A Secure IoT-Based Authentication System in Cloud Computing Environment

The Internet of Things (IoT) is currently the most popular field in communication and information techniques. However, designing a secure and reliable authentication scheme for IoT-based architectures is still a challenge. In 2019, Zhou et al. showed that schemes pro-posed by Amin et al. and Maitra et al. are vulnerable to off-line guessing attacks, user tracking attacks, etc. On this basis, a lightweight authentication scheme based on IoT is proposed, and an authentication scheme based on IoT is proposed, which can resist various types of attacks and realize key security features such as user audit, mutual authentication, and session security. However, we found weaknesses in the scheme upon evaluation. Hence, we proposed an enhanced scheme based on their mechanism, thus achieving the security requirements and resisting well-known attacks.


Introduction
With the rapid development of computer science and network technology, the concept of the Internet of Things (IoT) has become a hot topic for research. A scientist named Ashton introduced this concept in 1991. In IoT, numerous sensors have the capability of collecting data and communicating with each other or providing data for human beings through the Internet.
Therefore, technology can be widely used in the smart power grid, smart home, and other fields. In a smart grid, sensors monitor electric energy consumption and time-of-use rates for power stations. Then, the stations can optimize power supply. In the intelligent transportation system, sensors monitor traffic to optimize navigation. In the smart home, users can control, monitor, and access items remotely. Though IoT is close to our lives, it suffers from security challenges due to the wireless nature of the communication channel [1].
In order to protect against those security challenges in IoT, authentication is indispensable. Authentication guarantees that the messages received by the receiver are from a legal message sender. It serves as the first line of defense against potential attackers. Authentication is considered the key requirement for IoT [2]. The cryptography in authentication falls into two broad categories: symmetric encryption and asymmetric encryption. Common asymmetric encryption includes elliptic-curve cryptography (ECC) and RSA encryption.
. U i sends the message Step 2: When S j receives M 1 , S j selects a new pseudo-identity PSID j new and a random number r s to calculate D 5 = B 1 ⊕r s , D 6 = h(r s ||PSID j ||ID cs )⊕SID j , D 7 = B 2 ⊕PSID j new ⊕h(r s ||PSID j ), and D 8 = h(SID j ||PSID j ||PSID j new ||r s ||D 7 ). S j sends the message M 2 = {M 1 , PSID j , D 5 , D 6 , D 7 , D 8 } to CS.
Step 3: When CS receives M 2 , CS calculates r u = D 1 ⊕h(PID i ||ID cs ||x), ID i = D 2 ⊕h(r u ||PID i ||ID cs ), and PIDi new = D 3 ⊕h(ID i ||x)⊕h(r u ||ID i ). CS checks whether ID i in the database and D 4 ? = h(ID i ||PID i ||PIDi new ||r u ||D 3 ). If ID i is in the database and D 4 = h(ID i ||PID i ||PIDi new ||r u ||D 3 ), it means that CS confirms U i is a legal user. Otherwise, the authentication process will be terminated. Then, CS calculates r s = D 5 ⊕h(PSID j ||ID cs ||x), SID j = D 6 ⊕h(r s ||PSID j ||ID cs ), and PSID j = D 7 ⊕h(SID j ||x)⊕h(r s ||SID j ). CS checks whether SID j is in database and D 8 = h(SID j ||PSID j ||PSID j new ||r s ||D 7 ). If SID j is in the database and D 8 = h(SID j ||PSID j ||PSID j new ||r s ||D 7 ), it means that CS confirms the S j is legal. Then, CS selects a random number r cs to calculate the session key SK = h(r u ⊕r s ⊕r cs ), D 9 = h(PSID j new ||ID cs ||x)⊕h(r s ||PSID j new ), D 10 = h(PSID j new ||r s ||PSID j )⊕(r u ⊕r cs ), D 11 = h(SK cs ||D 9 ||D 10 ||h(SID j ||x)), , and D 14 = h(SK cs ||D 12 ||D 13 ||h(ID i ||x)). CS sends the message M 3 = {D 9 , D 10 , D 11 , D 12 , D 13 , D 14 } to S j .
Step 4: When S j receives M 3 , S j calculates (r u ⊕r cs = D 10 ⊕h(PSID j new ||r s ||PSID j ). Hence, S j can compute SK = h(r u ⊕r s ⊕r cs ). Then, S j checks D 11 ? = h(SK s ||D 9 ||D 10 ||B 2 ) to confirm that CS is a legal control server or not. If CS is a legal control server, S j calculates A solution that provides anonymity must ensure that no one except the server knows the user's personal information. We assume that the attacker U A is a legitimate user. Hence, U A will obtain (C * 1 = h(PID A ||ID cs ||x), C * 2 = h(ID A ||x), ID cs ) from CS in the user registration phase. Once U A intercepts the message M 1 = {PID i , D 1 , D 2 , D 3 , D 4 } from U i and uses PID i as new pseudo-identity to restart an authentication session, U A can obtain the ID i of the user U i . Details of the process are as follows.
Step 1: First, U A chooses a random number r A to calculate Step 2: Therefore, Zhou et al.'s scheme cannot guarantee anonymity in the authentication phase.

