Secure and Lightweight Authentication Protocol for Privacy Preserving Communications in Smart City Applications

Abstract

A smart city is a concept that leverages technology to improve the quality of life for citizens, enhance sustainability, and streamline urban services. The goal of a smart city is to use data and technology to manage resources and assets efficiently, make informed decisions, and create a more livable and thriving city for its residents. Smart cities rely on a range of technologies including the Internet of Things (IoT), Artificial Intelligence (AI), big data analytics, and cloud computing to gather, process, and analyze data from various sources. The aim is to create a city that is more connected, responsive, and sustainable, and that provides its residents with a better quality of life, opportunities, and services. A secure and efficient message communication protocol for sensitive information and real-time communication is critical for the functioning of a smart city environment. The main findings of this paper are to develop a new authentication protocol that meets the specific requirements and constraints of smart city applications. The message communication between smart cities is conducted with the help of a gateway. The challenge in constructing a working, viable infrastructure for a smart city is to provide secure authentication for message communication between the user and gateway node in one network, and the gateway node of one network to the gateway node of the other network. The objective for doing research to develop an authentication protocol that ensures the privacy and security of data transmitted in smart city applications while maintaining a lightweight and efficient design. This paper proposes a secure authentication protocol and key establishment scheme for access to the application in smart cities to make feasible access through the IoT environment. The proposed protocol ensures the mutual authentication between user and gateways, and the security analysis shows that the proposed protocol is effective against energy consumption and have less computational cost. The performance of the proposed method is analyzed and tested using BAN Logic and AVISPA security verification to confirm the authenticity of the security protocol. We do compare with past studies of which our proposed method outperformed.

1. Introduction

Smart cities are cities that use technology and data to enhance the quality of life for their citizens, increase sustainability, and streamline urban services. In terms of symmetry and asymmetry, these concepts can be applied to different aspects of a smart city. Symmetry in a smart city refers to a balanced distribution of resources and services across the city. For example, a symmetrical city would have equal access to healthcare, education, and public transportation regardless of location within the city. In contrast, an asymmetrical city would have an unequal distribution of resources and services, which can lead to disparities between different neighborhoods and populations. In terms of urban planning and design, symmetry can refer to the visual balance of buildings and public spaces, while asymmetry refers to an intentional imbalance in the design of a city. Both symmetry and asymmetry can be used to create aesthetically pleasing and functional cities, but it is important for cities to consider the effects of their design choices on the overall well-being and livability of the city for all its citizens. In smart cities, technology can also be used to achieve symmetry and address asymmetry. For example, smart transportation systems can help distribute resources more evenly across a city by optimizing traffic flow and reducing congestion, while data analysis can be used to identify areas with unequal access to resources and develop solutions to address these disparities [1].

The smart city application will be possible with the help of interconnected IoT devices [2]. Figure 1 shows all networks are connected to the internet through the specific gateway node. The user exchanges the information from one network to another network using the gateway node [3]. Due to the presence of a connected networks environment, it is imperative to implement security for communication between user to gateway, and gateway of one node to the gateway of another node. Moreover, several sensor devices are brought into contact with each other, raising the need for foolproof security for the fair exchange of information. Many protection methods and protocols were applied in different fields and layers of the networks [4], but, in the literature, many authentication protocols are not adequate for smart city application and environment security [5]. Due to the nature of the sensor having limited computational power and battery constraints, a specific and efficient cryptographic protocol is needed in the smart city scenario [6]. Furthermore, due to the heterogeneity of scenarios, a number of attack types are possible. These attacks can degrade the performance of smart cities application [7].

The principle of smart cities is associated with the number of security challenges and its requirements; it is necessary to provide a secure environment for the feasible transaction of information. In a smart city, there is communication between users with the gateway using a sensor device for secure authentication from user to gateway, gateway to user, and gateway of one node to another node. There is a need for mutual authentication to communicate each device in this environment. The past studies do not provide the solution of mutual authentication, whereas the present work is based on the authentication with less energy consumption and computational cost.

Following are the contributions given by this paper:

• An authentication protocol and critical exchange for smart cities is presented, and all the possible attacks and challenges are discussed in the paper;
• A proposed authentication protocol is analyzed with the help of Burrows–Abadi–Needham logic (BAN) to show the protocol is proficient and secure;
• The proposed protocol’s cryptographic computational cost and energy consumption are calculated to determine the protocol’s effectiveness;
• A proposed authentication protocol is simulated using automation validation of the internet security protocol and application (AVISPA) tool to verify the security;
• A proposed authentication protocol is compared with other related work, and the effectiveness in terms of minimization of different types of attacks is demonstrated.

