Lightweight Failover Authentication Mechanism for IoT-Based Fog Computing Environment

Fog computing as an extension to the cloud computing infrastructure has been invaluable in enhancing the applicability of the Internet of Things (IoT) paradigm. IoT based Fog systems magnify the range and minimize the latency of IoT applications. However, as fog nodes are considered transient and they offer authenticated services, when an IoT end device loses connectivity with a fog node, it must authenticate freshly with a secondary fog node. In this work, we present a new security mechanism to leverage the initial authentication to perform fast lightweight secondary authentication to ensure smooth failover among fog nodes. The proposed scheme is secure in the presence of a current de-facto Canetti and Krawczyk (CK)-adversary. We demonstrate the security of the proposed scheme with a detailed security analysis using formal security under the broadly recognized Real-Or-Random (ROR) model, informal security analysis as well as through formal security verification using the broadly-used Automated Validation of Internet Security Protocols and Applications (AVISPA) software tool. A testbed experiment for measuring computational time for different cryptographic primitives using the Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL) has been done. Finally, through comparative analysis with other related schemes, we show how the presented approach is uniquely advantageous over other schemes.


Introduction
The adoption of Internet of Things (IoT) has been unprecedented. The concept has materialized into one of the most popular driver technology into the next generation of ubiquitous connectivity. As more applications of smart connectivity are realized even more applications are envisioned. The IoT paradigm aims to provide connectivity between the physical and the cyber worlds with the intention to enable greater economic welfare, accuracy, and efficiency with minimal human intervention [1,2]. IoT enables Industry 4.0, connectivity during a humanitarian crisis, and ushers in a more comfortable standard of living.
The IoT paradigm predicts an explosion of connected devices [3,4]. This, in spite of the distributed nature of IoT, put an unprecedented load on the existing centralized infrastructure. This issue is addressed with the fog computing paradigm and extension to cloud computing. Transient fog nodes can extend the connectivity of cloud computing infrastructure as well as reduce latency and pre-process data to reduce computational load [5]. Fog nodes, by design, form an intermediate layer between the cloud infrastructure and the IoT end devices. Figure 1 shows a fog architecture for edge-based IoT environment adapted form [6]. Fog nodes, by virtue of their deployment near the smart devices, offer location awareness, lower latency, capability for real-time interaction, and so forth. For example, in a smart vehicular network, fog nodes might be deployed regularly along the roadway. As vehicles pass by, they can communicate with the nearest fog node at that point. Thus, fog computing can provide added functionality to IoT systems.

Motivation
Fog nodes, as described in Figure 1, act as a bridge between the end device and the cloud infrastructure. The fog nodes are considered transient and consequently, they are not trusted. The end device (for example, a user or an IoT smart device) must be authenticated by the fog node before any service is provided. This authentication can involve the cloud server, but that introduces latency as well at overhead at the cloud server. Normally, authentication and session key establishment between an end device and the fog nodes rely on public-key cryptography. However, relatively speaking, this is rather computationally expensive. Fog nodes are considered transient in nature. This can be because the nodes go out of range or they go off-line for some other reasons. In such a scenario, the end-user must re-authenticate with a secondary fog node that will take over the role of the previous fog node. The main objective with this work is to achieve the failover re-authentication without using public-key cryptography. This can be achieved if the fog nodes pre-agree on some security tokens, that are made available to the end device after the initial authentication. These security tokens can be leveraged to make a fast authentication possible between the end device and the secondary fog node. Moreover, insecure communication among the end devices and the fog nodes may lead to open up with several security attacks like replay, impersonation, man-in-the-middle and denial of service (clogging) attacks, that can be launched by an adversary. In order to resist such attacks, the designed failover authentication mechanism in this paper has been proposed. The proposed scheme also maintain anonymity and untraceability properties.

