Geometric Authentication Mechanism for Enhancing Security in IoT Environment

Abstract: In the Internet of things (IoT) environment, many applications access services through remote methods. In this paper, we designed a new geometric authentication mechanism to enhance security. The solution is based on geometric characteristics to achieve rapid authentication at low computational cost. In addition, we use the user's biometrics to improve the security level of the system. Our solution meets the following security features: anonymity, resistance to forgery attacks and replay attacks, fast error detection, resistance to offline password guessing attacks, resistance to server overload attacks, mutual authentication, session key agreement, and flexibility in users choosing and changing their passwords easily.


Introduction
Wireless and mobile communication systems have become increasingly popular. Many service providers are beginning to propose convenient Internet of things (IoT) services and cloud applications for users. People usually use mobile devices to access all kinds of services, e.g., web-browsing, remote monitoring, and multimedia applications anytime and anywhere. Figure 1 shows an example where the user logs in to the IoT gateway (IGW) to access or control IoT devices remotely. There is no doubt that an authentication mechanism is essential to protect valid users against different types of attacks. Remote user authentication schemes are the easiest and most practical authentication mechanisms for nonsecure networks. However, previous authentication schemes suffer from high computational cost and insufficient security. Some schemes use asymmetric cryptography, which results in high computational cost. Most schemes use ID/password-based authentication, but the security robustness of these schemes is insufficient. Therefore, we propose a new three-factor (i.e., smart device, biometrics, and password) remote user authentication scheme for improving the performance and enhancing security in the IoT environment in this paper.

• Lightweight authentication: The computational performance of our scheme is better than the traditional authentication schemes (e.g., asymmetric or symmetric encryption scheme) because our scheme uses only a hash function and arithmetic.
• Three-factor authentication: A higher-entropy password increases the difficulty in brute forcing it. Many papers have proven that the three-factor authentication scheme has better security (i.e., higher password entropy) and robustness.
• Reduced IGW computing load: Many authentication methods require full participation of the IGW. However, in an IoT environment, the number of IoT devices is large. Therefore, previous schemes are not suitable for use in an IoT environment because the IGW easily suffers from the single-point failure problem due to a distributed denial-of-service (DDoS) attack. In our scheme, GAME supports the fast error detection process on the client side. If the user access is illegal, the smartphone immediately detects an error event and then rejects the login. In this way, the computational load of the IGW can be effectively reduced.
The remainder of this paper is organized as follows. Section 2 describes some related work. In Section 3, we describe the proposed scheme in detail. The security analyses and comparisons are presented in Section 4. Then, in Section 5, we summarize our conclusions.

Related Work
This section includes three parts: user requirements, system requirements, and existing authentication schemes.

5. No verification table: In most applications, the CA stores the user's password table, which can cause the verifier to be stolen. Therefore, the design solution should avoid maintaining password verification tables for users.

Existing Authentication Schemes
Wu [3] first proposed a remote login authentication scheme based on geometric methods in 1995. However, some studies [4,5] found that Wu's scheme was vulnerable to replay attacks and offline password guessing attacks. Chien et al. [5] proposed a modified authentication scheme to solve these problems, but [6,7] showed that the modified scheme [5] was still vulnerable to offline password guessing attacks. In addition, it is easy for illegal users to forge valid login requests under the revised scheme. Later, [7] proposed an improved scheme to overcome these drawbacks. The common disadvantage of all the above schemes is that they do not consider user privacy. However, privacy issues are now receiving more and more attention from industry and academia. To this end, we propose an anonymous remote user authentication scheme based on geometric methods [8]. However, our previous work did not take into account session key agreement and mutual authentication.
Many studies [9][10][11][12][13][14][15][16][17][18] combined a user's biometrics with a password and a smart device to design a remote user authentication scheme to improve the security level (i.e., a secret key that has a value of high entropy [14]). In 2002, Lee et al. [9] proposed a fingerprint-based remote user authentication scheme using smart cards. However, a large number of subsequent studies [10][11][12] pointed out that this scheme cannot resist server spoofing attacks and masquerading attacks. Although Lin and Lai [12] combined password and fingerprint into super passwords and provided an offline password change scheme, Mitchell and Tang [13] proposed that the password change process is fragile because the smart card does not have enough information to check the correctness of the old passwords. Then, Fan and Lin [14] proposed a three-factor authentication scheme that combines a password with smart card and biometrics to provide high-security remote authentication. Khan et al. [15] proposed an improved scheme to enhance the security. However, this scheme was proven to be vulnerable to parallel session attacks [16,17], where an attacker who does not know the password of a legitimate user can pretend to be a user by eavesdropping on the communication between the user and the server to generate a valid login message in some way. Later, Li and Hwang [18] proposed an efficient biometric-based remote user authentication scheme using smart cards. Unfortunately, these biometric-based solutions [9][10][11][12][13][14][15][16][17][18] only support a single server environment, which is a limitation because there are multiple application servers on the Internet. Recently, Chuang and Chen [1] proposed a biometrics-based multi-server authentication scheme. However, Mishra et al. [19] revealed that the scheme in [1] is prone to masquerading, smart card theft, and server spoofing attacks. Afterward, Mishra et al. designed a more secure three-factor authentication scheme. Later, Lu et al. [20,21] pointed out that the solution [19] could be attacked by server masquerading and spoofing.
Recently, many studies [22][23][24][25][26][27][28] proposed a lightweight authentication scheme for the IoT environment. However, these solutions still have weaknesses, especially in terms of computing and communication costs, which are higher than the solution we proposed. Banerjee et al. [29] proposed an anonymous and robust authentication scheme for IoT-based smart homes. However, [2] pointed out that Banerjee et al.'s scheme [29] does not ensure identity protection, traceability, or session secret key negotiation. Xiang and Zheng [30] presented a situation-aware device authentication scheme in smart home environments. They claimed that their solution can withstand various security threats and ensure mutual authentication and data integrity. However, Oh et al. [31] proved that this scheme cannot guarantee secure mutual authentication and is vulnerable to smart device theft, impersonation, and session key disclosure attacks.

Proposed Scheme
In this section, we describe our geometric authentication mechanism for enhancing security, called GAME, in an IoT environment. GAME is a lightweight authentication scheme. Moreover, we combine biometric technology and a password to enhance the level of security. The proposed geometric authentication mechanism involves four procedures: registration, login, authentication, and changing passwords. The notation used throughout this paper is listed in Table 1.

Table 1. Notation.
Symbol          Description
$BIO_i$         Biometric information of user i
$ID_i$          The public identification of a user i
$AID_i$         The alias of user i
$SID_j$         The public identification of an IGW j
$(x_0, y_0)$    A secret point stored in the IoT gateway (IGW) and the central authority
$\|$            The combination of strings
$PW_i$          The password of user i
$P$             A large prime
$SK_{ij}$       The session key between i and j

Registration Procedure
Before logging in to access the service, the user must complete the registration process, which needs to be executed through a secure channel. Figure 2 shows the user registration procedure, while the steps are outlined below.
Step 1: The user sends their registration information to the central authority (CA) through a secure communication channel. The registration information includes their identification $ID_i$, password $PW_i$, and biometric information $BIO_i$.
Step 2: After the CA receives the user's data, it selects a large prime number $P$, calculates $V_i = h^2(PW_i \oplus BIO_i)$ and defines two points ($r_{iw}$ and $r_{io}$), which are $(0, h(PW_i \oplus BIO_i))$ and $(h(ID_i) \cdot h(x_0), h(ID_i) \cdot h(y_0))$. Next, the CA establishes a line $L_i$ through $r_{iw}$ and $r_{io}$, and then calculates the midpoint between $r_{iw}$ and $r_{io}$, which is represented by $A_i$. The secret point $(x_0, y_0)$ is a secret point stored in the trusted platform module (TPM) of the IGW and the CA. Note that the CA selects a different secret point for each IGW.
Step 3: The CA stores the parameters $\{h(ID_i), h(\cdot), P, A_i, V_i\}$ in the NFC-SIM card of the mobile phone and provides them to the user via a secure channel.

Login Procedure
The user logs in from the mobile phone. This login process is the first checkpoint. If the user access is illegal, the mobile phone immediately detects an error event (e.g., wrong user password or failed biometric identification), and then reports the error. When the number of input errors exceeds three, the card is locked, as shown in Figure 3.
Step 1: The user enters their $ID_i$ and $PW_i$ on the mobile phone. Then, the mobile phone scans their biometric information $BIO_i$ on the sensor.
Step 2: The mobile phone checks $h(ID_i)$ and verifies whether $h^2(PW_i \oplus BIO_i)$ is equal to $V_i$. If this information is verified, the phone calculates $r_{iw} = (0, h(PW_i \oplus BIO_i))$ and reconstructs the line $L_i$ through $r_{iw}$ and $A_i$.
Step 3: The mobile phone calculates the point between $r_{iw}$ and $A_i$, represented by $B_i$, generates a new point $r_{iT}$, which is equal to $(0, h(h(PW_i \oplus BIO_i) \oplus h(T)))$, and then uses $r_{iT}$ and $B_i$ to generate a new line $L_{WT}$.
Step 4: The mobile phone selects a point $C_i$ on the $L_{WT}$ line, which is different from $r_{iT}$ and $B_i$, generates a random number $r_i$, and then calculates the alias $AID_i$, $AID_i = r_i \cdot h(ID_i)$.
Step 5: The user sends an authentication message $\{AID_i, A_i, C_i, T\}$ to the IGW through a normal wireless network.

Authentication Procedure
After the IGW receives the login request message, the IGW starts the authentication process to verify the user's request message, as shown in Figures 4 and 5. The steps of the certification process are described below.
Step 1: The IGW first checks the timestamp. It rejects the login message if the difference between $T'$ and $T$ is larger than the threshold.
Step 2: The IGW computes point $r_{ij} = (AID_i \cdot h(x_0), AID_i \cdot h(y_0))$ and then reconstructs the line $L_i$ by $r_{ij}$ and $A_i$.
Step 3: The IGW computes the intersection point $r_{iw}$ of $L_i$ and the y-axis, defines $r_{iw} = (0, E_i)$, and then computes $r_{iT} = (0, h(E_i \oplus h(T)))$.
Step 4: The IGW uses $r_{iT}$ and $C_i$ to reconstruct the line $L_{WT}$ and computes the intersection point $D_i$ of $L_i$ and $L_{WT}$.
Step 5: The IGW accepts the login request if the value of $D_i$ is equal to the middle point $B_i$ of $A_i$ and $r_{iw}$. Otherwise, the request is rejected.
Step 6: When the authentication is successful, the IGW can deduce $r_1$ through $r_{io}$ and $r_{ij}$ on the $L_i$ line.
Step 8: The IGW sends the message $\{SID_j, M_1, M_2\}$ to the user.
Step 9: After the mobile phone receives the message, it calculates $h(r_1)$, takes out $r_2$, and then checks whether $h(SID_j \| r_2)$ is equal to $M_2$. If it is correct, the session key $SK_{ij} = h(r_1 \| r_2)$ is generated, and the encrypted message $SK_{ij} \oplus h(r_2)$ is sent to the IGW.
Step 10: After the IGW receives the message, it uses the session key $SK_{ij}$ to decrypt the encrypted message, obtains $h(r_2)$, and then verifies whether it is correct. If it is correct, the mutual authentication is completed. Otherwise, access is denied.

Password Change Procedure
In our method, when the user wants to change their password, they do not need the help of the CA. Figure 6 shows the lines and points used in the user password change procedure.
Step 1: The user keys in their $ID_i$ and $PW_i$, and then the mobile phone scans their biometric feature $BIO_i$ at the sensor.
Step 2: The mobile phone checks $h(ID_i)$ and verifies whether $h^2(PW_i \oplus BIO_i)$ is equal to $V_i$. If the information is verified, the user can key in their new password $PW_i^*$. The mobile phone sets the point $r_{iw} = (0, h(PW_i \oplus BIO_i))$, calculates the point $r_{io} = 2A_i - r_{iw}$, computes the new point $r_{iw}^* = (0, h(PW_i^* \oplus BIO_i))$, computes the new point $A_i^* = (r_{iw}^* + r_{io})/2$, and calculates the new $V_i^* = h^2(PW_i^* \oplus BIO_i)$. It then replaces the stored $A_i$ and $V_i$ with $A_i^*$ and $V_i^*$, respectively.
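The card-side parts of the registration, login, and password change procedures can be traced in code. The following is an added example, not code from the paper or its authors; it assumes SHA-512 for h, point arithmetic modulo an example prime P = 2^521 - 1, a zero-padded byte-wise XOR, an integer-encoded secret point, a string-encoded timestamp, and a biometric template that is an exact, stable byte string. The names Card, register, local_check, login, change_password, and collinear are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumption: point arithmetic is done modulo the large prime P (the page names
# P but not its size). 2**521 - 1 is prime and exceeds every SHA-512 output.
P = 2**521 - 1
INV2 = pow(2, -1, P)

def h(data: bytes) -> bytes:
    return hashlib.sha512(data).digest()

def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

def xor(a: bytes, b: bytes) -> bytes:
    # Assumption: the shorter operand is zero-padded on the right.
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))

def midpoint(p, q):
    return ((p[0] + q[0]) * INV2 % P, (p[1] + q[1]) * INV2 % P)

def collinear(p, q, r):
    return ((q[0] - p[0]) * (r[1] - p[1]) - (q[1] - p[1]) * (r[0] - p[0])) % P == 0

def r_iw(pw, bio):                      # the point (0, h(PW xor BIO))
    return (0, to_int(h(xor(pw, bio))))

def verifier(pw, bio):                  # V = h^2(PW xor BIO)
    return h(h(xor(pw, bio)))

@dataclass
class Card:                             # what the CA writes to the NFC-SIM card
    h_id: bytes
    A: tuple
    V: bytes
    errors: int = 0
    locked: bool = False

def register(user_id, pw, bio, secret_point):
    """CA side, registration Steps 2-3. secret_point is (x0, y0) as integers."""
    hid = to_int(h(user_id))
    hx, hy = (to_int(h(c.to_bytes(32, "big"))) for c in secret_point)
    r_io = (hid * hx % P, hid * hy % P)
    return Card(h(user_id), midpoint(r_iw(pw, bio), r_io), verifier(pw, bio))

def local_check(card, user_id, pw, bio):
    """Step 2 of login and password change: fast error detection on the phone."""
    if card.locked:
        return False
    ok = (hmac.compare_digest(h(user_id), card.h_id)
          & hmac.compare_digest(verifier(pw, bio), card.V))
    if not ok:
        card.errors += 1                # the page does not say whether this resets
        card.locked = card.errors > 3   # lock once input errors exceed three
    return ok

def login(card, user_id, pw, bio, T):
    """Login Steps 2-5. Returns (message, B, r_iT); only the message is sent."""
    if not local_check(card, user_id, pw, bio):
        return None
    B = midpoint(r_iw(pw, bio), card.A)
    r_iT = (0, to_int(h(xor(h(xor(pw, bio)), h(str(T).encode())))))
    # C = B + t*(B - r_iT): t = 0 would give B and t = P-1 would give r_iT.
    t = 1 + secrets.randbelow(P - 2)
    C = ((B[0] + t * (B[0] - r_iT[0])) % P, (B[1] + t * (B[1] - r_iT[1])) % P)
    r_i = 1 + secrets.randbelow(P - 1)
    AID = r_i * to_int(h(user_id)) % P
    return {"AID": AID, "A": card.A, "C": C, "T": T}, B, r_iT

def change_password(card, user_id, old_pw, bio, new_pw):
    """Password change Step 2: recover r_io = 2A - r_iw, then re-anchor A and V."""
    if not local_check(card, user_id, old_pw, bio):
        return False
    old = r_iw(old_pw, bio)
    r_io = ((2 * card.A[0] - old[0]) % P, (2 * card.A[1] - old[1]) % P)
    card.A = midpoint(r_iw(new_pw, bio), r_io)
    card.V = verifier(new_pw, bio)
    return True

if __name__ == "__main__":
    bio = bytes(range(32))              # constructed stand-in for a biometric template
    card = register(b"alice", b"old-pw", bio, (1234567, 7654321))
    msg, B, r_iT = login(card, b"alice", b"old-pw", bio, 1700000000)
    print("C on L_WT:", collinear(r_iT, B, msg["C"]))
    print("changed:", change_password(card, b"alice", b"old-pw", bio, b"new-pw"))
```

The password change never needs the secret point: the card recovers $r_{io}$ from the stored midpoint, so the new $A_i^*$ matches what the CA would have issued for the new password.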

Definition
• A fragile key has a very low entropy value (e.g., only a password is used to protect access), and an attacker can guess the user's password within polynomial time. On the contrary, a strong key usually has a high entropy value (e.g., password plus biometric information and mobile phone), such that the attacker cannot guess the user password within polynomial time [14]. Additionally, no two people can have the same biometric information.
• In this research, the hash function is a one-way collision-free hash function (e.g., SHA-512 [32]). When the value of x is given, this hash function can easily calculate h(x). However, if the value of h(x) is given, it is difficult to recover x without incurring a high computational cost.
• During the login process, this secure hardware has retrial restrictions to prevent attackers from using brute force cracking techniques to guess the user's password.

1. Higher security level: Many papers have already proven that the security of the three-factor authentication scheme is stronger than the security of the two-factor authentication scheme.
2. Anonymity and identity protection: In the login procedure, the user's original name is converted into an alias (e.g., $AID_i = r_i \cdot h(ID_i)$). The generation of the alias is based on a random number (i.e., Step 4 of the login procedure). The random number generated by each login process is different. Therefore, the attacker cannot know the original identity of the user without knowing the random number $r_i$. In addition, our anonymity mechanism is a dynamic identity process. In the registration phase, the SIM card does not store the identity of the user. Therefore, the attacker cannot retrieve the user identity, even if the attacker obtains the SIM card. In GAME, we use a hash function to protect the identity of the user (i.e., $h(ID_i)$).
3. Resistance to replay attack: In the login procedure, the login request is rejected if an attacker resends $\{AID_i, A_i, C_i, T\}$ to the IGW. Since T is inconsistent with the T in $C_i$, it is different from $C_i$. Thus, our method can resist replay attacks. In the authentication procedure, GAME can still resist replay attacks since the message contains the random number. The random number generated is different each time. Therefore, the authentication process will not succeed if an attacker intercepts and replays the authentication message.
4. Choose and change passwords easily: Users can select and modify passwords without the participation of the CA, which is very convenient for users. Note that this procedure can still be considered a security issue. When users modify their passwords, they must succeed in verification before they execute the password change procedure.
5. Fast error detection: In our method, the fast error detection process is performed only on the client side and does not require the IGW to assist in authentication. Therefore, this stage does not consume network transmission resources and IGW computing resources. In the login and password change process, if an attacker tries to guess the password or enters wrong biometric data, the mobile phone can immediately detect the input error (i.e., Step 2 in the login procedure and Step 2 in the password change procedure), and then perform error reporting and lock the card.
6. Resistance to offline password guessing attacks: In previous studies, if an attacker captured consecutive login messages $\{AID_{i1}, A_i, C_{i1}, T_1\}$ and $\{AID_{i2}, A_i, C_{i2}, T_2\}$ at the time points of $T_1$ and $T_2$, they could try to guess the user's $PW_i$ and use the retrieved information to verify their guess. Then, they may calculate the point $r_{iw} = (0, h(PW_i \oplus BIO_i))$ and calculate the intermediate point $B_i$ between $r_{iw}$ and $A_i$. In addition, the attacker can calculate $r_{iT1} = (0, h(h(PW_i \oplus BIO_i) \oplus h(T_1)))$ and construct the line $L_{WT1}$ passing through the two points $C_{i1}$ and $r_{iT1}$. Similarly, the attacker can calculate the point $r_{iT2}$ and construct the line $L_{WT2}$. Next, they can compare $B_i$ with the intersection of $L_{WT1}$ and $L_{WT2}$, $B_i$. If the values are equal, this means that the password $PW_i$ guessed by the attacker is correct. However, in our method, the attacker cannot retrieve these values (i.e., $r_{iw}$, $r_{iT1}$, and $r_{iT2}$) because the attacker does not have the user's biometric $BIO_i$. Thus, our method can resist offline password guessing attacks.
7. Resistance to forgery attacks: Although the attacker can intercept the login message $\{AID_i, A_i, C_i, T\}$, they cannot forge a valid login message $\{AID_i, A_i, C_i, T\}$ to pass the authentication process. This is because the attacker does not know $h(PW_i \oplus BIO_i)$ and, thus, cannot calculate the point $B_i$ and the corresponding point $r_{iT} = (0, h(h(PW_i \oplus BIO_i) \oplus h(T)))$. Of course, the attacker will not be able to correctly re-establish the line $L_{WT}$. Therefore, our solution can resist forgery attacks.
8. Resistance to stolen smart device: When the attacker steals the smart device of a user, the attacker still cannot be authenticated successfully. This is because the attacker cannot provide valid biometric identification in the login phase. Moreover, the biometric information of the user is not directly stored on the smart device.
9. Resistance to server overloading attacks: In previous methods, the entire authentication procedure was executed on the server, making the server vulnerable to overload attacks. Assuming that the user's mobile phone is stolen by an attacker, in the previous method, the attacker could deduce the user's identity through intercepted messages. Even if the attacker types in the wrong password, a large number of malicious authentication request messages can be generated on the server. These malicious authentication request messages will cause server computing overload. However, this situation cannot happen with our method, because (i) our method supports the authentication of biometric information, and (ii) our method supports fast error detection. Therefore, when the user enters the wrong ID, password, or biometric message, the mobile phone will not generate a malicious authentication request message to the server.
10. Mutual authentication: A mutual authentication procedure is supported by our authentication method. The server needs to verify that the user is legitimate, and the user also needs to ensure that the server is not forged. When mutual authentication is successful, the security of the overall system can be ensured.
11. Session key generation: After the authentication process, a session key is generated between the user and the IGW to provide secure communication. The IGW responds with a message $\{SID_j, M_1, M_2\}$ to the mobile phone. After the mobile phone receives the message, it calculates $h(r_1)$, takes out $r_2$, and then checks whether $h(SID_j \| r_2)$ is equal to $M_2$. If it is correct, the session key $SK_{ij} = h(r_1 \| r_2)$ is generated, and the encrypted message $SK_{ij} \oplus h(r_2)$ is sent to the IGW. The session key is generated from two random numbers through a hash function; thus, each session key is different and cannot be reversed.

Comparison with Other Schemes
We compared our scheme with related existing schemes [28][29][30]. Table 2 shows the comparisons of security features. Obviously, the proposed scheme provides the most security properties.

Computation Analysis
We measured the computation time required for various operations. As hardware, we use the UP Board IoT gateway (Raspberry Pi compatible) developed by AAEON as the test platform [33], as shown in Figure 7. The operating system was a 64 bit Windows 10, the memory was 4 GB, and the CPU was an Intel Atom 1.44 GHz. Table 3 shows the measured calculation time of each operation. Since the proposed method only uses arithmetic operations, XOR operations, and hash functions, the calculation time is much shorter than the RSA authentication method. Table 4 compares the computational costs of the proposed scheme and those of other schemes. $T_m$, $T_R$, $T_h$, $T_a$, and $T_s$ denote the execution times of an ECC point multiplication, a fuzzy extractor function, a hash function, an arithmetic operation, and a symmetric key encryption/decryption, respectively. The scheme in [30] featured the lowest computational cost, but it suffered from many attacks.

Conclusions
Since most of the authentication schemes are based on ID/password, security is obviously insufficient. In this paper, we proposed an anonymous remote user authentication mechanism based on geometric methods, whereby we used a combination of password and user's biometric information to provide a more secure authentication mechanism. Moreover, GAME only uses arithmetic operations and hash functions; thus, the computational complexity of the method is extremely low, and the calculation time is much shorter than that of traditional asymmetric encryption authentication methods. Therefore, our method is very suitable for application services on mobile devices in an IoT environment. Lastly, the proposed method satisfies the following security properties: it is anonymous, can resist forgery attacks, can resist repeated attacks, can quickly detect errors, can resist offline password guessing attacks, can resist server overload attacks, and can enable easy selection and modification of the password.

Conflicts of Interest:
The authors declare no conflict of interest.