Toward a Secure Smart-Home IoT Access Control Scheme Based on Home Registration Approach

Abstract

The extensive application of the Internet of Things (IoT) and artificial intelligence technology has greatly promoted the construction and development of smart cities. Smart home as the foundation of smart cities can optimize home lifestyles. However, users access the smart home system through public channels, and the transmitted information is vulnerable to attack by attackers, and the privacy and data security of the home user will be difficult to be guaranteed. Therefore, how to protect users’ data and privacy security becomes critical. In this paper, we design a provably secure authentication scheme for the smart home environment, which ensures that only legitimate users can use smart devices. We use the informal model to verify the security of the scheme and formally analyze the security and correctness of the scheme through the Real or Random model. Finally, through the comparison of security and performance analysis, it is proven that our scheme has higher security under similar performance.

1. Introduction

The Internet of things (IoT) [1,2], cloud computing [3,4], big data [5,6], artificial intelligence [7,8], 5G and other technologies have promoted the construction and development of smart city. Smart city [9] covers all fields of life, such as smart transportation [10,11], smart healthcare [12], smart home, smart grid, etc., which are an indispensable part of smart city. As the foundation of smart city, smart home [13,14] is also the field closest to people’s daily life. It can provide an information exchange function for families. People can operate and monitor smart home devices through the Internet and know what happens at home any time, improving people’s comfort in life and optimizing people’s lifestyles. The smart home environment includes various smart devices, such as refrigerators, cameras, curtains, etc. People can control smart devices through smartphones or tablets to enjoy their services. For example, users can view the camera remotely to understand what is happening at home; the users can control the temperature of the air conditioner through the smart phone.

A typical smart home architecture shown in Figure 1 consists of four entities: registration authority (RA), gateway, smart device, and users. RA is a trusted entity that mainly authorizes the gateway as the home registration center. Gateway is a semi-trusted entity that helps users to communicate with smart home devices and is responsible for registration. Smart device refers to all kinds of smart home appliances in the family, such as smart refrigerators, smart air conditioners, etc., where they are semi-trusted entities, and are connected to the gateway by wireless networks to provide users with various services. Only family members can register with the gateway to become legal users. In this architecture, users need to connect the home devices via the gateway, and then operate the home devices through the smart home APP or voice assistant, such as adjusting the indoor temperature, switching lights, adjusting curtains, playing music, etc. Although the smart home has changed people’s lives, it faces many security threats and challenges. For example, since smart home devices are connected to the Internet, malicious attackers can access users’ private information by intercepting transmitted messages via open channels. Therefore, ensuring a secure smart-home IoT access control scheme is very important.

At present, some scholars protect users’ privacy through differential privacy [15], quick response (QR) code [16] and other technologies, and many scholars have proposed many authentication and key agreement (AKA) schemes [13,17,18,19,20,21,22,23,24] to protect the confidentiality and security of transmitted information, but most of their schemes have various security problems, such as unable to achieve mutual authentication, unable to resist offline password guessing (OPG) attacks, insider attacks, impersonation attacks, etc. In order to protect and improve the security of information, Intel has proposed a new set of CPU instruction extensions called software guard extensions (SGX) [25,26] technology. It is a kind of hardware that can create a trusted execution environment (TEE) to protect code and data, which even high-level system software cannot access. The system will allocate a pre-reserved physical memory area for SGX technology, which is called enclave page cache (EPC), and the code and data are stored in a secure environment, called enclave. The application protected by SGX is divided into two parts: trusted part and untrusted part. The trusted part will run in the safe memory and conduct integrity measurement when loaded into Enclave to ensure the integrity and security of data. The program access address is in the Enclave and the physical address is in the EPC. Because the two achieve access control through a unique mapping relationship, it can ensure that external programs cannot access the enclave memory. SGX provides automatic generation functions Ecall and Ocall. Some privacy data is stored in Enclave memory through Ecall function. After confidential calculation is completed in Enclave, the calculated results are returned through Ocall function.

To ensure the secure transmission of remote control data, we propose a scheme based on SGX, which can help our scheme effectively resist insider attacks. Our main contributions are as below:

(1)

We propose a new framework that features the ability to be registered within a family. Different from the past, we authorize the smart gateway as a home registration center by the registration authority (RA), so that users and smart devices can complete registration at home, which also facilitates the addition of future members and devices. This process can be completed only at home.

(2)

According to our survey, this is the first paper to apply SGX to smart home environments. Using SGX can be effective to prevent insider attacks.

(3)

We demonstrate the security of the proposed scheme using Real-Or-Random (RoR) model and informal security analysis. Furthermore, we compare the proposed scheme with other existing schemes, and the results reveal that our scheme offers higher security with similar performance.

The remainder of the paper is arranged as follows. Section 2 is related work, Section 3 is the proposed scheme, the security analysis is in Section 4, and Section 5 is the performance comparison. Our conclusion is in Section 6.

