MAKE-IT—A Lightweight Mutual Authentication and Key Exchange Protocol for Industrial Internet of Things

Continuous development of the Industrial Internet of Things (IIoT) has opened up enormous opportunities for the engineers to enhance the efficiency of the machines. Despite the development, many industry administrators still fear to use Internet for operating their machines due to untrusted nature of the communication channel. The utilization of internet for managing industrial operations can be widespread adopted if the authentication of the entities are performed and trust is ensured. The traditional schemes with their inherent security issues and other complexities, cannot be directly deployed to resource constrained network devices. Therefore, we have proposed a strong mutual authentication and secret key exchange protocol to address the vulnerabilities of the existing schemes. We have used various cryptography operations such as hashing, ciphering, and so forth, for providing secure mutual authentication and secret key exchange between different entities to restrict unauthorized access. Performance and security analysis clearly demonstrates that the proposed work is energy efficient (computation and communication inexpensive) and more robust against the attacks in comparison to the traditional schemes.


Introduction
The Industrial Internet of Things (IIoT) alias Industry 4.0 is the new era of the industrial revolution which uses the sensor and actuators for the enhancement of the production and manufacturing industrial process. IIoT is the 4th generation of the industrial development. The first generation (1.0) industries of 18th century made use of steam power to generate resources for their industry. The next revolution took place is industry 2.0 in the year 1870 where industries ran through electricity and assembly lines. Second revolution brought attention of engineers towards industrial development. The 3rd progress (3.0) in industrial development escalated the efficiency to a par level. It introduced the concept of computer and Programmable Logic Control (PLC) which was believed to be the first step towards automation of industries. The recent advancement of industry 4.0 uses additional infrastructure to connect industrial processes with the internet; thus permitting the engineers to control the machines remotely as well as allowing them to get instant access of the information through cloud

Related Work
Esfahani et al. [2] have discussed the role of Machine to Machine (M2M) communication in implementation of IIoT networks. As the nodes in the IIoT are resource constrained, therefore authors only utilized XOR and hashing operations to build the algorithm of authentication. The authors declared that their scheme provisions mutual authentication, confidentiality, session key, and so forth and is also resilient to replay, impersonation, and modification attacks, and so forth. The scheme proposed is simple yet secure but the communication, message exchange, and computational cost is large enough to drain the resources of the IoT constrained devices. Hence it may pose as a hindrance to the networks with sensitive resource constrained devices.
Li et al. [3] emphasized on the need and challenges of security in IoT due to unsecured open wireless channel and resource constrained devices. The authors suggested a three factor user authentication protocol to combat against legitimacy threats. The proposed protocol is claimed to be energy efficient and resistant to replay, impersonation attacks, and so forth. Xu et al. [19] have also disclosed a scheme for authentication of multi gateway wireless sensor networks connected with IoT based on 3 factor mechanism. Formal analysis using ProVerif proved that scheme is resistant against many potential attacks. However, as per Reference [20], both the protocols drain a significant amount of precious energy reserves on accomplishment of 3 factor security. In addition, the discussed protocols [3,19] consumes a lot of communication and computational overhead, therefore imposing a restriction on its practical realization for WSN-IoT resource constrained use cases.
Rao et al. [21] investigated and found that most of the devices on the internet are vulnerable to unsecured channel which may lead to exploitation of privacy. Authors have presented a light weight hashing method for user authentication in IoT. They proposed a customized BLAKE2b hashing algorithm with some modified elliptic curve digital signature scheme (ECDSA). The authors have compromised with the security in order to lessen the expenditure of communication and computation. The protocol is not verified for its resistance against the most basic attacks mentioned in Dolev-Yao [22] attack model, thus response of this scheme against attacks is very much unpredictable.
Das et al. [23] raised the concern of security and privacy of the information exchanged over the unsecured medium. Additionally, the authors discovered that existing schemes cannot be deployed in all use cases of IIoT due to their heavy computation and communication overheads. To overcome the aforementioned issues, the authors introduced a new privacy preserving user authentication scheme for IIoT environment. The scheme utilizes biometrics, fuzzy extractors, one way hash function, and XOR, and so forth to accomplish the authentication between the entities. The scheme makes use of smart card and biometrics together for verifying the authenticity of the entities. The authors have verified the robustness of their approach using Real or Random (RoR) model and declare their scheme as resistant against attacks. The proposed scheme is implemented in NS2 for operational performance evaluation. Despite the advantages, the scheme is energy expensive due to size and quantity of the messages exchanged during the authentication phase.
Li et al. [24] discussed the various applications where Wireless Sensor Networks (WSN) and IIoT are integrated to perform the tasks. The motivation of the authors to introduce a new security protocol is the threat of sensor node being accessed by an illegitimate user. The authors introduced the Elliptic Curve Cryptography (ECC) based authentication protocol for IIoT networks to overcome the deficiency of user anonymity and other vulnerabilities of the existing protocols. Their proposed algorithm used biometrics, fuzzy extractor, one way hash, and XOR for accomplishing the aim of authentication. The authors claimed their approach as secure based on the formal security analysis performed using the random oracle model. Post analysis, the scheme is simulated in NS3 (Network Simulator) to understand the behavior of the approach in the WSN-IoT environment. Regardless of the advantages, the scheme has not been tested against the potential attacks (e.g., MITM, etc.) that may prove fatal for the protocol. The scheme also lacks in ensuring message freshness and data confidentiality for all shared information due to absentia of nonce and ciphering mechanisms, respectively. Paliwal in Reference [25] has highlighted the significance of WSN in gathering information from remote areas. The author emphasized the communication challenges due to the open nature of the channel and further advised the need for strong security protocols to preserve integrity and confidentiality. But it becomes a challenge in WSN, as the computing nodes have limited resources. The author has performed cryptanalysis on the existing techniques to prove the presence of vulnerabilities. A new mutual authentication and key exchange protocol has been proposed to address the deficits of the existing techniques. The new advised protocol exhibits various security features like integrity, conditional privacy, and so forth. The strength of the scheme against the attacks is analyzed using AVISPA (Automated Validation of Internet Security Protocols and Applications), RoR model, and informal analysis. The author claimed the scheme as robust and lightweight. Although the scheme exhibits various security attributes but still lacks in achieving overall privacy and identity anonymity. Besides the security attributes, substantial use of hash, and the large size of message overhead adds a burden on the overall scheme.
Chang et al. [26] demonstrated the weaknesses (e.g., inadequate secrecy, and impersonation attacks, etc.) of the existing security protocol through cryptanalysis. The authors introduced a new efficient and flexible smart card based authentication scheme for Ad hoc WSN to address the aforesaid security issues. The authors devised two protocols, wherein the Protocol (P 1 ) overcomes the deficiencies of the existing protocol under scanner, and the Protocol (P 2 ) provides secrecy to Ad hoc WSN with further modifications in P 1 . However, the P 1 does not protect from all threats but lightweight, whereas, P 2 is stronger but resource expensive. Therefore, the selection of either protocol for the IIoT applications is a compromise. Despite the two solutions, the desire of a strong security protocol with limited computations remains unachieved.
Gope et al. [27] pointed out the various constraints (e.g., coverage, connectivity, and security, etc.) in the implementation of Industrial WSN (IWSN). The authors gave more importance to the security and privacy aspect as the information is exchanged over the unsecured medium with little human Sensors 2020, 20, 5166 6 of 21 interventions. The real-time relaying of information in IWSN creates a requirement of a robust authentication protocol to protect the network from unauthorized abuses. The authors introduced a physically secure mutual authentication protocol for IWSN. The protocol uses hash, physically unclonable functions (PUF), and XOR as crypto primitives to accomplish the process of mutual authentication. The significant feature claimed by the authors is the protection of sensor nodes data even if it is physically captured by the adversary. The security features offered by the protocol are mutual authentication, and secure key exchange, and so forth. Nonetheless, the protocol exchange 6 large-sized messages during the authentication and key exchange phase. As IWSN make use of sensor nodes with limited resources, therefore deploying this protocol can reduce the active lifetime of the devices and network.
In the IoT domain, there are some standardization efforts to provide authenticated key exchange for constrained devices [28]; such as Ephemeral Diffie-Hellman Over COSE (EDHOC) [29] and Compact Transport Layer Security (CTLS)/Datagram Transport Layer Security (DTLS) v1.3 [30] handshake protocols. But it is investigated by the authors of Reference [31] that TLS (1.3) implementation errors can make the network vulnerable to Cache-like ATtacks (CATs), thus limiting its scope of utilization for sensitive networks for example, Industrial IoT. Also, the time sensitive information generated by manufacturing execution systems (SCADA, PLC, etc.) in Industrial IoT requires ultra low latency message exchanges. Therefore, industrial IoT network seeks a framework with limited number of layers and functionalities than TCP/IP [32]. Moreover, researchers argued that TCP/IP was originally developed for connecting mainframe computer to wired networks; therefore originally designed protocol stack of TCP/IP is not adequate enough to cater to the IoT architecture needs [33]. Internet Engineering Task Force (IETF) and researchers are trying to develop better alternatives. Due to inconclusive and inadequate standard architecture solutions, vendors are offering scalable, need specific (QoS, latency, etc.) and multipurpose IoT network architecture for private IIoT networks [34,35].
There are many alternatives proposed to TCP/IP protocol stack for Industrial IoT applications. Modbus Remote Terminal Unit (RTU) is an open standard used by the industries for performing the industrial tasks with critical timing requirements [36,37]. Similarly, Low powered wide area network (LPWAN) is recommended for Industrial networks (IIoT) because they are energy inexpensive and support long range communications [38][39][40][41][42][43][44]. Moreover, the latest version of LoRaWAN (v1.1) has shown to be secure against the vast majority of cyber-attacks and threats [45][46][47]. Hence, LoRaWAN is a secure and stable protocol that can be safely used not only for IoT applications but also for industrial ones. Various alliances and consortiums have been formed to build private LPWAN (open specifications) for various industrial applications, for example, DASH7 [48], LoRa [49], MIOTY [50,51], and Weightless [34], and so forth. DASH7, LoRa, and MIOTY, do not operate on TCP/IP stack rather operates on open protocol stack to provide flexibility to the IT administrator of the industry to choose the set of protocols based on application requirements (Quality of service (QoS), time sensitive, etc.) [52].
Recursive Internetwork Architecture (RINA) is also a good alternative to TCP/IP as it gives flexibility to manage the layered operations without interrupting the real time traffic. Moreover, RINA is claimed to be more secure than TCP/IP architecture as it secures the layers instead of protocols [53]. The review of available architectures   It is important to note that security scheme proposed in this paper is specifically devised for open architecture based private IIoT networks.

Our Contribution
1. To encounter the threats, we have proposed a lightweight mutual authentication and key exchange protocol for IIoT (MAKE-IT). 2. To strengthen the security measures and achieve robustness, asymmetric and symmetric key cryptography have been used along with other crypto primitives such as hash and XOR, and so forth. 3. MAKE-IT exhibits various security features like data confidentiality, identity anonymity, mutual authentication, and prevention from unauthorized access, and so forth. Formal and informal analysis of MAKE-IT proves its capability to resist against these attacks: replay, modification, MITM, and impersonation attack. 4. MAKE-IT accomplishes mutual authentication and secret key exchange with high computational and communicational efficiency in comparison to existing schemes [2,3,23-27].

System Model
The system model describes the relationship between User, Gateway (G W ), Authentication Server (AS), and IIoT nodes. Figure 3 illustrates their relationship with each other.

Smart Industrial Machines
Bi-directional communication

User
Gateway Figure 3. System model.

User
User could be industry manager, owner, administrator, and so forth who has privilege to control the machines, fetch the data from IIoT nodes, and so forth. User may access the network using any digital gadget like computer, laptop, and mobile, and so forth which has the capability to compute cryptography operations along with communication unit. User also requests the AS for generating the Sensors 2020, 20, 5166 8 of 21 security credentials. Later, user utilizes the obtained credentials to generate the secured session key with the G W .

Gateway
Gateway (G W ) provides the interface to user for getting connected to the IIoT network. The gateways are not necessarily powered up through mains, rather depends upon the use case of IIoT. The present system model is constructed considering those applications of IIoT where G W is also a resource constrained node, for example, an industrial network deployed near volcano for monitoring eruptions, and extracting volcanic minerals, and so forth. G W receives partial security credentials of user from AS which is later utilized by G W to verify the legitimacy of the request. As communication to all the nodes of IIoT network is possible via G W , any vulnerability in G W could compromise the whole network.

Authentication Server (AS)
AS is a trusted entity whose prime responsibility is to validate the users and other devices of the network. It is assumed that user IDs are stored offline in the AS. The users request for the security credentials from AS. Upon being validated, AS provides a random secret integer to the user which is further utilized by the user to generate secret key with the gateway. AS is considered to be tamper proof entity and has no resource constraints.

IIoT Nodes
Industrial machines are integrated with sensors (motion, proximity, vaccum, and pressure, etc.) and low power transceiver module (e.g., bluetooth, Zigbee, WiFi, etc.) for providing instant access to control and monitor the infrastructure of the industry. Legitimate users (manager, engineer, etc.) communicates to IIoT nodes via gateway. Note that this protocol is implemented to secure the network from external threats. Therefore, security considerations and message exchanges between user and gateway are only considered.

Adversary Model
MAKE-IT protocol has adopted the Dolev-Yao (DY) adversary model for evaluating the security performance under compromised conditions [22]. The threat model assumes that the attacker is competent enough to discover the vulnerabilities of the protocol; these vulnerabilities can be used by the attacker for mounting various attacks. Consider an industrial IoT network deployed near the volcano for monitoring eruptions and extracting volcanic minerals. Following the DY threat model, the user and the gateway (a network device communicating to autonomous mining machines, assembly lines, and driverless tipper trucks, etc.) are under threat in IIoT. Assume an attacker can eavesdrop all the communications happening between the user and the gateway. More precisely, an attacker can capture and replay the message for getting unauthorized access for example, machines, information, and so forth. In addition, an attacker can impersonate as an authorized user to steal precious information of volcanic minerals or locations where precious minerals are being kept. The adversary can try to modify the timestamp of the messages to get illegal access to the system to introduce malware for either disrupting or degrading the operations of the industry. The attacker can intercept the messages exchanged between the user and the gateway to extract the security parameters that are useful to approximate the future secret keys. The adversary can construct and inject new bogus messages to overwhelm the resources of the network device (gateway); as a result, the privileged user fails to deliver the messages to the gateway. Conclusively, the operational workflow of the industry will suffer and may result in financial and reputation loss.

Proposed Protocol: MAKE-IT
Assume a Industrial IoT environment where industrial machines are controlled and monitored over internet via gateway. Remote user can control and monitor the IIoT nodes after proving the legitimacy to gateway. Therefore, any vulnerability in authentication procedure could allow external attacker to access the network resources. In order to ensure legitimacy and avoidance of unauthorized access, we propose a light weight remote user authentication model. Note that in order to run the proposed protocol, we have assumed that gateway is resource constrained device and believe that all communications to industrial nodes happen via gateway. It is further assumed that clocks of all participating entities are synchronized to each other. The proposed protocol consist of two stages: User device registration phase, and Mutual Authentication & Secret Key Generation Phase. Table 1 presents the notations that are used to describe the working of the protocol. Note that some Greek symbols have been used to represent variables; besides storing values, the symbols do not have any mathematical perspectives. In this phase, User approaches Authentication Server (AS) to show his interest towards communication with Gateway. Users' device initially prepares its identity details, β (S U || P U || L U || M U || U ID ). In addition, user adds a timestamp (T 1 ) to message β, to prevent replay attacks. Finally user encrypts the message (β || T 1 ) and sends it to AS for obtaining security credentials (random secret). Figure 4 illustrates the complete process of user device registration with the AS.

User Device Registration Phase
AS receives the message ( ) from the user and decrypt it using private key, D(PR AS , ). AS verifies the lifetime of the request by compiling the timestamp values (T 2 − T 1 ), fresh messages are processed and expired/replayed messages are discarded. Post timestamp verification, AS compares the received user identity, U ID with the offline stored user identity, U IDS for verifying the authenticity of the request; the session is aborted if comparison is not true. AS computes hash of decrypted message (τ) to preserve integrity. Further AS splits the hashed message (O) into two equal parts: O 1 and O 2 . O 1 is utilized for processing of security credential request, whereas, O 2 is later utilized as a temporary key for securing the communications between AS and user. Afterwards, AS generates the random secret integer, R 1 and prepares the message (Σ = O 1 || R 1 || T 2 ) for gateway. Eventually Σ is encrypted with the public key of gateway, E(PU G , Σ) to safeguard confidentiality. The encrypted message, E(PU G , Σ) is then sent to G W .
Gateway receives E(PU G , Σ) from AS, decrypts using private key, D(PR G ) and forms λ. Before processing the message further, gateway verifies the timestamp of the message, T 3 − T 2 . Upon successful validation, gateway computes W = hash (S G || P G || L G || M G || G ID ). Gateway splits the hashed message (W) into two equal parts: W 1 and W 2 . W 1 is utilized for processing of request, whereas, W 2 is later utilized to securely exchange the random secret of G W with the user. Further, gateway computes W 1 ⊕ O 1 and concatenate timestamp T 3 to compose Ψ. Ψ is a useful component of protocol as it reflects a relationship between user and gateway. Additionally, Ψ is encrypted with the public key of AS, Θ = E(PU AS , Ψ) to attain data confidentiality. The encrypted message (Θ) is forwarded to AS for further processing.
A.S decrypts the message D(PR AS , Θ) using its private key. Upon successful decryption, freshness of the message is verified, T 4 − T 3 followed by generation of random secret integer, R 2 . AS computes Ω = O 1 ⊕ R 2 , assembles Ψ || Ω || T 4 , and encrypts the assembled message to form Y AS = E(O 2 , (Ψ || Ω || T 4 )). The encrypted message Y AS is sent to the user. AS has utilized a secure mechanism to share the random secret with the user. As no one else know O 1 , therefore only user is able to retrieve R 2 . User

Mutual Authentication and Secret Key Generation Phase
In this phase, User and G W mutually verifies the legitimacy of each other before finalizing the secret key. User initially retrieves W 1 (= Ψ ⊕ O 1 ) and constructs Z U (= E(W 1 , (Ω || T 5 )). The random secret integer R 2 (enclosed in Ω) is securely shared with the gateway through Z U .
Gateway decrypts the received message, Z G = D(W 1 , Z U ) and verifies the timestamp, T 6 − T 5 . Timestamp verification shunts out the bogus (expired) and suspicious (replayed) requests. Post verification, gateway prepares ρ 1 and ρ 2 for hiding the random secret integer R 1 , and parameter W 2 , respectively. Subsequently, G W computes the π G {= E(W 1 , (ρ 1 || ρ 2 || T 6 ))}, wherein ρ 1 carries hidden random secret integer (R 1 ), ρ 2 carries hidden parameter value (W 2 ) which is required by the user to retrieve the R 1 from ρ 1 , and T 6 carries the present timestamp of the gateway. Thereafter, the encrypted message, π G is sent to the user. Figure 5 illustrates the whole process of mutual authentication and secret key generation phase. The user decrypts the received message, π U = D(W 1 , (ρ 1 || ρ 2 || T 6 )) and verifies the time stamp, T 7 − T 6 . The connection is either terminated if the timestamp is stale or continues otherwise. Subsequently, user retrieves W 2 (= ρ 2 ⊕ W 1 ). The retrieved W 2 is a key element required to recover the hidden random secret integer, R 1 (= W 2 ⊕ ρ 1 ).
Successful decryption of π U and Z G results in mutual authentication between the user and G W , respectively. Upon succeeding in mutual authentication, user and G W initiates the process of secret key formation. The secret keys are generated using random secrets (R 1 and R 2 ) issued by AS. User and G W have already exchanged the secret values required to form the secret key. Finally, user and the gateway computes the secret key, SK = R 1 ⊕ R 2 . The lifetime of the key depends upon the sensitivity of the application and may vary from few days to couple of months.

Security Analysis
The robustness of the proposed MAKE-IT approach is tested through security analyzer tool and informal analysis. This section demonstrates the test procedure and also presents the analysis of the test results.

Formal Analysis
Following References [54,55], the performance of the proposed protocol has been tested under the compromised conditions using AVISPA (Automated Validation of Internet Security Protocols and Applications). AVISPA is a security analyzer tool used to find vulnerabilities in the security protocols. It works on HLPSL (High Level Protocol Specification Language) and use an interpreter, HLPSL2IF which translates HLPSL to an Intermediate Format (IF). IF is presented as an input to the various back ends of AVISPA (e.g., on-the-fly model-checker (OFMC), Constraint-Logic-based ATtack SEarcher (CL-AtSe), etc.). The back ends compile the results and declare the protocol as safe or unsafe.
We intentionally omitted the detailed discussion on the back ends of AVISPA, interested readers may refer to Reference [56].
The initial process is to script the subjected protocol into HLPSL language. The script begins with basic roles, followed by composition role, and ends with environment role. Basic roles declare the agents, crypto operations, compromised channel (dolev-yao), and various processes that are carried out locally by the agent. In contrast, composition roles declare the various legitimate entities that participate in the conversation. A very careful scripting of environment role is required as it may decide the effectiveness of this test. Environment role declares the global entities and constants. In addition, environment role describes the role and knowledge of intruder followed by various sessions that may exists during the communication. This role ends with the declaration of goals that defines the security attributes taken into consideration.
To assess the strength of the MAKE-IT protocol, the mutual authentication and key exchange phase has been scripted and examined on AVISPA. Note that notations used in HLPSL script is defined in Table 2. Initially basic roles of the user and G W are declared that comprises of local agents (U, G W ), crypto operations (hash), description of keys (SK, PU G , etc.) and details of the compromised channel (dy) used for communication. Additionally, it describes the various local constants and messages used and exchanged during the conversation, respectively. User device gets activated in State = 0 (RCV(start)) whereas in State':= 1 the user device generates a timestamp (T5 ), and computes W1 . Afterwards, user computes Zu = {Omega.T5}_W1 and forms the message, MI (= Zu ). The goal predicates set by the user is the privacy of the data (Omega and T5 ) along with the validation of the timestamp (T5) at Gw. The encrypted message (MI ) is sent to the G W as shown in Figure 6.
G W receives the MI in State = 1 and begins processing in State := 2. The foremost task performed by G W is the decryption of the received message, Zg = {Zu }_W1. Post decryption, gateway validates the timestamp (witness(Gw,U,user_gateway_t5,T5)) to avoid replay attacks. Upon successful validation, G W computes Rho1 (= xor(W2,R1)) and Rho2 (= xor(W1,W2)). Subsequently, G W generates a fresh timestamp (T6), and computes Pieg = {Rho1 .Rho2 .T6}_W1 and compiles a message MI I (= Pieg ). The goal predicates set by the Gw is the privacy of the data (Rho1 and Rho2 ) along with the validation of the timestamp (T6) at user. Thereafter, G W send the message to the user for extracting the required information to generate secret keys. Consequently, user decrypts the received message (MI I ), Pieu = {Rho1 .Rho2 .T6}_W1. Post decryption, user validates the timestamp (witness (U,Gw,gateway_user_t6,T6)). Successful decryption of Pieu and Zg results in mutual authentication. Finally, user and G W use the retrieved information to generate the secret keys, SK.
Session role demonstrates the various constants, variables used by the entities during the communication for example, User(U,Gw,Hash,Pug,Prg,SK,W1,SU,RU), G W (U,Gw,Hash,Pug,Prg,SK,W1, SGw,RGw). On the contrary, environment role is very prominent as it describes the constants and variables used globally by the agents. Furthermore, it describes the behaviour of the intruder{user, gateway,pug,prgi,ski,w1i,h}. Environment role also discusses the organizations of various sessions that may takes place between legitimate and illegitimate entities, for example, Session 1 (user,gateway,h,pug,prg,sk, w1), Session 2 (user,i,h,pug,prgi,ski,w1i), Session 3 (i,gateway,h,pug,prgi,ski,w1i).  Finally, the environment role ends with declaration of goals of interest. The goals established to evaluate the robustness of proposed protocol is depicted in Figure 7 and listed here: 1. Secrecy_of sub1 represents that {Omega; T5} are kept secret between user and gateway. 2. Authentication_on gateway_user_t6 states that the timestamp (i.e., T6) of the message {MI I } will be validated at the user. 3. Authentication_on user_gateway_t5 states that the timestamp (i.e., T5) of the message MI will be validated at the G W . 4. Secrecy_of sub2 represents that {Rho1; Rho2} are kept secret between gateway and user.
MAKE-IT approach has been tested on two back ends of AVISPA that is, OFMC and CL-AtSe as illustrated in Figure 8. The Output file (OF) of OFMC and CL-AtSe backend clearly demonstrates that no vulnerability has been identified and the protocol is declared safe to use in Internet of Things applications. Conclusively, the protocol can withstand all the attacks mentioned in DY model while still maintaining the data privacy, authenticity and integrity of communications. File: /home/span/Desktop/IoT HAN Modified/IIOT NEW/Sessionnew Page 1 of 1

Informal Analysis
The informal security analysis of MAKE-IT approach has been discussed in this sub-section.
Assume an attacker eavesdropped the message, M I (Ω || T 5 ) and replay later to G W for getting unauthorized access. The G W receives the replayed message and decrypts, D(W 1 , (Ω || T 5 ) . Post decryption, G W verifies the timestamp and analyse that received message contains old and expired timestamp, T 6 − T 5 > ∆T. The ∆T is usually kept very small to make it difficult for the adversary to replay the captured messages within ∆T. The G W instead of processing further discards the dishonest message. Additionally, the message M I is encrypted with the secret temporary session key W 1 , hence making it computationally infeasible for the adversary to modify the timestamp (T 5 ). Therefore, proposed protocol is resilient to replay attacks.

Theorem 2. Resilient to man in the middle (MITM) attack.
Proof of Theorem 2. In MITM attack, adversary modifies the captured messages in such a way that destination cannot differentiate the modified message from the original message. Assume an attacker performs MITM attack between user and the gateway by capturing and modifying the message M I (= E(W 1 , (Ω || T 5 ) ). These computations are hard for attacker due to non availability of temporary secret key (W 1 ) required for deciphering the captured message D(W * 1 , (Ω || T 5 )) followed by ciphering of modified message E(W * 1 , (Ω || T 5 ) ). Therefore, attacker fails to attempt MITM attack between the user and the gateway. Similarly, other messages M 1 , M 2 , M 3 , M 4 , and M I I are also encrypted and hence cannot be modified. Therefore, the proposed scheme is protected from MITM attacks. 1 , (ρ 1 || ρ 2 || T 6 ) * )}. However, it is computationally difficult for the attacker to make any changes as the information is encrypted with the temporary secret key, W 1 . Neither the key nor the security credentials (random secrets) are ever shared in plain text over the unsecured medium. Therefore, attacker does not find way to modify the content. Similarly, other messages M 1 , M 2 , M 3 , M 4 , and M I are ciphered to prevent modifications. Thus, proposed scheme is secured against modification attack. Secret key is formed using random secrets (R 1 , R 2 ) generated by trusted and tamper proof entity, AS. User shares R 2 with gateway through message M I (= Ω || T 5 ). Likewise, gateway shares R 1 with user through M I I (= ρ 1 || ρ 2 || T 6 ). Both G W and user retrieve R 2 & R 1 from M I and M I I , respectively. Finally, user and gateway generate a shared secret key, SK = R 1 ⊕ R 2 . As the keys are formed using random secrets which were never shared with anyone, therefore proposed protocol adheres to security measures while forming the secret key. The compliance to security measures ensures that secret key generated is not compromised and can be used for securing future communications. Theorem 5. Proposed scheme exhibits data confidentiality.
Proof of Theorem 5. Revealing of information to untrusted entities can pose serious threats to the existence of IIoT networks. Assume an attacker eavesdrop a message, M 3 (= E(PU AS , ψ)). In spite of successful eavesdropping, the attacker would not be able to interpret the information due to the non availability of the private key of AS, D(PR ? AS , ψ). The AS has never shared its private key (PR AS ) with anyone, therefore, the attacker remains unsuccessful in obtaining the information from the captured message, M 3 . In another instance, lets assume that attacker has captured, M I I {= E(W 1 , (ρ 1 || ρ 2 || T 6 ))}. The attacker has intentions to retrieve W 2 and R 1 from the captured message, M I I . Despite the successful capturing of M I I , the attacker would not be able to recover W 2 and R 1 from ρ 1 and ρ 2 , respectively as the attacker needs a temporary secret key (W 1 ) to decipher the information {= D(W ? 1 , (ρ 1 || ρ 2 || T 6 ))}; the temporary secret key (W 1 ) is shared amongst legitimate entities only. Similarly, the messages M 1 , M 2 , M 4 , and M I are also encrypted, therefore, confidentiality of the information is ensured at all levels of communication. The attacker does not have these keys, PR G , PR AS , O 2 , and W 1 , to recover the overall information exchanged between the IIoT network entities. The proposed scheme exhibits the security property of data confidentiality.

Theorem 6. MAKE-IT achieves identity anonymity.
Proof of Theorem 6. Identity anonymity is desirous to prevent the network from flooding based attacks, location aware attacks, and impersonation attacks, and so forth. MAKE-IT never discloses the identities of the network nodes to any unauthorized entity. Only AS has prepared an offline database of identities for verification purposes. AS is a trusted entity and stores the information in tamper proof memory, therefore any access or modification by the attacker is not possible. Even the parties involved in the communication does not know the real identities of each other, their identity details are hashed before being shared. Consider an attacker intercepted the message M 3 = E(PU AS , Ψ) containing the hashed identity details of the G W , still the attacker would not be able to interpret the identity due to hashing (W = hash (S G || P G || L G || M G || G ID )) and ciphering of information, E(PU AS ). The attacker does not have the private key of AS (PR AS ) to decipher the information. Therefore, MAKE-IT keeps the communication anonymous by not revealing the identities of user, gateway, and AS during the exchange of messages.

Performance and Comparative Analysis
In this section, we evaluate the performance of the proposed protocol in terms of storage overhead, computational and communication cost. This section also presents the comparison analysis of proposed MAKE-IT approach with the traditional schemes [2,3,[23][24][25][26][27] in terms of robustness against attacks and attainment of security features.
The storage cost requirement for implementing the proposed MAKE-IT approach is presented in Table 3. Total storage cost (all phases) of User, G W and AS are 264 bytes, 210 bytes, and 187 bytes, respectively. The storage space available in the CM5000 Telos B mote [57] (resource constrained device) is 1 MB, whereas the storage requirement to execute the proposed protocol (all phases) is just 0.02% of the total available memory space. The MAKE-IT approach achieves the goal of performing mutual authentication and key exchange with a small storage requirement. Apparently, the storage requirements are very nominal, thus making a way for its (MAKE-IT) applicability in all possible use cases of IIoT.  Table 4 demonstrates the computational cost spent by different entities (User, G W and AS) in all phases (user device registration, mutual authentication and key exchange) whereas Table 5 compares the computational cost requirements of proposed scheme with existing state of the art schemes. It can be clearly witnessed that the proposed scheme has less computations, thus imposing less burden on device processing, storage and battery resources. Note that we have only compared for mutual authentication and key exchange phase as the registration phase occurs once during initialization. Table 4. Computational cost of proposed protocol.
We have considered the Telos mote for calculating the communication cost of our scheme. Telos mote consumes 0.81 µJ and 0.72 µJ of energy for receiving and transmitting one bit, respectively [57]. Table 6 furnish the total communication cost spent by G W and User for performing mutual authentication and secret key generation. The results clearly signifies the efficiency of proposed scheme. The proposed protocol consumes only 385 µJ of energy whereas [2,3,[23][24][25][26][27], consumes 768 µJ, 749 µJ, 658 µJ, 739 µJ, 742 µJ, 698 µJ, and 1411 µJ of energy, respectively. Therefore, existing schemes are not suitable for resource constrained environment of IIoT.

Schemes
Resource Constrained Device [2] 7 * C H + C ran + 6 * C XOR [3] 4 * C E + 8 * C H [23] 9 * C H + 5 * C XOR [24] 9 * C H + C ran + 4 * C XOR [25] 15 * C H + 10 * C XOR [26] 10 * C H + C XOR [27] 12 * C H + 2 * C ran + 8 * C XOR MAKE-IT C E + C D + 4 * C XOR The robustness of the proposed protocol has been verified and presented in this section. The various security features offered by the proposed protocol accompanied with the list of attacks resisted by the protocol is presented in Table 7. It is observed from the Table that the proposed scheme exhibits strong protection against potential attacks and performs better in comparison to traditional schemes [2,3,[23][24][25][26][27].  Figure 9 illustrates the number of messages exchanged by the resource constrained device during mutual authentication and key exchange phase. It is found during analysis that proposed scheme exchanges only 2 messages in comparison to 3, 4, 3, 4, 3, 4, and 6 messages of scheme [2,3,[23][24][25][26][27], respectively. Less message exchanges in proposed scheme is a vital sign of efficient utilization of resources.

Conclusions & Future Scope
In this paper, we propose a lightweight remote user mutual authentication and key exchange model for IIoT. Industrial network can be protected from external threats if authenticity verification is performed before allowing any entity to access the network resources. The proposed scheme uses symmetric and asymmetric key cryptography, hash, timestamps, and so forth and various other crypto primitives to achieve secure mutual authentication and key exchange. The robustness of the scheme against attacks (replay attacks, modification attacks, and man in the middle attacks, etc.) is evaluated using formal and informal security analysis. The scheme proposed can withstand many popular attacks and offer many security features like data confidentiality, identity anonymity, integrity, and so forth. Further the proposed scheme is found to be resource efficient in terms of computation and communication. All these advantages of proposed protocol over existing schemes paves a path for its use in IIoT applications. The proposed scheme can further be extended in future to protect the industrial IoT networks from internal threats as well. Future work might also consider having a comparison of MAKE-IT protocol with TCP-UDP/IP security protocols under different network settings and parameters. Especially observing the performance comparison of our MAKE-IT protocol against others under the industrial network environment settings (where network delay is up most important) would be appealing.