Provable Secure Authentication Protocol in Fog-Enabled Smart Home Environment

Abstract

People can access and obtain services from smart home devices conveniently through fog-enabled smart home environments. The security and privacy-preserving authentication protocol play an important role. However, many proposed protocols have one or more security flaws. In particular, almost all the existing protocols for the smart home cannot resist gateway compromised attacks. The adversary can not only know the user’s identity but also launch impersonation attacks. Designing a provable secure authentication protocol that avoids all known attacks on smart homes is challenging. Recently Guo et al. proposed an authentication scheme based on symmetric polynomials in the fog-enabled smart home environment. However, we found that their scheme suffers from gateway compromised attack, desynchronization attack, mobile device loss/stolen and attack, and has no untraceability and perfect forward secrecy. Therefore, we adopt a Physical Unclonable Function (PUF) to resist gateway compromised attack, adopt Elliptic Curve Diffie–Hellman (ECDH) key exchange protocol to achieve perfect forward secrecy, and propose a secure and privacy-preserving authentication protocol, which is provably secure under the random oracle model. According to the comparisons with some related protocols, the proposed protocol has better security and transmission efficiency with the same computation cost level.

1. Introduction

In recent years, with the iteration of communication technology and smart devices, the Internet of Things (IoT) has been gradually applied in many aspects, such as logistics, transportation, security, pollutants monitoring, smart home, etc. The smart home is one of the applications of IoT that connect the user and the devices in residence by using a common communication system and control technology [1,2], such as air conditioners, televisions, monitors, water heaters, etc. The new way of controlling devices provided by the smart home brings people safety, energy conservation, comfort, convenience, and healthcare [3].

Due to the smart devices having limited computation and storage, the smart home must have nodes that provide reliable computing services, storage services, and network services to build a communication system [4]. In general, the cloud is more suitable for resource nodes. However, real-time response is a requirement for some emergency applications in the smart home, so nodes also have to meet the requirements of high bandwidth and low latency. Cloud latency is often determined by physical distance, so real-time requirements cannot be met. To meet real-time requirements, distributing computation and storage to edge devices is an idea called fog computing [5].

Fog computing has the characteristics of low latency and high response, and it has been applied in healthcare and smart home [6,7,8,9]. Because the computing and storage resources of smart devices in the smart home are limited, they cannot afford much computation. A scheme is proposed in [9] which connects the sensor devices of the terminal based on the IoT controller as a gateway in the smart home. In the fog computing network, the fog layer composed of the smart gateways undertakes the message forwarding and the distributed computation and storage [10,11].

The fog-computing smart home enhances the user’s control over computation and storage nodes and provides more privacy. However, it is still vulnerable to malicious attacks because messages are transmitted on open channels. The data, after being maliciously attacked, will transmit false information, induce users to make wrong decisions, and directly affect residential security and privacy. There are great concerns about the security and privacy of remote access in emergencies and dangers. The security and privacy-preserving authentication protocol play an important role in the smart home.

Until now, many authentication protocols have been proposed. These authentication protocols have some shortcomings in terms of security, anonymity, and perfect forward secrecy [12]. Jeong et al. [13] proposed a user authentication (UA) protocol based on the one-time password (OTP) protocol. The scheme provides authentication of users and gateway, mainly used in remote access to the home network. In the smart home, secure communication between devices and gateways is essential. Xue et al. [14] proposed a temporal-credential-based scheme for Wireless Sensor Networks (WSN) using hash and XOR. Saqib et al. [15] indicated that Xue et al.’s scheme is not immune to smart card theft and server fraud attack. Shuai et al. [16] designed an anonymous authentication scheme based on Elliptic Curve Cryptography (ECC) for the smart home environment. The protocol avoided storing the validation table to reduce the harm caused by theft and resisted replay attacks and clock synchronization attacks. Unfortunately, Kaur et al. [17] pointed out that Shuai et al.’s scheme is vulnerable to offline password guessing attacks, insider attacks, replay attacks, gateway bypass attacks, and insecure session key agreement problems and proposed an improvement scheme for the smart home. However, the scheme is vulnerable to gateway compromised and replay attacks. Santoso et al. [18] proposed a scheme based on ECC for the smart home system. The scheme cannot provide anonymity and untraceability and cannot resist privileged-insider and smart card stolen attacks. Guo et al. [19] presented a new authentication mode based on a symmetric bivariate polynomial [20], which includes the edge negotiation phase and the authentication phase, and reduces communication consumption. The scheme has extremely low computational consumption, but we show it is vulnerable to gateway compromised attacks, desynchronization attacks, mobile device loss/stolen attacks, etc.

Some authentication schemes consider the gateway is trusted and store sensitive information. Wazid et al. [21] proposed a lightweight authentication protocol for the smart home environment based on XOR, symmetric cipher, and hash functions. The authentication table is stored in the gateway. Haseeb-ur-Rehman et al. [22] proposed a lightweight protocol for the smart home and declared that the gateway is trusted. Lee et al. [23] proposed a three-factor authentication protocol in an IoT environment; the gateway is also fully trusted and stores the long-term key. Gateway compromised attacks may lead to the disclosure of user identity, long-term secret values, and other information and lead to suffering impersonation attacks, privilege attacks, etc.

On the other hand, privacy-preserving is a necessary security requirement in the smart home. Yeh et al. [24] proposed an authentication scheme established on Elliptic Curve Cryptography (ECC) for WSN. The message in their scheme contains the real identity of the user, so it does not provide anonymity. In addition, the ECC multiplication is used many times, which makes the protocol have high computational complexity [15]. Yang et al. [25] proposed an ID-based authentication protocol for mobile devices, and the scheme has less computation time because it does not require users’ public keys. However, Islam et al. [26] stated that Yang et al.’s scheme has no anonymity.

Perfect forward secrecy (PFS) is an extremely harsh security condition; it is a security feature that can still maintain the confidentiality of previously transmitted messages even if long-term keys are leaked [12]. Although it will increase the computation costs, a better method is to use the Diffie–Hellman key exchange algorithm to design the protocol to guarantee PFS. However, many proposed protocols can not achieve PFS [16,17,19,21,25].

Physical capture attacks often have security implications, and PUF [27] is a way to provide physical device security. A PUF is a one-way function derived from the randomness of physical features caused by the manufacturing variation process. PUFs are unreproducible, unpredictable, and tamper-resistant and are widely used in security. Yi et al. [28] proposed an authentication protocol in WSN. The protocol introduced a PUF chip to provide the physical integrity of sensors. Yu et al. [29] proposed a physically secure privacy-preserving scheme in telecare medical information systems, and PUF is used to store long-term keys. The introduction of PUF to protect devices against physical capture attacks is effective.

Motivation and Contributions

According to the analysis of the existing protocols for smart homes, we found that most of them have one or more security flaws, which cannot achieve perfect forward secrecy, privacy protection, etc. In particular, almost all the existing protocols for a smart home cannot resist gateway compromised attacks. The adversary can not only know the user’s identity but also launch impersonation attacks. Designing a provable secure authentication protocol that avoids gateway compromised attacks for smart homes is challenging. The contributions of this paper are as follows:

• We pointed out that Guo et al.’s protocol in a fog-enabled smart home is vulnerable to smart gateway compromised attacks, desynchronization attacks, and mobile device lost/stolen attacks, and traceability has no perfect forward secrecy.
• We propose the first secure and privacy-preserving authentication protocol in fog-enabled smart homes to avoid a gateway compromised attack. We adopt PUF to resist gateway compromised attack, adopt ECDH key exchange protocol to achieve perfect forward secrecy, and redesign the process to provide privacy-preserving and makes it resistant to desynchronization attack and mobile device lost/stolen attack.
• We prove the security of the proposed protocol formally under the random oracle model. According to the comparisons with some related protocols, the proposed protocol has better security and transmission efficiency with the same computation cost level.

2. System and Attack Models

In this section, we introduce the system and attack models in a fog-enabled smart home environment.

2.1. System Model

Figure 1 shows the system model of Guo et al.’s scheme. The communication system consists of smart devices, users & mobile devices, a smart gateway, and the cloud. The smart device is connected to the smart gateway via the home network, such as Wi-Fi and wired network. The smart gateway is connected to the cloud via the internet, and users can access the smart gateway remotely. The smart gateway provides computing and storage resources in the communication system to ensure real-time data transmission. The smart gateway in this architecture is responsible for collecting from smart devices and processing user requests. The entity negotiation model is shown in Figure 2.

In the edge negotiation stage, the smart gateway and the smart device establish a persistent connection and re-establish the session after the session expires. After the session is established, the gateway can collect real-time data securely from the smart device and fast-forward commands to the smart device from the user.

