Fortifying Smart Home Security: A Robust and Efficient User-Authentication Scheme to Counter Node Capture Attacks

In smart home environments, the interaction between a remote user and devices commonly occurs through a gateway, which necessitates robust user authentication. Despite numerous state-of-the-art user-authentication schemes proposed over the years, these schemes still suffer from security vulnerabilities exploited by attackers. One severe physical attack is the node capture attack, which allows adversaries to compromise the security of the entire scheme. This research paper advances the state of the art by conducting a security analysis of user-authentication approaches regarding their vulnerability to node capture attacks, which reveals several security weaknesses. To this end, we propose a secure user-authentication scheme to counter node capture attacks in smart home environments. To validate the effectiveness of our proposed scheme, we employ BAN logic and the ProVerif tool for verification. Lastly, we conduct a performance analysis to validate the lightweight nature of our user-authentication scheme, making it suitable for IoT-based smart home environments.


Introduction
The Internet of Things (IoT) has rapidly expanded, with many interconnected physical nodes exchanging data and information [1]. The growth of IoT devices is expected to reach approximately 38.6 billion connections by 2025 [1]. These devices find applications in both consumer and industrial domains, and the smart home environment is emerging as a prominent use case [2,3,4]. Smart homes have numerous interconnected devices that enable remote users to manage and control their home appliances.
As the number of devices within IoT networks continues to increase, it becomes crucial to address management and security concerns for remote users. Security, in particular, poses a significant challenge for IoT networks, necessitating secure information exchange with attributes such as confidentiality, integrity, and availability to resist potential security attacks [5,6]. Among the security challenges in IoT, ensuring data privacy, authentication, authorization, and access control is critical [7,8]. Authentication, a fundamental security requirement, is especially challenging in smart home environments due to the resource-constrained nature of the devices [9,10].
To overcome these challenges and achieve secure user authentication, numerous user-authentication schemes for IoT-based smart home environments have been proposed in the literature. However, these authentication schemes often focus on general security

The contributions of this paper are as follows, emphasizing the innovation brought forth by our study:
• We comprehensively analyze prevailing authentication mechanisms vulnerable to node capture attacks in IoT-based smart home environments. Our assessment identifies the shortcomings and security gaps present in these mechanisms.
• We introduce a novel user-authentication scheme designed to counter node capture attacks and fortify the security posture of IoT-based smart homes. This scheme is a pioneering response to the evolving threats in this domain.
• Our proposed scheme undergoes rigorous formal and informal analyses to validate its security strength. This ensures that our solution meets the stringent security requirements expected in smart home environments.
• We demonstrate a marked improvement in computation and communication costs compared to existing approaches through meticulous performance analysis. This efficiency enhancement is a significant advancement in IoT-based smart home security.
Paper Organization: The rest of the paper is organized as follows: Section 2 provides an overview of the existing literature on the topic. Section 3 explains the fundamental idea behind our proposed authentication scheme, emphasizing its lightweight nature. Section 4 discusses the underlying threat model for conducting formal and informal security analyses. Section 5 performs a security analysis of the suggested scheme to evaluate its robustness against potential attacks using BAN logic and ProVerif. Section 6 presents an informal security analysis of the proposed authentication scheme, further exploring its strengths and weaknesses. Section 7 reports on the performance evaluation of our approach, focusing on computation and communication costs. Section 8 summarizes our major findings and discusses potential future research directions.

Related Work
Many user-authentication schemes have surfaced in the literature for IoT-based smart home environments. These schemes share the goal of providing robust authentication mechanisms, although they exhibit varying effectiveness and security vulnerabilities. In this section, we explore the notable contributions in the field and present a meticulous comparative analysis of their respective schemes.
Vaidya et al. [11] proposed a password-based authentication protocol for smart homes, employing HMAC-based one-time passwords and smart card technology. They claim mutual authentication features and forward secrecy, which prevents the exploitation of stolen smart cards and clock-synchronization attacks. However, further analysis revealed vulnerabilities in their scheme, including susceptibility to password-guessing and user-impersonation attacks. Kim et al. [12] studied and analyzed these security vulnerabilities and proved that Vaidya et al.'s protocol is vulnerable to password-guessing and user-impersonation attacks. They proposed a solution incorporating hash-based one-time password algorithms and hash chaining to address these weaknesses. However, the Kim et al. scheme is still vulnerable to the same issues identified in Vaidya et al.'s protocol.
Li [13] proposed a key establishment scheme for secure smart home energy management systems. This scheme manages and stores multiple keys and certificates, enabling secure device communication. However, the scheme suffers from computation overhead due to the large number of keys and certificates it handles. Additionally, it lacks the crucial feature of mutual authentication between the user device and smart devices, leaving it susceptible to impersonation attacks. Similarly, Santoso et al. [14] designed an elliptic curve cryptography (ECC)-based user-authentication scheme for IoT-based smart home systems and addressed the issues of mutual authentication. Their protocol achieves mutual authentication between IoT devices and mobile users with the help of a central gateway node (GWN). However, their scheme does not provide user anonymity and untraceability features, making it vulnerable to insider attacks like smart card theft.
Similarly, Kumar et al. [15] also proposed a lightweight authentication and session key establishment protocol for IoT-based smart home systems. Their scheme claims resistance against notable attacks like key-stolen attacks. However, it does not provide mutual authentication between the mobile user and smart device and lacks user anonymity and untraceability features. The mutual-authentication issue was further addressed by Wazid et al. [16], who designed a lightweight remote user-authentication protocol suitable for the resource-constrained devices of IoT-based smart home systems. The weakness in their scheme is its reliance on a verification table on the GWN for authentication purposes. This introduces other vulnerabilities that make the scheme susceptible to synchronization attacks. All the above schemes lack user anonymity and untraceability features. Table 1 presents a comparative analysis of the discussed user-authentication schemes for IoT-based smart home systems. The table includes an evaluation of each scheme based on mutual authentication, user anonymity, untraceability, and identified vulnerabilities.
The comparative analysis shows that the existing user-authentication schemes for IoT-based smart home systems have various vulnerabilities and lack essential security features. Therefore, there is a need for an improved user authentication protocol that addresses these flaws and provides a higher level of security. In the following sections, we propose a novel and improved user-authentication scheme for IoT-based smart home systems, which mitigates identified vulnerabilities and enhances overall security. We also perform a detailed security analysis of our proposed scheme.

Threat Model
The threat model is an essential component of the security analysis, providing a clear understanding of the attacker's assumptions and capabilities within the protocol's context. In this section, we define the threat model based on the Dolev-Yao model [17] and outline the assumptions made regarding the adversary, referred to as Eve.

• Communication Interception: Eve can intercept, inject, remove, or send new messages when two participants communicate over the public channel. This means that any information exchanged over the public channel is susceptible to manipulation or eavesdropping by Eve.
• Parameter Understanding: Eve can understand all the parameters exchanged over the public channel. This implies that Eve can analyze and comprehend the content of the messages transmitted between participants.
• Attacker Identity: Eve can be an outsider or a dishonest participant within the system. This encompasses the possibility of external attackers attempting to compromise the system's security and internal attackers with insider knowledge or unauthorized access.
• Gateway Security: The gateway, which plays a crucial role in the protocol, is assumed to be a secure entity. This means Eve cannot compromise the gateway or gain unauthorized access to its resources or sensitive information.
• Secret Parameter Protection: Eve cannot access the secret parameters used in the protocol. These secret parameters are assumed to be securely transmitted between the relevant parties and are not accessible or known to Eve.
By outlining these assumptions, the threat model provides a clear understanding of the capabilities and limitations of the attacker within the proposed protocol. It helps identify potential vulnerabilities and design appropriate security measures to mitigate them.

Proposed User-Authentication Scheme
The proposed protocol follows a general network model used in smart home environments, as depicted in Figure 1. Based on the analysis of state-of-the-art solutions, we have designed a user-authentication scheme to address the identified security vulnerabilities. Figure 2 presents the proposed user-authentication protocol. Additionally, Table 2 provides a guide to the notations and abbreviations used in the protocol.

Table 2. Notation guide of proposed protocol.

Notation    Description
TID U i     Temporary identity
K UG        Shared key between gateway and mobile user
K GS        Shared key between gateway and smart device
k           Secret key of gateway
t           Timestamp
L C         Current location
X n         History of location

Assumptions
• During the pre-deployment phase of smart devices in the network, it is assumed that the gateway has shared its identity credential and the hash of the shared key h(K GS ) with the smart devices.
• Each smart device has a unique identity and a shared key K GS established between the device and the gateway.
• The identity of the gateway (ID GW ) is known to all participants.
• Every mobile user knows the identities of the smart devices.
• The gateway is considered a trusted entity within the smart home network.
• The smart home network contains both tamper-resistant and non-tamper-resistant smart devices. Tamper-resistant devices are secure against node capture attacks, while non-tamper-resistant devices are vulnerable.
• The registration stage of the proposed protocol is carried out over a secure channel.
• The mobile user has a mechanism to extract and calculate location information and is capable of storing location history.

Stages of the Proposed Protocol
The proposed user authentication protocol consists of two stages:

Registration Stage
In the registration stage, the gateway issues security credentials to mobile devices. When a new mobile user (U i ) attempts to access a smart device, they must register the mobile device with the gateway. The registration process, illustrated in Figure 3, involves the following steps:
Step 1: The new mobile user (U i ) submits their unique ID U i to the gateway.
Step 2: The gateway generates two random numbers (N H and r u i ) and computes the shared secret key (K UG ) shared between the user and the gateway. The gateway also computes the temporary identity TID U i by encrypting the user's identity (ID U i ) concatenated with the random number (r u i ) using the secret key (k).
Step 3: The gateway stores and sends the message (M 2 ) to the requesting user (U i ).
After receiving the message (M 2 ) from the gateway, the user stores it on their mobile device.

Authentication Stage
A registered mobile user can access a smart device after successful mutual authentication and establishing a session key with the smart device through the gateway. This stage, illustrated in Figure 4, involves the following steps:
At the Mobile User Side:
Step 1: The mobile device generates a random number (N v ) and calculates the parameter (N y ).
Step 2: The mobile device obtains its current location (L C ) and computes the parameter (N C ). With this parameter, the gateway can easily derive the current location using the shared secret key (K UG ) stored at the gateway. The mobile user also manages the session's location history (X n ).
Step 3: The mobile user selects a smart device (SID j ) and computes the parameter (SD q ). The parameter Y n is the hash of the user's location parameters and the entities' identities.
Step 4: The mobile user computes the verification parameter (V 1 ) after generating the timestamp (T 1 ). Then, the mobile user sends the message (M 1 ) to the gateway.

Message M 1 Passed from Remote User to Gateway
At the Gateway Side:
Step 1: Upon receiving the message (M 1 ), the gateway generates the timestamp (T 2 ). It checks the condition T 2 − T 1 ≤ ∆T and verifies the TID U i using its secret key (k) and the shared key (K UG ) derived from the parameter N y . The gateway also checks the verification parameter (V 1 ).
Step 2: After successfully verifying V 1 , the gateway derives the current location from the parameter N C and recalculates the location history (X n ) using the previous location history value stored on the gateway from the previous session.
Step 3: The gateway calculates the parameter Y n and compares the calculated value with the derived parameter Y n (from the user's parameter U G ) to verify the mobile user based on their location parameters. Then, the targeted smart device identity is extracted from SD q .
Step 4: After the above conditions are satisfied, the gateway computes the verification parameter V 2 .

Message M 2 Passed from Gateway to Smart Device
At the Smart Device Side:
Step 1: The smart device generates the timestamp (T 3 ) and compares it with the receiving time (T 2 ) of the message (M 2 ). It also verifies the verification parameter (V 2 ). All smart devices store their identities and the hash of their shared secret keys.
Step 2: After successfully verifying V 2 , the smart device computes the verification parameter V 3 and sends message M 3 to the gateway.

Message M 3 Passed from Smart Device to Gateway
At the Gateway Side:
Step 1: Upon receiving the message M 3 , the gateway checks the condition T 4 − T 3 ≤ ∆T.
It verifies the timestamp and the verification parameter V 3 . If the verification fails, the session is terminated.
Step 2: If the above conditions are satisfied, the gateway updates the temporary identity by encrypting the saved user identity (ID U i ) with its secret key (k) along with a new random number (r new ).
Step 3: The gateway computes the parameter Z n and the verification parameter V 4 . It then sends the message (M 4 ) to the mobile user.

Message M 4 Passed from Gateway to Mobile User
At the Mobile User Side:
Step 1: The mobile user generates the timestamp (T 5 ) and compares it to the timestamp (T 4 ).
Step 2: The mobile user extracts the value of the new temporary identity (TID U i(new) ) from the parameter Z n and verifies the verification parameter V 4 .
Step 3: If the condition TID U i(new) = TID U i is satisfied, the session is terminated. Otherwise, it implies that the mobile user has successfully authenticated the smart device. Finally, the mobile user updates the temporary identity.
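The registration and authentication stages above, worked through as an added Python simulation. This is not the paper's code: the page gives no concrete formulas for N y , N C , SD q , V 1 to V 4 or Z n , so SHA-256 for h(), HMAC-SHA256 for the verification parameters, an XOR pad as a stand-in for encryption under k and K UG , and a 5 s ∆T are all assumptions. It shows the ∆T freshness check at every receiver, the gateway re-deriving L C , X n and Y n before accepting V 1 , the device leg keyed only with the device's own h(K GS ), and the per-session TID rotation with the user's final TID U i(new) ≠ TID U i check.

```python
import hashlib, hmac, secrets

DELTA_T = 5         # freshness window in seconds (assumed value; the page states none)
ZERO = b"\0" * 32   # X_0: empty location history

def h(*parts):             # h(): SHA-256 over the joined parts (assumed instantiation)
    return hashlib.sha256(b"|".join(parts)).digest()

def mac(key, *parts):      # V_1..V_4: HMAC-SHA256 over the message fields (assumed)
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

def mask(field, pad):      # <X>_y: X XORed with a key-derived pad (assumed stand-in cipher)
    return bytes(a ^ b for a, b in zip(field, pad))

def fresh(t_sent, t_now):  # the T_recv - T_sent <= DeltaT check applied by every receiver
    return 0 <= t_now - t_sent <= DELTA_T

class Gateway:
    def __init__(self):
        self.k = secrets.token_bytes(32)   # secret key k: never transmitted
        self.users = {}                    # ID_Ui -> [K_UG, location history X_n]
        self.devices = {}                  # SID_j -> h(K_GS): a distinct value per device
        self.pending = {}                  # TID -> (ID_Ui, SID_j, X_n) awaiting M_3
    def new_tid(self, id_u):               # TID_Ui = E_k(ID_Ui || r) with a fresh r
        r = secrets.token_bytes(16)
        return r + mask(id_u, h(self.k, r))
    def open_tid(self, tid):
        return mask(tid[16:], h(self.k, tid[:16]))
    def register(self, id_u):              # registration stage, over a secure channel
        self.users[id_u] = [h(id_u, secrets.token_bytes(16), self.k), ZERO]  # K_UG, X_0
        return self.new_tid(id_u), self.users[id_u][0]   # credentials the user stores
    def on_m1(self, m1, now):              # gateway side, steps 1-4
        tid, n_y, n_c, sd_q, t1, v1 = m1
        id_u = self.open_tid(tid)
        if not fresh(t1, now) or id_u not in self.users: return None
        k_ug, x_prev = self.users[id_u]
        n_v = mask(n_y, h(k_ug, b"nv"))                   # recover N_v from N_y
        l_c = mask(n_c, h(k_ug, n_v, b"loc"))             # derive current location L_C
        sid = mask(sd_q, h(k_ug, n_v, b"sid"))            # extract SID_j from SD_q
        x_n = h(x_prev, l_c)                              # recalculate history X_n
        y_n = h(l_c, x_n, id_u, sid)                      # Y_n binds location to identities
        hk = self.devices.get(sid)
        if hk is None or not hmac.compare_digest(v1, mac(k_ug, tid, n_y, n_c, sd_q, y_n, b"%d" % t1)): return None
        self.pending[tid] = (id_u, sid, x_n)
        return tid, now, mac(hk, b"V2", tid, b"%d" % now) # M_2 = (TID, T_2, V_2), keyed with h(K_GS)
    def on_m3(self, tid, m3, now):         # gateway side after the smart device answers
        v3, t3 = m3
        id_u, sid, x_n = self.pending.pop(tid)
        if not fresh(t3, now) or not hmac.compare_digest(v3, mac(self.devices[sid], b"V3", tid, b"%d" % t3)): return None
        k_ug = self.users[id_u][0]
        self.users[id_u][1] = x_n                         # commit the location history
        z_n = mask(self.new_tid(id_u), h(k_ug, b"zn"))    # Z_n = <TID_new>_KUG
        return mac(k_ug, z_n, b"%d" % now), now, z_n      # M_4 = (V_4, T_4, Z_n)

class SmartDevice:
    def __init__(self, sid, k_gs):
        self.sid, self.hk = sid, h(k_gs)   # holds only h(K_GS), as the page states
    def on_m2(self, m2, now):
        tid, t2, v2 = m2
        if not fresh(t2, now) or not hmac.compare_digest(v2, mac(self.hk, b"V2", tid, b"%d" % t2)): return None
        return mac(self.hk, b"V3", tid, b"%d" % now), now # M_3 = (V_3, T_3)

class MobileUser:
    def __init__(self, id_u, gw):
        self.id, (self.tid, self.k_ug), self.x_n = id_u, gw.register(id_u), ZERO
    def make_m1(self, sid, loc, now):      # mobile user side, steps 1-4
        n_v = secrets.token_bytes(16)
        n_y = mask(n_v, h(self.k_ug, b"nv"))
        n_c = mask(loc, h(self.k_ug, n_v, b"loc"))        # N_C carries L_C to the gateway
        sd_q = mask(sid, h(self.k_ug, n_v, b"sid"))
        self.x_next = h(self.x_n, loc)                    # X_n, committed on success
        y_n = h(loc, self.x_next, self.id, sid)
        v1 = mac(self.k_ug, self.tid, n_y, n_c, sd_q, y_n, b"%d" % now)
        return self.tid, n_y, n_c, sd_q, now, v1
    def on_m4(self, m4, now):              # final step: accept only a rotated TID
        v4, t4, z_n = m4
        if not fresh(t4, now) or not hmac.compare_digest(v4, mac(self.k_ug, z_n, b"%d" % t4)): return False
        new_tid = mask(z_n, h(self.k_ug, b"zn"))
        if new_tid == self.tid: return False              # TID_new == TID_old: terminate
        self.tid, self.x_n = new_tid, self.x_next
        return True

def run_session(user, gw, dev, loc, now):  # drives M_1..M_4; True only on mutual authentication
    m1 = user.make_m1(dev.sid, loc, now)
    m2 = gw.on_m1(m1, now)
    m3 = dev.on_m2(m2, now) if m2 else None
    m4 = gw.on_m3(m1[0], m3, now) if m3 else None
    return bool(m4) and user.on_m4(m4, now)
```

Identities and locations are 16-byte values and timestamps are integer seconds; all keys and message fields in a run are constructed inside the simulation.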

Security Analysis of the Proposed Scheme
The security analysis of the proposed protocol is conducted to assess its strength and resilience against various attacks. The analysis is performed by considering a threat model (defined in Section 3) and employing BAN logic [18,19] and ProVerif [20,21].

Security Analysis with BAN Logic
BAN logic provides a set of defined rules for the formal analysis of authentication protocols [18]. It applies various logical rules to determine whether a protocol achieves its authentication goals [19]. The BAN logic notations are shown in Table 3. In the proposed scheme, eight goals are derived using BAN logic, as outlined below:

Table 3. Notation guide for BAN logic.

Notation        Description
P |≡ X          P believes X
P ◁ X           P sees X
P |∼ X          P once said X
P ⇒ X           P has total jurisdiction over X
#(X)            X is updated and fresh
(X, Y)          X and Y are components of the formula (X, Y)
(X) k           Hash of message X using key K
< X > y         X is combined with y
P ←K→ Q         P and Q use the shared key K for communication
TID U i         Session key TID U i is used one time in the current session

Assumptions
The following assumptions are considered for the analysis:
Using the BAN logic rules, the analysis proceeds as follows:
Message 1: M-1: U i → GWN: TID U i , N y : < N v > KUG , SD q : < Y n , SID j , X n >, T 1 , where T 1 is U i 's timestamp.
By applying the Seeing rule, the following is obtained:
By applying the Message Meaning rule and S-1, the following is obtained:
By applying the Freshness Concatenation rule and S-2, the following is obtained:
By applying the Jurisdiction rule and S-3, the following is obtained:
By applying S-4 and the Session Key rule, the following is obtained:
By applying the Nonce Verification rule, the following is obtained:
Message 2: M-2: GWN → SID j : TID U i , T 2 , V 2 , where T 2 is the timestamp of GWN.
By applying the Seeing rule, the following is obtained:
By applying the Message Meaning rule and S-7, the following is obtained:
By applying the Freshness Concatenation rule and S-8, the following is obtained:
By applying the Jurisdiction rule and S-9, the following is obtained:
• S-10: SID j |≡ r i
By applying S-10 and the Session Key rule, the following is obtained:
By applying the Nonce Verification rule and S-11, the following is obtained:
Message 3: M-3: SID j → GWN: V 3 , T 3 , where T 3 is the timestamp of SID j .
By applying the Seeing rule, the following is obtained:
By applying the Message Meaning rule and S-13, the following is obtained:
By using S-14 and the Freshness Concatenation rule, the following is obtained:
By applying the assumption S-15 and the Jurisdiction rule, the following is obtained:
By applying S-16 and the Session Key rule, the following is obtained:
By applying the Nonce Verification rule, the following is obtained:
Message 4: M-4: GWN → U i : V 4 , T 4 , Z n : < TID U i (new) > KUG , where T 4 is the timestamp of GWN.
By applying the Seeing rule, the following is obtained:
By applying the Message Meaning rule and S-19, the following is obtained:
By applying S-20 and the Freshness Concatenation rule, the following is obtained:
By applying the Jurisdiction rule and S-21, the following is obtained:
By applying the Session Key rule, the following is obtained:
By applying the Nonce Verification rule, the following is obtained:
After analyzing the scheme using BAN logic, it can be concluded that the proposed protocol achieves mutual authentication and securely establishes session key agreement.

Security Analysis with ProVerif
ProVerif is an automatic tool used for analyzing the security of cryptographic protocols [20]. It verifies that an attacker cannot extract sensitive data from encrypted messages as long as the key remains secret [21]. The detailed process of all queries and their respective results can be found in Table 4.
The following is the interpretation of the query-wise result of the ProVerif analysis. The ProVerif analysis confirms that the proposed protocol is secure and achieves the intended security properties of secrecy and authentication.

Informal Security Analysis
This section presents a security requirements analysis for user-authentication protocols, focusing on resistance to node capture attacks. Both general and specific functional and security requirements are used to evaluate whether the schemes achieve their intended security properties. Compared with the existing approaches [15,16,22,23,24], as shown in Table 5, our proposed approach satisfies all the security requirements, in particular resistance to known attacks and to node capture attacks. Therefore, the rest of the discussion primarily focuses on how the proposed scheme withstands node capture attacks.

Resistance to Node Capture Attack
To evaluate the proposed user-authentication protocol's resilience against node capture attacks, we adopt the approach presented by Wang et al. [25]. The detailed explanation of each attack target is as follows (exploited vulnerability → attack consequence).

Mobile User (Attack Target)

• Insecure Identity Transmission → Break User Anonymity
In the proposed protocol, the mobile user does not use its original identity but instead employs a temporary identity updated by the gateway in each session.

• Insecure Transmission of Secret Key → Obtain Secret Key
The mobile user does not directly transmit its shared secret key K UG in the exchanged messages. Instead, K UG is used to encrypt various parameters (N Y , N C , U G , V 1 ) with the help of random numbers and other secret parameters. Therefore, the key K UG remains secure and cannot be extracted by an adversary.

Smart Device (Attack Target)

• Improper Distribution of Secret Key → Obtain Secret Key of All Target Smart Devices
Each smart device possesses a unique shared secret key with the gateway. If a node capture attack compromises a smart device (SID j ), the adversary cannot compromise the shared secret key of other smart devices.

• Exposure of User's Secret Parameter → Impersonate the User
During the authentication phase, the mobile user's secret parameters are not forwarded in exchanged messages. These secret parameters encrypt the parameters exchanged over the public channel together with a random number. If a compromised smart device attempts to compute the user's secret parameters, it will fail to extract any relevant information. Hence, an adversary cannot impersonate the mobile user in the proposed protocol.

• Mobile User Fails to Identify Smart Devices → Impersonation of All Smart Devices
During the authentication phase, the mobile user selects the smart device to authenticate mutually. The mobile user possesses knowledge of the identities of all the smart devices connected to the network. Suppose the user fails to identify the smart device correctly based on its identity. In that case, it indicates that an adversary has either changed the identity of the smart device or the smart device is unresponsive when receiving authentication messages from the gateway. However, impersonating a compromised smart device does not lead to the impersonation of all smart devices within the system. This is due to each smart device's unique shared secret key.

Gateway (Attack Target)

• Insecure Transmission of Secret Key k → Break User Anonymity, Obtain Secret k
The gateway, considered a secure entity in the proposed scheme, does not transmit its secret key k but uses it only for session key K UG computation. For the computation of exchanged messages, the gateway employs the shared secret keys (K UG , h(K GS )).

• → Obtain Previous Session Key of SID j
The proposed scheme achieves forward secrecy, as discussed in the security requirements above. An adversary cannot derive the session key of a previous session, since only the trusted entity, the gateway, can compute the session key.

• Improper Distribution of Smart Device Secret Keys → Obtain Previous Session Key of All Smart Devices
With its unique identity, each smart device must be registered with the gateway before joining the environment. The gateway distributes a unique secret key corresponding to each smart device's identity. Additionally, the session key is updated during each session. Consequently, even if an adversary manages to capture a node and obtain the session key, it does not compromise the security of the entire system. The gateway entity updates the session key using its secret key. The new session key (TID U i (new) ) is transmitted to the user by encrypting it with the shared secret key (K UG ). Only the user can obtain the session key by decrypting it with K UG . As a result, an adversary cannot access or modify the updated session key, ensuring its integrity.

Performance Analysis of the Proposed Protocol
This section compares the proposed protocol with previously proposed security protocols [15,16,22,23,24] in terms of communication and computation costs [26].

Communication Costs Analysis
The comparison of communication cost is shown in Table 6. Communication cost refers to the number of bits and messages exchanged during a single scheme transaction. The bits and messages are calculated based on the approximate values of the functions and parameters used in the proposed protocol [27]. The following are the values of the functions and parameters: ECC point value: 320 bits; hash digest (SHA-1) value: 160 bits; nonce/identity value: 128 bits; timestamp value: 32 bits; random number value: 64 bits. In the proposed protocol, four messages are exchanged: message M 1 is transmitted with 160 bytes, message M 2 with 40 bytes, message M 3 with 36 bytes, and message M 4 with 47 bytes.
The proposed protocol exhibits lower communication costs than the mentioned protocols, except for the Fakroon et al. [24] scheme. Although Fakroon et al. have lower communication costs than the proposed protocol, they fail to provide the required general security requirements. In contrast, the proposed protocol satisfies the necessary security requirements for IoT smart home systems.

Computation Costs Analysis
The comparison of computation cost is shown in Table 7. The computation costs of the protocols are calculated for each party involved, including the mobile user, gateway, and smart device. The computation cost of the proposed protocol is calculated as follows: Table 8 shows the computation cost of the proposed approach compared to the state-of-the-art approaches [15,16,22,23,24].
The computation time experiment by Kilinc and Yanik [28] is used to calculate computational time. The experiment was conducted on the Ubuntu operating system with a 2.20 GHz Intel dual-core Pentium processor and 2048 MB RAM. According to the experiment, the computational time of different cryptographic primitives is as follows: time for hash (T h ) is 0.0023 ms, time for bilinear function (T B ) is 5.811 ms, time for MAC (T MAC ) is 0.0046 ms, time for modular exponentiation (T me ) is 3.8500 ms, and time for encryption/decryption (T k ) is 0.0046 ms.
The execution/running time of the proposed protocol is 0.0299 ms. The comparison of the computational cost of the proposed approach with respect to the state-of-the-art approaches [15,16,22,23,24] is given in Table 8. According to the experimental results, the proposed approach outperforms all the previous approaches.
Table 7. Comparison of computation costs of the protocols.

Conclusions and Future Work
This paper comprehensively analyzed state-of-the-art user-authentication schemes in the context of smart home systems. Our analysis identified several limitations and security vulnerabilities in existing schemes, highlighting the need for an improved solution. To address these shortcomings, we propose a secure and enhanced user-authentication scheme tailored for smart home environments. We performed a thorough security analysis of our protocol using formal methods, namely BAN logic and the ProVerif tool. The evaluation demonstrated that our scheme effectively mitigates various security vulnerabilities, providing robust protection against attacks. Furthermore, we conducted a performance analysis to assess the computational and communication costs of the proposed scheme. The results indicated that our protocol achieves efficiency in resource utilization, making it suitable for deployment in IoT-based smart home environments.
Our future work will primarily focus on the dynamic aspects of user authentication within smart home environments. This entails exploring adaptive authentication mechanisms capable of accommodating changes in user profiles, roles, and permissions within the smart home system. Additionally, we plan to investigate techniques to improve the scalability and interoperability of user-authentication schemes, facilitating seamless integration with a diverse array of smart home devices and platforms. By addressing these areas, our objective is to bolster the security, usability, and flexibility of user authentication in smart homes. Ultimately, we aim to contribute to developing robust and efficient authentication solutions for future IoT applications, thereby safeguarding the privacy and security of smart home users.