2. Related Work

Numerous authentication and key agreement (AKA) schemes have been put forward to ensure the secure transmission of information in smart home systems. Some authentication schemes are listed in Table 1. Jeong et al. [27] devised an authentication scheme based on home network environment. The author proved that their scheme is secure, but the user’s identity is immediately transmitted on the public channel, which does not realize user anonymity, and is unable to withstand tracking attacks. Vaidya et al. [28] proposed a lightweight AKA scheme for secure remote access to the home network. However, Kim et al. [29] demonstrated that their scheme is unable to provide user anonymity, mutual authentication, and cannot resist OPG attacks. Later, Kim et al. [29] put forward an enhanced scheme based on Vaidya et al. [28]. Li et al. [30] put forward a lightweight AKA scheme for the home energy management system. The wireless node and the control center completed authentication and established session key, but the user and the control center lacked the authentication process. Han et al. [31] devised an authentication scheme to solve the problem of secure pairing of consumer electronic products in the smart home environment, but their scheme requires manufacturers to be online all the time is unrealistic. Santoso and Vun [32] devised a secure two-factor AKA scheme, which uses elliptic curve cryptography (ECC) technology and is suitable for the smart home environment based on the IoT. Kumar et al. [33] also proposed a lightweight scheme for this environment and realized the establishment of session key between gateway and smart device. However, other scholars have proved that anonymity and untraceability cannot be provided.

Ashibani and Mahmoud [34] designed an identity-based AKA scheme. The scheme uses ECC and pairing operations with high computational complexity, which can realize secure mutual authentication between users and smart devices. However, they ignore that smart devices have limited computing power. In order to solve the above problems, Wazid et al. [35] designed a lightweight remote user authentication scheme. The home gateway helps user and smart device complete authentication and establish session key, and proves that their scheme is secure. Unfortunately, Shuai et al. [13] discovered that Wazid et al.’s [35] scheme cannot withstand desynchronization attacks, and when the gateway is damaged, the user authentication table in the gateway is easy to be leaked. Users’ privacy is very easy to disclose. Shuai et al. [13] devised an AKA scheme using ECC. However, Kuar et al. [19] have demonstrated that their scheme cannot resist OPG, insider, and session key disclosure (SKD) attacks. Kaur et al. [19] proposed a two factor authentication scheme, but Yu et al. [17] stated that it cannot withstand simulated attacks and provide mutual authentication. Chifor et al. [36] devised an authentication scheme that can provide fast online identity authentication and realize password free authentication between users and smart devices. Ghosh et al. [37] designed a secure multi-level authentication scheme, which can resist many common attacks. Dey and Hossian [38] designed an authentication scheme using the public key cryptosystem and asserted that their scheme was resistant to various common attacks. However, Gaba et al. [39] found that their scheme is unable to resist smart device stolen (SDS) attacks, and could not guarantee anonymity and confidentiality. Then, Gaba et al. [39] designed an ECC-based authentication scheme to ensure the positioning security of household devices. Naoui et al. [40] designed an authentication framework based on the user’s configuration file, request time, location and other context information. Poh et al. [41] proposed a scheme to protect data privacy. However, Irshad et al. [42] proved that their scheme could not achieve the confidentiality of user authentication parameters. They propose a new two-factor AKA scheme that ensures perfect froward secrecy (PFS) by using a circular fuzzy extractor. Banerjee et al. [43] designed a lightweight anonymous AKA scheme suitable for this environment. Unfortunately, AL-Turjman and Deebak [44] discovered that their scheme could not provide identity protection and traceability. Zou et al. [18] devised a more secure scheme. Yu et al. [17] devised a three factor AKA scheme, but Alzahrani et al. [45] found that Yu et al.’s scheme [17] cannot provide mutual authentication. Piraytesh et al. [21] proposed a hyperelliptic curve cryptosystem-based AKA scheme in smart home, which they claim ensures good performance. Guo et al. [22] designed an AKA scheme based on smart home, and introduced fog nodes into the scheme to process the data of smart devices faster.

At present, some scholars have applied SGX to other environments to design schemes. Sun et al. [25] used SGX to design schemes to better protect dynamic identity authentication. Liu et al. [26] devised an AKA scheme that applies SGX to wireless sensor networks (WSNs). The scheme also uses dynamic authentication certificate (DAC) to ensure more effective secure communication.

Table 1. The summary of authentication schemes.

Schemes	Advantages	Shortcomings
Shuai et al. [13]	(1) Provides mutual authentication (2) Can resist impersonation attacks	(1) Cannot resist insider attacks (2) Cannot resist SKD attacks (3) Cannot resist OPG attacks
Yu et al. [17]	(1) Can provide user anonymity (2) Can resist PFS attacks	(1) Cannot provide mutual authentication
Zou et al. [18]	(1) Can resist SDS attacks (2) Provides mutual authentication	−
Kaur et al. [19]	(1) Can resist OPG attacks (2) Provides user anonymity	(1) Cannot resist impersonation attacks (2) Cannot provide mutual authentication
Vaidya et al. [28]	(1) Can resist SKD attacks (2) Provides PFS	(1) Cannot provide user anonymity (2) Cannot provide mutual authentication (3) Cannot resist OPG attacks
Santoso and Vun [32]	(1) Provides user anonymity (2) Provides PFS	−
Wazid et al. [35]	(1) Can resist insider attacks (2) Provides PFS (3) Can resist OPG attacks	(1) Cannot resist desynchronization attacks
Banerjee et al. [43]	(1) Provides PFS (2) Can resist OPG attacks	(1) Cannot provide user anonymity and untraceability

Table 1. The summary of authentication schemes.