In addition, the smart gateway will also establish a temporary session with the user. The user negotiates a one-time session key with the gateway after identity verification, accepts the smart device data sent by the gateway, and quickly sends instructions to the smart device via the user’s portable mobile device. The above two stages achieve the user’s security management of smart devices.

2.2. Attack Model

We provide an attack model consistent with the original protocol; according to the Dolev-Yao [30] threat model and CK-adversary [31] model in wireless networks, the attacker can compromise information such as session key and session state.

• The attacker can eavesdrop, delay, modify, and delete the messages transmitted on public communication channels;
• The attacker can compromise temporary information such as session key and session state;
• The smart gateway is not considered fully trusted. And it can be compromised by the attacker;
• The smart devices are considered untrusted because the device can be physically lost or stolen, and all data can be extracted;
• The user’s mobile device considers an untrusted entity; the mobile device can be captured or compromised by the attacker; the user’s mobile devices can be obtained by the attacker;
• Registration authority (RA) is completely credible and cannot be compromised;
• The private channels are secure and cannot be controlled or eavesdropped on by attackers.

3. Review of the Guo et al.’s Scheme

In this section, we describe Guo et al.’s scheme. The scheme includes a registration phase, edge negotiation phase, and login authentication phase. The secret sharing of Guo et al.’s scheme is based on symmetric bivariate polynomials. For symmetric bivariate polynomial $func(x,y)$, there is $func(x,y)=func(y,x)$.

Table 1. Notations.

Notations	Descriptions
$U_i, GW, D_j, M{D}_{U_i}$	User, gateway, smart home device, and user’s mobile device
$I{D}_{U_i}, I{D}_{GW}, I{D}_{D_j}$	$\mathrm{Identities} \mathrm{of} U_i, GW, D_j$
$PI{D}_{U_i}, PI{D}_{GW}, PI{D}_{D_j}$	$\mathrm{Pseudo} \mathrm{identities} \mathrm{of} U_i, GW, D_j$
$TI{D}_{U_i}, TI{D}_{D_j}$	$\mathrm{Temporary} \mathrm{identities} \mathrm{of} U_i, D_j$
$R{T}_{U_i}, R{T}_{GW}, R{T}_{D_j}$	$\mathrm{Registration} \mathrm{timestamps} \mathrm{of} U_i, GW, D_j$
$T{C}_{U_i}, T{C}_{GW}, T{C}_{D_j}$.	$\mathrm{Token} \mathrm{of} U_i, GW, D_j$
$P{W}_{U_i}, BI{O}_{U_i}$	$U_i$’s password and biometric information
$f(·),g(·)$	Symmetric bivariate polynomial
$Rep(·),Gen(·)$	Reproduction and generation of fuzzy extractor
${\sigma }_{U_i}, {\tau }_{U_i}$.	$U_i$’s biometric private key and public key of fuzzy extractor
SK	Session key
$r_{GW},r_{U_i},r_{D_j}$	Random nonce
$RA$	Registration authority
$K$	$\mathrm{Private} \mathrm{key} \mathrm{of} RA$
$T, \Delta T$	Timestamp and maximum transmission delay time
$h(·)$	Hash function
$\oplus ,$$\parallel$	XOR operation and concatenation

shows the notations used in this paper.

3.1. Registration Phase

$RA$ generates a long-term private key $K$ and chooses two symmetric bivariate polynomials $f(x,y)$ and $g(x,y)$ over the finite field $GF(p)$.

The registration phase includes gateway registration, smart home device registration, and user registration.

(1)

Gateway registration

$RA$ chooses a unique identity $I{D}_{GW}$ for the gateway and computes a pseudo-identity $PI{D}_{GW}=h(I{D}_{GW}\parallel K)$, a token $T{C}_{GW}=h(I{D}_{GW}\parallel R{T}_{GW}\parallel K)$ and two polynomial functions $f(PI{D}_{GW},y),g(PI{D}_{GW},y)$. Finally, $GW$ stores $\{PI{D}_{GW},(TI{D}_{D_j}^{old}=null, TI{D}_{D_j}^{new}=TI{D}_{D_j}), PI{D}_{D_j}, TI{D}_{U_i}, T{C}_{GW}, f(PI{D}_{GW},y), g(PI{D}_{GW},y), h(·)\}$ in its memory, where $TI{D}_{D_j}^{new}$ is the latest temporary identity of $D_j$, and $TI{D}_{D_j}^{old}$ is the last temporary identity of $D_j$.

(2)

Smart home device registration

$RA$ chooses a unique identity $I{D}_{D_j}$, a temporary identity $TI{D}_{D_j}$ for a smart home device, and computes a pseudo-identity $PI{D}_{D_j}=h(I{D}_{D_j}\parallel K)$, the function $g(PI{D}_{D_j},y)$. Finally, $RA$ stores $\{TI{D}_{D_j}^{old}=null, TI{D}_{D_j}^{new}=TI{D}_{D_j}, PI{D}_{D_j}, g(PI{D}_{D_j},y), h(·)\}$ in the memory of $D_j$.

(3)

User registration

Step UR1: $U_i$ inputs a unique identity $I{D}_{U_i}$ and biological information $BI{O}_{U_i}$ into mobile device $M{D}_{U_i}$. $M{D}_{U_i}$ generates a nonce $r_{U_i}$, and computes a pseudo-identity $PI{D}_{U_i}=h(I{D}_{U_i}\parallel r_{U_i})$, $Gen(BI{O}_{U_i})=({\sigma }_{U_i}, {\tau }_{U_i})$ [32], $HP{W}_{U_i}=h(P{W}_{U_i}\parallel {\sigma }_{U_i}\parallel r_{U_i})$, $S=HP{W}_{U_i}\oplus {\sigma }_{U_i}\oplus r_{U_i}$. The message $\{PI{D}_{U_i}, S\}$ is sent to $RA$ via a private channel.

Step UR2: On receiving the message from $U_i$, $RA$ generates a nonce $R_{U_i}$ and a timestamp $R{T}_{U_i}$, then calculates a token $T{C}_{U_i}=h(PI{D}_{U_i}\parallel R{T}_{U_i}\parallel K)$, $A_{U_i}=T{C}_{U_i}\oplus S$, $B_{U_i}=R_{U_i}\oplus T{C}_{U_i}$, $C_{U_i}=PI{D}_{GW}\oplus S$. Then $RA$ picks a temporary identity $TI{D}_{U_i}$, calculates a function $f(PI{D}_{U_i},y)$, and sends a message $\{A_{U_i},B_{U_i},C_{U_i},TI{D}_{U_i},f(PI{D}_{U_i},y), h(·)\}$ to $U_i$ via a secure channel.

Step UR3: Once the message $\{A_{U_i}, B_{U_i}, C_{U_i}, TI{D}_{U_i}, f(PI{D}_{U_i},y), h(·)\}$ is received, $U_i$ computes $T{C}_{U_i}=A_{U_i}\oplus S$, $R_{U_i}=B_{U_i}\oplus T{C}_{U_i}$, $Aut{h}_{U_i}=h(T{C}_{U_i}\oplus R_{U_i}\oplus HP{W}_{U_i})$, $D_{U_i}=r_{U_i}\oplus h(I{D}_{U_i}\oplus P{W}_{U_i}\oplus {\sigma }_{U_i})$, $B_{U_i}^{*}=B_{U_i}\oplus HP{W}_{U_i}$, $PI{D}_{U_i}^{*}=PI{D}_{U_i}\oplus HP{W}_{U_i}$, $T{C}_{U_i}^{*}=T{C}_{U_i}\oplus HP{W}_{U_i}$, $C_{U_i}^{*}=C_{U_i}\oplus T{C}_{U_i}$. Finally, $U_i$ stores $\{TI{D}_{U_i}, Aut{h}_{U_i}, D_{U_i},B_{U_i}^{*},PI{D}_{U_i}^{*}, T{C}_{U_i}^{*}, C_{U_i}^{*}, f(PI{D}_{U_i}, y), {\tau }_{U_i}, Rep(·), Gen(·), h(·)\}$ in the memory of $M{D}_{U_i}$.

In this phase, the user can update password and biometrics information.

3.2. Edge Negotiation Phase

This phase establishes a session key between the gateway and the smart home device. The steps are as follows.

Step EN1: The smart device $D_j$ sends message $\{TI{D}_{D_j}, r_{D_j}, T_1\}$ to the smart gateway $GW$ via the public channel, where $T_1$ is current timestamp and $r_{D_j}$ is a random number.