Proposed Scheme
After we reviewed the shortcomings of Zhou et al.'s scheme, an improved scheme is put forward. The improvements include registration, authentication, and password modification.

Notations
The following is the introduction to the notations that will be used in our scheme. U i is the ith user. ID i is the ith user's identity. PW i is the ith user's password. n i is a random number. CS is the control server. PID i is the ith user's pseudo-identity. ID cs is the control server's identity. SID j is the jth server's identity. PSID j is the jth server's pseudo-identity.
x is the secret key of CS. h () is a one-way hash function. r u , r s, r cs are the random numbers selected by U i , S j , and CS. SK u , SK s, SK cs are the session keys for U i , S j , and CS. M 1 , M 2 , M 3 , M 4 are the messages in the authentication.

Registration Phase
This phase is divided into two parts: user registration and cloud server registration. When a user or a cloud server wants to join this system, he/she must run this phase first. After the user and the cloud server successfully finish this phase, they can connect with each other to start the authentication phase.

User Registration
User U i selects their own id ID i , password PW i , random number n i . He/she sends ID i to CS by the secure channel. When CS receives ID i , CS checks it for its validity. If it is invalid, CS will stop this phase; otherwise, CS selects a pseudo-identity PID i for U i and uses the secret key x to compute A i = h(PID i ||ID cs ||x) and B i = h(ID i ||x). CS stores ID i in its database and sends (A i , B i , PID i , ID cs ) to U i by the secure channel. Once U i obtains these parameters, , and C 4 = h(ID i ||PW i ||n i ) and then stores (C 1 , C 2 , C 3 , C 4 , PID i , ID cs ) in a smart card. The flowchart for user registration is shown in Figure 1.

Registration Phase
This phase is divided into two parts: user registration and cloud server registration. When a user or a cloud server wants to join this system, he/she must run this phase first. After the user and the cloud server successfully finish this phase, they can connect with each other to start the authentication phase.

User Registration
User Ui selects their own id IDi, password PWi, random number ni. He/she sends IDi to CS by the secure channel. When CS receives IDi, CS checks it for its validity. If it is invalid, CS will stop this phase; otherwise, CS selects a pseudo-identity PIDi for Ui and uses the secret key x to compute Ai = h(PIDi||IDcs||x) and Bi = h(IDi||x). CS stores IDi in its database and sends (Ai, Bi, PIDi, IDcs) to Ui by the secure channel. Once Ui obtains these parameters, Ui calculates C1 = Ai⊕h(IDi||ni), C2 = Bi⊕h(PWi||ni), C3 = ni⊕h(IDi||PWi), and C4 = h(IDi||PWi||ni) and then stores (C1, C2, C3, C4, PIDi, IDcs) in a smart card. The flowchart for user registration is shown in Figure 1.