The paper is divided into seven sections. Section 2 provides the related work on authentication protocol for a remote user to access the technology. Section 3 discusses the methodology and various phases to our proposed protocol to provide mutual authentication. Section 4 and Section 5 give the detailed security analysis including formal and informal verification. The comparative study is provided in Section 6. This paper is finally concluded in Section 7.

2. Literature Review

Many authentication protocols for sensor networks and communication have been proposed for different active and passive security attacks. These protocols may also deal with smart city authentication frames due to the presence of sensor nodes. The related work uses either symmetric key-based [8] or an asymmetric key-based approach [9]. For multicasting and the broadcasting of communication, symmetric-based public key cryptography is used. Mainly RSA [10] and ECC (elliptic curve cryptography) [11] are used for the sensor-based application. The number of the authentication protocols is based on this category [12,13,14,15,16].

In the literature, different user authentication protocols have been proposed based on smart cards. Turkanovic et al. [17] derived a protocol to provide user authentication for an ad hoc wireless sensor network (WSN). The protocol is lightweight and allows a remote user to generate a key to establish a session and do authentication. However, there is no such evidence that provides mutual authentication between remote users and the gateway. The four-step authentication model was not suitable to fulfill all the requirements such as anonymity and privacy in the network. In 2015 Mishra et al. [18] proposed the use of a password-based authentication. The protocol provides resistance against some known active and passive attacks and maintains user secrecy. In addition, it gives a lot of overhead for gateway nodes and is practically infeasible to implement.

In 2017 Moon et al. [19] provided an improved and efficient password authentication for remote users based on smart card technology. The protocol improved the performance and security functionally but still did not provide user anonymity and was not resistant against hidden gateway node attacks. The spoofing and impersonation attack may also not be ruled out in the alternatives suggested by this aforementioned literature. In 2019, Fatty and Amin proposed a protocol based on the ElGamal cryptosystem to provide security. The author claimed that it is safe against all types of active and passive attacks and provides less computational cost than other protocols [20]. The author claimed that the system overcomes all the other protocols’ limitations and provides the authentication framework with a low computational cost [21].

In the year 2020, Basudeb et al. [22] proposed a new biometric-based authentication protocol for smart cities. They allow a registered user to update their password based on biometric authentication. The scheme is robust and dynamically allocates the smart devices to the network. The comparative analysis shows it is secure against all potential attacks. Ghahramani et al. [23] proposed a biometric-based authentication protocol for smart city mobile networks. They remove the time complexity up to 53% in the proposed protocol. Xie et al. [24] proposed a secure authentication protocol for a wireless sensor network in smart cities. They improve the efficiency of resources such as transportation, healthcare, and energy. They use pi calculation-based formal verification to prove the efficiency of the protocol. Xueya et al. [25] proposed an authentication protocol for smart cities. They assure that the protocol provides better privacy and data security for the Internet of Things. They show that the protocol is secure under q-SDM problem and provide better performance than other proposed protocols.

Table 1. Comparison of communication, computation, and challenges in current authentication protocols.

References	Communication Cost	Computational Cost	Challenges of the Approach, Attacks Possible
[17]	4 messages	23TH + 8TE	Denial of service attack, privilege attack, ansider attack, untraceability, session key security, no mutual authentication
[18]	3 Messages	19TH + 3TM	Privilege attack, password guessing attack, untraceability, spoofing attack, no mutual authentication
[19]	4 Messages	17TH + 2TE + 6TM	Impersonation attack, anonymity, gateway spoofing attack, sensor spoofing attack, no mutual authentication
[20]	5 Messages	16TH + 4TE + 6TM	Password guessing attack, impersonation attack, no mutual authentication
[21]	4 messages	12TH + 4TE + 5TM	Anonymity, impersonation attack, denial-of-service attack, no mutual authentication
[22]	3 Messages	26TH + 2TE + 2TM	Password guessing attack, anonymity, no mutual authentication
[23]	5 messages	17TH + 4TE + 7TM	Denial of service attack, no mutual authentication
[24]	4 Messages	20TH + 6TE + 4TM	Impersonation attack, untraceability, no mutual authentication
[25]	4 messages	10TH + 7TE + 11TM	Anonymity, impersonation attack, no mutual authentication

shows analyses of computational comparison, communication cost, and the challenges in relation with attack possibility in the current authentication protocols.

On the basis of a sensor tag-based smart healthcare system, Deepak and Al-Turjman [26] suggested a user sign-in authentication approach that leverages single user sign-in for privacy. The protocol’s formal verification demonstrates its resistance to denial of service and replay attacks. A lightweight authentication approach for secured computing was put forth by Hammami et al. [27]. To provide a mechanism that establishes the authenticity of the user, the author analyzed the advantages and disadvantages of various protocols. The proposed methodology for supplying security is shown by the author to have lower computational and communication costs. By implementing the concept of multiple keys utilizing the key derivation function for end-to-end encryption and privacy, Masud et al. [28] established a strong and secure access scheme for cloud-based e-healthcare. According to Zhang et al. [29], it is effective to share cloud resources to deliver individualized medical treatment to patients utilizing smart IoT healthcare.