Step EN2: On receiving the message, $GW$ generates the current timestamp $T_2$, checks the freshness of the timestamp $T_1$, chooses a random number $R_{D_j}$, and finds $PI{D}_{D_j}$ by $TI{D}_{D_j}$. Then $GW$ computes $g(PI{D}_{GW}, PI{D}_{D_j})$, $M_1=R_{D_j}\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel T_2)$, $M_2=h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{GW-D_j}=h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$, $M_3=h(S{K}_{GW-D_j}\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $TI{D}_{D_j}^{*}=TI{D}_{D_j}\oplus S{K}_{GW-D_j}$. Finally, $GW$ updates $TI{D}_{D_j}^{old}=TI{D}_{D_j}, TI{D}_{D_j}^{new}=TI{D}_{D_j}^{*}$ and sends $\{PI{D}_{GW}, M_1, M_2, M_3, T_2\}$ to $D_j$.

Step EN3: On receiving the message from $GW$, $D_j$ checks the freshness of the timestamp and calculates $g(PI{D}_{D_j}, PI{D}_{GW})$, $R_{D_j}=M_1\oplus h(g(PI{D}_{D_j}, PI{D}_{GW})\parallel r_{D_j}\parallel T_2),h(T{C}_{GW}\parallel T_2\parallel R_{D_j})=M_2\oplus h(g(PI{D}_{D_j}, PI{D}_{GW})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{D_j-GW}=h(g(PI{D}_{D_j}, PI{D}_{GW})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$, $M_3^{*}=h(S{K}_{D_j-GW}\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$. Then $D_j$ checks $M_3=M_3^{*}$. If yes, $D_j$ updates $TI{D}_{D_j}^{*}=TI{D}_{D_j}\oplus S{K}_{D_j-GW}$ in its memory.

3.3. Login Authentication Phase

When $U_i$ wants to access a smart home device, the user does the following steps.

Step LA1: $U_i$ inputs $I{D}_{U_i}$, $P{W}_{U_i}^{in}$ and $BI{O}_{U_i}^{in}$ into the mobile device $M{D}_{U_i}$.

Step LA2: $M{D}_{U_i}$ computes ${\sigma }_{U_i}^{\prime }=Rep(BI{O}_{U_i}^{in}, {\tau }_{U_i})$, $r_{U_i}^{\prime }=D_i\oplus h(I{D}_{U_i}\parallel P{W}_{U_i}^{in}\parallel {\sigma }_{U_i}^{\prime })$, $HP{W}_{U_i}^{\prime }=h(P{W}_{U_i}^{in}\parallel {\sigma }_{U_i}^{\prime }\parallel r_{U_i}^{\prime })$, $T{C}_{U_i}^{\prime }=T{C}_{U_i}^{*}\oplus HP{W}_{U_i}^{\prime }$, $B_{U_i}^{\prime }=B_{U_i}^{*}\oplus HP{W}_{U_i}^{\prime }$, $R_{U_i}^{\prime }=B_{U_i}^{\prime }\oplus T{C}_{U_i}^{\prime }$, $Aut{h}_{U_i}^{\prime }=h(T{C}_{U_i}^{\prime }\oplus R_{U_i}^{\prime }\oplus HP{W}_{U_i}^{\prime })$. If $Aut{h}_{U_i}^{\prime }=Aut{h}_{U_i}$, do the next step; otherwise, re-do the step LA1.

Step LA3: $M{D}_{U_i}$ generates a random number $n_{U_i}$ and current timestamp $T_3$ and calculates $PI{D}_{GW}=C_{U_i}^{*}\oplus T{C}_{U_i}^{*}\oplus HP{W}_{U_i}$, $f(PI{D}_{U_i}, PI{D}_{GW})$, $M_1=PI{D}_{U_i}\oplus h(PI{D}_{GW})$, $M_2=n_{U_i}\oplus h(f(PI{D}_{U_i}, PI{D}_{SG}))$, $M_3=h(M_2\parallel TI{D}_{U_i}\parallel n_{U_i}\parallel T_3)$, $M_4=h(T{C}_{U_i}\parallel T_3\parallel n_{U_i})$. Finally, $M{D}_{U_i}$ sends message $\{M_1, M_2, M_3, M_4, TI{D}_{U_i}, T_3\}$ to $GW$ publicly.

Step LA4: When $GW$ receives the message from $M{D}_{U_i}$, $GW$. checks the freshness of the timestamp $T_3$. Then $GW$ computes $PI{D}_{U_i}^{\prime }=M_1\oplus h(PI{D}_{GW})$, $n_{U_i}^{\prime }=M_2\oplus h(f(PI{D}_{GW}, PI{D}_{U_i}))$, $M_3^{\prime }=h(M_2\parallel TI{D}_{U_i}\parallel n_{U_i}^{\prime }\parallel T_3)$. If $M_3^{\prime }\ne M_3$, terminate. Otherwise, $GW$ generates a random number $N_{U_i}$ and current timestamp $T_4$, and computes $M_5=N_{U_i}\oplus h(f(PI{D}_{GW}, PI{D}_{U_i})\parallel TI{D}_{U_i}\parallel T_3)$, $M_6=h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\oplus h(f(PI{D}_{GW}, PI{D}_{U_i})\parallel M_4\parallel T_4)$, $S{K}_{GW-U_i}=h(TI{D}_{U_i}\parallel f(PI{D}_{GW}, PI{D}_{U_i})\parallel h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\parallel M_4\parallel T_4)$, $M_7=h(S{K}_{GW-U_i}\parallel n_{U_i}\parallel N_{U_i}\parallel T_3\parallel T_4)$. Subsequently, $GW$ chooses a new random number $TI{D}_{U_i}^{new}$ and computes $M_8=TI{D}_{U_i}^{new}\oplus h(TI{D}_{U_i}\parallel S{K}_{GW-U_i}\parallel n_{U_i}\parallel N_{U_i}\parallel T_3\parallel T_4)$. Finally, $GW$ sends $\{M_5, M_6, M_7, M_8, T_4\}$ to $M{D}_{U_i}$.

Step LA5: $M{D}_{U_i}$ checks the freshness of the timestamp $T_4$ after receiving the message, and calculates $N_{U_i}^{\prime }=M_5\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel TI{D}_{U_i}\parallel T_3)$, $h(T{C}_{GW}\parallel T_4\parallel N_{U_i})=M_6\oplus h(f(PI{D}_{U_i},PI{D}_{GW})\parallel M_4\parallel T_4)$, $S{K}_{U_i-GW}=h(TI{D}_{U_i}\parallel f(PI{D}_{U_i},PI{D}_{GW})\parallel h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\parallel M_4\parallel T_4)$, $M_7^{*}=h(S{K}_{U_i-GW}\parallel n_{U_i}\parallel N_{U_i}^{\prime }\parallel T_3\parallel T_4)$. $M{D}_{U_i}$ checks $M_7^{*}=M_7$. If yes, the authentication is successful, $M{D}_{U_i}$ updates $TI{D}_{U_i}^{new}=M_8\oplus h(TI{D}_{U_i}\parallel S{K}_{U_i-GW}\parallel n_{U_i}\parallel N_{U_i}\parallel T_3\parallel T_4)$.

4. Cryptanalysis of the Guo et al.’s Scheme

In this section, we show the weaknesses of Guo et al.’s scheme.

4.1. Smart Gateway Compromised Attack

In Guo et al.’s scheme, the smart gateway stores sensitive information and is not fully trusted. Suppose that an attacker compromises the smart gateway and steals information $\{PI{D}_{GW}, (TI{D}_{D_j}^{old}=null, TI{D}_{D_j}^{new}=TI{D}_{D_j}), PI{D}_{D_j}, TI{D}_{U_i}, T{C}_{GW}, f(PI{D}_{GW},y), g(PI{D}_{GW},y), h(·)\}$, each shared secret $g(PI{D}_{GW}, PI{D}_{D_j})$ between $D_j$ and $GW$ can be calculated from $g(PI{D}_{GW}, y)$ and $PI{D}_{D_j}$.

(1)

The attacker impersonates the smart device.

The attacker extracts $TI{D}_{D_j}$ from the stolen information and sends $TI{D}_{D_j}, r_{D_j}, T_1$ to $GW$ in Step EN1, where $r_{D_j}$ is a random number and $T_1$ is a current timestamp. In Step EN3, the attacker gets $PI{D}_{GW},M_1, M_2, M_3, T_2$ from $GW$, picks $PI{D}_{D_j}, g(PI{D}_{GW},y)$ from the stolen information and can calculate $g(PI{D}_{GW}, PI{D}_{D_j})$, $R_{D_j}=M_1\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel T_2)$, $h(T{C}_{GW}\parallel T_2\parallel R_{D_j})=M_2\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{GW-D_j}=h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$.

(2)

The attacker eavesdrops on the smart device.