Cloud Server Registration
A cloud server Sj sends its identity SIDj and a pseudo-identity PSIDj to CS by a secure channel. Then, CS uses the secret key x to compute Aj = h(PSIDj||IDcs||x) and Bj = h(SIDj||x), stores SIDj in its database, and sends (Aj, Bj, IDcs) to Sj by a secure channel. When Sj receives these parameters, Sj stores (Aj, Bj, SIDj, SPIDj, IDcs) in its memory. The flowchart of the cloud server registration phase is shown in Figure 2.

Cloud Server Registration
A cloud server S j sends its identity SID j and a pseudo-identity PSID j to CS by a secure channel. Then, CS uses the secret key x to compute A j = h(PSID j ||ID cs ||x) and B j = h(SID j ||x), stores SID j in its database, and sends (A j , B j , ID cs ) to S j by a secure channel. When S j receives these parameters, S j stores (A j , B j , SID j , SPID j , ID cs ) in its memory. The flowchart of the cloud server registration phase is shown in Figure 2.

Authentication Phase
When the user U i needs to retrieve services from the cloud server S j , this authentication must start to make sure of the legitimacy of both the user and the cloud server. After the authentication phase is completed, the user will negotiate a session key SK. By this session key, U i can connect with S j securely. The processes of the authentication phase are shown as follows and Figure 3.