Research Contributions
The primary contributions in this work are summarized as follows: • We present the architecture and threat model for the envisioned failover authentication model. • We define the proposed failover authentication model in detail with all its phases. • We present a detailed security analysis with both formal and informal security analysis, and also a formal security verification using the AVISPA software validation tool to prove the robustness of the proposed scheme against various known attacks. • A testbed experiment for measuring computational time for different cryptographic primitives using the MIRACL library has been provided. • Finally, through a detailed comparative study, we showcase the unique advantages of the proposed scheme.

Paper Outline
The rest of the paper is sketched as follows. The relevant related work is provided in Section 2. In Section 3, the architecture and threat models are discussed for analyzing the proposed scheme. Various phases related to the proposed scheme are then discussed in Section 4. A detailed security analysis is provided in Section 5 including the formal security verification through AVISPA simulation in Section 6 to show the robustness of the proposed scheme. A testbed experiment for measuring computational time for different cryptographic primitives using the MIRACL library is demonstrated in Section 7. After comparative among the proposed scheme and other existing relevant schemes in Section 8, the paper is finally concluded in Section 9.

Related Work
Access control and authentication are two important security services to secure different networking environments, like IoT, "Internet of Drones (IoD)", "Internet of Vehicles (IoV)", "Wireless Sensor Networks (WSNs)", cyber-physical systems, smart grids, healthcare services, and so forth . Several existing works describe the procedure to secure establish an authenticated session key between the end devices, the fog nodes, and the cloud servers.
Wazid et al. [6] designed a "secure key management and user authentication scheme for fog computing environment, known as SAKA-FC". SAKA-FC establishes a common session key between a user, the fog node, and a smart device. The fog nodes could also establish a secure connection with the cloud. However, in their scheme, the cloud may act as a single point of failure. Though SAKA-FC is lightweight and offers several security and functionality features, it does not support failover authentication mechanism.
Roy et al. [9] proposed a user authentication for mobile cloud computing. It uses cryptographic hash, bitwise XOR, and fuzzy extractor as primitives. Though this scheme is secure and lightweight, it does not offer failover authentication mechanism. Similarly, there are other authentication schemes, such as the schemes proposed in [14,19,[22][23][24]28], which are efficient and also secure, but they do not offer failover authentication feature.
Gope [30] presented a scheme for an anonymous device to device (D2D) authentication for fog computing environment. In Gope's scheme [30], there are three scenarios: (1) LAAP1: It is for the "initial authentication protocol for device-to-device (D2D)-aided fog computing"; (2) LAAP2: It denotes the "subsequent authentication protocol with the cooperation of EDs in D2D-aided fog computing"; and (3) LAAP3: It corresponds to the "subsequent authentication protocol with the co-operation of NADs in D2D-aided fog computing", where ED is an "end device"; NAD means the "Network Access Devices" and CCS denotes "Centralized Cloud Servers". The initial authentication involves the end devices, fog nodes as well as the cloud server. Subsequently, D2D authentication could be operated with the involvement of the cloud server. If the fog node becomes unavailable, the initial authentication must be repeated with a new fog node. Thus, this scheme doe not provide the fog failover authentication process. In addition, this scheme does not protect the "Ephemeral Secret Leakage (ESL)" attack under the "Canetti and Krawczyk (CK)-adversary model" [31].
Concone et al. [32] presented a cloud-sensing scheme, called "secure protocol for mobile crowdsensing (SMCP)", for fog based applications that utilized signatures and did not involve the cloud server until the final update. SMCP is based on ECC, "extended triple Diffie-Hellman key agreement" and "symmetric cryptography". However, in their scheme, the ESL attack under the CK-adversary model is not addressed.
Basudan et al. [33] suggested an improved "certificateless aggregate signcryption scheme (CLASC)" approach for a "privacy-preserving vehicular crowdsensing-based road surface condition monitoring system" that applies bilinear pairing operations. Since the signcryption requires time-consuming pairing operations, Cui et al. [34] presented a scheme for road monitoring based on fog computing to reduce the computational complexity.
Guo et al. [35] then proposed a fog-centric authenticated key agreement scheme without involving the trusted parties. Their scheme is very attractive as it does not need the involvement of a trusted cloud server. Unfortunately, their scheme was designed with the DY-adversary model, and it is secure against the ESL attack under the CK-adversary model.
Ali et al. [36] presented a secure authentication scheme for fog computing specifically resistant against clogging attacks. However, the authentication process in their scheme requires the involvement of the cloud server.