Schemes	Advantages	Shortcomings
Shuai et al. [13]	(1) Provides mutual authentication (2) Can resist impersonation attacks	(1) Cannot resist insider attacks (2) Cannot resist SKD attacks (3) Cannot resist OPG attacks
Yu et al. [17]	(1) Can provide user anonymity (2) Can resist PFS attacks	(1) Cannot provide mutual authentication
Zou et al. [18]	(1) Can resist SDS attacks (2) Provides mutual authentication	−
Kaur et al. [19]	(1) Can resist OPG attacks (2) Provides user anonymity	(1) Cannot resist impersonation attacks (2) Cannot provide mutual authentication
Vaidya et al. [28]	(1) Can resist SKD attacks (2) Provides PFS	(1) Cannot provide user anonymity (2) Cannot provide mutual authentication (3) Cannot resist OPG attacks
Santoso and Vun [32]	(1) Provides user anonymity (2) Provides PFS	−
Wazid et al. [35]	(1) Can resist insider attacks (2) Provides PFS (3) Can resist OPG attacks	(1) Cannot resist desynchronization attacks
Banerjee et al. [43]	(1) Provides PFS (2) Can resist OPG attacks	(1) Cannot provide user anonymity and untraceability

3. The Proposed Scheme

In this section, we introduce the proposed scheme in detail, the network model of this scheme is shown in Figure 2. The proposed scheme includes three phases: authorization gateway, registration, and access and control. The notations used in the paper are listed in Abbreviations.

3.1. Authorization Gateway Phase

$RA$ selects $I{D}_k,r_k$, computes the temporary identity $PI{D}_k=h(I{D}_k \Vert r_k)$ of $GW$, and transmits $\{I{D}_k,PI{D}_k\}$ to $GW$; $GW$ stores $\left\{PI{D}_k\right\}$ in memory. Then, $GW$ selects $F_p,G,P$, x. Then, $GW$ computes $X=x·P$, stores $\left\{(PI{D}_k,I{D}_k,x)\right\}$ in SGX, and publish $\{E\left(F_p\right),G,P,X\}$.

3.2. Registration Phases

At this phase, users and smart devices register with the gateway as a legal entity, and all registration information is transmitted on the secure channel.

3.2.1. User Registration Phase

(1)

$U_i$ chooses identity $I{D}_i$, password $P{W}_i$ and biometrics $B_i$, and then transmits the $I{D}_i$ to the $GW$;

(2)

$GW$ selects random number $a_i$, computes $HI{D}_i=h(I{D}_i \Vert a_i)$, and sends $HI{D}_i$ to $U_i$;

(3)

$U_i$ calculates $Gen\left(B_i\right)=({\sigma }_i,{\tau }_i)$, $Aut{h}_i=h(I{D}_i \Vert P{W}_i \Vert {\sigma }_i)$, and stores $Aut{h}_i,HI{D}_i,{\tau }_i$ in their own mobile device.

Table 2. User registration phase.

${\mathit{U}}_{\mathit{i}}$		$\mathit{GW}$
Select $I{D}_i$, $P{W}_i$, $B_i$
	$\stackrel{\left\{I{D}_i\right\}}{\to }$
		Select $a_i$
		Compute $HI{D}_i=h(I{D}_i \Vert a_i)$
	$\stackrel{\left\{HI{D}_i\right\}}{\leftarrow }$
Compute $Gen\left(B_i\right)=({\sigma }_i,{\tau }_i)$
$Aut{h}_i=h(I{D}_i \Vert P{W}_i \Vert {\sigma }_i)$
Store {$Aut{h}_i,HI{D}_i,{\tau }_i$} in mobile device

shows the detailed process.

3.2.2. Smart Device Registration Phase

(1)

$D_j$ chooses its own identity $SI{D}_j$ and transmits it to the $GW$;

(2)

$GW$ selects random number $r_j$, computes $PI{D}_j=h(SI{D}_j \Vert r_j)$, stores $PI{D}_j$ in memory, and stores $\left\{(PI{D}_j,I{D}_j)\right\}$. Finally, it sends $PI{D}_j$ to $D_j$;

(3)

$D_j$ stores $PI{D}_j$ in its own memory.

3.3. Access and Control Phase

The $GW$ assists the $U_i$ and the $D_j$ in completing identity authentication and establishing a session key. Messages between devices are also transmitted through public channels. The detailed process is shown in

Table 3. Login and authentication phase.