Authentication Phase
When the user Ui needs to retrieve services from the cloud server Sj, this authentication must start to make sure of the legitimacy of both the user and the cloud server. After the authentication phase is completed, the user will negotiate a session key SK. By this session key, Ui can connect with Sj securely. The processes of the authentication phase are shown as follows and Figure 3. Step 1: When user Ui attempts to connect to cloud server Sj, he/she inserts the smart card into a reader machine and keys in IDi and PWi. Then, the smart card selects a random number ru and calculates ni = C3⊕h(IDi||PWi). Then, the smart card checks h(IDi||PWi||ni)? = C4 to verify the identity and password. If the verification passed, the smart card will calculate Ai = C1⊕h(IDi||ni), Bi = C2⊕h(PWi||ni), D1 = Ai⊕ru, D2 = h(ru||PIDi||IDcs)⊕IDi, and D3 = h(IDi||PIDi||ru). Finally, the smart card sends M1 = {PIDi, D1, D2, D3} to Sj.
Step  Step 1: When user U i attempts to connect to cloud server S j , he/she inserts the smart card into a reader machine and keys in ID i and PW i . Then, the smart card selects a random number r u and calculates n i = C 3 ⊕h(ID i ||PW i ). Then, the smart card checks h(ID i ||PW i ||n i )? = C 4 to verify the identity and password. If the verification passed, the smart card will calculate Step 2: When S j receives M 1 , S j selects a new pseudo-identity PSID j and a random number r s to calculate Step 3: Once CS receives M 2 , CS uses the secret key x to compute r u = D 1 ⊕h(PID i ||ID cs ||x) and ID i = D 2 ⊕h(r u ||PID i ||ID cs ) and then checks whether ID i is valid and D 3 ? = h(ID i ||PID i ||r u ) or not. If the ID i is in its database and D 3 = h(ID i ||PID i ||r u ), it means that U i is legal. For the cloud server S j , CS uses the sccret key x to compute r s = D 4 ⊕h(PSID j ||ID cs ||x), SID j = D 5 ⊕h(r s ||PSID j ||ID cs ), PSID j =D 6 ⊕h(SID j ||x)⊕h(r s ||SID j ), and then checks whether SID j is in the database and D 7 = h(SID j ||PSID j || PSID j ||r s ||D 6 ). If both conditions hold, it means that S j is legal. The processes of authentication phase will be stopped when any verification is wrong; otherwise, CS selects a random number r cs to compute the session key SK cs = h(r u ⊕r s ⊕r cs ) for this round. Subsequently, for S j , CS computes D 8 = h( PSID j ||ID cs ||x)⊕h(r s ||PSID j ), D 9 = h( PSID j ||r s ||PSID j )⊕(r u ⊕r cs ), and D 10 = h(SK cs ||D 8 ||D 9 ||h(SID j ||x)). For U i , CS selects a new pseudo-identity PID i to compute D 11 = PID i ⊕h(ID i ||x)⊕h(r u ||ID i ), D 12 = h(PID i ||ID cs ||x)⊕h(r u ||PID i ), D 13 = h(PID i ||r u ||PID i )⊕(r s ⊕r cs ), and D 14 = h(SK cs ||D 12 ||D 13 ||h(ID i ||x)). Finally, CS sends the message M 3 = {D 8 , D 9 , D 10 , D 11 , D 12 , D 13 , D 14 } to S j .
Step 4: While S j receives M 3 , S j uses PSID j and r s to extract (r u ⊕r cs ) from D 9 , i.e., r u ⊕r cs = D 9 ⊕h(PSID j ||r s ||PSID j ). Then, S j checks D 10 ? = h(SK s ||D 8 ||D 9 ||B j ), where SK s = h(r u ⊕r s ⊕r cs ). If this equation holds, it means that CS is legal; otherwise, this authentication process will be terminated. S j continues to calculate A j = D 8 ⊕h(r s || PSID j ) and updates A j and PSID j as A j and PSID j in the memory. At the end of this step, S j sends the message M 4 = {D 11 , D 12 , D 13 , D 14 } to U i .
Step 4: Once the smart card receives M 4 , the smart card uses B i , r u , and ID i to extract PID i and (r s ⊕r cs ) from D 11 and D 13 , respectively, i.e., PID i = B i ⊕D 11 ⊕h(r u ||ID i ) and (r s ⊕r cs ) = D 13 ⊕h( PID i ||r u ||PID i ). The smart card will check whether or not D 14 ? = h(SK u ||D 12 ||D 13 ||B i ), where SK u = h(r u ⊕r s ⊕r cs ). If this equation holds, it means that CS is legal; otherwise, this authentication process will be terminated. The smart card uses the new pseudo-identity PID i to calculate C 1 = D 12 ⊕h(r u || PID i )⊕h(ID i ||n i ) and updates C 1 and PID i as C 1 and PID i . Finally, the smart card sends h(SK u ) to S j .
Step 5: When S j receives h(SK u ), S j will check h(SK u )? = h(SK s ). If h(SK u ) = h(SK s ), this means that they already correctly negotiate the session key.

Password Change Phase
If the user U i needs to change the password, you may need to start the password change phase. First, we assume that the smart card of U i contains ( C 1 , C 2 , C 3 , C 4 , PID i , ID cs ). The U i inserts the smart card into the card reader for key verification in identity ID i and the original password PW i . The smart card will calculate n i = C 3 ⊕h(ID i ||PW i ) and check h(ID i ||PW i ||n i )? = C 4 . If the equation holds, U i can input the new password PW i . The smart card calculates C 2 = C 2 ⊕h(PW i ||n i )⊕h( PW i ||n i ), C 3 = C 3 ⊕h(ID i ||PW i )⊕h(ID i || PW i ), and C 4 = C 4 ⊕h(ID i ||PW i ||n i )⊕h(ID i || PW i ||n i ) and replaces (C 2 , C 3 , C 4 ) with (C 2 , C 3 , C 4 ). Finally, there are (C 1 , C 2 , C 3 , C 4 , PID i , ID cs ) in the smart card, and U i can use the new password PW i to perform the authentication phase in the next round. The flowchart of password modification phase is shown in Figure 4.

Security Analysis
In this section, we will analyze nine fundamental security requirements in which an authentication scheme should be achieved.

Security Analysis
In this section, we will analyze nine fundamental security requirements in which an authentication scheme should be achieved.

