A Secure Authentication and Key Agreement Scheme for IoT-Based Cloud Computing Environment

Abstract: The integration of Internet of things (IoT) and cloud computing technology has made our life more convenient in recent years. Cooperating with cloud computing, Internet of things can provide more efficient and practical services. People can access IoT services via cloud servers anytime and anywhere in the IoT-based cloud computing environment. However, plenty of possible network attacks threaten the security of users and cloud servers. To implement effective access control and secure communication in the IoT-based cloud computing environment, identity authentication is essential. In 2016, He et al. put forward an anonymous authentication scheme, which is based on asymmetric cryptography. It is claimed that their scheme is capable of withstanding all kinds of known attacks and has good performance. However, their scheme has serious security weaknesses according to our cryptanalysis. The scheme is vulnerable to insider attack and DoS attack. To overcome these weaknesses, we present an improved authentication and key agreement scheme for the IoT-based cloud computing environment. Automated security verification (ProVerif), BAN-logic verification, and informal security analysis were performed. The results show that our proposed scheme is secure and can effectively resist all kinds of known attacks. Furthermore, compared with the original scheme in terms of security features and performance, our proposed scheme is feasible.


Introduction
Internet of things (IoT) takes advantage of massive sensors, intelligent terminals, global positioning systems, and other technologies to establish connections between people and things whenever and wherever, and to realize intelligent control and management [1]. For example, users can use smartphones to remotely control lamps, TVs, and refrigerators at home through the Internet of things. Internet of things makes people's lives more convenient, and also makes the social economy develop faster. However, limited by the low power and computation ability of embedded devices, applying IoT in real applications is still a critical issue. To settle the matter, researchers apply cloud computing to the Internet of things.
Cloud computing makes plentiful computing and storage resources accessible to all of the servers and users through the Internet. A cloud server has more resources and more powerful computation ability. Cooperating with the cloud server, IoT devices can provide a better quality of service for users [2]. In a typical scenario of the IoT-based cloud computing environment, as shown in Figure 1, IoT devices and sensors submit the IoT-related data they collect to a cloud server via a wired/wireless network. Users can access the cloud servers to get the IoT-related data from anywhere at any time. Furthermore, users can send commands to the IoT devices through the cloud server for productive remote control. The IoT-based cloud computing environment combines the advantages of IoT and cloud computing, making the Internet of things more efficient and practical.

As the cloud servers provide IoT services for users over an insecure public channel, the communications between users and cloud servers must be confidential [3]. It is essential to authenticate each other in an IoT-based cloud computing environment. Only authorized users can access the cloud server to obtain the services of IoT devices. Figure 1 shows the assumed architecture for an IoT-based cloud computing environment. As a trusted third party, the registration center (RC) provides registration services for users and cloud servers. After that, users and cloud servers establish secure communication through mutual authentication.
Authentication and key agreement protocols play a crucial part in the security of an IoT-based cloud computing environment. Since the first authentication scheme was put forward by Lamport in 1980 [4], research on authentication protocols has not stopped. Numerous schemes have been proposed based on different cryptographic technologies. Generally, schemes using symmetric key cryptography [5][6][7][8][9][10][11][12][13][14] have better performance but cannot achieve forward security. For schemes using asymmetric cryptography [15][16][17][18][19][20][21][22][23], the balance between security and performance is a crucial problem.
In 2016, He et al. presented an anonymous authentication protocol [24], which is based on asymmetric cryptography. They declared that their scheme is capable of withstanding various known attacks and has good performance. However, we found that their scheme is vulnerable to DoS attack and insider attack under our proposed adversary model.

Contributions
The main contributions of this article include: (1) We propose a new adversary model in Section 2.3. (2) In Section 4, we show that He et al.'s scheme is unable to defend against insider attack and DoS attack under our proposed adversary model. (3) In Section 5, we present an improved authentication and key agreement scheme for the IoT-based cloud computing environment. The proposed scheme modifies the registration and authentication phases, uses a 'fuzzy verifier', and adds validation on the cloud server side, so as to effectively resist insider attack and DoS attack. (4) It is proven that our proposed scheme is secure via the automated security verification tool ProVerif [25] in Section 6.1. Meanwhile, we present the proofs of BAN logic [26] verification in Section 6.2. Furthermore, an informal security analysis is given in Section 6.3. (5) In Section 7, we compare the proposed scheme with He et al.'s scheme in terms of security features and performance.

Bilinear Pairing
Let G_1 be a cyclic additive group with a large prime order q and G_2 a cyclic multiplicative group of the same order q. Let P and g be generators of G_1 and G_2 respectively. A bilinear pairing is a map e : G_1 × G_1 → G_2 that satisfies the following properties:
(1) Bilinear: Given P, Q ∈ G_1 and a, b ∈ Z_q^*, e(aP, bQ) = e(P, Q)^{ab}.
(2) Non-degenerate: There exist P, Q ∈ G_1 such that e(P, Q) ≠ 1.
(3) Computable: There exists an efficient algorithm to calculate e(P, Q) for all P, Q ∈ G_1 in polynomial time.

Related Mathematical Problems
The mathematical problems for designing authentication protocols are as follows.

Discrete Logarithm Problem
Given X = τ·P (x = g^τ), where X ∈ G_1 (x ∈ G_2), it is relatively easy to calculate X (x) given τ and P (τ and g), while it is relatively hard to determine τ given X and P (x and g).

Adversary Model
The adversary model makes clear assumptions about the adversary's ability in advance. The adversary model of remote authentication protocols usually follows the classic Dolev-Yao model [27]. Recently, side-channel technology [28] has enabled attackers to extract information from smart cards, so the ability of the adversary is enhanced. In this paper, we improve the adversary models in [29] and [30], and propose a more rigorous (but practical) adversary model for multi-factor authentication protocols (see Table 1). Among its capabilities:
The adversary has a chance to capture an expired session key.
The adversary can obtain the long-term private keys of participants.

Capability 7. An insider adversary can obtain the user's registration information and capture the user's smart card (when evaluating insider attack).
In real life, when someone finds a lost smart card and the owner cannot be located, the finder usually hands the smart card to an insider so that the owner can be found. Therefore, it is possible for insiders to obtain users' smart cards. Meanwhile, insiders have the opportunity to obtain the user's registration information. Thus, Capability 7 is realistic.

Review of He et al.'s Scheme
This section briefly reviews the authentication scheme proposed by He et al. Their scheme consists of the following phases. Table 2 shows the notations used herein. In the setup phase, RC calculates g = e(P, P), g_pub = g^τ, P_pub = τ·P as public keys. Furthermore, RC selects seven secure hash functions {h_i}, i = 0, ..., 6, and publishes all public parameters.

User Registration Phase
1. U_i chooses ID_Ui, PW_Ui, and a random number b_Ui freely. Then,
2. RC selects ω_Ui ∈ Z_q^* freely and computes

Cloud Server Registration Phase
1. S_j transmits ID_Sj to RC.
2. RC calculates D_Sj and responds with {D_Sj} to S_j via a private channel.
3. S_j receives and stores D_Sj safely.

Login and Authentication Phase
1. U_i inserts SC_Ui into a reader and inputs ID_Ui and PW_Ui. SC_Ui verifies the equality check for
2. S_j receives R_Ui and calculates x = e(R_Ui, D_Sj). Then, S_j randomly chooses a number r_Sj ∈ Z_q^* and calculates y = g^{r_Sj}, α_Sj = h_3(R_Ui, x, y). Finally, S_j responds with {y, α_Sj} to U_i.
3. U_i receives {y, α_Sj} and checks the equality for α_Sj
4. S_j receives C_Ui and recovers the values it carries. If the check holds true, S_j gets the session key sk_Sj = h_5(ID_Ui, ID_Sj, x, y, x^{r_Sj}).

Insider Attack
In our proposed adversary model, an insider adversary is able to acquire the user's registration information and smart card. Suppose an insider adversary A acquires the registration information. Using this information, A can launch the following attacks.

Offline Password Guessing
Suppose an insider acting as adversary A knows the registration information and extracts the values g_Ui, ϕ_Ui, ϑ_Ui and b_Ui from the smart card. Using this information, A is able to launch an offline password guessing attack through the following steps:
1. A guesses a candidate password PW*_i.
2. A calculates x = h_0(ID_Ui, PW*_i, b_Ui).
3. A checks whether x ?= h_0(ID_Ui, PW_Ui, b_Ui) holds. If not, A repeats Steps 1-3 until he acquires the true password. Otherwise, A has already succeeded in getting the true password, and the attack is finished.
The computational overhead of this offline password attack is T_h · |D_id| · |D_pw|, where T_h is the running time of a one-way hash function, and D_id and D_pw are the spaces of user identities and passwords, respectively. According to [31,32], we have |D_id| ≤ |D_pw| ≤ 10^6. According to the experimental data in [33], we have T_h ≈ 0.591 µs. The adversary can obtain the true password in seven days. Using a high-performance cloud computing platform, the attack can be completed in a few hours.

User Impersonation
1. A randomly generates a number r_Ui ∈ Z_q^* and calculates R_Ui = r_Ui·(P_pub + h_2(ID_Sj)·P), x = g^{r_Ui}. Afterwards, A transmits the request R_Ui to server S_j.
2. Upon receiving {y, α_Sj} from S_j, A computes θ
and gets the session key sk_U
The information generated by A is legal. The cloud server S_j considers A as the user U_i.

Possible DoS Attack
In the authentication phase, S_j does not validate the login request information until the final equality check. Even if the adversary sends illegal information, the cloud server still responds and completes the relevant calculations. This results in unnecessary communication and time costs and leads to a possible DoS attack.

Our Improved Scheme
To overcome the weaknesses above, we put forward an enhanced authentication and key agreement protocol. Figure 2 depicts our proposed scheme.


User Registration Phase
1. U_i chooses ID_Ui, PW_Ui and a number b_Ui freely. Then, U_i computes PWB, where 4 ≤ n ≤ 2^6. Note that n is an integer that determines the capacity of (ID, PW). Then, U_i transmits the registration message {ID_Ui, PWB} to RC.
2. RC selects w_Ui ∈ Z_q^* freely and computes

Cloud Server Registration Phase
1. S_j sends ID_Sj to RC.
2. Upon reception of ID_Sj, RC calculates D_Sj = (1/(t_2 + h_2(ID_Sj)))·P and sends {D_Sj, h_0(t_3)} to S_j via a private channel.


Login and Authentication Phase
1. U_i inserts SC_Ui into the reader and inputs ID_Ui and PW_Ui.
2. Then, S_j verifies the equality check X_Ui ?= x^{m_Ui}. If X_Ui ≠ x^{m_Ui}, S_j terminates the session. Otherwise, S_j randomly selects r_Sj ∈ Z_q^* and calculates y = g^{r_Sj}, a_Sj = h_3(R_Ui, x, y, n_Ui). Finally, S_j transmits {y, a_Sj} to U_i.
3. Upon reception of {y, a_Sj} from S_j, U_i verifies the equality check a_Sj ?=
4. S_j receives C_Ui and recovers ID_Ui, g_Ui and a_Ui (via a computation over ID, x, y), and checks the equality g^{a_Ui} ?= g_Ui · g  If it holds true, S_j gets the session key sk_Sj = h_5(ID_Ui, ID_Sj, x, y, x^{r_Sj}).

Security Verification Using ProVerif
ProVerif [25] is one of the most widely used automated security verification tools. The security validation of ProVerif works on the applied π-calculus, and ProVerif can verify the authentication and confidentiality properties of an authentication protocol. We elaborate the design process and results of security validation using ProVerif in this section.
At last, we get the simulation result. According to RESULT 2 and RESULT 3, mutual authentication between U_i and S_j succeeded. Furthermore, RESULT 1 indicates that no adversary is capable of exposing the session key.

Formal Security Analysis Using BAN-Logic
Burrows-Abadi-Needham logic [26] is a modal logic based on belief, proposed by Burrows et al. We use BAN-logic to prove that user U_i and server S_j have succeeded in session key agreement. Table 3 lists the BAN-logic notations and the basic BAN-logic rules are shown in Table 4.
Table 3 (fragment): use key K to compute X; P ←K→ Q: P and Q achieve the shared key K for communication.

Table 4 (fragment): Message-meaning rule; Nonce-verification rule.
According to Message 2, we get the following:

Two-Factor Security
It is obviously less difficult for an adversary to break the user's password than the smart card. In the proposed scheme, the verification performed by SC_Ui is a fuzzy verification process: even if an (ID, PW) pair guessed by the adversary has passed the verification of the smart card, it still needs to go through the online login authentication process to determine whether it is correct. Specifically, an adversary needs to log in online |D_id|·|D_pw|/2^6 times, about 2^34 times, to get the correct password, and the cloud server can easily resist this attack.
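The following is an added illustration, not code from the paper, of why the fuzzy verifier closes the insider's offline guessing attack of Section 4: the plain verifier h_0(ID, PW, b) and the fuzzy value PWB = h_0(ID, PW, b) mod n are modelled over constructed toy dictionaries, with SHA-256 standing in for h_0; the function names, the dictionary sizes and the value of b are assumptions.

```python
import hashlib
import itertools

def h0(*parts: str) -> int:
    """Stand-in for the scheme's one-way hash h_0: SHA-256 over the concatenation."""
    return int.from_bytes(hashlib.sha256("||".join(parts).encode()).digest(), "big")

def plain_verifier(identity: str, password: str, b: str) -> int:
    """Value h_0(ID, PW, b) checked offline in Section 4: one dictionary pair matches it."""
    return h0(identity, password, b)

def fuzzy_verifier(identity: str, password: str, b: str, n: int = 2 ** 6) -> int:
    """Improved-scheme value PWB = h_0(ID, PW, b) mod n (the paper uses 4 <= n <= 2^6);
    roughly |D_id|*|D_pw|/n dictionary pairs collapse onto the same PWB."""
    return h0(identity, password, b) % n

def offline_candidates(verifier, target, d_id, d_pw, b):
    """Every (ID, PW) pair an insider holding `target` and `b` cannot rule out offline;
    each survivor still costs one online login attempt against the cloud server."""
    return [(i, p) for i, p in itertools.product(d_id, d_pw) if verifier(i, p, b) == target]

def expected_online_attempts(id_space: int, pw_space: int, n: int) -> float:
    """Section 6.3's bound |D_id|*|D_pw|/n on online logins needed after offline filtering."""
    return id_space * pw_space / n

def offline_guess_time_days(th_us: float, id_space: int, pw_space: int) -> float:
    """Section 4's cost T_h*|D_id|*|D_pw| for exhausting the plain verifier, in days."""
    return th_us * 1e-6 * id_space * pw_space / 86400

# Constructed toy dictionaries (the paper assumes |D_id| <= |D_pw| <= 10^6; here 20 x 500).
D_ID = [f"user{k:03d}" for k in range(20)]
D_PW = [f"pw{k:04d}" for k in range(500)]
B = "constructed-random-b"  # the card's random number b_Ui, which the insider holds
TRUE_ID, TRUE_PW = "user007", "pw0042"

def compare_verifiers():
    """Return (survivors under the plain verifier, survivors under the fuzzy verifier)."""
    plain = offline_candidates(plain_verifier, plain_verifier(TRUE_ID, TRUE_PW, B), D_ID, D_PW, B)
    fuzzy = offline_candidates(fuzzy_verifier, fuzzy_verifier(TRUE_ID, TRUE_PW, B), D_ID, D_PW, B)
    return plain, fuzzy

if __name__ == "__main__":
    plain, fuzzy = compare_verifiers()
    print(f"plain verifier: {len(plain)} candidate pair(s) survive offline filtering")
    print(f"fuzzy verifier (n=64): {len(fuzzy)} candidates survive, one online login each")
    print(f"paper's scale: {expected_online_attempts(10**6, 10**6, 2**6):.2e} online attempts "
          f"vs. ~{offline_guess_time_days(0.591, 10**6, 10**6):.1f} days of offline hashing")
```

With 10,000 dictionary pairs and n = 64, about 1/64 of them pass the card's check, so the insider is left with roughly 150 candidates that only the cloud server can distinguish, where rate limiting applies.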

Session Key Agreement
In the proposed scheme, U_i and S_j reach a session key for future communication after the login and authentication phase is completed: sk_Ui = h_5(ID_Ui, ID_Sj, x, y, y^{r_Ui}) = h_5(ID_Ui, ID_Sj, x, y, x^{r_Sj}) = sk_Sj.

Resistance to Other Attacks
Insider attack: In our proposed adversary model, an insider can acquire the user's registration information {ID_Ui, PWB} and the smart card parameters g_Ui, k_Ui, v_Ui, b_Ui. Since PWB is generated by a modulo operation, the insider adversary cannot directly acquire PW_Ui via offline password guessing. On the other hand, when the insider adversary wants to authenticate with the cloud server S_j as U_i, he cannot compute d_Ui = k_Ui h_0(ID_Ui || PW_Ui). Therefore, no effective attack can be launched.
Cloud server spoofing attack: If the adversary wants to complete authentication with user U_i as cloud server S_j, he needs to generate legal response information; however, only when the adversary gets D_Sj can he generate legal login request information. Therefore, the attack is unfeasible.
Replay attack: In the improved scheme, the change of the random numbers r_Ui and r_Sj affects the login request information and the cloud server response information. As a result, the replay attack cannot be launched.
DoS attack: Different from He et al.'s scheme, in the improved scheme S_j verifies U_i's login request (X_Ui ?= x^{m_Ui}) before any subsequent operations. Only legitimate users can generate legitimate login information, so the improved scheme is capable of withstanding DoS attack.
According to the above analysis, we know that an insider adversary cannot guess the user's password offline or impersonate a user, even if he obtains the user's smart card and registration information. As a result, offline password guessing attack, stolen smart card attack, and user impersonation attack are unfeasible.

The Comparisons of Security and Performance
We compare the proposed protocol with [24] in terms of security features. The comparisons are shown in Table 5.
We compare the proposed protocol with [24] in terms of time complexity. Since RC is usually regarded as a powerful device, our efficiency analysis focuses on users and servers. For convenience, we define T_bp, T_pm, T_pa, T_exp, T_h to represent the time of a bilinear pairing operation, point scalar multiplication operation, point addition operation, exponentiation operation, and hash function, respectively.
The XOR operation, concatenation operation, modular multiplication, and modular operation are neglected compared with the operations mentioned above. Based on the experiments conducted on a quad-core 2.45 GHz processor with 2 GB memory and an i5-4460S 2.90 GHz processor with 4 GB memory in [24], we get the running times of the above operations in Table 6.

Figure 1. Proposed model of an IoT-based cloud computing environment.


Figure 2. The conceptual architecture of our proposed protocol.

Table 1. The capabilities of adversaries.

Setup Phase
RC selects G_1, G_2, e(·, ·) and chooses his private keys τ, τ ∈ Z_q^*.