The attacker eavesdrops $TI{D}_{D_j}, r_{D_j}, T_1$ in Step EN1 and $PI{D}_{GW}, M_1, M_2, M_3, T_2$ in Step EN2, and picks $TI{D}_{D_j},PI{D}_{D_j}, g(PI{D}_{GW}, y)$ from the stolen information, then calculates $g(PI{D}_{GW}, PI{D}_{D_j})$, $R_{D_j}=M_1\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel T_2)$, $h(T{C}_{GW}\parallel T_2\parallel R_{D_j})=M_2\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$ and $S{K}_{GW-D_j}=h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$ in Step EN3. The attacker gets $S{K}_{GW-D_j}$ and $TI{D}_{D_j}^{*}=TI{D}_{D_j}\oplus S{K}_{GW-D_j}$ successfully. The attacker can also eavesdrop on the next session by $TI{D}_{D_j}^{*}$.

4.2. Desynchronization Attack

The attacker intercepts and modifies $r_{D_j}$ in Step EN1. In Step EN2, the smart gateway will receive the tampered $r_{D_j}$ and calculate $M_1=R_{D_j}\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel T_2)$, $M_2=h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\oplus h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{GW-D_j}=h(g\left(PI{D}_{GW}, PI{D}_{D_j}\right)\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$, $M_3=h(S{K}_{GW-D_j}\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $TI{D}_{D_j}^{*}=TI{D}_{D_j}\oplus S{K}_{GW-D_j}$ by the tampered $r_{D_j}$. In Step EN3, the smart device calculates $R_{D_j}=M_1\oplus h(g(PI{D}_{D_j}, PI{D}_{GW})\parallel r_{D_j}\parallel T_2), h(T{C}_{GW}\parallel T_2\parallel R_{D_j})=M_2\oplus h(g\left(PI{D}_{D_j}, PI{D}_{GW}\right)\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{D_j-GW}=h(g(PI{D}_{D_j}, PI{D}_{GW})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$, $M_3^{*}=h(S{K}_{D_j-GW}\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$ by the real $r_{D_j}$, so $M_3^{*}\ne M_3$ and $D_j$ won’t update $TI{D}_{D_j}$ in Step EN3.

4.3. Traceability

In the login authentication phase, $M_1=PI{D}_{U_i}\oplus h(PI{D}_{GW})$, where $PI{D}_{U_i}$ and $PI{D}_{GW}$ are constant, and $M_1$ doesn’t change. Therefore, the attacker can trace $U_i$ by eavesdropping on the constant value $M_1$.

4.4. Mobile Device Lost/Stolen Attack

Assuming that $U_i$’s mobile device is lost or stolen, all the information $\{TI{D}_{U_i}, Aut{h}_{U_i}, D_{U_i}, B_{U_i}^{*}, PI{D}_{U_i}^{*}, T{C}_{U_i}^{*}, C_{U_i}^{*}, f(PI{D}_{U_i}, y),{\tau }_{U_i}, Rep(·), Gen(·), h(·)\}$ stored in the mobile device will be obtained by the attacker. The attacker eavesdrops $PI{D}_{GW}$ in Step EN2 and $M_1$ in Step LA3, and computes $PI{D}_{U_i}=M_1\oplus h(PI{D}_{GW})$. The attacker can perform the following attacks.

(1)

The attacker impersonates the user.

The attacker picks $f(PI{D}_{U_i}, y)$, $TI{D}_{U_i}$. and $PI{D}_{GW}$, generates a random number $n_{U_i}$, a fake token $T{C}_{U_i}$, a current timestamp $T_3$, and calculates $f(PI{D}_{U_i}, PI{D}_{GW})$, $M_1=PI{D}_{U_i}\oplus h(PI{D}_{GW})$, $M_2=n_{U_i}\oplus h(f(PI{D}_{U_i}, PI{D}_{GW}))$, $M_3=h(M_2\parallel TI{D}_{U_i}\parallel n_{U_i}\parallel T_3)$ and $M_4=h(T{C}_{U_i}\parallel T_3\parallel n_{U_i})$. Finally, the attacker sends $M_1, M_2, M_3, M_4, TI{D}_{U_i}, T_3$ in Step LA3. In Step LA5, the attacker calculates $N_{U_i}^{\prime }=M_5\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel TI{D}_{U_i}\parallel T_3)$, $h(T{C}_{GW}\parallel T_4\parallel N_{U_i})=M_6\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel M_4\parallel T_4)$, $S{K}_{U_i-GW}=h(TI{D}_{U_i}\parallel f(PI{D}_{U_i}, PI{D}_{GW})\parallel h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\parallel M_4\parallel T_4)$.

(2)

The attacker eavesdrops on the user.

The attacker picks $f(PI{D}_{U_i},y)$, $TI{D}_{U_i}$ and $PI{D}_{GW}$ and intercepts $M_2, M_4, T_3$ in Step LA3, calculates $f(PI{D}_{U_i} ,PI{D}_{GW})$, $n_{U_i}=M_2\oplus h(f(PI{D}_{U_i}, PI{D}_{GW}))$. Then the attacker eavesdrops $M_5, M_6, M_8, T_4$ in Step LA4 and calculates $N_{U_i}=M_5\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel TI{D}_{U_i}\parallel T_3)$, $h(T{C}_{GW}\parallel T_4\parallel N_{U_i})=M_6\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel M_4\parallel T_4)$, $S{K}_{U_i-GW}=h(TI{D}_{U_i}\parallel f(PI{D}_{U_i},PI{D}_{GW})\parallel h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\parallel M_4\parallel T_4)$, $TI{D}_{U_i}^{new}=M_8\oplus h(TI{D}_{U_i}\parallel S{K}_{U_i-GW}\parallel n_{U_i}\parallel N_{U_i}\parallel T_3\parallel T_4)$ in Step LA5. The next session key can be calculated in the same way.

4.5. No Perfect Forward Secrecy

In Guo et al.’s scheme, $f(PI{D}_{U_i}, PI{D}_{GW})$ and $g(PI{D}_{GW}, PI{D}_{D_j})$ are long-term for the session key agreement.

In the login and authentication phase, if $f(PI{D}_{U_i}, PI{D}_{GW})$ leaks, the attacker can eavesdrop $M_2, M_4, T_3, TI{D}_{U_i}$ in Step LA3 and $M_5, M_6, M_8, T_4$ in Step LA4, then calculate $n_{U_i}=M_2\oplus h(f(PI{D}_{U_i}, PI{D}_{GW}))$, $N_{U_i}=M_5\oplus h(f(PI{D}_{U_i}, PI{D}_{GW})\parallel TI{D}_{U_i}\parallel T_3)$, $h(T{C}_{GW}\parallel T_4\parallel N_{U_i})=M_6\oplus h(f(PI{D}_{GW}, PI{D}_{U_i})\parallel M_4\parallel T_4)$, $S{K}_{GW-U_i}=h(TI{D}_{U_i}\parallel f(PI{D}_{GW}, PI{D}_{U_i})\parallel h(T{C}_{GW}\parallel T_4\parallel N_{U_i})\parallel M_4\parallel T_4)$. In the same way, the attacker can calculate the previous session key.

In the edge negotiation phase, If $g(PI{D}_{GW}, PI{D}_{D_j})$ leaks, the attacker can compute $R_{D_j}=M_1\oplus h(g(PI{D}_{GW},PI{D}_{D_j})\parallel r_{D_j}\parallel T_2)$, $h(T{C}_{GW}\parallel T_2\parallel R_{D_j})=M_2\oplus h(g(PI{D}_{GW},PI{D}_{D_j})\parallel r_{D_j}\parallel R_{D_j}\parallel T_2)$, $S{K}_{GW-D_j}=h(g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}\parallel h(T{C}_{GW}\parallel T_2\parallel R_{D_j})\parallel T_2)$, where $r_{D_j}$ can be obtained in Step EN1 and $M_1, M_2, T_2$ can be obtained in Step EN2. The previous session key can also be calculated in the same way.

5. The Proposed Scheme

In this section, we propose a security-enhanced scheme. The scheme consists of a system initialization phase, entity registration phase, edge negotiation phase, and login authentication phase.

In the proposed scheme, the PUF can improve security. PUF is a one-way function derived from complex physical and environmental characteristics. When a challenge stimulates the device, the device calculates a response from the complex physical functions, and the response is unpredictable and repeatable. The attackers cannot predict the response to the challenge and build the same PUF based on the same design and blueprint [27].

5.1. System Initialization Phase

$RA$ generates private key $K$ and two symmetric bivariate polynomials $f(x,y)$ and $g(x, y)$ with degree $\tau$ over the field $G{F}_p$, and selects the elliptic curve $E_p(a, b)$ over finite field $F_p$, $G$ is the base point.

5.2. Entity Registration Phase

In this phase, we use the PUF to protect the private data of the smart gateway and the smart devices. Figure 3, Figure 4 and Figure 5 describe the registration processes.

5.2.1. Smart Gateway Registration

Step GR1: The smart gateway $GW$ picks a $PUF$ and generates a challenge $C{h}_{GW}$, then computes $I{D}_{GW}=PUF(C{h}_{GW})$. The smart gateway sends the message $I{D}_{GW}$ to the $RA$ via the private channel.