Mutual Authentication
As we discussed in Section 2.2.1., mutual authentication means that the identities of the two entities should be recognized before they connect. In our scheme, CS can be mutually authenticated with U i and S j , respectively.

CS Verifies the Identity of Ui through Checking D3? = h(IDi PIDi ru)
In the user registration phase, CS computes A i = h(PID i ||ID cs ||x) and B i = h(ID i ||x) for U i , and two parameters are only known by CS and U i . When U i uses A i to hide the random number r u in the authentication phase, i.e., D 1 = A i ⊕r u , CS can use h(PID i ||ID cs ||x) to extract r u . Finally, CS can verify the identity of U i by equation D 3 = h(ID i PID i r u ).

CS Verifies the Identity of Sj through Checking D7? = h(SIDj PSIDj PSIDj' rs D6)
In the cloud server registration phase, CS computes A j = h(PSID j ||ID cs ||x) and B j = h(SID j ||x) for S j , and two parameters are only known by CS and S j . When S j uses A j to hide the random number r s in the authentication phase, i.e., D 4 = A j ⊕r s , CS can use h(PSID j ||ID cs ||x) to extract r s . Finally, CS can verify the identity of S j by equation D 7 = h(SID j PSID j PSID j ' r s D 6 ).

Sj Verifies the Identity of CS through Checking D10? = h(SKs D8 D9 Bj)
Because B j is only shared between S j and CS, they only have the capability of computing h(SK s D 8 D 9 B j ). Therefore, S j can verify the identity of CS by equation

Session Key for All Entities
In the authentication phase, U i , S j , and CS generate r u , r s , and r cs , respectively. In addition, U i , S j , and CS obtain (r s ⊕r cs ), (r u ⊕r cs ), and (r u , r s ) from D 13 , D 9 , and (D 1 , D 4 ), respectively. Therefore, all entities can compute one same session key SK = SK cs = SK s = SK u = (r u ⊕r s ⊕r cs ) in one session.

User Anonymity
The attacker's use of user anonymity means that the user U i cannot be identified through the messages in the communication session [43]. In our authentication phase, U i 's identity ID i is protected by a hash function D 2 = h(r u ||PID i ||ID cs )⊕ID i . Therefore, if an attacker wants to obtain U i 's identity, he/she must compute h(r u ||PID i ||ID cs ). However, he/she cannot acquire the r u because he/she does not have the secret key x of CS to derive r u from D 1 = A i ⊕r u , where A i = h(PSID j ||ID cs ||x). Even if the attacker is a legal user, he/she still cannot obtain h(r u ||PID i ||ID cs ) by adopting the strategy shown in Section 2.2.2. Therefore, the attacker cannot identify U i 's identity; furthermore, it shows that our proposed scheme has user anonymity.

Resistance to Off-Line Guessing Attack
Off-line guesswork attacks happen when an attacker obtains all the information stolen from the user, pass through insecure channels, and store in smart CARDS. The attacker can use the information held to guess the user's identity and password. We assume that an attacker gets (C 1 , C 2 , C 3 , C 4 , PID i , ID cs ) that is stored in the user U i 's smart card and all messages (M 1 , M 2 , M 3 , M 4 ) that pass by a nonsecure channel in the last session. Then, the attacker wants to guess a pair (ID i , PW i ) from information. He/she can use the equation D 2 = h(r u ||PID i ||ID cs )⊕ID i to confirm her/his guess ID i . According to the above hypothesis, the attacker has PID i and D 2 from M 2 ; ID cs is from the smart card. Therefore, he/she needs to get r u . Then, r u can be derived by rearranging D 1 = A i ⊕r u to r u = A i ⊕D 1 . However, the attacker cannot compute A i = h(PSID j ||ID cs ||x) without the secret key x of CS. Therefore, he/she cannot successfully guess ID i . In addition, PW i only appears on C 2 = h(ID i ||x)⊕h(PW i ||n i ), C 3 = n i ⊕h(ID i ||PW i ), and C 4 = h(ID i ||PW i ||n i ). If the attacker wants to guess it, he/she needs to obtain ID i , x or n i first. However, the attacker cannot extract those values from intercepted messages. Therefore, he/she cannot successfully guess PW i . The results show that the scheme can resist offline guessing attack.

