Next Article in Journal
Sensing with Femtosecond Laser Filamentation
Next Article in Special Issue
Enhancing Graph Routing Algorithm of Industrial Wireless Sensor Networks Using the Covariance-Matrix Adaptation Evolution Strategy
Previous Article in Journal
Enhanced Convolutional Neural Network for In Situ AUV Thruster Health Monitoring Using Acoustic Signals
Previous Article in Special Issue
UAV Enhanced Target-Barrier Coverage Algorithm for Wireless Sensor Networks Based on Reinforcement Learning
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices

1
School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Korea
2
Electronics and Telecommunications Research Institute, Daejeon 34129, Korea
3
School of Electronics Engineering, Kyungpook National University, Daegu 41566, Korea
*
Author to whom correspondence should be addressed.
Sensors 2022, 22(18), 7075; https://doi.org/10.3390/s22187075
Submission received: 16 August 2022 / Revised: 14 September 2022 / Accepted: 16 September 2022 / Published: 19 September 2022
(This article belongs to the Collection Wireless Sensor Networks towards the Internet of Things)

Abstract

:
In IoT-based environments, smart services can be provided to users under various environments, such as smart homes, smart factories, smart cities, smart transportation, and healthcare, by utilizing sensing devices. Nevertheless, a series of security problems may arise because of the nature of the wireless channel in the Wireless Sensor Network (WSN) for utilizing IoT services. Authentication and key agreements are essential elements for providing secure services in WSNs. Accordingly, two-factor and three-factor-based authentication protocol research is being actively conducted. However, IoT service users can be vulnerable to ID/password pair guessing attacks by setting easy-to-remember identities and passwords. In addition, sensors and sensing devices deployed in IoT environments are vulnerable to capture attacks. To address this issue, in this paper, we analyze the protocols of Chunka et al., Amintoosi et al., and Hajian et al. and describe their security vulnerabilities. Moreover, this paper introduces PUF and honey list techniques with three-factor authentication to design protocols resistant to ID/password pair guessing, brute-force, and capture attacks. Accordingly, we introduce PUFTAP-IoT, which can provide secure services in the IoT environment. To prove the security of PUFTAP-IoT, we perform formal analyses through Burrows Abadi Needham (BAN) logic, Real-Or-Random (ROR) model, and scyther simulation tools. In addition, we demonstrate the efficiency of the protocol compared with other authentication protocols in terms of security, computational cost, and communication cost, showing that it can provide secure services in IoT environments.

1. Introduction

The rapid development of wireless networks and the Internet of Things (IoT) has created opportunities to communicate with things over the Internet. Wireless sensor networks (WSN), a combination of wireless networks and IoT sensors, are garnering increasing attention worldwide as an exciting new paradigm of IoT in various fields, such as smart home, smart city, smart transportation, and smart agriculture [1,2,3]. In this IoT-based environment, data are collected through various sensors and sensing devices, and users can access them through a gateway node. Through WSN, users can use convenient services in real-time through IoT devices in an IoT-based environment. For example, with their IoT devices, users can remotely operate the lights in their house or sprinklers in their garden.
However, because this convenient service is provided through a wireless network, it is vulnerable to illegal access by malicious attackers [4,5]. This can harm the convenience of IoT, such as invasions of user privacy and eavesdropping on privacy. Malicious attackers can also be insiders or outsiders seeking to breach network security and falsify data integrity. Moreover, problems of node and link failures (i.e., cascading failures) can occur due to the limitations of resources and energy of IoT equipment [6,7]. To this end, the development of lightweight protocols that provide secure communication between nodes and that can overcome resource and energy limitations is ongoing.
Key agreement and authentication protocols are an integral part of addressing security vulnerabilities in WSN and IoT environments and are being studied continuously. Two-factor-based authentication protocols consisting of passwords and smart cards have been proposed for secure communication in IoT-based environments [8,9,10,11,12,13,14,15,16,17,18]. However, these two-factor-based authentication protocols are also vulnerable to smart card theft and guessing attacks, among other attacks. In addition, some researchers have argued that, in two-factor authentication protocols, an attacker can guess an ID/password pair as users create easy-to-remember ID/password pair for convenience [19,20,21]. Therefore, the researchers argued that attackers can guess an ID/password pair within polynomial time. Accordingly, to respond to various attacks, including ID/password pair guessing attacks, three-factor-based authentication protocols have been proposed, involving user’s biometric information [22,23,24,25,26,27,28].
Although the three-factor-based authentication protocol is more secure than the two-factor-based authentication protocol, some researchers have found that the three-factor authentication protocols proposed in WSN and IoT environments are also not secure against multiple attacks. Although three-factor-based authentication protocols can defend against ID/password pair guessing attacks, they are still vulnerable to attacks that can be performed with values obtained through device capture attacks. Additionally, the three-factor authentication protocol is still vulnerable to replay, impersonation, and session key disclosure attacks.
In this paper, we analyze the security of two-factor-based and three-factor-based authentication protocols to discover their vulnerabilities. Chunka et al.’s protocol [16] is vulnerable to known session-specific temporary information, ID/password pair guessing, and impersonation attacks. The protocol of Amintoosi et al. [18] is also vulnerable to ID/password pair guessing attacks, thus allowing impersonation attacks. The protocol of Hajian et al. [27] is vulnerable to device physical capture attacks, and through these attacks, device impersonation and session key disclosure attacks are possible.
This paper introduces the Physical Unclonable Function (PUF) [29], which can strengthen security against device capture attacks, and h o n e y l i s t [30,31], which can prevent off-line guessing and brute-force attacks from solving the vulnerabilities of three-factor-based authentication protocols. With h o n e y _ l i s t , the authentication protocol can be secure, even if two of three factors of the authentication protocol are leaked. In addition, we configure the authentication protocol with XOR and hash functions for real-time communication of sensing devices and prevention of system down.
Therefore, this study aims to solve the security vulnerabilities of the two-factor and three-factor-based WSN authentication protocols [16,18,27]. In addition, we propose PUFTAP-IoT, a secure protocol for IoT-based environments using the three factors that are safe against various attacks in the IoT environment.
We adopt two technologies for a secure protocol for sensing devices in the IoT environment. We also invoke h o n e y _ l i s t technology to defend against online-guessing and brute-force attacks and consider PUF to be safe against takeover attacks of sensors and sensing devices. The contributions of this paper are as follows:
  • We prove the vulnerabilities of protocols by Chunka et al. [16] and Amintoosi et al. [18], which are two-factor authentication protocols, and Hajian et al. [27], which is a three-factor authentication protocol.
  • PUFTAP-IoT adopts PUF [29] and h o n e y _ l i s t [30,31] technology to be safe against various attacks. In addition, to solve the resource problem of sensors and sensing devices, only XOR and hash functions excluding elliptic curve cryptography (ECC) functions are used to lighten the protocol.
  • Informal (non-mathematical) analysis and formal analysis are performed to prove the security of the proposed PUFTAP-IoT. Formal analysis uses the widely adopted Burrows Abadi Needham (BAN) logic [32] and Real-Or-Random (ROR) model [33]. We also use the scyther simulation tool [34] to show that PUFTAP-IoT is secure in networks over public channels.
  • We compare PUFTAP-IoT with other authentication protocols in terms of computation cost, communication cost, and security to analyze its efficiency.
The remainder of this paper is organized as follows: Section 2 reviews two-factor and three-factor-based authentication protocols in IoT and WSN environments. Section 3 outlines the proposed system model, attacker model, PUF, fuzzy extraction, and honey list. We analyze the protocols of Zou et al., Amintoosi et al., and Hajian et al. to demonstrate security vulnerabilities. Section 5 describes PUFTAP-IoT, and the safety of PUFTAP-IoT is analyzed in Section 6. We also analyze the efficiency of the protocol in Section 7. Finally, Section 8 concludes the paper.