3. Methodology

This section presents the secure authentication protocol and key exchange for access to information in IoT applications. In the Figure 1 scenario, one network user wants to communicate with a user of another network. Authentication is needed between the user to gateways, and gateway 1 to gateway 2 of different network.

The proposed protocol comprises the following seven phases in order to ensure the security and privacy of sensitive information and devices. Firstly, the devices themselves need to be authenticated. This involves verifying that the device is legitimate and authorized to access the network. Secondly, the communication between devices needs to be authenticated. This involves verifying that the data being exchanged are coming from a legitimate device and have not been tampered with in transit. The protocol can be applied to all classes of communication between heterogeneous networks for IoT applications.

• Setup phase (Gateway);
• Registration phase (User);
• Sensor registration phase;
• Login phase (User);
• Authentication and key exchange phase (User);
• Update phase (Password);
• Revocation phase.

By implementing these various phases of authentication, IoT smart city providers can help to ensure that devices and networks are secure and protected against malicious attacks and unauthorized access.

Table 2. Symbolizations used in the paper.

Symbol	Description
Uj	User
GW	Gateway
d	Private key of gateway
ISi	Identity of the sensor
PKs	Public key of sensor
di	Private key of sensor
IUj	Identity of user
PUj	Password of the user
H( )	One-way hash function
SCj	Smart card
a,b	Prime numbers
ΔT	Transmission delay
T1, T2, T3	Time stamp
⊕	XOR operation
||	Concatenation

shows the notations used in the proposed protocol.

3.1. Gateway Setup Phase:

The gateways of different networks initiate a setup phase in offline mode as follows:

Step 1: The gateway ‘GW’ first selects the two large prime numbers p and q and computes n = p*q.

Step 2: The ‘GW’ chooses a number e and integer d such that

e*d = 1 mod n

d = e − 1 mod n

where we consider d as a gateway private key and e as a gateway public key for the initial setup phase.

3.2. Sensor Registration Phase:

All the sensor device communicating with the gateway should be registered offline with gateways as follows:

Step 1: For every sensor device ‘Si’, the GW chooses an identity ISi, private key di, and calculates the sensor public key as PKs = di*p, where p indicates the large prime number.

Step 2: Gateway GW further calculates pseudo-random identity

RSi = h (ISi || di)

where h indicates a one-way hash function.

Step 3: The gateway ‘GW’ loads {ISi, di, RSi} in the sensor memory Si and GW itself store (ISi, RSi, Pks) in its database and make PKs key as a public for all the users.

3.3. User Registration Phase:

The user ‘U’ sends a request to GW for registration and executes the following steps. Figure 2 explains the steps implemented in the registration phase.

Step 1: The user Uj select its identity IUj, random number Rj and the password PUj.

The user Uj completes the random identity of itself as

PUj = H (IUj || Rj).

The PUj is sent to the gateway for the registration of the user Uj using a secure communication link.

Step 2: The gateway ‘GW’, after receiving PUj from user Uj, then computes a message.

Mi = H (PUj || d),

where H indicates the one-way hash function and d is the private key of the gateway.

Step 3: The gateway generates a smart card SCj = {Mi, H (.), a, b} and sends it to user Uj using a secure communication link.

Step 4: A user Uj receives a smart card SCj and computes another password

APUj = H (PUj || Rj).

The user also computes three parameter Aj, Bj, Cj as

Aj = M1 ⊕ H (APUj || IUj)

Bj = H (IUj ⊕ APUj)

Cj = Rj ⊕ H (IUj || PUj).

All three parameters (Aj, Bj, Cj) are stored into the smart card SCj. The user Uj deletes the stored value M1 from the smart card (SCj) memory. The smart card now contains the information {(Aj, Bj, Cj, a, b, H (.))}.

3.4. User Login Phase:

User Uj executes the following login message to initiate a phase with the gateway node.

Step 1: The user Uj inserts a smart card with their identity IUj and password PUj.

Step 2: The smart card SCj computes the following

Rj′ = Cj ⊕ H (IUj || PUj)

PUj′ = H (IUj || Rj′)

APUj = H (PUj || Rj′)

Bj = H (IUj ⊕ APUj′)

Mj′ = Aj ⊕ H (APUj′ || IUj).

If Bj′ = Bj holds true, it verifies the user Uj and goes to the next phase.

If Bj’ ≠ Bj, i.e., not hold the condition, it does not verify the login request, and it gets rejected.