Resistance to Insider Attack
An insider attack means that an attacker is an inside member of the company of CS. He has the right to access the data stored in the CS's database, e.g., the registered users' identities and passwords. Then, he/she can use the information to simulate a legitimate user or cloud server. In our proposed scheme, only ID i and SID j are stored in CS for registration. There is no any other information for authentication stored in CS, i.e., A i , B i , A j , B j . Therefore, even if the inside attacker accesses the database of CS, he/she only can obtain the identity ID i of U i and SID j of S j ; besides, the inside attacker still cannot impersonate the user U i or the cloud server S j . Thus, the scheme is able to resist internal attack.

Resistance to Stolen Smart Card Attack
Stolen card attack points to an attacker who steals the user's smart card and extracts data stored in a smart card. Then, he/she uses these data to impersonate the user whose smart card was stolen. Here, we assume that an attacker already extracts the data (C 1 , C 2 , C 3 , C 4 , PID i , ID cs ) from user U i 's smart card. In our proposed scheme, if the attacker wants to impersonate user U i , he/she needs to perform the authentication phase. According to the description of Step 1 in Section 3.2., the attacker needs to key in the correct ID i and PW i for checking the equation h(ID i ||PW i ||n i )? = C 4 . However, he/she does not have ID i and PW i . Therefore, when the attacker initiates an authentication run, he/she cannot pass the check h(ID i ||PW i ||n i )? = C 4 in this step, then his/her authentication process will be terminated. The results show that the scheme can resist the attack of stolen smart cards.

Resistance to De-Synchronization Attack
An anti-synchronization attack means that an attacker interrupts and modifies the response message from the control server during the authentication phase, so that the authentication data between the client and the database of the control server are not synchronized [44]. Then, even if he/she is a legitimate user passing through the controlled server, all future authentication processes will fail.
In our proposed scheme, only users' identities are stored in the control server's database. In addition, those identities will not be changed in any phases, i.e., the authentication and password change phases. For the user, data changes occurred in the authentication stage and the last step of the password change phase. However, password change only needs to be involved on the user side; thus, the attacker cannot interfere. In the last step of the authentication phase, the data in the user's smart card will be updated (C 1 , PID i ) to (C 1 , PID i ) when authentication processes are successfully finished. If the update was interrupted, the user can still use the old data (C 1 , PID i ) to run a successful authentication process. It can be concluded that the scheme can resist synchronous attack.

Resistance to Forgery Attack
Counterfeit attack points to the attacker in the session is sent to the user, the cloud server and control server message, then the receiver will believe these messages are sent from a legal user, a cloud server, or the control server.
In our scenario, if an attacker wants to forge a user Ui, he/she would need to forge a message M1 to pass the equation D3? = h(IDi PIDi ru). However, the attacker cannot forge D 1 = A i ⊕r u because A i = h(PID i ||ID cs ||x) contains the secret key x of a control server. If the attacker wants to forge a cloud server, he/she needs to fabricate two messages, M 2 and M 4 . To pass the equation D 7 ? = h(SID j PSID j PSID j ' r s D 6 ) and D 14 ? = h(SK u D 12 D 13 B i ); however, he/she cannot forge D 4 = A j ⊕r s , D 6 = B j ⊕ PSID j ⊕h(r s ||PSID j ) and D 14 = h(SK cs ||D 12 ||D 13 ||h(ID i ||x)) because A j and B j both contain the secret key x of control server. If the attacker wants to forge the control server, he/she needs to make up a message M 3 to pass the equation D 10 ? = h(SK s D 8 D 9 B j ). However, he/she cannot forge D 8 = h( PSID j ||ID cs ||x)⊕h(r s || PSID j ) and D 10 = h(SK cs ||D 8 ||D 9 ||h(SID j ||x)) because those messages contain the secret key x of the control server. As a result, we provide a solution to staying away from forgery attacks.