Step GR2: After receiving the message $I{D}_{GW}$, $RA$ generates the current timestamp $R{T}_{GW}$, and computes $PI{D}_{GW}=h(I{D}_{GW}\parallel R{T}_{GW}\parallel K)$. $RA$ returns a response $PI{D}_{GW},R{T}_{GW}$ via a private channel.

Step GR3: After receiving the response, the smart gateway calculates $SI{D}_{GW}=PI{D}_{GW}\oplus h(C{h}_{GW}\parallel I{D}_{GW})$ and stores $SI{D}_{GW}, C{h}_{GW}, R{T}_{GW}, PUF, h, G$ in the memory.

5.2.2. Smart Device Registration

Step DR1: The smart device $S{D}_j$ sends a unique identity $I{D}_{D_j}$ to $RA$ via the private channel.

Step DR2: After receiving the message, $RA$ generates a random number $TI{D}_{D_j}$, current registration timestamp $R{T}_{D_j}$, then calculates $PI{D}_{D_j}=h(I{D}_{D_j}\parallel R{T}_{D_j}\parallel K)$ and two functions $g(PI{D}_{GW},y), g(PI{D}_{D_j}, y)$ from the symmetric bivariate polynomial $g(x, y)$, $PI{D}_{GW}$ and $PI{D}_{D_j}$. Then $RA$ sends the message <$TI{D}_{D_j}, g(PI{D}_{D_j}, y)$> to $GW$ and the message $\langle g(PI{D}_{GW},y), PI{D}_{D_j}, R{T}_{D_j}, TI{D}_{D_j}\rangle$ to $S{D}_j$ via the private channel.

Step DR3: $GW$ stores the message <$TI{D}_{D_j},g(PI{D}_{D_j}, y)$> in its memory.

Step DR4: The smart device $S{D}_j$ chooses a $PUF$ and generates a challenge $C{h}_{D_j}$, and computes $DI{D}_{D_j}=PI{D}_{D_j}\oplus h(PUF(C{h}_{D_j}))$. Finally, $S{D}_j$ stores $\{TI{D}_{D_j}, DI{D}_{D_j}, C{h}_{D_j}, g(PI{D}_{GW},y), PUF, h, G\}$ in its memory.

5.2.3. User Registration

Step UR1: $U_i$ selects a unique identity $I{D}_{U_i}$, a random number $r_{U_i}$, computes $PI{D}_{U_i}=h(I{D}_{U_i}\parallel r_{U_i})$, and sends $PI{D}_{U_i}$ to $RA$ via the private channel.

Step UR2: $RA$ generates a random $TI{D}_{U_i}$, a current registration timestamp $R{T}_{U_i}$, two functions $f(PI{D}_{U_i}, y)$ and $f(PI{D}_{GW}, y)$ by the symmetric bivariate polynomial $f(x,y)$, and computes $T{C}_{U_i}=h(PI{D}_{U_i}\parallel R{T}_{U_i}\parallel K)$. Then $RA$ sends <$TI{D}_{U_i}, f(PI{D}_{U_i}, y)$> to $GW$ and $TI{D}_{U_i},T{C}_{U_i}, f(PI{D}_{GW}, y)$ to $U_i$ via the private channel.

Step UR3: $GW$ stores <$TI{D}_{U_i},f(PI{D}_{U_i},y)$> in its memory.

Step UR4: $U_i$ inputs $BI{O}_{U_i}$, $P{W}_{U_i}$, and computes $({\sigma }_{U_i}, {\tau }_{U_i})=Gen(BI{O}_{U_i})$, where $BI{O}_{U_i}$ is $U_i$’s biological information. Later $U_i$ computes $HP{W}_{U_i}=h(I{D}_{U_i}\parallel P{W}_{U_i}\parallel {\sigma }_{U_i}\parallel r_{U_i})$, $B_{U_i}=r_{U_i}\oplus h(P{W}_{U_i}\parallel {\sigma }_{U_i})$, where $P{W}_{U_i}$ is the password. Finally, $U_i$ stores $\{B_{U_i}, TI{D}_{U_i}, T{C}_{U_i}, {\tau }_{U_i}, HP{W}_{U_i}, f(PI{D}_{GW},y),Rep, Gen, h, G\}$ in the memory of a mobile device.

5.3. Edge Negotiation Phase

In the edge negotiation phase, the session key is negotiated between the smart gateway and the smart devices. Figure 6 describes the executive process.

Step EN1: The smart device $S{D}_j$ generates a random number $r_{D_j}$, current timestamp $T_1$, and computes $PI{D}_{D_j}=DI{D}_{D_j}\oplus h(PUF(C{h}_{D_j}))$, the secret value $g(PI{D}_{GW}, PI{D}_{D_j})$, $M_1=r_{D_j}·G$, $V_1=h(M_1\parallel TI{D}_{D_j}\parallel g(PI{D}_{GW}, PI{D}_{D_j})\parallel T_1)$, and sends $\{TI{D}_{D_j},M_1, V_1, T_1\}$ to $GW$ via the public channel, where $G$ is the base point.

Step EN2: On receiving the request, $GW$ checks the freshness of the timestamp $T_1$. After that, $GW$ finds the function $g(PI{D}_{D_j}, y)$ by $TI{D}_{D_j}$, and calculates $I{D}_{GW}=PUF(C{h}_{GW})$, $PI{D}_{GW}=SI{D}_{GW}\oplus h(C{h}_{GW}\parallel I{D}_{GW})$, the secret value $g(PI{D}_{D_j}, PI{D}_{GW})$, $V_1^{\prime }=h(M_1\parallel TI{D}_{D_j}\parallel g(PI{D}_{D_j}, PI{D}_{GW})\parallel T_1)$. If $V_1=V_1^{\prime }$, the request is integrity. Then $GW$ generates a random number $R_{D_j}$ and timestamp $T_2$, and calculates $M_2=R_{D_j}·G$, $S{K}_{GW-D_j}=h(TI{D}_{D_j}\parallel g(PI{D}_{D_j},PI{D}_{GW})\parallel R_{D_j}·M_1\parallel T_1\parallel T_2)$, $TI{D}_{D_j}^{new}=h(TI{D}_{D_j}\parallel g(PI{D}_{D_j},PI{D}_{GW})\parallel R_{D_j}·M_1\parallel T_2)$, $V_2=h(TI{D}_{D_j}^{new}\parallel T_1)$. Then $GW$ returns $M_2, V_2, T_2$ via the public channel. It is worth noting that the $GW$ does not immediately update $TI{D}_{D_j}$ at the time, and updates $TI{D}_{D_j}=TI{D}_{D_j}^{new}$ after a secure session is established. Even if the session establishment fails, it will not cause the smart device $S{D}_j$ to get out of sync.

Step EN3: On receiving the response, the smart device $S{D}_j$ checks the freshness of timestamp $T_2$. Then $S{D}_j$ calculates $S{K}_{D_j-GW}=h(TI{D}_{D_j}\parallel g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}·M_2\parallel T_1\parallel T_2)$, $V_2^{\prime }=h(TI{D}_{D_j}^{new}\parallel T_1)$. If $V_2=V_2^{\prime }$, the negotiation is successful, and $S{D}_j$ calculates $TI{D}_{D_j}^{new}=h(TI{D}_{D_j}\parallel g(PI{D}_{GW}, PI{D}_{D_j})\parallel r_{D_j}·M_2\parallel T_2)$, updates $TI{D}_{D_j}=TI{D}_{D_j}^{new}$ and sends a secure message to notify the $GW$ to update $TI{D}_{D_j}$.

5.4. Login and Authentication Phase

When the user needs to access the smart home, Figure 7 describes the executive process.

Step LA1: The user $U_i$ inputs identity information $I{D}_{U_i}^{in}, P{W}_{U_i}^{in}$ and biometric information $BI{O}_{U_i}^{in}$ into the mobile device, the mobile device computes ${\sigma }_{U_i}^{\prime }=Rep(BI{O}_{U_i}^{in}, {\tau }_{U_i})$, $r_{U_i}^{\prime }=B_{U_i}\oplus h(P{W}_{U_i}^{in}\parallel {\sigma }_{U_i}^{\prime })$, $HP{W}_{U_i}^{\prime }=h(I{D}_{U_i}^{in}\parallel P{W}_{U_i}^{in}\parallel {\sigma }_{U_i}^{\prime }\parallel r_{U_i}^{\prime })$. If $HP{W}_{U_i}^{\prime }\ne HP{W}_{U_i}$, login failed. Otherwise, the mobile device generates a random number $n_{U_i}$ and current timestamp $T_3$, computes $PI{D}_{U_i}=h(I{D}_{U_i}\parallel r_{U_i})$, $M_3=n_{U_i}·G$, $V_3=h(M_3\parallel TI{D}_{U_i}\parallel f(PI{D}_{GW}, PI{D}_{U_i})\parallel T_3)$. Then the mobile device sends $TI{D}_{U_i},M_3, V_3, T_3$ to the $GW$ via the public channel.

Step LA2: After receiving the message, $GW$ checks the freshness of the timestamp $T_3$. Then $GW$ extracts the information $I{D}_{GW}=PUF(C{h}_{GW})$, $PI{D}_{GW}=SI{D}_{GW}\oplus h(C{h}_{GW}\parallel I{D}_{GW})$, gets $f(PI{D}_{U_i}, y)$ by $TI{D}_{U_i}$ and calculates the secret value $f(PI{D}_{U_i}, PI{D}_{GW})$. Similarly, the $GW$ calculates $V_3^{\prime }=h(M_3\parallel TI{D}_{U_i}\parallel f(PI{D}_{U_i}, PI{D}_{GW})\parallel T_3)$. If $V_3\ne V_3^{\prime }$, terminate. Otherwise, $GW$ generates random number $N_{U_i}$ and current timestamp $T_4$, calculates $M_4=N_{U_i}·G$, $S{K}_{GW-U_i}=h(TI{D}_{U_i}\parallel f(PI{D}_{U_i}, PI{D}_{GW})\parallel N_{U_i}·M_3\parallel T_3\parallel T_4)$, $TI{D}_{U_i}^{new}=h(TI{D}_{U_i}\parallel f(PI{D}_{U_i}, PI{D}_{GW})\parallel N_{U_i}·M_3\parallel T_4)$, $V_4=h(TI{D}_{U_i}^{new}\parallel T_3)$, and updates the $TI{D}_{U_i}$ with $TI{D}_{U_i}^{new}$ after the session is established. Finally, $GW$ sends the message $M_4, V_4, T_4$ to $U_i$ via the public channel.

Step LA3: On receiving the response, the user $U_i$’s mobile device checks the freshness of the timestamp $T_4$. And the mobile device computes $S{K}_{U_i-GW}=h(TI{D}_{U_i}\parallel f(PI{D}_{GW}, PI{D}_{U_i})\parallel n_{U_i}·M_4\parallel T_3\parallel T_4)$, $V_4^{\prime }=h(TI{D}_{U_i}^{new}\parallel T_3)$, $TI{D}_{U_i}^{new}=h(TI{D}_{U_i}\parallel f(PI{D}_{GW},PI{D}_{U_i})\parallel n_{U_i}·M_4\parallel T_4)$. If $V_4=V_4^{\prime }$, the authentication succeeded, and the mobile device updates $TI{D}_{U_i}$ with $TI{D}_{U_i}^{new}$ and securely informs the smart gateway $GW$ to update $TI{D}_{U_i}$.

6. Formal Security Proof

6.1. Random Oracle Model

Definition 1 (Participants & partnering).

The participants are composed of User ($U$), Smart Device ($SD$), and Gateway ($GW$). In the i-th instance, the participants are denoted as $I{n}_{Ui}^i$, $I{n}_{SDj}^i$, and $I{n}_{GW}^i$, respectively. The state $Accept$ represents that an oracle receives a correct message.

If two oracles are in $Accept$ and the session keys have been agreed upon, the oracles get their session identities and participant identities. The oracles can be considered partners if the following conditions are satisfied:

Their session keys are the same;

Their session identities are the same;

The participant’s identity is equal to each other’s identity.

Definition 2 (Queries).

The queries simulate the capabilities of attackers.

$Execute(I{n}_{Ui}^i, I{n}_{GW}^i, I{n}_{SDj}^i)$: All the messages transmitted openly can be intercepted by the adversary $A$.

$Send(I{n}_{Ui}^i, I{n}_{GW}^i, I{n}_{SDj}^i, m)$: $A$ forges and sends the message $m$ to $I{n}_{Ui}^i$, $I{n}_{GW}^i$, or $I{n}_{SDj}^i$, if $m$ is correct, $I{n}_{Ui}^i$, $I{n}_{GW}^i$, or $I{n}_{SDj}^i$ responses $A$.

$Reveal(I{n}_{Ui}^i, I{n}_{GW}^i, I{n}_{SDj}^i)$: $A$ can get the current session key between $I{n}_{Ui}^i$, $I{n}_{GW}^i$, and $I{n}_{SDj}^i$.

$Test(I{n}_{Ui}^i, I{n}_{GW}^i, I{n}_{SDj}^i, r)$: This query is allowed to be executed at most once, which generates a random bit $r$, if $r=1$, the real session key is returned.

$CorruptUser(I{n}_{Ui}^i)$: Which simulates the side-channel attack on the user’s device and returns the stored information $\{B_{U_i}, TI{D}_{U_i}, T{C}_{U_i}, {\tau }_{U_i}, HP{W}_{U_i}, f(PI{D}_{GW}, y), Rep, Gen, h, G\}$.

$CorruptDevice(I{n}_{SDj}^i)$: Which simulates the attack of capturing a smart device and returns the stored information $\{TI{D}_{D_j}, DI{D}_{D_j}, C{h}_{D_j}, g(PI{D}_{GW}, y), PUF, h, G\}$.

$CorruptGateway(I{n}_{GW}^i)$: Which simulates the attack of capturing the smart gateway and returns the stored information $\{SI{D}_{GW}, T{C}_{GW}, C{h}_{GW}, R{T}_{GW}, PUF, h, G\}$, <$TI{D}_{D_j}, g(PI{D}_{D_j}, y)$>, and <$TI{D}_{U_i}, f(PI{D}_{U_i}, y)$>.

Definition 3 (Freshness).

An instance can be regarded as fresh if it satisfies:

$I{n}_{Ui}^i$,$I{n}_{GW}^i$, and$I{n}_{SDj}^i$are in$Accept$.

The query$Reveal(I{n}_{Ui}^i, I{n}_{GW}^i, I{n}_{SDj}^i)$has not been executed.

The queries$Corrupt$have been executed at most once.

Definition 4 (Semantic security).

$A$ is allowed to execute at most once $Test(I{n}_{Ui}^i,I{n}_{GW}^i,I{n}_{SDj}^i,r)$ and multiple other queries to determine the correctness of the return value of $Test(I{n}_{Ui}^i,I{n}_{GW}^i,I{n}_{SDj}^i,r)$. That is $A$ guesses the random bit $r$ generated by $Test$. The possibility is $Ad{v}_P^A=\left|2Pr\left[suc(A)\right]-1\right|$, $Ad{v}_P^A<\eta$ represents the protocol is secure, where $\eta$ is sufficiently small.

6.2. Formal Security Proof under the Random Oracle Model

Theorem 1.

The advantage of obtaining the session key in polynomial time by $A$ is $Ad{v}_P^A\le \frac{q_{HA}^2}{2^{l_{HA}}}+\frac{{(q_{SE}+q_{EX})}^2}{n}+\frac{q_{SE}}{2^{l_{bio}-1}}+2q_{SE}Ad{v}_{PUF}^A+2Ad{v}_{ECDLP}^A\cdot Ad{v}_{SBP}^A$.

Where$q_{HA}$,$q_{SE}$, and$q_{EX}$represents the times of executing Hash, Send, and Execute, respectively.$l_{HA}$,$n$, and$l_{bio}$are the length of hash, transcripts, and biological key, respectively. The advantage of breaking PUF, ECDLP, and the symmetric bivariate polynomial by$A$are$Ad{v}_{PUF}^A$,$Ad{v}_{ECDLP}^A$, and$Ad{v}_{SBP}^A$, respectively.

Proof. 

The games $Gam{e}_i(0\le i\le 4)$ are defined to simulate the attacks launched by $A$. $Wi{n}_i(0\le i\le 4)$ means $A$ guesses the random bit $r$ in the $Gam{e}_i$. The games are defined as:

$Gam{e}_0$: This game simulates the real attack first launched by $A$. According to the definition, we get:

$$Ad{v}_P^A=\left|2Pr\left[Wi{n}_0\right]-1\right|$$

(1)

$Gam{e}_1$: This game simulates the eavesdropping attack. $A$ gets all the messages transmitted publicly. Then, $A$ guesses the random bit $r$. However, because of the ECDLP, the attacker cannot judge the association between the captured messages and the session keys. Therefore, we get:

$$Pr\left[Wi{n}_0\right]=Pr\left[Wi{n}_1\right]$$

(2)

$Gam{e}_2$: This game simulates the collision attack on the transcripts and hash results according to the definition of the birthday paradox, the probability of hash collision is less than $\frac{q_{HA}^2}{2^{l_{HA}+1}}$, and the collision probability of other transcripts is less than $\frac{{(q_{SE}+q_{EX})}^2}{2n}$. Therefore, we have:

$$Pr\left[Wi{n}_2\right]-Pr\left[Wi{n}_1\right]\le \frac{q_{HA}^2}{2^{l_{HA}+1}}+\frac{{(q_{SE}+q_{EX})}^2}{2n}$$

(3)

$Gam{e}_3$: This game simulates $A$ executes $CorruptUser(I{n}_{Ui}^i)$, $CorruptDevice(I{n}_{SDj}^i)$, and $CorruptGateway(I{n}_{GW}^i)$ to obtain the stored information $\{B_{U_i},TI{D}_{U_i},T{C}_{U_i},{\tau }_{U_i}, HP{W}_{U_i}, f(PI{D}_{GW}, y),Rep,Gen,h,G\}$ in the user’s device, $\{TI{D}_{D_j}, DI{D}_{D_j}, C{h}_{D_j}, g(PI{D}_{GW}, y), PUF, h, G\}$ in the smart device, and $\{SI{D}_{GW}, T{C}_{GW}, C{h}_{GW}, R{T}_{GW}, PUF, h, G\}$, <$TI{D}_{D_j}, g(PI{D}_{D_j}, y)$>, and <$TI{D}_{U_i}, f(PI{D}_{U_i}, y)$> in the smart gateway. Where $r_{U_i}^{\prime }=B_{U_i}\oplus h(P{W}_{U_i}^{in}\parallel {\sigma }_{U_i}^{\prime })$, $PI{D}_{U_i}=h(I{D}_{U_i}\parallel r_{U_i})$, ${\sigma }_{U_i}^{\prime }$ is the biometric key, $PI{D}_{D_j}=DI{D}_{D_j}\oplus h(PUF(C{h}_{D_j}))$, $PI{D}_{GW}=SI{D}_{GW}\oplus h(C{h}_{GW}\parallel PUF(C{h}_{GW}))$, $PI{D}_{U_i}$, $PI{D}_{D_j}$, and $PI{D}_{GW}$ are used for verification and session key agreement. If $A$ wants to obtain the valuable parameters, $A$ must guess ${\sigma }_{U_i}^{\prime }$ or break PUF. Suppose the probability of breaking PUF by $A$ is $Ad{v}_{PUF}^A$. Therefore, we have:

$$Pr\left[Wi{n}_3\right]-Pr\left[Wi{n}_2\right]\le q_{SE}(\frac{1}{2^{l_{bio}}}+Ad{v}_{PUF}^A)$$

(4)

$Gam{e}_4$: $A$ can obtain $M_1=r_{D_j}·G$, $M_2=R_{D_j}·G$, $M_3=n_{U_i}·G$, and $M_4=N_{U_i}·G$ publicly, the session key agreements are based on ECDLP and the symmetric bivariate polynomial. This game simulates that $A$ calculates the session keys according to the transcripts. We have:

$$Pr\left[Wi{n}_4\right]-Pr\left[Wi{n}_3\right]\le Ad{v}_{ECDLP}^A\cdot Ad{v}_{SBP}^A$$

(5)

The session keys are generated independently and randomly. Hence, the advantage of guessing $r$ is equal to guessing the session key. We have:

$$Pr\left[Wi{n}_4\right]=\frac{1}{2}$$

(6)

Combining the above formulas, we have:

$$\frac{1}{2}Ad{v}_P^A=\left|Pr\left[Wi{n}_0\right]-\frac{1}{2}\right|$$

$$\le \frac{q_{HA}^2}{2^{l_{HA}+1}}+\frac{{(q_{SE}+q_{EX})}^2}{2n}+\frac{q_{SE}}{2^{l_{bio}}}+q_{SE}Ad{v}_{PUF}^A+Ad{v}_{ECDLP}^A\cdot Ad{v}_{SBP}^A$$

That is:

$$Ad{v}_P^A\le \frac{q_{HA}^2}{2^{l_{HA}}}+\frac{{(q_{SE}+q_{EX})}^2}{n}+\frac{q_{SE}}{2^{l_{bio}-1}}+2q_{SE}Ad{v}_{PUF}^A+2Ad{v}_{ECDLP}^A\cdot Ad{v}_{SBP}^A$$

□

7. Informal Security Analysis

7.1. Anonymity and Untraceability

In our proposed scheme, all messages are calculated from random numbers, and the temporary identities are changed in each session. Therefore, the proposed scheme is anonymous and untraceable.

7.2. Perfect Forward Secrecy

In our proposed scheme, the session key negotiation is based on long-term shared secrets and ECDLP. Even if the long-term key $g(PI{D}_{D_j}, PI{D}_{GW})$, $f(PI{D}_{U_i}, PI{D}_{GW})$ and the current session key is leaked, the attacker cannot get the random number and cannot calculate the previous or later session key. Therefore, the protocol has perfect forward secrecy.

7.3. Impersonation Attack

If an attacker wants to impersonate $S{D}_j$, stealing the secret $g(PI{D}_{GW}, PI{D}_{D_j})$ is a precondition. The attacker can’t get the $PI{D}_{D_j}$ because of the security features of PUF, and the secret will not be revealed even if the gateway is compromised, so the attacker can’t impersonate $S{D}_j$.

If an attacker wants to impersonate $U_i$. Calculating $PI{D}_{U_i}=h(I{D}_{U_i}\parallel r_{U_i})$, where $I{D}_{U_i}$ is public. But calculating $r_{U_i}=B_{U_i}\oplus h(P{W}_{U_i}\parallel {\sigma }_{U_i})$ is difficult because of the biological key ${\sigma }_{U_i}$, so it is impossible to impersonate $U_i$.

If an attacker wants to impersonate $GW$ negotiate with $S{D}_j$ or communicate with $U_i$, the attacker needs to know the $PI{D}_{GW}$ to calculate the secret $g(PI{D}_{D_j},PI{D}_{GW})$ or $f(PI{D}_{U_i}, PI{D}_{GW})$. However, the $PI{D}_{GW}$ of the smart gateway also needs to be calculated by the PUF, so the attacker can’t impersonate $GW$.

7.4. Replay Attack

If an attacker captures previous data transmitted on the public channel and resends it, the data recipient will verify the freshness of timestamp. The integrity of the message is combined with the timestamps. The modified timestamp cannot pass the verification.

7.5. Mobile Device Loss/Stolen Attack

If an attacker gets the user’s mobile device, all the information is extracted in the $U_i$’s mobile device. Because the secret value $r_{U_i}$ is calculated from the $U_i$’s bioinformatic features ${\sigma }_{U_i}$, the attacker cannot calculate $PI{D}_{U_i}$ and secret value $f(PI{D}_{U_i}, PI{D}_{GW})$. Therefore, the scheme can resist the mobile device loss/stolen attack.

7.6. Smart Device Captured Attack

Suppose an attacker captures the smart device $S{D}_j$ and extracts the information stored in it. Due to the security features of PUF, the attacker cannot calculate $PUF(C{h}_{D_j})$, $PI{D}_{D_j}$ and $g(PI{D}_{GW}, PI{D}_{D_j})$. So, the attacker cannot impersonate $S{D}_j$, and it is impossible to affect other smart devices.

7.7. Smart Gateway Compromised Attack

Suppose an attacker compromises the smart gateway; he can get the information $\{SI{D}_{GW}, T{C}_{GW}, C{h}_{GW}, R{T}_{GW}, PUF, h, G, \langle TI{D}_{D_j}, g(PI{D}_{D_j}, y)\rangle , \langle TI{D}_{U_i}, f(PI{D}_{U_i}, y)\rangle \}$ stored in the memory. Because of the features of PUF, the attacker cannot calculate $PI{D}_{GW}$, $g(PI{D}_{D_j}, PI{D}_{GW})$, $g(PI{D}_{D_j}, PI{D}_{GW})$. Therefore, the scheme can resist the smart gateway compromised attack.

7.8. Man-in-the-Middle Attack

Since an attacker can neither impersonate $GW$, nor $U_i$ and $S{D}_j$, which is described in the Impersonation Attack. Therefore, the scheme can resist the man-in-the-middle attack.

7.9. Desynchronization Attack

The reason our protocol can resist the desynchronization attack is that $TI{D}_{D_j}$ is updated after passing the authentication and establishing the session key.

7.10. The Ephemeral Secret Leakage (ESL) Attack

Suppose an attacker gets an ephemeral secret during a negotiation, such as $r_{D_j}$, $R_{D_j}$, $n_{U_i}$, $N_{U_i}$. However, the session key calculation requires the long-term key $g(PI{D}_{D_j}, PI{D}_{GW})$ or $f(PI{D}_{U_i}, PI{D}_{GW})$. Therefore, the scheme is resistant to the ephemeral secret leakage (ESL) attack.

8. Comparisons

In this section, we compared the security features and performance between our protocol and some related schemes [16,17,19,21]. The performance evaluation consists of communication and computation costs.

In terms of computational consumption, TI MSP430 microcontrollers are widely used in measurement and control equipment, so we take them to carry the TMP36 sensor to simulate the calculation consumption of the smart device. The mobile device chip uses ARM Cortex-A9 MPCore@890 Mhz CPU, and the smart gateway uses Intel Core [email protected] GHz. To ensure the consistency of statistical methods, we adopt the conversion method of [19], $T_h\approx T_{mac}\approx T_{hmac},T_{epm}\approx T_{me},T_p\approx 16T_{mac}$, where $T_h$ is the time of the hash function, $T_e$ is the time of symmetric key encryption or decryption, $T_p$ is the time of symmetric polynomial, $T_{epm}$ is the time of ECC point multiplication, $T_{mac}$ is the time of message authentication code (MAC), $T_{hmac}$ is the time of hashed MAC and $T_{me}$ the time of is modular exponentiation; the notations are shown in

Table 2. Notations.

Symbol	Algorithm
$T_h$	Hash function
$T_e$	Symmetric key encryption or decryption
$T_p$	Symmetric polynomial
$T_{epm}$	ECC point multiplication
$T_{mac}$	Message authentication code (MAC)
$T_{hmac}$	Hashed MAC
$T_{me}$	Modular exponentiation

. According to the smart device simulation result, $T_h\approx 1.42 \mathrm{ms}$, $T_e\approx 2.18 \mathrm{ms}$, $T_{epm}\approx 21.82 \mathrm{ms}$. According to the mobile device simulation, $T_h\approx 0.067 \mathrm{ms}$, $T_e\approx 0.085 \mathrm{ms}$, $T_{epm}\approx 13.56 \mathrm{ms}$. According to the smart gateway simulation, $T_h\approx 0.037 \mathrm{ms}$, $T_e\approx 0.055 \mathrm{ms}$, $T_{epm}\approx 8.77 \mathrm{ms}$. The result is shown in

Table 3. Algorithm execution time (ms).

Device	Th	Te	Tepm
Mobile device	0.067	0.085	13.56
Smart device	1.42	2.18	21.82
Gateway	0.037	0.055	8.77

.

In terms of communication consumption, the length of the output, such as random number, identity, timestamp, hash, MAC, symmetric encryption block, and ECC point are 128 bits, 128 bits, 32 bits, 256 bits, 256 bits, 128 bits, and 1024 bits, respectively.

Table 4. Security features.

Features	[16]	[17]	[21]	[19]	Ours
Offline password-guessing attack	✗	✗	✓	✓	✓
Mobile device stolen attack	⊘	⊘	✓	✗	✓
Smart device captured attack	✓	✓	✓	✓	✓
Gateway compromised attack	✗	✗	⊘	✗	✓
Replay attack	✗	✗	✓	✓	✓
User impersonation attack	✓	✓	✓	✓	✓
Smart device impersonation attack	✓	✓	✓	✓	✓
Gateway impersonation attack	✓	✓	✓	✓	✓
User anonymity	✓	✓	✓	✓	✓
Un-traceability	✓	✓	✓	✗	✓
Man-in-the-middle attack	✓	✓	✓	✓	✓
Mutual authentication	✓	✓	✓	✓	✓
Desynchronization attack	⊘	⊘	✗	✗	✓
Key agreement	✓	✓	✓	✓	✓
Perfect forward secrecy	✗	✗	✗	✗	✓

✓: secure; ✗: insecure; ⊘: not applicable.

is the comparison of the security features, and the comparison of the computation and communication consumptions are shown in

Table 5. Computation costs (ms).

Scheme	Mobile Device	Smart Device	Gateway	Total
[16]	$6T_h+2T_{epm}\approx 27.52$	$3T_h\approx 4.26$	$7T_h+T_{epm}\approx 9.03$	40.81
[17]	$6T_h+2T_{epm}\approx 27.52$	$3T_h\approx 4.26$	$7T_h+T_{epm}\approx 9.03$	40.81
[19]	$27T_h\approx 1.81$	-	$24T_h\approx 0.89$	2.7
[21]	$8T_h+T_e\approx 0.62$	$6T_h+T_e\approx 10.7$	$10T_h+2T_e\approx 0.48$	11.8
Ours	$21T_h+2T_{epm}\approx 28.53$	-	$19T_h+2T_{epm}\approx 18.24$	46.77

and

Table 6. Communication costs (bits).

Scheme	Total Messages	Communication Cost
[16]	4	4480
[17]	4	4608
[21]	4	4000
[19]	2	2112
Ours	2	2752

.

In the scheme [16], the user inputs the identity and the password to achieve verification. When facing the offline password guessing attack, the password will no longer be secure. In addition, the gateway stores the long-term keys, the keys of users and devices will be leaked when the gateway is compromised, which threatens the security of communication data and session keys. The protocol cannot resist the gateway compromised attack and has no perfect forward secrecy. In addition, there is no timestamp verification in the authentication process; messages can be replayed.

In terms of communication consumption, the scheme [16] performs a total of 4 transmissions, the message sent by the user is 2560 bits (1024 + 1024 + 256 + 256), the gateway sent to the device is 768 bits (512 + 256), the returned message from the device is 512 bits (256 + 256), and the gateway sends to the user is 640 bits (384 + 256), so a total consumption is 4480 bits (2560 + 768 + 512 + 640).

In scheme [17], protocol is improved based on [16]. However, it can not resist the offline password-guessing attack and the replay attack. Similarly, because the gateway stores keys and sensitive data, the protocol does not provide perfect forward secrecy and cannot resist the gateway compromised attack. On the communication consumption, this protocol makes 4 transmissions. The user sends to the gateway 2592 bits (1024 + 1024 + 256 + 256 + 32), the gateway sends to the device 800 bits (512 + 256 + 32), the device returns 544 bits (256 + 256 + 32) message, then the gateway returns 672 bits (384 + 256 + 32) message to the user, the total consumption is 4608 bits (2592 + 800 + 544 + 672).

The scheme [21] stores the keys in the gateway, and the authors claimed that the gateway is fully trusted and cannot be compromised. So, the gateway compromised attack does not apply to this scheme. The biometric information and password are used for user verification, which can resist offline password guessing attacks and mobile device stolen attacks. A temporary identifier is used in the scheme to provide anonymity, which brings the issue of updating the temporary identifier. If the attacker intercepts the last message, the temporary identifier will be out of sync. In addition, the session key is built based on the shared secret key, so the scheme has no perfect forward secrecy. The data transmission communication consumptions in the protocol are 672 bits (128 + 256 + 256 + 32), 1056 bits (768 + 256 + 32), 800 bits (256 + 256 + 256 + 32), 1472 bits (896 + 256 + 256 + 32 + 32) respectively, so the total communication consumption is 4000 bits (672 + 1056 + 800 + 1472). The scheme [21] is based on symmetric encryption, and the shared key is preset in the gateway, so the calculation is fast.

We have pointed out that Guo et al.’s scheme [19] is not immune to the mobile device stolen attack, the gateway compromised attack, and the desynchronization attack. There is traceability and no perfect forward secrecy. In terms of communication consumption, access to the smart home requires 2 message transfers, consuming 1056 bits (256 + 128 + 256 + 256 + 128 + 32), 1056 bits (256 + 256 + 256 + 256 + 32), respectively, so total consumption is 2112 bits (1056 + 1056).

Our proposed scheme can support all security features. In terms of communication, our authentication requires 2 message transfers, sending 1440 bits (128 + 1024 + 256 + 32) and 1312 bits (1024 + 256 + 32), respectively, so total consumption is 2752 bits (1440 + 1312).

Table 2 and Table 5 show that our protocol has better security and transmission efficiency. To achieve perfect forward secrecy (PFS), it needs at least four times elliptic curve point multiplication. Since only our scheme achieves PFS, the computation cost of our scheme is a little more than others but at the same computation cost level.

9. Conclusions

In this paper, we first pointed out that many existing authentication protocols for a smart home have one or more security flaws. It further showed that almost all these protocols may suffer from gateway compromised attacks. Then we described that Guo et al.’s protocol in a fog-enabled smart home is vulnerable to smart gateway compromised attacks, desynchronization attacks, and mobile device lost/stolen attacks and has no perfect forward secrecy and untraceability. To overcome the shortcomings of Guo et al.’s protocol, we adopt PUF to resist gateway compromised attacks, adopt ECDH to achieve perfect forward secrecy, and propose a secure and privacy-preserving authentication protocol that avoids gateway compromised attacks in fog-enabled smart homes, and formally prove the security of the proposed protocol under random oracle model. Finally, we compare our protocol with some related protocols. The proposed protocol has better security and transmission efficiency with the same computation cost level.