${\mathit{U}}_{\mathit{i}}$	$\mathit{GW}$	${\mathit{D}}_{\mathit{j}}$
Input $I{D}_i$, $P{W}_i$, $B_i$
Compute ${\sigma }_i=Rep(B_i,{\tau }_i)$
$Aut{h}_i^{\prime }=h(I{D}_i \Vert P{W}_i \Vert {\sigma }_i)$
Check $Aut{h}_i^{\prime }\stackrel{?}{=}Aut{h}_i$
Select $d_1,d_2,T_1$
$C_1=d_1·P$
$C_2=d_1·X$
$C_3=d_2\oplus C_2\oplus SI{D}_j$
$C_4=I{D}_i\oplus h(SI{D}_j \Vert d_2)$
$V_1=h(C_2 \Vert I{D}_i \Vert T_1)$
$\stackrel{M_1=\left\{PI{D}_k,PI{D}_j,C_1,C_3,C_4,V_1,T_1\right\}}{\to }$
	$|T-T_1|\leqq \Delta T$
	Send $PI{D}_j,PI{D}_k$ to SGX
	Match $SI{D}_j,x$ according $PI{D}_j,PI{D}_k$
	Compute $C_2^{\prime }=x·C_1$
	$d_2^{\prime }=C_3\oplus C_2^{\prime }\oplus SI{D}_j$
	$I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$
	$V_1^{\prime }=h(C_2 \Vert I{D}_i \Vert T_1)$
	Check $V_1^{\prime }\stackrel{?}{=}{V}_1$
	Select $T_2$
	$C_5=I{D}_i\oplus d_2\oplus h(SI{D}_j \Vert T_2)$
	$V_2=h(SI{D}_j\oplus d_2\oplus T_2)$
	$\stackrel{M_2=\left\{C_5,V_2,T_2\right\}}{\to }$
		$|T-T_2|\leqq \Delta T$
		Compute $I{D}_i\oplus d_2=C_5\oplus h(SI{D}_j \Vert T_2)$
		$V_2^{\prime }=h(I{D}_i\oplus d_2 \Vert T_2)$
		Check $V_2^{\prime }\stackrel{?}{=}{V}_2$
		Select $T_3,d_3$
		$S{K}_{ji}=h(SI{D}_j\oplus d_3 \Vert I{D}_i\oplus d_2)$
		$C_6=d_3\oplus h(I{D}_i\oplus d_2 \Vert SI{D}_j)$
		$V_3=h(SI{D}_j \Vert T_3)$
		$V_4=h(S{K}_{ji} \Vert d_3 \Vert SI{D}_j)$
		$\stackrel{M_3=\left\{C_6,V_3,T_3,V_4\right\}}{\leftarrow }$
	$|T-T_3|\leqq \Delta T$
	Compute $V_3^{\prime }=h(SI{D}_j \Vert T_3)$
	Check $V_3^{\prime }\stackrel{?}{=}{V}_3$
	Selects $T_4$
	$\stackrel{M_4=\{C_6,V_4,T_4\}}{\leftarrow }$
$|T-T_4|\leqq \Delta T$
Computes $d_3=C_6\oplus h(I{D}_i\oplus d_2 \Vert SI{D}_j)$
$S{K}_{ij}=h(SI{D}_j\oplus d_3 \Vert I{D}_i\oplus d_2)$
$V_4^{\prime }=h(S{K}_{ij} \Vert d_3 \Vert SI{D}_j)$
Check $V_4^{\prime }\stackrel{?}{=}{V}_4$
if ture svaes the $S{K}_{ij}$ for future communication

.

(1)

$U_i$ enters $I{D}_i$, $P{W}_i$, $B_i$, calculates ${\sigma }_i=Rep(B_i,{\tau }_i)$, $Aut{h}_i^{\prime }=h(I{D}_i \Vert P{W}_i \Vert {\sigma }_i)$, and verifies $Aut{h}_i^{\prime }\stackrel{?}{=}Aut{h}_i$. If the verification passes, this shows that the $U_i$ is legitimate; Otherwise, the session terminates. $U_i$ selects $d_1,d_2,T_1$, computes $C_1=d_1·P$, $C_2=d_1·x$, $C_3=d_2\oplus C_2\oplus SI{D}_j$, $C_4=I{D}_i\oplus h(SI{D}_j \Vert d_2)$, $V_1=h(C_2 \Vert I{D}_i \Vert T_1)$. At last, $U_i$ transmits message $M_1=\{PI{D}_k,PI{D}_j,C_1,C_3,V_1,T_1\}$ to $GW$.

(2)

When the $GW$ obtains message $M_1$, it validates the timestamp’s correctness. Next, $GW$ sends $PI{D}_j,PI{D}_k$ to the SGX interface. SGX match $SI{D}_j$ and x according to $PI{D}_j,PI{D}_k$. Then, $GW$ computes $C_2^{\prime }=x·C_1$, $d_2^{\prime }=C_3\oplus C_2^{\prime }\oplus SI{D}_j$, $I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$, $V_1^{\prime }=h(C_2 \Vert I{D}_i \Vert T_1)$, and verifies $V_1^{\prime }\stackrel{?}{=}{V}_1$. If the verification passes, $GW$ selects $T_2$, computes $C_5=I{D}_i\oplus d_2\oplus h(SI{D}_j \Vert T_2)$, $V_2=h(SI{D}_j\oplus d_2\oplus T_2)$, and sends message $M_2=\left\{C_5,V_2,T_2\right\}$ to the $S_j$.