Resistance to User Tracking Attack
In terms of user tracking attacks, when an attacker eavesdrops on the delivered messages in different sessions, and then the attacker can confirm that two messages are from a fixed user according to a stable pseudo-identity being used. In our proposed scenario, the user Ui's pseudo-identity would change in different sessions. Therefore, the attacker cannot ensure that any two messages are from the same user. The results show that the scheme can resist the user tracking attack.

Performance Evaluation
In this section, we will present the schemes of Maitra et al. [45], Amin et al. [36], Zhou et al. [42], and the performance evaluation of our schemes. Four authentication schemes only use a one-way hash operation, exclusive or operation, and concatenate operation. By comparing the execution time of an exclusive or operation to that of a one-way hash function or a symmetric algorithm, we ignored the execution time of an exclusive or operation., We chose SHA-2(256 bits) and AES as one-way hash functions and symmetric encryption/decryption algorithms, two of which are the most commonly used encryption methods in secure communications. Tables 1-3 show a comparison of the security properties, computation cost, and communication cost among four respective authentication schemes. In Table 1, "O" means that the scheme can achieve a security requirement or resist the attack; "X" means that the scheme cannot achieve a security requirement or resist the attack. In Table 2, "T h " is one computation time of one-way hash function operation, and "T s " is one computation time of symmetric encryption/decryption. The "T h " and "T s " s' values are 0.00517 ms and 0.02148 ms, respectively according to Zhou et al. [42].   Table 2 shows that our proposed scheme is in the middle regarding calculating costs. However, it is important to consider the trade-off between security and efficiency when we were designing a secure communication scheme. As can be seen from Table 1, the scheme proposed by us has better security than other schemes. We also assessed the communication costs of our scheme and other schemes, as shown in Table 3. The communication costs are the bits of parameters which passed during authentication. The Figure 5 shows the bar chart of the comparison of total calculation cost. Our scheme gets more cost than Zhou et al.'s [42] because we add an additional step at the last of the authentication phase to achieve mutual authentication. We only calculate the communication cost in the login and authentication phases due to the use of fewer number of times in the registration phase and password change phase. Therefore, in terms of security and efficiency, we can argue that our proposed scheme is more suitable for the Internet of Things environment than other related schemes.

Schemes
Communication Cost of L and A Amin et al.'s scheme [36] 4736 bits Maitra et al.'s scheme [45] 3072 bits Zhou et al.'s [42] 5760 bits Ours 6016 bits Note that the outputs of the one-way hash function and the AES algorithm are 256 bits, and identities, pseudo-identities, and random numbers are 128 bits.

Conclusions
In this paper, we demonstrated that Zhou et al.'s scheme is not fully secure. Mutual authentication and anonymity cannot be guaranteed in the authentication phase. Then, we designed Note that the outputs of the one-way hash function and the AES algorithm are 256 bits, and identities, pseudo-identities, and random numbers are 128 bits.

Conclusions
In this paper, we demonstrated that Zhou et al.'s scheme is not fully secure. Mutual authentication and anonymity cannot be guaranteed in the authentication phase. Then, we designed a new certification scheme to compensate for Zhou et al.'s scheme. The proposed scheme can resist common attacks and provide important features such as user anonymity and mutual authentication. We also added a new parameter in the first step of the authentication phase; moreover, it can detect whether or not the input identity and password are right at an early stage. Improved IoT-based authentication for cloud computing is also proposed, and the performance evaluation results show that the scheme has acceptable computation and good security. Therefore, we believe that this authentication scheme is applicable to real-world IoT devices.
In the future, we will investigate how to apply our IoT-based authentication mechanism in different computing environments, such as mobile environment and grid computing environment, etc. Furthermore, we are investigating how to make our system lightweight so that it can be widely used in the mobile computing world.