Toward Designing a Secure Authentication Protocol for IoT Environments

Abstract

Authentication protocol is a critical part of any application to manage the access control in many applications. A former research recently proposed a lightweight authentication scheme to transmit data in an IoT subsystem securely. Although the designers presented the first security analysis of the proposed protocol, that protocol has not been independently analyzed by third-party researchers, to the best of our knowledge. On the other hand, it is generally agreed that no cryptosystem should be used in a practical application unless its security has been verified through security analysis by third parties extensively, which is addressed in this paper. Although it is an efficient protocol by design compared to other related schemes, our security analysis identifies the non-ideal properties of this protocol. More specifically, we show that this protocol does not provide perfect forward secrecy. In addition, we show that it is vulnerable to an insider attacker, and an active insider adversary can successfully recover the shared keys between the protocol’s entities. In addition, such an adversary can impersonate the remote server to the user and vice versa. Next, the adversary can trace the target user using the extracted information. Finally, we redesign the protocol such that the enhanced protocol can withstand all the aforementioned attacks. The overhead of the proposed protocol compared to its predecessor is only 15.5% in terms of computational cost.

1. Introduction

The Internet of Things (IoT) improves daily life by providing a communication link between various items. This communication allows us to monitor those things in real-time and take the necessary actions to improve the process. An IoT reference model [1], including several levels, started from devices/sensors for different purposes and from different technologies such as RFID and Bluetooth Low Energy (BLE) ended at symbolizing empowered individuals and corporate processes that use IoT-enabled data to drive action. However, information security risks can affect the data and communication in each conceptualization level of an IoT system as well as their connections. Hence, each device or subsystem must be secured.

Although IoT security requires a multi-tiered strategy [1], the bulk of data at the lower layer and also between this layer and the penultimate layer, which provides connectivity between the devices and the edge computing devices, is vulnerable to adversarial access. Various ways might be used to increase the security of the transmitted data. Among them, the authentication technique is a crucial method of differentiating between friends and foes. Various authentication schemes have been proposed by researchers and each of them has its own advantages and drawbacks. In recent research, Son et al. [2] independently analyzed the security of an authentication protocol that has been designed by Rajaram et al. [3]. Their investigation revealed that the examined scheme has some flaws and cannot provide the desired security for sensitive data, which is transferred in the edge layer of an IoT system. Furthermore, Rajaram et al.’s scheme employs bilinear pairing through protocol computations, which has a significant computational cost. To overcome that scheme’s drawbacks, Son et al. have introduced a new one-way cryptographic hash function-based two-factor authentication protocol. The proposed protocol also benefits from an updating system to address user anonymity. As a result, this scheme is more efficient by design compared with the Rajaram et al.’s scheme. They also evaluated its security against common attacks, e.g., replay and privileged insider attacks, besides support for perfect secrecy, user anonymity, and user untraceability. It demonstrates that Son et al.’s protocol is a good solution for many applications, particularly those with few participants, such as passive RFID tags, assuming that these security assertions are also supported by independent third-party security research. Hence, we opted to analyze the security of this system in this work because there has been no previous such security study for it.

1.1. Our Contributions

Our main findings in this paper are highlighted below:

• We conduct the first independent security analysis of a recently proposed scheme [2], to the best of our knowledge;
• We demonstrate that assuming an adversary accesses long-term secrets and also monitors the messages transferred over the secure channel; it can retrieve the shared key at the end of the session.
• We demonstrate that an adversary with access to the user’s smartcard and the publicly transferred data on n subsequent sessions can extract the session key of $n-2$ sessions and also trace the user.
• We efficiently redesign Son et al.’s protocol to overcome the mentioned security flaws. Our cost analysis shows that the overhead of the new protocol is just 15.5%.

1.2. Paper Organization

The required background, notations, a shallow survey of related works, and a brief background of cryptographic hash functions are described in Section 2. Next, we investigate the suggested protocol in a former study in Section 2.5. Then, a comprehensive security investigation of that protocol is given in Section 3. The improved protocol is included in Section 4. Finally, Section 6 provides concluding remarks.

2. Preliminaries

2.1. Notation

In this study, we employ the list of notations provided by

Table 1. The list of the used notations.

Symbol	Description
$U_X$	The user X
$RS$	The remote server
$I{D}_{{}_X}$	The unique identifier of $U_X$, of low entropy domain
$PW{}_X$	The secret password of $U_X$, of low entropy domain
$r,t$	The random numbers produced by $U_X$ and $RS$, respectively
$PW{D}_X$	A parameter that computed as $PW{D}_X=H(P{W}_x\parallel r)$ by $U_X$
$S{C}_X$	A smartcard of $U_X$, issued by $RS$
$TI{D}_X$	Temporary identifier of $U_X$
$PI{D}_X$	Temporary secret identifier of $U_X$
$H(·)$	A one-way cryptographic hash function
$a_x,b_x$	Fresh random numbers generated at each session, respectively by $U_X$ and $RS$
s	$RS$’s permanent secret key
$SK$	Shared key between $U_X$ and $RS$

.

2.2. Related Works

The three most critical principles in information security are confidentiality, integrity, and authenticity. Authentication protocols are a crucial component of the majority of security mechanisms that are used to perform essential access control linked to authenticity or key agreement to ensure confidentiality. Although authentication techniques such as TLS and SSL are commonly used on the internet, they cannot be employed in IoT systems, owing to numerous resource constraints. As a result, many attempts have been made to develop a suitable authentication scheme for IoT devices.

A cryptographic protocol should adhere to the confusion and diffusion properties, just like any other cryptographic primitive, to offer adequate protection against attackers. Most of the proposed authentication protocols can be categorized as ultralightweight, lightweight, or non-lightweight protocols from a high-level perspective regarding the components used. The foundation of ultralightweight protocols is bit-level operations such as Exclusive-or (XOR), Rotation, AND, and OR, for instance, SASI [4], RAPP [5], R${}^2$AP [6], RCIA [7], KMAP [8], SLAP [9], SecLAP [10], Eghdamian and Samsudin’s protocol [11], David-Prasad ultralightweight authentication protocol [12], and UMAPSS [13]. However, due to a lack of sufficient confusion and diffusion, nearly all protocols in this class have been severely degraded up to this point [14,15,16,17,18,19,20,21]. Precisely, Avoin et al. [15] demonstrates that a long-term key, which is shared between a reader and a tag in Eghdamian and Samsudin’s ultralightweight mutual authentication protocol [11], can be obtained by an adversary. In addition, Avoin et al. also in [14] offered guidelines to design a secure ultralightweight authentication protocol. A passive full secret disclosure attack on SASI was presented in [16]. Phan et al. proved in [17] that the SASI did not achieve one of its design goals, the non-traceability property. [18] presented a desynchronization attack and secret disclosure attack against the SASI. [20] provides powerful desynchronization, traceability and secret disclosure attack against RAPP. Barrero et al. [21] presented a Tango genetic attack that employs a genetic algorithm to facilitate the generation of automatic cryptanalysis of the proposed protocol in [12]. In particular, most of the ultralightweight protocols update the secret parameters to prevent traceability while shifting the expense of the session-dependent ephemeral keys to the server or reader side, for example, to lower the sensor side cost. However, Safkhani et al. demonstrated that all such protocols are vulnerable to a desynchronization attack, in which the adversary compels the server and the sensor to maintain inconsistent sharing data and prevents them from authenticating one another as a result [19].

Table 2. Summary of ultralightweight security protocols and their cryptanalysis.

Protocol	Protocol Class	Reference of Its Security Analysis
[4]	ultralightweight	[16,17,18,19]
[5]	ultralightweight	[19,20]
[6]	ultralightweight	[19]
[7]	ultralightweight	[19]
[8]	ultralightweight	[19]
[9]	ultralightweight	[19]
[10]	ultralightweight	[19]
[11]	ultralightweight	[15]
[12]	ultralightweight	[21]
[13]	ultralightweight	[19]

summarizes the ultralightweight authentication protocols and the security analysis reports that have been presented against them.

On the other hand, lightweight protocols are using lightweight yet reliable cryptographic primitives, e.g., block cipher [22,23], stream cipher [24], hash function [25,26,27,28], and authenticated encryption [29], to achieve acceptable security. They are symmetric by nature; however, if they are also scalable, they might not offer complete anonymity. Furthermore, if the protocol’s parties keep the shared parameters fixed, it will not guarantee perfect secrecy. It is important to note that backward secrecy and forward secrecy are two terms used in the field of security analysis. With forward secrecy, the adversary cannot obtain the session keys from earlier sessions even if the long-term secret values are disclosed.

It is intended to alleviate the shortcomings of lightweight protocols utilizing asymmetric components, such RSA [30,31], pairing [3,32,33] or ECC [34,35,36,37,38,39]. However, those primitives are time-consuming; therefore, they might not be the best option for devices with limited resources.

While most of the above-mentioned protocols rely on centralized servers for time-consuming computations and data storage, many other researchers recently target decentralized approaches, thanks to the recent advances in blockchain technology. Depending on the application, solutions are based on public blockchain [40], consortium blockchain [41] or private blockchain [42]. Each type of blockchain has its pros and cons and depending on the application it should be adopted. For instance, in a public blockchain, it should be possible for anyone to join the network to create blocks and read transactions. This could be a limitation in some applications with restrictions on the leaked data. In such applications, it may be better to use other types of blockchain.

The sensor nodes and edge devices in IoT systems are dispersed throughout the field and could be accessed by the adversary physically. Another class of protocols has been developed to include the device’s fingerprint throughout the authentication process to prevent such attacks. Such a fingerprint may be produced by a physically unclonable function(PUF) [43,44,45,46,47,48]. The security of such protocols may seem promising if the PUF being used behaves in an ideal manner (i.e., behave fully reliable and random); however, the PUF response relies on the environment and is not entirely random. Consequently, certain protocols could be the target of modeling attacks [49,50,51]. In a human-assisted protocol, employing user name and password along with a smartcard is an option [52,53,54,55] or the user biometrics [56,57,58,59]. However, the disadvantage of the user name and password is that they have low entropy (because they must be memorized), and the disadvantage of biometrics is that they are noisy and require a fuzzy extractor, which takes time. Additionally, many IoT devices, particularly detecting sensors, operate through processes without requiring user input. However, such a solution is useful for many applications, such as mobile devices. Son et al.’s protocol belongs to the smartcard-based protocols and its security against various attacks is not clear, which we investigate in this study.

Table 3. Classification of related work protocols based on their types.

Protocol	Protocol Class
[4,5,6,7,8,9,10,11,12,13]	Ultralightweight
[43,44,45,46,47,48]	PUF based
[52,53,54,55]	Smartcard based
[56,57,58,59]	Biometric based
[40,41,42]	Blockchain based

categorizes the protocols reviewed in this section according to their type.

2.3. Hash Function

A hash function is a frequently used primitive that converts a message of any length into a message digest of a specific length (n), such as $H(·):{\{0,1\}}^{*}\to {\{0,1\}}^n$. Most applications require $128\ne n\ne 512$. NIST has standardized three well-known hash functions: SHA-1, SHA-2, and SHA-3. However, SHA-1 is no longer secure due to known attacks [60]. Aside from those hash functions, some hash functions for constrained environments have been developed, such as Quark [61], SPONGNET [62] and PHOTON [63].

Any secure cryptographic hash function should meet the following requirements:

• Collision Resistance: the computational complexity expected to find a pair $(M,M^{\prime })$ such that $M\ne M^{\prime }$ and $H\left(M\right)=H\left(M^{\prime }\right)$ should be $2^{n/2}$.
• Preimage Resistance: given a message digest $Y\in {\{0,1\}}^n$, the expected computational complexity for finding a message M such that $H\left(M\right)=Y$ should be $2^n$.
• Second Preimage Resistance: given a message $M\in {\{0,1\}}^{*}$, the expected computational complexity to find a message $M^{\prime }\ne M$ such that $H\left(M\right)=H\left(M^{\prime }\right)$ should be $2^n$.

In practice, hash functions use compression functions to compute the hash digest of an arbitrary-length message, such as Sponge [64] and Merkle-Damgård [65], are used to process a message of any length. As a security metric, such a hash function should be indistinguishable from a random oracle [66].

2.4. System Model

The used system model includes these entities: the user(s), the remote server, and the attacker. The secure channel is used for system setup and registration, whereas the public channel is used for user authentication. A secure channel is a method of transmitting data that is impervious to monitoring and manipulation. Symmetric keys are used between two parties to encrypt data from beginning to end. An insecure channel, in contrast to a secure channel, is not encrypted and is vulnerable to monitoring and tampering. If the information to be communicated is encrypted before being transmitted, secure communications are possible over an insecure channel.

Following the assumption of the former study [2] and similar to [67,68,69], Dolev-Yao (DY) [70], for an active adversary, and Canetti and Krawczyk (CK) [71] adversary models for a stronger attacker that has more capabilities than in the DY model. All attackers are active and capable of listening in, stopping, altering, or beginning message delivery.

In this study, we also consider an insider adversary’s risk. This adversary could be the source of long-term secrets or privately transmitted data leakage. We consider perfect secrecy, for example, to assess the sustainability of the target protocol against the leakage of long-term secrets and its impact on the security of previous sessions. On the other hand, to assess the later risk, we consider the impact of an insider attack. As shown in Figure 1, such an adversary could access the exchanged messages during the registration phase, which is assumed to take place over a secure channel.

2.5. SPP Description

Son et al.’s scheme, which we call it SPP (the designers are Son, Park and Park), consists of five phases, i.e., initialization phase, registration phase, login phase, authentication phase, and password updating phase. For more details of these steps, we refer the interested reader to the original paper [2].

3. Security Analysis of SPP

SPP exceeds its predecessors regarding efficiency, although it is unclear how secure it is. As a result, a thorough security study can shed light on its particular security pros and downsides.

3.1. Insider Adversary

An insider attacker is a cyber-security danger that originates within a company. Access to the secret channel is a frequent advantage that an insider has over a regular adversary. If an insider attacker acquires a significant advantage in attacking a protocol as a result of this access, the target protocol becomes vulnerable to insider attack. In summary, an insider adversary is an authorized user in the system who can access the secure channels such as a registration channel.

An insider adversary has access to $I{D}_X$ and $PW{D}_X=H(P{W}_x\parallel r)$ and it is also given the content of the smartcard, i.e., $(A_X,B_X,C_X,Aut{h}_X)$, where:

$$\begin{array}{cc}\hfill A_X=& r\oplus H(I{D}_X\parallel P{W}_X)\hfill \\ \hfill B_X=& TI{D}_X\oplus H(I{D}_X\parallel P{W}_X\parallel r)\hfill \\ \hfill C_X=& PI{D}_X\oplus H(TI{D}_X\parallel r)\hfill \\ \hfill Aut{h}_X=& H(I{D}_X\parallel P{W}_X)modl\hfill \\ \hfill TI{D}_X=& H(I{D}_x\parallel t)\hfill \\ \hfill PI{D}_X=& H(TI{D}_x\parallel s)\hfill \end{array}$$

.

Apart from $TI{D}_X$ and timestamps $T_1$ and $T_2$, the following messages are transferred over the wireless channel:

$$\begin{array}{cc}\hfill M_1=& H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus a_X\hfill \\ \hfill M_2=& H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)\hfill \\ \hfill M_3=& H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus b_X\hfill \\ \hfill M_4=& PI{D}_X^{new}\oplus H(TI{D}_X^{new}\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X)\hfill \\ \hfill M_5=& H(SK\parallel PI{D}_X^{new}\parallel T_2)\hfill \end{array}$$

where,

$$\begin{array}{cc}\hfill SK=& H(PI{D}_X\parallel a_X\parallel b_X)\hfill \\ \hfill TI{D}_X^{new}=& TI{D}_X\oplus b_X\hfill \\ \hfill PI{D}_X^{new}=& H(TI{D}_X^{new}\parallel s)\hfill \end{array}$$

Consider a naive opponent who has access to $S{C}_X$ and the data exchanged over the public channel. Such an opponent can estimate both $I{D}_X$ and $P{W}_X$ simultaneously, and then use $A_X$ to extract r, and the provided $TI{D}_X$ from the public channel checks the accuracy of the guessed $I{D}_X$ and $P{W}_X$ using $B_x\oplus TI{D}_x=H(I{D}_X\parallel P{W}_X\parallel r)$. Assuming that the entropy of $I{D}_X$ and $P{W}_X$ is ${\mathcal{H}}_{ID}$ and ${\mathcal{H}}_{PW}$, respectively, the estimated complexity to drive $I{D}_X$ and $P{W}_X$ using the dictionary attack is $2^{{\mathcal{H}}_{ID}+{\mathcal{H}}_{PW}}$. An insider adversary with access to the sent data from $U_X$ at the registration process, on the other hand, knows $I{D}_X$ and $PW{D}_X=H(P{W}_X\parallel r)$. Given $I{D}_X$, the adversary guesses $P{W}_X$ to determine $r=A_X\oplus H(I{D}_X\parallel P{W}_X)$ and uses either $PW{D}_X=H(P{W}_x\parallel r)$ or $B_x\oplus TI{D}_x=H(I{D}_X\parallel P{W}_X\parallel r)$ to validate the guessed $P{W}_X$ value. The complexity of this attack is $2^{{\mathcal{H}}_{PW}}$, which is a significant advantage over $2^{{\mathcal{H}}_{ID}+{\mathcal{H}}_{PW}}$ for a naive attacker. Consider the case when ${\mathcal{H}}_{ID}={\mathcal{H}}_{PW}=32$. The insider adversary is thus required to execute $2\times 2^{32}$ calculations to extract $P{W}_X$, which can be conducted in seconds on a typical personal computer, but a naive adversary is anticipated to do $2\times 2^{64}$ computations, which is presently not doable even for a medium-sized corporation [60]. As a result, SPP is vulnerable to a privileged opponent who has access to the protocol’s registration step.

3.2. Key Recovery by an Insider Adversary

Consider an attacker with access to $I{D}_X$ and $PW{D}_X=H(P{W}_X\parallel r)$. Moreover, let the attacker intercepts the transmitted messages in three subsequent sessions, namely i, $i+1$, and $i+2$. In addition to $TI{D}_X^i$, $T_1^i$ and $T_2^i$, the messages exchanged in $j^{th}$ session, for $i\le j\le i+2$, are as follows:

$$\begin{array}{cc}\hfill M_1^j=& H(PI{D}_X^j\parallel H(I{D}_X\parallel PW{D}_X))\oplus a_X^j\hfill \\ \hfill M_2^j=& H(TI{D}_X^j\parallel PI{D}_X^j\parallel a_X^j\parallel T_1^j)\hfill \\ \hfill M_3^j=& H(PI{D}_X^j\parallel H(I{D}_X\parallel PW{D}_X))\oplus b_X^j\hfill \\ \hfill M_4^j=& PI{D}_X^{j+1}\oplus H(TI{D}_X^{j+1}\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X^j)\hfill \\ \hfill M_5^j=& H(SK\parallel PI{D}_X^{j+1}\parallel T_2^j)\hfill \end{array}$$

where

$$\begin{array}{cc}\hfill S{K}^j=& H(PI{D}_X^j\parallel a_X^j\parallel b_X^j)\hfill \\ \hfill TI{D}_X^{j+1}=& TI{D}_X^j\oplus b_X^j\hfill \\ \hfill PI{D}_X^{j+1}=& H(TI{D}_X^{j+1}\parallel s)\hfill \end{array}$$

Given this knowledge, the adversary does the following step-by-step computations for $i\le j\le i+1$:

$$\begin{array}{cc}\hfill b_X^j=& TI{D}_X^j\oplus TI{D}_X^{j+1}\hfill \\ \hfill H(PI{D}_X^j\parallel H(I{D}_X\parallel PW{D}_X))=& M_3^j\oplus b_X^j\hfill \\ \hfill a_X^j=& H(PI{D}_X^j\parallel H(I{D}_X\parallel PW{D}_X))\oplus M_1^j\hfill \\ \hfill PI{D}_X^{j+1}=& M_4^j\oplus H(TI{D}_X^{j+1}\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X^j)\hfill \\ \hfill M_2^j=& H(TI{D}_X^j\parallel PI{D}_X^j\parallel a_X^j\parallel T_1^j)\hfill \\ \hfill M_3^j=& H(PI{D}_X^j\parallel H(I{D}_X\parallel PW{D}_X))\oplus b_X^j\hfill \\ \hfill M_5^j=& H(SK\parallel PI{D}_X^{j+1}\parallel T_2^j)\hfill \end{array}$$

Following these computations, the adversary has $PI{D}_X^{i+1}$, $a_X^{i+1}$ and $b_X^{i+1}$, which are sufficient to calculate $S{K}^{i+1}=H(PI{D}_X^{i+1}\parallel a_X^{i+1}\parallel b_X^{i+1})$. If the adversary eavesdrops on $n\ge 3$ consequence sessions, it may identify the shared session key of $n-2$ sessions.

3.3. Impersonation by the Insider Adversary

Let us give the adversary access to the messages exchanged over the secure channel, i.e., $I{D}_X$ and $PW{D}_X=H(P{W}_x\parallel r)$. Following the stated assault in the preceding section, such an adversary can also access $PI{D}_X$ and $TI{D}_X$ from the channel. Hence, the attacker can compute the necessary information to be authenticated as a valid user by $RS$. To be more explicit, given this information, the adversary constructs $a_X\in Z_P$ and extracts $T_1$ to compute $M_1=H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus a_X$ and $M_2=H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)$, and transmits $(TI{D}_X,M_1,M_2,T_1)$ to $RS$. Obviously, $RS$ accepts this authentication message, and the attacker is authenticated as a real user.

Given $I{D}_X$ and $PW{D}_X=H(P{W}_X\parallel r)$ from the registration phase, $TI{D}_X$ from the channel, and $PI{D}_X$ from the attack outlined in Section 3.2, you may impersonate the server. The attacker can spoof the $U_X$ toward the $RS$. Next, once $U_X$ computed $M_1=H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus a_X$, $M_2=H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)$ and sends $(TI{D}_X,M_1,M_2,T_1)$ to $RS$, the adversary extracts $a_X=H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus M_1$, generates $b_X\in Z_P$, computes $TI{D}_X^{new}=TI{D}_X\oplus b_X$, $PI{D}_X^{new}=H(TI{D}_X^{new}\parallel s)$, $M_3=H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus b_X$, $M_4=PI{D}_X^{new}\oplus H(TI{D}_X^{new}\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X)$, $SK=H(PI{D}_X\parallel a_X\parallel b_X)$, and $M_5=H(SK\parallel PI{D}_X^{new}\parallel T_2)$. Finally, it sends $(M_3,M_4,M_5,T_2)$, which is approved, and the attacker is identified as a valid server.

3.4. The Lack of Perfect Secrecy

Backward secrecy and forward secrecy are two concepts used in security analysis. Forward Secrecy prevents an attacker from recovering previous session keys once the long-term secret value has been revealed. According to backward secrecy, future session keys cannot be obtained by an adversary even if the long-term secret value is revealed. Perfect secure is a term used to describe a protocol that possesses both forward secrecy and backward secrecy capabilities.

Exposing a protocol participant’s long-term secrets should have no effect on the security of the shared session keys in the past in order to provide forward secrecy [72]. In the registration process, $RS$ keeps $(TI{D}_X,H(I{D}_X\parallel PW{D}_X))$ for each user. While $TI{D}_X$ is changed after each successful protocol session, $H(I{D}_X\parallel PW{D}_X)$ is constant. As a result, it is vulnerable to long-term information leakage, which should not jeopardize the security of the previous session if provided to the adversary at any moment. However, if the adversary eavesdropped on $n\ge 3$ consequence sessions and is later supplied $H(I{D}_X\parallel PW{D}_X)$, it may use the proposed attack in Section 3.2 to recover $n-2$ shared session keys. As a result, SPP does not guarantee absolute forward secrecy.

Traceability and Anonymity

Given that a privileged insider has access to $TI{D}_X$, $PI{D}_X$ and $H(I{D}_X\parallel PW{D}_X)$, based on the arguments supplied in prior sessions, it may simply trace the modified values of $TI{D}_X$ and $PI{D}_X$ from one session to the next, providing it is monitoring all sessions. However, if it fails to synchronize, it only takes three subsequent successful sessions to synchronize and retrace the target user. As a result, SPP protocol is vulnerable to Traceability by a privileged insider opponent.

4. Enhanced Protocol

The Enhanced Protocol, like its predecessor, SPP, has five pahes, which are discussed in this section.

4.1. Initialization Phase

In the initialization phase run by the remote server $RS$, a large prime q is selected, a secret key $s\in Z_P^{*}$ is chosen and a hash function $H(·):{\{0,1\}}^{*}\to Z_P$. $RS$ keeps s securely and publishes $(q,H(·\left)\right)$ over the network.

4.2. Registration Phase

Any user $U_X$, which aims to participate in the communication network legitimately, should be registered to $RS$. To do so, $U_X$ chooses the identity and password $I{D}_X$ and $P{W}_X$, generates a random value $r\in Z_P^{*}$, computes $PW{D}_X=H(P{W}_x\parallel r)$ and $HI{D}_X=H(I{D}_x\parallel r)$ and sends $(HI{D}_X,PW{D}_X)$ to the remote server. The pseudo identifier $HI{D}_x$ should be unique, otherwise, the registration will be rejected by $RS$. Assuming $HI{D}_X$ is unique, $RS$ generates a random value $t\in Z_P^{*}$, computes $TI{D}_X=H(HI{D}_x\parallel t)$, $PI{D}_X=H(TI{D}_x\parallel s)$ and $(TI{D}_X,H(s\parallel TI{D}_x)\oplus H(HI{D}_X\parallel PW{D}_X))$ in its secure memory and stores $(TI{D}_X,PI{D}_X,H(·))$ in a smartcard $S{C}_X$ and sends it to $U_X$. Once received $S{C}_X$, the user computes $A_X=r\oplus H(I{D}_X\parallel P{W}_X)$, $B_X=TI{D}_X\oplus H(I{D}_X\parallel P{W}_X\parallel r)$, $C_X=PI{D}_X\oplus H(TI{D}_X\parallel r)$, and $Aut{h}_X=H(I{D}_X\parallel P{W}_X\parallel r\parallel PI{D}_X\parallel TI{D}_X)$ and stores them in the received $S{C}_X$.

4.3. Login and Authentication Phases

To share a session key $SK$, as it is depicted in Figure 2, the user should login successfully using its smartcard $S_X$ and also should be authenticated by the remote server. The required process is as follows:

1.

$U_X$ inputs $I{D}_X$ and $P{W}_X$ in $S{C}_X$. Then, $S{C}_X$ computes $r=A_X\oplus H(I{D}_X\parallel P{W}_X)$, $TI{D}_X=B_X\oplus H(I{D}_X\parallel P{W}_X\parallel r)$, $PI{D}_X=C_X\oplus H(TI{D}_X\parallel r)$, and checks $Aut{h}_X\stackrel{?}{=}H(I{D}_X\parallel P{W}_X\parallel r\parallel PI{D}_X\parallel TI{D}_X)$. If they are equal, $S{C}_X$ generates $a_X\in Z_P$ and extracts the current timestamp $T_1$, and computes $HI{D}_X=H(I{D}_x\parallel r)$, $M_1=H(PI{D}_X\parallel H(HI{D}_X\parallel PW{D}_X))\oplus a_X$ and $M_2=H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)$ and sends $(TI{D}_X,M_1,M_2,T_1)$ to $RS$.

2.

When $RS$ receives the authentication request message $(TI{D}_X,M_1,M_2,T_1)$, verifies timestamp $T_1$ based on the current timestamp $T_2$ and given $TI{D}_X$ retrieves $H(HI{D}_X\parallel PW{D}_X)$ from the stored $(TI{D}_X,H(s\parallel TI{D}_x)\oplus H(HI{D}_X\parallel PW{D}_X))$ in its memory and computes $PI{D}_X=H(TI{D}_X\parallel s)$ and $a_X=H(PI{D}_X\parallel H(HI{D}_X\parallel PW{D}_X))\oplus M_1$ to verify whether $M_2\stackrel{?}{=}H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)$. Assuming it is valid, it generates $b_X\in Z_P$, computes $TI{D}_X^{new}=H(HI{D}_X\parallel PW{D}_X)\oplus TI{D}_X\oplus b_X$, $PI{D}_X^{new}=H(TI{D}_X^{new}\parallel s)$, $M_3=H(H(HI{D}_X\parallel PW{D}_X)\parallel PI{D}_X)\oplus b_X$, $M_4=PI{D}_X^{new}\oplus H(TI{D}_X^{new}$$\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X)$, $SK=H(PI{D}_X\parallel a_X\parallel b_X)$, and $M_5=H(SK\parallel PI{D}_X^{new}\parallel T_2)$. Then it sends $(M_3,M_4,M_5,T_2)$ to the user. The server also labelled $(TI{D}_X,H(s\parallel TI{D}_x)\oplus H(HI{D}_X\parallel PW{D}_X))$ as old and stores $(TI{D}_X^{new},H(s\parallel TI{D}_x^{new})\oplus H(HI{D}_X\parallel PW{D}_X))$ as the latest record for $U_X$.

3.

$U_X$ verifies the received $T_2$ to compute $b_X=H(H(HI{D}_X\parallel PW{D}_X)\parallel PI{D}_X)\oplus M_3$, $TI{D}_X^{new}=H(HI{D}_X\parallel PW{D}_X)\oplus TI{D}_X\oplus b_X$, $PI{D}_X^{new}=M_4\oplus H(TI{D}_X^{new}\parallel H(HI{D}_X\parallel$$PW{D}_X)\parallel b_X)$, and $SK=H(PI{D}_X\parallel a_X\parallel b_X)$, and checks whether $M_5\stackrel{?}{=}H(SK\parallel PI{D}_X^{new}\parallel T_2)$. If they are equal, the session key is established. After that, $U_X$ computes $B^{new}=TI{D}^{new}\oplus H(HI{D}_X\parallel P{W}_X\parallel r)$, $C^{new}=PI{D}^{new}\oplus H(TI{D}^{new}\parallel r)$, and $Aut{h}^{new}=H(I{D}_X\parallel P{W}_X\parallel r\parallel PI{D}_X^{new}$$\parallel TI{D}_X^{new})$. Subsequently, $U_X$ updates $(B_X,C_X,Aut{h}_X)$ to $(B^{new},C^{new},Aut{h}^{new})$ in $S{C}_X$.

4.4. Password Change Phase

To change the current password, $U_X$ generates a new password $P{W}_X^{new}$ and a random number $r^{new}$, computes $PW{D}_X^{new}=H(P{W}_X^{new}\parallel r^{new})$, and sends a password change request message to $RS$ including $(I{D}_X,PW{D}_X^{new})$. After that, $RS$ updates $H(HI{D}_X\parallel PW{D}_X)$ to $H(HI{D}_X\parallel PW{D}_X^{new})$ and the password update is completed.

5. On the Security and Efficiency of the Enhanced Protocol

One method for avoiding dictionary attacks is to utilize a resource-intensive hash function to slow down the password search. As a result, specific hash algorithms for password hashing, such as bcrypt [73], have been suggested in the literature. However, if we suppose the user is a resource-constrained device such as a smart meter, such an approach may not be viable for IoT systems. Furthermore, if we provide the opponent with the content of the smartcard, it may perform an offline dictionary attack on a strong server, implying that the password’s hash would only slow down the genuine user and not the enemy. Hence, we assume that we will use a conventional hash function such as SHA2 [74] or a lightweight hash function, such as Quark [61] or PHOTON [63], which were designed for resource-constrained environments, but we will try to avoid the specific attack by involving salt in the computation and increasing the entropy space by the concatenation of $HI{D}_X\parallel PW{D}_X$.

In the amended protocol, in the registration phase $U_X$ computes $PW{D}_X=H(P{W}_x\parallel r)$ and $HI{D}_X=H(I{D}_x\parallel r)$ and sends $(HI{D}_X,PW{D}_X)$ to $RS$. Since the insider has no access to r and r is selected randomly, its advantage due to the direct access to $I{D}_X$ vanished in the enhanced protocol. On the other hand, the stored value on the remote server side is changed to $(TI{D}_X,H(s\parallel TI{D}_x)\oplus H(HI{D}_X\parallel PW{D}_X))$ from $(TI{D}_X,H(I{D}_X\parallel PW{D}_X))$. Since the insider has no access to the secret key of the server, it cannot compute $H(s\parallel TI{D}_x)$ to retrieve $H(I{D}_X\parallel PW{D}_X)$. Hence, the proposed protocol provides security against insider adversaries.

Son et al.’s protocol had been improved in the way that the adversary could better compute the exchanged messages, from the security point of view, as follows:

$$\begin{array}{cc}\hfill M_1=& H(PI{D}_X\parallel H(HI{D}_X\parallel PW{D}_X))\oplus a_X\hfill \\ \hfill M_2=& H(TI{D}_X\parallel PI{D}_X\parallel a_X\parallel T_1)\hfill \\ \hfill M_3=& H(H(HI{D}_X\parallel PW{D}_X)\parallel PI{D}_X)\oplus b_X\hfill \\ \hfill M_4=& PI{D}_X^{new}\oplus H(TI{D}_X^{new}\parallel H(I{D}_X\parallel PW{D}_X)\parallel b_X)\hfill \\ \hfill M_5=& H(SK\parallel PI{D}_X^{new}\parallel T_2)\hfill \end{array}$$

where

$$\begin{array}{cc}\hfill TI{D}_X^{new}=& H(HI{D}_X\parallel PW{D}_X)\oplus TI{D}_X\oplus b_X\hfill \\ \hfill PI{D}_X^{new}=& H(TI{D}_X^{new}\parallel s)\hfill \\ \hfill SK=& H(PI{D}_X\parallel a_X\parallel b_X)\hfill \end{array}$$

Compared to the SPP protocol, computation of $M_3$ and $TI{D}_X$ are modified; they were computed as $M_3=H(PI{D}_X\parallel H(I{D}_X\parallel PW{D}_X))\oplus b_X$ and $TI{D}_X^{new}=TI{D}_X\oplus b_X$ in SPP protocol.

This is because extracting $a_X$ or $b_X$ in the enhanced protocol requires at least $H(HI{D}_X\parallel PW{D}_X)$ and we already masked this value on the server side as $(TI{D}_X,H(s\parallel TI{D}_x)\oplus H(HI{D}_X\parallel PW{D}_X))$. Hence, in the proposed protocol, even an insider adversary cannot retrieve the shared key. It should be noted, in the CK and DY adversary models, that the insider adversary has no access to the server’s secret key.

The proposed protocol provides a better level of forward secrecy because the session key is computed as $SK=H(PI{D}_X\parallel a_X\parallel b_X)$ and the adversary is not able to determine $PI{D}_X$ if it loses a session between the observed session and the compromising session.

For a key compromise impersonation (KCI) resistant protocol, in which a client is in communication with a server, the attacker should not be able to impersonate the server (resp. the client) toward the client (resp. the server) given all of the secret parameters of the client (resp. the server). Since the enhanced protocol is also symmetric by nature because it uses $H(·)$ as the only source of diffusion and confusion, then this protocol also suffers from KCI. However, to do KCI against $U_X$ or $RS$ in the enhanced protocol, the adversary needs all the secret parameters of that party; however, in the SPP protocol, it is enough to access the $RS$ memory.

SPP and the enhanced version use $H(·)$ as the only nonlinear component and it is lightweight by nature, compared to asymmetric components such as the Elliptic Curve Cryptography (ECC). Hence, these protocols belong to lightweight protocols, although the enhanced version does two extra calls to that function in each side of the protocol. Hence, the enhanced protocol is not efficient yet. Consider an Arduino UNO R3 board with an ATmega328P microcontroller as the user and an Intel Xeon CPU E5-2650V2 with a 2.60 GHz frequency as the server. For this setup, the computational time of SHA2 in the server and the user side is, respectively, 0.04 (ms) and 3 (ms), while the computational time of a point multiplication is, respectively, 2.5 (ms) and 21 (ms) [75]. A comparison of the computational time on the user and server side is given in Table 4 and illustrated in Figure 3 which confirms our claim on the efficiency of the proposed protocol because the computational overhead of the proposed protocol is only 15.5%.

Table 4. Details of computational cost comparison of the revised protocol vs. [GKK+, 2019] [76], [BKC+, 2022] [75] and [SPP, 2021] [2]; if the protocol includes more than one user in each session we just considered the cost of the first user to be fair.

Protocol	User	Server
[GKK+, 2019] 76]	$3T_{mn}+4T_{hn}\approx 75\mathrm{ms}$	$6T_{ms}+8T_{hs}\approx 15.345\mathrm{ms}$
[BKC+, 2022] [75]	$3T_{mn}+6T_{hn}+2T_{PUFn}\approx 87\mathrm{ms}$	$3T_{ms}+8T_{hs}\approx 7.832\mathrm{ms}$
[SPP, 2021] [2]	$13T_{hn}\approx 39\mathrm{ms}$	$8T_{hs}\approx 0.32\mathrm{ms}$
Ours	$15T_{hn}\approx 45\mathrm{ms}$	$10T_{hs}\approx 0.4\mathrm{ms}$

Table 4. Details of computational cost comparison of the revised protocol vs. [GKK+, 2019] [76], [BKC+, 2022] [75] and [SPP, 2021] [2]; if the protocol includes more than one user in each session we just considered the cost of the first user to be fair.

Protocol	User	Server
[GKK+, 2019] 76]	$3T_{mn}+4T_{hn}\approx 75\mathrm{ms}$	$6T_{ms}+8T_{hs}\approx 15.345\mathrm{ms}$
[BKC+, 2022] [75]	$3T_{mn}+6T_{hn}+2T_{PUFn}\approx 87\mathrm{ms}$	$3T_{ms}+8T_{hs}\approx 7.832\mathrm{ms}$
[SPP, 2021] [2]	$13T_{hn}\approx 39\mathrm{ms}$	$8T_{hs}\approx 0.32\mathrm{ms}$
Ours	$15T_{hn}\approx 45\mathrm{ms}$	$10T_{hs}\approx 0.4\mathrm{ms}$

Figure 3. Computational cost comparison of the revised protocol vs. [GKK+, 2019] [76], [BKC+, 2022] [75] and [SPP, 2021] [2].

Figure 3. Computational cost comparison of the revised protocol vs. [GKK+, 2019] [76], [BKC+, 2022] [75] and [SPP, 2021] [2].

6. Conclusions and Future Works

In this paper, we presented the first third-party security analysis of a former study, which was a user authentication protocol for Internet of Things environments and applications. We highlighted its pros and cons and also we proposed an enhanced version of this protocol that is secure against various attacks.

One of the ways to grow and evolve the science of designing security protocols is to evaluate the security schemes provided by experts and researchers in this field. Hence, a suggestions for future work can be the analysis and evaluation of the security protocol proposed in this paper.