(3)

Upon receiving the $M_2$, $S_j$ verifies the timestamp $|T-T_2|\leqq \Delta T$, then computes $I{D}_i\oplus d_2=C_5\oplus h(SI{D}_j \Vert T_2)$, $V_2^{\prime }=h(I{D}_i\oplus d_2 \Vert T_2)$, and verifies $V_2^{\prime }\stackrel{?}{=}{V}_2$. If the verification is successful, it selects $T_3,d_3$, and computes $S{K}_{ji}=h(SI{D}_j\oplus d_3 \Vert I{D}_i\oplus d_2)$, $C_6=d_3\oplus h(I{D}_i\oplus d_2 \Vert SI{D}_j)$, $V_3=h(SI{D}_j \Vert T_3)$, $V_4=h(S{K}_{ji} \Vert d_3 \Vert SI{D}_j)$, and transmits the $M_3=\left\{C_6,V_3,T_3,V_4\right\}$ to $GW$.

(4)

When $GW$ receives the $M_3$, it verifies the $T_3$. Next, $GW$ computes $V_3^{\prime }=h(SI{D}_j \Vert T_3)$, and verifies $V_3^{\prime }\stackrel{?}{=}{V}_3$. If the verification is successful, it proves that $S_j$ is a legitimate device. Then it selects the timestamp $T_4$, and then send $M_4=\{C_6,V_4,T_4\}$ to the $U_i$.

(5)

After receiving the message $M_4$, $U_i$ computes $d_3=C_6\oplus h(I{D}_i\oplus d_2 \Vert SI{D}_j)$, $S{K}_{ij}=h(SI{D}_j\oplus d_3 \Vert I{D}_i\oplus d_2)$, $V_4^{\prime }=h(S{K}_{ij} \Vert d_3 \Vert SI{D}_j)$, and verifies $V_4^{\prime }\stackrel{?}{=}{V}_4$. If the two values are the same, $U_i$ will use the $S{K}_{ij}$ to transmit information with $S_j$.

4. Security Analysis

4.1. Formal Analysis

We use RoR model to formally analyze the scheme to prove the security of the proposed scheme. The steps of proof will be described in detail below.

RoR Model

RoR model [46,47] simulates the probability of an attacker cracking the scheme in polynomial time through different rounds of games and judges the security of the proposed scheme by whether the attacker can calculate the session key.

Our proposed agreement has three participants: $U_i$, $GW$, and $D_j$. We define ${\Pi }_{U_i}^x$, ${\Pi }_{gw}^y$, and ${\Pi }_{d_j}^z$ to represent the user instance, the gateway instance, and the smart device instance, respectively. Based on the ROR model, $\mathcal{A}$ needs to follow the following capabilities in each game.

(1)

$Execute\left(O\right)$: This query is a passive attack and can enable $\mathcal{A}$ to eavesdrop on messages sent by entities, where O = {${\Pi }_{U_i}^x$, ${\Pi }_{GW}^y$,${\Pi }_{D_j}^z$}.

(2)

$Send(O,M_i)$: $\mathcal{A}$ can send the message $M_i$ send it to O and obtain the response from O.

(3)

$Hash\left(string\right)$: This query means that $\mathcal{A}$ can obtain the hash of a certain string.

(4)

$CorruptMobiledevice\left({\Pi }_{U_i}^x\right)$: $\mathcal{A}$ executing this query can obtain data in the mobile device.

(5)

$Test\left(O\right)$: $\mathcal{A}$ flips a coin c to guess the real session key. In the case of $c=1$, the $\mathcal{A}$ can obtain the session key, otherwise the attacker obtains a random string.

Theorem 1.

In RoR model, $\mathcal{A}$ can break the proposed scheme in polynomial time is $Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)\le =\frac{q_h^2}{\left|Hash\right|}+2Ad{v}_{\mathcal{A}}^{ECDHP}\left(\xi \right)+\frac{q_s}{2^{l-1}\left|D\right|}$. Here, $\left|Hash\right|$ indicates the range space of the hash function; $Ad{v}_{\mathcal{A}}^{ECDHP}\left(\xi \right)$ indicates the advantage of cracking elliptic curve Diffie-Hellman problem (ECDHP); $q_s$ refers to the $Send$ query; l indicates the bit length of biological information; $\left|D\right|$ refers to the space size of the password dictionary.

Proof. 

We defined 4 games $G{M}_0$-$G{M}_3$ to simulate $\mathcal{A}$’s attack process. During the proof process, $suc{c}_A^{G{M}_i}\left(\xi \right)$ is defined as the probability that $\mathcal{A}$ can successfully compute the session key in each game, $Ad{v}_{\mathcal{A}}^{\mathcal{P}}$ indicates that the $\mathcal{A}$ can break the advantage of scheme $\mathcal{P}$. The following is the specific process of the game.

