A Secure Lightweight Three-Factor Authentication Scheme for IoT in Cloud Computing Environment

With the development of cloud computing and communication technology, users can access internet of things (IoT) services provided in various environments, including smart homes, smart factories, and smart healthcare. However, a user is exposed to various types of attacks, because sensitive information is often transmitted via an open channel. Therefore, secure authentication schemes are essential to provide IoT services to legitimate users. In 2019, Pelaez et al. presented a lightweight IoT-based authentication scheme for the cloud computing environment. However, we show that Pelaez et al.'s scheme cannot prevent various types of attacks, such as impersonation, session key disclosure, and replay attacks, and cannot provide mutual authentication and anonymity. In this paper, we present a secure and lightweight three-factor authentication scheme for IoT in the cloud computing environment to resolve these security problems. The proposed scheme withstands these attacks and provides secure mutual authentication and anonymity by utilizing secret parameters and biometrics. We also show that our scheme achieves secure mutual authentication using Burrows-Abadi-Needham logic analysis. Furthermore, we demonstrate that our scheme resists replay and man-in-the-middle attacks using the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool. Finally, we compare the performance and security features of the proposed scheme with some existing schemes. Consequently, the proposed scheme provides better security and efficiency than related schemes and is suitable for practical IoT-based cloud computing environments.


Introduction
With recent advances in wireless sensor networks and embedded technologies, the internet of things (IoT) connects objects and shares various useful data over the internet through resource-constrained devices, providing convenient services for users such as smart home, healthcare, vehicle-to-everything and smart grid. However, a single-server environment is inefficient for IoT because an enormous volume of data is generated by resource-constrained devices such as microsensors, RFID tags and smart cards.
Cloud computing is a distributed computing mechanism for large-scale data that allows resources to be shared among all servers and users. Cloud computing provides five essential characteristics: on-demand self-service, ubiquitous network access, rapid elasticity, measured service and resource pooling [1,2]. On-demand self-service provides cloud services without human interaction, and ubiquitous network access allows services to be reached through standard protocols. Rapid elasticity and measured service optimize resource usage. Resource pooling provides cloud services over a homogeneous infrastructure shared among service users. Through these characteristics, cloud computing handles the enormous volume of data generated by devices and sensors and provides data management services to users.
However, these services are vulnerable to attacks by malicious adversaries because they are provided through an open channel and carry sensitive data of legitimate users, such as location, health and payment information. Therefore, secure and efficient authentication for the IoT environment has become an essential security requirement for providing useful services to users.
In 1981, Lamport [3] proposed a one-factor user authentication scheme using passwords to ensure user privacy. However, the security of a password-based authentication scheme is easily broken because it relies only on the password. In 2002, Chien et al. proposed a two-factor authentication scheme using a password and a smart card to overcome this flaw. However, their scheme is vulnerable to a stolen smart card attack, as the data stored in the smart card can be extracted by power analysis [4]. When a malicious adversary obtains both the smart card and the password, they can perform various attacks such as impersonation, replay and insider attacks. To overcome these weaknesses, three-factor authentication schemes have been proposed [5][6][7]. Biometrics (e.g., face, retina, fingerprint, iris) have several important characteristics: they cannot be lost or forgotten; they are hard to forge, copy, share or distribute; and they are difficult to guess.
In 2019, Pelaez et al. [8] demonstrated that the previous scheme is vulnerable to insider, off-line guessing and session key disclosure attacks and proposed an enhanced IoT-based authentication scheme for the cloud computing environment. This paper demonstrates that Pelaez et al.'s scheme does not withstand impersonation, session key disclosure and replay attacks. We also show that their scheme does not achieve secure mutual authentication and anonymity. Moreover, we propose a secure and lightweight three-factor authentication scheme for IoT in the cloud computing environment that resolves these weaknesses while keeping computational costs low.

Adversary Model
We adopt the Dolev-Yao (DY) model [9], which is widely accepted as a threat model, to evaluate the security of our scheme and of previous schemes. The capabilities assumed for the adversary are as follows:
• A malicious adversary can modify, intercept, delete or insert messages transmitted via an open channel.
• A malicious adversary can obtain or steal the smart card of a legitimate user and extract the data stored in it by power analysis [4].
• A malicious adversary can perform various attacks such as man-in-the-middle (MITM), replay, impersonation, and session key disclosure attacks [10,11].

Our Contributions
Our contributions in this paper are as follows.
• We demonstrate that Pelaez et al.'s scheme is not secure against impersonation, session key disclosure and replay attacks and does not achieve secure mutual authentication and anonymity.
• We propose a secure and lightweight three-factor authentication scheme for IoT in the cloud computing environment that addresses the security shortcomings of Pelaez et al.'s scheme. The proposed scheme withstands impersonation, session key disclosure, and replay attacks and achieves secure mutual authentication and anonymity. Moreover, the proposed scheme is more efficient than Pelaez et al.'s scheme because it uses only bitwise exclusive-or (XOR) and hash operations.
• We prove that the proposed scheme provides secure mutual authentication using Burrows-Abadi-Needham (BAN) logic [12] and perform an informal security analysis to show that our scheme is secure against MITM, impersonation, replay and session key disclosure attacks. Furthermore, we compare the security properties and performance of the proposed protocol with other related schemes.
• We perform a formal security analysis using the Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool to show that the proposed protocol resists MITM and replay attacks.

Organization
We introduce the related works and review Pelaez et al.'s scheme in Sections 2 and 3. In Sections 4 and 5, we cryptanalyze Pelaez et al.'s scheme and propose a lightweight three-factor authentication scheme for IoT in the cloud computing environment that addresses its security shortcomings. Sections 6 and 7 prove the security of the proposed scheme and present the simulation analysis using AVISPA. In Section 8, we compare the security properties and performance of the proposed protocol with other related schemes. Finally, Section 9 concludes the paper.

Related Works
Over the last few decades, numerous authentication and key agreement schemes have been proposed to ensure user privacy in resource-constrained environments such as wireless sensor networks, global mobility networks and vehicular networks [3,13-19]. In 1981, Lamport [3] first proposed a lightweight password-based user authentication scheme for secure communication. However, Lamport's scheme offers a low security level because its security relies only on passwords. In 2002, Chien et al. [13] presented a two-factor user authentication protocol using a smart card and a password to resolve this problem. Unfortunately, two-factor authentication schemes using a password and a smart card cannot ensure user privacy [13-19] once the data stored in the token (e.g., smart card, mobile device) are compromised.
Later, several authentication and key agreement schemes for IoT were presented in various fields [20-22]. However, the environments these schemes target are not suitable for IoT because they cannot handle the large volume of data it generates. In 2019, Zhou et al. [23] presented a lightweight IoT-based authentication scheme for the cloud computing environment to overcome this issue. Zhou et al. claimed that their scheme prevents insider, forgery and tracking attacks and provides secure mutual authentication and session key security. However, in 2019, Pelaez et al. [8] pointed out that Zhou et al.'s scheme [23] cannot withstand insider, off-line guessing and session key disclosure attacks and does not provide secure mutual authentication. To resolve these problems, Pelaez et al. [8] presented a lightweight IoT-based authentication scheme for the cloud computing environment and claimed that it is secure against off-line password guessing, insider, impersonation and replay attacks.

Review of Pelaez et al.'s Scheme
We briefly review Pelaez et al.'s IoT-based authentication scheme for the cloud computing environment. Their scheme comprises registration, login and authentication, and password change processes. These processes are summarized below (for details, see [8]).

User Registration Process
In Pelaez et al.'s scheme, a new user $U_i$ registers with the control server $CS$ via a secure channel. Figure 1 shows the user registration process: $U_i$ sends a registration request to $CS$, and $CS$ then issues the smart card.

Cloud Server Registration Process
In Pelaez et al.'s scheme, a cloud server $S_j$ registers with the control server $CS$ via a secure channel. Figure 2 shows the cloud server registration process: $S_j$ sends a registration request to $CS$; $CS$ generates the secret keys $y$ and $z$, computes the parameters $B_2$ and $B_3$, and sends them to $S_j$.

Login Process
When $U_i$ wants to access a service, $U_i$ inputs the identity $ID_i$ and password $PW_i$ and sends a login request message to $S_j$. In Figure 3, $U_i$ sends the login request message $\{T^{new}_U, D_1, PID_i, D_2\}$ to $S_j$, and $S_j$ then forwards its messages to $CS$.

Authentication Process
After the login process, $U_i$, $S_j$ and $CS$ mutually authenticate each other, after which $U_i$ and $S_j$ share the session key $SK_{U-S}$. Figure 4 shows the authentication process of Pelaez et al.'s scheme.

Cryptanalysis of Pelaez et al.'s Scheme
In this section, we demonstrate that Pelaez et al.'s scheme does not resist replay, session key disclosure and impersonation attacks and show that their scheme does not achieve secure mutual authentication and anonymity.

Impersonation Attack
In an impersonation attack, a malicious adversary tries to pass as a legitimate user. In Pelaez et al.'s scheme, a malicious adversary $U_{MA}$ can easily generate the login request message of $U_i$. According to Section 1.1, $U_{MA}$ can obtain the smart card of $U_i$ and extract the data $\{PID_i, C_2, C_3, C_4, h(n_U)\}$ stored in it, and can intercept the messages transmitted via the open channel. $U_{MA}$ then performs the impersonation attack as follows:
Step 1: $U_{MA}$ computes the real identity of $U_i$ from the extracted card data and an intercepted message (as $ID_i = C_2 \oplus D_1$, see the anonymity analysis below) and forges the login request message.
Step 2: Upon receiving the message from $U_{MA}$, $S_j$ generates the random nonces $T^{new}_S$ and $n^{new}_S$, computes $D_3$, and forwards the request to $CS$.
Step 3: $CS$ verifies the request. If it is valid, $CS$ has evidence of a connection attempt between $U_{MA}$ and $S_j$. For key agreement and mutual authentication, $CS$ generates a random nonce $n^{new}_{CS}$ and computes the session key.
Step 4: Upon receiving the message from $CS$, $S_j$ computes $T^{new*}$ and its response to the user.
Step 5: Upon receiving the messages from $S_j$, $U_{MA}$ computes $T^{new*}_{CS}$ and the response value $M_{9MA}$, which is formed over $serverValue(challenge)$, and sends $M_{9MA}$ to $S_j$.
Thus $U_{MA}$ successfully generates the login request message and establishes a session key with $S_j$. As a result, Pelaez et al.'s scheme cannot withstand the impersonation attack.

Session Key Disclosure Attack
In a session key disclosure attack, a malicious adversary obtains the session key shared between $U_i$ and $S_j$. Pelaez et al. claimed that their scheme ensures the security of the session key because a malicious adversary cannot obtain the random nonces $n^{new}_U$, $n^{new}_S$, $n^{new}_{CS}$ and the current timestamp $T^{new}_{CS}$. However, according to Section 1.1, a malicious adversary $U_{MA}$ can extract the data $\{PID_i, C_2, C_3, C_4, h(n_U)\}$ stored in the smart card and obtain the transmitted messages $D_1$, $D_2$, $T^{new}_U$, $D_8$, $D_9$ via the open channel. From these values, $U_{MA}$ can compute the session key $SK^*$, so Pelaez et al.'s scheme does not withstand the session key disclosure attack.

Replay Attack
In a replay attack, a malicious adversary reuses messages captured in previous or current sessions to obtain sensitive information about the user. Pelaez

Mutual Authentication
Pelaez et al. claimed that their protocol provides secure mutual authentication among the user $U_i$, the cloud server $S_j$, and the control server $CS$. However, according to Section 3.1, their protocol does not withstand the impersonation attack, as a malicious adversary $U_{MA}$ can successfully generate a valid authentication request message. Therefore, Pelaez et al.'s scheme does not achieve secure mutual authentication.

Anonymity
Pelaez et al. claimed that a malicious adversary $U_{MA}$ cannot obtain the real identity $ID_i$ of a legitimate user. However, according to Section 1.1, $U_{MA}$ can extract the secret parameter $C_2$ stored in the smart card and intercept the transmitted message $D_1$ via the open channel. $U_{MA}$ then computes $ID_i = C_2 \oplus D_1$ and obtains the real identity of $U_i$. The root cause is that the mask applied to $ID_i$ is a value stored directly in the smart card, so extracting the card is enough to strip it. Therefore, Pelaez et al.'s scheme does not guarantee anonymity.

Proposed Scheme
In this section, we propose a secure and lightweight three-factor authentication scheme for IoT in the cloud computing environment that addresses the security drawbacks of Pelaez et al.'s scheme. The proposed scheme consists of three processes: registration, login and authentication, and password change. The details of each process are presented below.

User Registration Process
A new user U i who requests the use of the IoT services must register with control server CS. Figure 5 shows the user registration process of proposed scheme and the detailed processes are as below.
Step 1: $U_i$ selects $ID_i$ and $PW_i$ and imprints the biometric $BIO_i$. $U_i$ then computes $(R_i, P_i) = Gen(BIO_i)$ and $RPW_i = h(PW_i \| R_i)$ and sends $\{ID_i, RPW_i\}$ to the control server $CS$ via a secure channel.
Step 2: After receiving the message from $U_i$, $CS$ generates a random nonce $S_1$ and computes $RID_i$, $A_i$ and $B_i$. $CS$ then stores $\{S_1\}$ in its database and $\{A_i, B_i\}$ in the smart card, and sends $\{RID_i\}$ together with the smart card to $U_i$ via a secure channel.
Step 3: After receiving the message and the smart card from $CS$, $U_i$ computes $Q_i = h(ID_i \| PW_i \| R_i) \oplus RID_i$ and stores $\{Q_i\}$ in the smart card $SC$.

Cloud Server Registration Process
A cloud server S j must register with the control server CS to provide IoT service to the users. Figure 6 shows the cloud server registration process of proposed scheme and the detailed processes are as below.
Step 1: The cloud server $S_j$ selects $SID_j$ and generates a random nonce $r_j$. $S_j$ then sends $\{SID_j, r_j\}$ to $CS$ via a secure channel.
Step 2: After receiving the message, $CS$ generates a random nonce $S_2$ and computes $RSID_j = h(SID_j \| r_j \| K_S)$ and $SI_j = h(RSID_j \| h(S_2 \| K_S))$, where $K_S$ is the long-term secret key of $CS$. $CS$ then stores $\{S_2\}$ in its database and sends $\{RSID_j, SI_j\}$ to $S_j$ via a secure channel.
Step 3: After receiving the message, $S_j$ stores $\{RSID_j, SI_j\}$ in its database.

Figure 6. Cloud server registration process of the proposed scheme.

Login and Authentication Process
A user U i who requests access to IoT service must send a login request message to the CS. Figure 7 shows the login and authentication process of the proposed scheme. The detailed process is as below.
Step 1: $U_i$ inputs $ID_i$ and $PW_i$ and imprints the biometric $BIO_i$. $U_i$ then computes the local verification values from $ID_i$, $PW_i$, $R_i$ and the data stored in the smart card and checks them. If they are correct, $U_i$ generates a random nonce $RU_i$, computes $M_1 = RU_i \oplus X_i$, $CID_i = ID_i \oplus h(X_i \| RU_i)$ and $M_2 = h(ID_i \| X_i \| RU_i)$, and sends the login request message $\{M_1, M_2, CID_i, RID_i\}$ to $S_j$ via the open channel.
Step 2: Upon receiving the message from $U_i$, $S_j$ generates a random nonce $RS_j$ and computes $D_1 = SI_j \oplus RS_j$, $CSID_j = SID_j \oplus h(SI_j \| RS_j)$ and $D_2 = h(SID_j \| SI_j \| RS_j)$. $S_j$ then sends $\{M_1, M_2, CID_i, RID_i, D_1, D_2, CSID_j, RSID_j\}$ to $CS$ via the open channel.
Step 3: Upon receiving the message from $S_j$, $CS$ computes $X_i = h(RID_i \| K_S \| S_1)$, recovers $RU_i = M_1 \oplus X_i$ and $ID_i = CID_i \oplus h(X_i \| RU_i)$, and checks whether $M_2^* = h(ID_i \| X_i \| RU_i) \overset{?}{=} M_2$. If it is correct, $CS$ computes $SI_j = h(RSID_j \| h(S_2 \| K_S))$, $RS_j = D_1 \oplus SI_j$, $SID_j = CSID_j \oplus h(SI_j \| RS_j)$ and $D_2^* = h(SID_j \| SI_j \| RS_j)$, and checks whether $D_2^* \overset{?}{=} D_2$. If it is valid, $CS$ computes $D_3 = RU_i \oplus h(SID_j \| RS_j)$, $Q_{CS} = h(RU_i \| RS_j \| SI_j)$ and $M_3 = RS_j \oplus h(ID_i \| RU_i)$, and sends $\{M_3, D_3, Q_{CS}\}$ to $S_j$.
Step 4: Upon receiving the message from $CS$, $S_j$ computes $RU_i = D_3 \oplus h(SID_j \| RS_j)$ and $Q_{CS}^* = h(RU_i \| RS_j \| SI_j)$ and checks whether $Q_{CS}^* \overset{?}{=} Q_{CS}$. If it is valid, $S_j$ computes the session key $SK_i = h(RU_i \| RS_j)$ and $Q_{CU} = h(RU_i \| RS_j \| SK_i)$ and sends $\{M_3, Q_{CU}\}$ to $U_i$.
Step 5: Upon receiving the message from $S_j$, $U_i$ computes $RS_j = M_3 \oplus h(ID_i \| RU_i)$, $SK_i = h(RU_i \| RS_j)$ and $Q_{CU}^* = h(RU_i \| RS_j \| SK_i)$, and checks whether $Q_{CU}^* \overset{?}{=} Q_{CU}$. If it is valid, $U_i$ authenticates $S_j$ and accepts $SK_i$. As a result, $U_i$, $S_j$ and $CS$ achieve mutual authentication.
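The registration values and the five-step exchange above, run end to end, as an added example written for this review rather than code from the paper. It assumes $h$ is SHA-256, that identities, nonces and hash outputs are 256 bits (the paper's Case 2), that $CS$ looks up $S_1$ and $S_2$ by $RID_i$ and $RSID_j$, and, because the smart-card values $A_i$, $B_i$ and the user's local check are not specified in the text, that $U_i$ holds $X_i$ directly; $RID_i$ is drawn at random since its derivation is not given. The `ControlServer`, `CloudServer`, `User` and `AuthError` names and the sample identities are constructed here.

```python
# Added example (not the paper's code): model of the proposed scheme's
# registration and Steps 1-5 with h() = SHA-256. See the lead-in for the
# assumptions (random RID_i, X_i handed to the user in place of A_i, B_i).
import hashlib
import hmac
import os

N = 32  # byte length of identities, nonces and hash outputs (Case 2)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) modelled as SHA-256 over the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


class AuthError(Exception):
    pass


class ControlServer:
    def __init__(self):
        self.K_S = os.urandom(N)  # long-term secret key of CS
        self.users = {}           # RID_i -> S_1  (assumption: DB keyed by RID_i)
        self.servers = {}         # RSID_j -> S_2

    def register_user(self, ID_i, RPW_i):          # RPW_i only enters the elided A_i, B_i
        S_1, RID_i = os.urandom(N), os.urandom(N)  # RID_i derivation not given; random here
        self.users[RID_i] = S_1
        return RID_i, h(RID_i, self.K_S, S_1)      # X_i, exactly as CS recomputes it in Step 3

    def register_server(self, SID_j, r_j):
        S_2 = os.urandom(N)
        RSID_j = h(SID_j, r_j, self.K_S)
        self.servers[RSID_j] = S_2
        return RSID_j, h(RSID_j, h(S_2, self.K_S))  # SI_j

    def authenticate(self, m):  # Step 3
        try:
            S_1, S_2 = self.users[m["RID_i"]], self.servers[m["RSID_j"]]
        except KeyError:
            raise AuthError("unknown RID_i or RSID_j")
        X_i = h(m["RID_i"], self.K_S, S_1)
        RU_i = xor(m["M_1"], X_i)                    # M_1 = RU_i xor X_i
        ID_i = xor(m["CID_i"], h(X_i, RU_i))         # CID_i = ID_i xor h(X_i||RU_i)
        if not hmac.compare_digest(h(ID_i, X_i, RU_i), m["M_2"]):
            raise AuthError("M_2 check failed: user request rejected")
        SI_j = h(m["RSID_j"], h(S_2, self.K_S))
        RS_j = xor(m["D_1"], SI_j)                   # D_1 = SI_j xor RS_j
        SID_j = xor(m["CSID_j"], h(SI_j, RS_j))
        if not hmac.compare_digest(h(SID_j, SI_j, RS_j), m["D_2"]):
            raise AuthError("D_2 check failed: server request rejected")
        return {"M_3": xor(RS_j, h(ID_i, RU_i)),      # lets U_i recover RS_j
                "D_3": xor(RU_i, h(SID_j, RS_j)),     # lets S_j recover RU_i
                "Q_CS": h(RU_i, RS_j, SI_j)}


class CloudServer:
    def __init__(self, SID_j, cs):
        self.cs, self.SID_j = cs, SID_j
        self.RSID_j, self.SI_j = cs.register_server(SID_j, os.urandom(N))
        self.last_login = None  # last login request seen on the open channel

    def handle_login(self, login):  # Steps 2 and 4
        self.last_login = login
        RS_j = os.urandom(N)
        reply = self.cs.authenticate({**login, "RSID_j": self.RSID_j,
                                      "D_1": xor(self.SI_j, RS_j),
                                      "CSID_j": xor(self.SID_j, h(self.SI_j, RS_j)),
                                      "D_2": h(self.SID_j, self.SI_j, RS_j)})
        RU_i = xor(reply["D_3"], h(self.SID_j, RS_j))
        if not hmac.compare_digest(h(RU_i, RS_j, self.SI_j), reply["Q_CS"]):
            raise AuthError("Q_CS check failed: CS not authenticated")
        self.SK = h(RU_i, RS_j)
        return {"M_3": reply["M_3"], "Q_CU": h(RU_i, RS_j, self.SK)}


class User:
    def __init__(self, ID_i, PW_i, R_i, cs):
        self.ID_i, self.PW_i, self.R_i = ID_i, PW_i, R_i   # R_i = Gen(BIO_i), fixed bytes here
        RID_i, X_i = cs.register_user(ID_i, h(PW_i, R_i))  # RPW_i = h(PW_i || R_i)
        # card: Q_i = h(ID_i||PW_i||R_i) xor RID_i (paper); X_i stands in for A_i, B_i
        self.card = {"Q_i": xor(h(ID_i, PW_i, R_i), RID_i), "X_i": X_i}

    def login(self, server):  # Steps 1 and 5
        RID_i = xor(self.card["Q_i"], h(self.ID_i, self.PW_i, self.R_i))
        X_i, RU_i = self.card["X_i"], os.urandom(N)
        reply = server.handle_login({"M_1": xor(RU_i, X_i), "RID_i": RID_i,
                                     "CID_i": xor(self.ID_i, h(X_i, RU_i)),
                                     "M_2": h(self.ID_i, X_i, RU_i)})
        RS_j = xor(reply["M_3"], h(self.ID_i, RU_i))
        SK = h(RU_i, RS_j)
        if not hmac.compare_digest(h(RU_i, RS_j, SK), reply["Q_CU"]):
            raise AuthError("Q_CU check failed: S_j not authenticated")
        return SK


def setup():
    """Constructed parties: one CS, one cloud server and one registered user."""
    cs = ControlServer()
    sj = CloudServer(h(b"cloud-server-1"), cs)
    ui = User(h(b"user-alice"), b"correct horse battery", h(b"fingerprint-template"), cs)
    return ui, sj


def tampered_request_is_rejected():
    """Dolev-Yao adversary flips one bit of M_1 in transit; CS's M_2 check must fail."""
    ui, sj = setup()
    ui.login(sj)
    m = dict(sj.last_login)
    m["M_1"] = bytes([m["M_1"][0] ^ 1]) + m["M_1"][1:]
    try:
        sj.handle_login(m)
    except AuthError:
        return True
    return False
```

`ui.login(sj)` returns the user's $SK_i$, which equals `sj.SK` after a clean run, while `tampered_request_is_rejected()` returns `True`. All verifier comparisons use `hmac.compare_digest` so that a check does not leak through timing. Capturing `sj.last_login` across two logins of the same user also shows what the anonymity claim does and does not cover: $CID_i$ and $M_1$ change with the fresh $RU_i$, but $RID_i$ is the same bytes every time.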

Password Change Process
When U i wants to update his/her password, the U i can freely update their password in the proposed scheme. Figure 8 shows the password change process of the proposed scheme. The detailed process is as below.
Step 1: $U_i$ chooses $ID_i^*$ and $PW_i^*$ and imprints the biometric $BIO_i^*$. $U_i$ then computes $(R_i, P_i) = Gen(BIO_i^*)$ and $RPW_i^* = h(PW_i^* \| R_i)$ and sends $\{ID_i^*, RPW_i^*\}$ to the smart card $SC$.
Step 2: After receiving the message from $U_i$, the $SC$ computes the updated parameters as shown in Figure 8.
Figure 8. Password change process of the proposed scheme.

Security Analysis
To assess the secure mutual authentication of the proposed scheme, we use BAN logic, a widely accepted formal model. Furthermore, we perform an informal security analysis to assess the resistance of the proposed scheme against various types of attacks.

Informal Security Analysis
The security of the proposed scheme is assessed here by an informal security analysis. Our scheme withstands impersonation, replay and session key disclosure attacks, and provides secure mutual authentication and anonymity.

Impersonation Attack
To impersonate a legitimate user, a malicious adversary $U_{MA}$ must generate a valid login request message, in particular $M_2 = h(ID_i \| X_i \| RU_i)$. However, $U_{MA}$ cannot compute it, because $U_{MA}$ does not know $U_i$'s random nonce $RU_i$, real identity $ID_i$, or secret parameter $X_i$. Therefore, our scheme is secure against the impersonation attack.

Replay Attack
Each message is bound to the fresh random nonces $RU_i$ and $RS_j$, and $CS$ verifies them through the checks $M_2^* \overset{?}{=} M_2$ and $D_2^* \overset{?}{=} D_2$, respectively. Because $RU_i$ and $RS_j$ change in every session, a replayed message cannot be used to complete a new session. Therefore, our scheme protects against the replay attack.

Session Key Disclosure Attack
In our scheme, a malicious adversary $U_{MA}$ cannot compute the session key $SK_i = h(RU_i \| RS_j)$ because $U_{MA}$ cannot obtain the random nonces $RU_i$ and $RS_j$: they are transmitted only masked by $X_i$ and $SI_j$, which $U_{MA}$ does not know. Consequently, our scheme withstands the session key disclosure attack.

Smart card Stolen Attack
According to Section 1.1, we suppose that $U_{MA}$ can obtain a smart card and extract the data $\{A_i, B_i, Q_i\}$ stored in it. However, $U_{MA}$ cannot obtain the sensitive information $ID_i$ and $PW_i$ of the legitimate user because the stored data are masked with the hash of all three factors, e.g., $Q_i = h(ID_i \| PW_i \| R_i) \oplus RID_i$, so $U_{MA}$ cannot recover $RID_i$ or $X_i$ without the password and the biometric-derived $R_i$. Therefore, our scheme withstands the smart card stolen attack.

Mutual Authentication
In the proposed scheme, $CS$ authenticates $U_i$ and $S_j$ by checking $M_2^* \overset{?}{=} M_2$ and $D_2^* \overset{?}{=} D_2$, $S_j$ authenticates $CS$ by checking $Q_{CS}^* \overset{?}{=} Q_{CS}$, and finally $U_i$ authenticates $S_j$ by checking $Q_{CU}^* \overset{?}{=} Q_{CU}$. As a result, our scheme achieves secure mutual authentication among $U_i$, $S_j$ and $CS$, because a malicious adversary $U_{MA}$ does not know the secret parameters $X_i$ and $SI_j$ needed to pass these checks.

Anonymity
A malicious adversary $U_{MA}$ cannot obtain the real identity $ID_i$ of a legitimate user because it is masked with a hash and XOR, as $CID_i = ID_i \oplus h(X_i \| RU_i)$, and $U_{MA}$ cannot obtain the secret parameter $X_i$ or the random nonce $RU_i$. Consequently, our scheme provides anonymity. Note that $RID_i$ is a fixed pseudo-identity sent in the clear in every login request; the scheme therefore hides $ID_i$ but does not make different sessions of the same user unlinkable.

Security Features
We show that the proposed scheme achieves a better security level than some existing schemes [8,23-25]. The existing schemes are insecure against various attacks, including impersonation, session key disclosure, smart card stolen and replay attacks, and cannot provide mutual authentication and anonymity. Table 1 shows the comparison of security features.

BAN Logic Based Authentication Proof
We performed a security analysis using BAN logic to demonstrate the secure mutual authentication of the proposed scheme. The BAN logic notations are listed in Table 2. We then define the rules, the goals, the idealized forms and the assumptions of the analysis, and prove that the proposed scheme provides secure mutual authentication among $U_i$, $S_j$ and $CS$.

Table 2. BAN logic notations.
Notation and description:
• (shared key of $A$ and $B$): $A$ and $B$ may use the shared key $K$ to communicate
• $SK$: session key used in the current session

BAN Logic Rules
The rules of BAN logic are as below.

Goals
To assess the BAN logic proof, we present the goals of the proposed scheme as below.

Idealized Forms
To assess the BAN logic proof, we define the idealized forms of the messages of the proposed scheme as below.

Assumptions
We present the initial assumptions to assess the BAN logic proof.

Proof Using BAN Logic
The proof then proceeds as below.
Step 1: According to Msg 1 , we could get Step 2: Using the message meaning rule with S 1 and A 1 , we get Step 3: From the freshness rule with S 2 and A 2 , we obtain Step 4: Using the nonce verification with S 2 and S 3 , we get Step 5: From the belief rule with S 4 , we obtain Step 6: Step 18: From the belief rule with S 17 , we obtain Step 19: Using the jurisdiction rule with S 18 and A 9 , we get Step 20: Because of SK = h(RU i ||RS j ), from the S 5 , S 9 , S 13 and S 17 we could get Step 21: Using the jurisdiction rule with S 19 and A 10 , we obtain Referring to Goals 1-4, we show that proposed scheme achieves secure mutual authentication among U i , S j and CS.

Simulation for Security Verification with the AVISPA tool
We performed a formal security verification of the proposed scheme with the AVISPA simulation tool [26,27], which is widely used for formal security analysis [28-31], to evaluate the resistance of the authentication protocol against MITM and replay attacks. To run the AVISPA tool, the roles, the session and the environment of the security protocol must be specified in the High Level Protocol Specification Language (HLPSL).

HLPSL Specifications
We considered three basic roles: user $U_i$, cloud server $S_j$, and control server $CS$. Figure 9 presents the session and environment roles in HLPSL, including the security goals. The role specifications of $U_i$, $S_j$, and $CS$ are shown in Figures 10-12. In the role of $U_i$, $U_i$ receives the start message and updates the state value from 0 to 1. $U_i$ then sends the registration request message $\{ID_i, RPW_i\}$ to $CS$ via a secure channel, receives $\{RID_i, Smartcard\}$ from $CS$, and updates the state value from 1 to 2. In the login and authentication phase, $U_i$ declares witness(UA, CS, ua_sn_rui, RUi) when sending the login request to $S_j$ and updates the state value from 2 to 3. Finally, $U_i$ receives the authentication message $\{M_3, Q_{CU}\}$ from $S_j$ and checks whether $Q_{CU}^* \overset{?}{=} Q_{CU}$. If it is valid, $U_i$ authenticates $S_j$. The role specifications for $S_j$ and $CS$ are defined similarly.

AVISPA Simulation Result
We verified the proposed scheme with the OFMC and CL-AtSe back-ends of AVISPA. OFMC was used to check the scheme against the MITM attack, and CL-AtSe to check it against the replay attack. Figure 13 shows that both back-ends report the protocol as safe, i.e., the proposed scheme is secure against MITM and replay attacks within the bounded number of sessions these back-ends explore.

Performance Analysis
We compared the computation cost, communication cost and security features of the proposed scheme with some existing schemes [8,23-25] and show that the proposed scheme provides better efficiency and security.

Computation Cost
We compared the computation overhead of the proposed scheme with some existing schemes [8,23-25] by counting the cryptographic operations of each party, where $T_h$ denotes the cost of one hash operation and $T_s$ the cost of one symmetric encryption or decryption. Table 3 shows the results. The total computation cost of the proposed scheme and of Pelaez et al.'s scheme is $34T_h$ and $48T_h + 8T_s$, respectively. The proposed scheme is more efficient than the existing schemes because it uses only hash and XOR operations. Therefore, our scheme is both secure and efficient for practical IoT-based cloud computing environments.

Notes on the cost analysis:
• The XOR operation is not counted because its cost is negligible compared to the other operations.
• Case 1: the pseudo-identity, random nonce, timestamp, identity, password and hash output are each 128 bits.
• Case 2: the pseudo-identity, random nonce, timestamp, identity, password and hash output are each 256 bits.
• The block length for symmetric encryption is 128 bits.

Conclusions
This paper shows that Pelaez et al.'s scheme does not withstand impersonation, session key disclosure and replay attacks, and that it does not provide mutual authentication and anonymity. We propose a secure and lightweight three-factor authentication scheme for IoT in the cloud computing environment that addresses these drawbacks. Our scheme withstands impersonation, session key disclosure and replay attacks and provides mutual authentication and anonymity. We demonstrate that our scheme achieves secure mutual authentication among $U_i$, $S_j$ and $CS$ using BAN logic analysis, and we performed a formal security verification of the proposed scheme with the AVISPA simulation tool. In addition, we compared the security features and performance of the proposed scheme with some existing schemes and showed that it provides better security and efficiency. Therefore, our scheme is suitable for practical IoT-based cloud computing environments, being both more secure and more lightweight than the previous schemes.