Step 3: The smart card SCj calculates a pseudo-random number Rs, the current timestamp Ti, and calculates

Dj = H (APUj′ || Rs || M1′ || T1)

Ej = H (PUj′ || APUj′ || Mj′) ⊕ Rs

Fj = H (PUj′ || APUj′ || Rs || M1′ || T1) a mod b.

After that smart card, SCj sends the message ˂Dj, Ej, Fj˃ to the gateway node through a secure communication network.

3.5. User Authentication and Key Exchange Phase

The gateway node GW verifies the user Uj and establishes the key exchange process, accessed between the sensor device and the user Uj of the system. A mutual authentication process between the user and the gateway with a shared session key will be generated as the following steps. Figure 3 explains the authentication phase and the key exchange steps.

Step 1: The gateway node GW received ˂Dj, Ej, Fj˃ message from the user Uj and finds the information {PUj′, APUj′, Rs, Mj, Tj}. The gateway node decrypts the Fj by using gateway private key d. The following node is able to find out

D = (Fj) mod b = (PUj′, APUj′, Rs, Mj, Tj).

The gateway GW verifies the validation of time stamp T ie |T2 − T1| ≤ ΔT. The timestamp helps to remove the replay attack from the authentication. If the timestamp condition is not satisfied, the procedure will terminate; else, it goes to the next stage of the authentication.

Step 2: Gateway compute M1′ = H (PUj || d) and compare with M1. If M1′ = M1, it holds true, and the process goes to the next stage; else, it terminates the user login request.

Step 3: If M1′ = M1 the gateway calculates Rs′ = Ej ⊕ H (PUj || APUj || M1), and if it find Rs′ = Rs it holds true, then goes to the next stage; else, it terminates in this phase.

Step 4: Gateway GW calculates Dj′ = H (APUj′ || Rs || M1′ || Tj) and verifies with Dj. If Dj′ = Dj it holds true, then the process moves to the next stage; else, the request is terminated.

Step 5: Gateway GW generates a pseudo-random number Rg and current timestamp T2, then calculates the session key as follows.

Sk = H (PUj || APUj || Rs′ || Rg || T1 || T2)

Gj = Rs′ ⊕ Rg

Kj = H (Sk || M1′ || Rg || T1 || Rs || T2)

and then the gateway sends the authentication request <Gj, Kj, T2> to the user Uj.

Step 6: The user Uj with the smart card SCj receives <Gj, Kj, T2>. The user first verifies the time stamp |T2 − T1| ≤ ΔT. If the time stamp holds true, the session goes to step 7; otherwise, the session is terminated.

Step 7: The user Uj computes

Rg′ = Rs ⊕ Gj

Sk = H (PUj || APUj || Rs′ || Rg || T1 || T2)

Kj = H (Sk || M1′ || Rg || T1|| Rs || T2).

If Kj′ = Kj holds true means, the user and gateway get mutually authenticated, and the authentication phase goes to the next stage; else, the session will terminate.

Step 8: The smart card SCj computes another timestamp T3 and calculates

Sk′ = H (Sk || M1′ || PUj || T2 || T3)

and sends <Sk′, T3> to the gateway node GW through the secure communication channel.

Step 9: The gateway node GW receives message <Sk′, T3>. The GW first verifies the time stamp and if |T3 − T2| ≤ Δ T holds true, then it computes

Sk′ = H (Sk || M1′ || PUj || T2|| T3)

and check Sk = Sk′.

3.6. Password Change Phase:

A user Uj executes this phase internally as follows:

Step 1: User Uj enters their identity IUj and its password PUj using the smart card to the specific sensor terminal ‘Si’.

Step 2: The smart card SCj calculates

Rj′ = Ci ⊕ H (IUj || PUj)

PUj′ = H (IUj || Rj′)

APUj = H (PUj || Rj′)

Bj′ = H (IUj ⊕ APUj′)

M1′ = Aj ⊕ H (APUj || IUj).

It checks the stored Bj in the smart card SCj and compares it with Bj′ if Bj′ = Bj. If it holds true, then verify that the user is authentic and ask for a new password NPUj; otherwise, terminate the session.

Step 3: The user Uj sends the generated new password to the gateway ‘GW’.

Step 4: The smart card SCj calculates

ANPUj = H (NPUj || Rj′)

NAj = M1′ ⊕ H (ANPUj || IUj)

NBj = H (IUj ⊕ ANPUj)

NCj = Rj′ ⊕ H (IUj || NPUj).

The smart card replaces all the values of Aj with new Aj (NAj), Bj with new Bj (NBj), and Cj with new Cj (NCj).

3.7. Revocation Phase

If the smart card SCj of any authentic user Uj is stolen or missing, it may be recovered by executing the following steps.

Step 1: The gateway node ‘GW’ helps users with new requests from users with new passwords. The old value of password and pseudo-random number will not be used again for the new user registration of the user. The reason behind this is to prevent impersonation attacks.

