Provably Secure Lightweight Mutual Authentication and Key Agreement Scheme for Cloud-Based IoT Environments

A paradigm that combines cloud computing and the Internet of Things (IoT) allows more impressive services to be provided to users while addressing the storage and computational resource limitations of IoT environments. This cloud-based IoT environment has been used in various industries, including public services, for quite some time, and has been researched in academia. However, various security issues can arise during communication between IoT devices and cloud servers, because communication between devices occurs over open channels. Moreover, issues such as theft of a user's IoT device or extraction of key parameters from the user's device at a remote location can arise. Researchers interested in these issues have proposed lightweight mutual authentication and key agreement protocols that are safe and suitable for IoT environments. Recently, a lightweight authentication scheme between IoT devices and cloud servers was presented. However, we found that their scheme has various security vulnerabilities: it is vulnerable to insider, impersonation, verification table leakage, and privileged insider attacks, and it does not provide users with untraceability. To address these flaws, we propose a provably secure lightweight authentication scheme. The proposed scheme uses the user's biometric information and the cloud server's secret key to prevent the exposure of key parameters. Additionally, it ensures low computational costs, providing users with real-time and fast services using only exclusive OR operations and hash functions in IoT environments. To analyze the safety of the proposed scheme, we use informal security analysis, Burrows–Abadi–Needham (BAN) logic and a Real-or-Random (RoR) model. The analysis results confirm that our scheme is secure against insider attacks, impersonation attacks, stolen verifier attacks, and so on; furthermore, it provides additional security elements.
At the same time, it has been verified to have improved communication costs: the total message size has been shortened to 3776 bits, which is an improvement of almost 6% compared to Wu et al.'s scheme. Therefore, we demonstrate that the proposed scheme is suitable for cloud-based IoT environments.


Introduction
The Internet of Things (IoT) is a network in which Internet-enabled objects interact with each other through the internet [1,2]. IoT objects collect data from their surroundings, provide web services to users, and communicate with each other. Therefore, IoT objects such as smart devices need significant resources to store the data collected from sensors and to perform real-time computations using limited hardware. Hence, addressing the limitations of storage and computing capacity is crucial for forming a network of IoT objects [3,4,5]. Cloud computing technology, in turn, refers to the practice of moving computational power and storage space from individual devices to larger shared data centers [6]. Cloud computing allows access to a shared pool of computing resources such as networks, servers, storage, and applications. By using cloud computing, it becomes possible to overcome the limitations inherent in IoT devices [7,8,9,10]. The development and discussion of cloud-based IoT (CloudIoT) have been ongoing since before 2008 and continue to evolve. Figure 1 illustrates the structure of CloudIoT. This structure comprises three entities: user, cloud server, and control server. Users with IoT devices can access the resources provided by the cloud service provider's server anytime and anywhere through IoT objects. The cloud server collects users' requests and delivers the right service through IoT. The control server, acting as a trusted entity, generates the necessary parameters for communication between authenticated users and the cloud server through the registration process. Additionally, it monitors the key agreement phase to ensure that users and the cloud server establish the same session key for subsequent communications when needed.

In 2022, Wu et al. [11] proposed a lightweight authentication protocol for IoT-enabled cloud computing environments. The authors argued that their scheme resists various attacks, such as man-in-the-middle, insider, DDoS, and masquerade attacks, and provides privacy, traceability, and integrity. However, we identified several vulnerabilities in Wu et al.'s scheme, including susceptibility to insider attacks, verification table attacks, user impersonation, and cloud server impersonation. Furthermore, the scheme lacks user untraceability, allowing an attacker to track the same user across different sessions through message eavesdropping alone. To address these vulnerabilities, we propose a provably secure lightweight mutual authentication and key agreement (MAKA) scheme. In our proposed scheme, we protect the crucial parameters stored in the user's IoT smart card using the user's biometric information to prevent attacks such as user impersonation and offline password guessing. We also enhance security by adding a secret key to the cloud server, preventing attackers from exploiting leaked database values. Additionally, we reduce the communication and computation overhead by employing only hash functions and exclusive-OR operations.

Research Contributions
We review and conduct a security analysis of Wu et al.'s authentication scheme. We demonstrate that Wu et al.'s scheme is vulnerable to insider attacks, verification table leakage attacks, privileged insider attacks, user impersonation, and cloud server impersonation. Additionally, we propose a MAKA scheme for cloud-based IoT environments that leverages biometric information. The proposed scheme is tailored to IoT environments, using only exclusive OR operations and hash functions to align with a lightweight architecture. Additionally, we use a Real-or-Random (RoR) model and Burrows–Abadi–Needham (BAN) logic to formally demonstrate the security and robustness of the proposed scheme. Moreover, we substantiate the security of our scheme against different attacks, including insider attacks, impersonation attacks, replay and man-in-the-middle (MITM) attacks, privileged insider attacks, ephemeral security leakage, stolen verifier attacks, DoS attacks, and session key disclosure attacks. In addition, we confirm that our scheme provides user anonymity, user untraceability, perfect forward secrecy, and mutual authentication. Last, we evaluate the security features, communication costs, and computation costs of the proposed scheme against related schemes, including Wu et al.'s.

Organization
In Section 2, we introduce studies related to cloud-based IoT, IoT, and cloud computing. We present the system model and adversary model used in our proposed scheme in Section 3. Following that, we discuss Wu et al.'s scheme in Section 4. We then delve into the vulnerabilities we identified in Wu et al.'s scheme in Section 5. In Section 6, we introduce our proposed scheme, and in Section 7, we provide security analyses using tools such as BAN logic and the RoR model. Performance analyses, including security features, communication, and computation costs, are presented in Section 8. Finally, in Section 9, we conclude our paper and outline future plans.

Related Works
When providing services to users over the internet, application security is crucial for gaining user trust. To access various services, including storage services provided by cloud service providers, the environment should be well prepared to handle the various attacks and security threats that may exist. Furthermore, in IoT environments, lightweight protocol computations are essential to provide users with a seamless real-time service anytime, anywhere. In the following paragraphs, we review the authentication protocols in existing cloud-based IoT environments.
In 2019, Schouqi et al. [12] introduced an authentication protocol for IoT built on Nikooghadam et al.'s [13] protocol. The protocol of Nikooghadam et al. was developed as a response to issues with the authentication protocol proposed by Kumari et al. [14]. However, Nikooghadam et al.'s scheme had already been analyzed by researchers in the field, including Limbasiya et al., Chandrakar-Om, and Sharma-Kalra [15,16,17]. These researchers raised concerns about its security, highlighting vulnerabilities to various attacks such as password-guessing, insider, and modification attacks. They also indicated that the protocol lacked forward secrecy and did not provide session key verification or a biometric update phase. The authors of the new scheme reviewed the security issues known in Nikooghadam et al.'s protocol and proposed enhancements based on these findings.
Prosanta and Biplab (Prosanta-Biplab) [18] proposed a lightweight two-factor authentication scheme for IoT devices in 2019. They argued that two-factor authentication schemes that use passwords and smart cards are often vulnerable to physical attacks. To overcome these security issues, they suggested physically unclonable functions (PUFs) as an authentication factor for IoT devices. However, in 2020, Siddiqui et al. [19] demonstrated that the scheme is vulnerable to man-in-the-middle, impersonation, session-hijacking, and conventional and differential template attacks.
In 2019, Zhou et al. [20] presented a lightweight two-factor authentication scheme for IoT devices in cloud environments. In the same year, Rafael et al. [21] indicated that Zhou et al.'s scheme has several security issues. Rafael et al. demonstrated that Zhou et al.'s scheme failed to provide mutual authentication, was unsuccessful in protecting the secret key, and was vulnerable to various attacks, including insider attacks and man-in-the-middle attacks.
In 2020, Alzahrani et al. [22] presented an authentication protocol for IoT environments based on self-certified public keys and elliptic curve cryptography (ECC). Alzahrani et al. studied the protocols proposed by Islam-Biswas [23] and Mandal et al. [24], highlighting their failure to ensure user anonymity and their vulnerability to impersonation attacks. Therefore, the authors developed a protocol that guarantees anonymity among connected devices and addresses these security vulnerabilities. However, this scheme does not guarantee security against physical attacks.
Chen et al. [25] proposed a lightweight user authentication and key-agreement scheme for IoT. Chen et al. utilized XOR operations, hash functions, and elliptic curve multiplication. Lee et al. [26] indicated that Chen et al.'s scheme did not resist stolen smart card, offline password-guessing, offline identity-guessing, and replay attacks. Subsequently, in 2020, Ye et al. [27] proposed an authentication and key agreement scheme for IoT-based cloud computing environments by advancing the protocol developed by He et al. [28]. Ye et al. addressed various security issues in the scheme proposed by He et al., such as failure to resist insider attacks, offline password-guessing, user impersonation, and potential DoS attacks.
Table 1 summarizes the cryptographic technologies and limitations of various authentication schemes related to IoT, cloud-based IoT, and cloud computing environments. The related papers propose various protocols to provide users with secure and fast services in the CloudIoT environment. However, there are still vulnerabilities and challenges in fully supporting security features, as some attacks persist. Additionally, methods using symmetric keys like ECC may incur higher computation costs in IoT environments. Therefore, our goal is to design a lightweight protocol tailored for IoT environments using XOR and hash operations and to achieve higher security in our scheme.

Preliminaries

System Model
As shown in Figure 2, an IoT-enabled cloud computing environment includes three entities: user, cloud server, and control server. Users can use the cloud computing provided by a cloud server through IoT-enabled devices. Therefore, the user and the cloud server should register and be authenticated through the control server. Finally, the user and the cloud server share a session key for communication. The details are as follows.

• User (U i ): The user uses IoT devices with cloud services. To communicate with the cloud servers, the user should first register with the control server. The user can use a smart card and biometric technology to store sensitive information or the user's identity and password. We assume that the user is an untrusted entity, implying that the user can execute unauthorized or malicious attacks.
• Cloud server (S j ): A cloud server provides cloud services to users using IoT devices. To achieve this, the cloud server should be registered with the control server. As a semi-trusted entity, the cloud server can misbehave; however, it cannot directly collude or participate in attacks.
• Control server (CS): This manages the registration of the user and the cloud server, and helps generate the session key for authentication and subsequent communication. As a semi-trusted entity, the control server can misbehave; however, it cannot directly collude or participate in attacks.

Adversary Model
We employ the widely used "Dolev-Yao (DY) model" [32] to define the capabilities of the adversary. The details are as follows:

• Within the DY model, entities in the IoT environments are considered trustworthy, while the communication channel is considered insecure. Consequently, the adversary can engage in various actions through the insecure channel, including resending, eavesdropping, blocking, and deleting any transmitted messages.
• The adversary can extract sensitive information from stolen user smart cards through power analysis attacks. Additionally, because the control and cloud servers are semi-trusted entities, the adversary can also extract information from their databases.

Furthermore, the "Canetti-Krawczyk (CK) model" [33], which assumes stronger adversaries, can also be applied to our protocol. Adversaries in the CK model can obtain and use ephemeral values or long-term values, and using those, ephemeral leakage attacks can be performed.

Registration Phase
Before generating a session key for communication, the user and cloud server must go through the registration process via a secure channel.The detailed process is as follows.

User Registration Phase
Step 1: U i enters ID i , PW i and imprints B i on the device. Then, it calculates Gen(B i ) = σ i , τ i and HPW i = h(PW i ||σ i ), and sends {ID i , HPW i } to CS as a registration request message through a secure channel.
Step 2: CS checks whether U i 's identity is new, and generates a random number n i to calculate Then, it stores {TID i , HPW i } in its database, and stores {A 1 , ID CS } in the smart card SC. After that, it sends SC to U i through a secure channel.

Cloud Server Registration Phase
Step 1: S j selects SID j and random number n j and sends {SID j , n j } as a request message to CS through a secure channel.
Step 2: CS checks whether S j 's identity is new, chooses S j 's pseudo identity QID j , computes A 3 = h(SID j ||x ⊕ n j ), and then stores {QID j , n j } in its database. Next, CS sends {QID j , n j } to S j through a secure channel.

Login and Authentication Phase
In this phase, the control server first verifies the identities of the user and the cloud server. If both are confirmed, a shared session key for subsequent communication is generated. The detailed process is as follows and is illustrated in Figure 3.
Step 1: U i enters ID i , PW i and imprints B i , and calculates Rep(B i , = A2, U i can be verified as a legitimate user. If this is valid, U i selects a random number r i and timestamp TS 1 , then calculates
Step 2: Upon receiving U i 's message, CS confirms the timestamp |TS 1 − TS c | ∆T. If the timestamp is valid, S j chooses a random value r j and timestamp TS 2 . S j computes
Step 3: After receiving M 2 , S j confirms the timestamp |TS 2 − TS c | ∆T. If the timestamp is successfully verified, CS uses TID i to find HPW i and performs the following computations: By checking B 3 ?= B 3 , CS confirms whether U i is the legitimate user. Next, CS utilizes the value of QID j to find n j and then performs the following computations:
Step 6: S j calculates B 12 = h(SK||r j ) and then checks B 12 ?= B 12 . If they match, S j stores SK for future communication.

Cryptanalysis of Wu et al.'s Scheme
Following the description of Section 3, adversary A can obtain important values from the user's smart card by using a power analysis attack.Furthermore, A can extract parameters from the cloud server and control server itself, because they are considered semi-trusted.With this information, various security attacks, including insider attack, verification table leakage attack, privileged insider attack, user impersonation, and cloud server impersonation, can be executed by A. Details are described below.

Insider Attack
An adversary A, who has undergone the registration process as a legitimate user, can obtain session keys from another user U i 's sessions or impersonate U i . The detailed process is as follows:
Step 1: After completing the registration process, A obtains B 6 of M 3 during their own AKA process. Subsequently, A calculates A 3 of S j using their own HPW a and r a .
Step 2: In another user U i 's session, A obtains message M 2 and uses B 4 and the previously acquired A 3 to deduce r j .
Step 3: From B 6 of M 3 , A calculates user U i 's r i and HPW i , and from B 7 , A calculates r k .
Step 4: Using the computed values, A can generate the session key SK = h(r i ⊕ HPW i ||r j ||r k ||SID j ) for another user U i and potentially disclose or exploit it.
Therefore, Wu et al.'s scheme cannot resist insider attacks.

Verification Table Leakage Attack
If A extracts the verification table of the cloud server, A can disclose the session key. The procedure is as follows:
Step 1: A extracts the verification table to obtain {A * 3 , QID j } from S j , and also intercepts message
Step 2:

Privileged Insider Attack
A privileged insider can obtain important information such as {ID j , HPW j } from the registration message and the values stored in the user's smart card, such as {A 1 , A 2 , ID cs , Gen(), Rep(), }. With support from this privileged insider, a malicious A can generate a session key as follows:
Step 1: ; therefore, A can extract the parameters SID j , r i , and
Step 2: A intercepts message M 4 = {B 9 , B 10 , TS 4 }.
Step 3: A calculates r j = h(n i ⊕ x||SID j ) ⊕ B 9 and r k = h(HPW i ||r i ) ⊕ B 10 . Hence, A can compute the session key SK = h(r i ⊕ HPW i ||r j ||r k ||SID j ) and disclose it.
Thus, Wu et al.'s scheme is insecure against privileged insider attacks.

Impersonation
When A obtains the table information {k n , SID n } of the control center, A can calculate
(1) User impersonation: If the privileged insider described in Section 5.3 generates a random number r i and timestamp TS 1 , A can forge message

Lack of Untraceability
If an attacker A continues to eavesdrop on M 1 = {TID i , A 1 , B 1 , B 2 , B 3 , TS 1 } and compares the value of TID i contained in M 1 , A can track the user U i .The reason is that the pseudo identity of U i , TID i , is a fixed value, and an attacker can easily obtain it through eavesdropping on the message.Indeed, by verifying whether the value of TID i matches the values from previous or subsequent communications, A can detect the user.In conclusion, Wu et al.'s scheme lacks anonymity and untraceability.

Impossibility of Offline Password Update
In the user registration phase of Wu et al.'s scheme, the value HPW i is created by hashing the user's password PW i concatenated with their biometric information σ i . Additionally, this HPW i is transmitted to the control server CS, undergoes the operation , and is stored in the CS's database as A 1 . However, this design leads to a problem: users must communicate with the CS to update the A 1 value stored there if they wish to change their password, because CS cannot create HPW i on its own. Consequently, Wu et al.'s scheme does not support offline password updates.

Proposed Protocol

Registration Phase
Before generating a session key for communication, the user and the cloud server must go through the registration process with the control server via a secure channel.In this phase, users register the information, such as identity, password, and biometrics, with the control server.The detailed process is as follows and illustrated in Figure 4.
Figure 4. User registration phase of the proposed scheme.

User Registration Phase
Step 1: U i enters ID i , PW i and imprints B i on the device. Then, it calculates Gen(B i ) = σ i and sends ID i to CS as a registration request message through a secure channel.
Step 2: CS checks whether U i 's identity is new, and generates a random number n i to calculate Then, it stores {PID i , SID * i , n i } in its database, and sends {PID i , ID cs , k i , SID i } to U i through a secure channel.

Cloud Server Registration Phase
In this phase, cloud servers register the information with the control server.The detailed process is as follows and illustrated in Figure 5.
Step 1: S j selects SID j and sends {ID j } as a request message to CS through a secure channel.
Step 2: CS checks whether S j 's identity is new, chooses a random number n j , and computes k j = h(ID j ||n j ||x cs ). Then, it stores {ID j , n j } in its database. Next, CS sends k j to S j through a secure channel.
Step 3: S j computes A 3 = k j ⊕ x j , and stores {A 3 }.
Figure 5. Cloud server registration phase of the proposed scheme.

Login and Authentication Phase
In this phase, the control server first verifies the identities of the user and the cloud server.If both are confirmed, a shared session key for subsequent communication is generated.The detailed process is as follows and illustrated in Figure 6.
Step 1: U i enters ID i , PW i , imprints B i , and calculates Rep(B i ,
Step 2: Upon receiving U i 's message, CS confirms the timestamp |TS 1 − TS c | ∆T. If the timestamp is valid, S j chooses a random value r j and timestamp TS 2 . S j computes
Step 3: After receiving M 2 , S j confirms the timestamp |TS 2 − TS c | ∆T. If the timestamp is successfully verified, CS uses PID i to find {SID * i , n i } and performs the following computations: the CS confirms whether U i is the legitimate user.
Step 4: Next, CS calculates ID j = B 2 ⊕ h(ID CS ||SID i ||r i ) and utilizes the value of ID j to find n j . Then, it performs the following computations: k j = h(ID j ||n j ||x CS ),
Step 5: CS then selects r k , TS 3 , computes , TS 3 } and sends it to S j through an open channel.
Step 7: Upon receiving M 3 , S j checks the timestamp |TS 3 − TS c | ∆T. If the timestamp is valid, S j performs the following computations: (r
Step 8: .
Figure 6. AKA phase of the proposed scheme.

Offline Password and Biometric Template Update
In this phase, an authenticated user U i can locally change their password and biometrics without a connection to CS. U i must perform the login process on the IoT device before updating data offline. A logged-in user can update their password or biometric template. The detailed process is as follows and is illustrated in Figure 7.
Step 1: U i enters ID i , PW i and imprints B i on the device. The device computes Rep(Bio i , τ i ) = σ i and checks RPW i = h(ID i ||PW i ||σ i ) to perform the login and confirm the user.
Step 2: Then, the device asks U i to change the password and biometric data. U i selects a new password PW new i and computes ). Subsequently, RPW i , A 1 , and A 2 are updated with the new data to change the password.

Security Analysis

ROR Model
In this section, we conduct an analysis of session key security using the ROR model [34]. To apply the proposed protocol to the ROR model, we first define the participants U i 1 US , U i 2 SJ , and U i 3 CS as the user, cloud server, and control server, respectively. Note that i k (k = 1, 2, 3) is an instance for each participant. In the ROR model, the adversary can eavesdrop, delete, intercept, and send messages through the public channel. Moreover, the adversary can extract secret parameters from the user U i 1 US . These actions of the adversary are defined as queries in the ROR model.
• EX(U i 1 US , U i 2 SJ , U i 3 CS ): This query is an eavesdropping attack in which the adversary obtains messages transmitted via the public channel. Thus, this query is a passive attack.
• CoUD(U i 1 US ): In this query, the adversary extracts secret parameters from the smart device of U i 1 US . Therefore, the CoUD query is an active attack.
• Sn(U i p ): The adversary sends messages to legal participants through open channels. This query is an active attack.
• Ts(U i p ): In this query, the adversary flips an unbiased coin. When the result of the flipped coin is 0, the session key is not fresh. When the result of the flipped coin is 1, the session key is fresh. Otherwise, the result is NULL (⊥).
Theorem 1. We define P AD , H A , q H A , and q Sn as the probability of breaking the session key, the range space of the hash function, the number of hash queries, and the number of send queries, respectively. Moreover, we define s and C as Zipf's parameters [35]. The adversary tries to reveal the session key of the proposed protocol in polynomial time. Following [36,37,38], the ROR model analysis of the proposed protocol is composed of four games (GAME m , m = 0, 1, 2, 3), and the winning probability of the adversary is PW GAME m for each game GAME m .
• GAME 0 : In this game, the adversary has no knowledge about the session key. Thus, the adversary picks a random bit B.
• GAME 1 : The adversary conducts the EX query to collect the messages transmitted via public channels. Thus, the adversary obtains , TS 3 }, and {B 8 , V 5 , TS 4 }. After that, the adversary flips an unbiased coin to execute the Ts query. However, the adversary has no knowledge of the session key SK = h(C 1 ||r i ||r j ||r k ) because it is composed of the random numbers r i , r j and r k and masked by the hash function. For these reasons, we obtain the following:
• GAME 2 : The adversary conducts H A and Sn queries to reveal the session key in this game. However, the session key is composed of fresh random numbers and a cryptographic hash function. Therefore, the adversary cannot find hash collisions to calculate the session key. Applying the birthday paradox [39], we obtain the following:
• GAME 3 : In the last game, the adversary conducts the CoUD query to obtain the secret parameters {PID i , ID CS , RPW i , A 1 , A 2 , Gen(.), Rep(.), τ i }. However, the adversary cannot decrypt the secret parameters because these parameters are encrypted using the identity ID i , password PW i , and biometrics B i . Since simultaneously guessing ID i , PW i , and B i is computationally infeasible, the adversary has no advantage in this game. We obtain the following using Zipf's law [35].
When all the games end, the adversary must guess the random bit B.
Combining the above, we obtain inequality (10), which is the same as (1). This means that the adversary cannot distinguish a random nonce from the session key using various security attacks, such as EX, CoUD, and Sn. Thus, the session key security of the proposed protocol is proved.

BAN Logic
We analyze the mutual authentication of the proposed protocol using BAN logic [40].Following [41][42][43], we define basic notations and descriptions of BAN logic in Table 2.

Table 2. Notations of BAN logic (for example, the shared-key notation: A i and A j have a shared key SH).

Goals
In our protocol, each participant authenticates its communication partner by establishing the session key SK. Thus, the goals of the proposed protocol are as follows: To analyze these messages, we convert them into idealized forms.

Assumptions
In the proposed protocol, participants agree on the freshness of the random number and secret parameters.Therefore, we show the assumptions to analyze the proposed authentication phase.

BAN Logic Proof
Step 1: We obtain P 1 using MSG 2 .
Step 2: We use S 5 , S 6 , and MMR to obtain P 2 and P 3 from P 1 .
Step 6: We use S 7 and MMR to obtain P 9 from P 8 .
P 9 : SJ| ≡ CS| ∼ (r k , r i , C 1 , TS 3 )
Step 7: From P 9 , we use S 2 and FR to obtain P 10 .
Step 8: From P 9 and P 10 , we use NVR to obtain P 11 .
P 11 : SJ| ≡ CS| ≡ (r k , r i , C 1 , TS 3 )
Step 9: Using P 7 and P 11 , CS and SJ compute the session key SK = h(C 1 ||r i ||r j ||r k ). Thus, we obtain the following:
Step 10: Applying JR to P 12 and P 13 , we obtain the following goals:
Step 11: We obtain P 16 using MSG 4 .
P 16 : U I {r j , r k , TS 4 } r i
Step 12: We use S 8 and MMR to obtain P 17 from P 16 .

Ephemeral Security Leakage Attack
To prevent adversary A from carrying out valid attacks, such as obtaining the session key through this attack scenario, it is essential to ensure that the session key is preserved even if the random values used in the session are exposed.Therefore, assuming A knows the values of r i , r j , r k , it is postulated here that even with this knowledge, A cannot calculate SK without knowing SID i , SID j .Additionally, valid attacks like impersonating the user or cloud server using random values are not possible.Therefore, the proposed scheme is secure against ESL attacks.

Stolen Verifier Attack
We can assume that a malicious A, upon obtaining {A 3 } from the cloud server's database, attempts to calculate the session key SK = h(C 1 ||r i ||r j ||r k ) or impersonate the cloud server.However, without the cloud server's secret key x j , A cannot deduce the value of k j from the stored A 3 , nor can A determine the randomly generated values r i , r j , or r k .Therefore, A is unable to compute the session key or impersonate the cloud server.Consequently, the proposed scheme is secure against verification table leakage attacks.

DoS Attack
The adversary A may intentionally attempt to send the message TS 1 } repeatedly. However, to generate message M 1 , A must go through the login process and pass the verification RPW i ?= RPW i . To create a valid RPW i = h(ID i ||PW i ||σ i ), A would need ID i , PW i , and σ i , which A does not have. Therefore, A cannot create and repeatedly send message M 1 , making the proposed scheme secure against DoS attacks.

User Anonymity and Untraceability
Due to the use of PID i as a pseudo identity, the user's identity ID i cannot be deduced by an adversary A. Additionally, the PID i is updated as a new value with random elements for each session, making it impossible for A to compare PID i values between previous and current sessions to compromise the user's untraceability.Therefore, the proposed scheme provides user anonymity and untraceability.
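As an added illustration (not code from the paper), the following Python simulation contrasts the fixed pseudonym TID i in Wu et al.'s M 1 (Section 5, Lack of Untraceability) with the per-session PID i update described above, from the viewpoint of a passive eavesdropper on the open channel. The masking of r i with the registration key k i , the verifier V 1 , and the update rule PID new = h(PID i ||r i ) are assumptions standing in for the paper's own formulas; timestamps and the cloud-server side are omitted.

```python
# Added example (not the paper's code): a passive eavesdropper can link sessions
# when the pseudo identity in M1 is fixed (Wu et al.'s TID_i) but not when it is
# replaced every session (the proposed scheme's PID_i).
# Assumptions: r_i is masked with the registration key k_i shared with CS,
# V_1 = h(PID || r_i || k_i) proves the user holds k_i, and the update rule is
# PID_new = h(PID || r_i). Timestamps and the cloud server are left out.
import hashlib
import secrets


def h(*parts: bytes) -> bytes:
    """The scheme's one-way hash h(.), instantiated as SHA-256 of the concatenation."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise exclusive OR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class User:
    """Registered user; `rotating=False` models the fixed TID_i, `True` the updated PID_i."""

    def __init__(self, pseudo_id: bytes, k_i: bytes, rotating: bool):
        self.pseudo_id, self.k_i, self.rotating = pseudo_id, k_i, rotating

    def login_message(self) -> dict:
        r_i = secrets.token_bytes(32)  # fresh per-session nonce
        msg = {"pseudo_id": self.pseudo_id,
               "B1": xor(r_i, h(self.k_i, self.pseudo_id)),  # r_i masked for CS
               "V1": h(self.pseudo_id, r_i, self.k_i)}       # verifier over the nonce
        if self.rotating:
            self.pseudo_id = h(self.pseudo_id, r_i)          # assumed update rule
        return msg


class ControlServer:
    """Registration table: current pseudo identity -> long-term key k_i of that user."""

    def __init__(self, table: dict, rotating: bool):
        self.table, self.rotating = dict(table), rotating

    def authenticate(self, msg: dict) -> bool:
        k_i = self.table.get(msg["pseudo_id"])
        if k_i is None:
            return False                      # unknown (or already rotated) pseudonym
        r_i = xor(msg["B1"], h(k_i, msg["pseudo_id"]))
        if msg["V1"] != h(msg["pseudo_id"], r_i, k_i):
            return False                      # verifier mismatch: not the registered user
        if self.rotating:                     # CS applies the same update as the user
            del self.table[msg["pseudo_id"]]
            self.table[h(msg["pseudo_id"], r_i)] = k_i
        return True


def eavesdropper_can_link(messages: list) -> bool:
    """Passive attacker view: given only captured M1 values, two sessions are
    linkable exactly when the same pseudo identity appears in both."""
    ids = [m["pseudo_id"] for m in messages]
    return len(ids) != len(set(ids))


def simulate(rotating: bool, users: int = 2, sessions: int = 3) -> tuple:
    """Run `sessions` logins for each of `users` registered users.
    Returns (every login accepted by CS, eavesdropper could link sessions)."""
    table, parties = {}, []
    for _ in range(users):
        pseudo_id, k_i = secrets.token_bytes(16), secrets.token_bytes(32)  # registration
        table[pseudo_id] = k_i
        parties.append(User(pseudo_id, k_i, rotating))
    cs = ControlServer(table, rotating)
    captured, all_accepted = [], True
    for _ in range(sessions):
        for u in parties:
            msg = u.login_message()
            captured.append(msg)              # what the open channel exposes
            all_accepted = all_accepted and cs.authenticate(msg)
    return all_accepted, eavesdropper_can_link(captured)


if __name__ == "__main__":
    print("fixed pseudonym (Wu et al.):", simulate(rotating=False))   # (True, True)
    print("rotating pseudonym (proposed):", simulate(rotating=True))  # (True, False)
```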

Session Key Disclosure Attack
To calculate the session key SK = h(C 1 ||r i ||r j ||r k ), adversary A needs to have access to the values of SID i , SID j , r i , r j , and r k .However, for A to discover SID i , SID j , they would need access to the secret key x cs and the random values n i and r k .Additionally, random values like r i , r j , r k are used temporarily and exist only within a single session.Therefore, the proposed scheme is secure against session key disclosure attacks.

Perfect Forward Secrecy
If the control server's secret key x cs is compromised, adversary A may attempt to calculate the session key SK for a previous session.However, since SK = h(C 1 ||r i ||r j ||r k ) does not contain x cs and the values of r i , r j , r k are random and cannot be deduced, A cannot perform the calculation.Furthermore, without n i through x cs , A cannot compute SID i .Therefore, the proposed scheme ensures perfect forward secrecy.

Mutual Authentication
In the login and authentication phase, the messages {PID i , B 1 , B 2 , V 1 , TS 1 } and {M 1 , B 3 , V 2 , TS 2 } can be used by the control server to verify the legitimacy of the user and the cloud server through the transmitted V 1 and V 2 . Additionally, the messages {B 6 , B 7 , B 8 , B 9 , V 3 , V 4 , TS 3 } and {B 8 , B 9 , V 4 , TS 4 } allow the user and the cloud server to validate each other's identity using V 3 and V 4 . Because SID i , k j , and the random values are not available to adversaries through the open channel, these verifiers cannot be forged. Therefore, the proposed scheme offers mutual authentication.

Performance Analysis

Security Features Comparison
We compare the security features of the proposed scheme with those of the related schemes [11,21,44–48] in Table 3. The compared features are "insider attack", "impersonation attack", "stolen verifier attack", "ESL attack", "privileged insider attack", "perfect forward secrecy", "replay attack", "offline password-guessing attack", "session key disclosure", "mutual authentication", "DoS attack", "user anonymity" and "untraceability". Overall, the proposed scheme offers more security features than Wu et al.'s scheme, and it has fewer features that are either not provided or not addressed than the other related schemes.

Computation Costs Comparison
We compared the computation costs of the AKA phase of the proposed scheme and of the related schemes [11,21,44–48]. The measurement environment follows [49]; the hardware and software environment and the measured operation costs (minimum, maximum and average) are summarized in Table 5. We denote the cost of one hash function evaluation by T_h and the cost of one AES-256 encryption or decryption by T_e. Since the proposed scheme uses only exclusive-OR operations and hash functions, its cost on every party is a multiple of T_h. Using these values, the user-side computation costs are compared in Table 6 and Figure 9; the user-side cost of the proposed scheme is the same as that of Wu et al.'s scheme. The cloud server and control server costs of the proposed scheme and the related schemes, calculated in the same environment [49], are given in Table 7.

Taken together, the comparison shows the following. The proposed scheme offers more security features than the related schemes and is secure against insider attacks, impersonation attacks, stolen verifier attacks, ESL attacks, privileged insider attacks, replay attacks and offline password-guessing attacks, while keeping a user-side computation cost and a communication cost that are reasonable for the CloudIoT environment. The price of this additional security is a number of extra operations on the server side.
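The following Python model is an added illustration, not code from the paper, of the exchange analysed under Mutual Authentication and of how the per-party T_h counts used in the cost comparison are obtained. The message names follow the paper (M_1 to M_4, B_1 to B_9, V_1 to V_4, TS_1 to TS_4, SK = h(C_1 || r_i || r_j || r_k)), but the internal composition of the B and V fields, C_1 = h(SID_i || SID_j), SHA-256 as h, the pre-shared table at the control server and ΔT = 2 s are assumptions made here for the illustration. Only XOR and hash are used, so every cost is a multiple of T_h, and the hash is instrumented to count calls per role. The run also exercises the two checks the mutual-authentication argument relies on: a replayed M_1 fails the timestamp check at the control server, and a tampered B_1 fails V_1.

```python
import hashlib
import os

DELTA_T = 2.0  # freshness window in seconds (constructed value)


class CountingHash:
    """SHA-256 used as h(); every call is charged as one T_h to the active role."""

    def __init__(self):
        self.counts = {"user": 0, "cloud": 0, "control": 0}
        self.role = "user"

    def __call__(self, *parts):
        self.counts[self.role] += 1
        # length-prefixed concatenation avoids ambiguity between field boundaries
        return hashlib.sha256(b"".join(len(p).to_bytes(2, "big") + p for p in parts)).digest()


h = CountingHash()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mask(key, *ctx):
    """64-byte pad from a party secret and session context (two hash calls)."""
    return h(key, *ctx, b"0") + h(key, *ctx, b"1")


def ts(t):
    return repr(t).encode()


def fresh(t, now):
    return abs(now - t) <= DELTA_T


def user_send(sid_i, pid_i, now):
    """U_i -> S_j: M_1 = {PID_i, B_1, V_1, TS_1}; r_i is masked under SID_i."""
    h.role = "user"
    r_i = os.urandom(32)
    b1 = xor(r_i, h(sid_i, ts(now)))
    v1 = h(pid_i, b1, sid_i, ts(now))
    return r_i, (pid_i, b1, v1, now)


def cloud_forward(sid_j, m1, now):
    """S_j -> CS: M_2 = {M_1, B_3, V_2, TS_2}; r_j is masked under SID_j."""
    h.role = "cloud"
    r_j = os.urandom(32)
    b3 = xor(r_j, h(sid_j, ts(now)))
    v2 = h(b3, sid_j, ts(now))
    return r_j, (m1, b3, v2, now)


def control_respond(reg, m2, now):
    """CS checks TS_1, TS_2, V_1, V_2, then releases r_i, r_j, r_k and C_1 under masks."""
    h.role = "control"
    (pid_i, b1, v1, ts1), b3, v2, ts2 = m2
    sid_i, sid_j = reg[pid_i], reg["S_j"]  # assumed: CS can look up both SIDs
    if not (fresh(ts1, now) and fresh(ts2, now)):
        raise ValueError("stale timestamp")
    if v1 != h(pid_i, b1, sid_i, ts(ts1)) or v2 != h(b3, sid_j, ts(ts2)):
        raise ValueError("verifier mismatch")
    r_i = xor(b1, h(sid_i, ts(ts1)))
    r_j = xor(b3, h(sid_j, ts(ts2)))
    r_k, c1 = os.urandom(32), h(sid_i, sid_j)
    sk = h(c1, r_i, r_j, r_k)
    b6, b7 = xor(r_i, h(sid_j, r_j)), xor(r_k + c1, mask(sid_j, r_i))  # for S_j
    b8, b9 = xor(r_j, h(sid_i, r_i)), xor(r_k + c1, mask(sid_i, r_j))  # for U_i
    v3 = h(sk, b6, b7, ts(now))
    return b6, b7, b8, b9, v3, now


def cloud_finish(sid_j, r_j, m3, now):
    """S_j recovers r_i, r_k, C_1, checks V_3 and sends M_4 = {B_8, B_9, V_4, TS_4}."""
    h.role = "cloud"
    b6, b7, b8, b9, v3, ts3 = m3
    if not fresh(ts3, now):
        raise ValueError("stale timestamp")
    r_i = xor(b6, h(sid_j, r_j))
    rk_c1 = xor(b7, mask(sid_j, r_i))           # r_k || C_1
    sk = h(rk_c1[32:], r_i, r_j, rk_c1[:32])
    if v3 != h(sk, b6, b7, ts(ts3)):
        raise ValueError("verifier mismatch")
    return sk, (b8, b9, h(sk, b8, b9, ts(now)), now)


def user_finish(sid_i, r_i, m4, now):
    """U_i recovers r_j, r_k, C_1, derives SK and checks V_4."""
    h.role = "user"
    b8, b9, v4, ts4 = m4
    if not fresh(ts4, now):
        raise ValueError("stale timestamp")
    r_j = xor(b8, h(sid_i, r_i))
    rk_c1 = xor(b9, mask(sid_i, r_j))
    sk = h(rk_c1[32:], r_i, r_j, rk_c1[:32])
    if v4 != h(sk, b8, b9, ts(ts4)):
        raise ValueError("verifier mismatch")
    return sk


def run(now=0.0, m1=None):
    """One AKA run; a replayed or tampered M_1 can be injected via m1."""
    sid_i, sid_j, pid_i = b"SID_i-secret", b"SID_j-secret", b"PID_i"  # constructed
    reg = {pid_i: sid_i, "S_j": sid_j}
    for k in h.counts:
        h.counts[k] = 0
    r_i, fresh_m1 = user_send(sid_i, pid_i, now)
    r_j, m2 = cloud_forward(sid_j, fresh_m1 if m1 is None else m1, now)
    m3 = control_respond(reg, m2, now)
    sk_j, m4 = cloud_finish(sid_j, r_j, m3, now)
    sk_i = user_finish(sid_i, r_i, m4, now)
    return sk_i == sk_j, dict(h.counts), fresh_m1


def rejected(f):
    try:
        f()
        return False
    except ValueError:
        return True


def demo():
    agree, counts, m1 = run()
    replayed = rejected(lambda: run(now=DELTA_T + 1, m1=m1))   # M_1 replayed after DELTA_T
    pid_i, b1, v1, ts1 = m1
    tampered = rejected(lambda: run(m1=(pid_i, bytes(32), v1, ts1)))  # B_1 altered in transit
    return {"agree": agree, "t_h": counts, "replay_rejected": replayed, "tamper_rejected": tampered}


if __name__ == "__main__":
    print(demo())
```

The `t_h` entry of the result is the per-role hash count for one honest run (7 for the user, 8 for the cloud server, 13 for the control server under these assumed field layouts), which is the kind of figure that populates Tables 6 and 7; the server-side count being the largest mirrors the paper's observation that the extra cost of the scheme falls on the servers.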

Conclusions
This study analyzed the key agreement protocol between cloud-enabled IoT devices and cloud servers proposed by Wu et al. Their scheme was found to be vulnerable to insider, privileged insider, impersonation and verification table leakage attacks, and it does not provide user untraceability. In addition, it does not let users update their passwords offline. To overcome these weaknesses, this study proposed a provably secure lightweight MAKA protocol for cloud-based IoT environments.
The proposed protocol resists these attacks by preventing the exposure of critical parameters through the use of the user's biometric information and the cloud server's secret key. User untraceability is ensured by updating the user's pseudonym in every session, and usability is improved by an offline password change and biometric template update phase. The security of mutual authentication and of the resulting session key was verified using the RoR model and BAN logic. An informal analysis further showed resistance to insider attacks, impersonation attacks, privileged insider attacks, ESL attacks, stolen verifier attacks and DoS attacks, and confirmed user anonymity, untraceability and perfect forward secrecy. The security features, communication costs and computation costs of the proposed scheme were compared with those of related schemes; the comparison shows that the scheme is reasonable in terms of communication and computation overhead for cloud-based IoT environments while being verified as secure.
In conclusion, the proposed scheme provides robust security and can deliver real-time services to users securely. Future work will focus on deploying the proposed scheme in real-world environments and in the various industrial settings where cloud-based IoT is applied.

Figure 3. AKA phase of Wu et al.'s scheme.

Figure 7. Offline password and biometric template update of proposed scheme.
B_9, B_10, B_11, TS_3} and sends it to S_j through an open channel. Upon receiving M_3, S_j checks the timestamp |TS_3 − TS_c| ≤ ΔT. If the timestamp is valid, S_j computes (r_i ⊕ HPW_i) = B_6 ⊕ A_3, SK = h(r_i ⊕ HPW_i || r_j || r_k || SID_j) and B_8* = h(r_j || r_k || SK || TS_3), and checks B_8* ?= B_8. If the check passes, S_j generates the message M_4 = {B_9, B_10, TS_4} and sends it to U_i via the open channel. U_i verifies the timestamp |TS_4 − TS_c| ≤ ΔT. If the timestamp is valid, U_i computes r_j = h(n_i ⊕ x || SID_j) ⊕ B_9, r_k = h(HPW_i || r_i) ⊕ B_10 and SK = h(r_i ⊕ HPW_i || r_j || r_k || SID_j); U_i then computes B_12 = h(SK || r_j), generates M_5 = {B_12} and sends it to S_j.
Therefore, Wu et al.'s scheme cannot resist verification table leakage attacks.
In addition, once A captures the message M_4 = {B_9, B_10, TS_4} from the unsecured public channel, A can compute r_j and the session key. Thus, A can send the message M_5 = {B_12} and impersonate the user. (2) Cloud server impersonation: Using the verification table attack of Section 5.2, A generates a random number r_j and a timestamp TS_2 and can send M_2 = {M_1, QID_j, B_4, B_5, TS_2}. Second, A can generate M_4 = {B_9, B_10, TS_4} after intercepting the message M_3 = {B_6, B_7, B_8, B_9, B_10, B_11, TS_3}. Hence, A can impersonate the cloud server.
Therefore, Wu et al.'s scheme cannot resist user and cloud server impersonation attacks.
RPW_i, U_i can be verified as a legitimate user. If this is valid, U_i selects a random number r_i and a timestamp TS_1, then calculates B_1 ?=

Table 3. Security and functionality features (SFF) comparison.

Table 4. Comparison of communication costs.

Table 5. Hardware and software environment and operation costs.

Table 6. Comparison of user-side computation costs.

Table 7. Comparison of cloud server side and control server side computation costs.