# A Secure Authentication and Key Agreement Scheme for IoT-Based Cloud Computing Environment


## Abstract


## 1. Introduction

#### Contributions

## 2. Preliminaries

#### 2.1. Bilinear Pairing

#### 2.2. Related Mathematical Problems

#### 2.2.1. Discrete Logarithm Problem

#### 2.2.2. Computational Diffie–Hellman Problem

#### 2.3. Adversary Model

## 3. Review of He et al.’s Scheme

#### 3.1. Setup Phase

#### 3.2. User Registration Phase

1. $U_i$ chooses $ID_{U_i}$, $PW_{U_i}$ and a random number $b_{U_i}$ freely, computes $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, and sends the registration message $\{ID_{U_i}, h_0(ID_{U_i}, PW_{U_i}, b_{U_i})\}$ to RC.
2. RC selects $\omega_{U_i} \in Z_q^{*}$ freely and computes $g_{U_i} = g^{\omega_{U_i}}$, $\xi_{U_i} = h_1(ID_{U_i}, g_{U_i})$, $\tau_{U_i} = \omega_{U_i} + \tau \cdot \xi_{U_i}$, $\phi_{U_i} = \tau_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ and $\vartheta_{U_i} = h_0(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \phi_{U_i})$. Then RC transmits $\{g_{U_i}, \phi_{U_i}, \vartheta_{U_i}\}$ to $U_i$.
3. $U_i$ writes $\{g_{U_i}, \phi_{U_i}, \vartheta_{U_i}, b_{U_i}\}$ into $SC_{U_i}$.

#### 3.3. Cloud Server Registration Phase

1. $S_j$ transmits $ID_{S_j}$ to RC.
2. RC calculates $D_{S_j} = \frac{1}{\hat{\tau} + h_2(ID_{S_j})} \cdot P$ and returns $\{D_{S_j}\}$ to $S_j$ via a private channel.
3. $S_j$ receives $D_{S_j}$ and stores it securely.

#### 3.4. Login and Authentication Phase

1. $U_i$ inserts $SC_{U_i}$ into a reader and inputs $ID_{U_i}$ and $PW_{U_i}$. $SC_{U_i}$ checks whether $\vartheta_{U_i} \overset{?}{=} h_0(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \phi_{U_i})$. If it holds, $SC_{U_i}$ accepts $ID_{U_i}$ and $PW_{U_i}$ as correct, generates a random number $r_{U_i} \in Z_q^{*}$ and calculates $R_{U_i} = r_{U_i} \cdot (P_{pub} + h_2(ID_{S_j}) \cdot P)$ and $x = g^{r_{U_i}}$. Finally, $U_i$ transmits the login request $\{R_{U_i}\}$ to $S_j$.
2. $S_j$ receives $R_{U_i}$ and calculates $x = e(R_{U_i}, D_{S_j})$. Then $S_j$ randomly chooses $r_{S_j} \in Z_q^{*}$ and calculates $y = g^{r_{S_j}}$ and $\alpha_{S_j} = h_3(R_{U_i}, x, y)$. Finally, $S_j$ responds with $\{y, \alpha_{S_j}\}$ to $U_i$.
3. $U_i$ receives $\{y, \alpha_{S_j}\}$ and checks whether $\alpha_{S_j} \overset{?}{=} h_3(R_{U_i}, x, y)$. If not, $U_i$ terminates the session. Otherwise, $U_i$ calculates $\theta_{U_i} = h_4(ID_{U_i}, R_{U_i}, x, y)$, $\tau_{U_i} = \phi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, $\alpha_{U_i} = \tau_{U_i} + \theta_{U_i} \cdot r_{U_i}$, the session key $sk_{U_i} = h_5(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$ and $C_{U_i} = h_6(x) \oplus (ID_{U_i}, g_{U_i}, \alpha_{U_i})$. Finally, $U_i$ transmits $C_{U_i}$ to the cloud server $S_j$.
4. $S_j$ receives $C_{U_i}$ and recovers $ID_{U_i}$, $g_{U_i}$ and $\alpha_{U_i}$ by computing $(ID_{U_i}, g_{U_i}, \alpha_{U_i}) = h_6(x) \oplus C_{U_i}$. Then $S_j$ calculates $\xi_{U_i} = h_1(ID_{U_i}, g_{U_i})$ and $\theta_{U_i} = h_4(ID_{U_i}, R_{U_i}, x, y)$ and checks whether $g^{\alpha_{U_i}} \overset{?}{=} g_{U_i} \cdot g_{pub}^{\xi_{U_i}} \cdot x^{\theta_{U_i}}$. If it holds, $S_j$ computes the session key $sk_{S_j} = h_5(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$.
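Why Step 4 accepts an honestly generated $\alpha_{U_i}$, and why both sides end with the same key. This derivation is added here and is not part of the original text; it assumes, as the two computations of $x$ require, that the setup phase defines $g = e(P, P)$, $g_{pub} = g^{\tau}$ and $P_{pub} = \hat{\tau} \cdot P$:

$$x = e(R_{U_i}, D_{S_j}) = e\left(r_{U_i}\,(\hat{\tau} + h_2(ID_{S_j}))\,P,\ \frac{1}{\hat{\tau} + h_2(ID_{S_j})}\,P\right) = e(P, P)^{r_{U_i}} = g^{r_{U_i}},$$

$$g^{\alpha_{U_i}} = g^{\tau_{U_i} + \theta_{U_i} r_{U_i}} = g^{\omega_{U_i}} \cdot g^{\tau \xi_{U_i}} \cdot \left(g^{r_{U_i}}\right)^{\theta_{U_i}} = g_{U_i} \cdot g_{pub}^{\xi_{U_i}} \cdot x^{\theta_{U_i}},$$

$$y^{r_{U_i}} = g^{r_{S_j} r_{U_i}} = x^{r_{S_j}}, \qquad \text{so } sk_{U_i} = sk_{S_j}.$$

The check binds $\alpha_{U_i}$ to nothing but $\tau_{U_i}$ and the session randomness: whoever can unmask $\phi_{U_i}$ can produce a valid $\alpha_{U_i}$, which is what the attack in Section 4.1.2 uses.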

#### 3.5. Password Modification Phase

1. $U_i$ inputs $ID_{U_i}$ and $PW_{U_i}$. $SC_{U_i}$ checks whether $\vartheta_{U_i} \overset{?}{=} h_0(h_0(ID_{U_i}, PW_{U_i}, b_{U_i}), \phi_{U_i})$.
2. If the check fails, $SC_{U_i}$ rejects the modification request. Otherwise, $U_i$ inputs $PW_{U_i}^{*}$. $SC_{U_i}$ chooses a new random number $b_{U_i}^{*}$ and calculates $\phi_{U_i}^{*} = \phi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i}) \oplus h_0(ID_{U_i}, PW_{U_i}^{*}, b_{U_i}^{*})$ and $\vartheta_{U_i}^{*} = h_0(h_0(ID_{U_i}, PW_{U_i}^{*}, b_{U_i}^{*}), \phi_{U_i}^{*})$. Finally, $SC_{U_i}$ replaces $\{g_{U_i}, \phi_{U_i}, \vartheta_{U_i}, b_{U_i}\}$ with $\{g_{U_i}, \phi_{U_i}^{*}, \vartheta_{U_i}^{*}, b_{U_i}^{*}\}$, and the new password is $PW_{U_i}^{*}$.

## 4. Cryptanalysis of He et al.’s Scheme

#### 4.1. Insider Attack

#### 4.1.1. Offline Password Guessing

1. $A$ guesses a candidate password $PW_i^{*}$.
2. $A$ calculates $h^{*} = h_0(ID_{U_i}, PW_i^{*}, b_{U_i})$, with $b_{U_i}$ read from the captured smart card (Capability 7).
3. $A$ checks whether $h^{*} \overset{?}{=} h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, the value obtained from the registration message. If not, $A$ repeats Steps 1–3 with the next candidate. Otherwise, $A$ has recovered the true password and the attack is finished.

#### 4.1.2. User Impersonation

1. $A$ randomly generates $r_{U_i} \in Z_q^{*}$ and calculates $R_{U_i} = r_{U_i} \cdot (P_{pub} + h_2(ID_{S_j}) \cdot P)$ and $x = g^{r_{U_i}}$. Then $A$ transmits the request $R_{U_i}$ to server $S_j$.
2. Upon receiving $\{y, \alpha_{S_j}\}$ from $S_j$, $A$ computes $\theta_{U_i} = h_4(ID_{U_i}, R_{U_i}, x, y)$ and $\tau_{U_i} = \phi_{U_i} \oplus h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$, where $\phi_{U_i}$ and $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ were obtained earlier. Subsequently, $A$ calculates $\alpha_{U_i} = \tau_{U_i} + \theta_{U_i} \cdot r_{U_i}$ and the session key $sk_{U_i} = h_5(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$. Finally, $A$ sends $C_{U_i} = h_6(x) \oplus (ID_{U_i}, g_{U_i}, \alpha_{U_i})$ to $S_j$.

The messages generated by $A$ are valid: they pass the check of Step 4 in Section 3.4, so the cloud server $S_j$ accepts $A$ as the user $U_i$.
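The registration and login flow of Sections 3.2 and 3.4, with both insider attacks of Section 4.1 run against it, as an added example. This is not the paper's code. It abstracts away the pairing, since $S_j$ only uses it to recover $x = e(R_{U_i}, D_{S_j}) = g^{r_{U_i}}$, so the transcript below carries $x$ itself and $R_{U_i}$ is dropped from the hashes; $G_2$ is modelled as the order-$q$ subgroup of $Z_p^{*}$ for a constructed toy safe prime $p = 2q + 1$, $h_0 \ldots h_6$ are domain-separated SHA-256, and the $h_6(x)$ mask on $(ID_{U_i}, g_{U_i}, \alpha_{U_i})$ is omitted. All of these are simplifications of this example, not of the scheme.

```python
"""He et al.'s self-certified user credential (Sections 3.2, 3.4) and the
insider attacks of Section 4.1, simulated without the pairing (see lead-in)."""
import hashlib
import secrets

P, Q, G = 2039, 1019, 4      # toy p = 2q + 1; G = 2^2 generates the order-q subgroup
ID_S = "cloud-server-1"


def h(i, *parts):
    """h_i(...) -> 32 bytes; fields are '|'-separated (constructed encoding)."""
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"h%d|" % i + b"|".join(enc)).digest()


def h_int(i, *parts):
    """Same hash reduced into Z_q, for use as an exponent."""
    return int.from_bytes(h(i, *parts), "big") % Q


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rand_zq():
    return secrets.randbelow(Q - 1) + 1


# --- 3.1 setup: RC private key tau, public g_pub = g^tau ---------------------
TAU = rand_zq()
G_PUB = pow(G, TAU, P)


# --- 3.2 user registration -----------------------------------------------------
def user_register(ID, PW):
    b = secrets.token_bytes(16)
    return b, {"ID": ID, "hpw": h(0, ID, PW, b)}      # {ID, h_0(ID,PW,b)} to RC


def rc_register(msg):
    w = rand_zq()
    g_u = pow(G, w, P)
    xi = h_int(1, msg["ID"], g_u)
    tau_u = (w + TAU * xi) % Q                          # self-certified private key
    phi = xor(tau_u.to_bytes(32, "big"), msg["hpw"])    # tau_u masked by password hash
    return {"g_u": g_u, "phi": phi, "vartheta": h(0, msg["hpw"], phi)}


def make_card(b, reply):
    return dict(reply, b=b)                             # {g_U, phi, vartheta, b}


# --- 3.4 login and authentication ----------------------------------------------
def card_check(card, ID, PW):
    """Returns h_0(ID,PW,b) if vartheta verifies, else None."""
    hpw = h(0, ID, PW, card["b"])
    return hpw if h(0, hpw, card["phi"]) == card["vartheta"] else None


def user_login(card, ID, PW):
    if card_check(card, ID, PW) is None:
        return None
    r = rand_zq()
    return r, pow(G, r, P)                              # (r_U, x = g^{r_U})


def server_challenge(x):
    r_s = rand_zq()
    y = pow(G, r_s, P)
    return r_s, y, h(3, x, y)                           # (r_S, y, alpha_S)


def user_prove(card, ID, PW, r, x, y, alpha_s):
    if alpha_s != h(3, x, y):
        return None
    tau_u = int.from_bytes(xor(card["phi"], card_check(card, ID, PW)), "big")
    alpha_u = (tau_u + h_int(4, ID, x, y) * r) % Q
    sk = h(5, ID, ID_S, x, y, pow(y, r, P))
    return (ID, card["g_u"], alpha_u), sk


def server_verify(proof, r_s, x, y):
    """g^{alpha_U} == g_U * g_pub^{xi_U} * x^{theta_U}; returns sk_S or None."""
    ID, g_u, alpha_u = proof
    xi, theta = h_int(1, ID, g_u), h_int(4, ID, x, y)
    if pow(G, alpha_u, P) != g_u * pow(G_PUB, xi, P) * pow(x, theta, P) % P:
        return None
    return h(5, ID, ID_S, x, y, pow(x, r_s, P))


def run_session(card, ID, PW):
    """Full exchange -> (sk_U, sk_S). Anyone holding the card and the password
    runs exactly this, which is the impersonation of Section 4.1.2."""
    r, x = user_login(card, ID, PW)
    r_s, y, alpha_s = server_challenge(x)
    proof, sk_u = user_prove(card, ID, PW, r, x, y, alpha_s)
    return sk_u, server_verify(proof, r_s, x, y)


# --- 4.1.1 insider: registration message + captured card (Capability 7) --------
def insider_guess_password(reg_msg, card, dictionary):
    """h_0(ID, PW, b) with b read from the card is a plain password verifier."""
    for cand in dictionary:
        if h(0, reg_msg["ID"], cand, card["b"]) == reg_msg["hpw"]:
            return cand
    return None
```

The point the simulation makes concrete: the card stores $b_{U_i}$ in the clear and the registration message carries $h_0(ID_{U_i}, PW_{U_i}, b_{U_i})$ at full width, so an insider with both has an exact offline verifier, and once $PW_{U_i}$ is known `run_session` needs nothing the insider does not already hold.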

#### 4.2. Possible DoS Attack

## 5. Our Improved Scheme

#### 5.1. Setup Phase

#### 5.2. User Registration Phase

1. $U_i$ chooses $ID_{U_i}$, $PW_{U_i}$ and a number $b_{U_i}$ freely, then computes $PWB = h_0(ID_{U_i} \| PW_{U_i} \| b_{U_i}) \bmod n$, where $2^4 \le n \le 2^6$. Note that $n$ is a small integer that determines how many $(ID, PW)$ pairs map to the same $PWB$. Then $U_i$ transmits the registration message $\{ID_{U_i}, PWB\}$ to RC.
2. RC selects $w_{U_i} \in Z_q^{*}$ freely and computes $g_{U_i} = g^{w_{U_i}}$, $f_{U_i} = h_1(ID_{U_i}, g_{U_i})$, $t_{U_i} = w_{U_i} + t_1 \cdot f_{U_i}$, $d_{U_i} = t_{U_i} \oplus PWB$, $v_{U_i} = h_0(PWB \| d_{U_i}) \bmod n$ and $m_{U_i} = h_0(h_0(ID_{U_i}) \| h_0(t_3))$. Then RC responds with $\{g_{U_i}, d_{U_i}, v_{U_i}, m_{U_i}\}$ to $U_i$ via a private secure channel.
3. $U_i$ receives $\{g_{U_i}, d_{U_i}, v_{U_i}, m_{U_i}\}$ and computes $k_{U_i} = d_{U_i} \oplus h_0(ID_{U_i} \| PW_{U_i})$ and $M_{U_i} = m_{U_i} \oplus PWB$. Finally, $U_i$ writes $\{g_{U_i}, k_{U_i}, v_{U_i}, M_{U_i}, b_{U_i}\}$ into $SC_{U_i}$.

#### 5.3. Cloud Server Registration Phase

1. $S_j$ sends $ID_{S_j}$ to RC.
2. Upon receiving $ID_{S_j}$, RC calculates $D_{S_j} = \frac{1}{t_2 + h_2(ID_{S_j})} \cdot P$ and sends $\{D_{S_j}, h_0(t_3)\}$ to $S_j$ via a private channel.
3. $S_j$ stores $\{D_{S_j}, h_0(t_3)\}$ in secret.

#### 5.4. Login and Authentication Phase

1. $U_i$ inserts $SC_{U_i}$ into the reader and inputs $ID_{U_i}$ and $PW_{U_i}$. $SC_{U_i}$ calculates $d_{U_i} = k_{U_i} \oplus h_0(ID_{U_i} \| PW_{U_i})$ and $PWB = h_0(ID_{U_i} \| PW_{U_i} \| b_{U_i}) \bmod n$, and checks whether $v_{U_i} \overset{?}{=} h_0(PWB \| d_{U_i}) \bmod n$. If not, $SC_{U_i}$ rejects the login request. Otherwise, it randomly chooses $r_{U_i} \in Z_q^{*}$ and calculates $R_{U_i} = r_{U_i} \cdot (P_{pub} + h_2(ID_{S_j}) \cdot P)$, $x = g^{r_{U_i}}$, $m_{U_i} = M_{U_i} \oplus PWB$, $X_{U_i} = x^{m_{U_i}}$ and $n_{U_i} = x \oplus h_0(ID_{U_i})$. Finally, $U_i$ transmits the login request $\{R_{U_i}, X_{U_i}, n_{U_i}\}$ to $S_j$.
2. $S_j$ receives $\{R_{U_i}, X_{U_i}, n_{U_i}\}$ and calculates $x = e(R_{U_i}, D_{S_j})$ and $m_{U_i} = h_0((n_{U_i} \oplus x) \| h_0(t_3))$. Then $S_j$ checks whether $X_{U_i} \overset{?}{=} x^{m_{U_i}}$. If not, $S_j$ terminates the session. Otherwise, $S_j$ randomly selects $r_{S_j} \in Z_q^{*}$ and calculates $y = g^{r_{S_j}}$ and $a_{S_j} = h_3(R_{U_i}, x, y, n_{U_i})$. Finally, $S_j$ transmits $\{y, a_{S_j}\}$ to $U_i$.
3. Upon receiving $\{y, a_{S_j}\}$ from $S_j$, $U_i$ checks whether $a_{S_j} \overset{?}{=} h_3(R_{U_i}, x, y, n_{U_i})$. If not, $U_i$ terminates the session. Otherwise, $U_i$ calculates $O_{U_i} = h_4(ID_{U_i}, R_{U_i}, x, y)$, $t_{U_i} = d_{U_i} \oplus PWB$, $a_{U_i} = t_{U_i} + O_{U_i} \cdot r_{U_i}$, the session key $sk_{U_i} = h_5(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$ and $C_{U_i} = h_6(x) \oplus (ID_{U_i} \| g_{U_i} \| a_{U_i} \| y)$. Finally, $U_i$ transmits $C_{U_i}$ to $S_j$.
4. $S_j$ receives $C_{U_i}$ and recovers $ID_{U_i}$, $g_{U_i}$ and $a_{U_i}$ by computing $(ID_{U_i} \| g_{U_i} \| a_{U_i} \| y) = h_6(x) \oplus C_{U_i}$. Then $S_j$ calculates $f_{U_i} = h_1(ID_{U_i}, g_{U_i})$ and $O_{U_i} = h_4(ID_{U_i}, R_{U_i}, x, y)$ and checks whether $g^{a_{U_i}} \overset{?}{=} g_{U_i} \cdot g_{pub}^{f_{U_i}} \cdot x^{O_{U_i}}$. If it holds, $S_j$ computes the session key $sk_{S_j} = h_5(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$.

#### 5.5. Password Modification Phase

1. $U_i$ inputs $ID_{U_i}$ and $PW_{U_i}$. $SC_{U_i}$ computes $d_{U_i} = k_{U_i} \oplus h_0(ID_{U_i} \| PW_{U_i})$ and $PWB = h_0(ID_{U_i} \| PW_{U_i} \| b_{U_i}) \bmod n$, and checks whether $v_{U_i} \overset{?}{=} h_0(PWB \| d_{U_i}) \bmod n$.
2. If the check fails, $SC_{U_i}$ rejects the request. Otherwise, $U_i$ inputs $PW_{U_i}^{new}$. $SC_{U_i}$ randomly generates $b_{U_i}^{new}$ and calculates $PWB^{new} = h_0(ID_{U_i} \| PW_{U_i}^{new} \| b_{U_i}^{new}) \bmod n$, $d_{U_i}^{new} = d_{U_i} \oplus PWB \oplus PWB^{new}$ (that is, $t_{U_i} \oplus PWB^{new}$), $k_{U_i}^{new} = d_{U_i}^{new} \oplus h_0(ID_{U_i} \| PW_{U_i}^{new})$ and $v_{U_i}^{new} = h_0(PWB^{new} \| d_{U_i}^{new}) \bmod n$. Since $M_{U_i}$ is also masked by $PWB$, it is re-masked as $M_{U_i}^{new} = M_{U_i} \oplus PWB \oplus PWB^{new}$. Finally, $SC_{U_i}$ replaces $\{g_{U_i}, k_{U_i}, v_{U_i}, M_{U_i}, b_{U_i}\}$ with $\{g_{U_i}, k_{U_i}^{new}, v_{U_i}^{new}, M_{U_i}^{new}, b_{U_i}^{new}\}$.
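The fuzzy verifier of the improved registration phase (Section 5.2), the card-side check of Sections 5.4 and 5.5, and the password change of Section 5.5, measured against the same insider as Section 4.1.1 (registration message plus the captured card's $b_{U_i}$, Capability 7), as an added example. This is not the paper's code. It assumes $h_0$ is SHA-256 over '|'-separated fields (a constructed encoding of $\|$), and it replaces $t_{U_i}$ and $m_{U_i}$ by random 32-byte stand-ins, since their derivation from RC's keys plays no role in what is shown; $g_{U_i}$ is omitted for the same reason. The dictionary is constructed.

```python
"""Fuzzy verifier of Section 5.2 against an insider, plus the card-side
check and password change of Sections 5.4/5.5 (see lead-in for assumptions)."""
import hashlib
import secrets

N = 2 ** 4  # fuzzy-verifier modulus; the scheme allows 2^4 <= n <= 2^6


def h0(*parts):
    enc = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hashlib.sha256(b"|".join(enc)).digest()


def pwb(ID, PW, b):
    """PWB = h_0(ID || PW || b) mod n: only log2(n) bits of password material."""
    return int.from_bytes(h0(ID, PW, b), "big") % N


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def mask(t, small):
    """t XOR PWB, with the small integer PWB widened to len(t) bytes."""
    return xor(t, small.to_bytes(len(t), "big"))


# --- 5.2 registration ----------------------------------------------------------
def user_register(ID, PW):
    b = secrets.token_bytes(16)
    return b, {"ID": ID, "PWB": pwb(ID, PW, b)}          # {ID, PWB} to RC


def rc_register(msg):
    t_u = secrets.token_bytes(32)                          # stand-in for t_{U_i}
    m = secrets.token_bytes(32)                            # stand-in for m_{U_i}
    d = mask(t_u, msg["PWB"])                              # d = t XOR PWB
    v = int.from_bytes(h0(msg["PWB"], d), "big") % N       # v = h_0(PWB||d) mod n
    return t_u, {"d": d, "v": v, "m": m}


def make_card(ID, PW, b, reply):
    PWB = pwb(ID, PW, b)
    return {"k": xor(reply["d"], h0(ID, PW)),              # k = d XOR h_0(ID||PW)
            "v": reply["v"],
            "M": mask(reply["m"], PWB),                    # M = m XOR PWB
            "b": b}


# --- 5.4 step 1 / 5.5 step 1: card-side (fuzzy) check --------------------------
def card_unmask(card, ID, PW):
    """Returns (d, PWB, m) if v matches, else None. A wrong password slips
    through with probability about 1/n; the server's check is the real one."""
    d = xor(card["k"], h0(ID, PW))
    PWB = pwb(ID, PW, card["b"])
    if int.from_bytes(h0(PWB, d), "big") % N != card["v"]:
        return None
    return d, PWB, mask(card["M"], PWB)


# --- 5.5 password change ---------------------------------------------------------
def change_password(card, ID, PW, PW_new):
    state = card_unmask(card, ID, PW)
    if state is None:
        return False
    d, PWB, m = state
    b_new = secrets.token_bytes(16)
    PWB_new = pwb(ID, PW_new, b_new)
    d_new = mask(mask(d, PWB), PWB_new)                    # t XOR PWB_new
    card.update(k=xor(d_new, h0(ID, PW_new)),
                v=int.from_bytes(h0(PWB_new, d_new), "big") % N,
                M=mask(m, PWB_new),                        # M must follow PWB too
                b=b_new)
    return True


# --- insider holding {ID, PWB} and the card's b ----------------------------------
def insider_candidates(reg_msg, card, dictionary):
    """Every word whose PWB matches survives, roughly |D|/n of them."""
    return [c for c in dictionary
            if pwb(reg_msg["ID"], c, card["b"]) == reg_msg["PWB"]]


def exact_verifier_candidates(ID, PW, card, dictionary):
    """Contrast: the full-width h_0(ID, PW, b) of He et al. pins PW down."""
    target = h0(ID, PW, card["b"])
    return [c for c in dictionary if h0(ID, c, card["b"]) == target]
```

Two things to take from running it. First, the same insider who recovers the password outright in Section 4.1.1 is left with about $|D_{PW}|/n$ candidates here, and the only way to tell them apart is an online attempt, so the server must rate-limit failed logins for the construction to help. Second, the card-side check is fuzzy by design: it rejects a wrong password with probability only $1 - 1/n$, which is why the server-side verification in Section 5.4 Step 4 remains the real authentication.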

## 6. Security Analysis

#### 6.1. Security Verification Using ProVerif

#### 6.2. Formal Security Analysis Using BAN-Logic

#### 6.2.1. Idealized Form

#### 6.2.2. Verification Purposes

#### 6.2.3. Assumptions about Initial State

#### 6.2.4. Proofs

1. From Message 2 we get: $U_i \triangleleft (y, (R_{U_i}, y, n_{U_i})_{U_i \overset{x}{\leftrightarrow} S_j})$.
2. From Assumption 3 and the message-meaning rule: $U_i \mid\equiv S_j \mid\sim (R_{U_i}, y, n_{U_i})$.
3. From Assumption 1 and the freshness-conjuncatenation rule: $U_i \mid\equiv \#(R_{U_i}, y, n_{U_i})$.
4. From Steps 2 and 3 and the nonce-verification rule: $U_i \mid\equiv S_j \mid\equiv (R_{U_i}, y, n_{U_i})$.
5. From Step 4 and the believe rule: $U_i \mid\equiv S_j \mid\equiv (ID_{U_i}, ID_{S_j}, y, r_{U_i})$.
6. From Step 5, Assumption 3 and $sk = h_5(ID_{U_i}, ID_{S_j}, x, y, y^{r_{U_i}})$: $U_i \mid\equiv S_j \mid\equiv (U_i \overset{sk}{\leftrightarrow} S_j)$ (**Purpose 2**).
7. From Step 6, Assumption 6 and the jurisdiction rule: $U_i \mid\equiv (U_i \overset{sk}{\leftrightarrow} S_j)$ (**Purpose 1**).
8. From Message 3 we get: $S_j \triangleleft (ID_{U_i}, g_{U_i}, a_{U_i}, y)_{U_i \overset{x}{\leftrightarrow} S_j}$.
9. From Assumption 4 and the message-meaning rule: $S_j \mid\equiv U_i \mid\sim (ID_{U_i}, g_{U_i}, a_{U_i}, y)$.
10. From Assumption 2 and the freshness-conjuncatenation rule: $S_j \mid\equiv \#(ID_{U_i}, g_{U_i}, a_{U_i}, y)$.
11. From Steps 9 and 10 and the nonce-verification rule: $S_j \mid\equiv U_i \mid\equiv (ID_{U_i}, g_{U_i}, a_{U_i}, y)$.
12. From Assumption 5, Step 11, $y = g^{r_{S_j}}$ and the believe rule: $S_j \mid\equiv U_i \mid\equiv (ID_{U_i}, ID_{S_j}, r_{S_j}, y)$.
13. From Step 12, Assumption 4 and $sk = h_5(ID_{U_i}, ID_{S_j}, x, y, x^{r_{S_j}})$: $S_j \mid\equiv U_i \mid\equiv (U_i \overset{sk}{\leftrightarrow} S_j)$ (**Purpose 4**).
14. From Step 13, Assumption 7 and the jurisdiction rule: $S_j \mid\equiv (U_i \overset{sk}{\leftrightarrow} S_j)$ (**Purpose 3**).

By **Purposes 1–4**, $U_i$ and $S_j$ both believe that the session key has been successfully established between them.

#### 6.3. Informal Security Analysis

#### 6.3.1. Anonymity and Untraceability

#### 6.3.2. Forward Secrecy

#### 6.3.3. Two-Factor Security

#### 6.3.4. Session Key Agreement

#### 6.3.5. Resistance of Other Attacks

## 7. The Comparisons of Security and Performance

## 8. Conclusions

## Author Contributions

## Funding

## Conflicts of Interest

## References

1. Yang, H.; Kumara, S.; Bukkapatnam, S.T.S.; Tsung, F. The internet of things for smart manufacturing: A review. IISE Trans. 2019, 51, 1190–1216.
2. Dang, L.M.; Piran, M.; Han, D.; Min, K.; Moon, H. A Survey on Internet of Things and Cloud Computing for Healthcare. Electronics 2019, 8, 768.
3. Grobauer, B.; Walloschek, T.; Stocker, E. Understanding cloud computing vulnerabilities. IEEE Secur. Priv. 2010, 9, 50–57.
4. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772.
5. Wang, B.; Ma, M. A smart card based efficient and secured multi-server authentication scheme. Wirel. Pers. Commun. 2013, 68, 361–378.
6. Sahoo, J.; Das, A.K.; Goswami, A. An efficient approach for mining association rules from high utility itemsets. Expert Syst. Appl. 2015, 42, 5754–5778.
7. Lu, Y.; Li, L.; Yang, X.; Yang, Y. Robust biometrics based authentication and key agreement scheme for multi-server environments using smart cards. PLoS ONE 2015, 10, e0126323.
8. Zhou, L.; Li, X.; Yeh, K.H.; Su, C.; Chiu, W. Lightweight IoT-based authentication scheme in cloud computing circumstance. Future Gener. Comput. Syst. 2019, 91, 244–251.
9. Li, X.; Wen, Q.; Li, W.; Zhang, H.; Jin, Z. A biometric-based password authentication with key exchange scheme using mobile device for multi-server environment. Appl. Math. Inf. Sci. 2015, 9, 1123.
10. Amin, R.; Islam, S.K.H.; Gope, P.; Choo, K.K.R.; Tapas, N. Anonymity preserving and lightweight multi-medical server authentication protocol for telecare medical information system. IEEE J. Biomed. Health Inform. 2018, 23, 1749–1759.
11. Lwamo, N.M.R.; Zhu, L.; Xu, C.; Sharif, K.; Liu, X.; Zhang, C. SUAA: A Secure User Authentication Scheme with Anonymity for the Single & Multi-server Environments. Inf. Sci. 2019, 477, 369–385.
12. Cui, J.; Zhang, X.; Cao, N.; Zhang, D.; Ding, J.; Li, G. An improved authentication protocol–based dynamic identity for multi-server environments. Int. J. Distrib. Sens. Netw. 2018, 14, 1550147718777654.
13. Renuka, K.; Kumar, S.; Kumari, S.; Chen, C.M. Cryptanalysis and Improvement of a Privacy-Preserving Three-Factor Authentication Protocol for Wireless Sensor Networks. Sensors 2019, 19, 4625.
14. Amin, R.; Islam, S.K.H.; Kumar, N.; Choo, K.K.R. An untraceable and anonymous password authentication protocol for heterogeneous wireless sensor networks. J. Netw. Comput. Appl. 2018, 104, 133–144.
15. Mohit, P.; Amin, R.; Karati, A.; Biswas, G.P.; Khan, M.K. A standard mutual authentication protocol for cloud computing based health care system. J. Med. Syst. 2017, 41, 50.
16. Xu, G.; Qiu, S.; Ahmad, H.; Xu, G.; Guo, Y.; Zhang, M.; Xu, H. A multi-server two-factor authentication scheme with un-traceability using elliptic curve cryptography. Sensors 2018, 18, 2394.
17. Chandrakar, P.; Om, H. A secure and robust anonymous three-factor remote user authentication scheme for multi-server environment using ECC. Comput. Commun. 2017, 110, 26–34.
18. Ying, B.; Nayak, A. Lightweight remote user authentication protocol for multi-server 5G networks using self-certified public key cryptography. J. Netw. Comput. Appl. 2019, 131, 66–74.
19. Hou, J.L.; Yeh, K.H. Novel authentication schemes for IoT based healthcare systems. Int. J. Distrib. Sens. Netw. 2015, 11, 183659.
20. Tomar, A.; Dhar, J. An ECC Based Secure Authentication and Key Exchange Scheme in Multi-server Environment. Wirel. Pers. Commun. 2019, 107, 351–372.
21. Qi, M.; Chen, J. Anonymous biometrics-based authentication with key agreement scheme for multi-server environment using ECC. Multimed. Tools Appl. 2019, 78, 27553–27568.
22. Tseng, Y.M.; Huang, S.S.; Tsai, T.T.; Ke, J.H. List-free ID-based mutual authentication and key agreement protocol for multiserver architectures. IEEE Trans. Emerg. Top. Comput. 2015, 4, 102–112.
23. Wang, H.; Guo, D.; Zhang, H.; Wen, Q. Robust Multiple Servers Architecture Based Authentication Scheme Preserving Anonymity. Sensors 2019, 19, 3144.
24. He, D.; Zeadally, S.; Kumar, N.; Wu, W. Efficient and anonymous mobile user authentication protocol using self-certified public key cryptography for multi-server architectures. IEEE Trans. Inf. Forensics Secur. 2016, 11, 2052–2064.
25. Blanchet, B.; Smyth, B.; Cheval, V.; Sylvestre, M. ProVerif 2.00: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial. 2018. Available online: https://prosecco.gforge.inria.fr/personal/bblanche/proverif (accessed on 9 January 2020).
26. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. Proc. R. Soc. Lond. A Math. Phys. Sci. 1989, 426, 233–271.
27. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208.
28. Veyrat-Charvillon, N.; Standaert, F.X. Generic side-channel distinguishers: Improvements and limitations. In Proceedings of the Annual Cryptology Conference, Santa Barbara, CA, USA, 14–18 August 2011; Springer: Berlin/Heidelberg, Germany, 2011; pp. 354–372.
29. Wang, D.; He, D.; Wang, P.; Chu, C.H. Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 2014, 12, 428–442.
30. Huang, X.; Xiang, Y.; Chonka, A.; Zhou, J.; Deng, R.H. A generic framework for three-factor authentication: Preserving security and privacy in distributed systems. IEEE Trans. Parallel Distrib. Syst. 2010, 22, 1390–1397.
31. Das, M.L.; Saxena, A.; Gulati, V.P. A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. 2004, 50, 629–631.
32. Das, M.L. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. 2009, 8, 1086–1090.
33. Wang, D.; Gu, Q.; Cheng, H.; Wang, P. The request for better measurement: A comparative evaluation of two-factor authentication schemes. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, Xi'an, China, 30 May–3 June 2016; ACM: New York, NY, USA, 2016; pp. 475–486.

Capability | Description
---|---
Capability 1 | The adversary can enumerate all elements of $|D_{ID}| \ast |D_{PW}|$ offline.
Capability 2 | The adversary can obtain the user ID (the user ID is treated as sensitive information when evaluating the anonymity of the protocol).
Capability 3 | The adversary can eavesdrop, intercept, insert, delete or block messages flowing through the public channel.
Capability 4 | For an $n$-factor protocol, the adversary can obtain $n-1$ of the $n$ authentication factors simultaneously.
Capability 5 | The adversary has a chance to capture an expired session key.
Capability 6 | The adversary can obtain the long-term private keys of participants (when evaluating forward secrecy).
Capability 7 | An insider adversary can obtain the user's registration information and capture the user's smart card (when evaluating insider attacks).

Symbol | Description | Symbol | Description
---|---|---|---
$RC$ | Registration center | $U_i$ | User
$\tau, \hat{\tau}$ | Private keys of $RC$ | $ID_{U_i}$ | Identity of $U_i$
$P$ | Large prime | $PW_{U_i}$ | Password of $U_i$
$q$ | Prime order | $SC_{U_i}$ | Smart card of $U_i$
$G_1$ | Additive group | $S_j$ | Cloud server
$G_2$ | Multiplicative group | $ID_{S_j}$ | Identity of $S_j$
$g_{pub}, P_{pub}$ | Public keys of $RC$ | $D_{S_j}$ | Private key of $S_j$
$e(\ast, \ast)$ | Bilinear pairing | $\oplus$ | XOR operation
$h_0$ to $h_6$ | Hash functions | $sk_{U_i}, sk_{S_j}$ | Session keys of $U_i$ and $S_j$

Symbol | Description
---|---
$P \mid\equiv X$ | $P$ believes $X$.
$P \triangleleft X$ | $P$ sees $X$.
$P \mid\sim X$ | $P$ once said (sent) $X$.
$P \Rightarrow X$ | $P$ has jurisdiction over $X$.
$\#(X)$ | $X$ is fresh.
$(X, Y)$ | $X$ or $Y$ is a part of the formula $(X, Y)$.
$(X)_K$ | $X$ is combined with (hashed under or encrypted with) the key $K$.
$P \overset{K}{\leftrightarrow} Q$ | $P$ and $Q$ share the key $K$ for communication.

Rule | Description
---|---
Message-meaning rule | $\frac{P \mid\equiv (P \overset{K}{\leftrightarrow} Q),\ P \triangleleft (X)_K}{P \mid\equiv Q \mid\sim X}$
Freshness-conjuncatenation rule | $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$
Nonce-verification rule | $\frac{P \mid\equiv \#(X),\ P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$
Jurisdiction rule | $\frac{P \mid\equiv Q \Rightarrow X,\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$
Believe rule | $\frac{P \mid\equiv Q \mid\equiv (X, Y)}{P \mid\equiv Q \mid\equiv X}$, $\frac{P \mid\equiv X,\ P \mid\equiv Y}{P \mid\equiv (X, Y)}$

Security Features and Defensible Attacks | He et al.'s | Ours
---|---|---
Anonymity | $\surd$ | $\surd$
Un-traceability | $\surd$ | $\surd$
Two-factor security | $\surd$ | $\surd$
Forward secrecy | $\surd$ | $\surd$
Session key agreement | $\surd$ | $\surd$
Insider attack | $\times$ | $\surd$
Cloud server spoofing attack | $\surd$ | $\surd$
Replay attack | $\surd$ | $\surd$
DoS attack | $\times$ | $\surd$
User impersonation attack | $\surd$ | $\surd$
Offline password guessing attack | $\times$ | $\surd$
Smart card stolen attack | $\surd$ | $\surd$

($\surd$: resisted / provided; $\times$: not resisted.)

**Table 6.** The running time of related operations based on [24].

Operation | User | Cloud Server
---|---|---
$T_{pm}$ (point multiplication) | 13.405 ms | 2.165 ms
$T_{pa}$ (point addition) | 0.081 ms | 0.013 ms
$T_{exp}$ (modular exponentiation) | 2.249 ms | 0.339 ms
$T_{h}$ (hash) | 0.056 ms | 0.007 ms
$T_{bp}$ (bilinear pairing) | 32.713 ms | 5.427 ms

Computation cost | He et al.'s | Ours
---|---|---
User | $2T_{pm} + T_{pa} + 2T_{exp} + 7T_h \approx 31.781$ ms | $2T_{pm} + T_{pa} + 3T_{exp} + 9T_h \approx 34.142$ ms
Cloud server | $T_{bp} + 5T_{exp} + 5T_h \approx 7.157$ ms | $T_{bp} + 6T_{exp} + 6T_h \approx 7.503$ ms

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Yu, Y.; Hu, L.; Chu, J.
A Secure Authentication and Key Agreement Scheme for IoT-Based Cloud Computing Environment. *Symmetry* **2020**, *12*, 150.
https://doi.org/10.3390/sym12010150
