Sage Journals: Discover world-class research

Abstract

Home-based multi-sensor Internet of Things, as a typical application of Internet of Things, interconnects a variety of intelligent sensor devices and appliances to provide intelligent services to individuals in a ubiquitous way. As families become more and more intelligent, complex, and technology-dependent, there is less and less need for human intervention. Recently, many security attacks have shown that Internet home-based Internet of Things have become a vulnerable target, leading to personal privacy problems. For example, eavesdroppers can acquire the identity of specific devices or sensors through public channels, which is not secure, to infer individual public life in the home area network. Authentication is the essential portion of many secure systems processing of verifying and declaring identity. Before providing confidential information, home-based-Internet of Things service authenticates users and devices. The communication and processing capabilities of intelligent devices are limited. Therefore, in home-based Internet of Things, lightweight authentication and key agreement technology are very important to resist known attacks. This article proposes an anonymous authenticated key agreement protocol using pairing-based cryptography. The protocol proposed in this article provides lightweight computation and ensures the security of communication between home-based multi-sensor Internet of Things network and Internet network.

Keywords

Multi-sensor Internet of Things home-based Internet of Things anonymous authentication key agreement

Introduction

As an important application of Internet of Things (IoT), home-based IoT is the technology and concept of monitoring and managing household appliances through intelligent, coordinated network and technology. In general, home-based IoT is composed of numbers of heterogeneous intelligent devices, such as cameras, actuators, and smart appliances. This development leads people’s lives into a new era of science and technology. All household appliances became controllable through the Internet, so that people can enjoy the services brought about by the development of IoT, like home temperature control, energy management, telemedicine, remote devices control, and other similar services.¹ In addition, with the continuous development of consumer IoT, the number of intelligent systems will be greatly increased. As a result, individuals will increasingly rely on intelligent systems.

However, the internal network of the intelligent home area includes many differences in wireless network communication technologies. For example, Z-Wave and ZigBee² are the most commonly used low-power wireless communication technologies. As a multi-network convergence technology, many intelligent devices or sensors in the home area network (HAN) are always connected to the Internet using wireless communication. However, considering the insecurity of the Internet, connecting intelligent devices or sensors through the Internet will make a device vulnerable to malicious attacks. If the network of connecting intelligent devices (such as cameras and smart appliances) in HAN is inadequate, users of home-based IoT will face a more extensive security threat, including identity theft and device forgery. Because the information in home-based IoT environment is directly related to the user’s safety and vital interests, the security of information in the home-based IoT field is very demanding. However, home-based IoT products contain many security issues, so how to ensure the security of home-based IoT devices and services in the insecure environment of IoT is an urgent problem to solve. In addition, fine-grained data generated by sensor devices (SDs) and transmitted through unsafe wireless channels in HAN will raise two major security issues: (1) how to authenticate SDs in HAN in an unrecognizable situation (i.e. anonymity), and (2) how to access SDs through public networks without distinguishing home-based IoT devices.

To solve the above problems, using secure and efficient anonymous authentication, key exchange protocol is the best solution. The key point of designing anonymous authentication communication protocol for home-based IoT environment is to provide mutual authentication and key agreement for preventing illegal users from stealing information from HAN. Also, to ensure the efficiency and safety of the authentication method, the security scheme needs to satisfy the following conditions: (1) anonymity: hiding the identity of devices or sensors and activities of collecting data to prevent unauthorized tracking—even if malicious devices exist, they should not be able to reveal the identity and relationship of the devices communicating in the HAN; (2) low consumption: the processing and communicating ability of battery-powered SDs is often seriously limited by low resources—therefore, communication and computing efficiency should be considered in the scheme; and (3) security: the protocol should be able to withstand possible attacks (e.g. replay attacks, simulated attacks) for application in real home environments.

Related work

Information encryption is an important solution to security problems. The transmission process of information in an unsafe open network has always attracted the attention of researchers. Authentication and key agreement are effective solutions to this problem. It allows identity authentication among communication agents and establishes communication keys to encrypt communication information. Usually, user identity, password, and portable devices that store user information published by trusted servers are key elements for authentication. Therefore, there are many researchers focusing on designing anonymous authentication key agreement schemes for a wireless network environment with lightweight.

In 2011, Vaidya et al.³ proposed an authentication scheme using an implicit certificate for home-based IoT area network. In their paper, the implicit certificate as a public key for each device is made by the certification authority. After running the authentication step, the scheme established a session key between two related entities where the identity of the device is transmitted as plain text. They claim that their scheme is effective, but the security analysis of the scheme does not provide detailed information. Later, Chakravorty et al.⁴ proposed a framework for maintaining the security and privacy for smart homes. However, they paid attention to data security rather than device anonymity. Another data access control scheme for home-based IoT is proposed by Ryu et al.⁵ Their scheme authenticated all devices which had registered to the server and provided safe access control of the data. Moreover, many traditional authentication protocols^6–9 are proposed with two- or three-factor authentication. However, these authentication schemes used password and/or biological features to ensure the security of the schemes. The difference between these protocols^6–9 and protocols for home-based IoT is that those authentication schemes for home-based IoT need to be automatically run by the devices in HAN.

Hoang et al. proposed an anonymous communication method based on the Onion Router (Tor) to protect intelligent appliances.¹⁰ In their method, users use Tor to run as an anonymous browser where those surfing activities are run anonymously, but authentication is not performed. In addition, the public key encryption technology used in their scheme is too computational extensive for devices with limited resources. In the same year, Santoso et al. proposed a strong security authentication system using Elliptic Curve Cryptography (ECC).¹¹ Because pre-shared secret keys are utilized, their scheme did not need public key infrastructure. When the identity authentication is completed, both parties can create a shared key for the subsequent symmetric encryption. Kumar et al.¹² claimed that their session key establishment scheme for home-based IoT with authentication token was efficient and could withstand number of popular attacks such as the denial of service and eavesdropping attacks. However, the security of their scheme mainly relied on the secret keys stored by the devices, and their scheme did not consider anonymity and non-linkability.

Lu et al.¹³ and Jung et al.¹⁴ proposed anonymous authentication protocols for wireless sensor network (WSN) user, respectively. At that time, Xiong et al. found that the schemes of Lu et al.¹³ and Jung et al.¹⁴ are vulnerable to smart card loss attacks and cannot provide perfect forward security and unrealistic gateway node (GWN) search operation.¹⁵ An improved scheme was proposed. Wang et al.¹⁶ summarized the advantages and disadvantages of eight basic wireless sensor system architectures, attacker models, and 12 evaluation criteria for evaluating the security of wireless sensor systems. In addition, Wang et al. analyzed the authentication protocol proposed by Wu et al.¹⁷ and Srinivas and Mukhopadhyay,¹⁸ and found that they had the following security problems: they could not resist smart card loss attacks—user counterfeiting attacks, could not achieve user anonymity, and could not detect the wrong password in time.

Scott proposed an authenticated ID-based key exchange and remote log-in scheme with two factors.¹⁹ In his scheme, a special pairing is used to reduce computation. Such a scheme is open to the next active insider attack. Similarly, Yu et al.²⁰ published a remote registration scheme for mobile networks, also with the special pairing, but in their scheme, the key agreement protocol is not considered.

Our contribution

The contributions of this article are as follows:

An anonymous authentication key agreement scheme based on pairing-based cryptography is proposed in which we guarantee the efficiency and security for home-based IoT area networks.

The security analysis of our protocol is discussed using a logic proposed by Burrows, Abadi and Needham (BAN logic). In addition, the performance analysis of the scheme is given.

Organization of the article

In this part, the organization of this article is shown as follows. The “Preliminaries” section presents the preliminaries of this article. The “Proposed key agreement protocol” section introduces the proposed anonymous authentication key agreement. Discussions are provided in the “Security and performance analysis” section. Finally, the “Conclusion” section concludes this article.

Preliminaries

Notations

The network mode for home-based IoT is shown in Figure 1. This mode includes three types of participants, that is, the home server (HS), SDs, and external user (U). The HS is rich in resources like a PC or a server station working in the HAN. The SDs are resource-constrained devices placed at home. The external users are those with mobile phones who want to access HAN from the Internet. For convenience, some notations used in this article are described in Table 1.

Figure 1.

A network model for home-based IoT network.

Table 1.

Notations.

Symbol	Description
$A_{u}$	ID of the users
$A_{SD}$	ID of the smart devices in HAN
$A_{HS}$	ID of the home server in HAN
$T_{i}$	Timestamps for authentication phase
$Δ T$	Legal delay time interval
$H (\cdot)$	One-way hash function
⊕	XOR operation
\|\|	Concatenation operation
$SK$	Session key established in the protocol

HAN: home area network.

BAN logic

BAN logic is a logic to analyze the security of authentication protocols. This logic uses the protocol’s initial assumptions and inference rules to infer other facts in order to achieve authentication goals. The basic notation for BAN logic is shown in Table 2.

Table 2.

The basic notation for BAN logic.

Notation	Description
$A \| \equiv S$	A believes the statement S
$A ◃ S$	A sees the statement S
$A \| ~ S$	A once said S
$A \| \Rightarrow S$	A has jurisdiction over S
$# (S)$	S is a fresh statement
$A \overset{k}{\leftrightarrow} B$	k is a shared secret key between A and B
${S}_{K}$	S is encrypted with key K
$(S)_{K}$	S is hashed with key K
$(S, Y)$	S or Y is one part of the formula $(S, Y)$
$\overset{k}{\to} P$	k is P’s public key
$A \overset{X}{⇄} B$	Formula X is a secret known only to both A and B
$S_{X}$	This represents S combined with formula X;it is intended that X to be a secret and thepresence of X authenticates whoever utters $S_{X}$

The logic rules used in this security verification are as follows.

1. Message-meaning rule

For public keys

$\frac{A ◃ {S}_{K}, A | \equiv \overset{K}{\to} B}{A | \equiv B | ~ S}$ (1)

For shared keys

$\frac{A ◃ {S}_{K}, A | \equiv A \overset{K}{\leftrightarrow} B}{A | \equiv B | ~ S}$ (2)

For shared secrets

$\frac{A ◃ S_{X}, A | \equiv A ⇌ B}{A | \equiv B | ~ S}$ (3)

2. Nonce-verification rule

$\frac{A | \equiv # (S), A | \equiv B | ~ S}{A | \equiv B | \equiv S}$ (4)

3. Jurisdiction rule

$\frac{A | \equiv B | \Rightarrow S, A | \equiv B | \equiv S}{A \equiv S}$ (5)

4. Session key rule

$\frac{A | \equiv # (K), A | \equiv B | \equiv S}{A | \equiv A \overset{K}{\leftrightarrow} B}$ (6)

Bilinear maps

A type-3 pairing is a mapping $G_{1} \times G_{2} \to G_{T}$ , where $G_{1}$ , $G_{2}$ , and $G_{T}$ are within the same prime order working on a special pairing friendly elliptic curve.¹⁹ This pairing has the following useful properties:

$e (aP, bQ) = e (P, Q)^{ab}$ for all $a, b \in F_{r}$ (bilinearity),

$e (P, Q) = 1$ , where $P$ and $Q$ are generators of $G_{1}$ and $G_{2}$ , respectively, and $1$ is a unitary element on $G_{T}$ .

Proposed key agreement protocol

This section puts forward a new anonymous authentication key agreement scheme for home-based IoT based on pairing-based cryptography. Our scheme consists of three steps: initialization step, anonymous registration step, and anonymous authentication key agreement step. The initialization step is performed by the HS. The anonymous registration step is performed by all SDs and legal users for obtention private keys. Finally, anonymous authentication key agreement step is run for generating session key by all the participants.

Initialization setup

The HS needs to initialize some parameters for the whole system, including public parameters and secret parameters. First, the server will randomly produce a master secret $s$ from $F_{q}$ . Moreover, the server keeps the master secret itself. Then, a user’s private key could be computed as the form $s H_{ID} (ID)$ , where $ID$ is the identity of user or smart device and $H_{ID} (\cdot)$ is a hash function which maps to a point on $G_{1}$ . Here we assume that the hash function is modeled as a random oracle $H (ID) = r_{ID} P_{1}$ , where $r_{ID} \in F_{q}$ is a hash value generated by the ID and $P_{1}$ is a generator of $G_{1}$ . The server will be issued with $P_{Pub} = s P_{2}$ , where $P_{2}$ is a generator of $G_{2}$ .

Registration

In this part, legal users and smart devices could communicate with the HS to get their private key. So, all the legal users and smart devices can store the tokens in mobiles or devices without fear of private key leakage. Generally, it is assumed that the registration can be performed through a secure channel to get the private key. But sometimes there may be no conditions to establish such a secure channel. In order to make the scheme universal, we refer to the design of registered communication scheme through public network. For a new user or device to register with the server, they must prove the ID and some temporary parameters. In return, the user or device is supplied with the private key as shown in Figures 2 and 3.

Figure 2.

User registration algorithm.

Figure 3.

The smart device registration algorithm.

For a mobile user:

The user picks a random number $x_{U}, r_{U} \in Z_{q}^{*}$ , and computes $U_{U} = x_{U} P_{Pub}$ and $A_{I D_{U}} = r_{U} A_{U}$ in which $A_{U} = H_{ID} (I D_{U}) \in G_{1}$ . Then, the user sends the messages $A_{I D_{U}}$ and $U_{U}$ to the HS. Here the user need not wait for the answer of the server. He or she could get a session key by computing $K = H_{k} (G_{U} | | A_{I D_{U}})$ , where $G_{U}$ is obtained from $G_{U} = e (x_{U} A_{I D_{U}}, P_{Pub})$ .

The HS gets the $A_{U}$ and $U_{U}$ of a user. Then, the server could compute private key for the user with the following steps:

The server computes the private key with a master key for the user as $s A_{I D_{U}}$ ;

To ensure safe transfer of the private key to the user, the server needs to compute a session key to encrypt the private key. First, compute $V_{U} = s^{- 1} U_{U}$ and $G = e (s A_{I D_{U}}, V_{U})$ . After that, the server computes session key as $K = H (G_{U} | | A_{I D_{U}})$ . Now encrypt the private key using symmetric cryptographic, like advanced encryption standard (AES).

Getting the cipher from the server, the user could decrypt the information and obtain the message $s A_{I D_{U}}$ . Then, the user saves the private key $PI V_{U} = r_{U}^{- 1} s A_{I D_{U}} = s A_{U}$ . To resist impersonation attacks, we employ PIN to hide private keys in order to authenticate user identities, as shown in Yu et al.’s²⁰ scheme. So, user saves the token $TOK = PI V_{U} + H_{ID} (PIN)$ in the smart phone.

For a smart device:

Same as the phase of the user registration, smart device chooses a random number $x_{SD}, r_{SD} \in Z_{q}^{*}$ , and computes $U_{SD} = x_{SD} P_{Pub}$ and $A_{SD} = r_{SD} A_{I D_{SD}}$ in which $A_{I D_{SD}} = H_{ID} (I D_{SD}) \in G_{1}$ . Then, the device sends the message $A_{SD}$ and $U_{SD}$ to the HS. Here, the device need not wait for the answer of the server. It could get a session key by computing $K = H (G_{SD} | | A_{SD})$ , where $G_{SD}$ is obtained from $G_{SD} = e (x_{SD} A_{SD}, P_{Pub})$ .

The HS gets the $A_{SD}$ and $U_{SD}$ of a user. Then, the server could compute private key for the device with the following steps:

The server computes the private key with a master key for the device as $s A_{SD}$ ;

To ensure safe transfer of the private key to the device, the server needs to compute a session key to encrypt the private key. First, compute $V_{SD} = s^{- 1} U_{SD}$ , and $G_{SD} = e (s A_{SD}, V_{SD})$ . After that, the server computes session key as $K = H (G_{SD} | | A_{SD})$ . Now encrypt the private key using symmetric cryptographic, like AES.

Getting the cipher from the server, the device could decrypt the information and obtain the message $s A_{SD}$ . Then, the device saves the private key $PI V_{SD} = r_{SD}^{- 1} s A_{SD} = s A_{I D_{SD}}$ .

Authentication and key agreement

In this part, legal users with mobiles from the Internet can communicate with smart devices in the HAN with the help of HS. The detailed process is shown in Figure 4.

The user with smart mobile has got the private key from TOK with input PIN as $PI V_{U} = TOK - H_{ID} (PIN)$ , and picks a random number $k_{1}, r_{1} \in Z_{q}^{*}$ , and computes $U_{1} = k_{1} A_{U}$ and $V_{1} = k_{1} s A_{U}$ in which $A_{U} = H_{ID} (I D_{U}) \in G_{1}$ . Then, the user runs the hash function for getting the hash value $h_{1} = H (V_{1} | | T_{1})$ in which $T_{1}$ is the timestamp. Then, the user sends the messages $U_{1}$ , $h_{1}$ , and $T_{1}$ to the HS.

The smart device wanted by the user has got the private key $PI V_{SD} = s A_{SD}$ , and picks a random number $k_{2}, r_{2} \in Z_{q}^{*}$ , and computes $U_{2} = k_{2} A_{SD}$ and $V_{2} = k_{2} s A_{SD}$ in which $A_{SD} = H_{ID} (I D_{SD}) \in G_{1}$ . Then, the smart device runs the hash function to get the hash value $h_{2} = H (V_{2} | | T_{2})$ in which $T_{2}$ is the timestamp. Then, the user sends the messages $(U_{2}, h_{2}, T_{2})$ to the HS.

The HS holds that the system secret key checks the timestamp received from the user and smart device with the following steps:

After getting the message from the user, it checks the functions $T_{1} - T_{1}^{'} < ? Δ T$ and $h_{1}^{'} = H (s U_{1} | | T_{1}) = ? h_{1}$ . After that, HS chooses a random number $k_{3}, r_{3} \in Z_{q}^{*}$ , and computes $U_{3} = r_{3} A_{HS}$ , $h_{3} = H (T_{3} | | s U_{1})$ , $C_{1} = k_{3} h_{3}$ , and $C_{2} = (h_{3} \oplus H (C_{1})) U_{3}$ , where $T_{3}$ is the timestamp. Then, it runs the hash function for getting the hash value $h_{5} = H (T_{3} \oplus C_{1} \oplus C_{2} \oplus h_{3})$ . After calculating all the values, HS sends the messages $(C_{1}, C_{2}, T_{3}, h_{5})$ back to the user.

After getting the message from the smart device, it checks the functions $T_{2} - T'_{2} < ? Δ T$ and $h'_{2} = H (s U_{2} | | T_{1}) = ? h_{2}$ . After that, HS computes $h_{4} = H (T_{4} | | s U_{2})$ , $C_{3} = k_{3} h_{4}$ , and $C_{4} = (h_{4} \oplus H (C_{3})) U_{3}$ , where $T_{4}$ is the timestamp. Then, it runs the hash function for getting the hash value $h_{6} = H (T_{4} \oplus C_{3} \oplus C_{4} \oplus h_{4})$ . After calculating all the values, HS sends the messages $(C_{3}, C_{4}, T_{4}, h_{6})$ back to the smart device.

The HS holds that the system secret key checks the timestamp received from the user as $T_{1} - T'_{1} < ? Δ T$ . After that, HS chooses a random number $k_{3}, r_{3} \in Z_{q}^{*}$ and computes $U_{3} = r_{3} A_{HS}$ , $h_{1} = H (T_{3} | | s U_{1})$ , $C_{1} = k_{3} h_{3}$ , and $C_{2} = (h_{3} \oplus H (C_{1})) U_{3}$ , where $T_{3}$ is the timestamp. Then, it runs the hash function for getting the hash value $h_{5} = H (T_{3} \oplus C_{1} \oplus C_{2} \oplus h_{3})$ . After calculating all the values, HS sends the messages $(C_{1}, C_{2}, T_{3}, h_{5})$ back to the user.

After checking the timestamp and the hash value receiving from the HS as $T_{3} - T'_{3} < ? Δ T$ and $h'_{5} = H (T_{3} \oplus C_{1} \oplus C_{2} \oplus h'_{3}) = ? h_{5}$ , where $h'_{3}$ is $H (r_{1} V_{1} | | T_{3})$ , the user computes $C_{5}$ , $V_{3}$ , $W_{1}$ , and $U_{4}$ as

$U'_{3} = ({h'}_{3} \oplus H (C_{1}))^{- 1} C_{2}, k_{3} = ({h'}_{3})^{- 1} C_{1}$ (7)

$C_{5} = r_{1} k_{3} A_{u}, V_{3} = (k_{1} + r_{1} k_{3}) s A_{u}$ (8)

$W_{1} = r_{1} k_{1} U'_{3}$ (9)

$U_{4} = H (V_{3} | | T_{5} | | C_{5} | | W_{1}) U'_{3}$ (10)

After checking the timestamp and the hash value receiving from the HS as $T_{4} - T'_{4} < ? Δ T$ and $h'_{6} = H (T_{4} \oplus C_{3} \oplus C_{4} \oplus h_{4}^{'}) = ? h_{6}$ , where $h'_{4}$ is $H (r_{2} V_{2} | | T_{4})$ , the user computes $C_{6}$ , $V_{4}$ , $W_{2}$ , and $U_{5}$ as

${U^{'}}_{3} = {({h^{'}}_{4} \oplus H (C_{3}))}^{- 1} C_{4}, k_{3} = {({h^{'}}_{4})}^{- 1} C_{3}$ (11)

$C_{6} = r_{2} k_{3} A_{sn}, V_{4} = (k_{2} + r_{2} k_{3}) s A_{sn}$ (12)

$W_{2} = r_{2} k_{2} U'_{3}$ (13)

$U_{5} = H (V_{4} | | T_{6} | | C_{6} | | W_{2}) U'_{3}$ (14)

Then, the HS checks the timestamp receiving from the user and the smart device with the following steps:

After getting the message from the user, it checks the functions $T_{5} - T'_{5} < ? Δ T$ , $U'_{4} = H (V_{3} | | T_{5} | | C_{5} | | W_{1}) U_{3} = ? U_{4}$ , and $e (- V_{3}, Q) e (U_{1} + C_{5}, sQ) = ? 1$ . Then, HS computes $C_{7} = s U_{2} + U_{3}$ and $W_{3} = W_{2} + U_{3}$ . Then, it runs the hash function for getting the hash value $h_{7} = H (s U_{2} | | s U_{1} | | T_{7} | | W_{3})$ , where $T_{7}$ is the timestamp. After calculating all the values, HS sends the messages $C_{7}, T_{7}, W_{3}, h_{7}$ back to the user.

After getting the message from the smart device, it checks the functions $T_{6} - T'_{6} < ? Δ T$ , ${U^{'}}_{5} = H (V_{4} | | T_{6} | | C_{6} | | W_{2}) U_{3} = ? U_{5}$ , and $e (- V_{4}, Q) e (U_{2} + C_{6}, sQ) = ? 1$ . Then, HS computes $C_{8} = s U_{1} + U_{3}$ and $W_{4} = W_{1} + U_{3}$ . Then, it runs the hash function for getting the hash value $h_{8} = H (s U_{2} | | s U_{1} | | T_{8} | W_{4})$ , where $T_{8}$ is the timestamp. After calculating all the values, HS sends the messages $C_{8}, T_{8}, W_{4}, h_{8}$ back to the smart device.

After checking the timestamp and the hash value receiving from the HS as $T_{7} - T'_{7} < ? Δ T$ and $h'_{7} = H (T_{7} | | V_{1} | | s U_{2}) = ? h_{7}$ , where $s U_{2}$ is computed as $s U_{2} = C_{7} - U_{3}$ , the user computes session key $SK$ as

$W_{2} = W_{3} - U_{3}$ (15)

$SK = H (V_{1} \oplus s U_{2} \oplus r_{1} k_{1} W_{2})$ (16)

After checking the timestamp and the hash value receiving from the HS as $T_{8} - T_{8}^{'} < ? Δ T$ and $h_{8}^{'} = H (T_{8} | | V_{2} | | s U_{1}) = ? h_{8}$ , where $s U_{1}$ is computed as $s U_{1} = C_{8} - U_{3}$ , the smart device computes session key $SK$ as

$W_{1} = W_{4} - U_{3}$ (17)

$SK = H (V_{2} \oplus s U_{1} \oplus r_{2} k_{2} W_{1})$ (18)

Figure 4.

Anonymous authentication and key agreement.

Security and performance analysis

Security analysis

In this section, we will analyze the proposed protocol with BAN logic to prove that our protocol is secure. Through analysis, it is known that the communication between users and servers and between SDs and servers is secure in our protocol. And the communication between the user and the SD is also secure with the help of the server. At first, the messages sent over the unsecured channel in the proposed scheme are

Message 1: $U \to H S : {〈 U \overset{V_{1}}{\leftrightarrow} S D, U \overset{W_{1}}{\leftrightarrow} S D, T_{5} 〉}_{U_{4}}$

Message 2: $S D \to H S : {〈 S D \overset{V_{2}}{\leftrightarrow} U, S D \overset{W_{2}}{\leftrightarrow} U, T_{6} 〉}_{U_{5}}$

Message 3: $HS \to U : {〈 SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U), SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U), T_{7} 〉}_{h_{7}}$

Message 4: $H S \to S D : {〈 U | \equiv (U \overset{V_{1}}{\leftrightarrow} S D), U | \equiv (U \overset{W_{1}}{\leftrightarrow} S D), T_{8} 〉}_{h_{8}}$

Following security, goals must be satisfied by using BAN logic to prove that the proposed protocol is practical and valid

Goal 1: $U | \equiv (U \overset{SK}{\leftrightarrow} SD)$

Goal 2: $SD | \equiv (U \overset{SK}{\leftrightarrow} SD)$

Goal 3: $SD | \equiv (U \overset{V_{1}}{\leftrightarrow} SD)$

Goal 4: $SD | \equiv U | \equiv (U \overset{V_{1}}{\leftrightarrow} SD)$

Goal 5: $U | \equiv (SD \overset{V_{2}}{\leftrightarrow} U)$

Goal 6: $U | \equiv SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U)$

Goal 7: $U | \equiv (SD \overset{W_{2}}{\leftrightarrow} U)$

Goal 8: $U | \equiv SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U)$

Goal 9: $SD | \equiv (SD \overset{W_{1}}{\leftrightarrow} U)$

Goal 10: $SD | \equiv U | \equiv (SD \overset{W_{1}}{\leftrightarrow} U)$

Next, some necessary assumptions about original messages are presented

A1: $U | \equiv (U \overset{U_{4}}{\leftrightarrow} HS)$

A2: $HS | \equiv (U \overset{U_{4}}{\leftrightarrow} HS)$

A3: $HS | \equiv # (T_{i})$

A4: $U | \equiv # (T_{i})$

A5: $SD | \equiv # (T_{i})$

A6: $SD | \equiv (SD \overset{U_{5}}{\leftrightarrow} HS)$

A7: $HS | \equiv (SD \overset{U_{5}}{\leftrightarrow} HS)$

A8: $HS | \equiv (U \overset{h_{7}}{\leftrightarrow} HS)$

A9: $U | \equiv (U \overset{h_{7}}{\leftrightarrow} HS)$

A10: $HS | \equiv (SD \overset{h_{8}}{\leftrightarrow} HS)$

A11: $SD | \equiv (SD \overset{h_{8}}{\leftrightarrow} HS)$

A12: $U | \equiv HS | \Rightarrow (SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U))$

A13: $U | \equiv HS | \Rightarrow (SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U))$

A14: $SD | \equiv HS | \Rightarrow (U | \equiv (U \overset{V_{1}}{\leftrightarrow} SD))$

A15: $SD | \equiv HS | \Rightarrow (U | \equiv (U \overset{W_{1}}{\leftrightarrow} SD))$

A16: $U | \equiv SD | \Rightarrow (U \overset{V_{2}}{\leftrightarrow} SD)$

A17: $U | \equiv SD | \Rightarrow (U \overset{W_{2}}{\leftrightarrow} SD)$

A18: $SD | \equiv U | \Rightarrow (U \overset{V_{1}}{\leftrightarrow} SD)$

A19: $SD | \equiv U | \Rightarrow (U \overset{W_{1}}{\leftrightarrow} SD)$

Now, we are ready to prove the scheme using BAN logic as follows. From message 1, A2, and message-meaning rule, we get

P1: $HS | \equiv U | ~ (SD \overset{V_{1}}{\leftrightarrow} U)$

P2: $HS | \equiv U | ~ (SD \overset{W_{1}}{\leftrightarrow} U)$

From P1, P2, A3, and Nonce-verification rule, we get

P3: $HS | \equiv U | \equiv (SD \overset{V_{1}}{\leftrightarrow} U)$

P4: $HS | \equiv U | \equiv (SD \overset{W_{1}}{\leftrightarrow} U)$

As the same way, we can get

P5: $HS | \equiv SD | ~ (SD \overset{V_{2}}{\leftrightarrow} U)$

P6: $HS | \equiv SD | ~ (SD \overset{W_{2}}{\leftrightarrow} U)$

P7: $HS | \equiv SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U)$

P8: $HS | \equiv SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U)$

P9: $U | \equiv HS | ~ (SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U))$

P10: $U | \equiv HS | ~ (SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U))$

P11: $U | \equiv HS | \equiv (SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U))$

P12: $U | \equiv HS | \equiv (SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U))$

P13: $SD | \equiv HS | ~ (U | \equiv (U \overset{V_{1}}{\leftrightarrow} SD))$

P14: $SD | \equiv HS | ~ (U | \equiv (U \overset{W_{1}}{\leftrightarrow} SD))$

P15: $SD | \equiv HS | \equiv (U | \equiv (U \overset{V_{1}}{\leftrightarrow} SD))$

P16: $SD | \equiv HS | \equiv (U | \equiv (U \overset{W_{1}}{\leftrightarrow} SD))$

From P11, P12, A12, A13, and Jurisdiction rule, we get

P17: $U | \equiv SD | \equiv (SD \overset{V_{2}}{\leftrightarrow} U)$ → (Goal 6)

P18: $U | \equiv SD | \equiv (SD \overset{W_{2}}{\leftrightarrow} U)$ → (Goal 8)

From P15, P16, A14, A15, and Jurisdiction rule, we get

P19: $SD | \equiv U | \equiv (U \overset{V_{1}}{\leftrightarrow} SD)$ → (Goal 4)

P20: $SD | \equiv U | \equiv (U \overset{W_{1}}{\leftrightarrow} SD) s$ → (Goal 9)

From P17, P18, A16, A17, and Jurisdiction rule, we get

P21: $U | \equiv (SD \overset{V_{2}}{\leftrightarrow} U)$ → (Goal 5)

P22: $U | \equiv (SD \overset{W_{2}}{\leftrightarrow} U)$ → (Goal 7)

From P19, P20, A18, A19, and Jurisdiction rule, we get

P23: $SD | \equiv (SD \overset{V_{1}}{\leftrightarrow} U)$ → (Goal 3)

P24: $SD | \equiv (SD \overset{W_{1}}{\leftrightarrow} U)$ → (Goal 10)

From P17, P18, P19, P20, session key rule, and freshness rule, we get

P23: $U | \equiv (SD \overset{SK}{\leftrightarrow} U)$ → (Goal 1)

P24: $SD | \equiv (SD \overset{SK}{\leftrightarrow} U)$ → (Goal 2)

Informal security analysis

User impersonation attack

Suppose an attacker $A$ tries to create a valid log-in request. For this, $A$ has to enter PIN to get the private key of a user. As the user’s PIN is not shared anywhere, it is computationally infeasible for an attacker $A$ to guess PIN in a polynomial time. Therefore, the scheme is secure against user impersonation attack.

Anonymity and untraceability

The proposed scheme supports strong user anonymity and untraceability because the mobile user and the SD send their identity encrypted with the random number for each session. Thus, the HS can only get the masked identities of the mobile users and SDs.

Key forward secrecy

The proposed scheme supports key forward secrecy. Even if an eavesdropper gets the private key of the mobile user and the SD, the eavesdropper cannot get $r_{1}$ , $r_{2}$ , $k_{1}$ , or $k_{2}$ because the mobile user and SD send $r_{1}$ , $r_{2}$ , $k_{1}$ , and $k_{2}$ using Diffie–Hellman key agreement. So, the eavesdropper cannot get the session key. Moreover, $r_{1}$ , $r_{2}$ , $k_{1}$ , and $k_{2}$ are different for each session. Thus, the session key is secure even when the secret key of the mobile user and the HS is known to an adversary.

Strong key establishment

The mobile user and the SD establish a secure session key using authenticated Diffie–Hellman key exchange. Thus, the session key is known only to the mobile user and the SD, and equally contributed by both the mobile user and the SD.

Insider attack

In the proposed scheme, the mobile user and the SD send $(U_{1}, h_{1}, T_{1})$ and $(U_{2}, h_{2}, T_{2})$ to the HS for establishment session key. So, the insider cannot get the private keys to impersonate the mobile user and the SD. Thus, insider attack is not possible in the proposed scheme.

Replay attack

The proposed scheme is secure against the replay attack because the mobile user, the SD, and the HS use timestamp to avoid the replay attack. If a message is replayed by the adversary, all the three entities can check the replayed message by verifying the timestamp. If the timestamp is not valid, they can discard the message.

No verifier table at HS

The HS does not maintain verifier tables for the mobile users and the SD. Therefore, the proposed scheme is free from stolen verifier attack. An adversary cannot impersonate the mobile user and the foreign server due to the absence of stolen verifier attack.

Performance analysis

The computation cost of the scheme will be discussed in detail. Before the analysis, we give some symbol definitions, as shown in Table 3. At the registration stage of our scheme, the computation of the user or SD is $3 T_{G_{mul}^{1}} + T_{G_{mul}^{2}} + T_{p} + T_{H} + T_{D}$ , and the computation of the HS is $T_{G_{mul}^{2}} + T_{p} + T_{H} + T_{E}$ . At the authentication key agreement stage, the computation of the user or SD is $8 T_{G_{mul}^{1}} + 7 T_{H} + 2 T_{G_{add}^{1}}$ , and the computation of the HS is $7 T_{G_{mul}^{1}} + 10 T_{H} + 4 T_{G_{add}^{1}} + 4 T_{p}$ .

Table 3.

The parameter definitions.

Symbol	Descriptions
$T_{G_{mul}^{1}}$	The time of multiplication on $G_{1}$
$T_{G_{add}^{1}}$	The time of addition on $G_{1}$
$T_{G_{mul}^{2}}$	The time of multiplication on $G_{2}$
$T_{p}$	The time of pairing operation
$T_{H}$	The time of hash operation
$T_{D}$ / $T_{E}$	The time of symmetric decryption or encryption

Now we will compare the performance and functionality of our scheme with other related schemes. To accurately estimate the running time, we use the MIRACL library to perform the cryptographic primitives for 1000 executions and take the arithmetic mean based on 120 MHz ARM chip. The detailed analysis results are shown in Table 4.

Table 4.

The performance analysis.

	Scott¹⁹	Wu et al.¹⁷	Xiong and Peng¹⁵	SrinivasMukhopadhyay¹⁸	The proposed
Whole scheme cost	2.1 s	1.22 s	1.05 s	0.37 s	3.1 s
End cost	1.1 s	0.29 s	0.49 s	0.18 s	0.8 s
Support registration	×	√	√	√	√
Support authentication	√	√	√	√	√
Support key agreement	√	√	√	√	√
Non-deterministic polynomial problem	Bilinear Diffie–Hellman	Elliptic curve discretelogarithm problem	Hash function	Hash function	Bilinear Diffie–Hellman
Verifier table	No	Yes	Yes	Yes	No

Conclusion

In this article, a new anonymous authentication key agreement scheme with pairing-based cryptography for home-based IoT has been proposed that ensures secure communication between SDs and users. In the HAN environment, devices collect personal and sensitive information from users and have the characteristic of having low power, low cost, and being lightweight. So, we have used a special pairing to reduce the amount of calculation. The proposed protocol masks the identity of the devices and the user. Finally, we have proved the scheme with the BAN logic. Moreover, performance analysis shows that our protocol is efficient for home-based IoT endpoints.

Footnotes

The authors thank the editor and anonymous reviewers for their helpful comments and valuable suggestions.

Handling Editor: Zehong Cao

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research,authorship,and/or publication of this article: Thanks to the support from National Key R&D Plan of China under Grant No. 2017YFA0604500,National Sci-Tech Support Plan of China under Grant No. 2014BA H02F00,National Natural Science Foundation of China under Grant No. 61701190,Youth Science Foundation of Jilin Province of China under Grant Nos 20160520011JH and 20180520021JH,Youth Sci-Tech Innovation Leader and Team Project of Jilin Province of China under Grant No. 20170519017JH,Key Technology Innovation Cooperation Project of Government and University for the Whole Industry Demonstration under Grant No. SXGJSF2017-4,Key Scientific and Technological R&D Plan of Jilin Province of China under Grant No. 20180201103GX,and Project of Jilin Province Development and Reform Commission (No. 2019FGWTZC001).

ORCID iD

Hongtu Li

References

Tsai

. Secure anonymous key distribution scheme for smart grid. IEEE Trans Smart Grid 2016; 7(2): 906–914.

Odelu

Das

Wazid

, et al. Provably secure authenticated key agreement scheme for smart grid. IEEE Trans Smart Grid 2018; 7(2): 1900–1910.

Vaidya

Makrakis

Mouftah

. Device authentication mechanism for smart energy home area networks. In: Proceedings of the IEEE international conference on consumer electronics (ICCE), Las Vegas, NV, 9–12 January 2011, pp.787–788. New York: IEEE.

Chakravorty

Wlodarczyk

Rong

. Privacy preserving data analytics for smart homes. In: Proceedings of the IEEE security and privacy workshops, San Francisco, CA, 23–24 May 2013, pp.23–27. New York: IEEE.

Ryu

Kwak

. Secure data access control scheme for smart home. In: Park

Chao

Jeong

, et al. (eds) Advances in computer science and ubiquitous computing. New York: Springer, 2015, pp.483–488.

Banerjee

Dutta

Bhunia

. An improved smart card based anonymous multi-server remote user authentication scheme. Int J Smart Home 2015; 9(5): 11–22.

Braeken

. Efficient anonym smart card based authentication scheme for multi-server architecture. Int J Smart Home 2015; 9(9): 177–184.

Wen

Guo

. An improved anonymous authentication scheme for telecare medical information systems. J Med Syst 2014; 38(5): 1–11.

Chuang

Chen

. An anonymous multi-server authenticated key agreement scheme based on trust computing using smart cards and biometrics. Expert Syst Appl 2014; 41(4): 1411–1418.

10.

Hoang

Pishva

. A TOR-based anonymous communication approach to secure smart home appliances. In: Proceedings of the 17th international conference on advanced communication technology (ICACT), Seoul, 1–3 July 2015, pp.517–525. New York: IEEE.

11.

Santoso

Vun

. Securing IoT for smart home system. In: Proceedings of the international symposium on consumer electronics (ISCE), Madrid, 24–26 June 2015, pp.1–2. New York: IEEE.

12.

Kumar

Gurtov

Iinatti

, et al. Lightweight and secure session-key establishment scheme in smart home environments. IEEE Sensor 2016; 16(1): 254–264.

13.

Peng

, et al. An energy efficient mutual authentication and key agreement scheme preserving anonymity for wireless sensor networks. Sensors 2016; 16(6): 837–857.

14.

Jung

Kim

Choi

. An anonymous user anonymity user authentication and key agreement scheme based on a symmetric cryptosystem in wireless sensor networks. Sensors 2016; 16(8): 1299–1328.

15.

Xiong

Peng

. A lightweight anonymous authentication protocol with perfect forward secrecy for wireless sensor networks. Sensors 2017; 17(11): 2681.

16.

Wang

. Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks. IEEE T Ind Inform 2018; 14(9): 4081–4092.

17.

Kumari

, et al. A new and secure authentication scheme for wireless sensor networks with formal proof. Peer Peer Netw Appl 2015; 10(1): 1–15.

18.

Srinivas

Mukhopadhyay

. Secure and efficient user authentication scheme for multi-gateway wireless sensor networks. Ad Hoc Netw 2017; 54: 147–269.

19.

Scott

. Authenticated ID-based key exchange and remote log-in with simple token and PIN number. Cryptology, 2002, pp.1–9, https://eprint.iacr.org/2002/164.pdf

20.

Chu

, et al. Remote registration and log-in scheme for mobile networks with PIN number. In: Luo

(ed.) Advanced science and industry research center. Beijing, China: Atlantis Press, 2017, pp.1–4.