Step 2: The user Uj requests the gateway node GW to revoke the smart card. The gateway node verifies the user Uj with the help of previous known identification or values provided by the user Uj.

Step3: After verification from the user, the gateway node asks for a new password from the user. The user generates a new password PUj′ = H (IUj || Rj′) and submits the request to the gateway A <PUj′> through a secure communication channel.

Step 4: The gateway node calculates M1′ = H (PUj′ || d), where d is the gateway private key. The information (M1′a, b, (H)( is sent to the user through a secure communication channel.

Step 5: The user UJ with smart card SCj calculates

AUj′ = H (PUj′ || Rj′)

Aj = M1 ⊕ H (APUj || IUj)

Bj = H (IUj ⊕ APUj)

Cj = Rj ⊕ H (IUj || PUj).

All three parameters Aj′, Bj′, Cj′ are stored into the new smart card. Therefore, the new smart card contains {Aj′, Bj′, Cj′, a, b, h (.ּ)}.

4. Security Analysis

This section shows the informal analysis using BAN logic for proof of authentication in the proposed authentication protocol [30]. Additionally, we offer that the proposed work provides robust security against different types of known attacks. BAN logic helps the protocol to ensure that it works correctly. The logic allows for belief in the trusted parties involved in the communication and provides authenticity.

4.1. Informal Security Proof Using BAN Logic

To provide mutual, trustworthy authentication, we use BAN logic between user Uj, sensor Si, and GW. The following statements and notations prove that the proposed work follows the BAN Logic.

• A beliefs B: A |→ B states that user ‘A’ believes the statement of user ‘B’;
• A sees B: A ∇ B, i.e., A receives a B’s communication, which may be possible after decryption;
• A said B: A |~ B, i.e., A once said B, means A sent a message that includes a statement of user B;
• A control B: A has jurisdiction over B. A|⇒B, i.e., A believes that it is a trusted authority and can generate encryption keys;
• Fresh (B): The B is a new formula; this usually means for nonce includes time stamp or random number, which is used only once;
• A$\stackrel{K}{\leftrightarrow }$ B: This states that user A and user B shared a key ‘K’ for the communication;
• |$\stackrel{K}{\to }$A: This says that A has a public key, ‘k’;
• A$\stackrel{X}{\iff }$ B: The formula X is known to only users A and B;
• {B}k: Formula B is hashed with key k;
• < B > Y: this represents B confined with the formula Y.

The following logical hypotheses of BAN logic shows rules concern with the message.

Rule 1: Meaning message rule.

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{B} \stackrel{K}{\leftrightarrow } \mathrm{A}, \mathrm{A}\mathrm{sees} \{\mathrm{X}\}\mathrm{k}}{\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{said} \mathrm{B}}$$

i.e., the equation says that user ‘A’ believes that key ‘k’ is shared with user B and see ‘X’ is encrypted under ‘k’; i.e., shows user A believes user B once said X.

For shared secret key the postulate becomes

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{B} \stackrel{Y}{\iff }\mathrm{A}, \mathrm{P} \mathrm{sees}\langle \mathrm{B}\rangle \mathrm{Y}}{\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{said} \mathrm{X}}$$

Rule 2: Nonce rule of verification.

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{fresh} \left(\mathrm{B}\right),\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{said} \mathrm{X}}{\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{believes} \mathrm{X}}$$

It says that A believes B believes X, if A believes B once A believes X is fresh.

Rule 3: The jurisdiction rule.

It states that user A believes user B has authority over X, then user A trusts user B’s beliefs on X

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{control} \mathrm{X},\mathrm{A} \mathrm{believes} \mathrm{B} \mathrm{believes} \mathrm{X}}{\mathrm{P} \mathrm{believes} \mathrm{X}}$$

Rule 4: Belief rule if user A sees a formula, then they also see all the component.

$$\frac{\mathrm{A} \mathrm{sees} \left(\mathrm{X},\mathrm{Y}\right)}{\mathrm{A} \mathrm{see} \mathrm{X}}$$

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{k}| \mathrm{B}, \mathrm{A} \mathrm{sees} \left\{\mathrm{X}\right\}\mathrm{K}-1 }{\mathrm{A} \mathrm{see} \mathrm{X}}$$

Rule 5: Freshness rule.

It says that the complete formula is said to be fresh, if one part of the formula is fresh.

$$\frac{\mathrm{A} \mathrm{believes} \mathrm{fresh} \left(\mathrm{X}\right)}{\mathrm{A} \mathrm{believes} \mathrm{fresh}\langle \mathrm{X},\mathrm{Y}\rangle }$$

Theorem 1.

The proposed authentication protocol provides the mutual authentication between user Uj and gateway node GW.

Proof. 

The following procedure shows the mutual authentication between user Uj and gateway with their goal.