$G{M}_0$: In $G{M}_0$, $\mathcal{A}$ needs to select a bit c to start the game simulating the real attack. So we have

$$Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)=|2Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)\right]-1|.$$

(1)

$G{M}_1$: $G{M}_1$ adds the $Execute\left(\right)$ query to $G{M}_0$. At $G{M}_1$, $\mathcal{A}$ intercepts the $M_1=\{PI{D}_k,PI{D}_j,C_1,C_3,C_4,V_1,T_1\}$, $M_2=\{C_5,V_2,T_2\}$, $M_3=\{C_6,V_3,V_4,T_3\}$ and $M_4=\{C_6,V_4,T_4\}$. When this query ends, $\mathcal{A}$ will execute $Test\left(\right)$ query to compute the session key $S{K}_{ij}=\{SI{D}_j\oplus d_3 \Vert I{D}_i\oplus d_2\}$. $SI{D}_j,d_3,I{D}_i$ and $d_2$ are confidential to $\mathcal{A}$. Therefore, there is no difference between $G{M}_1$ and $G{M}_0$.

$$Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)\right]=Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)\right].$$

(2)

$G{M}_2$: $G{M}_2$ adds $Send\left(\right)$ and $Hash\left(\right)$ operations to the game. $\mathcal{A}$ wants to tamper with the message stolen on the public channel, but the authentication values $V_1,V_2,V_3,V_4$ are all based on hash functions, and the authentication values are composed of random numbers and dot product. Since random numbers are different, hash functions do not collide. In addition, since the $\mathcal{A}$ cannot obtain the x of $GW$ and cannot solve the ECDHP, the $\mathcal{A}$ cannot calculate $C_2^{*}=x·C_1$. Therefore, based on $Ad{v}_{\mathcal{A}}^{ECDHP}\left(t\right)$ and birthday paradox, we can obtain

$$\begin{array}{c}\hfill |Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)\right]|\le \frac{q_h^2}{2\left|Hash\right|}+Ad{v}_{\mathcal{A}}^{ECDHP}\left(t\right).\end{array}$$

(3)

$G{M}_3$: $G{M}_3$ adds $CorruptMobiledevice\left(\right)$ operation, which can be used by $\mathcal{A}$ to obtain user information $\{V_1,HI{D}_i,{\tau }_i\}$. In addition, $\mathcal{A}$ selects a low entropy password based on the password dictionary to guess the correct password of $U_i$, and the probability that $\mathcal{A}$ would correctly predict the biological key is $\frac{1}{2}$. Suppose the system allows the $\mathcal{A}$ to enter a limited number of wrong passwords, we have

$$\begin{array}{c}\hfill |Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_2}\left(\xi \right)\right]|\le \frac{q_s}{2^l\left|D\right|}.\end{array}$$

(4)

Finally, $\mathcal{A}$ guesses bit b through the $Test\left(\right)$ operation to win the game. So we can obtain

$$Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]=\frac{1}{2}.$$

(5)

According to $G{M}_0-G{M}_3$, we have

$$\begin{array}{cc}\hfill \frac{Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)}{2}& =|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)\right]-\frac{1}{2}|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_0}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]|\hfill \\ \hfill & =|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_1}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_3}\left(\xi \right)\right]|\hfill \\ \hfill & \le \sum _{i=0}^2|Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_{i+1}}\left(\xi \right)\right]-Pr\left[Suc{c}_{\mathcal{A}}^{G{M}_i}\left(\xi \right)\right]|\hfill \\ \hfill & =\frac{q_h^2}{2\left|Hash\right|}+Ad{v}_{\mathcal{A}}^{ECDHP}\left(\xi \right)+\frac{q_s}{2^l\left|D\right|}\hfill \end{array}$$

(6)

Therefore, we can obtain

$$Ad{v}_{\mathcal{A}}^{\mathcal{P}}\left(\xi \right)\le =\frac{q_h^2}{\left|Hash\right|}+2Ad{v}_{\mathcal{A}}^{ECDHP}\left(\xi \right)+\frac{q_s}{2^{l-1}\left|D\right|}$$

(7)

□

4.2. Informal Analysis

4.2.1. Impersonation Attack

Suppose that $\mathcal{A}$ attempts to impersonate a legitimate user and communicate with other entities communicate to establish a session key. Because $RA$ is only responsible for registration and does not store any entity information, he cannot impersonate users by obtaining $RA$ information. If $\mathcal{A}$ obtains the information $\{PI{D}_k,PI{D}_j\}$ stored in the gateway and intercepts the information $\{PI{D}_k,PI{D}_j,C_1,C_3,V_1,T_1\}$ on the public channel to compute $V_1=h(C_2 \Vert I{D}_i \Vert T_1)$, but because it cannot obtain $\{x,SI{D}_j\}$, he cannot compute $C_2^{\prime }=x·C_1$, and $I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$, so he cannot successfully compute $V_1$, and he cannot be authenticated through the gateway. Therefore, $\mathcal{A}$ cannot impersonate a legitimate user. In the same way, $\mathcal{A}$ tries to become a legitimate smart device, but because he cannot obtain the $SI{D}_j$, he cannot compute the $V_3=h(SI{D}_j \Vert T_3)$, so he cannot successfully compute $V_3$, and he cannot be authenticated through the gateway. So our scheme is immune to impersonate attack.

