
A secure remote user authentication scheme for 6LoWPAN-based Internet of Things.

Ghulam Abbas1,2, Muhammad Tanveer2, Ziaul Haq Abbas3, Muhammad Waqas4, Thar Baker5, Dhiya Al-Jumeily Obe6.   

Abstract

One of the significant challenges in the Internet of Things (IoT) is the provisioning of guaranteed security and privacy, considering the fact that IoT devices are resource-limited. Oftentimes, in IoT applications, remote users need to obtain real-time data, with guaranteed security and privacy, from resource-limited network nodes through the public Internet. For this purpose, the users need to establish a secure link with the network nodes. Though the IPv6 over low-power wireless personal area networks (6LoWPAN) adaptation layer standard offers IPv6 compatibility for resource-limited wireless networks, the fundamental 6LoWPAN structure ignores security and privacy characteristics. Thus, there is a pressing need to design a resource-efficient authenticated key exchange (AKE) scheme for ensuring secure communication in 6LoWPAN-based resource-limited networks. This paper proposes a resource-efficient secure remote user authentication scheme for 6LoWPAN-based IoT networks, called SRUA-IoT. SRUA-IoT achieves the authentication of remote users and enables the users and network entities to establish private session keys between themselves for indecipherable communication. To this end, SRUA-IoT uses a secure hash algorithm, exclusive-OR operation, and symmetric encryption primitive. We prove through informal security analysis that SRUA-IoT is secured against a variety of malicious attacks. We also prove the security strength of SRUA-IoT through formal security analysis conducted by employing the random oracle model. Additionally, we prove through Scyther-based validation that SRUA-IoT is resilient against various attacks. Likewise, we demonstrate that SRUA-IoT reduces the computational cost of the nodes and communication overheads of the network.


Year:  2021        PMID: 34748568      PMCID: PMC8575280          DOI: 10.1371/journal.pone.0258279

Source DB:  PubMed          Journal:  PLoS One        ISSN: 1932-6203            Impact factor:   3.240


1 Introduction

Low-power wireless personal area networks (LoWPANs) have found numerous applications in the Internet of Things (IoT) [1]. LoWPAN devices are compliant with IEEE 802.15.4 and are constrained in power, communication, data rate, and storage resources [2]. IEEE 802.15.4-enabled LoWPAN devices are deployed in various real-world applications, such as home automation, healthcare systems, security surveillance, smart grids, and industrial monitoring. To provide Internet connectivity to a large number of devices deployed in a particular IoT environment, the IPv6 protocol is considered the most suitable solution because its larger address space can give every sensor node a unique IP address. By using IPv6 addressing, sensor nodes can transmit sensed information to other devices or to a central location through the public Internet. To support large-scale connectivity for IoT, the Internet Engineering Task Force has designed the IPv6-over-LoWPAN (6LoWPAN) adaptation layer to provide packet fragmentation, reassembly, and encapsulation for IEEE 802.15.4-based LoWPAN networks [3, 4]. Since LoWPAN devices collect information and send it to a designated location via the public Internet, it is imperative for LoWPAN applications to provide security and privacy. However, the basic 6LoWPAN design provides no security and privacy features that would preclude an unauthorized network entity from obtaining the collected information or prevent illegitimate users from accessing 6LoWPAN network resources [5-9]. 6LoWPANs face the same security attacks as traditional networks. These include denial-of-service (DoS), replay, user/server impersonation (UI/SI), man-in-the-middle (MITM), identity guessing (IG), user anonymity (UA), user/device impersonation (UI/DI), stolen smart card/device (SSC/SSD), and ephemeral secret leakage (ESL) attacks. 
However, due to the resource-constrained nature of 6LoWPANs and the lack of organized network architectures, securing 6LoWPAN is more challenging [10]. Authentication, availability, integrity, data freshness, and confidentiality are imperative security provisions in 6LoWPANs. Confidentiality guarantees secure data transmission between authorized users and servers. Authentication and key establishment (AKE) is the mechanism that verifies the legitimacy of devices and users in 6LoWPANs [11] and sets up a secret session key (SK) for encrypted communication. Therefore, a lightweight AKE mechanism is imperative for securing the network [12-20].

1.1 Related work

An overview of the existing AKE schemes for 6LoWPAN-based IoT networks and their limitations is presented in S1 Table, which shows that no existing scheme withstands all known attacks. Pandi et al. [42] proposed an authentication scheme for vehicular ad-hoc networks (VANETs) that enables the network entities to communicate securely; the scheme is efficient in terms of certificate computation while preserving the privacy of the entities. Pandi et al. [43] presented an AKE scheme for IoT-based wireless body area networks (WBANs), which is computationally less expensive and ensures secure communication. Azees et al. [44] proposed an anonymous authentication scheme for WBANs, which resists various covert security attacks while requiring fewer resources. Azees et al. [45] presented a blockchain-based authentication scheme for VANETs, which resists different security attacks and provides secure communication in VANETs. The authors in [34] proposed a multi-factor AKE scheme for the IoT environment, which uses a lightweight hash function along with the advanced encryption standard (AES). However, the scheme is unable to resist SSD, DoS, replay, and sensor node (SN) capture attacks. A Chinese remainder theorem-based authentication scheme is presented in [23], which cannot resist replay attack and does not provide strong privacy. In addition, a signature- and certificate-based, computationally efficient authentication scheme for VANETs is presented in [46]. The authors in [47] proposed a resource-efficient AKE scheme for the IoT environment using a hash function and the XOR operation. However, the AKE scheme in [47] is prone to SSD, stolen verifier, UI, and UA attacks and is unable to ensure the SN's anonymity. An AKE scheme for mobile networks is proposed in [48]; it is resource-efficient and suited to mobile networks. 
A cosine similarity-based AKE scheme for the IoT environment is proposed in [49]. Furthermore, to enable security and privacy in different IoT-based networks, various AKE schemes are reported in the existing literature [19, 50–66]. Additionally, a security analysis of the eminent AKE scheme presented in [31] is given in S1 Appendix. We have thoroughly analyzed the scheme and demonstrate that it is unsafe against de-synchronization attack and does not provide a revocation phase (RP). In [31], the gateway broadcasts the authentication message to all sensor nodes deployed in the network, and a user does not specify the sensor node from which it is going to obtain the information. Thus, all the sensor nodes in the network process the received message, which causes extra computational overhead for every node.

1.2 Research contributions

This paper presents a resource-efficient secure remote user authentication scheme for 6LoWPAN-based IoT networks (SRUA-IoT). The proposed scheme authorizes the user before real-time data is obtained from sensors stationed in the 6LoWPAN-based IoT network. The scheme employs a lightweight secure hash algorithm with 160-bit output (SHA-160) and the advanced encryption standard (AES-192) to accomplish the AKE process and makes the following contributions. SRUA-IoT is an AES- and hash-function-based remote user AKE scheme for 6LoWPAN-based IoT networks that provides user revocation and password change phases. Besides, SRUA-IoT ensures the legitimacy of remote users (RUs) that access real-time information from a sensor node while ensuring the privacy and anonymity of RUs. An RU indicates to the gateway the particular sensor node from which it wants real-time information, which removes unnecessary computational overhead at the other nodes. SK security in SRUA-IoT is corroborated using the random oracle model (ROM). Informal security analysis shows that SRUA-IoT is protected against SSC, de-synchronization, replay, and DoS attacks. In addition, Scyther tool analysis shows that the proposed scheme is protected against replay and MITM attacks. We demonstrate that SRUA-IoT provides enhanced security functionality aside from its low storage, computational, and communication costs, as compared to well-known AKE schemes.

1.3 Paper organization

The remainder of this paper is organized as follows. The system model is presented in Section 2. The proposed SRUA-IoT scheme is elaborated in Section 3. Security analysis is presented in Section 4. Performance evaluation of SRUA-IoT is detailed in Section 5. Finally, the paper is concluded in Section 6.

2 System model

The network model consists of a gateway GW, a registration center (RC), and remote users (RU|y = 1, 2, 3, ⋯, N). In the SH environment, sensor nodes (SN|x = 1, 2, 3, ⋯, n) are deployed to monitor various processes. SN collect critical information and forward it to the server stationed at RC. RC is responsible for the deployment of SN and for implementing the access control policies in SH. Before obtaining real-time information from SN, RU must register with RC. After registration, RU can access the network resources and the allocated SN. It is assumed that all network nodes are time synchronized; this assumption matters in practice, because the freshness checks below reject any message whose timestamp differs from the receiver's clock by more than the tolerated delay, so clock skew beyond that window denies service to legitimate users, while a generous window widens the interval in which a captured message can be replayed. The well-established Dolev-Yao (DY) threat model [67] is employed, wherein an adversary can intercept communications between two network entities communicating via a public channel. The adversary can modify the intercepted messages or use them for various malicious purposes, and can obtain the secret credentials stored in a sensor node's memory. Furthermore, the adversary can obtain RU's smart device SD and extract the secret credentials from SD to execute various security attacks. RU needs to communicate with SN to securely obtain the real-time information collected by SN. Therefore, an AKE scheme is imperative for secure and reliable communications between RU and SN. To achieve reliable and secure communication, the following section presents an RU AKE scheme, called SRUA-IoT.

3 The proposed SRUA-IoT scheme

SRUA-IoT seeks to ensure reliable and secure access to 6LoWPAN network resources. The scheme first verifies the authenticity of RU and then establishes a secret SK for encrypted communication, using a lightweight hash function and AES-192 during the AKE process. SHA is a one-way function, which means that it is computationally infeasible to derive the input from a SHA-160 output. Moreover, SHA-160 is assumed to be collision resistant, which means that it is computationally infeasible to find two different inputs that produce the same output (collisions necessarily exist, since the input space is larger than the 160-bit output space, but they should not be efficiently findable). If SHA-160 denotes SHA-1, the 160-bit member of the SHA family, practical collisions have been public since 2017, so an implementation should prefer a SHA-2 function and truncate its output where a 160-bit value is required; the structure of the scheme does not depend on which hash is used. AES-192 is used as the encryption and decryption scheme in SRUA-IoT. SRUA-IoT is composed of seven phases, which are presented in the following subsections. S2 Table lists the notations used in this paper.

3.1 Sensor node deployment phase

RC assigns various secret credentials to SN before its deployment in the 6LoWPAN network. Moreover, RC selects a GW secret key (GK) of 512 bits and a unique identity ID. Both GK and ID are known only to GW. RC executes the following steps to accomplish the sensor node deployment (SND) phase.

3.1.1 Step SND-1

RC picks a unique and each of size 80 bits. Moreover, RC selects a random number R and computes a temporary secret (TS) for SN as A = H(GK ∥ R∥ ID), and , where and are two chunks of A, each of size 80 bits.

3.1.2 Step SND-2

RC stores the credentials {, , } in the memory of SN before its deployment.

3.2 Remote user registration phase

It is imperative for RC to register RU before providing access to the 6LoWPAN network resources. RC assigns different secret credentials and a list of SN to RU. RC executes the following steps to perform the remote user registration (RUR) phase.

3.2.1 Step RUR-1

RU selects a distinct identity and computes . Moreover, RU contrives a registration message and dispatches to RC via a protected channel.

3.2.2 Step RUR-2

RC selects a distinct pseudonym PID for RU and calculates A = H(GK ∥ ID), and A = H(HID ∥ ID ∥ GK). RC determines a TS credential for RU by dividing A into two equal parts, namely, and , each of size 80 bits, and computes . Moreover, RC computes the revocation parameter (ReP) as B = A ⊕ HID and , where and are two chunks of B. Besides, RC assigns a list of SN to be accessed by RU. Furthermore, RC computes encryption key as EK = (A ∥ [A]32), where [A]32 are the first 32 bits of A (to make the size of EK 192 bits). In addition, RC derives by using AES-192, and stores a list of credentials {PID, , } in GW’s memory. Finally, RC fabricates a message and sends to RU securely.

3.2.3 Step RUR-3

After receiving the response from RC, RU supplies its identity, password and bio-metric information at the interface of the smart device SD, which computes the bio-metric key using a fuzzy extractor (FE). FE consists of two functions. The first one is Gen(.), a probabilistic function that takes the bio-metric information of RU and produces two output parameters, namely, the secret bio-metric key β and the reproduction parameter Rp. The second function of FE is Rep(.), a deterministic function that takes Rp and the bio-metric information to reproduce β. Moreover, SD calculates , , and the encryption key EK = (Z ∥ [Z]32), where [Z]32 are the first 32 bits of Z, so that EK has 192 bits. Furthermore, SD calculates by using AES-192. In addition, SD computes the authentication parameter as .

3.2.4 Step RUR-4

Finally, SD stores the list of credentials {CT, Auth, Rp, Gen(.), Rep(.), Et} in its memory and deletes all other parameters.

3.3 RU AKE phase

To access and communicate with the deployed 6LoWPAN based devices, it is necessary for RU to register itself with RC. RC allocates a list of secret credentials and devices to RU at the time of registration. After authorizing RU’s legitimacy, RC allows RU to access the specified devices deployed in the network. After getting authenticated by RC, RU and SN set up an SK for reliable and secure communication. The following steps elaborate RU AKE phase (RAP).

3.3.1 Step RAP-1

SD receives the secret credentials , , and , and computes and . In addition, SD computes the decryption key DK as DK = (Z ∥ [Z]32), where [Z]32 are the first 32 bits of Z to make DK of size 192 bits. Moreover, SD computes , where CT is the ciphertext stored in SD, and retrieves . Furthermore, SD calculates , and authentication parameter . Finally, SD checks Auth = Auth to perform local authentication. If the condition holds, SD continues the AKE process.

3.3.2 Step RAP-2

After performing the local authentication, SD chooses T of size 32 bits, and R1 of size 80 bits. SD calculates and . Furthermore, SD contrives a message ME: {T, PID, G1, Auth} and dispatches it to GW via an open communication channel.

3.3.3 Step RAP-3

Upon receiving ME from SD, GW verifies the freshness of the timestamp by checking the condition TD ≥ |Tr − T|, where TD is the maximum tolerable packet delay, Tr is the receiving time of ME, and T is the creation time of ME. If ME arrives at GW within the allowed delay, GW considers ME a legitimate and fresh message and continues the AKE phase. Note that this check alone only rejects messages older than TD; a copy replayed within the window passes it, so TD should be kept as small as clock synchronization permits. GW picks PID from the received ME and looks it up in GW's memory. If found, GW extracts the list of credentials {PID, , } related to PID. In addition, GW calculates DK as M1 = H(GK ∥ ID) and DK = (M1 ∥ [M1]32). Moreover, GW computes by using AES-192, and obtains the secret credentials {, (, )} from PT1. Furthermore, GW obtains R1 and by computing . To validate the authenticity of ME, GW calculates and verifies the condition Auth = Auth. If the condition holds, GW continues the execution of the AKE process.

3.3.4 Step RAP-4

After validating the authenticity of ME, GW picks a timestamp T and random number R2, and computes , where W1 is obtained using hash of the parameters, including R1, , and PID. GW calculates the update parameter (UP) as , where and are obtained by dividing W1 into two equal chunks of 80 bits each. Besides, GW computes PID = UP ⊕ PID and stores both PID and PID in its memory to avoid the de-synchronization attack. Moreover, GW calculates , G2 = W1 ⊕ W2, G3 = (R2, R1) ⊕ W2, and . Finally, GW creates a message ME: { T, G2, G3, Auth} and sends it to SN via the public channel.

3.3.5 Step RAP-5

After receiving ME from GW, SN verifies the condition TD ≥ |Tr − T|. If the condition holds, SN computes , W1 = G2 ⊕ W3, and (R2, R1) = G3 ⊕ W3. Moreover, SN calculates . Furthermore, SN checks the integrity of ME by validating the condition Auth = Auth. If the condition holds, SN picks a timestamp T and a random number R3, and computes G4 = H(R1 ∥ R2 ∥ R3) ⊕ W1. For securing communication with RU, SN calculates . In addition, SN computes Auth = H(H(R1 ∥ R2 ∥ R3) ∥ R1 ∥ T ∥ SK). Finally, SN constructs a message ME: {T, G4, Auth} and sends it to RU via the public channel.

3.3.6 Step RAP-6

RU considers the received ME fresh if the condition TD ≥ |Tr − T| holds. If ME is fresh, RU calculates , and H(R1 ∥ R2 ∥ R3) = G4 ⊕ W4. For encrypted communication with SN, RU computes . Furthermore, RU computes Auth = H(H(R1 ∥ R2 ∥ R3) ∥ R1 ∥ T ∥ SK) and checks Auth = Auth. If the equation holds, RU considers ME a valid message. Finally, RU computes and updates PID by calculating PID = PID ⊕ UP1. RU keeps both the old and the new PID in its memory to ensure resistance against de-synchronization attack. The user AKE phase of SRUA-IoT is summarized in S1 Fig.
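The three-message flow of Steps RAP-1 to RAP-6, modelled end to end in Python as an added example; this is not code from the paper or its authors. The page omits the exact contents of G1, W2 and the Auth tags, the SK formula, and how UP is derived from the halves of W1, so the model fills those in with constructions of its own, marked as assumptions in the comments, and carries the masked nonce in ME1 as 80 rather than 160 bits. What it keeps exactly is the structure the text gives: the freshness check TD ≥ |Tr − T| at every hop, W1 as a hash of R1, the user credential and PID, W1 = G2 ⊕ W3 and (R2, R1) = G3 ⊕ W3 at SN, G4 = H(R1 ∥ R2 ∥ R3) ⊕ W1, Auth = H(H(R1 ∥ R2 ∥ R3) ∥ R1 ∥ T ∥ SK), and retention of both the old and the new PID at GW and RU. The names, the constant TD = 5 s and the sample credentials are all constructed for the example; SHA-1 is used only to match the 160-bit sizes.

```python
"""Model of the three-message SRUA-IoT AKE flow (RU -> GW -> SN -> RU).
Added example, not code from the paper.  Where the page omits a definition
(contents of G1, W2 and the Auth tags, the SK formula, how UP is built from
W1's halves) the construction is an ASSUMPTION in the paper's hash/XOR style."""
import hashlib
import os

TD = 5    # maximum tolerable delay in seconds (assumed value)
NB = 10   # 80 bits: size of random numbers and pseudonyms, as in the paper

def H(*parts: bytes) -> bytes:
    # 160-bit hash as in the paper ("SHA-160"). SHA-1 is collision-broken; a
    # deployment should use SHA-256 (truncated if a 160-bit output is needed).
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))

def ts(t: int) -> bytes:
    return t.to_bytes(4, "big")   # 32-bit timestamp, as in the paper

def fresh(t: int, now: int) -> bool:
    return abs(now - t) <= TD     # the check TD >= |Tr - T| made at GW, SN and RU

def update_param(w1: bytes) -> bytes:
    return xor(w1[:NB], w1[NB:])  # UP from the two 80-bit halves of W1 (XOR assumed)

class Gateway:
    def __init__(self):
        self.users = {}     # PID -> (user credential, sn_id); old and new PID both kept
        self.sensors = {}   # sn_id -> credential shared with that SN

    def handle_me1(self, me1, now):
        T1, pid, g1, auth = me1
        if not fresh(T1, now) or pid not in self.users:
            return None                           # stale/replayed, or unknown PID
        ts_u, sn_id = self.users[pid]
        r1 = xor(g1, H(ts_u, ts(T1))[:NB])        # unmask R1 (masking assumed)
        if auth != H(pid, r1, ts(T1), ts_u):
            return None
        T2, r2 = now, os.urandom(NB)
        w1 = H(r1, ts_u, pid)                     # W1 = hash of R1, credential and PID
        w2 = H(self.sensors[sn_id], ts(T2))       # W2, recomputed by SN as W3
        auth2 = H(w1, r2, r1, ts(T2), w2)
        self.users[xor(update_param(w1), pid)] = (ts_u, sn_id)   # PID_new kept beside PID
        return sn_id, (T2, xor(w1, w2), xor(r2 + r1, w2), auth2)

def sensor_handle_me2(cred, me2, now):
    T2, g2, g3, auth = me2
    if not fresh(T2, now):
        return None
    w3 = H(cred, ts(T2))
    w1, r2r1 = xor(g2, w3), xor(g3, w3)           # W1 = G2 xor W3, (R2,R1) = G3 xor W3
    r2, r1 = r2r1[:NB], r2r1[NB:]
    if auth != H(w1, r2, r1, ts(T2), w3):
        return None
    T3, r3 = now, os.urandom(NB)
    x = H(r1, r2, r3)
    sk = H(x, w1)                                 # SK from R1,R2,R3 plus long-term W1 (assumed)
    return sk, (T3, xor(x, w1), H(x, r1, ts(T3), sk))   # G4 and Auth exactly as in RAP-5

class RemoteUser:
    def __init__(self, pid, ts_u):
        self.pids, self.ts_u = [pid], ts_u        # [previous, current] PID

    def make_me1(self, now):
        T1, self.r1, pid = now, os.urandom(NB), self.pids[-1]
        self.w1 = H(self.r1, self.ts_u, pid)      # same W1 that GW derives
        g1 = xor(self.r1, H(self.ts_u, ts(T1))[:NB])
        return T1, pid, g1, H(pid, self.r1, ts(T1), self.ts_u)

    def handle_me3(self, me3, now):
        T3, g4, auth = me3
        if not fresh(T3, now):
            return None
        x = xor(g4, self.w1)                      # H(R1||R2||R3) = G4 xor W4 with W4 = W1
        sk = H(x, self.w1)
        if auth != H(x, self.r1, ts(T3), sk):
            return None
        self.pids = self.pids[-1:] + [xor(self.pids[-1], update_param(self.w1))]
        return sk

def run_session(ru, gw, sn_cred, now, drop_me3=False):
    """One AKE run -> (SK at RU, SK at SN); None if a check fails or ME3 is dropped."""
    step = gw.handle_me1(ru.make_me1(now), now)
    reply = step and sensor_handle_me2(sn_cred, step[1], now)
    if not reply or drop_me3:                     # dropped ME3: RU keeps its current PID
        return None
    return ru.handle_me3(reply[1], now), reply[0]

def setup():
    # Constructed credentials standing in for the RC registration phases.
    gw, ts_u, cred, pid = Gateway(), os.urandom(20), os.urandom(20), os.urandom(NB)
    gw.users[pid], gw.sensors[b"sn1"] = (ts_u, b"sn1"), cred
    return RemoteUser(pid, ts_u), gw, cred
```

`run_session(*setup(), now)` returns the two session keys, which agree when every check passes; calling it with `drop_me3=True` plays the adversary of Proposition 8 dropping ME3, after which the next run still succeeds because GW kept the old PID alongside the new one, and an ME1 presented after TD seconds is rejected at GW. One practical point the model makes visible: GW as written never purges superseded pseudonyms, so its table grows by one entry per run; a deployment should keep only the current and previous PID per user.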

3.4 Password change phase

In SRUA-IoT, an authorized user RU can change its password and update bio-metric information without involving RC. RU needs to perform the following steps to execute the password change phase (PCP).

3.4.1 Step PCP-1

RU provides its secret credentials, namely, its identity, password and bio-metric information, as inputs at the interface of SD. After obtaining the inputs, SD computes the bio-metric key . Moreover, SD derives the decryption key by computing , and . By using the AES-192 decryption algorithm, SD calculates , where . Furthermore, SD computes , and verifies whether the condition holds. If it holds, SD prompts RU to enter a new password and updated bio-metric information . Otherwise, SD halts the process.

3.4.2 Step PCP-2

Upon procuring and from RU, SD determines a new bio-metric key β by computing . Moreover, SD computes the encryption key as , , where are the first 32 bits of . Furthermore, SD calculates new plaintext by deriving . In addition, SD computes , and . Finally, by utilizing AES-192 encryption algorithm, SD calculates , replaces with {CT, Auth, Rp, Gen(.), Rep(.), Et} in SD’s memory, and deletes all other credentials in its memory. S2 Fig summarizes PCP.

3.5 Revocation phase

If a legitimate RU loses its SD, RU can obtain new credentials from RC. To obtain them, it is necessary for RU to remember its . For a proper RP, the previous data must be removed from GW's memory; most AKE schemes do not delete the old data from the memory of GW or the server. RU performs the following steps to obtain a new SD.

3.5.1 Step RP-1

Upon getting , SD computes , constructs a message , and forwards to RC. After getting from RU, RC computes B = H(GK ∥ ID) ⊕ HID, , and verifies if exists in its memory. If found, RC removes related record and informs RU for new registration by sending to RU.

3.5.2 Step RP-2

Upon getting the new registration request, RU picks new , , and computes . SD constructs a message and sends to RC.

3.5.3 Step RP-3

RC picks a new pseudonym for RU and computes . To issue a new to RU, RC computes the same computation as accomplished in Step RUR-2 of Section 3.2. Finally, RC contrives a message and sends to RU via a reliable channel.

3.5.4 Step RP-4

After receiving the response from RC, SD executes the same computation as in Step RUR-3 of Section 3.2. Finally, SD stores a new list of parameters {CT, , Gen(.), Rep(.), Rp, Et} in SD's memory. Moreover, RC stores a list of credentials {, , } in GW's memory. The revocation phase is summarized in S3 Fig.

3.6 New SN deployment phase

RC can deploy a new SN (NSN) by performing the following steps.

3.6.1 Step NSN-1

RC picks a distinct and for NSN . In addition, RC picks and computes a new temporary secret for by calculating , and , where and are two chunks of , each of size 80 bits.

3.6.2 Step NSN-2

Finally, RC stores the credentials {, , } in ’s memory before its deployment.

4 Security analysis

In this section, an informal security analysis of SRUA-IoT is carried out to show its resistance against various security attacks. The security of SK is validated using the well-known ROM. A Scyther-based security analysis is performed to validate SRUA-IoT's resistance against replay and MITM attacks.

4.1 Informal security analysis

This subsection illustrates that the proposed scheme is protected against various attacks, namely, replay, MITM, UI, offline PG, PI, and impersonation attacks.

Proposition 1. SRUA-IoT is resistant to replay attack.
Proof 4.1. There are three messages exchanged during the execution of the AKE phase, namely, ME.

Proposition 2. SRUA-IoT is protected against DoS attack.
Proof 4.2. In SRUA-IoT, RU and check the condition Auth. Local verification will be successful if the condition holds. After local verification, SD.

Proposition 3. SRUA-IoT ensures untraceability and anonymity of RU.
Proof 4.3. In SRUA-IoT, during the registration and the AKE phase, only pseudo identities are used, which reveal no information about the real identity of RU. For each new AKE session, RU utilizes the updated PID and fresh random numbers R1, R2, and R3, so the communicated messages differ from session to session. Therefore, the adversary cannot correlate messages captured from two different AKE sessions. Thus, SRUA-IoT renders the anonymity and untraceability of RU and SN.

Proposition 4. SRUA-IoT is protected against MITM attack.
Proof 4.4. In SRUA-IoT, three messages are exchanged, i.e., ME, ME, and ME. Suppose the adversary captures the message ME: {T, PID, G1, Auth} transmitted by RU and tries to modify its content by selecting a random number and a timestamp of its own. To do so, the adversary needs to compute valid values of the masked nonce and the authentication parameter so that the modified message appears to come from a legitimate RU. However, the adversary cannot compute these values without knowing the secret credentials, which are known only to RU. The same argument applies to ME and ME. Hence, SRUA-IoT is protected against MITM attack.

Proposition 5. SRUA-IoT is immune to offline PG and SSC attacks.
Proof 4.5. In this case, the adversary can execute various attacks using the sensitive information stored on a stolen or lost smart card or device. 
Suppose the adversary obtains the lost/stolen SD of RU and, by using a power analysis attack, extracts the information {CT, Auth, Rp, Gen(.), Rep(.), Et} stored in the memory of SD. From this information, the adversary cannot retrieve the secret credentials that are used during the AKE process. Therefore, SRUA-IoT is protected against SSC attack. To update the password of RU, the adversary would have to pick a guessed identity, password and bio-metric information, carry out the computations of Step PCP-1 (deriving the bio-metric key and the decryption key, decrypting CT, and recomputing the authentication parameter), and check the result against the stored Auth. However, without knowing the secret credentials of RU, it is not possible for the adversary to perform these computations validly. Therefore, SRUA-IoT is immune to offline PG attack.

Proposition 6. SRUA-IoT is secure against impersonation attack.
Proof 4.6. SRUA-IoT considers the following three types of impersonation attacks.
UI attack: Suppose the adversary tries to generate an AKE request message by selecting its own timestamp and random number R1. However, to send a valid AKE request to RC, the adversary needs to know the secret credentials, which are known only to RU and are stored in SD's memory only in encrypted form. Therefore, SRUA-IoT is secure against UI attack.
RC impersonation attack: In this case, the adversary picks its own timestamp and random number and constructs a message to pretend that it originates from a legitimate RC. However, to generate a valid message, the adversary needs to know the secret parameters, which are stored in encrypted form. Therefore, without knowing these parameters, the adversary cannot fabricate a false message that makes SN believe it was created by a legitimate RC. Hence, SRUA-IoT is secure against RC impersonation attack.
SN impersonation attack: The adversary can generate a fake message and send it to RU to make RU believe that the message is from a legitimate SN. However, to generate a valid message, the adversary needs to know W1, R1, R2, R3, and the remaining secret credentials. Without knowledge of these values, it is impractical for the adversary to create a legitimate message. Hence, SRUA-IoT is secure against SN impersonation attack.

Proposition 7. SRUA-IoT is resilient against SN capture attack. 
Proof 4.7. In 6LoWPANs, SN are deployed in unattended environments. The adversary can capture an SN and extract the sensitive information stored in its memory. Since every deployed SN holds distinct secret information, capturing one SN does not allow the adversary to breach the security of the entire 6LoWPAN; only the sessions involving the captured SN are affected. Hence, SRUA-IoT is resilient against SN capture attack.

Proposition 8. SRUA-IoT is immune to de-synchronization attack.
Proof 4.8. If the network entities update pseudonyms during the execution of the AKE process, the adversary can mount a de-synchronization attack by dropping a captured message. In SRUA-IoT, GW and RU update PID to a new PID to accomplish anonymous communication. To avoid de-synchronization, both GW and RU keep the old and the new PID in their memory. If the adversary halts the AKE process by dropping an authentication message, RU can still use the old PID for the next AKE process. Therefore, SRUA-IoT is immune to de-synchronization attack.

Proposition 9. SRUA-IoT is resistant to ESL attack.
Proof 4.9. In SRUA-IoT, both RU and SN compute SK as . The calculated SK is thus a combination of the ephemeral (short-term) parameters R1, R2 and R3 and the long-term credentials, including PID. The adversary would need to compromise both the ephemeral and the long-term credentials to reveal SK. Therefore, SRUA-IoT is resistant to ESL attack.

Proposition 10. SRUA-IoT ensures PFS.
Proof 4.10. From the discussion in Proposition 9, SK depends on fresh ephemeral values together with the long-term secret credentials. If the adversary compromises the SK of a previous AKE run, it cannot derive the SK of a new AKE run, since the ephemeral values are chosen afresh; hence SRUA-IoT renders the PFS feature.

Proposition 11. SRUA-IoT ensures secure MA.
Proof 4.11. In SRUA-IoT, RU authenticates RC after verifying the condition Auth = Auth, which can hold only with knowledge of the credentials GK, ID, and . At SN, verifying the condition Auth = Auth requires knowledge of and . SN authenticates the sender of its incoming message by validating the condition Auth = Auth. 
Therefore, RU, SN, and GW mutually validate each other to achieve secure mutual authentication.

4.2 SK security validation using random oracle model

We employ ROM to corroborate SK's security in SRUA-IoT. In ROM, the adversary interacts with the kth instance of a participating entity EN that executes SRUA-IoT; it can be a legitimate RU, GW or SN. Therefore, , , and are the , , and instances of RU, GW, and SN, respectively. To simulate real attacks, ROM considers various queries, namely, Send, Test, Reveal, CorruptSD, and Execute. A description of these queries is presented in S3 Table. Furthermore, SHA is modeled as a random oracle HR (|HR| specifies the range space of the SHA output), which is available to all entities executing SRUA-IoT, including the adversary. Using the queries presented in S3 Table, the security of SK is proved in Theorem 4.12. Theorem 4.12. Suppose a polynomial-time adversary runs against the proposed SRUA-IoT in time T. If QR denotes the hash queries, |HR| the range space of the SHA output, SQ the Send queries, lbk the length of the key β, and |PD| the password dictionary, then the advantage of the adversary in breaching the security of SRUA-IoT, i.e., in obtaining the SK between RU and SN, can be bounded as follows. Proof 4.13. To prove this theorem, we consider the following four games (GM|x = 0, 1, 2, 3).

4.2.1 GM0

In GM0, the adversary mounts a real attack against SRUA-IoT and guesses the bit c at the end of the game. Therefore, we obtain

4.2.2 GM1

In GM1, the adversary mounts an eavesdropping attack and captures all the exchanged messages ME:{T, PID, G1, Auth}, ME:{T, G2, G3, Auth}, and ME:{T, G4, Auth} during the AKE process of SRUA-IoT, using the Execute query defined in S3 Table. To obtain SK, the adversary executes the Reveal and Test queries and checks, at the end of GM1, whether the returned key is a random string or the real key. The SK constructed between RU and SN is . The adversary needs to know all the long-term secrets and the ephemeral numbers, which are known only to RU, SN, and RC. Hence, the eavesdropping attack does not increase the adversary's chance of winning the game. Therefore, it is evident that

4.2.3 GM2

In GM2, the adversary performs an active attack by simulating Send and Hash queries: for all the exchanged messages ME, the adversary issues Send and Hash queries. By the birthday paradox, the following can be obtained.

4.2.4 GM3

This game simulates the CorruptSD query. Typically, the adversary tries to guess the password of RU from the information stored on SD, including Auth. The adversary also attempts to guess β from the information stored on SD; the probability of this is governed by lbk, the length of β. Furthermore, in the communication system, only a limited number of wrong password attempts is allowed. Under these conditions, we obtain the corresponding bound. After executing the above queries, the adversary needs to guess the bit c upon executing the Test query. Therefore, we have . By utilizing the triangle inequality and simplifying (2)–(5), the following is achieved: Hence, we get

4.3 Scyther analysis

We employ the well-known formal security validation tool Scyther [68] to validate the security properties and correctness of the proposed SRUA-IoT scheme. To that end, the security protocol description language (SPDL) is used to specify SRUA-IoT according to the operational semantics defined in [68]. S4 Fig shows that the claims specified in the SPDL script are satisfied. In S4 Fig, SRUA-IoT is the name of the protocol, with RU as the initiator, RC as the helper node, and SN as the responder. The descriptions of Nisynch and secrecy are provided in [68]. Secrecy signifies that specific information is not disclosed to any attacker, even when the information is exchanged over a public network. Nisynch (non-injective synchronisation) means that, for every claim in the protocol specification, the messages were sent and received exactly as the protocol prescribes, so that the expected events also appear in the trace. Moreover, the SRUA-IoT analysis shows that the supplementary security properties produced by Scyther, namely, weak agreement (Weakagree), aliveness (Alive), and non-injective agreement (Niagree), are validated. As with any symbolic analysis, these results hold in Scyther's Dolev-Yao model, which treats hash outputs and XOR as opaque terms and does not reason about the algebraic properties of XOR or about timestamp tolerances; attacks that depend on those aspects are outside what the tool can find.

5 Performance evaluation

In this section, the performance of SRUA-IoT is compared with Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], Wazid et al. [35], and Chen et al. [27] in terms of computational cost, communication cost, security features, and storage cost. We use the C/C++-based cryptographic library MIRACL and a Raspberry Pi 3 Model B (RPI-3B) with a quad-core 1.2 GHz CPU, 1 GB of RAM, and Ubuntu 16.04 LTS for implementing the proposed SRUA-IoT and the relevant AKE schemes.

5.1 Security features

The proposed SRUA-IoT is compared with the relevant AKE scheme in terms of security functionalities and resistance against various attacks. S4 Table exhibits that Park et al. [69] is unprotected against UA, SSC, and PT attacks, Shuai et al. [36] is unsafe against de-synchronization attacks, Das et al. [30] cannot withstand SSC, PI, and UA attacks and does not ensure SK security, Shin et al. [31] is insecure against de-synchronization attack and does not provide revocation phase, Challa et al. [22] cannot withstand PI, SSC, UA, PG, and UI attacks, Srinivas et al. [33] fails to protect against UI, PI, and SSC attacks, Wazid et al. [35] is unsafe against UI, PI, and SSC attacks, and Chen et al. [27] cannot protect PI, PG, UA, UI, replay and DoS attacks and also does not ensure mutual authentication. Contrarily, SRUA-IoT is secure as compared to the relevant eminent AKE schemes, as shown in S4 Table.

5.2 Computational cost

In this subsection, the approximate computational overhead of SRUA-IoT and the related AKE schemes is determined from the measured execution times of the cryptographic primitives listed in S5 Table. SRUA-IoT has a computational cost of 19T + 2T + ms, which is lower than that of the benchmark schemes, as shown in S5 Fig and S6 Table: 53.09%, 23.88%, 44.23%, 29.56%, 22.04%, 76.41%, 24.07% and 38.93% less than Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Srinivas et al. [33], Challa et al. [22], Wazid et al. [35] and Chen et al. [27], respectively. At SN, SRUA-IoT incurs a computational overhead of 5T ≈ 1.275 ms, again lower than the benchmark AKE schemes (S6 Fig and S6 Table); this figure matters most, since SN is the resource-limited node. The computational overhead at GW grows with the number of users accessing the network resources; S7 Fig shows that SRUA-IoT keeps this overhead low while processing multiple AKE requests simultaneously. Although the security of SRUA-IoT is verified through the formal and informal analyses of Section 4, where the scheme is shown to resist various attacks, an attack or some other unexpected event can halt the execution of SRUA-IoT at any step of the AKE phase. Under a specific attack, the execution time can be computed as where T denotes the time required to accomplish the AKE phase, denotes the average time obtained by running SRUA-IoT 100 times, and T denotes the execution time required to complete the AKE phase under the given attack success probability. S8 Fig shows the time consumption of SRUA-IoT and the related schemes as a function of attack success probability; across the attack success rates considered, SRUA-IoT completes its execution in less time than the related AKE schemes.

5.3 Communication cost

This subsection presents the comparative analysis of communication cost. For SRUA-IoT, a timestamp is 32 bits, an ECC point is 160 bits, a SHA output is 160 bits, a random number is 80 bits, each pseudo-identity (PID) is 80 bits and an AES key is 192 bits. During the AKE phase, SRUA-IoT exchanges three messages, ME: {T, PID, G1, Auth}, ME: {T, G2, G3, Auth} and ME: {T, G4, Auth}, of length {32 + 80 + 160 + 160} = 432 bits, {32 + 160 + 160 + 160} = 512 bits and {32 + 160 + 160} = 412 bits, respectively (note that the three components listed for the third message sum to 352 bits; the 412-bit figure and the total below are reproduced as reported). The aggregate communication overhead of SRUA-IoT is 1356 bits. S7 Table and S9 Fig compare SRUA-IoT with the related AKE schemes: SRUA-IoT has 75.92%, 21.53%, 11.72%, 29.28%, 46.36%, 11.72%, 20.05% and 57.2% less communication cost than Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], Wazid et al. [35] and Chen et al. [27], respectively.

5.4 Storage cost

This subsection compares the storage cost of SRUA-IoT with that of the other AKE schemes. In SRUA-IoT, RU, GW and SN store {CT, Auth, Rp, Gen(.), Rep(.), Et}, {PID, PID, , } and {, }, of length {240 + 160 + 160 + 8} = 568 bits, {80 + 80 + 80 + 240} = 480 bits and {80 + 80} = 160 bits, respectively; Gen(.) and Rep(.) are procedures and contribute no stored bits. The total storage overhead is {568 + 480 + 160} = 1208 bits. The storage costs of Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], Wazid et al. [35] and Chen et al. [27] are 1600, 1776, 3738, 1160, 4016, 2888, 4126 and 1792 bits, respectively. SRUA-IoT thus has a slightly higher storage cost than Shin et al. [31] only, while incurring lower computational and communication costs than Shin et al. [31] during the AKE phase. S10 Fig illustrates the storage cost comparison of SRUA-IoT and the related AKE schemes.

6 Conclusion

Information security is critical in resource-constrained 6LoWPAN-based IoT networks. This paper has presented an AKE scheme, SRUA-IoT, that lets resource-constrained 6LoWPAN devices verify the legitimacy of remote users interacting in real time with sensor nodes deployed in smart home networks. The scheme authenticates the user before any real-time data is released by the sensors, using only a lightweight secure hash algorithm (SHA-160) and the Advanced Encryption Standard (AES-192) to complete the AKE process. The scheme has been validated both formally and informally to show its resistance to a range of attacks. Moreover, the numerical comparison with the benchmark schemes shows that SRUA-IoT requires low computational and communication resources to complete the AKE phase in 6LoWPANs. Our future work will explore authenticated encryption with associated data to devise a resource-efficient AKE scheme with further reduced computational cost for resource-constrained IoT devices.

Supporting information

S1 Fig. The user AKE phase of SRUA-IoT. (TIF)
S2 Fig. Password change phase. (TIF)
S3 Fig. Revocation phase. (TIF)
S4 Fig. Scyther results. (TIF)
S5 Fig. Comparison of total computation cost required to complete the AKE process. (TIF)
S6 Fig. Computational overhead at SN side. (TIF)
S7 Fig. Computational delay at GW with increasing number of users. (TIF)
S8 Fig. Computational overhead with attack success probability. (TIF)
S9 Fig. Communication overhead in the network with increasing number of users. (TIF)
S10 Fig. Comparison of storage costs. (TIF)
S1 Table. Comparative analysis of eminent AKE schemes [21–41]. (PDF)
S2 Table. List of key notations. (PDF)
S3 Table. Description of different ROM queries. (PDF)
S4 Table. Comparison of security features [22, 30, 31, 33, 35, 36, 69]. (PDF)
S5 Table. Experimental computational cost of various cryptographic operations. (PDF)
S6 Table. Comparison of computational costs [22, 27, 30, 31, 33, 35, 36, 69]. (PDF)
S7 Table. Comparison of communication costs [22, 27, 30, 31, 33, 35, 36, 69]. (PDF)
Additional data file. (ZIP)
Related articles (6 in total)

1.  Three-Factor User Authentication and Key Agreement Using Elliptic Curve Cryptosystem in Wireless Sensor Networks.

Authors:  YoHan Park; YoungHo Park
Journal:  Sensors (Basel)       Date:  2016-12-14       Impact factor: 3.576

2.  Efficient and Security Enhanced Anonymous Authentication with Key Agreement Scheme in Wireless Sensor Networks.

Authors:  Jaewook Jung; Jongho Moon; Donghoon Lee; Dongho Won
Journal:  Sensors (Basel)       Date:  2017-03-21       Impact factor: 3.576

3.  A Lightweight Three-Factor Authentication and Key Agreement Scheme in Wireless Sensor Networks for Smart Homes.

Authors:  Sooyeon Shin; Taekyoung Kwon
Journal:  Sensors (Basel)       Date:  2019-04-29       Impact factor: 3.576

4.  A network access control framework for 6LoWPAN networks.

Authors:  Luís M L Oliveira; Joel J P C Rodrigues; Amaro F de Sousa; Jaime Lloret
Journal:  Sensors (Basel)       Date:  2013-01-18       Impact factor: 3.576

5.  S6AE: Securing 6LoWPAN Using Authenticated Encryption Scheme.

Authors:  Muhammad Tanveer; Ghulam Abbas; Ziaul Haq Abbas; Muhammad Waqas; Fazal Muhammad; Sunghwan Kim
Journal:  Sensors (Basel)       Date:  2020-05-09       Impact factor: 3.576

6.  An Efficient, Anonymous and Robust Authentication Scheme for Smart Home Environments.

Authors:  Soumya Banerjee; Vanga Odelu; Ashok Kumar Das; Samiran Chattopadhyay; Youngho Park
Journal:  Sensors (Basel)       Date:  2020-02-22       Impact factor: 3.576