Our goals:

G1:	$\mathrm{Uj} |\equiv \mathrm{Uj} \stackrel{Sk}{\leftrightarrow }$GW
G2:	$\mathrm{GW} |\equiv \mathrm{UJ} \stackrel{Sk}{\leftrightarrow }$ GW
A1:	Uj |≡ # (Ti), Uj |≡ # (Tj);
A2:	GW |≡ # (Ti), Uj |≡ # (Tk);
A3:	GW |≡ # (Ti), GW |≡ # (Tk), GW |≡ # (Tj);
A4:	$\mathrm{GW} |\equiv (\mathrm{GW}\stackrel{e,d}{\leftrightarrow }$Uj);
A5:	$\mathrm{SCj} |\equiv (\mathrm{GW} \stackrel{e,d}{\leftrightarrow }$ Scjj);
A6:	SCj |≡ (GW ⇒ GW |~ X;
A7:	$\mathrm{Uj} |\equiv (\mathrm{Uj} \stackrel{RSi}{\leftrightarrow }$ SCj);
A8:	$\mathrm{SCj} |\equiv (\mathrm{Uj} \stackrel{RSi}{\leftrightarrow }$ SCj)
A9:	Uj |≡ SCj ⇒$(\mathrm{Uj} \stackrel{Sk}{\leftrightarrow }$ SCj).
A10:	$\mathrm{Uj} |\equiv \mathrm{Uj} \stackrel{Sk}{\leftrightarrow }$ GW
A11:	$\mathrm{GW} |\equiv \mathrm{Uj} \stackrel{Sk}{\leftrightarrow }$ GW

Goal G1 and G2 clearly shows that the user is mutually authenticated with the sensor and the gateway. □

4.2. Security Analysis on the Different Attacks

In this section, we examined the ways in which our proposed protocol protects against different types of known security attacks.

Property 1.

The proposed protocol is resistant against user impersonation attacks.

The proposed authentication protocol provides resistance against impersonation attacks. Let the intruder I intercept the communicated message < Dj, Ej, Fj> during the login phase, where

Dj = H (APUj′ || Rs || Mj′ || Tj)

Ej = H (PUj′ || APUj′ || Mj′) ⊕ Rs

Fj = H (PUj′ || APUj′ || Rs || Mj′ || Tj) a mod b.

The intruder does not have knowledge of the parameter PUj′, Rs, Ej for logging into the session. So, the proposed work is secure against the impersonation attack.

Property 2.

The proposed work provides protection against denial-of-service attacks.

The proposed protocol uses the concept of current timestamp T1, T2, T3 during user authentication and key exchange phase. In the proposed protocol, the gateway GW verifies the user Uj with identity IUj and password PUj before providing access to the information. Hence, the proposed work is secure against denial-of-service attacks.

Property 3.

The proposed work provides protection against privileged insider attacks.

A privileged user at the gateway node may be the intruder I and obtain RIUj, which may be the user Uj information during the registration phase. Let the smart card be stolen and lost. Intruder A may not be able to guess the password PUj and APUj due to the presence of a masked password APUj, which is not directly shared with the smart card SCj. Further, the information is protected through the one-way hash function, and it is infeasible to calculate the hash.

Property 4.

The proposed work provides protection against insider attacks.

Let the intruder I be at the gateway node and able to obtain PUj. The user UJ does the hash function on the password and a random number PUj = H (IUj II Rj). Intruders are not able to get the identification because the hash function is a one-way function and not reversible. In addition, PUj is not used in any authentication procedure for any computation. Hence, intruders ‘I’ may not be able to forge any information used PUj.

Property 5.

The proposed work provides protection against lost/stolen smart card attacks.

Let us assume that the intruder gets the smart card of any legitimate user Uj. The security parameter that the smart card contains is {Aj′, Bj′, Cj′, a,b,h(ּ)}. An intruder may perform several attacks to known Ai, Bi, and Ci, but intruder I will never be able to find out these parameters.

Aj = M1 ⊕ H (APUj || IUj)

Bj = H (IUj ⊕ APUj)

Cj = Rj ⊕ H ( IUj || PUj).

Hence, all the parameters are collision resistance hash function (hּ). So, intruder I cannot forge and find out any information if the smart card is stolen or lost.

Property 6.

The proposed work provides protection against offline password guessing attacks.

This is a common type of attack that any intruder tries to attempt. Let us suppose the intruder steals the smart card of any user Uj and is able to see {Aj, Bj′, Cj′ (a,b,hּ)} where

Aj = M1 ⊕ H (APUj || IUj)

Bj = H (IUj ⊕ APUj)

Cj = Rj ⊕ H (IUj || PUj)

and APUj = H (Puj || Rj).