2. Related Works

Lamport [35] first proposed a password-based authentication protocol in 1981. Since then, many related studies on password-based, two-factor authentication protocols have been proposed in various network environments to protect users’ privacy. In 2009, Das [8] proposed a two-factor authentication concept using a smart card with password in an IoT-based WSN environment. Das argued that the proposed scheme has a security advantage in that it uses only a hash function to reduce communication overhead and resist various attacks. However, He et al. [9] proved [8]’s authentication protocol is vulnerable to insider attacks along with impersonation attacks in 2010. In addition, He et al. presented an improved protocol as a countermeasure against these attacks. Unfortunately, it was found by Kumar and Lee [10] that He et al.’s protocol also does not guarantee mutual authentication and cannot generate a session key. Turkanović et al. proposed a new authentication and key agreement method in the WSN environment, focusing on heterogeneous IoT. The proposed scheme allows users to negotiate session keys securely with sensor nodes using the authentication protocol. However, Amin and Biswas [12] demonstrated that the protocol of Turkanović et al. is not secure against impersonation, identity guessing, and password guessing attacks. Moreover, they showed that their scheme has an inefficient authentication phase. Amin and Biswas proposed a protocol that compensated for these problems. However, Wu et al. [13] found that the protocol of Amin and Biswas are also vulnerable to sensor capture and guessing and spoofing attacks. Shuai et al. [14] suggested an authentication protocol for smart homes in 2019. In their protocol, they use Elliptic Curve Cryptography (ECC) for efficient and anonymous authentication. They demonstrate that their protocol is secure against a variety of attacks, including desynchronization and verification table stolen attacks. However, Zou et al. [15] proved Shuai et al.’s protocol is insecure against perfect forward secrecy, node capture attack, and impersonation attacks. Moreover, they proposed more secure user authentication schemes for smart homes. In 2021, Chunka et al. [16] point out the problems with the authentication protocol for WSN environment proposed by Kalra and Sood [17]. They pointed out that the protocol proposed by Kalra and Sood is vulnerable to sensor node capture attacks and cannot provide perfect forward secrecy. In 2022, Amintoosi et al. [18] proposed a two-authentication-based authentication and key agreement protocol to ensure the privacy and security of patients’ health-related data. They claim that their protocol is safe from various attacks and is a lightweight protocol using only hash and XOR functions.
According to [19,20], people tend to choose ID/password pairs that are easy to remember. As a result, ID and password pairs are chosen from a small dictionary space. This allows an attacker to guess a user’s ID and password in polynomial time [21]. Many researchers have proposed a secure three-factor authentication scheme to prevent simultaneous ID and password pair guessing attacks.
In 2016, Amin et al. [22] proposed a three-factor authentication protocol for WSN. They designed an anonymity-preserving authentication scheme for WSN and proved that their proposed protocol is secure against multiple attacks and is more efficient than other protocols. However, Jiang et al. [23] showed that the protocol of Amin et al. is insecure against replay attacks and does not provide complete forward secrecy. To solve this security flaw, Jiang et al. presented an authentication protocol based on the Rabin cryptosystem for WSN. However, Ostad-Sharif et al. [24] demonstrate that the Jiang et al. protocol also does not provide perfect forward secrecy. In 2019, Mo et al. [25] proposed a secure three-factor-based key agreement and user authentication protocol for WSN. They presented a protocol based on ECC. They demonstrated that their protocol is able to provide security against untraceability and user anonymity. However, Yu and Park [26] pointed out that the protocol of Mo et al. is not safe for impersonation, replay, and session key disclosure attacks. Unfortunately, Hajian et al. [27] proved that the protocol proposed by Ostad-Sharif et al. [24] and Yu et al. [26] is also vulnerable to some attacks. To prevent security problems, Hajian et al. proposed a lightweight authentication protocol for IoT environments. They argued that the proposed protocol can defend against multiple attacks. In 2022, Amintoosi et al. [18] pointed out the security vulnerabilities of the authentication protocol for e-health proposed by Aghili et al. [28]. They proposed a lightweight authentication protocol for smart healthcare services that solves the security vulnerabilities of Aghili et al.’s protocol.
However, we prove that some schemes [16,18,27] are vulnerable to security attacks. We found that Chunka et al. [16] protocol is vulnerable to known session-specific temporary information, ID/password pair guessing, and impersonation attacks. Additionally, we prove that Amintoosi et al.’s protocol [18] cannot withstand identity and password guessing attacks and smart card stolen attacks. Finally, Hajian et al.’s protocol [27] is vulnerable to device capture and session key disclosure attacks.

3. Preliminaries

This section introduces the PUFTAP-IoT system model and an adversary model for security analysis of authentication protocols. In addition, we briefly describe PUF, fuzzy extraction, and h o n e y _ l i s t , which are the security technologies adopted in the proposed IoT-TFBAP.

3.1. The Proposed System Model

The system model of PUFTAP-IoT is shown in Figure 1. PUFTAP-IoT consists of following three entities:
  • User: The user requests communication to the gateway to use the sensing device. Only registered users can use IoT services by requesting communication to the gateway.
  • Sensing device: Sensing devices are smart devices deployed in various IoT environments. Examples in Figure 1 include smart agriculture, vehicles, smart doors, and smart watches. They collect data and provide it to users, and users can use the data to execute any commands they want. Sensing devices also have limited computational power.
  • Gateway: All service users and sensing devices must be registered with the gateway. A gateway is a trusted entity that is responsible for the process and regulates authentication requests between users and sensing devices.
Users must first register with the gateway when they want to communicate with a sensing device. The gateway stores relevant data from users and sensing devices, and controls communication between users and sensing devices. PUFTAP-IoT consists of a registration phase, login and authentication phase, and password and biometrics update phase. In the registration phase, users and sensing devices are registered with the gateway through secure channels. During the login and authentication phase, the user, gateway, and sensing device authenticate each other and generate a session key for communication. In the future, the user can safely communicate with the sensing device using this session key. In the password and biometrics update phase, users can update their passwords and biometrics if desired. To defend against malicious adversaries’ ID/password guessing attacks and brute-force attacks, the gateway creates and stores h o n e y _ l i s t . In addition, the sensing devices have built-in PUF technology to protect them from physical capture attacks.

3.2. The Adversary Model

We adopt the “Dolev-Yao (DY) adversary model” [36] to analyze the proposed protocols [15,18,27] and the IoT-TFBAP. The DY adversary model is a widely adopted model to analyze the security of wireless networks and assumes the following:
  • The adversary can learn messages by intercepting messages delivered over insecure, public wireless channels. Through the learned message, the adversary can create a valid message and insert and modify it.
  • The adversary can obtain stored values by stealing a valid user’s smart card and sensing device [37].
  • The adversary can guess the user’s ID/password pair in polynomial time [21].
  • The adversary can perform guessing, impersonation, known session-specific temporary information, and session key disclosure attacks using the acquired values.

3.3. Physical Unclonable Function

We adopt PUF technology to securely store secret parameters in the sensing device. PUF can be described as “the representation of the unique, non-replicable, instance-specific functionality of a physical entity” [29]. The randomness and uncertainty in integrated circuit fabrication is less likely to create duplicates, making PUFs increasingly visible in the security realm. PUF receives the challenge C and obtains its response R through the physical properties of C and the integrated chip (IC). Since both the accepted C and the generated R are strings of bits, PUF is expressed as R = P U F ( C ) and can be considered as a one-way function. In an ideal situation, a one-to-one correspondence exists between a challenge–response pair and a PUF, where if a challenge is assigned to the same PUF multiple times, the generated response is the same, and when the same challenge is given to different PUFs, the response obtained is different. PUF also has the following characteristics:
  • It is impossible to clone PUF to create the same device [38].
  • Any attempt to change the device containing the PUF will change the PUF’s behavior and destroy the PUF [39].
  • In real-world manufacturing circuits, the difference between mapping input and output functions is fixed and unpredictable. In this respect, the hardware is equivalent to a one-way function [40].
However, due to environmental and circuit noise, PUFs always output varying responses with some margin of error in Cs. To solve this problem, PUF is being applied with fuzzy extractor technology [41].

3.4. Fuzzy Extraction

To solve the problem of noisy PUF, we introduce fuzzy extraction technology [41]. Moreover, we can use fuzzy extraction to solve the noise that can occur in the biometric input. The fuzzy extractor consists of the G E N function and the R E P function.
The G E N function is for generating key information corresponding to the entered value. Entering the data D i into the G E N function outputs the secret key data R i , which is a uniform random string. The G E N function also outputs the string P i , which helps to remove the noise and recover the key value.
The R E P function restores the secret key R i . Enter the data D i and the helper string P i into the R E P function. At this time, D i may generate noise. For this, P i helps to output the correct R i . To recover the same R i , the metric space distance between D i and D i must be within the specified tolerance.

3.5. Honey List

Assume that attackers attempt to obtain useful data by performing brute-force and online-guessing attacks. In this case, h o n e y _ l i s t prevents the algorithm “Honey Encryption (HE)” [30,31] from attempting to obtain data by guessing the password. If an adversary attempts attacks with the wrong password, HE uses an algorithm to generate fake valid messages, “Honey words”. [42] has more details on the honey word generation algorithm.
Various methods have been used to resist brute-force or online-guessing attacks using h o n e y _ l i s t at the login and authentication phase. Out of all of them, PUFTAP-IoT calls h o n e y _ l i s t by adopting the following method. If an attacker tries to login using the guessing password, the login proceeds as usual, but the gateway monitors the attacker’s login source for intrusion detection. The gateway also kills the session “when the number of entries in honey_list exceeds a predefined threshold” and notifies the user to update their password.

4. Cryptanalysis of Authentication Protocols

This section shows the analysis of various authentication protocols using sensor or sensing devices in an IoT environment. A review of each protocol is omitted, and for convenience of explanation, S (sensor) of Chunka et al. and Amintoosi et al. and S (sensing device) of Hajian et al. are all denoted as S D (sensing device). The rest of the notation is the same as that of each authentication protocol. Table 1 shows the notations used in this paper.

4.1. Cryptanalysis of Chunka et al.’s Protocol

We prove that Chunka et al.’s protocol [16] is not safe against known session-specific temporary information attacks and does not provide perfect forward secrecy.

4.1.1. Known Session-Specific Temporary Information Attacks

Suppose that the adversary A d v obtains a session-specific temporary information r 1 . Then, A d v is able to compute the legitimate session key. The detailed steps are as follows:
Step 1: A d v computes h ( α i k ) = r 1 M I D i , since M I D i is public parameter. Then, A d v can obtain P i , where P i is obtained through an insecure channel.
Step 2: A d v computes h ( P i | | h ( α i k ) | | r 1 ) = E j h ( r 1 r 2 r 3 ) via E j , which is transmitted to the public channel.
Step 3: Finally, A d v can compute the legitimate session key S K = h ( r 1 r 2 r 3 ) | | h ( P i | | h ( α i k ) | | r 1 ) .

4.1.2. Off-Line Guessing Attacks

According to the adversary model in Section 3.2, the adversary A d v can guess the ID/PW pair in polynomial time. The detailed steps are as follows:
Step 1: A d v is able to obtain values { X i , Z i , Q i , R i , h ( · ) } stored on the smart card via smart card stolen attacks. Then, A d v picks I D a / P W a and computes r a = X i h ( I D a | | P W a ) .
Step 2: A d v calculates Z i a = h ( I D a | | P W a | | r a ) and checks if Z i a = Z i .
Step 3: If they are the same, A d v has successfully guessed the correct ID/password pair for the user. Otherwise, A d v repeats Steps 1 and 2.

4.1.3. Impersonation Attacks

After off-line guessing attacks, A d v can impersonate the valid user. The detailed steps are as follows.
Step 1: Through guessing attacks, A d v computes h ( I D i | | r ) . Then, A d v can compute h ( α i ) = Q i h ( I D i | | r ) and h ( α i k ) = R i h ( I D i | | r ) because R i and Q i are values stored in the smart card.
Step 2: Then, A d v generates a random nonce r 1 a and computes M i d a = h ( α i k ) r a , N a = h ( h ( α i k ) | | h ( α i ) | | r a ) .
Step 3: Finally, A d v sends the message { P i , M I D i , N i } . Thus, A d v can impersonate the legitimate user.

4.2. Cryptanalysis of Amintoosi et al.’s Protocol

This section shows that Amintoosi et al.’s protocol [18] is not secure to smart card stolen, off-line guessing, and impersonation attacks.

4.2.1. Off-line Guessing Attacks

The adversary A d v can obtain the sensitive information stored in the smart card. Then, A d v can guess the ID/password pair in polynomial time. The detailed steps are as follows:
Step 1: A d v can obtain values { b i , A i , B i , a i } stored on the smart card. Then, A d v picks I D a / P W a and computes p a = h ( I D a | | P W a | | a i ) , N a = A a p a , and b I D a = h ( b i | | I D a ) .
Step 2: A d v calculates M a = h ( b i | | I D a | | b I D a ) and B a = h ( M a | | I D a | | b I D a ) . Then, A d v checks if B a = B i .
Step 3: If they are the same, A d v has successfully guessed the correct ID/password pair for the user. Otherwise, A d v repeats Steps 1 and 2.

4.2.2. Impersonation Attacks

After guessing the legitimate user’s ID/password pair, the A d v computes { M 1 i , M 2 i , T 1 , b i , M 2 i } can be masquerading. The detailed steps are as following.
Step 1: After off-line guessing attacks, A d v obtains valid values M i and N i . Then, A d v can compute d i = M 1 i h ( M i | | N i | | T 1 ) to obtain d i , where M 1 i is transmitted to the public channel.
Step 2: Then, A d v also can compute M 2 i = h ( M i | | N i | | d i ) .
Step 3: Therefore, A d v can compute M 1 i , T 1 , b i , and M 2 i . This means that A d v can impersonate the valid user. So, we can say that Amintoosi et al.’s protocol is not secure against impersonation attacks.

4.3. Cryptanalysis of Hajian et al.’s Protocol

In this section, we show that Hajian et al.’s protocol [27] is vulnerable to device capture attacks, device impersonation attacks, and session key disclosure attacks.

4.3.1. Device Impersonation Attacks

The adversary A d v can obtain the { S I D j , x j , f j } stored in S D through a device capture attack. After that, A d v can impersonate as a valid S D by generating a message using the obtained values. After the device capture attacks, the detailed steps of the A d v ’s device impersonation attack are as follows:
Step 1: A d v obtains the values { M 2 , T 1 } via the message sent to the public channel. Then, A d v can obtain K j through computing K j = h ( x j | | f j | | T 1 ) M 2 .
Step 2: A d v can compute the legitimate V 2 = h ( S I D j | | ( x j | | f j ) | | K j | | T 1 ) . Finally, A d v can compute the valid response message { M 2 , V 2 } . Thus, we can say that A d v can conduct device impersonation attacks.

4.3.2. Session Key Disclosure Attacks

After A d v conducts device impersonation attacks, A d v obtains x j , f j , and K j . A d v can calculate the session key using these values. Therefore, an attacker can perform session key disclosure attacks, and the detailed steps are as follows:
Step 1: A d v can learn values M 1 and M 5 through the message sent over the open channel. Then, A d v can compute M 5 h ( T 1 | | f j x j ) M 1 = ( K i | | T I D i n e w ) .
Step 2: Then, A d v can obtain K i and T I D i n e w .
Step 3: Therefore, A d v can compute the session key S K i j = h ( K i K j | | S I D j | | T I D i n e w ) . Thus, we can say that Hajian et al.’s protocol is not secure against session key disclosure attacks.

5. The Proposed PUFTAP-IoT

In this section, we describe the proposed PUFTAP-IoT. In the proposed protocol, we adopt PUF technology to withstand device capture attacks. Additionally, we also apply the user’s biometrics and h o n e y _ l i s t to prevent online-guessing and brute-force attacks. Accordingly, our protocol is observed to be secure against various attacks. Finally, we propose a lightweight protocol using XOR and hash functions to consider the resource limitations of sensing devices and to prevent system down.

5.1. Registration Phase

In order for a service user to use IoT services through a sensing device in an IoT environment, first, he/she must register his/her information in the gateway. Moreover, the sensing device also registers its information in the gateway. The registration phase for service users and sensing devices is shown in Figure 2, and the detailed registration phase is described below.

5.1.1. Service User Registration Phase

Service users create their own information through ID, password, and biometric information and register it with the gateway, and the gateway issues a smart card. Here are the detailed steps:
Step 1: The service user U i inputs his/her identity I D , password P W i , and imprints his/her biometrics B i . Then, U i generates α and R u and computes G e n ( B i ) = ( R i , P i ) , H I D i = h ( I D i | | R i ) , and H P W i = h ( I D i | | P W i | | R u | | R i ) . U i sends H I D i , H P W i α to the gateway G W through a secure channel.
Step 2: After receiving the registration request message, G W checks the uniqueness of H I D i . If it has the uniqueness, G W generates a random nonce R g w and G W computes A i = h ( H I D i | | K g w | | R g w ) , B i = A i ( H P W i α ) , and C i = h ( A i | | H I D i ) . Then, G W generates the temporary service user’s identity T H I D i and stores { ( H I D i , T H I D i ) , R g w , h o n e y _ l i s t = n u l l } in its secure database. G W issues the smart card S C = B i , C i , T H I D i to U i via a secure channel.
Step 3: U i computes L i = h ( I D i | | P W i | | R i ) R u , B i = B i α = A i H P W i , and C i = h ( C i | | H P W i ) . Then, U i deletes B i and C i in S C and stores L i , B i , and C i in S C .

5.1.2. Sensing Device Registration Phase

The sensing device S D j utilizes the P U F function for registration and registers its own information with G W . The detailed registration steps are as follows:
Step 1: S D j picks its identity S I D j and P U F ’s challenge C j . S D j generates a random nonce R s d and computes R e q j = S I D j h ( R s d ) , R j = P U F ( C j ) , G e n ( R j ) = S D R j , S D P j , and H S I D j = h ( S I D j | | S D R j ) . After that, S D j transmits R e q j , R s d , H S I D j , C j to G W through a closed channel.
Step 2: G W computes S I D j = R e q j h ( R s d ) and G W generates a random secret key R K j . G W also computes P S I D j = h ( H S I D j | | R K j ) and S I j = h ( P S I D j | | h ( K g w | | R K j ) . Finally, G W stores { ( H S I D j , P S I D j ) , R K j , C j } in its database and transmits P S I D j , S I j to S D j through a closed channels.
Step 3: After receiving the message, S D j stores { S I D j , P S I D j , S I j , S D P j } .

5.2. Login and Authentication Phase

U i sends an authentication request message to G W after login through his/her smart card and credential information. After confirming this, G W sends an authentication message to the corresponding S D j , and each entity authenticates the response message. When authentication is completed, U i , G W , and S D j agree on a session key S k e y , and secure communication can be guaranteed later through S k e y . In addition, U i and G W update T H I D i to T H I D i n e w when authentication and key agreement are successful. The detailed formula is as follows, and the entire steps are summarized in Figure 3:
Step 1: The service user U i inserts S C and inputs I D i , P W i , and B i . Then, S C computes R e p ( B i , P i ) = R i , H I D i = h ( I D i | | R i ) , R u = L i h ( I D i | | P W i | | R i ) , H P W i = h ( I D i | | P W i | | R u | | R i ) , A i = B i H P W i , and C i * = h ( h ( A i | | H I D i | | H P W i ) . S C checks C i = C i * . If it is correct, S C generates a random nonce N u and timestamp T 1 . After that, S C computes M s g 1 = h ( h ( N u | | A i ) | | A i | | H I D i | | P S I D j ) , V 1 = h ( N u | | A i ) h ( H I D i | | A i | | T 1 ) . U i sends the message M s g 1 , V 1 , T 1 , T H I D i , P S I D j through an open channel.
Step 2: When G W receives the request message, G W checks | T 1 T 1 * | < Δ T . G W retrieves H I D i corresponding to T H I D i and G W computes A i = h ( H I D i | | K g w | | R g w ) , h ( N u | | A i ) = h ( H I D i | | A i | | T 1 ) V 1 , M s g 1 * = h ( h ( N u | | A i ) | | A i | | H I D i | | P S I D j ) . Then, G W checks if M s g 2 = M s g 2 * . If it is not same, G W inserts A i * into h o n e y _ l i s t . Otherwise, G W retrieves ( C j , R K j ) corresponding to P S I D j . G W generates a random nonce N g and timestamp T 2 and computes S I j = h ( P S I D j | | h ( K g w | | R K j ) ) , V 2 = C j h ( P S I D j | | S I j ) , V 3 = h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) h ( H S I D j | | C j | | S I j ) , and M s g 2 = h ( h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) | | T 2 | | H S I D j | | C j | | S I j ) . After computing, G W sends M s g 2 , V 2 , V 3 , T 2 ) to S D j via an open wireless channel.
Step 3: S D j checks | T 2 T 2 * | < Δ T . Then, S D j computes C j = V 2 h ( P S I D j | | S I j ) , P U F ( C j ) = R j , R e p ( R j , S D P j ) = S D R j , H S I D j = h ( S I D j | | S D R j ) , K g s ( = h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) ) = V 3 h ( H S I D j | | C j | | S I j ) , and M s g 2 * = h ( K G S | | T 2 | | H S I D j | | C j | | S I j ) . Then, S D j checks M s g 2 = M s g 2 * . If it is the same, S D j generates a random nonce N s d and timestamp T 3 and S D j computes a session key S k e y = h ( N s d | | K g s ) . S D j also computes V 4 = S k e y h ( H S I D j | | S I j | | C j | | T 3 ) and M s g 3 = h ( C j | | H S I D j | | S k e y ) . After that, S D j sends the response message M s g 3 , V 4 , T 3 to G W .
Step 4: G W computes the session key S k e y = V 4 ( H S I D j | | S I j | | C j | | T 3 ) , and computes M s g 3 * = h ( C j | | H S I D j | | S k e y ) . Then, G W checks if M s g 3 = M s g 3 * . If it verifies, G W computes T H I D i n e w = h ( h ( N u | | A i ) | | N g | | T H I D i ) , V 5 = S k e y h ( h ( N u | | A i ) | | H I D i ) , V 6 = T H I D i n e w h ( H I D i | | T H I D i | | h ( N u | | A i ) ) , and M s g 4 = h ( S k e y | | T H I D i n e w ) . After computing, G W transmits M s g 4 , V 5 , V 6 to U i through an insecure channel.
Step 5: After receiving the response message, U i computes a session key S k e y = V 5 h ( h ( N u | | A i ) | | H I D i ) . Additionally, U i also computes V 6 = T H I D i n e w h ( H I D i | | T H I D i | | h ( N u | | A i ) ) and M s g 4 * = h ( S k e y | | T H I D i n e w ) . Then, U i checks if M s g 4 = M s g 4 * . If it is correct, the session key is authentic, and U i and G W update T H I D i n e w .

5.3. Service User Password and Biometrics Update Phase

Assume that the service user U i wants to use S C to change to a new password and biometrics. Specifically, this phase runs locally without any additional connections to G W , reducing computation and communication overhead. The following steps are the password and biometrics update process:
Step 1: The service user U i inputs his/her identity I D and password P W i and imprints his/her biometrics B i . Then, S C computes R e p ( B i , P i ) = R i , H I D i = h ( I D i | | R i ) , R u = L i h ( I D i | | P W i | | R i ) , H P W i = h ( I D i | | P W i | | R u | | R i ) , A i = B i H P W i , a n d C i * = h ( h ( A i | | H I D i | | H P W i ) . S C checks C i = C i * . If it is valid, S C asks U i to enter the new password and biometrics.
Step 2: U i enters a new password P W i n e w and new biometrics B i n e w . S C proceeds to compute parameters G E N ( B i n e w ) = ( R i n e w , P i n e w ) , H P W i n e w = h ( I D i | | P W i n e w | | R u | | R i n e w ) , L i n e w = h ( I D i | | P W i n e w | | R i n e w ) R u , B i n e w = B i H P W i H P W i n e w , and C i n e w = h ( C i | | H P W i ) . Then, S C replaces L i , B i , and C i with L i n e w , B i n e w , and C i n e w .

6. Security Analysis

In this section, we analyze the security of PUFTAP-IoT. We first show that the protocol is safe against various attacks through informal analysis. In addition, we prove that mutual authentication and session key agreement of the protocol can be safely achieved through the universally used BAN logic and ROR model. Finally, we demonstrate the security of PUFTAP-IoT on a wireless network using the scyther simulation tool.

6.1. Informal Security Analysis

Here, we perform an informal (non-mathematical) security analysis to show that PUFTAP-IoT is safe against various attacks and also provides various security features.

6.1.1. Offline and Online-Guessing Attacks

Assume that the adversary A d v obtains the U i ’s S C and attempts an offline-guessing attack using parameters { L i , B i , C i , T H I D i } in S C . However, since A d v is the value that R i should be calculated as, the biometric of U i , R u = L i h ( I D i | | P W i | | R i ) could not be calculated. Moreover, A d v tries an online-guessing attack for obtaining U i ’s sensitive information. Unfortunately, the attacker does not know if the correct ID and password were guessed because of the h o n e y _ l i s t stored on the gateway system. Moreover, PUFTAP-IoT is safe from online-guessing attacks because the session is terminated when the threshold of h o n e y _ l i s t is exceeded. Therefore, PUFTAP-IoT is safe against offline- and online-guessing attacks.

6.1.2. Service User Anonymity

If A d v steals U i ’s S C and obtains values stored in S C , A d v tries to obtain U i ’s real identity, pseudo-identity or temporary identity. However, A d v cannot obtain the ID of U i and H I D i because H I D i is masked by the hash function and R i . Although T H I D i is transmitted through the public channel, T H I D i n e w is updated by G W when authentication and key agreement are successful. In addition, T H I D i n e w is masked with N u and N g , and these values change every session. Therefore, PUFTAP-IoT can safely guarantee the anonymity of service users.

6.1.3. Impersonation Attack

In order for A d v to disguise U i , G W , and S D j , A d v must be able to compute the messages sent to the public channel. Messages sent from PUFTAP-IoT to public channels change per session due to random values N u , N s , and N s d and timestamps. In addition, T H I D i is also updated to T H I D i n e w when the authentication is successful, so A d v cannot calculate the correct message. Therefore, PUFTAP-IoT is resistant to impersonation attacks.

6.1.4. Sensing Device Physical Capture Attack

When A d v performs a physical capture attack on S D j , A d v can obtain { S I D j , P S I D j , S I j , S D P j } stored in S D j . However, A d v cannot calculate the correct session key through these parameters. In order for A d v to calculate the session key, K g s ( = h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) ) = V 3 h ( H S I D j | | C j | | S I j ) must be calculated. However, since A d v cannot obtain R j , A d v cannot compute S D R j . Therefore, A d v is not able to compute H S I D j = h ( S I D j | | S D R j ) . This is because R j is a value created by the P U F function, and the P U F is a function that is a physically unclonable circuit and cannot be duplicated. Therefore, PUFTAP-IoT is safe against sensing device physical capture attacks.

6.1.5. Replay and Man-in-the-Middle Attack

We assume that A d v obtains messages transmitted over a public channel and information of U i ’s S C and S D j . However, A d v cannot compute U i ’s valid message as mentioned in Section 6.1.3. Additionally, A d v also cannot generate S D j ’s valid messages according to Section 6.1.4. Additionally, every message changes with N u , N g , a n d N s d and timestamps every session. Therefore, we can say that PUFTAP-IoT is secure against replay and man-in-the-middle attacks.

6.1.6. Stolen Verifier Attack

Suppose A d v obtains the G W verification tables { H I D i , T H I D i , R g w , h o n e y _ l i s t = n u l l } and { H S I D j , P S I D j , R K j , C j } to compute the session key S k e y or perform impersonation attacks. However, A d v cannot compute A i = h ( H I D i | | K g w | | R g w ) and S I j = h ( P S I D j | | h ( K g w | | R K j ) without G W ’s secret key K g w . Furthermore, due to the nature of the PUF function, A d v cannot compute R j = P U F ( C j ) . Therefore, A d v cannot perform session key and impersonation attacks. Accordingly, we can say that PUFTAP-IoT is resistant to stolen verifier attacks.

6.1.7. Perfect Forward Secrecy

Assuming that G W ’s secret key K g w , is leaked to A d v , A d v can try to calculate S k e y through K g w . However, since A i and S I j are masked with K g w as well as R g w and R K j which are secret keys generated for each entity, A d v cannot compute A i and S I j . Therefore, since A d v cannot calculate valid S k e y , PUFTAP-IoT can guarantee perfect forward secrecy.

6.1.8. Session-Specific Random Number Leakage Attack

Assume that N u , N g , a n d N s d , which are random nonces generated in the session, were leaked to A d v . With these values, A d v will try to compute S k e y . However, A d v cannot compute the session key S k e y = h ( N s d | | h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) ) . To calculate a valid S k e y , A i and S I j must be calculated, but as mentioned in the Sections above, A i and S I j cannot be calculated by A d v . Therefore, PUFTAP-IoT is safe against session-specific random number leakage attacks.

6.1.9. Session Key Disclosure Attack

A d v wants to compute the S k e y for obtaining sensitive information. However, as discussed in Section 6.1.6, Section 6.1.7 and Section 6.1.8, A d v cannot compute the valid S k e y because of the computationally infeasible problem. Thus, PUFTAP-IoT prevents session key disclosure attacks.

6.1.10. Mutual Authentication

In PUFTAP-IoT, all entities authenticate each other by verifying messages containing M s g 1 , M s g 2 , M s g 3 , and M s g 4 . Moreover, these messages are changed with random numbers and current timestamps. After all entities authenticate each other, they compute the same S k e y . Thus, PUFTAP-IoT guarantees mutual authentication.

6.2. BAN Logic

For proving that PUFTAP-IoT is able to provide secure authentication, we conduct BAN logic [32]. The notations used in BAN logic are shown in Table 2, and the five rules used are as follows [43,44,45]:
1. 
Jurisdiction rule:
χ ω ε , χ ω ε χ | ε
2. 
Message meaning rule:
χ | χ K ω , χ ε K χ B ε
3. 
Nonce verification rule:
χ # ( ε ) , χ ω | ε χ ω ε
4. 
Belief rule:
χ | ε , F χ | ε
5. 
Freshness rule:
χ | # ( ε ) χ | # ε , F
To implement BAN logic, we describe logical rules, goals, assumptions, and ideal forms, thereby proving that PUFTAP-IoT provides secure mutual authentication.

6.2.1. Goals

In order to prove that secure mutual authentication is achieved, the following goals must be achieved:
Goal 1: 
U i | ( U i S k e y G W )
Goal 2: 
U i | G W | ( U i S k e y G W )
Goal 3: 
G W | ( U i S k e y G W )
Goal 4: 
G W | U i | ( U i S k e y G W )
Goal 5: 
S D j | ( S D j S k e y G W )
Goal 6: 
S D j | G W | ( S D j S k e y G W )
Goal 7: 
G W | ( S D j S k e y G W )
Goal 8: 
G W | S D j | ( S D j S k e y G W )

6.2.2. Idealized Forms

The idealized forms are:
M 1 :
  U i G W : { h ( N u | | A i ) } H I D i
M 2 :
  G W S D j : { h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) } S I j
M 3 :
  S D j G W : { h ( N s d | | K g s ) } S I j
M 4 :
  G W U i : { h ( N s d | | K g s ) } H I D i

6.2.3. Assumptions

The following assumptions are generated for the initial state of PUFTAP-IoT to achieve the BAN logic proof:
A 1 :
  G W | U i H I D i G W
A 2 :
  G W | # ( N u )
A 3 :
  S D j | G W S I j S D j
A 4 :
  S D j | # ( N g )
A 5 :
  G W | G W S I j S D j
A 6 :
  G W | # ( N s d )
A 7 :
  U i | U i H I D i G W
A 8 :
  U i | # ( N g )
A 9 :
  U i | G W | ( U i S k e y G W )
A 10 :
  G W | U i | ( U i S k e y G W )
A 11 :
  S D j | G W | ( S D j S k e y G W )
A 12 :
  G W | S D j | ( S D j S k e y G W )

6.2.4. Proof

The main proof using the rules and assumptions of BAN logic is:
Step 1:
S 1 can be obtained from M 1 .
S 1 : G W { h ( N u | | A i ) } H I D i
Step 2:
S 2 can be obtained by applying the M M R with A 1 .
S 2 : G W | U i | { h ( N u | | A i ) } H I D i
Step 3:
S 3 can be gained from the F R with S 2 and A 2 .
S 3 : G W | # ( h ( N u | | A i ) )
Step 4:
S 4 can be acquired by applying the N V R with S 2 and S 3 .
S 4 : G W | U i | ( h ( N u | | A i ) )
Step 5:
S 5 can be obtained from M 2 .
S 5 : S D j { h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) } S I j
Step 6:
S 6 can be gained from M M R with S 5 and A 3 .
S 6 : S D j | G W | { h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) } S I j
Step 7:
S 7 can be obtained by applying F R with S 6 and A 4 .
S 7 : S D j | # ( h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) )
Step 8:
S 8 can be obtained from N V R with S 6 and S 7 .
S 8 : S D j | G W | ( h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) )
Step 9:
S 9 can be obtained from M 3 .
S 9 : G W { h ( N s d | | K g s ) } S I j
Step 10:
S 10 can be gained from M M R with S 9 and A 5 .
S 10 : G W | S D j | { h ( N s d | | K g s ) } S I j
Step 11:
S 11 can be obtained by applying F R with S 10 and A 6 .
S 11 : G W | # ( h ( N s d | | K g s ) )
Step 12:
S 12 can be obtained from N V R with S 10 and S 11 .
S 12 : G W | S D j | ( h ( N s d | | K g s ) )
Step 13:
S 13 can be obtained from M 4 .
S 13 : U i { h ( N s d | | K g s ) } H I D i
Step 14:
S 14 can be obtained from M M R with S 13 and A 7 .
S 14 : U i | G W | { h ( N s d | | K g s ) } H I D i
Step 15:
S 15 can be obtained from F R with S 14 and A 8 , since K g s = h ( h ( N u | | A i ) | | h ( N g | | S I j ) ) .
S 15 : U i | # ( h ( N s d | | K g s ) )
Step 16:
S 16 can be obtained from N V R with S 14 and S 15 .
S 16 : U i | G W | ( h ( N s d | | K g s ) )
Step 17:
S 17 and S 18 can be obtained from S 8 and S 12 since S k e y = h ( N s d | | K g s ) .
S 17 : S D j | G W | ( S D j S k e y G W ) ( Goal 6 )
S 18 : G W | S D j | ( S D j S k e y G W ) ( Goal 8 )
Step 18:
S 19 and S 20 can be obtained by applying J R from S 17 , S 18 , A 11 , and A 12 .
S 19 : S D j | ( S D j S k e y G W ) ( Goal 5 )
S 20 : G W | ( S D j S k e y G W ) ( Goal 7 )
Step 19:
S 21 and S 22 can be obtained from S 4 and S 16 since S k e y = h ( N s d | | K g s ) .
S 21 : U i | G W | ( U i S k e y G W ) ( Goal 2 )
S 22 : G W | U i | ( U i S k e y G W ) ( Goal 4 )
Step 20:
S 23 and S 24 can be obtained by applying J R from S 21 , S 22 , A 9 , and A 10 .
S 23 : U i | ( U i S k e y G W ) ( Goal 1 )
S 24 : G W | ( U i S k e y G W ) ( Goal 3 )
Therefore, we prove that PUFTAP-IoT can satisfy all goals of BAN logic. Accordingly, it can be said that PUFTAP-IoT can guarantee secure mutual authentication.

6.3. ROR

We use the ROR model [33] to describe the semantic security of PUFTAP-IoT. We demonstrate that session key security can be guaranteed through the ROR model [46,47,48]. This section briefly describes the ROR model and presents a proof of the protocol’s session key security in Theorem 1. PUFTAP-IoT in the ROR model has three participants P t , which are service user P U i t 1 , gateway m a t h c a l P G W t 2 , and sensing device P S j t 3 . Additionally, for each participant, tth represents an instance of the running participant. We assume that an attacker A d v can modify, remove, insert or learn messages sent during communication. In the ROR model, various queries are defined to simulate real-world attacks, E x e c u t e , C o r r u p t S C , R e v e a l , S e n d , and T e s t queries. A detailed description of the query follows:
  • E x e c u t e ( P U i t 1 , P G W t 2 , P S D j t 3 ) : A d v conducts E x e c u t e query to obtain messages sent over insecure channels between U i , G W , and S D j .
  • C o r r u p t S C ( P U i t 1 ) : C o r r u p t S C indicates that A d v can obtain information stored in the smart card of U i .
  • R e v e a l ( P t ) : R e v e a l ( P t ) is that A d v returns the session key S k e y between P U i t 1 , P G W t 2 , and P S D j t 3 . S k e y is safe if A d v reveals S k e y using the R e v e a l ( P t ) query.
  • S e n d ( P t , M ) : S e n d query allows A d v to transmit the M message to P t and receive a response.
  • T e s t ( P t ) : A fair coin f c is tossed before the game starts, and the result is known only to A d v . A d v uses this result to determine T e s t query. If A d v conducts this query and S k e y is fresh, P t will return S k e y for f c = 1 or a random nonce for f c = 0. Otherwise, P t returns a null (⊥).
After A d v conducts T e s t query on participants, A d v has to separate resulting values. A d v checks the consistency of the random bit f c through the output of the T e s t query. For A d v to win the game, the guessed bit f c must equal f c . Additionally, the collision-resistant one-way hash function h ( · ) is accessible to all participants. Model h ( · ) is a random oracle H a s h .

Security Proof

Theorem 1.
A d v can obtain information by breaking the session key security. Mark the advantage of A d v running in polynomial time as A d v t . Then, we obtain:
A d v t q h 2 | H a s h | + q p 2 | P U F | + 2 m a x { C · q s s , q s 2 l D }
Here, q h , q p , and q s are the number of H a s h , P U F , and S e n d queries, respectively. | H a s h | and | P U F | are the range space of the hash function h ( · ) and P U F function P U F ( · ) , respectively. In addition, C and s denote Zipf’s parameters, and l D is the number of bits in the biometric B i of U i .
Proof. 
We run four sequence games G M i to prove session key security, where i [ 0 , 4 ] . S u c c A d v , i represents the event that A d v wins G M i by correctly guessing any bit f c . The advantage of A d v winning the game G M i is denoted by P r [ S u c c A d v , G M i ] . Each game is described below.
  • G M 0 : A d v can execute a real attack on PUFTAP-IoT through this game. A d v selects f c at the beginning of G M 0 . Then, according to this game, we obtain:
    A d v t = | 2 P r [ S u c c A d v , G M 0 ] 1 |
  • G M 1 : A d v conducts the E x e c u t e ( P U i t 1 , P G W t 2 , P S D j t 3 ) query through this game and eavesdrops transmitted messages < M s g 1 , V 1 , T 1 , T H I D i , P S I D j > , < M s g 2 , V 2 , V 3 , T 2 > , < M s g 3 , V 4 > , and < M s g 4 , V 5 , V 6 > . A d v then checks whether the derived S k e y is real to execute R e v e a l and T e s t queries. In PUFTAP-IoT, the session key consists of S k e y = h ( N s d | | K g s ) . To derive S k e y , A d v must know the ID and random numbers of U i , G W , and S D j . As a result, A d v never increases the probability of winning G M 1 . Thus, G M 0 and G M 1 can be considered indistinguishable, and we obtain:
    P r [ S u c c A d v , G M 1 ] = P r [ S u c c A d v , G M 0 ]
  • G M 2 : To obtain S k e y , A d v conducts H a s h and S e n d queries. A d v can modify exchanged messages to carry out active attacks. However, all exchanged messages are protected using the one-way hash function h ( · ) and consist of secret credentials and random numbers. Moreover, it is difficult for A d v to derive secret credentials and a random nonce because it is a computationally infeasible problem depending on the properties of h ( · ) . So, using the birthday paradox, we obtain:
    | P r [ S u c c A d v , G M 2 ] P r [ S u c c A d v , G M 1 ] | q h 2 2 | H a s h |
  • G M 3 : It is similar to G M 2 . A d v conducts S e n d and P U F queries. As described in Section 3.3, P U F ( · ) has security properties. So, we can obtain the following result:
    | P r [ S u c c A d v , G M 3 ] P r [ S u c c A d v , G M 2 ] | q p 2 2 | P U F |
  • G M 4 : In G M 4 , A d v can try to obtain S k e y with the C o r r u p t S C query. By the C o r r u p t S C query, A d v can extract sensitive values { L i , B i , C i , T H I D i } stored on the smart card of U i . L i , B i , and C i are expressed as L i = h ( I D i | | P W i | | R i ) R u , B i = B i α = A i H P W i , and C i = h ( C i | | H P W i ) . Since A d v has no knowledge of identity I D i and password P W i , A d v must guess these parameters from the extracted values. However, it is computationally infeasible for A d v to guess ID, password, and B i simultaneously. Thus, G M 3 and G M 4 are indistinguishable. By utilizing Zipf’s law, we can obtain:
    | P r [ S u c c A d v , G M 4 ] P r [ S u c c A d v , G M 3 ] | m a x { C · q s e n d s , q s 2 l D }
    Now that all the games were run, A d v has to guess the bit to win the game. Thus, we can obtain following results:
    P r [ S u c c A d v , G M 4 ] = 1 2
    From Equations (1) and (2), we obtain the result as follows:
    1 2 A d v t = | P r [ S u c c A d v , G M 0 1 2 ] | = | P r [ S u c c A d v , G M 1 1 2 ] | .
    With Equations (5) and (6), we derive the below equation:
    1 2 A d v t = | P r [ S u c c A d v , G M 1 ] P r [ S u c c A d v , G M 4 ] | .
    Using the trigonometric inequality, we can obtain the results of Equations (4), (5), and (7).
    1 2 A d v t = | P r [ S u c c A d v , G M 1 ] P r [ S u c c A d v , G M 4 ] | | P r [ S u c c A d v , G M 1 ] P r [ S u c c A d v , G M 3 ] | + | P r [ S u c c A d v , G M 3 ] P r [ S u c c A d v , G M 4 ] | | P r [ S u c c A d v , G M 1 ] P r [ S u c c A d v , G M 2 ] | + | P r [ S u c c A d v , G M 2 ] P r [ S u c c A d v , G M 3 ] | + | P r [ S u c c A d v , G M 3 ] P r [ S u c c A d v , G M 4 ] | q h 2 2 | H a s h | + q p 2 2 | P U F | + m a x { C · q s e n d s , q s 2 l D }
    Finally, multiply both sides of Equation (8) by 2 to obtain the desired result.
    A d v t q h 2 | H a s h | + q p 2 | P U F | + 2 m a x { C · q s e n d s , q s 2 l D }
Therefore, we prove Theorem 1. □

6.4. Scyther Tool Simulation

In this section, we simulate IoT-PUFTAP using the scyther tool [34]. The scyther tool is a push-button tool to verify and analyze various security protocols. It supports unbounded model checking and multi-protocol analysis and provides a graphical user interface (GUI) to trace security vulnerabilities [49]. We validated the proposed protocol using the scyther tool according to the specifications below:
  • Scyther tool checks security attack classes and possible protocol behaviors of the proposed protocol based on a pattern refinement algorithm.
  • Scyther tool traces the most efficient and optimal security attacks through the “Find best attacks” setting.
  • Scyther tool analyzes the security of the proposed protocol using claim events, including “Secret”, “Alive”, “Weakagree”, “Niagree”, and “Nisynch”.
  • To support multiple executions of protocols in the scyther tool, the “Maximum number of run” and “Maximum number of patterns per claim” parameters are set to 5 and 10, respectively.
To simulate IoT-PUFTAP, we write code in “Security Protocol Description Language (SPDL)”. After that, the scyther tool simulates the “Secret”, “Alive”, “Weakagree”, “Niagree”, and “Nisynch” claim events under the DY model. Note that the claim event “Secret” means that the parameter can ensure confidentiality during the authentication phase. The claim event “Alive” denotes that the participants are alive and running the protocol in same session. “Weakagree” can be satisfied when participants actually communicate with a legal participant. “Niagree” can be guaranteed when participants agree on the exchanged parameters. “Nisynch” is the non-injective synchronization claim event, which means that messages are exchanged from legal participants in appropriate sequence. We conducted simulation on a Ubuntu 20.04.2 LTS virtual machine with an Intel Core i3-8100 3.60 GHz CPU and 16.0 GM of RAM.

6.4.1. Scyther Framework

Figure 4 shows the basic framework of the scyther tool. Firstly, we describe the proposed protocol into the scyther GUI according to the syntax of SPDL. Then, the scyther command-line tool performs the security validation using claim events. Finally, the command-line tool outputs the summary reports and trace class graphs. When the protocol satisfies each claim event, the result window displays the “OK” message and “No attacks” comment.

6.4.2. SPDL Specification

Figure 5 shows the PUFTAP-IoT written in SPDL code. In PUFTAP-IoT, there are three roles: user U I , gateway G W N , and sensing device S D J . The user U I sends an authentication request message { M s g 1 , V 1 , T 1 , T H I D i , P S I D j } to the G W N using the s e n d 1 function. Then, G W N receives the message using the r e c v 1 function and sends { M s g 2 , V 2 , V 3 , T 2 } to the S D J . The S D J computes the session key S k e y and returns { M s g 3 , V 4 , T 3 } . The G W N transmits { M s g 4 , V 5 , V 6 } to the U I .

6.4.3. Simulation Result

Figure 6 indicates the simulation result of PUFTAP-IoT. The result shows that each role is not exposed to security attacks and ensures the “Secret”, “Alive”, “Weakagree”, “Niagree”, and “Nisynch” claim events. Therefore, we can demonstrate that PUFTAP-IoT can resist security vulnerabilities and ensure mutual authentication between each participant.

7. Efficiency Analysis

In this section, we compare computation cost, communication cost, and security aspects with other relevant papers to prove the efficiency of PUFTAP-IoT.

7.1. Security and Functionality Features Comparison

In this section, we compare PUFTAP-IoT with the related existing protocols in terms of speculation, replay and man-in-the-middle, spoofing, guessing, known session-specific temporary information (KSSTI), device capture, device impersonation, and session key disclosure attacks and security features such as anonymity, forward secrecy, and secure mutual authentication. Table 3 indicates that the existing protocols do not meet all security requirements. On the other hand, PUFTAP-IoT meets all essential security requirements for communication in IoT environment.

7.2. Computation Cost Comparison

We cited [50,51] to compare and analyze computation cost with other authentication protocols. Accordingly, we hypothesized notations and times for cryptographic functions and functional functions as follows: T h , T r g , T p u f , and T f as the execution time needed for hash function, random nonce generation, PUF function, and fuzzy extraction, where T h , T r g , T p u f , and T f are 0.23 ms, 53.9 ms, 12ms, and 2.68 ms, respectively. Table 4 briefly shows the comparison results.

7.3. Communication Cost Comparison

In this section, we compare the cost of communication with other authentication protocols. We assume that each value according to [52]: SHA-1 hash digest, entities’ identity, random nonce, and timestamp is 160, 160, 128, and 32 bits, respectively. Based on this assumption, the communication cost of PUFTAP-IoT is analyzed. Messages { M s g 1 , V 1 , T 1 , T H I D i , P S I D j } , { M s g 2 , V 2 , V 3 , T 2 } , { M s g 3 , V 4 , T 3 } , and { M s g 4 , V 5 , V 6 } require (160 + 160 + 32 + 160 + 160 = 592), (160 + 160 + 160 + 32 = 512), (160 + 160 + 32 = 352), and (160 + 160 + 160 = 480) bits, respectively. Thus, the total communication cost requires 592 + 512 + 253 + 480 = 1837 bits. Table 5 is the analysis of the communication cost consumption of different protocols.

7.4. Results of Comparison

The results of the comparative analysis of PUFTAP-IoT and other papers in terms of security, computation cost, and communication cost are as follows. Although PUFTAP-IoT has a higher computational cost compared with authentication protocols in other papers, the communication cost is similar or lower. Moreover, from a security point of view, PUFTAP-IoT is safe against a variety of attacks and can provide security for guessing, brute-force, and device capture attacks using three-factor, PUF, h o n e y _ l i s t , etc. Therefore, PUFTAP-IoT can provide very secure services to service users in the IoT environment, even though the computation cost is higher than other authentication protocols.

8. Conclusions

With the development of WSN and IoT, areas using IoT are gradually expanding. Therefore, a secure authentication protocol is required to provide secure IoT services. In this paper, we analyze the security vulnerabilities of two-factor and three-factor authentication protocols in various IoT-based environments. To compensate for the security vulnerabilities of these protocols, we proposed PUFTAP-IoT, which applied PUF, h o n e y _ l i s t , and three-element technology. We used BAN logic to prove that PUFTAP-IoT can provide secure mutual authentication. We also demonstrated that PUFTAP-IoT can achieve Sean key security through the ROR model. In addition, the scyther simulation tool was used to show that the proposed protocol is safe against various attacks in a wireless network environment. In addition, as a result of the performance analysis of the protocol, it was found that it provides a more secure service in the IoT environment compared with other authentication protocols. In conclusion, PUFTAP-IoT is safer for real-world applications in IoT environments than other related technologies. In the future, based on the proposed protocol, we will analyze the network delay and through put of the protocol through programming and simulation and apply the developed protocol to the real environment to develop better protocols.

Author Contributions

Conceptualization, J.L.; formal analysis, J.L., D.K. and J.O.; methodology, J.L. and Y.P.; software M.K., D.K. and J.O.; validation, S.Y. and N.-S.J.; writing—original draft, J.L.; writing—review and editing, S.Y. and N.-S.J.; supervision, Y.P. All authors have read and agreed to the published version of the manuscript.

Funding

This research was supported in part by the National Research Foundation of Korea (NRF) funded by the Ministry of Education under grant 2020R1I1A3058605 and in part by the Electronics and Telecommunications Research Institute (ETRI) grant funded by the Korean Government (20ZR1300, Core Technology Research on Trust Data Connectome).

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

References

  1. Zhang, Y.; Zhao, H.; Xiang, Y.; Huang, X.; Chen, X. A key agreement scheme for smart homes using the secret mismatch problem. IEEE Internet Things J. 2019, 6, 10251–10260. [Google Scholar] [CrossRef]
  2. Rashid, B.; Rehmani, M.H. Applications of wireless sensor networks for urban areas: A survey. J. Netw. Comput. Appl. 2016, 60, 192–219. [Google Scholar] [CrossRef]
  3. Pierce, F.J.; Elliott, T.V. Regional and on-farm wireless sensor networks for agricultural systems in Eastern Washington. Comput. Electron. Agric. 2008, 61, 32–43. [Google Scholar] [CrossRef]
  4. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.P.C.; Park, Y. AKM-IoV: Authenticated key management protocol in fog computing-based Internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817. [Google Scholar] [CrossRef]
  5. Kwon, D.; Yu, S.; Lee, J.; Son, S.; Park, Y. WSN-SLAP: Secure and lightweight mutual authentication protocol for wireless sensor networks. Sensors 2021, 21, 936. [Google Scholar] [CrossRef]
  6. Fu, X.; Wang, Y.; Yang, Y.; Postolache, O. Analysis on cascading reliability of edge-assisted Internet of Things. Reliab. Eng. Syst. Saf. 2022, 223, 108463. [Google Scholar] [CrossRef]
  7. Fu, X.; Pace, P.; Aloi, G.; Li, W.; Fortino, G. Cascade Failures Analysis of Internet of Things under Global/Local Routing Mode. IEEE Sensors J. 2021, 22, 1705–1719. [Google Scholar] [CrossRef]
  8. Das, M.L. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090. [Google Scholar] [CrossRef]
  9. He, D.; Gao, Y.; Chan, S.; Chen, C.; Bu, J. An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sensor Wirel. Netw. 2010, 10, 361–371. [Google Scholar]
  10. Kumar, P.; Lee, H.J. Cryptanalysis on two user authentication protocols using smart card for wireless sensor networks. In Proceedings of the Wireless Advanced, London, UK, 20–22 June 2011; pp. 241–245. [Google Scholar]
  11. Turkanović, M.; Brumen, B.; Hölbl, M. A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw. 2014, 20, 96–112. [Google Scholar] [CrossRef]
  12. Amin, R.; Biswas, G.P. A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw. 2016, 36, 58–80. [Google Scholar] [CrossRef]
  13. Wu, F.; Xu, L.; Kumari, S.; Li, X.; Shen, J.; Choo, K.R.; Wazid, M.; Das, A.K. An efficient authentication and key agreement scheme for multi-gateway wireless sensor networks in IoT deployment. J. Netw. Comput. Appl. 2017, 81, 72–85. [Google Scholar] [CrossRef]
  14. Shuai, M.; Yu, N.; Wang, H.; Xiong, L. Anonymous authentication scheme for smart home environment with provable security. Comput. Secur. 2019, 86, 132–146. [Google Scholar] [CrossRef]
  15. Zou, S.; Cao, Q.; Wang, C.; Huang, Z.; Xu, G. A Robust Two-Factor User Authentication Scheme-Based ECC for Smart Home in IoT. IEEE Syst. J. 2021, 16, 4938–4949. [Google Scholar] [CrossRef]
  16. Chunka, C.; Banerjee, S.; Goswami, R.S. An efficient user authentication and session key agreement in wireless sensor network using smart card. Wirel. Pers. Commun. 2021, 117, 1361–1385. [Google Scholar] [CrossRef]
  17. Kalra, S.; Sood, S.K. Advanced password based authentication scheme for wireless sensor networks. J. Inf. Secur. Appl. 2015, 20, 37–46. [Google Scholar] [CrossRef]
  18. Amintoosi, H.; Nikooghadam, M.; Shojafar, M.; Kumari, S.; Alazab, M. Slight: A lightweight authentication scheme for smart healthcare services. Comput. Elec. Eng. 2022, 99, 107803. [Google Scholar] [CrossRef]
  19. He, D.; Kumar, N.; Chen, J.; Lee, C.-C.; Chilamkurti, N.; Yeo, S.-S. Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimedia Syst. 2015, 21, 49–60. [Google Scholar] [CrossRef]
  20. Wu, F.; Xu, L.; Kumari, S.; Li, X. An improved and anonymous twofactor authentication protocol for health-care applications with wireless medical sensor networks. Multimedia Syst. 2017, 23, 195–205. [Google Scholar] [CrossRef]
  21. Wang, C.; Xu, G.; Li, W. A secure and anonymous two-factor authentication protocol in multiserver environment. Secur. Commun. Netw. 2018, 2018, 1–15. [Google Scholar] [CrossRef]
  22. Amin, R.; Islam, S.H.; Biswas, G.; Khan, M.K.; Leng, L.; Kumar, N. Design of an anonymity-preserving three-factor authenticated key exchange protocol for wireless sensor networks. Comput. Netw. 2016, 101, 42–62. [Google Scholar] [CrossRef]
  23. Jiang, Q.; Zeadally, S.; Ma, J.; He, D. Lightweight three-factor authentication and key agreement protocol for internet-integrated wireless sensor networks. IEEE Access 2017, 5, 3376–3392. [Google Scholar] [CrossRef]
  24. Ostad-Sharif, A.; Arshad, H.; Nikooghadam, M.; Abbasinezhad-Mood, D. Three party secure data transmission in IoT networks through design of a lightweight authenticated key agreement scheme. Future Gener. Comput. Syst. 2019, 100, 882–892. [Google Scholar] [CrossRef]
  25. Mo, J.; Chen, H. A lightweight secure user authentication and key agreement protocol for wireless sensor networks. Secur. Commun. Netw. 2019, 2019, 1–17. [Google Scholar] [CrossRef]
  26. Yu, S.; Park, Y. SLUA-WSN: Secure and lightweight three-factor-based user authentication protocol for wireless sensor networks. Sensors 2020, 20, 4143. [Google Scholar] [CrossRef]
  27. Hajian, R.; Erfani, S.H.; Kumari, S. A lightweight authentication and key agreement protocol for heterogeneous IoT with special attention to sensing devices and gateway. J. Supercomput. 2022, 1–43. [Google Scholar] [CrossRef]
  28. Aghili, S.F.; Mala, H.; Shojafar, M.; Peris-Lopez, P. LACO: Lightweight three-factor authentication, access control and ownership transfer scheme for e-health systems in IoT. Future Gener. Comput. Syst. 2019, 96, 410–424. [Google Scholar]
  29. Maes, R. Physically unclonable functions: Properties. In Physically Unclonable Functions; Springer: Berlin/Heidelberg, Germany, 2013; pp. 49–80. [Google Scholar]
  30. Juels, A.; Ristenpart, T. Honey encryption: Encryption beyond the brute-force barrier. IEEE Secur. Privacy 2014, 12, 59–62. [Google Scholar] [CrossRef]
  31. Juels, A.; Ristenpart, T. Honey encryption: Security beyond the brute-force bound. In Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, 11–15 May 2014; pp. 293–310. [Google Scholar]
  32. Burrows, M.; Abadi, M.; Needham, R. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36. [Google Scholar]
  33. Abdalla, M.; Fouque, P.-A.; Pointcheval, D. Password-based authenticated key exchange in the three-party setting. In Lecture Notes in Computer Science, Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC’05), Les Diablerets, Switzerland, 23–26 January 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 65–84. [Google Scholar]
  34. Scyther Tool—Cas Cremers. Available online: https://people.cispa.io/cas.cremers/scyther/ (accessed on 23 July 2022).
  35. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772. [Google Scholar] [CrossRef]
  36. Dolev, D.; Yao, A.C. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [Google Scholar] [CrossRef]
  37. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology; Springer Science+Business Media: Berlin, Germany; New York, NY, USA, 1999; pp. 388–397. [Google Scholar]
  38. Aman, M.N.; Chua, K.C.; Sikdar, B. Mutual authentication in IoT systems using physical unclonable functions. IEEE Internet Things J. 2017, 4, 1327–1340. [Google Scholar] [CrossRef]
  39. Frikken, K.B.; Blantonm, M.; Atallahm, M.J. Robust authentication using physically unclonable functions. In Proceedings of the International Conference on Information Security, Pisa, Italy, 7–9 September 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 262–277. [Google Scholar]
  40. Chatterjee, U.; Chakraborty, R.S.; Mukhopadhyay, D. A PUF-based secure communication protocol for IoT. ACM Trans. Embedded Comput. Syst. 2017, 16, 1–25. [Google Scholar] [CrossRef]
  41. Dodis, Y.; Reyzin, L.; Smith, A. Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In Lecture Notes in Computer Science, Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 523–540. [Google Scholar]
  42. Juels, A.; Rivest, R.L. Honeywords: Making password cracking detectable. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany, 4–8 November 2013; pp. 145–160. [Google Scholar]
  43. Lee, J.; Yu, S.; Park, K.; Park, Y.; Park, Y. Secure three-factor authentication protocol for multi-gateway IoT environments. Sensors 2019, 19, 2358. [Google Scholar] [CrossRef]
  44. Son, S.; Lee, J.; Park, Y.; Park, Y.; Das, A.K. Design of blockchain-based lightweight V2I handover authentication protocol for VANET. IEEE Trans. Netw. Sci. Eng. 2022, 9, 1346–1358. [Google Scholar] [CrossRef]
  45. Oh, J.; Yu, S.; Lee, J.; Son, S.; Kim, M.; Park, Y. A secure and lightweight authentication protocol for IoT-based smart homes. Sensors 2021, 21, 1488. [Google Scholar] [CrossRef]
  46. Yu, S.; Park, Y. A Robust Authentication Protocol for Wireless Medical Sensor Networks Using Blockchain and Physically Unclonable Functions. IEEE Internet Things J. 2022. [Google Scholar] [CrossRef]
  47. Kim, M.; Lee, J.; Oh, J.; Park, K.; Park, Y.; Park, K. Blockchain based energy trading scheme for vehicle-to-vehicle using decentralized identifiers. Appl. Energy 2022, 322, 119445. [Google Scholar] [CrossRef]
  48. Lee, J.; Kim, G.; Das, A.K.; Park, Y. Secure and efficient honey list-based authentication protocol for vehicular ad hoc networks. IEEE Trans. Netw. Sci. Eng. 2021, 8, 2412–2425. [Google Scholar] [CrossRef]
  49. Cremers, C.J. The scyther tool: Verification, falsification, and analysis of security protocols. In Proceedings of the International Conference on Computer Aided Verification, Princeton, NJ, USA, 7–14 July 2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 414–418. [Google Scholar]
  50. Kilinc, H.H.; Yanik, T. A survey of SIP authentication and key agreement schemes. IEEE Commun. Surv. Tutor. 2013, 16, 1005–1023. [Google Scholar] [CrossRef]
  51. Gope, P.; Sikdar, B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2019, 6, 580–589. [Google Scholar] [CrossRef]
  52. Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Rodrigues, J.J.; Park, Y. Physically secure lightweight anonymous user authentication protocol for internet of things using physically unclonable functions. IEEE Access 2019, 7, 85627–85644. [Google Scholar] [CrossRef]
Figure 1. PUFTAP-IoT’s system model.
Figure 1. PUFTAP-IoT’s system model.
Sensors 22 07075 g001
Figure 2. Registration phase.
Figure 2. Registration phase.
Sensors 22 07075 g002
Figure 3. Login and authentication phase.
Figure 3. Login and authentication phase.
Sensors 22 07075 g003
Figure 4. Basic framework of the scyther tool.
Figure 4. Basic framework of the scyther tool.
Sensors 22 07075 g004
Figure 5. PUFTAP-IoT written in SPDL code.
Figure 5. PUFTAP-IoT written in SPDL code.
Sensors 22 07075 g005
Figure 6. Scyther tool simulation result of PUFTAP-IoT.
Figure 6. Scyther tool simulation result of PUFTAP-IoT.
Sensors 22 07075 g006
Table 1. Notation.
Table 1. Notation.
NotationsMeanings
U i i-th user
S D j j-th sensing device
G W Gateway node
SCSmartcard
I D i Identity of U i
S I D j Identity of S D j
P W i Password of U i
H P W i The hidden password of i-th user
B i Biometrics of U i
P U F The Physical Unclonable Function
C j , R j The challenge/response pair
G E N , R E P Generation and reproduction algorithm of fuzzy extractor
K g w Secret key of G W
R x , N x Random nonces
T x Timestamps
H I D i , P S I D j Pseudo-identity of U i and S D j
T H I D i Temporary user identity U i
S k e y Session key
| | Data concatenation operator
Bitwise exclusive-or operator
h ( * ) Collision-resistant one-way hash function
Table 2. The basic notations of BAN logic.
Table 2. The basic notations of BAN logic.
NotationsDescription
S k e y The session key in PUFTAP-IoT
# ε The statement S is fresh
χ | ε χ believes the statement ε
χ ε χ sees the statement ε
χ | ε χ once said  ε
< ε > F ε is combined with formula F
{ ε } K e y Encrypt ε with K e y
χ ε χ controls ε
χ K e y ω χ and ω shard and use K e y for communication
Table 3. Security properties comparison.
Table 3. Security properties comparison.
Security PropertiesPUFTAP-IoTChunka et al. [16]Amintoosi et al. [18]Hajian et al. [27]
Replay attackoooo
Man-in-the-middle attackoooo
Guessing attackoxxo
Impersonation attackoxxx
KSSTI attackoxox
Smart card stolen attackoxxo
Device capture attackooox
Anonymityoxxo
Perfect forward secrecyoooo
Using three factorsoxxo
Using PUFoxxx
Using h o n e y _ l i s t oxxx
Secure mutualoxxx
authentication
x: insecure against an attack; o: secure against an attack.
Table 4. Computation cost of login and authentication phase.
Table 4. Computation cost of login and authentication phase.
ProtocolUserGateway/SeverSensing Device/SensorTotal Cost
Chunka et al. [16]6 T h + 1 T r g 5 T h + 1 T r g 10 T h + 1 T r g 21 T h + 3 T r g ( 166.53 ms )
Amintoosi et al. [18]8 T h + 1 T r g 10 T h + 1 T r g 10 T h + 1 T r g 23 T h + 3 T r g ( 169.06 ms )
Hajian et al. [27] 12 T h + 1 T r g + 1 T f 10 T h 5 T h + 1 T r g 27 T h + 2 T r g + 1 T f ( 116.69 ms )
Ours 11 T h + 1 T r g + 1 T f 16 T h + 1 T r g 7 T h + 1 T r g + 1 T p u f + 1 T f 34 T h + 3 T r g + 1 T p u f + 2 T f ( 186.88 ms )
Table 5. Communication cost of login and authentication phase.
Table 5. Communication cost of login and authentication phase.
ProtocolTotal Communication CostsNo. of Messages
Chunka et al. [16]2560 bits4
Amintoosi et al. [18]1664 bits4
Hajian et al. [27]2144 bits5
Ours1837 bits4
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Lee, J.; Oh, J.; Kwon, D.; Kim, M.; Yu, S.; Jho, N.-S.; Park, Y. PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices. Sensors 2022, 22, 7075. https://doi.org/10.3390/s22187075

AMA Style

Lee J, Oh J, Kwon D, Kim M, Yu S, Jho N-S, Park Y. PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices. Sensors. 2022; 22(18):7075. https://doi.org/10.3390/s22187075

Chicago/Turabian Style

Lee, JoonYoung, JiHyeon Oh, DeokKyu Kwon, MyeongHyun Kim, SungJin Yu, Nam-Su Jho, and Youngho Park. 2022. "PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices" Sensors 22, no. 18: 7075. https://doi.org/10.3390/s22187075

APA Style

Lee, J., Oh, J., Kwon, D., Kim, M., Yu, S., Jho, N. -S., & Park, Y. (2022). PUFTAP-IoT: PUF-Based Three-Factor Authentication Protocol in IoT Environment Focused on Sensing Devices. Sensors, 22(18), 7075. https://doi.org/10.3390/s22187075

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop