Sage Journals: Discover world-class research

Abstract

Authentication and privacy protection are important security mechanisms for keeping things safe in the Internet of Things environments. In particular, an anonymous authentication scheme is a privacy preserving authentication technique which provides both authentication and privacy preservation. An authentication scheme with anonymity in mobility networks was proposed recently. However, it was proven that it failed to provide anonymity against passive adversaries and malicious users and security against known session key attacks and side channel attacks. We propose an anonymous authentication scheme for intercommunication between the things in the Internet of Things environments. The proposed scheme provides not only anonymity and security, but also untraceability for the thing. Moreover, we only use low cost functions, such as hash functions and exclusive-OR operations in consideration of limited computing power of the thing.

1. Introduction

As the Internet of Things (IoT) market is expanding recently, the importance of trustworthy IoT products and services is increasing. Zhang et al. [1] discussed IoT security issues just in time. To preserve IoT security, authentication and privacy preservation are some of the major mechanisms and a few authentication schemes in IoT are proposed [2, 3]. And improvements and drawbacks of those schemes are presented [4–6]. Since a lot of systems and things in IoT environments are connected to the Internet for intercommunication, apparently they can be exposed to hacker's attacks anytime and anywhere.

Systems of IoT infrastructure, such as a computer, a gateway, and a server system, have high computing power, enough memory, and wide communication bandwidth. On the contrary, things like a tag, a sensor, and a device deployed at the end of IoT environments have limited computing capacity and resource. Therefore, the convergence of symmetric and asymmetric cryptosystems and lightweight cryptographic protocols is necessary to guarantee the whole IoT security. Various things interconnected in IoT environments produce a lot of transmitting data. These data may contain user's behavior, taste, and preference as well as private information. Hence, an adversary can abuse user's information or do some damage through tapping, leaking, modifying, and destroying them. It is clear that privacy protection is one of the most important issues of IoT security. Because only human beings can have privacy, privacy preservation is not originally applied to things. However, things also need to have security measures to prevent privacy invasion in case they deal with human beings' information. For such a reason, anonymity and anonymous authentication are essential to preserve privacy and security of all objects in IoT environments.

Many anonymous authentication schemes in wireless environments, proofs of weaknesses, and countermeasures have been proposed [7–14]. Particularly, Chang et al. [15] proposed an efficient authentication scheme with anonymity for roaming service in global mobility networks. Since their scheme only uses low cost functions, such as hash functions and exclusive-OR operations, it is suitable for battery-powered mobile devices. However, Youn et al. [16] showed that Chang et al.'s scheme does not provide anonymity and security in certain situations. In other words, it fails to preserve anonymity against passive adversaries and malicious users as well as security against known session key attacks and side channel attacks. Since then, to make up the security faults proven by Youn et al., a few enhanced schemes have been proposed [17–19]. Also, anonymous authentication schemes with unlinkability that guarantee not to link one user and his/her messages have been followed [20–22].

In this paper, we suppose that IoT components are a thing, a gateway, and a registration server. The thing senses, handles, and transmits various information. All things need to be registered for the registration server before being deployed in IoT environments. The registration server keeps and manages the thing's identity. Also, it maintains a trustworthy relationship with the gateway to response to gateway's request for authenticating the thing. No one but the thing and the registration server can know the thing's identity because the thing certainly knows its identity and the registration server takes the thing's identity when the thing registers for it. The gateway authenticates the thing in relation to the registration server without knowing the thing's identity. And it makes the thing be able to communicate with other things through a secure way. The thing accomplishes mutual authentication and key agreement with the gateway through an anonymous authentication method when it connects to the gateway for the first time. At this time, the gateway which does not know the thing's identity can authenticate the thing with the aid of the registration server. Centering around one gateway, a number of things consist of their own domain. Things in the same domain can do anonymous authentication and session key sharing through the same gateway.

We propose a novel authentication scheme that guarantees anonymity, security, and untraceability in IoT environments by remedying the defects of Chang et al.'s scheme which are shown by Youn et al. The proposed scheme makes the things in IoT environments communicate with each other safely. Also, it only uses low cost functions to reduce computing loads of the thing's side as Chang et al.'s scheme does.

The remainder of this paper is organized as follows. We review the related works in Section 2 and present our scheme in Section 3. In Section 4, we analyze security of our scheme. Finally, a concluding remark is given in Section 5.

2. Related Works

In this section, we review Chang et al.'s scheme and Youn et al.'s analysis. Table 1 denotes notations in Chang et al.'s scheme.

Table 1

Notations in Chang et al.'s scheme.

Notations	Descriptions
MN	Mobile user
HA	Home agent of a mobile user
FA	Foreign agent of a foreign network
${ID}_{X}$	Identity of an entity X
${PW}_{X}$	Password of an entity X
SID	Shadow identity
SK	Session key
x	Private key of HA
$K_{X Y}$	Common secret key shared between an entity X and an entity Y
$h ()$	Collision-free one-way hash function
∥	Concatenation
⊕	Exclusive-OR operation

2.1. Chang et al.'s Scheme

Chang et al.'s scheme consists of three phases: registration, authentication, and session key establishment. And three entities are involved: the mobile user $M N$ , the foreign agent $FA$ , and the home agent $H A$ in each phase. Their assumption is that each $F A$ and each $H A$ share and store a long term session key using any secure method, such as the Diffie-Hellman key agreement protocol.

2.1.1. Registration Phase

In the registration phase, $M N$ submits his/her identity ${I D}_{M N}$ and the selected password ${PW}_{M N}$ to $H A$ . $H A$ uses its private key x to compute the secret value R as follows: $\begin{matrix} R = h ({ID}_{M N} ∥ x) \oplus {P W}_{M N} . \end{matrix}$ (1) Then $H A$ issues a smart card containing ${{I D}_{M N}, {I D}_{H A}, R, h (x), h (\cdot)}$ and delivers it to $M N$ in a secure way.

2.1.2. Authentication Phase

It is assumed that $M N$ wants to take a roaming service from $F A$ . Before providing services, $F A$ tries to authenticate $M N$ through $H A$ . To achieve this, $M N$ , $F A$ , and $H A$ perform the authentication phase as follows. (1)

$M N$ inserts his/her smart card into the device and enters a password ${P W}_{M N}^{*}$ .

(2)

Smart card generates a nonce $n_{M N}$ randomly and computes the parameter C as shown in $\begin{matrix} C = (R \oplus {P W}_{M N}^{*}) \oplus n_{M N} . \end{matrix}$ (2)

(3)

$M N$ sends the login message $m_{1} = {Login request, n_{M N}, {I D}_{H A}}$ to $F A$ . “ $Login request$ ” is the header of the message to establish a new secure session between $M N$ and $F A$ .

(4)

Upon receiving $m_{1}$ , $F A$ stores $n_{M N}$ and generates a random nonce $n_{F A}$ to send the authentication request message $m_{2} = {Authenticaton request, n_{F A}, {I D}_{F A}}$ to $H A$ . The message header “ $Authenticaton request$ ” notifies $H A$ to authenticate $M N$ .

(5)

After receiving $m_{2}$ , $H A$ checks ${I D}_{F A}$ to see whether a trustworthy relationship between $H A$ and $F A$ is built or not. If ${I D}_{F A}$ is valid, $H A$ generates a nonce $n_{H A}$ randomly and sends the message $m_{3} = {n_{H A}, {I D}_{H A}}$ to $F A$ .

(6)

Upon receiving $m_{3}$ , $F A$ sends the message $m_{4} = {n_{H A}, n_{F A}, {I D}_{F A}}$ to $M N$ .

After checking the identities and exchanging nonces between $M N$ , $F A$ , and $H A$ , they accomplish the following steps for anonymous authentication.

(7)

$M N$ who receives $m_{4}$ computes the shadow identity $SID$ , the parameter $V_{1}$ , the session key $S K$ , and the parameter $V_{2}$ sequentially such that $\begin{matrix} SID = {ID}_{M N} \oplus h (h (x) ∥ n_{H A}), \\ V_{1} = h (n_{H A} ∥ C), \\ S K = h (h (x) ∥ {ID}_{M N} ∥ {ID}_{FA} ∥ n_{M N} ∥ n_{FA}), \\ V_{2} = S K \oplus h (n_{H A} ∥ {ID}_{M N}) . \end{matrix}$ (3)

(8)

$M N$ computes the following hashing value $S_{1}$ and sends the message $m_{5} = {SID, V_{1}, V_{2}, n_{M N}, S_{1}, {ID}_{H A}}$ to $FA$ : $\begin{matrix} S_{1} = h (n_{FA} ∥ SID ∥ V_{1} ∥ V_{2} ∥ n_{M N}) . \end{matrix}$ (4)

(9)

Upon receiving $m_{5}$ , $FA$ checks $S_{1}$ and computes the following hashing value $S_{2}$ . And then it sends the message $m_{6} = {SID, V_{1}, V_{2}, n_{M N}, S_{2}, {ID}_{FA}}$ to $H A$ : $\begin{matrix} S_{2} = h (K_{F H} ∥ n_{H A} ∥ SID ∥ V_{1} ∥ V_{2} ∥ n_{M N}) . \end{matrix}$ (5)

(10)

After receiving $m_{6}$ , $H A$ checks ID_FA and $S_{2}$ firstly. And it checks the format of $M N$ 's identity after computing ${ID}_{M N}$ as follows: $\begin{matrix} {ID}_{M N} = SID \oplus h (h (x) ∥ n_{H A}) . \end{matrix}$ (6)

(11)

$H A$ computes $C^{*}$ and ${V_{1}}^{*}$ as demonstrated in (7) to check whether ${V_{1}}^{*}$ is equal to $V_{1}$ . The equivalence between ${V_{1}}^{*}$ and $V_{1}$ implies that the selected ${P W}_{M N}$ in the registration phase is the same as the password ${P W}_{M N}^{*}$ that $M N$ enters in the authentication phase: $\begin{matrix} C^{*} = h ({I D}_{M N} ∥ x) \oplus n_{M N}, \\ {V_{1}}^{*} = h (n_{H A} ∥ C^{*}) . \end{matrix}$ (7)

(12)

$H A$ computes the parameter $K_{1}$ after obtaining the session key $S K$ from $V_{2}$ . And it computes the parameter $V_{3}$ and the hashing value $S_{3}$ to send the message $m_{7} = {K_{1}, V_{3}, S_{3}}$ to $FA$ . $S K$ , $K_{1}$ , $V_{3}$ , and $S_{3}$ are calculated such that $\begin{matrix} S K = V_{2} \oplus h (n_{H A} ∥ {I D}_{M N}), \\ K_{1} = S K \oplus h (K_{F H} ∥ n_{FA}), \\ V_{3} = h ({I D}_{FA} ∥ h (x) ∥ n_{M N}), \\ S_{3} = h (K_{F H} ∥ n_{FA} ∥ K_{1} ∥ V_{3}) . \end{matrix}$ (8)

2.1.3. Session Key Establishment Phase

After completing the authentication phase, $M N$ and $FA$ continue the following session key establishment phase. (1)

Upon receiving $m_{7}$ , $FA$ obtains the following session key $SK$ from $K_{1}$ after checking $S_{3}$ : $\begin{matrix} S K = K_{1} \oplus h (K_{F H} ∥ n_{FA}) . \end{matrix}$ (9)

And it computes the parameter $K_{2}$ as follows to send the message $m_{8} = {V_{3}, K_{2}}$ to $M N$ : $\begin{matrix} K_{2} = S K \oplus h (S K ∥ n_{M N}) . \end{matrix}$ (10)

(2)

After receiving $m_{8}$ , $M N$ computes the following ${V_{3}}^{*}$ and checks whether ${V_{3}}^{*}$ and $V_{3}$ are equal or not: $\begin{matrix} {V_{3}}^{*} = h ({I D}_{FA} ∥ h (x) ∥ n_{M N}) . \end{matrix}$ (11)

The fact that two values are equal means $M N$ confirms $FA$ as a valid foreign agent.

(3)

$M N$ computes ${S K}^{*}$ as follows: from $K_{2}$ to check the equivalence between ${S K}^{*}$ and $S K$ that $M N$ computes in the authentication phase: $\begin{matrix} {S K}^{*} = K_{2} \oplus h (S K ∥ n_{M N}) . \end{matrix}$ (12)

According to the sameness of two values, $M N$ confirms that he/she shares the authenticated session key with $FA$ .

(4)

Since then, $M N$ and $FA$ use $S K$ when they want to communicate with one another through a secure channel.

Figure 1 describes the authentication and the session key establishment phases in Chang et al.'s scheme.

Figure 1

Authentication and session key establishment phases in Chang et al.'s scheme.

2.2. Youn et al.'s Analysis

Youn et al. proved that Chang et al.'s scheme suffers from some specific attacks. Their assumptions are as follows. Anyone can eavesdrop transmitting messages between $M N$ , $FA$ , and $H A$ . And it is easy to perform a brute-force search of a valid identity since it is short and has a certain format. In addition, there exists an adversary who can execute side channel attacks.

2.2.1. Anonymity against Passive Adversaries

A passive adversary can obtain $V_{2}$ and $K_{2}$ by eavesdropping messages between $M N$ , $FA$ , and $H A$ . The adversary chooses a candidate identity ${I D}^{'}$ to compute ${S K}^{'}$ and $K_{2}^{'}$ as follows: $\begin{matrix} {S K}^{'} = V_{2} \oplus h (n_{H A} ∥ {I D}^{'}), \\ K_{2}^{'} = {S K}^{'} \oplus h ({S K}^{'} ∥ n_{M N}) . \end{matrix}$ (13) If $K_{2}^{'}$ and $K_{2}$ are equal, the adversary can recognize that the candidate identity is the same as $M N$ 's real identity. Therefore, the adversary can know $M N$ 's identity.

2.2.2. Anonymity against Malicious Mobile User

It is supposed that ${M N}^{'}$ is a malicious mobile user who has a valid smart card issued by $H A$ . ${M N}^{'}$ accomplishes the normal authentication phase with $H A$ to get the nonce $n_{H A}^{'}$ generated by $H A$ . And then he/she computes ${SID}^{'}$ using his/her identity ${I D}_{M N}^{'}$ as follows: $\begin{matrix} {SID}^{'} = {I D}_{M N}^{'} \oplus h (h (x) ∥ n_{H A}^{'}) . \end{matrix}$ (14) ${M N}^{'}$ replaces $n_{H A}$ included in the message $m_{4} = {n_{H A}, n_{FA}, {I D}_{FA}}$ between $M N$ and $FA$ with $n_{H A}^{'}$ . Then $M N$ who receives $m_{4}$ computes the following $SID$ to send it to $FA$ : $\begin{matrix} SID = {I D}_{M N} \oplus h (h (x) ∥ n_{H A}^{'}) . \end{matrix}$ (15) ${M N}^{'}$ eavesdrops $SID$ once again to compute ${I D}_{M N}$ using $SID$ and ${SID}^{'}$ . ${I D}_{M N}$ is calculated as follows: $\begin{matrix} {I D}_{M N} = SID \oplus {SID}^{'} \oplus {I D}_{M N}^{'} = {I D}_{M N} \oplus h (h (x) ∥ n_{H A}^{'}) \oplus {I D}_{M N}^{'} \oplus h (h (x) ∥ n_{H A}^{'}) \oplus {I D}_{M N}^{'} . \end{matrix}$ (16) Thus, a legal but malicious user can obtain other's identity.

2.2.3. Security against Known Session Key Attacks

An adversary can get a user's identity when a former session key shared between $M N$ and $FA$ is revealed. The adversary obtains $V_{2}$ by eavesdropping and computes the verification value $F l g$ using $V_{2}$ and a revealed $S K$ such that $\begin{matrix} F l g = V_{2} \oplus S K . \end{matrix}$ (17) The adversary also computes another verification value ${F l g}^{'}$ after choosing a candidate identity ${I D}^{'}$ in the following manner: $\begin{matrix} {F l g}^{'} = h (n_{H A} ∥ {I D}^{'}) . \end{matrix}$ (18) If $F l g$ equals ${F l g}^{'}$ , the adversary can ensure that the guessed identity and the $M N$ 's real identity are consistent.

2.2.4. Security against Side Channel Attacks

Let us suppose that an adversary who can execute side channel attacks obtains a valid smart card issued by $H A$ . The adversary can acquire $h (x)$ from the smart card and take $SID$ and $n_{H A}$ from messages in the authentication phase. Then it is possible that the adversary discovers $M N$ 's identity by computing as follows: $\begin{matrix} {I D}_{M N} = SID \oplus h (h (x) ∥ n_{H A}) . \end{matrix}$ (19) Hence, Chang et al.'s scheme can be totally broken by side channel attacks.

3. Proposed Scheme

To provide anonymity and security, the proposed scheme that improves Chang et al.'s scheme makes up for the weak points shown by Youn et al. Also, it guarantees untraceability for things by using different anonymized identities all the time. Since it minimizes the number of transmitting messages and computations, it is suitable for IoT environments. Figure 2 presents IoT network environments applied to our scheme. A registration server and a gateway accomplish mutual communication through the Internet while they preserve a trustworthy relationship. The registration server maintains secret information of things. The gateway forms its own domain to combine the things that existed in its permissible range. And it makes the things link up with their registration server. The things collect and produce various information and exchange data one another if necessary. Depending on the number of things in a domain, several base stations are required to provide stable communication channel. Base stations do not participate in the join phase directly. They just act as mediators between the things and the gateway. If the stability of communications channel is guaranteed, a lot of things can work in one domain. It is because the thing only computes low cost functions, while relatively high cost computations are up to the gateway. In other words, a domain can be expanded regardless of the number of things.

Figure 2

IoT network environments in the proposed scheme.

The proposed scheme consists of three phases: registration, join, and communication. In each phase, the thing T, the gateway G, and the registration server R are involved. We assume R and G share a common secret key using a secure method, such as the Diffie-Hellman key agreement protocol in advance. And let us suppose that a time synchronization is established between T, G, and R.

In the registration phase, T registers for R in a safe way. T registered for R normally joins G's domain in the join phase. In that phase, G can authenticate T through R. The things that successfully joined G's domain cannot trust each other yet, whereas they already build a trustworthy relationship with G through sharing of a common secret key. When the things want to communicate with each other safely, they carry out authentication and session key establishment processes through G. Table 2 indicates additional notations used in our scheme. We use notations in both Tables 1 and 2.

Table 2

Additional notations in the proposed scheme.

Notations	Descriptions
T	Thing
R	Registration server
G	Gateway of a domain
${SID}_{X}$	Shadow identity of an entity X
${VID}_{X}$	Virtual identity of an entity X
$x_{X}$	Private key of an entity X
$t_{X}$	Timestamp generated by an entity X

3.1. Registration Phase

Firstly, T registers for R and R issues T's virtual identity. T receives secret information from R and stores them safely. Figure 3 shows the registration phase between T and R.

Figure 3

Registration phase in the proposed scheme.

(1)

T submits its identity ${I D}_{T}$ to R.

(2)

R generates T's private key $x_{T}$ and an initial timestamp $t_{I}$ . And it computes T's virtual identity ${VID}_{T}$ as follows: $\begin{matrix} {VID}_{T} = h ({I D}_{T} ∥ x_{T} ∥ t_{I}) . \end{matrix}$ (20) Due to the private key, the virtual identity hides the real identity perfectly. The registration server is supposed to use the virtual identity to verify the thing's real identity. The virtual identity is essential element to make the proposed scheme provide anonymity.

(3)

R stores T's secret information $[{I D}_{T}, {VID}_{T}, x_{T}, t_{I}]$ in its database secretly. It computes the hashing values $h (x_{T})$ of T's private key $x_{T}$ and $h (x_{R})$ of its private key $x_{R}$ . And it sends the secret information ${{I D}_{T}, {VID}_{T}, x_{T}, h (x_{T}), h (x_{R}), {I D}_{R}}$ to T.

(4)

T stores the secret information ${[I D}_{T}, {VID}_{T}, x_{T}, h (x_{T}), h (x_{R}), {I D}_{R}]$ safely.

3.2. Join Phase

Let us suppose T wants to join G's domain in order to take services from G. Then G tries to authenticate T through R to provide services. We define $K_{R G}$ as the common secret key shared between R and G in advance. T, G, and R perform the following authentication and key establishment steps. Figure 4 presents the join phase.

Figure 4

Join phase in the proposed scheme.

(1)

T generates a timestamp $t_{T}$ to compute the following shadow identity ${SID}_{T}$ using ${VID}_{T}$ and $h (x_{R})$ : $\begin{matrix} {SID}_{T} = {VID}_{T} \oplus h (h (x_{R}) ∥ t_{T}) . \end{matrix}$ (21)

The virtual identity already concealed the thing's real identity in the registration. In this step, the shadow identity hides the virtual identity again. While the shadow identity of Chang et al.'s scheme hides the real identity directly, our shadow identity contains the virtual identity instead of the real identity. It means the proposed scheme provides anonymity, even if the shadow identity is revealed.

(2)

T sends the join request message $m_{1} = {JoinReq ., {SID}_{T}, {I D}_{R}, t_{T}}$ to G, where the message header $JoinReq .$ means T requests R to authenticate G and to provide a common secret key for joining G.

(3)

After receiving $m_{1}$ , G checks $t_{T}$ and generates a timestamp $t_{G}$ . And it computes the hashing value $H_{1}$ using the preshared common secret $K_{R G}$ as follows: $\begin{matrix} H_{1} = h (K_{R G} ∥ {SID}_{T} ∥ t_{T} {∥ t}_{G}) . \end{matrix}$ (22)

And it sends the authentication request message $m_{2} = {AuthReq ., {SID}_{T}, {I D}_{G}, H_{1}, t_{T} {, t}_{G}}$ to R. The message header $AuthReq .$ indicates G requests R to authenticate T.

(4)

Upon receiving $m_{2}$ , R checks ${I D}_{G}$ to determine whether it is an ally or not and checks $t_{G}$ to verify the validity of time period. And it computes the following ${H_{1}}^{*}$ to check whether it is equal to $H_{1}$ : $\begin{matrix} {H_{1}}^{*} = h (K_{R G} ∥ {SID}_{T} ∥ t_{T} {∥ t}_{G}) . \end{matrix}$ (23)

If results are all valid, R generates a timestamp $t_{R}$ .

(5)

R computes ${VID}_{T}^{*}$ using received information and $h (x_{R})$ as follows: $\begin{matrix} {VID}_{T}^{*} = {SID}_{T} \oplus h (h (x_{R}) ∥ t_{T}) . \end{matrix}$ (24)

And it retrieves the secret information [ ${I D}_{T}, {VID}_{T}, x_{T}, t_{I}]$ from its database using ${V I D}_{T}^{*}$ as a keyword. If it is impossible to get ${VID}_{T}$ same as ${V I D}_{T}^{*}$ , then R rejects G's request for authentication and stops communication with G.

(6)

R computes T's new virtual identity ${V I D}_{T}^{'}$ as shown in (25) and stores it safely to substitute the existing virtual identity ${VID}_{T}$ : $\begin{matrix} {V I D}_{T}^{'} = h ({I D}_{T} ∥ x_{T} ∥ t_{R}) . \end{matrix}$ (25)

This step makes every virtual identity supposed to be used only once. In other words, it guarantees the freshness of all virtual identities and it finally provides unlinkability of the proposed scheme.

(7)

After the renewal of the virtual identity, R computes the common secret key supposed to be shared between G and T using T's private key $x_{T}$ . Also, it computes the verification values $V_{1}$ , $V_{2}$ , and $V_{3}$ for T and the verification value $V_{4}$ for G as follows: $\begin{matrix} K_{G T} = h (h (x_{T}) ∥ {I D}_{T} ∥ {I D}_{G} ∥ t_{T} ∥ t_{G}), \\ V_{1} = h (h (x_{T}) ∥ {{I D}_{G} ∥ t}_{T}), \\ V_{2} = h (K_{G T} ∥ {{I D}_{R} ∥ t}_{T}), \\ V_{3} = h ({V I D}_{T}^{'} ∥ {I D}_{R} ∥ t_{T}), \\ V_{4} = K_{G T} \oplus h (K_{R G} ∥ t_{G}) . \end{matrix}$ (26)

Since the common secret key $K_{G T}$ is derived from a secret hashing value $h (x_{T})$ and changing timestamps, the secrecy and the freshness of the common secret key are always guaranteed.

(8)

R computes the following hashing value $H_{2}$ and sends the message $m_{3} = {{I D}_{R}, V_{1}, V_{2}, V_{3}, V_{4}, H_{2}, t_{R}}$ to G: $\begin{matrix} H_{2} = h (K_{R G} ∥ V_{1} ∥ V_{2} ∥ V_{3} ∥ V_{4} ∥ t_{R}) . \end{matrix}$ (27)

(9)

After receiving $m_{3}$ , G checks $t_{R}$ and $H_{2}$ . If they are all valid, G computes the verification value $V_{5}$ after computing the common secret key $K_{G T}$ . And it sends the message $m_{4} = {{I D}_{G}, V_{1}, V_{2}, V_{3} {, V_{5}, t}_{G}, t_{R}}$ to T. $K_{G T}$ and $V_{5}$ are as shown in the following formulas: $\begin{matrix} K_{G T} = V_{4} \oplus h (K_{R G} ∥ t_{G}), \\ V_{5} = K_{G T} \oplus h (K_{G T} ∥ t_{T}) . \end{matrix}$ (28)

(10)

Upon receiving $m_{4}$ , T computes the following ${V_{1}}^{*}$ after checking $t_{G}$ : $\begin{matrix} {V_{1}}^{*} = h (h (x_{T}) ∥ {{I D}_{G} ∥ t}_{T}) . \end{matrix}$ (29)

The fact that ${V_{1}}^{*}$ is the same as $V_{1}$ implies that T recognizes the fact that R checked ${I D}_{G}$ .

(11)

T computes ${K_{G T}}^{*}$ and ${V_{2}}^{*}$ such that $\begin{matrix} {K_{G T}}^{*} = h (h (x_{T}) ∥ {I D}_{T} ∥ {I D}_{G} ∥ t_{T} ∥ t_{G}), \\ {V_{2}}^{*} = h ({K_{G T}}^{*} ∥ {{I D}_{R} ∥ t}_{T}), \end{matrix}$ (30)

to check the equivalence between ${V_{2}}^{*}$ and $V_{2}$ . The sameness of two values means that R trusted by T computes the common secret key which is supposed to be shared between G and T.

(12)

T computes the virtual identity ${V I D}_{T}^{'}$ and the verification value ${V_{3}}^{*}$ as follows: $\begin{matrix} {V I D}_{T}^{'} = h ({I D}_{T} ∥ x_{T} ∥ t_{R}), \\ {V_{3}}^{*} = h ({V I D}_{T}^{'} ∥ {I D}_{R} ∥ t_{T}) . \end{matrix}$ (31)

And it checks whether ${V_{3}}^{*}$ is equal to $V_{3}$ . The equality indicates R computes T's new virtual identity ${V I D}_{T}^{'}$ normally. And then T stores its new virtual identity ${V I D}_{T}^{'}$ securely. As a result, the virtual identity is renewed by replacing the existing ${VID}_{T}$ with the new ${V I D}_{T}^{'}$ .

(13)

T checks the equivalence between ${V_{5}}^{*}$ and $V_{5}$ after computing ${V_{5}}^{*}$ as shown in $\begin{matrix} {V_{5}}^{*} = {K_{G T}}^{*} \oplus h ({K_{G T}}^{*} ∥ t_{T}) . \end{matrix}$ (32)

The valid verification of ${V_{5}}^{*}$ implies that T and G share the common secret key successfully.

3.3. Communication Phase

The things located in G's domain authenticate each other and share session keys to communicate in a secure way. We assume that $T_{1}$ and $T_{2}$ already shared common secret keys called $K_{{G T}_{1}}$ and $K_{G T_{2}}$ , respectively, with G in the join phase. $T_{1}$ performs the following communication phase to share a session key with $T_{2}$ . The communication phase is presented in Figure 5.

Figure 5

Communication phase in the proposed scheme.

(1)

$T_{1}$ generates a timestamp $t_{T_{1}}$ and computes the new shadow identity ${S I D}_{T_{1}}^{'}$ as shown in $\begin{matrix} {S I D}_{T_{1}}^{'} = {VID}_{T_{1}} \oplus h (h (x_{R}) ∥ t_{T_{1}}) \end{matrix}$ (33)

to substitute the existing shadow identity ${SID}_{T_{1}}$ .

(2)

$T_{1}$ computes the verification value $V_{6}$ and the hashing value $H_{3}$ as follows: $\begin{matrix} V_{6} = {S I D}_{T_{1}}^{'} \oplus h (K_{{G T}_{1}} ∥ t_{T_{1}}), \\ H_{3} = h (K_{{G T}_{1}} ∥ {SID}_{T_{1}} ∥ V_{6} ∥ t_{T_{1}}) . \end{matrix}$ (34)

And it sends the communication request message $m_{5} = {CommReq ., {SID}_{T_{1}}, {I D}_{G}, V_{6}, H_{3}, t_{T_{1}}}$ to $T_{2}$ . The message header $CommReq .$ stands for $T_{1}$ 's request for communicating with $T_{2}$ .

(3)

Upon receiving $m_{5}$ , $T_{2}$ generates a timestamp $t_{T_{2}}$ after checking $t_{T_{1}}$ and computes its new shadow identity ${S I D}_{T_{2}}^{'}$ , the verification value $V_{7}$ , and the hashing value $H_{4}$ such that $\begin{matrix} {S I D}_{T_{2}}^{'} = {VID}_{T_{2}} \oplus h (h (x_{R}) ∥ t_{T_{2}}), \\ V_{7} = {S I D}_{T_{2}}^{'} \oplus h (K_{{G T}_{2}} ∥ t_{T_{2}}), \\ H_{4} = h (K_{{G T}_{2}} ∥ V_{6} ∥ V_{7} ∥ H_{3} ∥ {SID}_{T_{1}} ∥ {SID}_{T_{2}} ∥ t_{T_{1}} ∥ t_{T_{2}}) . \end{matrix}$ (35)

And it sends the authentication request message $m_{6} = {AuthReq ., {SID}_{T_{1}}, {SID}_{T_{2}}, V_{6}, V_{7}, H_{3}, H_{4}, t_{T_{1}}, t_{T_{2}}}$ to G. The message header $AuthReq .$ means that $T_{2}$ requests G to authenticate $T_{1}$ .

(4)

After receiving $m_{6}$ , G firstly checks $t_{T_{2}}$ , ${SID}_{T_{1}}$ , and ${SID}_{T_{2}}$ to confirm that $T_{1}$ and $T_{2}$ were authenticated by itself in the join phase. And then it checks that ${H_{3}}^{*}$ is equal to $H_{3}$ and ${H_{4}}^{*}$ is equal to $H_{4}$ after computing the following ${H_{3}}^{*}$ , ${H_{4}}^{*}$ : $\begin{matrix} {H_{3}}^{*} = h (K_{{G T}_{1}} ∥ {SID}_{T_{1}} ∥ V_{6} ∥ t_{T_{1}}), \\ {H_{4}}^{*} = h (K_{{G T}_{2}} ∥ V_{6} ∥ V_{7} ∥ H_{3} ∥ {SID}_{T_{1}} ∥ {SID}_{T_{2}} ∥ t_{T_{1}} ∥ t_{T_{2}}) . \end{matrix}$ (36)

(5)

If all the hashing values are verified successfully, G computes the new shadow identities of $T_{1}$ and $T_{2}$ using $V_{6}$ , $V_{7}$ , $K_{{G T}_{1}}$ , and $K_{{G T}_{2}}$ . The new shadow identities ${S I D}_{T_{1}}^{'}$ and ${S I D}_{T_{2}}^{'}$ are calculated from $\begin{matrix} {S I D}_{T_{1}}^{'} = V_{6} \oplus h (K_{{G T}_{1}} ∥ t_{T_{1}}), \\ {S I D}_{T_{2}}^{'} = V_{7} \oplus h (K_{{G T}_{2}} ∥ t_{T_{2}}) . \end{matrix}$ (37)

And it replaces the existing shadow identities ${SID}_{T_{1}}$ and ${SID}_{T_{2}}$ with ${S I D}_{T_{1}}^{'}$ and ${S I D}_{T_{2}}^{'}$ . It stores ${S I D}_{T_{1}}^{'}$ and ${S I D}_{T_{2}}^{'}$ securely in its database. According to this step, the freshness of all shadow identities is guaranteed. As a result, it preserves unlinkability of the proposed scheme.

(6)

G generates a timestamp $t_{G_{12}}$ and computes the session key $S K$ and the parameters $K_{1}$ and $K_{2}$ using $K_{{G T}_{1}}$ and $K_{{G T}_{2}}$ as follows: $\begin{matrix} S K = h (K_{{G T}_{1}} ∥ {K_{{G T}_{2}} ∥ SID}_{T_{1}} ∥ {SID}_{T_{2}} ∥ t_{T_{1}} ∥ t_{T_{2}}), \\ K_{1} = S K \oplus h (K_{{G T}_{1}} ∥ {SID}_{T_{2}} ∥ t_{T_{1}}), \\ K_{2} = S K \oplus h (K_{{G T}_{2}} ∥ {S I D}_{T_{1}} ∥ t_{T_{2}}) . \end{matrix}$ (38)

(7)

G computes the verification and the hashing values, such as $V_{8}$ , $V_{9}$ , $H_{5}$ , and $H_{6}$ as shown in $\begin{matrix} V_{8} = h (S K ∥ {I D}_{G} ∥ t_{T_{1}}), \\ V_{9} = h (S K ∥ {I D}_{G} ∥ t_{T_{2}}), \\ H_{5} = h (K_{{G T}_{1}} ∥ K_{1} ∥ V_{8} ∥ t_{G_{12}}), \\ H_{6} = h (K_{{G T}_{2}} ∥ K_{2} ∥ V_{9} ∥ t_{G_{12}}) . \end{matrix}$ (39)

And then it sends the messages $m_{7} = {{I D}_{G}, K_{2}, V_{9}, H_{6}, t_{G_{12}}}$ to $T_{2}$ and $m_{8} = \{{I D}_{G}, K_{1}, V_{8}, {H_{5}, t}_{G_{12}}\}$ to $T_{1}$ .

(8)

Upon receiving $m_{7}$ , $T_{2}$ checks $t_{G_{12}}$ and $H_{6}$ and computes the following session key ${S K}^{*}$ shared with $T_{1}$ using the common secret key $K_{{G T}_{2}}$ and the received $K_{2}$ : $\begin{matrix} {S K}^{*} = K_{2} \oplus h (K_{{G T}_{2}} ∥ {S I D}_{T_{1}} ∥ t_{T_{2}}) . \end{matrix}$ (40)

After that, it checks the equivalence between the computed ${V_{9}}^{*}$ and the received $V_{9}$ , where ${V_{9}}^{*}$ is calculated by the following equation: $\begin{matrix} {V_{9}}^{*} = h ({S K}^{*} ∥ {I D}_{G} ∥ t_{T_{2}}) . \end{matrix}$ (41)

If the result is valid, $T_{2}$ recognizes the fact that G computed the session key $S K$ .

(9)

Meanwhile, after receiving $m_{8}$ , $T_{1}$ also checks the validities of $t_{G_{12}}$ and $H_{5}$ at first. Then it computes the session key ${S K}^{*}$ using $K_{{G T}_{1}}$ and $K_{1}$ and the verification value ${V_{8}}^{*}$ using ${S K}^{*}$ as follows: $\begin{matrix} {S K}^{*} = K_{1} \oplus h ({S K}_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}), \\ {V_{8}}^{*} = h ({S K}^{*} ∥ {I D}_{G} ∥ t_{T_{1}}) . \end{matrix}$ (42)

$T_{1}$ confirms the sameness of ${V_{8}}^{*}$ and $V_{8}$ to check the session key $S K$ computed by G. Finally, $T_{1}$ shares the session key $S K$ with $T_{2}$ successfully.

4. Security Analysis

In this section, we prove the proposed scheme is secure against particular attacks. The assumptions are as follows: an adversary can eavesdrop any messages transmitted between T, G, and R and he/she can obtain a legitimate thing normally registered for R.

4.1. Anonymity

Our scheme provides anonymity against an adversary who acquires a valid thing.

4.1.1. Anonymity in Join Phase

An adversary can eavesdrop T's shadow identity ${S I D}_{T}$ and the timestamp $t_{T}$ from the message $m_{1}$ in the join phase. If the adversary obtains a valid thing $T^{'}$ registered for R, he/she can have a knowledge of the secret information $[{I D}_{T^{'}}, {VID}_{T^{'}}, x_{T^{'}}, h (x_{R}), {I D}_{R}]$ stored in $T^{'}$ . Thus, the adversary can get T's virtual identity ${VID}_{T}$ by computing ${VID}_{T} = {S I D}_{T} \oplus h (h (x_{R}) ∥ t_{T})$ using ${S I D}_{T}$ and $t_{T}$ from $m_{1}$ and $h (x_{R})$ from $T^{'}$ . To acquire T's real identity ${I D}_{T}$ from ${VID}_{T} (= h ({I D}_{T} ∥ x_{T} ∥ t_{I}))$ , the adversary guesses a candidate identity ${I D}_{T}^{'}$ firstly, and then he/she tries to check the equivalence between ${I D}_{T}^{'}$ and ${I D}_{T}$ . Since an identity is short and has a certain format, it is guessable. However, the adversary cannot check whether ${VID}_{T} = h ({I D}_{T}^{'} ∥ x_{T} ∥ t_{I})$ is satisfied or not without knowing T's private key $x_{T}$ and the timestamp $t_{I}$ . Therefore, it is impossible for the adversary to check whether the real identity is equal to the candidate identity or not.

4.1.2. Anonymity in Communication Phase

In the communication phase, an adversary can get $T_{1}$ 's shadow identity ${S I D}_{T_{1}}$ and its timestamp $t_{T_{1}}$ from the message $m_{5}$ or $m_{6}$ and $h (x_{R})$ from a legitimate thing $T^{'}$ . By using them, the adversary can gain $T_{1}$ 's virtual identity ${VID}_{T_{1}} (= {S I D}_{T_{1}} \oplus h (h (x_{R}) ∥ t_{T_{1}}))$ as he/she does in the join phase. Then the adversary tries to confirm whether ${VID}_{T_{1}} = h ({I D}_{T_{1}}^{'} ∥ x_{T_{1}} ∥ t_{I_{1}})$ is satisfied or not by guessing a candidate identity ${I D}_{T_{1}}^{'}$ . Unfortunately, the adversary cannot check the equivalence between the real identity and the candidate identity without knowing $x_{T_{1}}$ and $t_{I_{1}}$ . For that reason, the adversary gets no information related to $T_{1}$ 's identity.

4.2. Untraceability

The proposed scheme provides untraceability for a thing. Because all transmitting messages always include the unique shadow and virtual identities in the join and the communication phases, an adversary cannot know the fact that all messages are originated from the same thing.

4.2.1. Untraceability in Join Phase

If a common secret key shared between T and G is renewed periodically or T tries to join many different Gs, an adversary can collect all shadow identities from T's join request messages in every session by eavesdropping. Besides, the adversary who has a valid thing can obtain T's virtual identity ${VID}_{T}$ by computing ${VID}_{T} = {S I D}_{T} \oplus h (h (x_{R}) ∥ t_{T})$ because he/she can know ${S I D}_{T}$ , $h (x_{R})$ , and $t_{T}$ . Meanwhile, if the shadow identity or the virtual identity always has a same value in every session, the adversary can recognize that one thing sends the join request message repeatedly while he/she cannot know that thing's real identity. In other words, the adversary can trace the fact that a certain thing requests to join continuously. However, the whole shadow identities are all different, since they include a unique timestamp. And the registration server always issues the new virtual identity to renew the old one in every session. Therefore, the join request message sent by the thing includes the different shadow identity all the time. It means the proposed scheme guarantees untraceability for the thing.

4.2.2. Untraceability in Communication Phase

The shadow identity in the communication phase also includes a unique timestamp. And everything always computes the new shadow identity and sends it to the gateway when they request to communicate. The gateway stores this new shadow identity to use it in the next session only if it checks that the old shadow identity is valid. Thus, shadow identities in every session have a uniqueness. Due to this, an adversary cannot trace the action of the thing in the communication phase.

4.3. Replay Attacks

Although an adversary resends past transmitting messages after collecting them in a certain session, participants involved in the join and the communication phases can detect a retransmission and stop to communicate with each other.

4.3.1. Replay Attacks in Join Phase

In the join phase, an adversary can gather the messages $m_{1}$ , $m_{2}$ , $m_{3}$ , and $m_{4}$ between T, G, and R. When the adversary resends the old message $m_{1} = {JoinReq ., {S I D}_{T}, {I D}_{R}, t_{T}}$ to G, G checks a time interval between a current time and $t_{T}$ . And it rejects the join request if the time interval exceeds a predefined value. In addition, R can also recognize the old message $m_{2} = {AuthReq ., {S I D}_{T}, {I D}_{G}, H_{1}, t_{T} {, t}_{G}}$ sent by the adversary by checking the time period between a current time and $t_{G}$ . In this case, R absolutely breaks a connection.

4.3.2. Replay Attacks in Communication Phase

An adversary who collects the messages $m_{5}$ , $m_{6}$ , $m_{7}$ , and $m_{8}$ in the communication phase sends $m_{5}$ to $T_{2}$ and $m_{6}$ to G. After receiving the message, $T_{2}$ and G can know whether the message is resent or not by checking a timestamp and a current time. As a result, resending old messages is always detectable.

4.4. Forgery Attacks

In our scheme, an adversary cannot forge messages to perform the valid join and communication phases.

4.4.1. Forgery Attacks in Join Phase

When the message $m_{1}^{'} = {JoinReq ., {S I D}_{T}^{'}, {I D}_{R}, t_{T}}$ forged from $m_{1}$ by an adversary is sent to G in the join phase, G makes $m_{2}^{'} = {AuthReq ., {S I D}_{T}^{'}, {I D}_{G}, H_{1}^{'}, t_{T} {, t}_{G}}$ and sends it to R. Then R computes ${V I D}_{T}^{*} = {S I D}_{T}^{'} \oplus h (h (x_{R}) ∥ t_{T})$ using $h (x_{R})$ that is the hashing value of its private key $x_{R}$ and tries to search T's secret information using ${V I D}_{T}^{*}$ as a keyword. Since there is no matched virtual identity in R's database, R stops to communicate with G after recognizing that $m_{2}^{'}$ is originated from the forged message.

4.4.2. Forgery Attacks in Communication Phase

An adversary sends the message $m_{5}^{'} = {CommReq ., {S I D}_{T_{1}}^{'}, {I D}_{G}, V_{6}^{'}, H_{3}^{'}, t_{T_{1}}}$ to $T_{2}$ after forging $T_{1}$ 's message $m_{5}$ in the communication phase. Upon receiving $m_{5}^{'}$ , $T_{2}$ sends $m_{6}^{'} = {AuthReq ., {S I D}_{T_{1}}^{'}, {S I D}_{T_{2}}, V_{6}^{'}, V_{7}, H_{3}^{'}, H_{4}, t_{T_{1}}, t_{T_{2}}}$ to G. Then G can easily know that no shadow identity equals to ${S I D}_{T_{1}}^{'}$ in its database. Finally, G rejects $T_{2}$ 's request.

4.5. Impersonation Attacks

The proposed scheme is secure against attacks that an adversary who obtains a shadow identity of the thing impersonates that thing.

4.5.1. Impersonation Attacks in Join Phase

An adversary who tries to impersonate the valid thing T easily obtains T's shadow identity ${S I D}_{T}$ from the message $m_{1}$ in the join phase. The adversary makes the message $m_{1}^{'} = {JoinReq ., {S I D}_{T}, {I D}_{R}, t_{T}^{'}}$ using the obtained ${S I D}_{T}$ and a timestamp $t_{T}^{'}$ generated by him/her in a new session. And he/she sends $m_{1}^{'}$ to G. After receiving $m_{1}^{'}$ , G decides $m_{1}^{'}$ is a valid request message because $t_{T}^{'}$ and $H_{1}^{'}$ are verified successfully. And then G sends the message $m_{2}^{'} = {AuthReq ., {S I D}_{T}, {I D}_{G}, H_{1}^{'}, t_{T}^{'}, t_{G}^{'}}$ to R. Checking $t_{G}^{'}$ , ${I D}_{G}$ , and $H_{1}^{'}$ by R is also successful. R computes ${VID}_{T}^{*}$ from the received ${S I D}_{T}$ by computing the equation ${VID}_{T}^{*} = {S I D}_{T} \oplus h (h (x_{R}) ∥ t_{T}^{'}) = {VID}_{T} \oplus h (h (x_{R}) ∥ t_{T}) \oplus h (h (x_{R}) ∥ t_{T}^{'})$ . There is no equivalent virtual identity to ${VID}_{T}^{*}$ in its database. Surely, R recognizes it is an abnormal case and rejects G's request.

4.5.2. Impersonation Attacks in Communication Phase

An adversary gets ${S I D}_{T_{1}}$ from $m_{5}$ in the communication phase. To impersonate $T_{1}$ , the adversary generates a new timestamp $t_{t_{1}}^{'}$ , makes the message $m_{5}^{'} = {CommReq ., {S I D}_{T_{1}}, {I D}_{G}, V_{6}^{'}, H_{3}^{'}, t_{T_{1}}^{'}}$ , and sends $m_{5}^{'}$ to $T_{2}$ in a new session. Here, the adversary cannot compute the valid $V_{6}^{'}$ and $H_{3}^{'}$ because he/she does not know $T_{1}$ 's common secret key $K_{{G T}_{1}}$ . After receiving $m_{5}^{'}$ , $T_{2}$ makes the message $m_{6}^{'} = {AuthReq ., {S I D}_{T_{1}}, {S I D}_{T_{2}}, V_{6}^{'}, V_{7}^{'}, H_{3}^{'}, H_{4}^{'}, t_{T_{1}}^{'}, t_{T_{2}}^{'}}$ and sends it to G. G verifies that all $t_{t_{2}}^{'}$ , ${S I D}_{T_{1}}$ , ${S I D}_{T_{2}}$ , and $H_{4}^{'}$ are valid but it detects that ${H_{3}^{'}}^{*} (= h (K_{{G T}_{1}} ∥ {S I D}_{T_{1}} ∥ V_{6}^{'} ∥ t_{T_{1}}^{'}))$ and the received $H_{3}^{'}$ are not equal. As a result, G recognizes $T_{1}$ is an invalid thing and refuses $T_{2}$ 's request.

4.6. Known Session Key Attacks

Disclosure of a common secret key in the join phase or a session key in the communication phase does not affect revelations about the thing's identity, other common secret keys, and other session keys.

4.6.1. Known Session Key Attacks in Join Phase

A common secret key shared between T and G is computed using a timestamp in the join phase. Because a timestamp always has a different value, every common secret key is unique. Although an adversary knows $K_{G T} (= h (h (x_{T}) ∥ {I D}_{T} ∥ {I D}_{G} ∥ t_{T} ∥ t_{G}))$ , he/she cannot obtain the thing's identity and the common secret key in other sessions. The reasons are as follows. Firstly, the adversary still cannot get thing's identity ${I D}_{T}$ from $K_{G T}$ without knowing T's secret information $h (x_{T})$ . Moreover, let us suppose the adversary tries to get other common secret keys $K_{G T}^{'}$ in the next session after computing $h (K_{R G} ∥ t_{G}) = V_{4} \oplus K_{G T}$ using $V_{4}$ and $K_{G T}$ . In that next session, the adversary eavesdrops $V_{4}^{'} (= K_{G T}^{'} \oplus h (K_{R G} ∥ t_{G}^{'}))$ and computes $K_{G T}^{'} \oplus h (K_{R G} ∥ t_{G}^{'}) \oplus h (K_{R G} ∥ t_{G}) = V_{4}^{'} \oplus h (K_{R G} ∥ t_{G})$ using $V_{4}^{'}$ and $h (K_{R G} ∥ t_{G})$ . Due to the difference of $t_{G}$ and $t_{G}^{'}$ , $h (K_{R G} ∥ t_{G}^{'}) \oplus h (K_{R G} ∥ t_{G})$ is not eliminated in the above equation and the adversary cannot get $K_{G T}^{'}$ . As a result, it is impossible to calculate the new session key even though the former is revealed.

4.6.2. Known Session Key Attacks in Communication Phase

All session keys in the communication phase are independent since all of them include their own unique timestamps. If the session key $S K$ shared between $T_{1}$ and $T_{2}$ is revealed to an adversary in a certain session, he/she can compute $h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}) = K_{1} \oplus S K$ using $K_{1}$ and the revealed $S K$ . In the next session, the adversary eavesdrops $K_{1}^{'} (= {S K}^{'} \oplus h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}^{'}))$ and tries to compute ${S K}^{'} \oplus h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}^{'}) \oplus h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}) = K_{1}^{'} \oplus h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}})$ using $K_{1}^{'}$ and $(K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}})$ . Since $t_{T_{1}}$ is not equal to $t_{T_{1}}^{'}$ , $h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}}^{'})$ and $h (K_{{G T}_{1}} ∥ {S I D}_{T_{2}} ∥ t_{T_{1}})$ are not erased. Therefore, there is no way to obtain the new session key ${S K}^{'}$ from the old session key $S K$ .

5. Performance Analysis

This section partially compares the performance of our scheme with those of Chang et al.'s and Lee's [22] schemes. Since the environment, the component, and the composition of ours and others' are all different, we firstly select similar factors in all schemes and evaluate them. Table 3 shows the performance comparison results. In Table 3, Hash denotes a hash operation, XOR denotes an exclusive-OR operation, and rounds denote communication rounds. We evaluate the number of hash and exclusive-OR operations. We compare the join phase of our scheme and the authentication and session key establishment phases of other schemes, because each phase has similar purpose and procedure. In addition, we only focus on the operations on the part of the limited computing power devices, such as a thing and a mobile user. Since the performance of the whole scheme depends on the capability of those devices, we do not compare the whole operations.

Table 3

Performance comparisons.

Scheme	Ours	Chang et al.'s	Lee's
Join phase
Hash	7	7	7
XOR	2	5	2
Rounds	4	8	7
Communication phase
Hash	5	N/A	N/A
XOR	3	N/A	N/A
Rounds	3	N/A	N/A

As Table 3 shows, our scheme requires less or the same exclusive-OR operations in the join phase. Namely, the computation complexity of ours is a little better than others'. Our communication rounds in the join phase are reduced by half in comparison with Chang et al.'s and less than that in Lee's. Considering the wireless environments, reducing the communication cost is meaningful. Meanwhile, there is no corresponding phases of Chang et al.'s and Lee's schemes to the communication phase of our scheme. So we only show the number of operations and communication rounds of our scheme in Table 3. Definitely, hash operations and communication rounds in the communication phase are less than those in the join phase. The thing accomplishes the communication phase more often than the join phase, so the less number of operations and communication rounds in the communication phase is remarkable. As a result, our scheme provides advantages of the communication complexity as well as the computation complexity.

6. Conclusions

In this paper, we propose a novel anonymous authentication scheme that ensures the things in IoT environments can communicate with one another safely. The proposed scheme uses the virtual identity of the thing to make it be anonymized and authenticated at the same time. To provide untraceability, we keep the uniqueness of all shadow and virtual identities. Namely, duplicated shadow and virtual identities are never used in every session through the renewal process. Even if the valid virtual identity issued by the registration server is revealed, an adversary cannot obtain the real identity from that virtual identity. It is impossible for an adversary to perform replay, forgery, and impersonation attacks. Moreover, he/she cannot know the valid common secret key shared between the registration server, the gateway, and the thing, even though a specific common secret key is exposed. The valid session key shared between two things is also safe when a particular session key is disclosed to an adversary. We only use low cost functions, such as hash functions and exclusive-OR operations in consideration of fast computation and low energy consumption of the thing. In conclusion, our scheme is suitable for IoT environments as a secure and efficient authentication mechanism.

Footnotes

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgment

This work was supported by Institute for Information & communications Technology Promotion (IITP) Grant funded by the Korea government (MSIP) (no. R0126-15-1111,The Development of Risk-based Authentication·Access Control Platform and Compliance Technique for Cloud Security).

References

Zhang

Z.-K.

Cho

M. C. Y.

Wang

C.-W.

Hsu

C.-W.

Chen

C.-K.

Shieh

IoT security: ongoing challenges and research opportunities

Proceedings of the 7th IEEE International Conference on Service-Oriented Computing and Applications (SOCA '14)

November 2014

Matsue, Japan

IEEE

230 234

10.1109/soca.2014.58

2-s2.0-84920514918

Liu

Xiao

Chen

C. P.

Authentication and access control in the Internet of things

Proceedings of the 32nd IEEE International Conference on Distributed Computing Systems Workshops (ICDCSW '12)

June 2012

Macau, China

IEEE

588 592

10.1109/icdcsw.2012.23

2-s2.0-84866349735

Alcaide

Palomar

Montero-Castillo

Ribagorda

Anonymous authentication for privacy-preserving IoT target-driven applications

Computers & Security 2013 37 111 123

10.1016/j.cose.2013.05.007

2-s2.0-84879815746

Ndibanje

Lee

H. J.

Lee

S. G.

Security analysis and improvements of authentication and access control in the Internet of things

Sensors 2014 14 8 14786 14805

10.3390/s140814786

Zhu

Wang

R.-C.

Malekian

Lin

Q.-M.

An efficient authentication and access control scheme for perception layer of internet of things

Applied Mathematics and Information Sciences 2014 8 4 1617 1624

10.12785/amis/080416

2-s2.0-84894059526

Lin

X.-J.

Sun

Insecurity of an anonymous authentication for privacy-preserving IoT target-driven applications

Computers & Security 2015 48 142 149

10.1016/j.cose.2014.08.002

2-s2.0-84915804332

Zhu

A new authentication scheme with anonymity for wireless environments

IEEE Transactions on Consumer Electronics 2004 50 1 231 235

10.1109/tce.2004.1277867

2-s2.0-1942487780

Lin

C. H.

Lee

C. Y.

Cryptanalysis of a new authentication scheme with anonymity for wireless environments

Proceedings of the 2nd International Conference on Advances in Mobile Multimedia

2004

399 402

Lee

C.-C.

Hwang

M.-S.

Liao

I.-E.

Security enhancement on a new authentication scheme with anonymity for wireless environments

IEEE Transactions on Industrial Electronics 2006 53 5 1683 1687

10.1109/tie.2006.881998

2-s2.0-33750133438

10.

C.-C.

Lee

W.-B.

Tsaur

W.-J.

A secure authentication scheme with anonymity for wireless communications

IEEE Communications Letters 2008 12 10 722 723

10.1109/lcomm.2008.080283

2-s2.0-54949140749

11.

Lee

J.-S.

Chang

J. H.

Lee

D. H.

Security flaw of authentication scheme with anonymity for wireless communications

IEEE Communications Letters 2009 13 5 292 293

10.1109/lcomm.2009.090074

2-s2.0-67649184080

12.

Chang

C.-C.

Lee

C.-Y.

Lee

W.-B.

Cryptanalysis and improvement of a secure authentication scheme with anonymity for wireless communications

Proceedings of the 5th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP '09)

September 2009

Kyoto, Japan

IEEE

902 904

10.1109/iih-msp.2009.172

2-s2.0-73649108883

13.

Feng

Security flaws in authentication protocols with anonymity for wireless environments

ETRI Journal 2009 31 4 460 462

10.4218/etrij.09.0209.0026

2-s2.0-68949149518

14.

Jeon

Kim

Nam

Lee

Won

An enhanced secure authentication scheme with anonymity for wireless environments

IEICE Transactions on Communications 2012 95 7 2505 2508

10.1587/transcom.e95.b.2505

2-s2.0-84863463143

15.

Chang

C.-C.

Lee

C.-Y.

Chiu

Y.-C.

Enhanced authentication scheme with anonymity for roaming service in global mobility networks

Computer Communications 2009 32 4 611 618

10.1016/j.comcom.2008.11.032

2-s2.0-59649101587

16.

Youn

T.-Y.

Park

Y.-H.

Lim

Weaknesses in an anonymous authentication scheme for roaming service in global mobility networks

IEEE Communications Letters 2009 13 7 471 473

10.1109/lcomm.2009.090488

2-s2.0-68349157387

17.

Zhou

Provable secure authentication protocol with anonymity for roaming service in global mobility networks

Computer Networks 2011 55 1 205 213

10.1016/j.comnet.2010.08.008

2-s2.0-78651364381

18.

Chen

Chan

Gao

Fan

Lightweight and provably secure user authentication with anonymity for the global mobility network

International Journal of Communication Systems 2011 24 3 347 362

10.1002/dac.1158

2-s2.0-79952059658

19.

Mun

Han

Lee

Y. S.

Yeun

C. Y.

Choi

H. H.

Enhanced secure anonymous authentication scheme for roaming service in global mobility networks

Mathematical and Computer Modelling 2012 55 1-2 214 222

10.1016/j.mcm.2011.04.036

MR2865109

2-s2.0-82755161699

20.

Kun

Anna

Fei

Lee

D. H.

Anonymous authentication with unlinkability for wireless environments

IEICE Electronics Express 2011 8 8 536 541

10.1587/elex.8.536

2-s2.0-79955450537

21.

Tsai

J.-L.

N.-W.

T.-C.

Secure anonymous authentication protocol with unlinkability for mobile wireless environment

Proceedings of the International Conference on Anti-Counterfeiting, Security and Identification (ASID '12)

August 2012

Taipei, Taiwan

IEEE

1 5

10.1109/icasid.2012.6325334

2-s2.0-84870602974

22.

Lee

T.-F.

User authentication scheme with anonymity, unlinkability and untrackability for global mobility networks

Security and Communication Networks 2013 6 11 1404 1413

10.1002/sec.734

2-s2.0-84886296019

Anonymous Authentication Scheme for Intercommunication in the Internet of Things Environments

Abstract

1. Introduction

2. Related Works

2.1. Chang et al.'s Scheme

2.1.1. Registration Phase

2.1.2. Authentication Phase

2.1.3. Session Key Establishment Phase

2.2. Youn et al.'s Analysis

2.2.1. Anonymity against Passive Adversaries

2.2.2. Anonymity against Malicious Mobile User

2.2.3. Security against Known Session Key Attacks

2.2.4. Security against Side Channel Attacks

3. Proposed Scheme

3.1. Registration Phase

3.2. Join Phase

3.3. Communication Phase

4. Security Analysis

4.1. Anonymity

4.1.1. Anonymity in Join Phase

4.1.2. Anonymity in Communication Phase

4.2. Untraceability

4.2.1. Untraceability in Join Phase

4.2.2. Untraceability in Communication Phase

4.3. Replay Attacks

4.3.1. Replay Attacks in Join Phase

4.3.2. Replay Attacks in Communication Phase

4.4. Forgery Attacks

4.4.1. Forgery Attacks in Join Phase

4.4.2. Forgery Attacks in Communication Phase

4.5. Impersonation Attacks

4.5.1. Impersonation Attacks in Join Phase

4.5.2. Impersonation Attacks in Communication Phase

4.6. Known Session Key Attacks

4.6.1. Known Session Key Attacks in Join Phase

4.6.2. Known Session Key Attacks in Communication Phase

5. Performance Analysis

6. Conclusions

Footnotes

Conflict of Interests

Acknowledgment

References