Due to the presence of polynomial time, the intruder cannot find IUj or PUj and these values are not directly stored into the smart card due to the presence of a one-way hash function. The intruder may not be able to calculate or guess the password and identity of users.

Property 7.

The proposed work provides protection against man-in-the-middle attacks.

Suppose the intruder I intercept in the login phase where the smart card sends a message <Dj, Ej, Fj> to the gateway node. They may try to acquire the message and modify the message for another login request, for this intruder will have to select a random number Rs* and current timestamp T1* and try to able to calculate.

Dj = H (APUj′ || Rs* || M1′ || T1*)

Ej = H (Puj′ || APUj′ || M1′) ⊕ Rs*

Fj = H (Puj′ || APUj′ || Rs* || M1′ || T1*) a mod b.

However, this is infeasible for an intruder to find PUj, M1, and APUj and again all the parameters Dj,Ej,Fj are hashed which is not reversible. Consequently, the MIMA is not possible in the proposed protocol.

Property 8.

The proposed work provides protection against anonymity and is untraceable.

Let us assume intruder I calculates and tries to find out login request < Dj, Ej, Fj > and <Dj*, Ej*, Fj*>

where

Dj = H (APUj′ || Rs* || M1′ || T1*)

Ej = H (PUj′ || APUj′ || M1′) ⊕ Rs*

Fj = H (PUj′ || APUj′ || Rs*|| M1′ || T1*) a mod b.

To find the intruder and legitimate user, both have the same parameter and value. The value of Rs and T1 should be the same, and the importance of random number Rs is constantly changing. The intruder is unable to find out the exact value Rs and the time stamp T1. Further, user identity is not identified in any message, hence the proposed scheme provides anonymity and intractability.

Property 9.

The proposed work provides the mutual authentication.

The proposed work provides the mutual authentication between users Uj with the gateway GW. Both user and gateway validate each other. Similarly, the user with sensor Sj also authenticates itself to the gateway. Thus, the gateway and sensor provide mutual authentication with each other. Overall, there is authentication needed at each level of sharing of information in the communication channel.

Property 10.

The proposed work provides the security of the session key.

The session key Sk = H (PUj′ || APUj′ || Rs′ || Rg || T1 || T2) is secure, due to presence of random number Rs and Rg. In the session key, there is no clear indication of user identification IUj and password PUj, so the intruder may not be able to find out the value of APUj and <Dj, Ej, Fj> using these parameters. Thus, the proposed work provides security for the shared session key.

5. Formal Validation Using Avispa

In this section, we make a presentation for the simulation of authentication and key exchange protocol using automation validation of internet security protocol and application (AVISPA) [31,32]. AVISPA is coded in high-level protocol specification language (HLPSL) [33,34,35].

This is a compelling language for the authentication protocol. Using the simulation, we find that our protocol is free from all types of known attacks. The HLPSL code for the proposed protocol with all entities (such as user Uj and gateway GW) is provided in Figure 4 and Figure 5. The HLPSL code for goal, session, and environment is shown in Figure 6 and Figure 7. The result of the simulation is shown in Figure 8 and Figure 9. From these figures, our proposed work confirmations resist all types of known attacks. Figure 8 and Figure 9 show that our protocol is SAFE in both simulation environments, that is, OFMC and CI-Atse model. This indicates that the protocol is secure against reply attacks, MITM attacks, and other active and passive attacks.

6. Comparative Analysis

This section presents a comparison of the security feature of proposed work with other related work. Developing a secure and lightweight authentication protocol for privacy preserving communications in smart city applications is a challenging task that involves several technical and non-technical problems. Some of the key problems include:

• Security: One of the main challenges in developing an authentication protocol is ensuring its security against various types of attacks, such as impersonation, replay, and man-in-the-middle attacks. The protocol must be designed to prevent these attacks and protect sensitive data transmitted between devices;
• Privacy: Another challenge is preserving the privacy of user data, which is critical in smart city applications that involve sensitive information, such as location and personal data. The protocol must be designed to prevent tracking, profiling, and other privacy violations;
• Resource constraints: Smart city devices, such as sensors and mobile devices, often have limited computational power, memory, and battery life. The protocol must be lightweight and efficient to minimize resource consumption and avoid impacting device performance;
• Scalability: Smart city applications involve a large number of devices and users, which can make it challenging to scale the authentication protocol. The protocol must be designed to support large-scale deployments and minimize communication overhead;
• Compatibility: Smart city applications may use different communication technologies and protocols, which can make it difficult to ensure compatibility and interoperability between devices. The authentication protocol must be designed to support different communication technologies and ensure interoperability between devices;
• Cost: Developing and deploying a new authentication protocol can be costly, especially in large-scale smart city applications. The protocol must be cost-effective and scalable to minimize the overall cost of the smart city system.

A comparative analysis with selected papers on authentication in IoT smart cities can help to provide a deeper understanding of the various authentication methods and techniques being used in this field, as well as their strengths and limitations. The comparison provides the security feature and usefulness of proposed work.

Table 3. Comparison of the security feature of proposed work with other related work.

S.No	Security Feature	Mishra et al. [18]	Moon et al. [19]	Turkanovic et al. [17]	Proposed
1	Impersonation attack	Yes	No	Yes	Yes
2	Denial of service attack	Yes	Yes	No	Yes
3	Privilege attack	No	Yes	No	Yes
4	Insider attack	Yes	Yes	No	Yes
5	Smart card stolen	Yes	Yes	Yes	Yes
6	Offline password guessing attack	No	Yes	No	Yes
7	Man in the middle attack	Yes	Yes	Yes	Yes
8	Anonymity	Yes	No	Yes	Yes
9	Untraceability	No	Yes	No	Yes
10	Session key security	Yes	Yes	No	Yes
11	Forgery attack	Yes	Yes	Yes	Yes
12	Mutual authentication	Yes	Yes	No	Yes
13	Smart card revocation	Yes	Yes	No	Yes
14	Forward secrecy	Yes	Yes	Yes	Yes
15	Authentication of smart card	Yes	Yes	Yes	Yes
16	Gateway spoofing attack	No	No	No	Yes
17	Online password guessing attack	No	Yes	No	Yes
18	Malicious user attack	No	Yes	No	Yes
19	Sensor spoofing attack	No	No	No	Yes
20	Hidden gateway attack	No	No	No	Yes

shows the assessment of cryptographic computational cost among the proposed work.

Table 4. Assessment of cryptographic computational cost of proposed protocol with related work.

Protocol	Registration Phase	Login Phase	Authentication Phase	Password Change Phase
Mishra et al. [25]	3TH	TE + 3 TH	3TE + 6 TH	4TE + 11TH
Moon et al. [36]	5TH	2TM + 4 TH	4TM + 2TE + 5TH	3TH
Turkanovic et al. [24]	7TH	5TH + TM	7TH + 2TM	-
Proposed	3TH	TE + 4TH	2TE + 5TH	2TH

T_E: time for exponential computation, T_H: time for hash, T_M: time for multiplication and division.

uses the notation TE for time required for exponential computation, TH for time needed for hash computation, TM is for multiplication and division, and TF is for fuzzy extraction. The comparison shows the great efficiency of the proposed work. The proposed work is lightweight and uses one-way hash function h() and Exclusive-OR (XOR) operation to better the IoT environment.

Table 5. Time taken and energy consumption of proposed protocol.

Protocol Phase	Mishra et al. [25]	Moon et al. [36]	Turkanovic et al. [24]	Proposed Protocol
Total cost	23TH + 8TE	17TH +2TE+ 6TM	19TH +3TM	14TH + 3TE
Total time taken	1.37 ms	1.64 ms	0.70 ms	0.53 ms
Total energy consumption	32.8 mj	39.36 mj	16.8 mj	12.72 mj

shows the computation cost of cryptographic operations of related work. Our scheme demands less computational cost related to other protocols. For example, according to the data available in Xu et al. [34] the execution time required for the hash function TH is 0.004 ms, and the time for the execution of exponential function TE is 0.16 ms, while the time needed for the performance of multiplication function TM is 0.21ms. These values are calculated by using C/C++ library in MI RACL.

The efficiency of the proposed protocol in terms of time effectiveness and energy consumption is shown in Figure 10. The proposed protocol takes 0.53 ms to complete the execution process and required 12.72 mj of energy consumption. We used the formula E = U *I * t for calculating the energy consumption for the value of I = 8mA and U = 3.0 V at active mode. Table 4 shows significant improvement in the proposed protocol. Figure 10 shows the execution time and the energy consumption of the different authentication protocols.

7. Conclusions

We have discussed the smart city scenario based on IoT applications and their security requirements and challenges. The proposed protocol is designed to ensure the privacy and security of data transmitted in smart city applications while maintaining a lightweight and efficient design. The proposed protocol provides efficient authentication between users to the gateway in an IoT network. The key exchange provides the user and gateway for the effective sharing of information. In this paper, proposed work provides mutual authentication for communication between user, sensor, and gateway node. The proposed protocol is scalable and interoperable to support large-scale smart city deployments and different communication technologies. The security analysis using BAN logic helps to provide proof of the proposed protocol and shows that it is perfect and secure against different types of active and passive attacks. The proposed protocol is efficient in terms of computational cost, execution time, energy efficiency, and security features. The AVISPA analysis shows the practical implementation and feasibility in the smart city environment with great security features.

In future work, a more secure protocol for mutual authentication will be designed for intelligent transportation and smart healthcare. In addition, we would also extend this work by using some machine learning techniques.