4.2.2. Session Key Disclosure (SKD) Attack

Suppose $\mathcal{A}$ intercepts the messages $M_1-M_4$, and attempts to calculate $SK=h(SI{D}_j\oplus d_3 \Vert I{D}_i \Vert d_2)$, but the $x,SI{D}_j$ are private and $\mathcal{A}$ cannot obtain these values. Therefore, $\mathcal{A}$ cannot compute $C_2=x·C_1$, $d_2=C_3\oplus C_2^{\prime }\oplus SI{D}_j$, and $I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$ through values of $PI{D}_j,C_1,C_6$. Obviously, he cannot calculate $SK$. Thus, our scheme is immune to SKD attack.

4.2.3. Smart Device Stolen (SDS) Attack

Suppose $\mathcal{A}$ obtains the $PSI{D}_j$ stored in the smart home device, intercepts $C_1$ and $C_4$, and tries to compute $C_2=x·C_1$, $I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$, because the smart device only stores the pseudo identity $PI{D}_j$ of the device, the attacker cannot obtain $x,d_2$, so he cannot compute $C_2,I{D}_i$, so he cannot calculate the $SK=h(SI{D}_j\oplus d_3 \Vert I{D}_i \Vert d_2)$. Thus, our scheme can resist the SDS attack.

4.2.4. Privacy and Anonymity

$\mathcal{A}$ can identify the real identity of $U_i$ and $D_j$ according to the intercepted public channel information. In our proposed scheme, we use hash function and random number to hide the real identity of $U_i$ and $D_j$, thus providing anonymity for them. In each session, because the random number is different, even if $\mathcal{A}$ can intercept the pseudo identity of $U_i$ and $D_j$, he cannot identify the real identity of their real identities. Therefore, our scheme can protect the entity’s privacy from being disclosed.

4.2.5. Mutual Authentication

The gateway authenticates user and smart device using $V_1$ and $V_3$, respectively. Although $\mathcal{A}$ can eavesdrop on these two values, $\mathcal{A}$ cannot correctly compute and change the verification value because he cannot obtain $x,SI{D}_j$, and cannot compute $C_2=x·C_1$, $I{D}_i=C_4\oplus h(SI{D}_j \Vert d_2)$. Similarly, although the verification value $V_3$ is transmitted on the public channel, $\mathcal{A}$ cannot obtain the $SI{D}_j$. He cannot correctly calculate and change $V_3$. As long as a changes any of the verification values, it will be detected immediately and the session will be terminated. So our scheme can realize mutual authentication.

5. Security and Performance Comparison

We use the proposed scheme to compare the existing schemes [13,17,48] in terms of security, computing cost and communication cost, and the detailed introduction and comparison results are described below.

5.1. Security Comparison

The proposed scheme is compared with the three schemes regarding security, and the comparison results are listed in

Table 4. Comparisons of security.

Security Properties	Shuai et al. [13]	Kaur et al. [19]	Yu et al. [17]	Zou et al. [18]	Ours
Impersonation attack	✓	×	✓	✓	✓
Temporary value disclosure attack	✓	✓	✓	✓	✓
OPG attack	×	✓	✓	✓	✓
Insider attack	×	✓	✓	✓	✓
SDS attack	✓	✓	✓	✓	✓
SKD attack	×	✓	✓	✓	✓
Mutual authentication	✓	×	×	✓	✓

. Shuai et al.’s scheme [13] is unable to withstand OPG, insider, and SKD attacks. The scheme of Yu et al. [17] cannot realize mutual authentication; Kaur et al. [19] cannot withstand impersonation attack and violated mutual authentication. The proposed scheme and Zou et al.’s scheme [18] can resist common attack.

5.2. Computation Costs Comparison

We use an IQOO9 mobile phone to emulate $U_i$ and $S_j$ and a Lenovo desktop computer to emulate the $GW$. The mobile phone’s processor is a snapdragon 8-core processor with 12G of running memory and the Lenovo desktop computer’s CPU is the Intel(R) Core(TM)i5-8500 CPU@ 3.00 GHz with 16G of running memory. The software used on the computer is IntelliJ idea 2020.3, and the program is written using JAVA and cryptographic library JPBC-2.0.0 [49]. In

Table 5. Computation costs of complex operations.

Operations	Symbolic	Mobile Phone (ms)	Computer (ms)
Hash function	$T_h$	0.0023	0.00103
Point scalar multiplication	$T_m$	0.6349	0.545
Symmetric Decryption	$T_{de}$	0.0612	0.0127
Symmetric Encryption	$T_{en}$	1	0.1833

, we select four main operations: hash function $T_h$, point scalar multiplication $T_m$, symmetric decryption $T_{de}$, and symmetric encryption $T_{dn}$. We ran various operations 100 times on the mobile phone and computer to take the average running time. In

Table 6. Computation costs.

Scheme	${\mathit{U}}_{\mathit{i}}$ (ms)	${\mathit{S}}_{\mathit{j}}$ (ms)	$\mathit{GW}$ (ms)
Shuai et al. [13]	$6T_h+2T_m=1.2836$	3$T_h=0.0069$	7$T_h+T_m=0.5522$
Kaur et al. [19]	$6T_h+2T_m=1.2836$	3$T_h=0.0069$	7$T_h+T_m=0.5522$
Yu et al. [17]	$T_{de}+T_m+12T_h=1.0888$	$7T_h=0.0161$	$11T_h=0.0113$
Zou et al. [18]	$6T_h+3T_m=1.9185$	$5T_h+2T_m=1.2813$	6$T_h+T_m=0.5518$
Ours	$7T_h+2T_m=1.2859$	6$T_h=0.0138$	5$T_h+T_m=0.5501$

, we based on the results in Table 5 to show the comparison of computation costs between our and recently proposed schemes [13,17,18,19]. For example, our scheme requires $7T_h+2T_m$ for $U_i$. The cost is $7\times 0.0023+2\times 0.6349=1.2859$ ms.

In Table 6, and Figure 3, the costs of [13,17,19] for $U_i$ are less than our scheme. Our scheme requires an additional $0.1971$ ms than [17] and $0.0023$ ms than [13,19]. In fact, the two values are reasonable in practice. More importantly, the three schemes have some security weaknesses mentioned in Table 4. Overall, our scheme provides both security and efficiency for $U_i$.

In Table 6, and Figure 4, the costs of [13,17,19] for $S_j$ are less than our scheme. Our scheme requires an additional $0.0069$ ms than [13,19] and $0.0023$ ms than [17]. In fact, the two values are reasonable in practice. More importantly, the three schemes have some security weaknesses mentioned in Table 4. Overall, our scheme provides both security and efficiency for $S_j$.

5.3. Communication Costs Comparison

In

Table 7. Communication costs.

Scheme	Communication Costs (bits)	Length (bits)
Shuai et al. [13]	$3|Z_p^{*}|+4|H|+|G|$	1824
Kaur et al. [19]	$5|Z_p^{*}|+4|H|+|G|+3|T|$	2400
Yu et al. [17]	$4|Z_p^{*}|+4|H|+3|T|$	2048
Zou et al. [18]	$3\left|ID\right|+3\left|G\right|+2|Z_p^{*}|+3|T|+10|H|$	3944
Ours	$2\left|ID\right|+\left|G\right|+5|Z_p^{*}|+3|T|+5|H|$	2848

, we show the communication costs between our and recently proposed schemes [13,17,18,19]. Note that the lengths of symmetric encryption and decryption $\left|E\right|$, hash functions $\left|H\right|$, timestamp T, integer $|Z_p^{*}|$, identify $\left|ID\right|$ and ECC $\left|G\right|$ are defined by 256 bits, 256 bits, 128 bits, 160 bits, 32 bits, and 320 bits, respectively. Here, the total communication costs of our scheme are computed by $2\left|ID\right|+\left|G\right|+5|Z_p^{*}|+3|T|+5|H|=2\times 32+320+5\times 160+3\times 128+5\times 256=2348$ bits. The communication costs of Shuai et al.’s scheme [13] requires $3|Z_p^{*}|+4|H|+|G|=3\times 128+4\times 256+5\times 320=1824$ bits, Kaur et al.’s scheme [19] requires $5|Z_p^{*}|+4|H|+|G|+3|T|=5\times 128+4\times 256+320+3\times 128=2400$ bits, Yu et al.’s scheme [17] requires $4|Z_p^{*}|+4|H|+3|T|=4\times 128+4\times 256+3\times 128=2048$ bits, Zou et al.’s scheme [18] requires $3\left|ID\right|+3\left|G\right|+2|Z_p^{*}|+3|T|+10|H|=3\times 32+3\times 320+2\times 160+3\times 128+10\times 256=3944$ bits. Finally, the results in Table 7 are depicted in Figure 5. It can be seen that Zou et al.’s scheme [18] has the highest communication cost, Shuai et al.’s scheme [13] has the lowest communication cost, and our scheme is lower than Zou et al.’s scheme [18], slightly higher than Kaur et al.’s scheme [19].

6. Conclusions

As the foundation of smart cities, smart homes are closer to people’s lives, so ensuring the security of data transfers between entities is critical. In this paper, we propose an AKA scheme suitable for smart home environments and use the combination of SGX and gateway to prevent insider attacks effectively. Moreover, we also prove the proposed scheme’s security through informal security analysis and the RoR model. Finally, we compare the proposed scheme with existing schemes regarding security, computation, and communication costs. Based on the comparison results, our scheme performs better and is more suitable for this environment. In the future, smart home authentication schemes should incorporate multiple approaches such as multi-factor authentication and biometrics. Additionally, users should set strong passwords for smart home devices and limit the number of people who can access smart devices. We will continue to improve the smart home authentication scheme to meet the growing security needs.