Introduction
The Internet of Things (IoT) is an intelligent technology and service that connects all things including sensors, smartphones, and home appliances to communicate information between people and things based on the Internet. Recently, various IoT applications have made it possible for users, through linkage with smart devices, to access, use, and process information collected from sensors. From this aspect, the smartphone, the most common device that is steadily increasing in performance, plays an important interface role in allowing users to access and control other devices in the IoT through Wi-Fi and cellular networks. 5G is becoming an active candidate for various IoT applications such as the smart home, smart city, smart health, and smart grid [1]. Owing to the commercialization of 5G, one of the cellular networks, IoT has penetrated into everyday life.
The wireless sensor network (WSN) is one of the core elements of the IoT and is responsible for collecting and delivering the physical phenomena and information using a number of heterogeneous and resource-constrained sensors. Therefore, the integration of WSN and 5G will be a key driver for successful IoT deployment. With WSNs and 5G-integrated IoT, more sensors and smart devices will surround us and reach deeper into our private lives. This increases connectivity and provides convenient services to us, but at the same time, it increases the number of attack surfaces. To protect IoT devices and their data and provide secure communication, user authentication and key establishment are the most basic security requirements.
IoT devices including sensors have various types of data, and the collected data in several IoT applications are privacy-sensitive. For example, personal health information collected from wearable and implanted medical devices and private information collected from home sensors are privacy-sensitive data. If these types of data are leaked or controlled by malicious people, they may pose serious threats, and these threats may be linked directly to human life. Anonymity with untraceability is a representative technique for stronger privacy preservation. Anonymity hides the identities of participants, including users, from third parties so that they do not know who accesses data at certain points in time. Untraceability disallows an adversary who wants to trace different sessions of a particular user from publicly exchanged messages. The authorization and access control mechanisms grant different access rights according to the data’s importance and privacy sensitivity, and verify whether a user has the corresponding privilege to access data. Therefore, authorization and access control mechanisms and privacy-preserving techniques are also essential for securing the IoT.
A. Related Works
Since Das et al. introduced a two-factor user authentication scheme for WSNs [2], a large number of two-factor user authentication schemes using passwords and smart cards have been proposed [3]–[8]. To address the security vulnerabilities associated with two-factor user authentication schemes and to improve their security strength, three-factor authentication, with biometrics as the third factor, has attracted attention from many researchers in recent years [9]–[16].
Park et al. proposed a security-enhanced authentication and key agreement scheme to overcome the security weaknesses of Chang et al.’s scheme [6] by using biometric information and an elliptic curve cryptogrphy (ECC) [10]. However, Wang et al. [17] and Maurya and Sastry [12] revealed that Park et al.’s scheme has security flaws. Moon et al. showed how an adversary can impersonate a legitimate user or a sensor node, and proposed an improved authentication scheme [18]. Das proposed a novel biometric-based user authentication scheme suitable for WSNs [19]. Unfortunately, in the same year, Maurya et al. pointed out that these two schemes including Park et al.’s scheme are insecure against various security attacks. Instead, Maurya et al. proposed a fuzzy extractor and ECC-based efficient authenticated session key establishment protocol for WSNs and IoT [12].
Amin et al. proposed a new secure three-factor authentication scheme that claimed to be secure against all known security attacks [11], but Jiang et al. found that Amin et al.’s scheme has security drawbacks [13]. Jiang et al. then proposed a three-factor authentication and key agreement scheme based on the Rabin cryptosystem for Internet-integrated WSNs. Wadiz et al. proposed a secure and lightweight three-factor authenticated key management scheme for the hierarchical IoT network as a special kind of generic IoT network [14]. All the abovementioned schemes have evolved by identifying and solving the security problems in the previous systems. However, they still have security drawbacks and do not support authorization to access control, which is one of the essential security requirements in WSNs for IoT.
Adavoudi-Jolfaei et al. [15] pointed out a security vulnerability in Gope and Hwang’s [7] two-factor authentication protocol for WSNs. To address this vulnerability, Adavoudi-Jolfaei et al. devised an enhanced scheme by employing biometrics with a fuzzy extractor and by providing access control as an additional desired security property for WSNs. They proved their scheme was secure against various attacks. However, as illustrated in Section II-B, we found that Adavoudi-Jolfaei et al.’s scheme still has several security flaws. Their scheme does not provide sensor node anonymity, and it is vulnerable to user collusion attacks in which malicious users collude with each other in order to access data that is inaccessible with their own privileges. In addition, it is also vulnerable to desynchronization attacks in which an attacker breaks the synchronization of the secret values that are shared between a server and a user and updated on a per session basis, thereby preventing the server from authenticating a legitimate user’s credentials [20].
B. Research Contributions
As discussed in Section I-A, the existing schemes for authentication and key establishment for WSNs and IoT still suffer from security attacks and fail to guarantee all desirable security features. In particular, most of them do not support authorization, another desirable security requirement. The contributions of our research to overcoming these drawbacks are as follows:
We analyze the recent lightweight and anonymous three-factor authentication and access control scheme of Adavoudi-Jolfaei et al. [15]. We show that their scheme does not provide sensor node anonymity and is vulnerable to user collusion and desynchronization attacks.
We introduce a system architecture suitable for WSNs in 5G-integrated IoT. Based on the system architecture, we design an ECC-based privacy-preserving authentication, authorization, and key agreement scheme. The proposed scheme provides three-factor user authentication and overcomes the security weaknesses of the Adavoudi-Jolfaei et al.’s scheme. In addition, the proposed scheme not only satisfies various security features, including authorization, but also withstands all known attacks.
We formally verify the security of the proposed scheme using both the widely used Burrows-Abadi-Needham (BAN) logic and a robust security verification tool, Automated Validation of Internet Security Protocols (AVISPA). We also informally analyze the security of the proposed scheme to show that it can satisfy the required security features and resist various attacks. We then compare the security of the proposed scheme with those of related schemes in terms of security features.
Through a performance evaluation, we compare the performance of the proposed scheme with those of related schemes in terms of computation and communication costs.
The remainder of the paper is organized as follows: Section II briefly reviews Adavoudi-Jolfaei et al.’s scheme and demonstrates its security weaknesses. Section III describes the details of the proposed scheme. Section IV conducts a formal and informal security analysis of the proposed scheme. Section V presents a performance evaluation of the proposed scheme and compares the performance with related schemes. Section VI concludes the paper.
C. Preliminaries
This section introduces the necessary mathematical preliminaries and system architecture for the proposed scheme.
1) Fuzzy Extractor
In recent years, the fuzzy extractor technique has been a useful tool that is widely accepted for biometric authentication [9], [15], [21]. The fuzzy extractor extracts biometric information as a uniformly random string with an error tolerance limit
: Given a biometric template$GEN(Bio_{i})=(B_{i},C_{i})$ as the input, this probabilistic algorithm outputs a secret biometric key$Bio_{i}$ and a helper string$B_{i}$ .$C_{i}$ : Given a noisy biometric$REP(Bio'_{i},C_{i})=(B_{i})$ and a helper string$Bio'_{i}$ as inputs, this deterministic algorithm reproduces the biometric key$C_{i}$ .$B_{i}$
2) Elliptic Curve Cryptography
Let
The Elliptic Curve Discrete Logarithm (ECDL) problem finds
when given a point$a$ , where$Q\in G_{p}$ and$a\in \mathbb {Z}^{*}_{p}$ .$Q=aP$ The Elliptic Curve Computational Diffie-Hellman (ECCDH) problem finds
when given$abP$ and$aP$ , where$bP$ .$a, b\in \mathbb {Z}^{*}_{p}$
3) System Architecture
Many researchers have proposed different layers of architecture for IoT, including three-layer, four-layer, and five-layer architectures [22]. However, in terms of operations related to WSNs, IoT architecture can be simply expressed as shown in Figure 1, where the information collected from a WSN in the perception layer is delivered to the cloud through the gateway in the network layer, processed and refined at the cloud computing of the support layer, and passed to the application layer.
The IoT is highly heterogeneous because it connects a variety of devices, including existing ones, to devices newly developed for the IoT. As IoT applications are deployed at different locations and evolve over time, it is very likely that the heterogeneous devices developed by different manufacturers will communicate through a variety of communication techniques such as IEEE 802.15.4, ZigBee, Wi-Fi, Bluetooth, and 4G/5G [23]. In addition, for IoT applications, multiple WSNs may be deployed in large numbers in various environments. Sensor nodes in WSNs are also heterogeneous, ranging from just various types of sensor motes to sensors embedded in IoT devices. Unlike traditional mobile communication networks and the Internet, WSNs primarily use short-distance communication between objects by constructing wireless networks in an ad hoc manner. Namely, it is difficult to directly connect WSNs and traditional communication networks and the Internet to each other because they lack uniform standardization in communication techniques, and the data from WSNs cannot be transmitted long distance given the limited transmission range of WSNs [24]. Thus, there are limitations to direct communication between heterogeneous sensor nodes and user mobile devices. Instead, they are more likely to communicate through a gateway that acts as a bridge between them.
Figure 1 describes a system architecture for WSNs and 5G-integrated IoT as an extension and generic version of the previously introduced architecture for 5G-integrated WSNs [8]. There are three types of participants: users, the authentication and authorization server (AAS), and gateways (GWs). AAS with IoT application servers and system administrators is responsible for registering users, issuing membership parameters including access rights based on personal credit information, deploying WSNs, and setting up identities and keys for gateways and sensor nodes. AAS also helps with authentication, authorization, and key establishment between a gateway and a user when the user tries to log into the WSN in real time. After registration, authentication, and authorization, through the 5G network or the Internet, a user with a mobile device usually accesses IoT application data in the cloud and directly accesses WSNs through gateways for real-time data acquisition. In general, an IoT gateway plays an important role in IoT applications: facilitating the seamless integration of WSNs and traditional mobile communication networks or the Internet, and managing and controlling WSNs [24]. Likewise, in our system architecture, a gateway usually collects data from the sensor nodes of the WSN and delivers it to the cloud, which serves as a bridge between the user’s mobile device and the sensor nodes for real-time data access. Among these, the proposed scheme focuses on user authentication, authorization, and key agreement when accessing WSNs in real time.
Review and Cryptanalysis of Adavoudi-Jolfaei $et~al.$
’s Scheme
In this section, we briefly review Adavoudi-Jolfaei et al.’s scheme [15] and show that it has security weaknesses.
A. Review of Adavoudi-Jolfaei $et~al.$
’s Scheme
Adavoudi-Jolfaei et al.’s scheme consists of four phases: registration, anonymous authentication and key exchange, password and biometric update, and dynamic node addition. We describe the first two phases in detail. The last two phases were omitted because they have little relevance to this work. Table 1 lists the notations used in Adavoudi-Jolfaei et al.’s scheme.
In both Gope et al.’s scheme and Adavoudi-Jolfaei et al.’s scheme, the sensor registration phase was missed, and thus we add it briefly according to their papers [7], [15]. Before WSN deployment,
1) Registration Phase
In this phase,
sends$U_{i}$ and a personal credential to$ID_{i}$ .$GW$ For
,$U_{i}$ issues a smart card containing$GW$ , where$\{K_{ug}, (SID,~KEM_{ug}), Ts_{ug},G_{u},h(\cdot)\}$ ,$K_{ug} =h(ID_{i}||n_{g})\,\,\oplus ID_{G}, sid_{j}=h(ID_{i}||r_{j}||K_{ug}), SID =\{sid_{1},sid_{2},\,\,\cdots \},\,\,KEM_{ug}=\{KEM_{ug_{1}},KEM_{ug_{2}},\,\,\cdots \}, KEM_{ug_{j}}=h(ID_{i}||sid_{j}||r'_{j})$ , and$n_{g},r_{j}$ are random numbers, and$r'_{j}$ is a 64-bit random sequence number generated by$Ts_{ug}$ . For$GW$ ,$U_{i}$ finally saves$GW$ into the database, where$\langle Ts_{ug},(SID,KEM^{\#}_{ug}),K^{\#}_{ug},K^{\#}_{gs},~ID^{\#}_{i},G^{\#},APM^{\#}\rangle $ , and$KEM^{\#}_{ug} =KEM_{ug}\oplus h(ID_{G}||ID_{i}||w), K^{\#}_{ug}=K_{ug}\oplus h(ID_{G}||ID_{i}||w), ID^{\#}_{i}= ID_{i}\oplus h(ID_{G}||ID_{i}||w),\,\,G^{\#}_{j}=G_{j}\oplus h(ID_{G}||ID_{i}\,\,||w), G^{\#}=\{G^{\#}_{1}, G^{\#}_{2},\cdots \},\,\,APM^{\#}_{j}=APM_{j}\oplus h(ID_{G}||ID_{i}||w)$ .$APM^{\#}=\{APM^{\#}_{1},\,\, APM^{\#}_{2},\cdots \}$ inputs$U_{i}$ and$PW_{i}$ , then$Bio_{i}$ stores$SC$ in its memory, where$\langle K^{*}_{ug},f^{*}_{ug},~(SID^{*},KEM^{*}_{ug}),Ts_{ug},G^{*},C_{i}, GEN(\cdot),~REP(\cdot),~h(\cdot)\rangle $ .$GEN(Bio_{i})=(B_{i},C_{i}), K^{*}_{ug}=h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i})), KEM^{*}_{ug} =KEM_{ug}\oplus h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i})), SID^{*}=SID\oplus h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i})), G^{*}=G\oplus h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i})), f^{*}_{u}=h(h(K_{ug})\oplus h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i}))$
2) Anonymous Authentication and Key Exchange Phase
In both Gope et al.’s scheme and Adavoudi-Jolfaei et al.’s scheme, to speed up the authentication processes and to prevent any replay attacks, a 64-bit random sequence number,
inputs$U_{i}$ and biometrics$ID_{i},PW_{i}$ , then$Bio_{i}$ computes$SC$ , and$B_{i}=REP(Bio_{i},C_{i}), K_{ug}=K^{*}_{ug}\oplus h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i}))$ .$f_{u}=h(h(K_{ug})\oplus h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i}))$ checks$SC$ . If so, then$f_{u}\stackrel {?}{=}f^{*}_{u}$ computes$SC$ , where$N_{x}=K_{ug}\oplus N_{i}$ is a random number generated by$N_{i}$ ,$U_{i}$ and$G=G^{*}\oplus h(h(ID_{i})\oplus h(PW_{i})\oplus h(B_{i}))$ . Then,$AID_{i}=h(ID_{i}||K_{ug}||N_{i}||Ts_{ug})$ chooses an access group-ID$U_{i}$ from$G_{j}$ . Finally,$G$ computes$SC$ and$G'_{j}=G_{j}\oplus N_{i}$ . In case of loss of synchronization,$V_{1}=h(AID_{i}||G'_{j}||K_{ug}||N_{x}||SN_{id})$ chooses one of the unused pair of$U_{i}$ from$(sid_{j},KEM_{ug_{j}})$ and assigns$(SID^{*},KEM^{*}_{ug})$ as$sid_{j}$ and$AID_{i}$ as$KEM_{ug_{j}}$ .$K_{ug}$ sends a request message$SC$ (if req),$\langle AID_{i},G'_{j},N_{x},Ts_{ug}$ to$SN_{id}, V_{1}\rangle $ .$GW$ first checks the validity of$GW$ provided by$Ts_{ug}$ . If$U_{i}$ cannot find$GW$ in its database, then it terminates the connection. Otherwise,$Ts_{ug}$ selects the tuple related to$GW$ using$U_{i}$ .$Ts_{ug}$ decodes$GW$ and$ID_{i}$ , and checks the validity of$K_{ug}$ . If so, then$V_{1}$ computes$GW$ and$N_{i}=N_{x}\oplus K_{ug}$ , and checks$G_{j}=G_{j}\oplus N_{i}$ , where$AID'_{u}\stackrel {?}{=}AID_{i}$ . If so, then$AID'_{u}=h(ID_{i}||K_{ug}||N_{i}||Ts_{ug})$ computes$GW$ by finding$APM'_{j}=h(K_{gs})\oplus APM_{j}$ related to$APM_{j}$ , generates$G_{j}$ and a timestamp$SK$ , and finally sends the message by computing$T$ and$SK'=h(K_{gs})\oplus SK$ . In case of loss of synchronization,$V_{2}=h(AID_{i}||APM'_{j}||SK'||T||K_{gs})$ will resend the request message using$U_{i}$ and$AID_{i}=sid_{j}$ instead of using$K_{ug}=KEM_{j}$ . In this case,$Ts_{ug}$ will check the validity of$GW$ by comparing$AID_{i}$ with the entries in its database. If$sid_{j}$ can find it, then$GW$ derives the tuple associated with$GW$ and retrieves$sid_{j}$ .$KEM_{j}$ checks the validity of$GW$ with these values and sends a message$V_{1}$ to$\langle AID_{i},APM'_{j},SK', T, V_{2}\rangle $ .$GW_{j}$ first checks the freshness of$GW_{j}$ and verifies$T$ . If so, then$V_{2}$ computes$GW_{j}$ and generates a timestamp$APM_{j}=APM'_{j}\oplus h(K_{gs})$ .$T'$ then derives$GW_{j}$ and computes$SK=SK'\oplus h(K_{ug})$ . Finally,$V_{3}=h(SK||K_{gs}||SN_{id}||T')$ sends the response message$GW_{j}$ and updates$\langle T', SN_{id}, V_{3}\rangle $ , where$K_{gs}=K_{gs_{new}}$ .$K_{gs_{new}}=h(K_{gs}||SN_{id})$ first checks the freshness of$GW$ , generates a random number$T'$ , and computes$m$ , and$Ts_{ug_{new}}=m, Ts=h(K_{ug}||ID_{i}||N_{i})\oplus Ts_{ug_{new}}, SK''=h(K_{ug}||ID_{i}||N_{i})\oplus SK$ . Finally,$V_{4}=h(SK''||N_{i}||Ts||\,\,K_{ug})$ sends the response message$GW$ (if req)$\langle SK'', V_{4}, Ts, x$ and updates$\rangle $ and$K_{ug}=K_{ug_{new}}$ , where$K_{gs}=K_{gs_{new}}$ and$K_{ug_{new}}=h(K_{ug}||ID_{i}||Ts_{ug_{new}})$ . In the case of loss of synchronization, instead of the above update method,$K_{gs_{new}}=h(K_{gs}||SN_{id})$ randomly generates$GW$ and sends$K_{ug_{new}}$ with other parameters.$x=K_{ug_{new}}\oplus h(ID_{i}||KEM_{j})$ first checks$U_{i}$ . If so, then$V_{4}$ derives$U_{i}$ and updates$SK=SK''\oplus h(K_{ug}||ID_{i}||N_{i})$ and$Ts_{ug}=Ts_{ug_{new}}$ , where$K_{ug}=K_{ug_{new}}$ and$Ts_{ug_{new}}=h(K_{ug}||ID_{i}||N_{i})\oplus Ts$ . In the case of loss of synchronization,$K_{ug_{new}}=h(K_{ug}||ID_{i}||\,\,Ts_{ug_{new}})$ performs a different update to$U_{i}$ , where$K_{ug}=K_{ug_{new}}$ .$K_{ug_{new}}=h(ID_{i}||KEM_{j})\oplus x$
B. Security Flaws in Adavoudi-Jolfaei $et~al$
.’s Scheme
In this section, we discuss the cryptanalysis of Adavoudi-Jolfaei et al.’s scheme and the observation of several security weaknesses.
1) User Collusion Attacks
In access control systems, a user collusion attack is that two or more malicious users with different privileges deceive the system to obtain a service or data with higher privileges. In the systems, if there is no collusion of users possible, this may be a too strong assumption. Rather, users are more likely to try to get more data that requires higher privileges than their own at low cost [25]. In Adavoudi-Jolfaei et al.’s scheme, a user can have multiple access group IDs, and multiple users with similar privileges can share the same access group ID. As users’ access group IDs are given to users when they are in the registration phase, the users can exploit other users’ group IDs through user collusion to obtain sensor data that requires higher privileges. GW stores the group ID that a user has in the database but does not verify that the group ID presented by the user in the anonymous authentication and key exchange phase is the group to which the user belongs. Therefore, Adavoudi-Jolfaei et al.’s scheme is vulnerable to user collusion attacks. In addition, Adavoudi-Jolfaei et al.’s scheme does not provide access privilege updates.
2) Desynchronization Attack
Both Gope et al.’s scheme [7] and Adavoudi-Jolfaei et al.’s scheme [15] employ a transaction sequence number
Moreover, both schemes utilize a set of shadow IDs,
In addition, they have not specified how many
3) No Sensor Node Anonymity
Anonymity in WSNs means preventing a third party other than the message sender and receiver from knowing the identity of the two primary parties in communication. This includes the sender anonymity, receiver anonymity, and unlinkability between the sender and receiver [26]. Thus, the anonymity of the sensor node is as important as the user anonymity. In particular, sensor node anonymity means that no adversary can trace different sessions from a special sensor node and launch further attacks (e.g., a sensor node impersonation attack and sensor node capture attack) by hiding the sensor node’s identity. If the identity of a sensor node is exposed to the adversary in plain text in the transmitted messages, then the adversary can identify the frequently accessed sensor node by users. This means that the adversary can identify an important sensor node with more data of interest to users, and eventually, that sensor node is likely to be the adversary’s preferred target for attack.
In Adavoudi-Jolfaei et al.’s scheme,
Our Proposed Scheme
In this section, we propose an ECC-based anonymous authentication, authorization and key agreement scheme as an improved version of Adavoudi-Jolfaei et al.’s scheme. The proposed scheme remedies security vulnerabilities based on the system architecture in WSNs for 5G-integrated IoT. Figure 1 illustrates the system architecture of the proposed scheme. Our proposed scheme is split into five phases: (1) setup; (2) user registration; (3) authentication, authorization, and key agreement (AAK); (4) password and biometrics update; and (5) access privilege update. ECC is asymmetric key cryptography and provides similar security measures with smaller key sizes in comparison with other non-ECC-based asymmetric key cryptography methods such as RSA [27]. As WSNs are resource-constrained, techniques that are more lightweight, such as symmetric ones (XOR and hash computations, for example), are more appropriate [4]. However, efficient ECC implementations in resource-constrained sensor motes have continued to be proposed [28]–[30], thus increasing the feasibility and practicality of ECC in IoT devices. Moreover, although we employ ECC to address the security weaknesses found in Adavoudi-Jolfaei et al.’s scheme, ECC operations are performed by users, authentication and authorization servers, and gateways with fewer resource constraints than sensor nodes. Table 2 lists different and additional notations used in the proposed scheme.
A. System Setup Phase
This phase includes the initialization of the system parameters and gateway and sensor node registration before deployment.
chooses an elliptic curve$AAS$ over prime finite field$E$ and an additional subgroup$F_{q}$ of$G$ , which is generated by$E$ with a large prime order$P$ .$p$ then generates its private and public key pair$AAS$ , where$\{y,Q_{AAS}\}$ and$y\in \mathbb {Z}^{*}_{p}$ .$Q_{AAS}=yP$ also chooses its own identity$AAS$ , membership verification secret$ID_{AAS}$ , access privilege verification secret$\alpha $ , and secure one-way hash function$\beta $ .$h(\cdot)$ publishes the system parameters$AAS$ .$\{E, G, p, P\}$ According to authorization policies of the system,
generates indices of access privilege groups,$AAS$ , a unique random number,$(APG_{1},\cdots,~APG_{\ell }, \cdots, APG_{L})$ , and access privilege mask,$APR_{\ell }$ , for each group [15], where$APM_{\ell }$ is the number of access privilege groups.$L$ For each gateway
, where$GW_{j}$ and$1\leq j\leq J$ is the number of gateways,$J$ selects a unique identity$AAS$ and generates a shared secret key$GID_{j}$ between$K_{j}$ and$AAS$ . According to the WSN deployment plan,$GW_{j}$ divides and allocates all sensor nodes into$AAS$ gateways. For each sensor node$J$ , where$SN_{n}$ and$1\leq n\leq N$ is the total number of sensor nodes,$N$ selects a unique identity$AAS$ and generates a shared secret key$SID_{n}$ between$K_{GW_{j}SN_{n}}$ and$GW_{j}$ . Secure communication through these shared secret keys and data transmission between gateways and sensor nodes are out of the scope of this paper.$SN_{n}$ For each gateway
,$GW_{j}$ preloads$AAS$ ,$\langle ID_{AAS}, Q_{AAS}$ , identities of sensor nodes belonging to the corresponding gateway and secret keys shared with them, into$GID_{j}, K_{j}\rangle $ ’s memory. For each sensor node$GW_{j}$ ,$SN_{n}$ then preloads$AAS$ into$\langle GID_{j}, SID_{n}, K_{GW_{j}SN_{n}}\rangle $ ’s memory.$SN_{n}$ Finally,
stores all system parameters and generated values for gateways and sensor nodes in its database, and deploys WSNs in the target area.$AAS$
B. User Registration Phase
The user registration phase begins when a user
inputs an identity$U_{i}$ , a password$ID_{i}$ , and biometrics$PW_{i}$ into$Bio_{i}$ .$MD_{i}$ then selects a random number$U_{i}$ and computes$a$ , and$TID_{i}=h(ID_{i}||a), GEN(Bio_{i})=(B_{i},C_{i})$ . Finally,$HPW_{i}=h(PW_{i}||B_{i})$ sends a registration request with$U_{i}$ , and a personal credential to$TID_{i}, HPW_{i}$ over a secure channel.$AAS$ verifies$AAS$ ’s personal credential and computes a membership value$U_{i}$ , and$M_{i}=h(TID_{i}||ID_{AAS}||\alpha), HM_{i}=h(TID_{i}||HPW_{i})\oplus M_{i}$ .$CM_{i}=h(HPW_{i}||M_{i})$ selects access privilege groups (i.e.,$AAS$ -th and$\ell $ -th privileges) suitable for the user’s privileges and computes linking values between the membership$\ell +k$ and access privilege groups such that$M_{i}$ .$LMA^{i}_{\ell }=h(M_{i}||\beta ||APR_{\ell })$ then generates an$AAS$ for$AL_{i}=\{(APG_{\ell },LMA^{i}_{\ell }),(APG_{\ell +k},LMA^{i}_{\ell +2})\}$ and sends membership parameters$U_{i}$ to$\langle HM_{i},CM_{i}, AL_{i},~P,Q_{AAS},h(\cdot)\rangle $ over a secure channel.$U_{i}$ finally stores$AAS$ and$TID_{i},M_{i}$ in its database.$APGs_{i}=\{APG_{\ell },APG_{\ell +k},\cdots \}$ Upon receiving the membership parameters,
computes$U_{i}$ and stores$D_{i}=a\oplus h(ID_{i}||B_{i})$ into its memory.$\langle HM_{i}, CM_{i},AL_{i},C_{i},D_{i},P,Q_{AAS},GEN(\cdot),REP(\cdot),~h(\cdot)\rangle $
C. Authentication, Authorization, and Key Agreement (AAK) Phase
Whenever
To log into the WSN,
inputs an identity$U_{i}$ , password$ID_{i}$ , and biometrics$PW_{i}$ into$Bio_{i}$ . Using the stored values,$MD_{i}$ computes$MD_{i}$ , and$B_{i}=REP(Bio_{i},C_{i}), a=D_{i}\oplus h(ID_{i}||B_{i}), TID_{i}=h(ID_{i}||a), HPW_{i}=h(PW_{i}||B_{i}), M_{i}=HM_{i}\oplus h(TID_{i}||HPW_{i})$ and checks$CM^{*}_{i}=h(M_{i}\oplus h(TID_{i}||PW_{i}||B_{i}))$ . If this does not hold, then the login request is rejected by$CM^{*}_{i}\stackrel {?}{=}CM_{i}$ as at least one factor of the identity, password, or biometrics is invalid. Otherwise,$MD_{i}$ selects$MD_{i}$ and retrieves a proper access privilege group$GID_{j}$ and$APG_{\ell }$ from$LMA^{i}_{\ell }$ .$AL_{i}$ then generates a random value$MD_{i}$ and timestamp$x\in \mathbb {Z}^{*}_{p}$ .$T_{1}$ computes$MD_{i}$ , and$X_{i}=xP, Y_{i}=xQ_{AAS}, MID_{i}=TID_{i}\oplus h(X_{i}||Y_{i}), MGW_{i}=GID_{j}\oplus h(Y_{i}||T_{1}), MAPG^{i}_{\ell }=APG_{\ell }\oplus h(M_{i}||T_{1}), MLMA^{i}_{\ell }=LMA^{i}_{\ell } \oplus h(TID_{i}||T_{1})$ .$V_{1}=h(TID_{i}||GID_{n}||APG_{\ell }||M_{i}\,\,||X_{i}||Y_{i}||T_{1})$ sends a login request$MD_{i}$ to$\langle MID_{i},~MGW_{i},~MAPG^{i}_{\ell },~MLMA^{i}_{\ell },X_{i},V_{1},T_{1}\rangle $ .$AAS$ Upon receiving the login request,
checks the validity of timestamp$AAS$ .$T_{1}$ computes$AAS$ and$Y'_{i}=yX_{i}, TID'_{i}=MID_{i}\oplus h(X_{i}||Y'_{i})$ and retrieves$M'_{i}=h(TID'_{i}||ID_{AAS}||\alpha)$ ’s membership$U_{i}$ from the database using$M_{i}$ .$TID'_{i}$ checks whether$AAS$ is a member of$U_{i}$ by verifying$AAS$ . If this does not hold, then$M'_{i}\stackrel {?}{=}M_{i}$ rejects the$AAS$ ’s login request. Otherwise,$U_{i}$ computes$AAS$ , and$GID'_{j}=MGW_{i}\oplus h(Y'_{i}||T_{1}), APG'^{i}_{\ell }=MAPG^{i}_{\ell }\oplus h(M'_{i}||T_{1})$ and checks$V'_{1}=h(TID'_{i}||GID_{j}||APG'^{i}_{\ell }||M'_{i}||X_{i}||Y_{i}||T_{1})$ . If this does not hold, then$V'_{1}\stackrel {?}{=}V_{1}$ terminates the$AAS$ ’s login request. Otherwise,$U_{i}$ computes$AAS$ and checks whether the access privilege group$LMA'^{i}_{\ell }=MLMA^{i}_{\ell } \oplus h(TID'_{i}||T_{1})$ suggested by$APG'_{\ell }$ matches the data access privileges of the requested WSN in charge of$U_{i}$ . If so, then$GW_{j}$ retrieves$AAS$ , unique random number$APGs_{i}$ , and access privilege mask$APR_{\ell }$ regarding$APM_{\ell }$ .$APG'_{\ell }$ then checks that$AAS$ belongs to$APG'_{\ell }$ , computes$APGs_{i}$ , and checks$LMA''^{i}_{\ell }=h(M'_{i}||\beta ||APR_{\ell })$ to verify that$LMA''^{i}_{\ell }\stackrel {?}{=}LMA'^{i}_{\ell }$ actually has legitimate privileges of access privilege group$U_{i}$ . If this does not hold, then$APG'^{i}_{\ell }$ regards that$AAS$ does not have legitimate privilege and sends a message that it is inaccessible to the WSN to$U_{i}$ . Otherwise,$U_{i}$ generates a timestamp$AAS$ and computes$T_{2}$ , and$MID^{*}_{i}=h(TID'_{i}||GID'_{j}||Y'_{i}), MAPM_{\ell }=APM_{\ell }\oplus h(GID'_{j}||K_{j}||T_{2})$ .$V_{2}=h(MID^{*}_{i}||GID'_{j}||APM_{\ell }\,\,||X_{i}||K_{j}||T_{2})$ sends the message$AAS$ to$\langle MID^{*}_{i},~MAPM_{\ell },X_{i},V_{2},T_{2}\rangle $ .$GW_{j}$ Upon the receiving the message from
,$AAS$ checks the validity of timestamp$GW_{j}$ . If so, then$T_{2}$ computes$GW_{j}$ and$APM'_{\ell }=MAPM_{\ell }\oplus h(GID_{n}||K_{j}||T_{2})$ and checks$V'_{2}=h(MID^{*}_{i}||GID_{j}\,\,||APM_{\ell }||X_{i}||K_{j}||T_{2})$ . If this does not hold, then$V'_{2}\stackrel {?}{=}V_{2}$ terminates the session. Otherwise,$GW_{j}$ generates a random number$GW_{j}$ and timestamp$z$ and computes$T_{3}$ , and$Z_{j}=zP, SK=h(MID^{*}_{i}||SK),V_{3}=h(ID_{AAS}||GID_{j}||SK)$ .$V_{4}=h(MID^{*}_{i}||GID_{j}||Z_{j}||V_{3}||K_{j}\,\,||T_{3})$ finally sends the message$GW_{j}$ to$\langle Z_{j},V_{3},V_{4},T_{3}\rangle $ .$AAS$ Upon receiving the message from
,$GW_{j}$ checks the validity of timestamp$AAS$ . If so,$T_{3}$ computes$AAS$ and checks$V'_{3}=h(MID^{*}_{i}||GID_{j}||Z_{j}||V_{3}||K_{j}||T_{3})$ . If this does not hold, then$V'_{4}\stackrel {?}{=}V_{4}$ terminates the session. Otherwise,$AAS$ generates a timestamp$AAS$ and computes$T_{4}$ .$V_{5}=h(TID'_{i}||GID_{j}||M'_{i}||Z_{j}||V_{3}||Y'_{i}||T_{4})$ finally sends a response message$AAS$ to$\langle Z_{j}, V_{4},V_{5},T_{4}\rangle $ .$U_{i}$ Upon receiving the response message,
checks the validity of timestamp$MD_{i}$ . If so, then$T_{4}$ computes$MD_{i}$ , and$MID^{*}_{i}=h(TID_{i}||GID_{j}||Y_{i}), SK=h(MID^{*}_{i}||xZ_{j})$ and checks$V'_{3}=h(ID_{AAS}||GID_{j}||SK)$ . If this does not hold, then the session is terminated. Otherwise,$V'_{3}\stackrel {?}{=}V_{3}$ can be confident that$U_{i}$ is shared with the desired$SK$ .$GW_{j}$ , and then computes$MD_{i}$ and checks$V'_{5}=h(TID_{i}||GID_{j}||M'_{i}||Z_{j}||V_{3}||Y_{i}||T_{4})$ . If this does not hold, then the session is terminated. Otherwise,$V'_{5}\stackrel {?}{=}V_{5}$ and$AAS$ are authenticated by$GW_{j}$ , and$U_{i}$ shares a session key$U_{i}$ with$SK$ .$GW_{j}$
D. Password and Biometric Update Phase
This phase allows a user to update his/her own password
E. Access Privilege Update Phase
In most applications, there are often cases where a change in the access privileges given to a user is required owing to a change in policies, change in a user’s position, and so on. This phase is performed between
sends an update request with$AAS$ and new access privilege list$TID_{i}$ to$AL'_{i}$ to inform$MD_{i}$ that his/her access privileges need to be updated.$U_{i}$ Upon receiving the update request,
informs$MD_{i}$ .$U_{i}$ then inputs an identity$U_{i}$ , password$ID_{i}$ , and biometrics$PW_{i}$ into$Bio_{i}$ . Using the inputted user information and stored values,$MD_{i}$ then confirms$MD_{i}$ as in the login phase (step 1 in Section III-C) and replaces the stored$U_{i}$ with$AL_{i}$ . Finally,$AL'_{i}$ sends a message with the$MD_{i}$ that the access privilege list update is complete.$M_{i}$ After verifying the membership
of$M_{i}$ ,$U_{i}$ also replaces the stored$AAS$ with$APGs_{i}$ , including new access privilege groups for$APGs'_{i}$ .$U_{i}$
Security Analysis
In this section, we discuss the security of the proposed scheme by considering an informal and formal analysis. Using the widely accepted BAN logic [31], we prove that a session key can be correctly generated between
A. Authentication Proof Based on Ban Logic
We use BAN logic to prove the method in which a session key can be correctly generated between communicating parties during the AAK phase. The basic notations used in BAN logic are as follows:
:$P|\equiv X$ believes$P$ ,$X$ :$P\triangleleft X$ sees$P$ ,$X$ :$P|\sim X$ said$P$ ,$X$ :$P|\Rightarrow X$ has jurisdiction over$P$ ,$X$ :$\#(X)$ is fresh,$X$ :$P\stackrel {K}{\leftrightarrow }Q$ is the shared key between$K$ and$P$ ,$Q$ :$\langle X\rangle _{K}$ is combined with$X$ , and$K$ is usually a secret,$K$
Rule 1 (Message meaning rule)
: If$\frac {P|\equiv P\stackrel {K}{\leftrightarrow }Q,P\triangleleft \langle X\rangle _{K}}{P|\equiv Q|\sim X}$ believes that the$P$ is shared with$K$ and$Q$ sees$P$ combined with$X$ , then$K$ believes$P$ said$Q$ .$X$ Rule 2 (Nonce verification rule)
: If$\frac {P|\equiv \#(X),P|\equiv Q|\sim X}{P|\equiv Q|\equiv X}$ believes that$P$ is fresh and$X$ believes that$P$ said$Q$ , then$X$ believes that$P$ believes$Q$ .$X$ Rule 3 (Freshness conjuncation rule)
: If$\frac {P|\equiv \#(X)}{P|\equiv \#(X,Y)}$ believes that$P$ is fresh, then$X$ believes that$P$ is fresh.$(X,Y)$ Rule 4 (Jurisdiction rule)
: If$\frac {P|\equiv Q|\Rightarrow X,P|\equiv Q|\equiv X}{P|\equiv X}$ believes that$P$ has jurisdiction over$X$ and$X$ believes that$P$ believes$Q$ , then$X$ also believes$P$ .$X$
Goal 1:
$U_{i}|\equiv GW_{j}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ Goal 2:
$U_{i}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ Goal 3:
$GW_{j}|\equiv U_{i}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ Goal 4:
.$GW_{j}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$
:$M_{1}$ :$U_{i}\rightarrow AAS$ $\langle TID_{i}, GID_{j}, APG_{\ell }, LMA^{i}_{\ell }, X_{i}, ~T_{1}, U_{i}\stackrel {Y_{i}}{\longleftrightarrow } AAS\rangle _{M_{i}}$ :$M_{2}$ :$AAS\rightarrow GW_{j}$ $\langle GID_{j}, MID^{*}_{i}, APM_{\ell },X_{i}, T_{2}\rangle _{K_{j}}$ :$M_{3}$ :$GW_{j}\rightarrow AAS$ $\langle GID_{j}, MID^{*}_{i}, Z_{j}, V_{3}, T_{3}\rangle _{K_{j}}$ :$M_{4}$ :$AAS\rightarrow U_{i}$ .$\langle TID_{i}, GID_{j}, Z_{j}, V_{3}, T_{4}\rangle _{M_{i}}$
:$P_{1}$ $AAS|\equiv \#(T_{1})$ :$P_{2}$ $GW_{j}|\equiv \#(T_{2})$ :$P_{3}$ $AAS|\equiv \#(T_{3})$ :$P_{4}$ $U_{i}|\equiv \#(T_{4})$ :$P_{5}$ $U_{i}|\equiv (U_{i}\stackrel {M_{i}}{\longleftrightarrow }AAS)$ :$P_{6}$ $AAS|\equiv (U_{i}\stackrel {M_{i}}{\longleftrightarrow }AAS)$ :$P_{7}$ $GW_{j}|\equiv (GW_{j}\stackrel {K_{j}}{\longleftrightarrow }AAS)$ :$P_{8}$ $AAS|\equiv (GW_{j}\stackrel {K_{j}}{\longleftrightarrow }AAS)$ :$P_{9}$ $U_{i}|\equiv GW_{j}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ :$P_{10}$ .$GW_{j}|\equiv U_{i}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$
From
, we get$M_{1}$ :$V_{1}$ .$AAS\triangleleft \langle TID_{i}, GID_{j}, APG_{\ell },LMA^{i}_{\ell }, X_{i},T_{1}, ~U_{i}\stackrel {Y_{i}}{\longleftrightarrow } AAS\rangle _{M_{i}}$ Then, according to
, and Rule 1, we get$P_{6}, V_{1}$ :$V_{2}$ .$AAS|\equiv U_{i}|\sim \langle TID_{i}, GID_{j}, APG_{\ell },LMA^{i}_{\ell }, X_{i},~T_{1},U_{i}\stackrel {Y_{i}}{\longleftrightarrow } AAS\rangle $ According to
and Rule 3, we get$P_{1}$ :$V_{3}$ .$AAS|\equiv \#\langle TID_{i}, GID_{j}, APG_{\ell },LMA^{i}_{\ell }, X_{i},T_{1},~U_{i}\stackrel {Y_{i}}{\longleftrightarrow } AAS\rangle $ According to
, and Rule 2, we get$V_{2}, V_{3}$ :$V_{4}$ .$AAS|\equiv U_{i}|\equiv \langle TID_{i}, GID_{j}, APG_{\ell },LMA^{i}_{\ell }, X_{i},~T_{1},U_{i}\stackrel {Y_{i}}{\longleftrightarrow } AAS\rangle $ According to
, we get$M_{2}$ :$V_{5}$ .$GW_{j}\triangleleft \langle GID_{j}, MID^{*}_{i}, APM_{\ell },X_{i}, T_{2}\rangle _{K_{j}}$ According to
and Rule 1, we get$P_{7}$ :$V_{6}$ .$GW_{j}|\equiv AAS|\sim \langle GID_{j}, MID^{*}_{i}, APM_{\ell },X_{i}, T_{2}\rangle $ According to
and Rule 3, we get$P_{2}$ :$V_{7}$ .$GW_{j}|\equiv \#\langle GID_{j}, MID^{*}_{i}, APM_{\ell },X_{i}, T_{2}\rangle $ According to
, and Rule 2, we get$V_{6}, V_{7}$ :$V_{8}$ .$GW_{j}|\equiv AAS|\equiv \langle GID_{j}, MID^{*}_{i}, APM_{\ell },X_{i}, T_{2}\rangle $ According to
, we get$M_{3}$ :$V_{9}$ .$AAS\triangleleft \langle GID_{j}, MID^{*}_{i}, Z_{j}, V_{3}, T_{3}\rangle _{K_{j}}$ According to
and Rule 1, we get$P_{8}$ :$V_{10}$ .$AAS|\equiv |\sim \langle GID_{j}, MID^{*}_{i}, Z_{j}, V_{3}, T_{3}\rangle $ According to
and Rule 3, we get$P_{3}$ :$V_{11}$ .$AAS|\equiv \#\langle GID_{j}, MID^{*}_{i}, Z_{j}, V_{3}, T_{3}\rangle $ According to
, and Rule 2, we get$V_{10}, V_{11}$ :$V_{12}$ .$AAS|\equiv GW_{j}|\equiv \langle GID_{j}, MID^{*}_{i}, Z_{j}, V_{3}, T_{3}\rangle $ According to
, we get$M_{4}$ :$V_{13}$ .$U_{i}\triangleleft \langle TID_{i}, GID_{j}, Z_{j}, V_{3}, T_{4}\rangle _{M_{i}}$ According to
and Rule 1, we get$P_{5}$ :$V_{14}$ .$U_{i}|\equiv AAS|\sim \langle TID_{i}, GID_{j}, Z_{j}, V_{3}, T_{4}\rangle $ According to
and Rule 3, we get$P_{4}$ :$V_{15}$ .$U_{i}|\equiv \#\langle TID_{i}, GID_{j}, Z_{j}, V_{3}, T_{4}\rangle $ According to
, and Rule 2, we get$V_{14}, V_{15}$ :$V_{16}$ .$U_{i}|\equiv AAS|\equiv \langle TID_{i}, GID_{j}, Z_{j}, V_{3}, T_{4}\rangle $ As
and combining$SK=h(MID^{*}_{i}||xZ_{j})$ , we get$V_{12}, V_{16}$ :$V_{17}$ (Goal 1).$U_{i}|\equiv GW_{j}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ As
and combining$SK=h(MID^{*}_{i}||zX_{i})$ , we get$V_{4}, V_{8}$ :$V_{18}$ (Goal 3).$GW_{j}|\equiv U_{i}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ According to
and Rule 4, we get$P_{9},V_{17}$ :$V_{19}$ (Goal 2).$U_{i}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$ According to
and Rule 4, we get$P_{10},V_{18}$ :$V_{20}$ (Goal 4).$GW_{j}|\equiv (U_{i}\stackrel {SK}{\longleftrightarrow }GW_{j})$
B. Security Verification Using AVISPA
AVISPA is one of the widely accepted tools for semiautomated formal security analysis. AVISPA provides the High-Level Protocol Specification Language (HLPSL), a modular role-based expressive formal language, for specifying protocols and their security properties. The HLPSL specification of the protocols is translated into a lower-level description language using the HLPSL2IF translator [32], [33]. In AVISPA, the intruder is modeled using the Dolev-Yao model, and the output format (OF) is generated by applying one of four back ends: On-the-fly Model-Checker (OFMA), CL-based Attack Searcher (CL-AtSe), SAT-based Model-Checker (SATMC), or Tree-Automata-based Protocol Analyzer (TA4SP). The output describes precise information about the result and the conditions obtained.
The proposed scheme by AVISPA was simulated to evaluate its security. We first implemented the specifications in the HLPSL language for user
We executed the HLPSL specifications using the Security Protocol ANimator for AVISPA (SPAN) [34]. We chose the widely accepted OFMA and CL-AtSe back ends for the execution tests and a bounded number of session model checks. Figure 8 and 9 show the simulation results based on the OFMC and CL-AtSe back ends, respectively. The simulation results show that the proposed scheme is secure against passive and active attacks, such as the man-in-the-middle and replay attacks.
C. Informal Security Analysis
In this section, we show that the proposed scheme provides the desired security features and is also secure against well-known attacks.
1) Mutual Authentication
In steps 2) and 5) of Section III-C,
In steps 3) and 4) in Section III-C,
2) Anonymity and Untraceability
In the proposed scheme, the
In addition, for each session, every element of all messages during the AAK phase dynamically changes with random numbers and time stamps. Therefore, any adversary is unable to trace the different sessions of the specific user from the exchanged messages via public channels. Thus, the proposed scheme ensures the user anonymity with untraceability.
Further, the
3) Session Key Agreement, Known-Key Secrecy, and Forward and Backward Secrecy
During the AAK phase, a session key
Forward secrecy means that even if the long-term secret including the current session keys and all other long-term secret information is corrupted, then the past sessions are still secure. Backward secrecy is also referred to as future secrecy and guarantees the opposite direction of forward secrecy. In other words, this security property means that even if at some point the long-term secret information is corrupted, future messages can still be secure. As shown above, the session key
4) Resistance to Mobile Device Loss and Offline Password Guessing Attacks
If a mobile device
On the other hand, even if an adversary successfully extracts all information stored on
5) Resistance to Privileged Insider and Stolen Verifier Attacks
In a stolen verifier attack, an adversary steals or modifies the verification information (e.g., the plain texts of passwords, hashed passwords, biometric data, or hashed biometric key data) stored in the server’s database. However, in the proposed scheme,
6) Resistance to Impersonation Attacks
Assume that an adversary launches a user impersonation attack. The adversary may have the
Assume that an adversary with the intercepted messages of the previous session tries to impersonate
Assume that an adversary carries out a gateway impersonation attack. The adversary may have the intercepted messages of the previous session. For this attack, the adversary has to forge the message including a new timestamp transmitted from
7) Resistance to User Collusion Attacks
For authorization, in the registration phase,
Assume that a malicious user
8) Resistance to Desynchronization Attacks
In a desynchronization attack, an adversary breaks the synchronization of values shared between the server (or gateway) and users, making it impossible for users to log in and authenticate. In the proposed scheme, there is no need to update a temporal identity
D. Comparison of Security Features
In terms of security features, we compare the proposed scheme with recent three-factor authentication schemes [12]–[15] designed for IoT, except for Adavoudi-Jolfaei et al.’s scheme, which does not take IoT into account. Table 3 summarizes the comparison between the security features. From the results, we can see that the first three schemes do not support authorization. In addition, Maurya and Sastry’s scheme and Wadiz et al.’s scheme do not provide user anonymity or untraceability. In Maurya and Sastry’s scheme, a user’s identity is transmitted in plain text over the published channel, and Wadiz et al.’s scheme requires exhaustive searching to check whether the login user is the registered user. Jiang et al.’s scheme and Wadiz et al.’s scheme do not guarantee perfect forward secrecy, so both schemes risk exposing session keys if long-term secret information is compromised by an adversary. As we discussed in Section II-B, Adavoudi-Jolfaei et al.’s scheme does not provide sensor node anonymity, and it is insecure against user collusion and desynchronization attacks. However, the proposed scheme not only guarantees basic security requirements including authorization but can also resist most known attacks.
Performance Analysis
In this section, we summarize the performance of the proposed scheme and compare it with related schemes [12]–[15] in terms of the computation and communication costs. Table 4 summarizes the results of the performance comparison. As the proposed scheme employs a system model that is distinct from those of related schemes, for the proposed scheme, the performance of AAS and the gateway instead of that of the gateway and sensor node, respectively, are included and marked with square brackets.
A. Computation Cost
We analyze the computation cost of the proposed scheme and compare it with those of related schemes. We focus on the authentication and key agreement phase and do not consider XOR operations because the execution time is negligible. For a computation cost analysis, we define the execution time for the different cryptographic operations performed in two kinds of devices: a common PC and sensor mote. According to [5], for the user, server, and gateway, we use the execution time (
The comparison results imply that the computational costs are largely affected by the type of operations at the sensor node. Despite the use of ECC point multiplication, which is a high-cost operation, the computation cost of the proposed scheme was measured at its lowest because it uses a different system model. However, as mentioned earlier, the system model used in the proposed scheme is more suited and reasonable to a 5G-integrated IoT environment, so the proposed scheme can be said to be efficient while guaranteeing various security features including authorization.
B. Communication Cost
We analyze only the frequently performed authentication and key agreement phase and measure the communication costs in bits as the lengths of messages sent by each participant. For convenience, as with the previous computation cost analysis, we assume a one-way hash function, symmetric key encryption algorithm, and ECC elliptic curves as SHA-1, AES-128, and ECC sect163rl [43], respectively. In other words, we assume that the length of the hash digest is 160 bits, the block size of the encryption message is 128 bits, and the size of the elliptic curve point is 326 bits. In particular, for encryption messages, the ciphertext length is calculated as a multiple of the block size. The other values such as identities and random numbers except for timestamps, whose length is 32 bits, are often XORed with the hash digest, so we assume their lengths are 160 bits.
The communication cost analysis in Table 5 shows that Adavoudi-Jolfaei et al.’s scheme has the lowest total communication cost, and the communication costs of all schemes are lower than that of the proposed scheme. However, this can be justified as the proposed scheme provides better security and additional security features (e.g., authorization) compared with the related schemes.
Conclusion
In this paper, we analyzed the three-factor authentication and access control scheme of Adavoudi-Jolfaei et al. and showed its security weaknesses. Adavoudi-Jolfaei et al.’s scheme does not support sensor node anonymity as strongly as user anonymity in WSNs and IoT. Furthermore, the scheme suffers from user collusion attacks because all users have the same values for access control and the gateway node does not check whether the presented access privilege from the user is indeed the user’s privilege. To provide user anonymity and untraceability and to prevent a replay attack, the scheme uses a transaction sequence number as a one-time pseudonym, and it is updated for every session. However, this value becomes a target of desynchronization attacks.
We then introduced a system architecture suitable for WSNs in 5G-integrated IoT. Based on this architecture, we proposed an ECC-based three-factor authentication, authorization, and key agreement scheme. Through a formal and informal security analysis of the proposed scheme, we showed that our scheme is capable of withstanding all possible attacks, and that it supports various security features. We also evaluated the performance of the proposed scheme. By comparing the security and performance of the proposed scheme with those of related schemes, we demonstrated that the proposed scheme achieves all desired security features without largely worsening the communication costs.
In our future work, we expect to evaluate the performance of the proposed scheme either by simulating it using NS3 or conducting experiments on actual devices (e.g., smartphones and sensor motes) in WSNs for 5G-integrated IoT. Based on the experimental results, we plan to optimize the proposed scheme and improve its performance.