System Models
This section details the network model envisioned for the proposed system as well as the threat model describing an adversary's capabilities that the scheme is designed to be resilient against various known attacks.

Network Model
The fog architecture envisioned for this work, as shown in Figure 1, has been adapted from [6]. The cloud infrastructure is pre-deployed and is considered to be semi-trusted. The fog nodes are deployed by a fully-trusted registration authority, say RA, which is a component of the trusted cloud infrastructure. Thus, the fog nodes can securely communicate with each other leveraging their trusts within the RA. The pre-processed data can be forwarded by the fog nodes to the cloud server(s). The end devices, which are the users' device or IoT endpoints, communicate with the fog nodes acting as the gateway nodes. The need for expensive direct communication between end device and cloud infrastructure can be avoided. This is specially usefully when two end devices need to establish secure communication. This architecture also precludes the need for key management mechanism at the cloud infrastructure as the services offered are available only after post-authentication through the fog nodes.
In this work, we focus only on the fog and IoT layers. We aim to avoid the involvement of the cloud server in the authentication to minimize the communication and computational overheads. Similarly, as described in the motivation section, we also aim to reduce the overheads for the end devices.

Threat Model
The de-facto standard, known as the Dolev-Yao (DY) threat model [37] considers that an adversary, being a passive or an active adversary, has complete control over the communication media. Any message sent over the open channel is considered insecure. The adversary can eavesdrop on all messages transmitted. Additionally, the adversary can block, replay, or even modify any token transmitted over the channel. For this work, we adhere to another more stringent adversary model, known as the "Canetti and Krawczyk (CK)-adversary model" [31]. The CK-adversary not only has all capabilities of the DYadversary, but he/she can subvert secure information like ephemeral session states and secret keys through session hijacking attacks. Some end devices may be stolen or physically captured by the adversary, and he/she can learn the stored credentials from those devices through the differential power analysis attacks [38] and utilize the extracted credentials later for subsequent attacks on the system. The registration authority (RA) is a fully trusted entity, but the fog nodes are considered semi-trusted entities in the network.

Proposed Failover Authentication Scheme
This section details the proposed failover authentication scheme for an IoT-based fog computing environment.
The core idea behind the failover authentication is that if and when a fog node becomes unavailable, the end devices connected to it should be trivially able to switch over to a secondary fog node. The functionality provided by this scheme is a fast re-authentication with the secondary fog node without the need to go through an expensive public-key based authentication. The scheme has three per-requisite phases and the authentication phases. Before authentication, the system must be set up and the fog nodes must be enrolled and the end devices must register with the registration authority (RA). The inter-fog node pre-agreement must also be completed before fast authentication. Table 1 summarizes the important notations that are used in the proposed scheme, and their significance. The detailed description of each phase is provided in the following subsections.

Setup Phase
During the Setup, the registration authority (RA) selects a non-singular elliptic curve E p of the form: y 2 = x 3 + αx + β (mod p) over a prime finite field Z p , where p is a large prime and the condition for non-singularity 4α 3 + 27β 2 = 0 (mod p) is fulfilled. Then, the RA selects a generator G of an order n over E p such that n · G = O, the zero point or point at infinity, and n · G = G + G + · · · G (n times) represents an "elliptic curve point (scalar) multiplication". The RA also selects its own "elliptic curve cryptography (ECC)based private key" k R and computes the corresponding public key Q R = k R · G. Finally, the RA picks a "collision-resistant cryptographic one way hash function, h(·)" (for example, a Secure Hash Algorithm (SHA-1) [39]) and makes h(·), G and Q R as public.

