 19 T m + 4 T b p 7 T h + 14 T m 26 T h + 47 T m + 4 T b p
≈ 188.062 ms≈ 386.219 ms≈ 188.062 ms≈762.343 ms
Naoui et al. [22] 12 T h + 3 T s y m + 2 T m 13 T h + 4 T s y m + 2 T m 1 T h + 1 T s y m 26 T h + 7 T s y m + 4 T m
≈ 32.453 ms≈ 34.166 ms≈ 1.713 ms≈68.332 ms
Fakroon et al. [23] 4 T h 5 T h 24 T h 33 T h
≈ 0.224 ms≈ 0.28 ms≈ 1.344 ms≈1.848 ms
Dey and Hossain [24] 4 T h + 2 T m + 3 T s y m - 3 T h + 2 T m + 3 T s y m 7 T h + 4 T e + 6 T s y m
≈ 32.005 ms≈ 0.0 ms≈ 31.949 ms≈63.954 ms
Proposed 10 T h + 1 T b 10 T h 4 T h 24 T h + 1 T b
≈ 13.965 ms≈ 0.56 ms≈ 0.224 ms≈14.749 ms
Table 3. Security & functionality features comparison.
Table 3. Security & functionality features comparison.
Feature V 1 V 2 V 3 V 4 V 5 V 6 V 7 V 8 V 9 V 10 V 11
Shuai et al. [7]
Yu and Li [21]
Naoui et al. [22]
Fakroon et al. [23]
Dey and Hossain [24]NANANA
Proposed
Note: ☑: The scheme is resilient against an attack or it supports a feature; ☒: The scheme is not secure against an attack or it does not support a feature; ⧆: Discussed in text. V 1 : “user anonymity”, V 2 : “sensor node anonymity”, V 3 : “untraceability”, V 4 : “resilience against replay attack”, V 5 : “resilience against man-in-the-middle attack”, V 6 : “resilience against ESL attack under the CK-adversary model”, V 7 : “resist off-line password guessing attack”, V 8 : “resist smart card impersonation attack”, V 9 : “resist parallel session attack”, V 10 : “resist password change attack”, V 11 : “support three-factor authentication”.
Table 4. Simulation parameters.
Table 4. Simulation parameters.
ParameterDescription
PlatformNS3(3.28)/Ubuntu 16.04 LTS
Network scenariosNo. of usersNo. of smart devices
135
2310
3315
4515
5520
6820
MobilityRandom (0–3 m/s)
Simulation time1200 s

Share and Cite

MDPI and ACS Style

Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Park, Y. An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments. Sensors 2020, 20, 1215. https://doi.org/10.3390/s20041215

AMA Style

Banerjee S, Odelu V, Das AK, Chattopadhyay S, Park Y. An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments. Sensors. 2020; 20(4):1215. https://doi.org/10.3390/s20041215

Chicago/Turabian Style

Banerjee, Soumya, Vanga Odelu, Ashok Kumar Das, Samiran Chattopadhyay, and Youngho Park. 2020. "An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments" Sensors 20, no. 4: 1215. https://doi.org/10.3390/s20041215

APA Style

Banerjee, S., Odelu, V., Das, A. K., Chattopadhyay, S., & Park, Y. (2020). An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments. Sensors, 20(4), 1215. https://doi.org/10.3390/s20041215

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop