
computers & security 86 (2019) 132–146

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Anonymous authentication scheme for smart home environment with provable security

Mengxia Shuai a,∗, Nenghai Yu a, Hongxia Wang b, Ling Xiong c


a CAS Key Laboratory of Electromagnetic Space Information, University of Science and Technology of China,
Hefei 230026, China
b College of Cybersecurity, Sichuan University, Chengdu 610065, China
c School of Computer and Software Engineering, Xihua University, Chengdu 610039, China

Article info

Article history: Received 27 November 2018; Revised 14 May 2019; Accepted 5 June 2019; Available online 12 June 2019

Keywords: Smart home; Elliptic curve cryptography; Authentication; Lightweight; Provable security

Abstract

Smart home is an emerging paradigm of the Internet of Things (IoT) that lets an individual operate smart home appliances remotely through the internet. Since the user and the smart devices communicate over insecure channels, the sensitive data collected by the smart devices may be intercepted and altered easily by a malicious adversary. There is therefore a great need for an effective and anonymous authentication scheme that guarantees secure communication in the smart home environment. In the past decade, extensive research has been carried out on this security issue, but most of the resulting schemes are not secure. As a step in this direction, in this paper we propose an efficient and anonymous authentication scheme for the smart home environment using Elliptic Curve Cryptography (ECC). The proposed scheme avoids keeping a verification table for authentication purposes. In addition, a random number method is adopted to resist replay attacks, which avoids the clock synchronization problem of timestamp-based schemes. A rigorous formal proof and heuristic analysis show that the proposed scheme provides the desired security features and resists the attacks considered. Compared with the most representative related schemes, the proposed scheme achieves a delicate balance between security and efficiency, and it is more suitable for realistic environments.

© 2019 Elsevier Ltd. All rights reserved.

∗ Corresponding author.
E-mail addresses: smx12345@mail.ustc.edu.cn (M. Shuai), ynh@ustc.edu.cn (N. Yu), hxwang@scu.edu.cn (H. Wang), lingdonghua99@163.com (L. Xiong).
https://doi.org/10.1016/j.cose.2019.06.002
0167-4048/© 2019 Elsevier Ltd. All rights reserved.

1. Introduction

With the rapid development of wireless communication and sensor technology, smart home is emerging rapidly as an exciting new paradigm of the Internet of Things (IoT), and it has attracted continuing attention from both academia and industry. In a smart home environment, advanced automation systems are incorporated to provide the inhabitants with new smart functions and services, such as reducing operational costs, increasing comfort and guaranteeing the safety of the inhabitants. The interconnected smart devices in this context can be lighting sensors, humidity sensors, occupancy sensors, temperature sensors, and even monitoring equipment. Based on these smart devices, different types of services can be provided. For example, if the owner opens the door and enters the house, the light control system starts working and turns on the lights in the home. Then, the occupancy of the home can be sensed using smart meters (Jin et al., 2017) and environmental sensors like CO2 sensors, which can be integrated to trigger automatic responses for energy efficiency and building comfort applications (Jin et al., 2016). In addition, smart home can also provide convenient and efficient healthcare delivery for the elderly and disabled people using smart gadgets (Gomez and Paradells, 2010; Suryadevara et al., 2013). Using any suitable device such as a smart phone, the end user can operate the smart home appliances remotely with no limitations on space and time.

Fig. 1 – Typical architecture of smart home environment.

A typical architecture of smart home environment is depicted in Fig. 1, adapted from Kumar et al. (2015) and Wazid et al. (2017). The network model consists of four entities, namely the smart devices in the home, the gateway node (GWN), the end user and the registration authority (RA). The smart devices are mostly heterogeneous and resource-constrained, and they can be used to enable a variety of use cases (Gomez and Paradells, 2010), such as lighting control, surveillance systems, temperature control, etc. The GWN deployed in the home is a powerful master node and serves as a bridge between the user and the smart devices (Wazid et al., 2017; Xue et al., 2013). The user can control the heterogeneous smart home devices remotely as per their requirements. The RA has high computation and communication capabilities and is fully trusted by the others. It is responsible for the following tasks: (i) generating system parameters and assigning them to all involved entities; (ii) registering the user and the smart devices; (iii) key management and maintenance.

Although smart home brings great convenience to people's lives, security has always been a critical issue. Due to the open nature of the wireless channel, the transmitted messages may be intercepted and altered easily by a malicious adversary. Thus the exchanged information needs to satisfy the requirements of confidentiality, integrity, and availability. Moreover, authentication schemes employing only symmetric cryptographic operations, such as hash functions, symmetric encryption and XOR operations, are unable to achieve some advanced security features like user anonymity. As investigated in depth in Wang and Wang (2014b), public-key techniques are indispensable for resisting user anonymity violation attacks under the non-tamper-resistance assumption of the smart cards. On the other hand, most of the smart devices in the home are resource-constrained and have characteristics such as limited battery backup and limited computational and communication power. Therefore, the traditional public-key cryptosystems, such as Diffie–Hellman and Rivest–Shamir–Adleman (RSA), are not suitable, and lightweight authentication schemes are necessary. The characteristics of low arithmetic requirements, small key size and shorter operand length indicate Elliptic Curve Cryptography (ECC) as a viable solution for guaranteeing secure communications in the smart home environment.

1.1. Related work

Until now, a large number of authentication schemes have been proposed for the smart home environment. In 2008, Jeong et al. (2008) proposed a one-time password (OTP) based user authentication scheme for home networks using smart cards, in which the authors claimed that the scheme was lightweight and withstood various attacks. However, mutual authentication between GWN and the smart device was not provided, and user anonymity was also not achieved because the real identity of the user was sent in plaintext. Furthermore, their scheme suffered from privileged-insider attack and stolen smart card attack. In order to provide secure remote access in digital home network environments, Vaidya et al. (2011b) presented a remote authentication scheme using lightweight computation modules, such as low-cost smart card technology, hashed one-time passwords and a hash-chaining technique. They claimed that their scheme provided important security features and was resistant to multiple types of attacks. Unfortunately, Kim and Kim (2011) pointed out that Vaidya et al.'s (2011b) scheme was not only vulnerable to password guessing attack, but also failed to provide user anonymity and forward secrecy. In addition, mutual authentication between GWN and the smart device was also not provided. To strengthen the security, an improved authentication scheme was proposed subsequently, in which all identified security flaws in Vaidya et al.'s (2011b) scheme were eliminated. Later, Vaidya et al. (2011a) also presented a device authentication mechanism for the smart energy home area network using ECC. Soon after this scheme was proposed, it was found to possess some security weaknesses, such as privileged-insider attack, password guessing attack and user impersonation attack. In order to deliver the services to the user devices securely, Pradeep and Singh (2012) designed a secure three-way authentication method for ubiquitous computing devices, in which the users or the service providers could check whether

the device was compromised or not with the help of their encrypted pass-phrase method.

In order to deal with the security problem of smart home energy management systems, a lightweight key establishment protocol was proposed by Li (2013), and an initial session key was established between the wireless nodes and the control center. Besides, the implementation and evaluation results of the protocol were presented. However, Li's scheme was not scalable since the management of a large number of keys and certificates was required. Besides, the security analysis of their scheme was very limited. Moreover, mutual authentication between user and wireless nodes as well as between user and control center was not provided in their scheme. In the same year, Han et al. (2013) presented a key agreement protocol to bring a secure pairing process to radio frequency for consumer electronics (RF4CE) ubiquitous smart home systems. In their scheme, the initial unique secret information was pre-shared between consumer devices (targets) and manufacturers, and the remote controller could receive the secret information of the device by communicating with the manufacturers. However, their scheme was unrealistic because it required the manufacturers to be always online. Similar to Li's (2013) scheme, their scheme did not provide mutual authentication between user and consumer devices as well as between user and remote controller.

In 2015, Santoso and Vun (2015) proposed a secure authentication scheme for smart home systems using ECC, in which a wifi gateway was used as the center node of the system to perform the mutual authentication between the mobile user and the smart device. However, user anonymity and untraceability were not provided in their scheme. Furthermore, their scheme suffered from privileged-insider attack and stolen smart card attack. In the same year, Kumar et al. (2015) proposed a lightweight authentication and key agreement scheme for smart home environments. In their scheme, a session key was established between GWN and smart device by using a short authentication token. Unfortunately, it was found that anonymity and untraceability were not preserved. In addition, similar to Li's (2013) scheme and Han et al.'s (2013) scheme, mutual authentication between user and smart device as well as between user and GWN was not provided in their scheme. To mitigate the aforementioned issues, Wazid et al. (2017) proposed a new secure remote user authentication scheme for the smart home environment. The scheme in Wazid et al. (2017) was efficient for resource-constrained smart devices because it used only lightweight cryptographic primitives, such as symmetric encryption/decryption operations and one-way hash functions. However, we found that their scheme suffered from de-synchronization attack. In addition, a verification table was kept on the GWN side for the purpose of authentication, and it would be disastrous if the verification table were stolen by an adversary. What's more, the time stamp mechanism was used to avoid replay attack in their scheme, and it might encounter the clock asynchronization problem.

1.2. Adversary model

The Dolev–Yao model (Dolev and Yao, 1983), which is widely used to prove properties of interactive cryptographic protocols, is adopted to evaluate the security of the proposed scheme. Under this model, the communications between any two communicating parties are over an insecure channel, and the endpoint entities should not be considered as trusted entities. Based on this threat model, an adversary A is supposed to have the following capabilities:

(1) A can fully control the open communication channel, i.e., A can intercept, modify, insert and delete the transmitted messages over open channels.
(2) When the mobile device of the user is stolen or obtained by an attacker A, the secret values stored in the mobile device can be revealed by A using side-channel attacks (Alkhoraidly et al., 2012; Barenghi et al., 2009; Kocher et al., 1999; Messerges et al., 2002; Mulder et al., 2005; Spreitzer et al., 2017).
(3) A is a probabilistic polynomial time attacker. In other words, A can guess the low-entropy password and identity information within polynomial time.
(4) The smart device equipped in the smart home environment is not tamper-resistant and may be captured physically by A, and all the sensitive data stored in the smart device can be extracted.
(5) The registration authority is fully trusted, and it cannot be compromised by A.
(6) A may be a legitimate but malicious user.

1.3. Security requirements

Since all information in the smart home environment is transmitted over open channels, the authentication scheme may suffer from many attacks. To guarantee secure communication, a secure, robust, and efficient authentication scheme is needed. Based on previous works (Kumar et al., 2015; Wazid et al., 2017), we believe that an authentication scheme for the smart home environment should meet the following security properties.

Mutual authentication. In order to allow only authorized users to access the smart device's sensitive data as per their requirements, mutual authentication among the user, GWN, and the smart device is needed (He and Zeadally, 2015). This can be achieved with the help of GWN.

Session key agreement. After mutual authentication, the data transmitted between the user and the smart device should be encrypted using the shared session key. Therefore, the proposed scheme should provide session key agreement.

User anonymity. User anonymity is an important security feature of an authentication scheme for the smart home environment. If an adversary A gets the real identity of the user, the privacy of the user will be violated.

Untraceability. An authentication scheme for the smart home environment should not only provide user anonymity, but also achieve user untraceability. User untraceability guarantees that the adversary can neither determine who the user is nor tell whether two sessions were executed by the same user (Wang and Wang, 2014a).

No verification table. In most of the previously proposed authentication schemes, GWN has to keep a verification table for authentication. It is disastrous if the verification table is stolen by an adversary, so the proposed scheme should avoid keeping a verification table for the purpose of authentication.

Avoidance of the clock synchronization problem. Since clock synchronization is a big challenge in the smart home environment, the proposed scheme should avoid using time stamps to resist replay attack. As can be seen from the existing literature (Chuang and Lee, 2011; Esfahani et al., 2017; Xu et al., 2018), the random number method can be adopted to ensure the freshness of exchanged messages.

Quick detection of unauthorized login. To avoid wasting computation and communication resources on invalid logins, it is necessary to check the correctness of the password in the user login phase.

Attack resistance. To ensure secure communication in the smart home environment, the designed authentication scheme must be able to resist various attacks, such as mobile device loss attack, replay attack, privileged-insider attack, man-in-the-middle attack and impersonation attack.

1.4. Contributions

The major contributions of this paper can be summarized as follows:

(1) The network model, adversary model and security requirements of an authentication scheme for the smart home environment are depicted; these are the basis of the authentication scheme and are usually ignored by researchers.
(2) An efficient and anonymous authentication scheme for the smart home environment using ECC is proposed to conquer the drawbacks of the earlier protocols. The proposed scheme avoids keeping a verification table for authentication purposes and provides three types of mutual authentication: (i) between the user and GWN, (ii) between GWN and the smart device, and (iii) between the user and the smart device. Finally, a symmetric session key SK is established between the user and the smart device, which is used for future secure communications.
(3) The rigorous formal proof and detailed security analysis demonstrate that the proposed scheme can not only agree on a session key for future secure communications, but also achieve more functional features and resist various kinds of known attacks.
(4) The performance analysis shows that the proposed scheme achieves a delicate balance between security and efficiency, and it is applicable to realistic environments.

1.5. Organization of the paper

The remainder of this paper is organized as follows. The preliminary knowledge is introduced in Section 2. In Section 3, we present an efficient ECC-based authentication scheme for the smart home environment. Security analysis and performance analysis of the proposed scheme are given in Section 4 and Section 5, respectively. Finally, Section 6 concludes this paper.

2. Preliminaries

This section briefly describes elliptic curve cryptography and the hash function.

2.1. Notations

For convenience, all the notations mentioned in the proposed scheme are defined in Table 1.

Table 1 – Notations and abbreviations.

Notation          Description
ECC               Elliptic curve cryptography
U_i               Remote user
GWN               Gateway node
SD_k              Smart device in the home
ID_i              Unique identity of U_i
PW_i              Password of U_i
DID_i             Pseudonym identity of U_i
GID_j             Unique identity of GWN
SID_k             Unique identity of SD_k
RA                Registration authority
K                 Master secret key of GWN
SK                Session key
R_1, R_2, R_3, a  Random numbers
h(.)              One-way hash function
X||Y              Concatenation operation
⊕                 XOR operation

2.2. Elliptic curve cryptography

ECC is a public-key method based on the algebraic structure of elliptic curves over finite fields. Compared with conventional public-key techniques such as RSA and Diffie–Hellman, ECC reaches a comparable security level with much smaller keys and is therefore the more efficient choice. Given a prime number p, an elliptic curve E(F_p) is defined by the equation

$$y^2 = x^3 + a \cdot x + b \pmod p,$$

in which a, b ∈ F_p and the discriminant satisfies $\Delta = 4a^3 + 27b^2 \not\equiv 0 \pmod p$. All the points on the elliptic curve E together with the point at infinity O form an additive group G with order q. Given a generator P of the group G, the scalar multiplication operation is defined as n · P = P + P + ... + P (n times), where n is a positive integer.

The following problem in the group G is suitable for designing public-key cryptography because no probabilistic polynomial-time algorithm is known that solves it efficiently.

Elliptic Curve Discrete Logarithm Problem (ECDLP). Suppose x ∈ Z*_q is a positive integer and X, P ∈ G are two points on the elliptic curve with X = x · P. The ECDLP is to determine x given X and P. It is computationally easy to calculate X given x and P, but it is infeasible to compute x given X and P when the order q of the group is large.

2.3. Hash function

A hash function is a one-way function which maps data of arbitrary size to data of a fixed size. To be usable for security, a one-way hash function X = h(x) should have the following properties:

(1) Given a message x of arbitrary length, the hash function h(x) produces a fixed-size output.
(2) For any given x, h(x) is easy to compute.
(3) For any given hash value X, it is computationally infeasible to find x such that X = h(x) (preimage resistance).
(4) For any given x, it is computationally infeasible to find y ≠ x with h(y) = h(x) (second-preimage resistance).
(5) It is computationally infeasible to find any pair (x, y) with x ≠ y such that h(x) = h(y) (collision resistance).

3. The proposed scheme

In this section, an efficient ECC-based authentication scheme for the smart home environment is presented, which not only withstands all known passive and active attacks, but also achieves the desirable functional features. The proposed scheme consists of four phases, i.e. the initialization phase, the registration phase, the login and authentication phase, and the password change phase.

3.1. Initialization phase

The initialization phase is carried out securely by the RA. First of all, RA selects an elliptic curve E over a finite field F_p and chooses an additive group G of E with order q, with P a generator of G. After that, RA generates the system private key x ∈ Z*_q and calculates the system public key X = x · P. Then, RA chooses a long-term secret key K and a hash function h(.) : {0, 1}* → Z*_q. Further, RA stores x and K secretly in the memory of GWN and publishes the parameters {E(F_p), G, P, X, h(.)}. At last, RA selects a random number SID_k as the unique identity of the smart device SD_k and stores it in the memory of SD_k. It should be noted that the parameters {E(F_p), G, P, X, h(.)} are known by all users and preloaded into GWN and all the smart devices.

3.2. Registration phase

The registration phase of the proposed scheme contains two parts, i.e., the user registration phase and the smart device registration phase.

3.2.1. User registration phase

To access the sensitive data collected by the smart devices, each user first has to register with RA. Fig. 2 shows the user registration phase.

(1) A new user U_i selects the identity ID_i and the password PW_i, and generates a random nonce a. Then the user U_i computes HPW_i = h(PW_i || a) and sends {ID_i, HPW_i} to RA via a secure channel.
(2) Upon receipt of the registration message, RA first checks whether ID_i exists in the user information table. If yes, RA asks U_i to submit a new identity. Otherwise, RA computes KGU = h(ID_i || K), A_1 = KGU ⊕ HPW_i. After that, RA creates a counter TEMP to record the number of user login failures, initialized to 0. Then, RA sends the data {A_1, TEMP} to U_i via a secure channel.
(3) After receiving the data from RA, U_i computes A_2 = a ⊕ h(ID_i || PW_i), A_3 = h(ID_i || HPW_i) and writes A_2, A_3 into the mobile device. The mobile device then contains {A_1, A_2, A_3, TEMP}.

3.2.2. The smart device registration phase

The procedure of the smart device's registration is outlined as follows:

(1) The smart device SD_k transmits the identity SID_k to RA via a secure channel.
(2) Upon receiving the identity SID_k, RA first checks whether SID_k exists in the smart device information table. If it exists, RA refuses the smart device registration request. Otherwise, RA computes KGS = h(SID_k || K) and sends KGS to SD_k via a secure channel.
(3) Upon receiving the message from RA, SD_k stores KGS secretly in its memory.

3.3. Login and authentication phase

If the user U_i wants to access the real-time data of the smart device SD_k with identity SID_k, mutual authentication between all parties (i.e. U_i, GWN and SD_k) should be performed, and a session key SK is established between the user U_i and the smart device SD_k for future secure communications. As shown in Fig. 3, the procedure of the login and authentication phase is as follows:

(1) U_i enters the identity ID_i and the password PW_i into the terminal of the mobile device. Then the mobile device computes a* = A_2 ⊕ h(ID_i || PW_i), HPW_i* = h(PW_i || a*), A_3* = h(ID_i || HPW_i*) and checks whether A_3* = A_3. If this does not hold, the mobile device rejects the login request and sets TEMP to TEMP + 1. If the value of TEMP exceeds a predetermined threshold, such as 3, the mobile device is considered to be breached, and it is suspended until U_i re-registers. Otherwise, the mobile device generates two random numbers R_1 and w ∈ Z*_q, and U_i chooses the smart device SD_k with the identity SID_k that he/she wants to access. After that, the mobile device computes KGU = A_1 ⊕ HPW_i, A_4 = w · P, A_5 = w · X, DID_i = ID_i ⊕ A_5, M_1 = (R_1 || SID_k) ⊕ KGU, V_1 = h(ID_i || R_1 || KGU || M_1). Then, U_i transmits the login message {DID_i, A_4, M_1, V_1} to GWN through a public channel.
(2) On receiving the login request, GWN first computes A_5* = x · A_4 using the stored secret value x. Then, GWN computes ID_i* = DID_i ⊕ A_5*, KGU = h(ID_i* || K), R_1* || SID_k = M_1 ⊕ KGU, V_1* = h(ID_i* || R_1* || KGU || M_1), and checks whether V_1* = V_1. If this does not hold, GWN terminates the session. Otherwise, GWN accepts the legitimacy of the user U_i.
Fig. 2 – The user registration phase of the proposed scheme.

Fig. 3 – Login and authentication phase of the proposed scheme.

Then, GWN generates a random number R_2 and computes KGS = h(SID_k || K), M_2 = (ID_i || GID_j || R_1 || R_2) ⊕ KGS, V_2 = h(ID_i || GID_j || KGS || R_1 || R_2). Finally, GWN sends the message {M_2, V_2} to the smart device SD_k via a public channel.
(3) Upon receiving the message, SD_k computes (ID_i || GID_j || R_1 || R_2) = M_2 ⊕ KGS, V_2* = h(ID_i || GID_j || KGS || R_1 || R_2), and checks whether V_2* = V_2. SD_k terminates the session if V_2* ≠ V_2. Otherwise, SD_k generates a random number R_3 and computes SK = h(ID_i || GID_j || SID_k || R_1 || R_2 || R_3), M_3 = R_3 ⊕ KGS, V_3 = h(R_3 || KGS || SK). Then, SD_k transmits the message {M_3, V_3} to GWN through a public channel.
(4) After getting the message from SD_k, GWN computes R_3 = M_3 ⊕ KGS, SK = h(ID_i || GID_j || SID_k || R_1 || R_2 || R_3), V_3* = h(R_3 || KGS || SK), and checks whether V_3* = V_3. The session is terminated if V_3* ≠ V_3. Otherwise, GWN computes M_4 =

(GID_j || R_2 || R_3) ⊕ KGU, V_4 = h(KGU || SK || R_2 || R_3) and sends the message {M_4, V_4} to U_i.
(5) On getting the message from GWN, U_i computes (GID_j || R_2 || R_3) = M_4 ⊕ KGU, SK = h(ID_i || GID_j || SID_k || R_1 || R_2 || R_3), V_4* = h(KGU || SK || R_2 || R_3) and checks whether V_4* = V_4. The session is terminated if V_4* ≠ V_4. Otherwise, SD_k is authenticated by U_i, and the session key SK is established between the user U_i and the smart device SD_k.

3.4. Password change phase

In this phase, the user U_i can change his/her password without any interaction with GWN by performing the following operations.

(1) U_i enters the identity ID_i and the password PW_i into the terminal of the mobile device.
(2) The mobile device computes a* = A_2 ⊕ h(ID_i || PW_i), HPW_i* = h(PW_i || a*), A_3* = h(ID_i || HPW_i*) and checks whether A_3* = A_3. If this does not hold, the mobile device rejects the password change request. Otherwise, the mobile device accepts the legitimacy of U_i and allows U_i to input a new password PW_i^new.
(3) The mobile device computes HPW_i^new = h(PW_i^new || a*), A_1^new = KGU ⊕ HPW_i^new = A_1 ⊕ HPW_i ⊕ HPW_i^new, A_2^new = a ⊕ h(ID_i || PW_i^new), A_3^new = h(ID_i || HPW_i^new). At last, A_1^new, A_2^new and A_3^new are stored in the mobile device to replace A_1, A_2 and A_3, respectively.

4. Security analysis of the proposed scheme

In this section, we first give the formal proof of the proposed scheme under the random oracle model. After that, we conduct a formal security analysis using Burrows–Abadi–Needham (BAN) logic to demonstrate that the proposed scheme achieves mutual authentication successfully. Then, we demonstrate that the proposed scheme provides mutual authentication and session key security using the automatic cryptographic protocol verifier ProVerif (Blanchet, 2001). In addition, we demonstrate that the proposed scheme can resist all known attacks and provide the desired security features. Furthermore, we compare the functionality and security features of the proposed scheme and four prior related schemes, i.e., Kumar et al.'s (2015) scheme, Wazid et al.'s (2017) scheme, Li's (2013) scheme and Han et al.'s (2013) scheme.

4.1. Formal security analysis using random oracle model

In this subsection, we give the formal proof of the proposed scheme under the widely accepted random oracle model (Abdalla et al., 2005).

4.1.1. Basic knowledge of formal proof

There are three participants in the proposed scheme P: one user U_i, one gateway node GWN, and one smart device SD_k. Each participant has many instances, and each instance is treated as an oracle.

Protocol participants. Let $\Pi^u_{U_i}$, $\Pi^v_{GWN}$ and $\Pi^t_{SD_k}$ be the instances u, v and t of U_i, GWN and SD_k, respectively.

Accepted state. If the last expected protocol message is received, an instance $\Pi^t$ goes into an accepted state. The ordered concatenation of all communicated (sent and received) messages of $\Pi^t$ forms the session identification of $\Pi^t$ for the current session.

Partnering. Two instances $\Pi^{t_1}$ and $\Pi^{t_2}$ are called partnered if the following three conditions are fulfilled simultaneously: (i) both $\Pi^{t_1}$ and $\Pi^{t_2}$ are in the accepted state; (ii) $\Pi^{t_1}$ and $\Pi^{t_2}$ authenticate each other mutually and share the identical session identification; and (iii) the partner identity of each is the other.

Freshness. If the session key SK between U_i and SD_k has not been revealed to an adversary A using the Reveal($\Pi^t$) query given below, the instance $\Pi^u_{U_i}$ or $\Pi^t_{SD_k}$ is fresh.

Adversary. As described in Section 1.2, it is assumed that an adversary A has full control over all the communications in the smart home environment. In the random oracle model, A can operate the simulator and execute the following queries to break the security of authentication messages and session keys:

Execute($\Pi^u$, $\Pi^v$, $\Pi^t$): A can execute this query to simulate the entire authentication process and obtain the messages exchanged among the participants U_i, GWN and SD_k. This models a passive attack.

Send($\Pi^t$, m): This query means that A can send a message m to a participating instance $\Pi^t$ and thereby launch an active attack. If m is well-formed and $\Pi^t$ can accept it according to P, the simulator gives the answer that $\Pi^t$ would produce. Otherwise, the simulator ignores the query.

Reveal($\Pi^t$): This query means that the current session key SK generated by $\Pi^t$ (and its partner) is revealed to the adversary A.

CorruptMobileDevice($\Pi^u_{U_i}$): A can run this query to acquire all sensitive data stored in the mobile device of the user.

CorruptSmartDevice($\Pi^t_{SD_k}$): This query means that A can acquire the sensitive values stored in the smart device.

Test($\Pi^t$): This query models the semantic security of the session key, following the indistinguishability notion of the Real-Or-Random (ROR) model (Abdalla et al., 2005). A runs this query as a challenge; here $\Pi^t$ may be an instance of U_i or of SD_k. The query begins with the toss of an unbiased coin b, whose result is hidden from A and decides the output of the Test query. If $\Pi^t$ has not reached the accepted state, the result ⊥ (null) is returned. Otherwise, Test($\Pi^t$) returns the real session key SK if b = 1 and a random string of the same length as the real session key if b = 0.

Semantic security of session key. As required by the ROR model (Abdalla et al., 2005), the adversary A needs to distinguish between the real session key of an instance and a random number. In particular, A may run several Test queries to either $\Pi^u_{U_i}$ or $\Pi^t_{SD_k}$, and the results of these queries must be consistent with the random bit b. At the end of the experiment, a guessed bit b* is returned, and A wins the game if b = b*. Let WIN denote the event that A wins the game, let P be the proposed authenticated key agreement (AKE) scheme, and let $\mathrm{Adv}^{AKE}_{P}$ denote the advantage of A in breaking the semantic security of P. Then, the advantage of A against deriving the session key is given by

$$\mathrm{Adv}^{AKE}_{P} = \left| 2\Pr[WIN] - 1 \right|.$$

Therefore, P is secure in the ROR sense if $\mathrm{Adv}^{AKE}_{P} \le \theta$, where θ > 0 is a sufficiently small number.

Random oracle. All the participants in the proposed scheme and the adversary A have access to a collision-resistant one-way hash function h(.), which is modeled as the Hash oracle.

4.1.2. Procedure of formal proof

Theorem 1. Let P be the proposed authentication scheme stated in Section 3. Let A be an adversary against the proposed scheme P running in polynomial time t in the random oracle model. Let D be a uniformly distributed password dictionary. The advantage of A in breaking the semantic security of the proposed scheme P is bounded by

$$\mathrm{Adv}^{AKE}_{P} \le \frac{q_{hash}^2}{|\mathrm{Hash}|} + \frac{2\,q_{send}}{|D|} + 2\,\mathrm{Adv}^{ECDLP}(t), \qquad (1)$$

where q_hash, |Hash|, q_send, |D| and Adv^ECDLP(t) denote the number of hash queries, the range space of the one-way hash function, the number of Send queries, the size of D, and the advantage of A in breaking the ECDLP, respectively.

Game GM_3: The difference between GM_3 and GM_2 is that we add the simulation of the CorruptMobileDevice($\Pi^u_{U_i}$) oracle and model the mobile device loss attack. Using a dictionary attack, the adversary A tries to acquire the user's password PW_i from the information extracted from the mobile device. It is also assumed that the number of wrong password inputs is limited by the system. Thus, we have the following result,

$$\left| \Pr[WIN_3] - \Pr[WIN_2] \right| \le \frac{q_{send}}{|D|}. \qquad (5)$$

Game GM_4: Game GM_4 is a modification of GM_3, and it is the last game. This game models the attack wherein the adversary A has compromised the smart device SD_k, by simulating the CorruptSmartDevice($\Pi^t_{SD_k}$) oracle. In this game, A can acquire the sensitive information {SID_k, KGS} stored in the smart device SD_k. In addition, A can eavesdrop on all the exchanged messages {DID_i, A_4, M_1, V_1}, {M_2, V_2}, {M_3, V_3} and {M_4, V_4}. However, A cannot decrypt M_1 and M_4 because the necessary information KGU is unknown to him/her. In order to obtain KGU, A has to solve the ECDLP. Let Adv^ECDLP(t) be the advantage of A in breaking the ECDLP. Thus, we have,
Proof. Five different games, say GMi (i = 0, 1, 2, 3, 4), are shown
to describe the whole process. Let WINi denote an event where |Pr[WIN4 ] − Pr[WIN3 ]|  AdvECDLP (t) (6)
A guesses the bit b in the game GMi and then wins that
game.  In GM4 , all the random oracles are simulated, and A has no
advantage in guessing the bit b. This leads to the following:
Game GM0 : This game simulates the real attack under ran-
dom oracles environment. The bit b is chosen at the beginning 1
Pr[WIN4 ] = (7)
of GM0 . Hence, it follows that: 2

AdvAKE = |2Pr[WIN0 ] − 1| (2) From Eqs. (2) and (3), we have,


P

Game GM1 : This game simulates the adversary’s eavesdrop- 1 1 1


   AdvAKE
P = |Pr[WIN0 ] − | = |Pr[WIN1 ] − | (8)
2 2 2
ping attacks by querying Execute( u , v , t ) oracle. At the end
of this game, the adversary A queries Test oracle to determine
Using Eqs. (3)–(6) and the triangular inequality, we have,
whether it is the actual session key SK or a random value. The
session key SK = h(IDi ||GID j ||SIDk ||R1 ||R2 ||R3 ) contains Ui ’s con- |Pr[WIN1 ] − Pr[WIN4 ]|
tribution IDi , R1 , and GWN’s contribution GIDj , R2 , and SDk ’s
= |Pr[WIN1 ] − Pr[WIN2 ] + Pr[WIN2 ] − Pr[WIN4 ]|
contribution SIDk , R3 . Thus, the adversary cannot compute SK
= |Pr[WIN1 ] − Pr[WIN2 ] + Pr[WIN2 ] − Pr[WIN3 ]
from the transcripts because these sensitive values are un-
known to him/her. Therefore, the chance of winning the game + Pr[WIN3 ] − Pr[WIN4 ]|
GM1 for A is not increased by eavesdropping attack. Hence, we  |Pr[WIN1 ] − Pr[WIN2 ]| + |Pr[WIN2 ] − Pr[WIN3 ]|
have
+ |Pr[WIN3 ] − Pr[WIN4 ]|
q2hash qsend
Pr[WIN1 ] = Pr[WIN0 ] (3)  + + AdvECDLP (t) (9)
2|Hash| |D|
Game GM2 : On the basis of GM1 , we add the simulations of Using Eqs. (7) and (9), we have
the Send and the Hash oracles, and it is called GM2 . This game
models an active attack in which the adversary A tries to 1 q2hash q
fool a participant to accept a modified message. In this game, |Pr[WIN1 ] − | + send + AdvECDLP (t) (10)
2 2|Hash| |D|
A queries the Hash oracle repeatedly to find collisions. Since
all the exchanged messages {DIDi , A4 , M1 , V1 }, {M2 , V2 }, {M3 , Using Eqs. (8) and (10), we have the required result,
V3 } and {M4 , V4 } contain the identity of the participant and
random nonce, there is no collision when the Send oracle is q2hash 2qsend
AdvAKE  + + 2AdvECDLP (t) (11)
queried by A . Using the results from the birthday paradox, we P
|Hash| |D|
have
This result means A has no extra advantage to win the
q2hash game and the theorem is finally deduced. Therefore, the pro-
|Pr[WIN2 ] − Pr[WIN1 ]|  (4)
2|Hash| posed scheme is secure under random oracle model.
4.2. Formal security analysis using BAN logic

BAN logic is a set of rules for defining and analyzing authentication protocols, which is widely used in many works, such as (Baruah and Dhal, 2018; Challa et al., 2017; Hsieh and Leu, 2012). In BAN logic, the exchanged information is first assumed to travel on channels which are vulnerable to tampering and public monitoring. After that, the postulates and definitions, such as the axiomatic systems, are used to analyze authentication protocols. Then, the trustworthiness and security of the exchanged information is confirmed with the help of the BAN logic. Therefore, a typical BAN logic sequence includes three steps, i.e. verification of message origin, verification of message freshness and verification of the origin's trustworthiness. For convenience, all the notations used in the BAN logic are given in Table 2.

Table 2 – Notations in BAN logic.

Notation      Implications
P ◁ X         Principal P sees message X
P |≡ X        Principal P believes message X
P |⇒ X        Principal P has jurisdiction over message X
P |~ X        Principal P once said message X
#(X)          Message X is fresh
(X, Y)        Message X or Y is one part of message (X, Y)
<X>_K         Message X is encrypted with the key K
(X)_K         Message X is hashed with the key K
P ←K→ Q       Principal P and principal Q communicate with the shared key K

Basic rules of BAN logic are as follows:

Message-meaning rule: if P |≡ P ←K→ Q and P ◁ <X>_K, then P |≡ Q |~ X.
Nonce-verification rule: if P |≡ #(X) and P |≡ Q |~ X, then P |≡ Q |≡ X.
Jurisdiction rule: if P |≡ Q |⇒ X and P |≡ Q |≡ X, then P |≡ X.
Freshness-conjuncatenation rule: if P |≡ #(X), then P |≡ #(X, Y).
Belief rule: if P |≡ (X) and P |≡ (Y), then P |≡ (X, Y).
Session keys rule: if P |≡ #(X) and P |≡ Q |≡ X, then P |≡ P ←K→ Q.

The proposed scheme needs to satisfy the following eight goals:

Goal1: Ui |≡ (Ui ←SK→ SDk)
Goal2: Ui |≡ SDk |≡ (Ui ←SK→ SDk)
Goal3: SDk |≡ (Ui ←SK→ SDk)
Goal4: SDk |≡ Ui |≡ (Ui ←SK→ SDk)
Goal5: GWN |≡ (GWN ←SK→ Ui)
Goal6: GWN |≡ Ui |≡ (GWN ←SK→ Ui)
Goal7: GWN |≡ (GWN ←SK→ SDk)
Goal8: GWN |≡ SDk |≡ (GWN ←SK→ SDk)

First, the messages exchanged in the proposed scheme can be transformed into idealized forms as follows.

Msg1: Ui → GWN: {DIDi, A4, M1, V1}: {<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
Msg2: GWN → SDk: {M2, V2}: {<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
Msg3: SDk → GWN: {M3, V3}: {<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
Msg4: GWN → Ui: {M4, V4}: {<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}

Second, some initial assumptions about the proposed scheme are listed below:

A1: GWN |≡ #(R1)
A2: SDk |≡ #(R2)
A3: GWN |≡ #(R3)
A4: Ui |≡ Ui ←(xw·P)→ GWN
A5: GWN |≡ GWN ←(wx·P)→ Ui
A6: GWN |≡ GWN ←(h(SIDk||K))→ SDk
A7: SDk |≡ SDk ←(h(SIDk||K))→ GWN
A8: Ui |≡ SDk |⇒ {R3, SIDk, SK}
A9: Ui |≡ GWN |⇒ {R2, GIDj, SK, wx·P}
A10: GWN |≡ Ui |⇒ {R1, IDi, SK, xw·P}
A11: GWN |≡ SDk |⇒ {R3, SIDk, SK}
A12: SDk |≡ Ui |⇒ {R1, Ui, SK}
A13: SDk |≡ GWN |⇒ {R2, GIDj, SK}

Third, based on the BAN logic rules and assumptions, the main proofs are performed as follows:

According to Msg1, we get:
S1: GWN ◁ {<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
Based on Assumption A5, S1 and the message-meaning rule, we have:
S2: GWN |≡ Ui |~ {<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
From A1 and the freshness-conjuncatenation rule, we get:
S3: GWN |≡ #{<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
From S3, S2 and the nonce-verification rule, we get:
S4: GWN |≡ Ui |≡ {<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
According to Msg2, we get:
S5: SDk ◁ {<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
From A7, S5 and the message-meaning rule, we have:
S6: SDk |≡ GWN |~ {<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
From A2 and the freshness-conjuncatenation rule, we get:
S7: SDk |≡ #{<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
From S6, S7 and the nonce-verification rule, we get:
S8: SDk |≡ GWN |≡ {<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
According to Msg3, we get:
S9: GWN ◁ {<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
From A6, S9 and the message-meaning rule, we have:
S10: GWN |≡ SDk |~ {<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
From A3 and the freshness-conjuncatenation rule, we get:
S11: GWN |≡ #{<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
From S10, S11 and the nonce-verification rule, we get:
S12: GWN |≡ SDk |≡ {<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
According to Msg4, we get:
S13: Ui ◁ {<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}
From A4, S13 and the message-meaning rule, we have:
S14: Ui |≡ GWN |~ {<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}
From A1, A2, A3 and the freshness-conjuncatenation rule, we get:
S15: Ui |≡ #{<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}
From S14, S15 and the nonce-verification rule, we get:
S16: Ui |≡ GWN |≡ {<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}
From S4, A5, A10 and the jurisdiction rule, we get:
S17: GWN |≡ {<IDi>_{w·X}, w·P, <R1||SIDk>_{h(IDi||K)}, (IDi||R1)_{h(IDi||K)}}
From S3, S4, S17 and the session keys rule, we get:
S18: GWN |≡ Ui |≡ (GWN ←SK→ Ui) (Goal6)
From S18, A10 and the jurisdiction rule, we get:
S19: GWN |≡ (GWN ←SK→ Ui) (Goal5)
From S12, A11 and the jurisdiction rule, we get:
S20: GWN |≡ {<R3>_{h(SIDk||K)}, (R3)_{h(SIDk||K),SK}}
From S11, S12, S20 and the session keys rule, we get:
S21: GWN |≡ SDk |≡ (GWN ←SK→ SDk) (Goal8)
From S21, A11 and the jurisdiction rule, we get:
S22: GWN |≡ (GWN ←SK→ SDk) (Goal7)
From S8, A13 and the jurisdiction rule, we get:
S23: SDk |≡ {<IDi, GIDj, R1, R2>_{h(SIDk||K)}, (IDi, GIDj, R1, R2)_{h(SIDk||K)}}
From S7, S8, S23 and the session keys rule, we get:
S24: SDk |≡ GWN |≡ (GWN ←SK→ SDk)
From S24, A13 and the jurisdiction rule, we get:
S25: SDk |≡ (GWN ←SK→ SDk)
From S16, A9 and the jurisdiction rule, we get:
S26: Ui |≡ {<GIDj, R2, R3>_{h(IDi||K)}, (R2, R3)_{h(IDi||K),SK}}
From S15, S16, S26 and the session keys rule, we get:
S27: Ui |≡ GWN |≡ (Ui ←SK→ GWN)
From S27, A9 and the jurisdiction rule, we get:
S28: Ui |≡ (Ui ←SK→ GWN)
From S18 and S24, we get:
S29: Ui |≡ SDk |≡ (Ui ←SK→ SDk) (Goal2)
From S21 and S27, we get:
S30: SDk |≡ Ui |≡ (Ui ←SK→ SDk) (Goal4)
From S29, A9 and the jurisdiction rule, we get:
S31: Ui |≡ (Ui ←SK→ SDk) (Goal1)
From S30, A12 and the jurisdiction rule, we get:
S32: SDk |≡ (Ui ←SK→ SDk) (Goal3)

Therefore, the above BAN logic analysis formally proves that the proposed scheme achieves mutual authentication successfully, and the session key SK is established between the user and the smart device with the assistance of GWN.

4.3. Formal security validation using ProVerif

ProVerif (Blanchet, 2001) is an automatic cryptographic protocol verifier in the formal model (the so-called Dolev-Yao model), which is widely applied in many works, such as Wu et al. (2018), Wu et al. (2016) and Xiong et al. (2017). ProVerif supports many different cryptographic primitives, including hash functions, symmetric and asymmetric cryptography, Diffie–Hellman key agreements, digital signatures, etc. With the help of ProVerif, the security properties of an authentication protocol, such as mutual authentication, secrecy and equivalences between processes, can be checked successfully. In this section, we conduct a formal security validation using the tool ProVerif. In order to analyze the security of the proposed scheme, two public channels ch1, ch2 are defined, where ch1 represents the public channel between the user and GWN, and ch2 represents the public channel between GWN and the smart device. After that, the basic types of variables are defined, and the cryptographic functions are modelled. Moreover, four values svalueA, svalueB, svalueC, svalueD are used to verify the secrecy of the session key SK. In order to verify mutual authentication of the proposed scheme, eight events are declared as follows: event UGbegin(entity), event UGend(entity), event GUbegin(entity), event GUend(entity), event GSbegin(entity), event GSend(entity), event SGbegin(entity), event SGend(entity). Then, the processes of the user, GWN and the smart device are demonstrated, respectively. Finally, we model the entire program. The ProVerif scripts associated with the analysis in this paper are available online: https://github.com/smx12345/code/blob/master/home.pv, and the simulation results using version 1.96 of ProVerif are demonstrated in Fig. 4.

The results demonstrate that the proposed scheme can fulfill the secrecy of the session key and achieve mutual authentication successfully.

4.4. Further security analysis of the proposed scheme

In this section, the security and functional features of the proposed scheme are discussed.

4.4.1. Mutual authentication

In the proposed scheme, the user Ui and the smart device SDk authenticate each other with the help of the GWN. In particular, Ui and GWN authenticate each other by checking V1 and V4, respectively. Similarly, GWN and SDk authenticate each other by checking V2 and V3, respectively. Therefore, the proposed scheme achieves mutual authentication successfully.

4.4.2. Session key agreement

In the proposed scheme, the session key SK = h(IDi||GIDj||SIDk||R1||R2||R3) is established between the user Ui and the smart device SDk, which is used for future communications. The session key SK contains Ui's contribution IDi, R1, GWN's contribution GIDj, R2, and SDk's contribution SIDk, R3. No third party can predetermine the session key. Therefore, the proposed scheme provides session key agreement.

4.4.3. User anonymity and untraceability

User anonymity is an important security feature of an authentication scheme, which mainly comprises two meanings. The first meaning is user identity protection, which means the real identity of the user cannot be figured out by the adversary, and the second meaning is user untraceability, which guarantees that the adversary can neither determine who the user is nor tell apart whether two sessions are executed by the same user (Wang and Wang, 2014a). In the proposed scheme, an attacker A cannot get the user's identity IDi from the communication messages directly since the plaintext of the user's real identity IDi is not contained in any message. On the contrary, the identity IDi is implied in messages DIDi, M1, V1, M2 and V2. Without knowing GWN's secret keys x and K, A cannot retrieve the user's real identity IDi from the communication messages. In addition, the user generates the random numbers w and R1 randomly in each session, and the transmitted
messages in the current session are also different from those of other sessions. Therefore, the proposed scheme can not only protect the user's real identity, but also achieve user untraceability.

Fig. 4 – The simulation results for the ProVerif.

4.4.4. Resist mobile device loss attack

Research shows that the secret values stored in a smart card or mobile device can be retrieved by using side-channel attacks (Spreitzer et al., 2017), such as power analysis attack (Kocher et al., 1999; Messerges et al., 2002), electromagnetic analysis attack (Mulder et al., 2005) and fault analysis attacks (Alkhoraidly et al., 2012; Barenghi et al., 2009). Therefore, the mobile device loss attack should be taken into consideration when designing an authentication scheme using a mobile device. In the proposed scheme, the mobile device of the user contains the secret parameters {A1, A2, A3, TEMP}, where A1 = KGU ⊕ HPWi = h(IDi||K) ⊕ h(PWi||a), A2 = a ⊕ h(IDi||PWi), A3 = h(IDi||HPWi) = h(IDi||h(PWi||a)). Suppose that an attacker A picks up or steals the mobile device and obtains the stored secret values {A1, A2, A3, TEMP}; A cannot get the correct identity and password without knowing Ui's secret random integer a and GWN's secret key K, and then A cannot impersonate the user. Therefore, the proposed scheme is robust even if the mobile device is lost or stolen.

4.4.5. Fault analysis attack

Fault analysis attack is a powerful tool to extract the secret information partially or fully by exploiting faults that occur in the implementation of the cryptosystem. Fault analysis attack targets the implementation weaknesses rather than the mathematical structure, and it is mainly used for attacking cryptosystems such as Elliptic Curve Cryptosystems, Pairing-Based Cryptography and the RSA Cryptosystem. In Section 4.4.4, we demonstrate that the proposed scheme is robust even if the mobile device is lost or stolen and the stored secret values are retrieved using fault analysis attacks (Alkhoraidly et al., 2012; Barenghi et al., 2009). Now, we discuss the fault analysis attack during the implementation of the scheme. In the proposed scheme, suppose that the random numbers w and R1 generated in the process of authentication are obtained by the attacker A using fault analysis attacks, and A further computes the session key SK = h(IDi||GIDj||SIDk||R1||R2||R3). Since the random numbers R1, R2, R3 are different for each session, the compromise of a session key in one session does not help to compromise previously established and future session keys. Therefore, the proposed scheme is robust even if the fault analysis attack is considered.

4.4.6. Resist replay attack

In the proposed scheme, the random number method is adopted to resist replay attack. In each session, random numbers R1, R2 and R3 are generated by the user Ui, GWN and the smart device SDk, respectively. These random numbers are used to ensure the freshness and independence of exchanged messages. Therefore, the proposed scheme is secure from replay attack.

4.4.7. Resist privileged insider attack

When Ui registers with RA as a valid user in the proposed scheme, Ui sends the registration request message {IDi, HPWi} to RA. A malicious privileged insider attacker cannot obtain Ui's password PWi from HPWi since it is shielded by the random number a and protected by the one-way hash function. Therefore, the proposed scheme can withstand the privileged insider attack.
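As an added example (not the paper's code or its ProVerif script), the following Python model runs the four messages in the idealized form of Section 4.2 together with the device-side values of Sections 4.4.4 and 4.4.7: the local check on A3 that releases KGU, the V1 to V4 checks of Section 4.4.1, agreement on SK = h(IDi||GIDj||SIDk||R1||R2||R3) of Section 4.4.2, and the per-session change of DIDi and M1 of Section 4.4.3. Since Section 3 is not reproduced here, SHA-256 for h, HMAC-SHA256 for (X)_K, a SHA-256 keystream for <X>_K, a toy modular-exponentiation group in place of the ECC point multiplication, the split of registration work between user and GWN, and the names register, local_login, run_session and demo are all assumptions of this example.

```python
import hashlib, hmac, os, secrets
P, G, FIELD = (1 << 127) - 1, 3, 16   # toy DH group for w.P, x.P (assumption); 16-byte fields

def h(*parts):                        # one-way hash h(a||b||...), SHA-256 assumed
    return hashlib.sha256(b"||".join(parts)).digest()

def kh(key, *parts):                  # (X)_K of Section 4.2: X hashed with key K (HMAC assumed)
    return hmac.new(key, b"||".join(parts), hashlib.sha256).digest()

def enc(key, *parts):                 # <X>_K: X masked with a SHA-256 keystream (toy, self-inverse)
    data = b"".join(parts)
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def fields(data):                     # split an opened message into its 16-byte fields
    return [data[i:i + FIELD] for i in range(0, len(data), FIELD)]

def point(n):                         # encode a group element ("ECC point") in FIELD bytes
    return n.to_bytes(FIELD, "big")

class Gateway:
    def __init__(self, gid):
        self.gid, self.K = gid, os.urandom(32)       # GIDj and long-term secret key K
        self.x = secrets.randbelow(P - 2) + 2        # long-term secret x
        self.X = pow(G, self.x, P)                   # public key X = x.P

def register(gwn, idi, pwi):
    """Registration (the split of work is an assumption): Ui sends {IDi, HPWi} only, so the
    RA never sees PWi or a (Section 4.4.7); the device stores {A1, A2, A3} of Section 4.4.4."""
    a = os.urandom(32)                                # user's secret random integer a
    hpw = h(pwi, a)                                   # HPWi = h(PWi||a)
    kgu = h(idi, gwn.K)                               # KGU = h(IDi||K), needs K held by GWN
    return {"A1": xor(kgu, hpw), "A2": xor(a, h(idi, pwi)), "A3": h(idi, hpw)}

def local_login(device, idi, pwi):
    """Mobile device recomputes A3* from the typed IDi, PWi and releases KGU only on a match."""
    a_star = xor(device["A2"], h(idi, pwi))           # a* = A2 xor h(IDi||PWi)
    hpw_star = h(pwi, a_star)                         # HPWi* = h(PWi||a*)
    if not hmac.compare_digest(h(idi, hpw_star), device["A3"]):   # A3* = h(IDi||HPWi*)
        return None                                   # rejected before any message is sent
    return xor(device["A1"], hpw_star)                # KGU = A1 xor HPWi*

def run_session(gwn, dev, idi, kgu, tamper=False):
    """The four messages of Section 4.2 in idealized form; ValueError marks a failed V check."""
    w, R1 = secrets.randbelow(P - 2) + 2, os.urandom(FIELD)
    A4, DIDi = point(pow(G, w, P)), enc(point(pow(gwn.X, w, P)), idi)      # w.P, <IDi>_{w.X}
    M1, V1 = enc(kgu, R1, dev["sid"]), kh(kgu, idi, R1)                     # <R1||SIDk>, (IDi||R1)
    msg1 = (DIDi, A4, M1, V1)                                               # Msg1: Ui -> GWN
    IDi_g = enc(point(pow(int.from_bytes(A4, "big"), gwn.x, P)), DIDi)      # GWN: x.(w.P) opens DIDi
    KGU_g = h(IDi_g, gwn.K)
    R1_g, SID_g = fields(enc(KGU_g, M1))
    if not hmac.compare_digest(V1, kh(KGU_g, IDi_g, R1_g)):
        raise ValueError("GWN rejects Msg1 (V1)")
    R2, KGS_g = os.urandom(FIELD), h(SID_g, gwn.K)                          # KGS = h(SIDk||K)
    M2 = enc(KGS_g, IDi_g, gwn.gid, R1_g, R2)                               # Msg2: GWN -> SDk
    V2 = kh(KGS_g, IDi_g, gwn.gid, R1_g, R2)
    if tamper:                                                              # one bit flipped in transit
        M2 = bytes([M2[0] ^ 1]) + M2[1:]
    IDi_s, GID_s, R1_s, R2_s = fields(enc(dev["kgs"], M2))                  # SDk opens M2 with stored KGS
    if not hmac.compare_digest(V2, kh(dev["kgs"], IDi_s, GID_s, R1_s, R2_s)):
        raise ValueError("SDk rejects Msg2 (V2)")
    R3 = os.urandom(FIELD)
    SK_s = h(IDi_s, GID_s, dev["sid"], R1_s, R2_s, R3)                      # SK = h(IDi||GIDj||SIDk||R1||R2||R3)
    M3, V3 = enc(dev["kgs"], R3), kh(dev["kgs"] + SK_s, R3)                 # Msg3: SDk -> GWN
    (R3_g,) = fields(enc(KGS_g, M3))
    SK_g = h(IDi_g, gwn.gid, SID_g, R1_g, R2, R3_g)
    if not hmac.compare_digest(V3, kh(KGS_g + SK_g, R3_g)):
        raise ValueError("GWN rejects Msg3 (V3)")
    M4, V4 = enc(KGU_g, gwn.gid, R2, R3_g), kh(KGU_g + SK_g, R2, R3_g)      # Msg4: GWN -> Ui
    GID_u, R2_u, R3_u = fields(enc(kgu, M4))
    SK_u = h(idi, GID_u, dev["sid"], R1, R2_u, R3_u)
    if not hmac.compare_digest(V4, kh(kgu + SK_u, R2_u, R3_u)):
        raise ValueError("Ui rejects Msg4 (V4)")
    return SK_u, SK_g, SK_s, msg1

def demo():
    """Constructed sample run: registration, local login check, two sessions, one tampered run."""
    gwn = Gateway(b"gateway-j".ljust(FIELD, b"\0"))
    dev = {"sid": b"sd-k".ljust(FIELD, b"\0")}
    dev["kgs"] = h(dev["sid"], gwn.K)                 # {SIDk, KGS} stored in the smart device
    idi, pwi = b"user-i".ljust(FIELD, b"\0"), b"correct horse battery"
    device = register(gwn, idi, pwi)
    rejected = local_login(device, idi, b"wrong password") is None
    kgu = local_login(device, idi, pwi)
    sk_u, sk_g, sk_s, m1a = run_session(gwn, dev, idi, kgu)
    m1b = run_session(gwn, dev, idi, kgu)[3]
    try:
        run_session(gwn, dev, idi, kgu, tamper=True)
        tampered = False
    except ValueError:
        tampered = True
    return {"same_sk": sk_u == sk_g == sk_s,                     # 4.4.2: all three hold the same SK
            "unlinkable": m1a[0] != m1b[0] and m1a[2] != m1b[2], # 4.4.3: fresh w, R1 change DIDi, M1
            "wrong_login_rejected": rejected,                    # 4.4.8: caught before any message
            "tamper_rejected": tampered}                         # 4.4.1: SDk's V2 check fails
```

The local check in local_login depends only on the typed IDi and PWi, which is why game GM3 of the proof assumes that the system limits the number of wrong password inputs.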
4.4.8. Quick detection of unauthorized login

A detection mechanism for unauthorized login allows the mobile device to quickly detect and reject an unauthorized login when the user inputs wrong information, and it saves unnecessary communication and computation cost at the beginning of the login and authentication phase. In the proposed scheme, the parameter A3 stored in the mobile device is used to verify the correctness of the user information, where A3* = h(IDi||HPWi*), HPWi* = h(PWi||a*), a* = A2 ⊕ h(IDi||PWi). If an attacker inputs a wrong identity IDi and password PWi, the values A3* and A3 are not equal. Then, the mobile device rejects Ui's login request. Therefore, the proposed scheme provides quick detection of unauthorized login.

4.4.9. Resist de-synchronization attack

In the proposed scheme, the same secret data is not stored in the endpoint entities. In addition, the endpoint entities do not need to update any information when a session is completed. Therefore, the de-synchronization attack is impossible.

4.4.10. Resist impersonation attacks

In the proposed scheme, if an attacker A wants to impersonate the user, he/she must know the user's identity IDi and password PWi. However, as discussed in resisting the mobile device loss attack, A cannot get the correct identity and password even if he/she obtains the user's mobile device. Thus, the proposed scheme is secure from user impersonation attack. Besides, the secret value x and the secret key K are held by GWN only, and A cannot generate valid communication messages without them. Therefore, the proposed scheme is secure from GWN impersonation attack.

4.4.11. Resist man-in-the-middle attack

According to the analysis in Sections 4.2, 4.3 and 4.4.1, the proposed scheme can provide mutual authentication successfully. Besides, the transmitted messages are protected by the secret values KGU and KGS, and anyone without them cannot forge legal authentication messages. Therefore, the proposed scheme can resist the man-in-the-middle attack.

4.4.12. Forward secrecy

In the proposed scheme, the established session key SK includes Ui's contribution IDi, R1, GWN's contribution GIDj, R2, and SDk's contribution SIDk, R3. The random numbers R1, R2, R3 are randomly generated for each session. So if the long-term keys are compromised by an attacker A, it cannot affect the confidentiality of past communications. Therefore, forward secrecy is provided in the proposed scheme.

4.5. Security comparisons

The comparison results of security features among the proposed scheme and four prior related schemes (Han et al., 2013; Kumar et al., 2015; Li, 2013; Wazid et al., 2017) are shown in Table 3. From Table 3, we can see that the schemes in Kumar et al. (2015), Li (2013) and Han et al. (2013) lack the mutual authentication between user and GWN as well as between user and smart device. Besides, the anonymity and untraceability properties are also not provided in Kumar et al.'s scheme, and it may face the clock synchronization problem because the time stamp has been adopted to resist the replay attack. Moreover, Wazid et al.'s (2017) scheme suffers from de-synchronization attack, and forward security is also not provided. In their scheme, GWN should keep a verification table for authentication, and it is disastrous if the verification table is stolen by an adversary. Similar to Kumar et al.'s (2015) scheme, their scheme may also face the clock synchronization problem. Furthermore, Li's (2013) scheme is not scalable since the management of a large number of keys and certificates is required, and the scheme in Han et al. (2013) is unrealistic because it requires the manufacturers to stay always online. Compared with the most representative related schemes in recent years, the proposed scheme can resist various kinds of known attacks and provide the desirable functional features.

5. Performance comparison

In this section, we first compare the computational costs of the proposed scheme with four prior related schemes, i.e., Kumar et al.'s (2015) scheme, Wazid et al.'s (2017) scheme, Li's (2013) scheme and Han et al.'s (2013) scheme. Then, the comparisons of the communication overheads and communication energy costs are presented, respectively.

5.1. Computation cost

In the performance analysis, the computation cost of a scheme is evaluated according to all the computations required in the scheme (Hsieh and Leu, 2012). For the convenience of computation analysis, we define TED, Texp, Tfe, Tmac, Thmac and Th as the time cost of a symmetric encryption/decryption, an ECC point multiplication, a fuzzy extractor generation/reproduction procedure, a message authentication code (MAC) and hashed MAC, and a hash operation, respectively. According to the simulation results of Wu et al. (2016), TED, Texp and Th are 0.0215 ms, 0.4276 ms and 0.0052 ms, respectively. The simulation is carried out on an Intel(R) Core TM i7-4710HQ 2.50GHz machine with the 64-bit Windows 8 operating system and 8 GB memory. Moreover, the fuzzy extractor in Wazid et al.'s (2017) scheme can be constructed from universal hash functions or error-correcting codes that require only lightweight operations (Dodis et al., 2004), so it is assumed that the time for executing a fuzzy extractor is at most the same as an ECC point multiplication (He et al., 2014). It is further assumed that Tmac and Thmac are approximately equal to Th. Table 4 shows the comparison results of computational costs between the proposed scheme and other related schemes (Han et al., 2013; Kumar et al., 2015; Li, 2013; Wazid et al., 2017). As shown in Table 4, the computation cost of the proposed scheme is slightly higher than Kumar et al.'s (2015) scheme, Wazid et al.'s (2017) scheme and Han et al.'s (2013) scheme. However, as is demonstrated in Section 4.5, the proposed
scheme supports more functionality and security features. Therefore, from Tables 3 and 4, it can be concluded that the proposed scheme achieves a delicate balance between security and efficiency.

Table 3 – Security attributes comparison.

Security attributes                    | Kumar et al. (2015) | Wazid et al. (2017) | Li (2013) | Han et al. (2013) | Ours
Suitable for realistic environments    | No  | No  | No  | No  | Yes
Mutual authentication                  | No  | Yes | No  | No  | Yes
Session key agreement                  | Yes | Yes | Yes | Yes | Yes
User anonymity                         | No  | Yes | Yes | Yes | Yes
Untraceability                         | No  | Yes | Yes | Yes | Yes
Avoid of clock synchronization problem | No  | No  | Yes | Yes | Yes
No verification table                  | Yes | No  | Yes | Yes | Yes
Forward security                       | Yes | No  | Yes | Yes | Yes
De-synchronization attack              | Yes | No  | Yes | Yes | Yes
Unauthorized login detection           | No  | Yes | No  | No  | Yes
Mobile device loss attack              | Yes | Yes | Yes | Yes | Yes
Privileged insider attack              | Yes | Yes | Yes | Yes | Yes
Impersonation attack                   | Yes | Yes | Yes | Yes | Yes
Replay attack                          | Yes | Yes | Yes | Yes | Yes
Man-in-the-middle attack               | Yes | Yes | Yes | Yes | Yes
Formal proof                           | No  | Yes | No  | No  | Yes
Formal verification                    | Yes | Yes | Yes | No  | Yes

Table 4 – Comparison of computational costs.

Authentication scheme        | Total cost                  | Rough estimation
Kumar et al.'s (2015) scheme | 2TED + Tmac + Thmac + 2Th   | 0.0638 ms
Wazid et al.'s (2017) scheme | 4TED + Tfe + 22Th           | 0.628 ms
Li's (2013) scheme           | 4Texp + 2TED + 2Tmac + 2Th  | 1.7742 ms
Han et al.'s (2013) scheme   | 6TED + 12Tmac + 10Th        | 0.2434 ms
The proposed scheme          | 3Texp + 16Th                | 1.366 ms

5.2. Communication overhead

Table 5 shows the comparison of communication overheads between the proposed scheme and four prior related schemes (Han et al., 2013; Kumar et al., 2015; Li, 2013; Wazid et al., 2017). In order to achieve a convincing comparison, we assume that the lengths of the user's identity, the user's pseudonym identity, the user's password, the sensor's identity, the time stamp, the secret key, the random number, the ECC point multiplication, the ciphertext block in symmetric encryption/decryption, the output of the hash function and the MAC are 128 bits, 128 bits, 128 bits, 128 bits, 32 bits, 160 bits, 160 bits, 320 bits, 256 bits, 160 bits, 160 bits, respectively. In the proposed scheme, the transmitted messages {DIDi, A4, M1, V1}, {M2, V2}, {M3, V3} and {M4, V4} require (128+320+160+160) = 768 bits, (160+160) = 320 bits, (160+160) = 320 bits, (160+160) = 320 bits, respectively. Combining the above four values, the total communication overhead of the proposed scheme is 1728 bits. Similarly, the total communication overheads of Kumar et al.'s (2015) scheme, Wazid et al.'s (2017) scheme, Li's (2013) scheme and Han et al.'s (2013) scheme are 1376 bits, 2082 bits, 1216 bits, 2272 bits, respectively. Although there is a slight advantage in the communication overhead of Kumar et al.'s (2015) scheme and Li's (2013) scheme, their schemes fail to provide mutual authentication between user and GWN as well as between user and smart device. Therefore, the proposed scheme is effective and more suitable for realistic environments.

Table 5 – Comparison of communication overheads.

Authentication scheme        | Total messages | Total cost (Bits)
Kumar et al.'s (2015) scheme | 3 Messages     | 1376
Wazid et al.'s (2017) scheme | 4 Messages     | 2082
Li's (2013) scheme           | 4 Messages     | 1216
Han et al.'s (2013) scheme   | 6 Messages     | 2272
The proposed scheme          | 4 Messages     | 1728

5.3. Energy consumption cost

In this section, the consumption model used in Das et al. (2016) and Kumar et al. (2018) is adopted to compute the energy consumption cost. According to the literature (Shnayder et al., 2004), the energy costs of transmitting and receiving a bit are 4.602 and 2.34 mJ/bit, respectively. Table 6 shows the comparison of energy consumption cost between the proposed scheme and four prior related schemes (Han et al., 2013; Kumar et al., 2015; Li, 2013; Wazid et al., 2017). In the proposed scheme, the total transmission energy for all the entities is 7216 mJ. Similarly, the total transmission energy of Kumar et al.'s (2015) scheme, Wazid et al.'s (2017) scheme, Li's (2013) scheme and Han et al.'s (2013) scheme are 6774 mJ,
10907 mJ, 4418 mJ and 8689 mJ, respectively. From the comparison in Table 6, it is noted that the total transmission energy of the proposed scheme is less than that of the schemes (Han et al., 2013; Wazid et al., 2017), and it is slightly higher than that of the schemes (Kumar et al., 2015; Li, 2013). However, the proposed scheme has the least transmission energy for the smart device. Therefore, compared with four prior related schemes (Han et al., 2013; Kumar et al., 2015; Li, 2013; Wazid et al., 2017), the proposed scheme is one of the most energy efficient schemes for resource constrained smart devices in the smart home environment.

Table 6 – Comparison of energy consumption cost.

Authentication scheme        | Total transmission energy (mJ) | Transmission energy for smart device (mJ)
Kumar et al.'s (2015) scheme | 6774                           | 2651
Wazid et al.'s (2017) scheme | 10,907                         | 2798
Li's (2013) scheme           | 4418                           | 1473
Han et al.'s (2013) scheme   | 8689                           | 2209
The proposed scheme          | 7216                           | 1473

6. Conclusion

Security and privacy issues are major obstacles that hinder the large-scale applications of the smart home. In previous research, there are almost no comprehensive authentication schemes suitable for the smart home environment. As a step towards this direction, in this paper, we have presented a lightweight and secure two-factor anonymous authentication scheme using ECC. The proposed scheme allows a legal user to mutually authenticate with the smart device with the help of GWN. At the end of successful mutual authentication, a symmetric session key SK is established between the user and the smart device for future secure communications. The security of the proposed scheme is proved by a rigorous formal proof using the random oracle model and the broadly-accepted BAN logic. Moreover, the formal security verification using the widely accepted tool ProVerif demonstrates that the proposed scheme can fulfill the secrecy of the session key and achieve mutual authentication successfully. Through the heuristic way, the security and functional features are discussed, and it has been shown that the proposed scheme is robust against various attacks and achieves some ideal features. Furthermore, we compared the proposed scheme with four representative related

Acknowledgments

The authors would like to thank the reviewers for their insightful comments and helpful suggestions.

R E F E R E N C E S

Abdalla M, Fouque PA, Pointcheval D. Password-based authenticated key exchange in the three-party setting, 153; 2005. p. 65–84. doi:10.1007/978-3-540-30580-4_6.
Alkhoraidly A, Dominguez-Oviedo A, Hasan M. Fault attacks on elliptic curve cryptosystems. Fault analysis in cryptography, 1. Springer Berlin Heidelberg; 2012. p. 137–55.
Barenghi A, Bertoni G, Parrinello E, Pelosi G. Low voltage fault attacks on the rsa cryptosystem, 1; 2009. p. 23–31. doi:10.1109/FDTC.2009.30.
Baruah B, Dhal S. A two-factor authentication scheme against FDM attack in IFTTT based smart home system. Comput Secur 2018;77:21–35. doi:10.1016/j.cose.2018.03.004.
Blanchet B. An efficient cryptographic protocol verifier based on prolog rules, 1; 2001. p. 82–96. doi:10.1109/CSFW.2001.930138.
Challa S, Das AK, Odelu V, Kumar N, Kumari S, Khan MK, Vasilakos A. An efficient ECC-based provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor networks. Comput Electr Eng 2017;PP:1–1. doi:10.1016/j.compeleceng.2017.08.003.
Chuang MC, Lee JF. Team: Trust-extended authentication mechanism for vehicular ad hoc networks, 8(3); 2011. p. 1758–61. doi:10.1109/CECNET.2011.5768376.
Das AK, Sutrala AK, Kumari S, Odelu V, Wazid M, Li X. An efficient multi-gateway-based three-factor user authentication and key agreement scheme in hierarchical wireless sensor networks. Secur Commun Netw 2016;9:2070–92. doi:10.1002/sec.1464.
Dodis Y, Reyzin L, Smith A. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data, 38; 2004. p. 523–40. doi:10.1137/060651380.
Dolev D, Yao ACC. On the security of public key protocols. IEEE Trans Inf Theory 1983;29(2):198–208. doi:10.1109/SFCS.1981.32.
Esfahani A, Mantas G, Matischek R, Saghezchi FB, Rodriguez J, Bicaku A, Maksuti S, Bastos J. A lightweight authentication mechanism for m2m communications in industrial. IEEE Inter Things J 2017;PP:1–8. doi:10.1109/JIOT.2017.2737630.
Gomez C, Paradells J. Wireless home automation networks: a survey of architectures and technologies. IEEE Commun Mag 2010;48(6):92–101. doi:10.1109/MCOM.2010.5473869.
Han K, Kim J, Shon T, Ko D. A novel secure key paring protocol for rf4ce ubiquitous smart home systems. Person Ubiq Comput 2013;17:945–9. doi:10.1007/s00779-012-0541-2.
He D, Kumar N, Lee JH, Sherratt RS. Enhanced three-factor security protocol for USB mass storage devices. IEEE Trans Consum Electron 2014;60(1):30–7. doi:10.1109/TCE.2014.6780922.
He D, Zeadally S. Authentication protocol for an ambient assisted living system. IEEE Commun Mag 2015;53:71–7.
schemes in security and performance aspects, and the com- doi:10.1109/MCOM.2015.7010518.
parison results illustrate that the proposed scheme is secure Hsieh WB, Leu JS. Anonymous authentication protocol based on
and more suitable for smart home environment. elliptic curve Diffie–Hellman for wireless access networks.
Wirel Commun Mobile Comput 2012;14(10):995–1006.
doi:10.1002/wcm.2252.
Jeong J, Chung MY, Choo H. Integrated otp-based user
Declaration of competing interest
authentication scheme using smart cards in home networks,
294; 2008. p. 1–7. doi:10.1109/HICSS.2008.208.
The authors declare that they have no known competing fi- Jin M, Bekiaris-Liberis N, Weekly K, Spanos CJ, Bayen AM.
nancial interests or personal relationships that could have ap- Occupancy detection via environmental sensing. IEEE Trans
peared to influence the work reported in this paper. Autom Sci Eng 2016;15:443–55. doi:10.1109/TASE.2016.2619720.
Jin M, Jia R, Spanos C. Virtual occupancy sensing: using smart meters to indicate your presence. IEEE Trans Mobile Comput 2017;16:3264–77. doi:10.1109/TMC.2017.2684806.
Kim HJ, Kim HS. AUTH HOTP: HOTP-based authentication scheme over home network environment, 6784; 2011. p. 622–37. doi:10.1007/978-3-642-21931-3_48.
Kocher P, Jaffe J, Jun B. Differential power analysis, 1666; 1999. p. 388–97. doi:10.1007/3-540-48405-1_25.
Kumar D, Chand S, Kumar B. Cryptanalysis and improvement of an authentication protocol for wireless sensor networks applications like safety monitoring in coal mines. J Ambient Intell Hum Comput 2018;10:641–60. doi:10.1007/s12652-018-0712-8.
Kumar P, Gurtov A, Iinatti J, Ylianttila M, Sain M. Lightweight and secure session-key establishment scheme in smart home environments. IEEE Sensors J 2015;16:254–64. doi:10.1109/JSEN.2015.2475298.
Li Y. Design of a key establishment protocol for smart home energy management system, PP; 2013. p. 88–93. doi:10.1109/CICSYN.2013.42.
Messerges T, Dabbish E, Sloan R. Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 2002;51:541–52. doi:10.1109/TC.2002.1004593.
Mulder ED, Buysschaert P, Ors B, Delmotte P, Preneel B, Vandenbosch GAE, Verbauwhede I. Electromagnetic analysis attack on an FPGA implementation of an elliptic curve cryptosystem, 2; 2005. p. 1879–82. doi:10.1109/EURCON.2005.1630348.
Pradeep H, Singh S. Privacy preserving and ownership authentication in ubiquitous computing devices using secure three way authentication, PP; 2012. p. 107–12. doi:10.1109/INNOVATIONS.2012.6207712.
Santoso FK, Vun NCH. Securing IoT for smart home system, PP; 2015. p. 1–2. doi:10.1109/ISCE.2015.7177843.
Shnayder V, Hempstead M, Chen B, Allen W, Welsh M. Simulating the power consumption of large-scale sensor network applications. In: Proceedings of the second international conference on embedded networked sensor systems; 2004. p. 188–200.
Spreitzer R, Moonsamy V, Korak T, Mangard S. Systematic classification of side-channel attacks: a case study for mobile devices. IEEE Commun Surv Tutor 2017;PP:1–24. doi:10.1109/COMST.2017.2779824.
Suryadevara N, Mukhopadhyay S, Wang R, Rayudu R. Forecasting the behavior of an elderly using wireless sensors data in a smart home. Eng Appl Artif Intell 2013;26(10):2641–52. doi:10.1016/j.engappai.2013.08.004.
Vaidya B, Makrakis D, Mouftah HT. Device authentication mechanism for smart energy home area networks, 10(11); 2011a. p. 787–8. doi:10.1109/ICCE.2011.5722864.
Vaidya B, Park JH, Yeo SS, Rodrigues J. Robust one-time password authentication scheme using smart card for home network environment. Comput Commun 2011b;34:326–36. doi:10.1016/j.comcom.2010.03.013.
Wang D, Wang P. On the anonymity of two-factor authentication schemes for wireless sensor networks: attacks, principle and solutions. Comput Netw 2014a;73:41–57. doi:10.1016/j.comnet.2014.07.010.
Wang D, Wang P. Understanding security failures of two-factor authentication schemes for real-time applications in hierarchical wireless sensor networks. Ad Hoc Netw 2014b;20:1–15. doi:10.1016/j.adhoc.2014.03.003.
Wazid M, Das AK, Odelu V, Kumar N, Susilo W. Secure remote user authenticated key establishment protocol for smart home environment. IEEE Trans Depend Secure Comput 2017;PP:1–15. doi:10.1109/TDSC.2017.2764083.
Wu F, Li X, Sangaiah AK, Xu L, Kumari S, Wu L, Shen J. A lightweight and robust two-factor authentication scheme for personalized healthcare systems using wireless medical sensor networks. Future Gen Comput Syst 2018;82:727–37. doi:10.1016/j.future.2017.08.042.
Wu F, Xu L, Kumari S, Li X, Das AK, Khan MK, Karuppiah M, Baliyan R. A novel and provably secure authentication and key agreement scheme with user anonymity for global mobility networks. Secur Commun Netw 2016;9(16):3527–42. doi:10.1002/sec.1558.
Xiong L, Peng D, Peng T, Liang H, Liu Z. A lightweight anonymous authentication protocol with perfect forward secrecy for wireless sensor networks. Sensors 2017;17:2681–709. doi:10.3390/s17112681.
Xu J, Xue K, Yang Q, Hong P. PSAP: pseudonym-based secure authentication protocol for NFC applications. IEEE Trans Consum Electron 2018;64(1):83–91. doi:10.1109/TCE.2018.2811260.
Xue K, Ma C, Hong P, Ding R. A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J Netw Comput Appl 2013;36(1):316–23. doi:10.1016/j.jnca.2012.05.010.

Mengxia Shuai received the B.S. and M.S. degrees from Fuzhou University, Fuzhou, China. Currently, he is pursuing the Ph.D. degree at the University of Science and Technology of China. His research interests include cryptography and information security.

Nenghai Yu received his B.S. degree in 1987 from Nanjing University of Posts and Telecommunications, M.E. degree in 1992 from Tsinghua University and Ph.D. degree in 2004 from the University of Science and Technology of China, where he is currently a professor. His research interests include multimedia security, multimedia information retrieval, video processing, information hiding and security, privacy and reliability in cloud computing.

Hongxia Wang received the B.S. degree from Hebei Normal University, Shijiazhuang, China, in 1996, and the M.S. and Ph.D. degrees from the University of Electronic Science and Technology of China, Chengdu, China, in 1999 and 2002, respectively. She pursued postdoctoral research with Shanghai Jiao Tong University, Shanghai, China, from 2002 to 2004 and was a visiting scholar with Northern Kentucky University, Highland Heights, KY, USA, from 2013 to 2014. She is currently a professor with the College of Cybersecurity, Sichuan University, Chengdu. She has authored over 90 research papers in refereed journals and conferences, and holds nine authorized patents. Her research interests include multimedia information security, digital forensics, information hiding, and digital watermarking.

Ling Xiong received the M.S. and Ph.D. degrees from Southwest Jiaotong University, Chengdu, China. She is currently a lecturer with the School of Computer and Software Engineering, Xihua University, Chengdu. Her research interests include the formal analysis of cryptographic protocols, and security and privacy in cloud computing service environments and wireless sensor network environments.