Fog Node Enrollment Phase
After the Setup phase, the individual fog nodes may be enrolled with the registration authority (RA). A fog node, say Fog node x, selects its ECC-based private-public keys pair (k F x , Q F x ), where Q F x = k F x · G, and learns the list of public keys for the other fog nodes. During the enrollment, the RA also transmits a list containing the mapping between obscured end-devices identities EID u and their public keys Q u , for all registered end devices. The list is periodically updated to intimate the fog nodes of newly registered end devices and fog nodes.

End Device Registration
After Setup, the end device (user's access device or otherwise) is registered with the system.

•
The end device provides its identity (user's identity or otherwise), ID u and selects k U ∈ Z p as its private key. Then it computes its public key Q u = k U · Q R and securely transmits ID u , Q u to the RA.

•
On receiving the registration request, RA selects a x ∈ Z and computes the obscured end-device identity EID u = h(ID u ||x). RA securely transmits EID u to the end device saves ID u , EID u , Q u . • The credentials in the end device can be secured with multi-factor authentication, which is beyond the scope of the scheme. Figure 2 summarizes the end device registration. Note that, a secure channel is used as a conceptual term. For end devices, this can mean pre-deployment configuration and for end devices this referees to in-person registrations. After the initial registration, a variant of the registration, that does not require a secure channel, can be repeated periodically to update EID u and Q u .

Inter-Fog Node Pre-Agreement
Before the fast authentication phase is possible, all pairs of (adjacent) fog nodes must agree to own two security tokens, namely YZ and ZY. The pre-agreement is a cooperative procedure and can be initialized by either of the participating nodes. We describe this phase with the assumption that Fog node 1 will act as an initiator and Fog node 2 will act as a responder. The following are the steps that are executed:

•
Fog node 1 selects a random secret y ∈ Z p and computes Q 12 = k F 1 · Q F 2 . Additionally, it calculates K y = Q 12 ⊕ y, sets TS 1 as the current timestamp and then computes On receiving the message M p 1 , Fog node 2 computes Q 12 = k F 2 · Q F 1 and verifies if V 1 is equal to h(K y ||Q 12 ||TS 1 ). Only if the verification holds, it proceeds ahead. It then recovers y = Q 12 ⊕ K y , selects a random secret z ∈ Z p and computes K z = Q 12 ⊕ z.
It also sets TS 2 as the current timestamp, computes V 2 = h(K z ||Q 12 ||TS 2 ) and transmits the message M p 2 = K z , V 2 , TS 2 to Fog node 1 via an open channel. Moreover, it computes the security tokens YZ = h(y||z) and ZY = h(z||y).
• On receiving the message M p 2 , Fog node 1 verifies if V 2 is equal to h(K z ||Q 12 ||TS 2 ). If it is valid, it recovers z = Q 12 ⊕ K z , and computes the security tokens YZ = h(y||z) and ZY = h(z||y). Figure 3 summarizes the inter-fog node pre-agreement phase. This phase can be repeated periodically to update the security tokens as well.

Initial Authentication
An end device must first authenticate with any one fog node by relying on the public key cryptography. In this case, we have applied ECC-based public key infrastructure. This section describes the initial authentication between an end device, say U and a fog node, say Fog node 1. The following are the executed steps: • The end device U selects a random secret a ∈ Z p and computes Q uF 1 = a · Q F 1 , Q a = a · Q R and QID = Q uF 1 ⊕ EID u . Additionally, it sets TS 1 as the current timestamp, computes V 1 = h(QID||Q uF 1 ||TS 1 ) and transmits a message M a 1 = QID, Q a , V 1 , TS 1 to Fog node 1 over an insecure channel. • On receiving the message M a 1 , the Fog node 1 computes Q uF 1 = k F 1 · Q a and verifies if V 1 is equal to h(QID||Q uF 1 ||TS 1 ). Only if the check holds, it proceeds ahead. It then recovers EID u = Q uF 1 ⊕ QID, looks up Q u from EID u , selects another random secret b ∈ Z p , and also computes  Figure 4 summarizes the initial authentication phase. After this authentication, Fog node 1 shares the security tokens for the nearby fog nodes that can operate as an failover. As these security tokens are transient, they must be periodically updated.

Fast Authentication
Once an end device U has learned the security token for the Fog node 2, if, for some reasons, the Fog node 1 becomes unavailable or it goes out of communication range, U can leverage the security token to authenticate with Fog node 2 without relying on the public key cryptography (as described in Section 4.5). This section describes the fast authentication between the end device U and the Fog node 2 with the help of the following steps: • The end device U selects a random secret a ∈ Z p and computes Q a = a ⊕ h(YZ||TS 1 ), Q uF 2 = h(a||ZY), Q a = a · h(YZ||TS 1 ) and QID = Q uF 2 ⊕ EID u , where TS 1 is the current timestamp. It then computes V 1 = h(QID||Q uF 2 ||TS 1 ) and transmits a message M f 1 = QID, Q a , V 1 , TS 1 to Fog node 1 via a public channel. • On receiving the message M a 1 , the Fog node 2 computes , U sets the session key shared with the Fog node 2 ass SK = SK . Figure 5 summarizes the fast authentication phase. After this authentication, the Fog node 2 must also periodically share the security tokens for the nearby fog nodes that can operate as its failover.

Remark 1.
After the enrollment in Section 4.2, the fog nodes must perform the mutual preagreement phase as described in Section 4.4 in order to support the fast authentication phase in Section 4.6. Similarity, an end device must be registered as described in Section 4.3, and it needs to perform the initial authentication and will be in an active session with a fog node. The end device may avail a fast authentication as described in Section 4.6 with an adjacent fog node based on necessity. Note that, the fast authentication is not possible if the device is not already in an active session because the fast authentication leverages the security of the initial authentication.

Security Analysis
An authentication scheme can be susceptible to several vulnerabilities that enable an adversary to subvert the scheme. In this section, we first analyze the proposed scheme for formal security using the widely recognized random oracle model, known as the "Real-Or-Random (ROR) model" [40]. We then informally discuss how the proposed scheme resists various known attacks. Additionally, we report the simulation results under the automated software validation tool, called the "Automated Validation of Internet Security Protocols and Applications (AVISPA)" [41] for the formal security verification and show that the proposed scheme is safe against passive/active attacks like "replay", "impersonation" and "man in the middle" attacks.

Formal Security Analysis Using ROR Model
In this section, we utilize the Real-Or-Random (ROR) model proposed in [40] to analyze the semantic security of the proposed scheme. The important elements for the ROR model are given below.
Participants: Let π u U , π f 1 FN1 and π f 2 FN2 denote the u th , f th 1 and f th 2 instances corresponding to a user U , the fog nodes FN 1 and FN 2 , respectively [42,43]. These are also termed as the random oracles.

Partnering:
The instances π u U and π f FN are considered to be partnered when the following conditions are satisfied simultaneously: (1) they share a communication session id sid and (2) partial transcript of all message exchanged between them are unique.
Freshness: π u U and π f SD are fresh if the session key SK established between U and FN has not been revealed to an adversary A with the help of the Reveal query discussed below.
Adversary: The adversary A is assumed to have complete influence over the communication media. Thus, A can eavesdrop and also alter, delete and forge messages at will during communication. Additionally, A has the access to the following queries: • Execute(π u ): By this query, which models an eavesdropping attack, A can intercept all the transmitted messages among U , FN 1 and FN 2 . • Send(π f , m): This query models an as an active attack and enables A to send a message, say msg to its participating instance π f , and also to receive a response in reply. • Test(π u , π f ): This query utilizes the indistinguishability in the ROR model [40] to determine the semantic security of the session key SK established between U and FN. TO begin with, A performs an unbiased coin toss c. Its outcome decides the result of the Test query. If SK is fresh, π u or π f produces SK upon the satisfaction of the condition c = 1 or a random number for the fulfillment of the condition c = 0. Otherwise, it returns a null value. • Reveal(π u ): Through this query, A can learn the session key SK between U and FN 1 or between U and FN 2 .

Definition 1 (Semantic security of session key).
According to the ROR model, A must distinguish between an instance's actual session key and a random key. To this goal, A can repeat the Test(·) query to π u or π f , and save the results to bit c. A wins the game if c = c , where c is a randomly guessed bit. The advantage of A in breaking the semantic security of the proposed authenticated key agreement (AKE), say P in time t p is defined as where SUCCESS represents an event such that A wins the game, that is, Pr[SUCCESS] = Pr[c = c].
Random oracle: All communicating entities in the proposed scheme including A will have access to a "collision-resistant hash function, h(·)" that is modeled as a "random oracle, say HO". Definition 2 (Collision-resistant one-way cryptographic hash function [44]). Let h: {0, 1} * → {0, 1} l b be a "collision-resistant one-way hash function" which is a deterministic function. It takes a variable-length input x ∈ {0, 1} * and returns a fixed-length output, y = h(x) ∈ {0, 1} l b of l b bits. Assume that the "advantage of an adversary A in finding a hash collision" in time t p be denoted by Adv Hash A (t p ). Then,

Adv Hash
where the pair (ip 1 , ip 2 ) ∈ R A means that the input strings ip 1 and ip 2 are randomly picked by A. We say "an (η, t)-adversary A attacking the collision resistance of h(·)" means that the execution time taken by A is at most t and Adv Hash A (t p ) ≤ η.

Security proof:
By utilizing the definition of the "collision-resistant hash function" (defined in Definition 2), "elliptic curve decisional Diffie-Hellman problem (ECDDHP)" (defined in Definition 3) and the above described ROR model, Theorem 1 provides the semantic security of the proposed scheme against the adversary A the derive the session key during the communication.
Theorem 1. Let A be a polynomial time adversary running in time t p against the proposed scheme P under the ROR model. If Adv AKE P,A (t p ) denotes A's advantage in breaking P's semantic security in time t p in order to derive the session key between a legal registered end device U and an accessed fog node FN 1 or FN 2 , then where q h is the number of hash queries, |Hash| defines the range space of h(·) and Adv ECDDHP A (t p ) is the advantage of an adversary A in solving ECDDHP in polynomial time t p .
Proof. Our proof is analogous to the proofs that were presented in [45,46]. We define G 0 -G 2 as the three sequential games in which an event SUCCESS i denotes that the adversary A can successfully guess the bit c corresponding to the game G j , j ∈ [0, 2]. The details of these games are provided below.
• Game G 0 : This game models an actual (real) attack on the proposed scheme, P by A. Thus, the bit c is guessed at the beginning of G 0 . Therefore, the semantic security of the proposed scheme defined in Definition 1, it follows that • Game G 1 : This game models an eavesdropping attack, where A can query Execute oracle to intercept the messages M a 1 = QID, Q a , V 1 , TS 1 , M a 2 = B, V 2 , TS 2 , M f 1 = QID, Q a , V 1 , TS 1 , and M f 2 = B, V 2 , TS 2 during the initial and fast authentication processes. Afterwards, A can also query Test oracle and determine if the result is the actual session key SK or just simply a random number. Note that in the proposed scheme, SK = h(Q uF 1 ||Q b ) = h(Q uF 1 ||Q b ) = SK is the session key established between an end device U and fog node FN 1 during the initial authentication, and also SK = h(Q uF 2 ||Q b ) = h(h(a||ZY)||h(b||ZY||Q u )) = SK is the established session key between a user U and a fog node FN 2 during the fast authentication. In both cases, to compute SK, A must know the short term secrets (a and b) as well as long term secrets (k u , YZ and ZY) simultaneously. Thus, only the intended user U and fog nodes FN 1 and FN 2 can compute SK. Therefore, A's probability of wining the game G 1 is not increased form G 0 through an eavesdropping attack. Consequently, both the games G 0 and G 1 are indistinguishable, and we have the following result: • Game G 2 : Under this game, the Send and hash HO queries are simulated. This game is modeled as an active attack, where A can attempt to fool a legitimate participant into accepting a modified message. A is permitted to make repeated queries to the random oracles to examine the presence of hash collisions. However, since all the messages M a 1 , M a 2 , M f 1 and M f 2 contain unique single use values, hash coalition does not occur (see Definition 2) when A queries the Send oracle with the help of h(·). Moreover, to derive the session key SK = h(Q uF 1 ||Q b ) = h(Q uF 1 ||Q b ) = SK is the session key established between an end device U and fog node FN 1 during the initial authentication, the adversary A needs to solve the computational ECDDHP defined in Definition 2. It is worth noticing that both the games G 1 and G 2 are "indistinguishable" except the Send and hash queries are simulated in G 2 along with solving ECDDHP. Thus, by using the birthday paradox results and the advantage of A in solving ECDDHP, we have, Finally, to win the game G 2 , A needs to guess bit c after querying the Test oracle. Thus, it is clear that From Equations (1)-(4), we have By solving Equation (5), we obtain the required result:

Informal Security Analysis
In this section, through informal security analysis, we demonstrate the security features of the proposed scheme as well as its resilience against well-known attacks.

Mutual Authentication
In the proposed authentication scheme, the initial authentication is a standard public key-based authentication and the end device and the fog node authenticate each other with the public-private key pairs. For fast authentication, The participants are mutually authenticated with the pre-shared security tokens. Here for brevity, we have shown a single pair of secret tokens but for real implementations, these pair of secret tokens can be scaled up such that there is a one-to-one correspondence between a user and a token pair.

Anonymity and Untraceability
The messages exchanged during the initial or the subsequent fast authentications do not contain any plaintext identifiable values for the adversary to identify the participants with. Additionally, all the values are composed of nonce or timestamps, making tracing attacks infeasible. This the proposed scheme guarantees anonymity and untraceability.

Forward and Backward Secrecy
Assuming that the adversary can somehow learn the session key SK along with all its contributing secret values Q uF 2 and Q b under the CK-adversary model. No past or future sessions are compromised as all these values are independent and distinct across sessions. This is true for both the initial or the subsequent fast authentications. Similarly, if the security tokens are leaked, no existing or future sessions are compromised.

Ephemeral Secret Leakage (ESL) Attack
The session key SK is composed form both long and short-term keys. Thus the adversary cannot derive session key SK unless both short and long-term secrets are exposed at once. Thus, the proposed scheme is resilient against the "ESL attack".

Impersonation Attacks
The initial authentication is designed around the public key cryptography and thus the public keys (issued through the trusted RA) prevent impersonation attacks. For fast authentication, the security token is responsible for mutual authentication and if compromised can lead to successful impersonation. However. the mitigation strategies mention in the context of mutual authentication prevents such attacks.

Clogging Attacks
The fog nodes detect and terminate spurious authentication requests after a xor and one or two hash operations for initial and fast authentications receptively. Thus, denial of services through clogging attacks will be mostly ineffective against the proposed scheme.

Remark 2.
The scheme is designed to work in conjuncture with other systems to ensure security against stolen smart cards, privileged insiders, end device capture, and other similar attacks and are beyond the scope of this scheme. Thus, within its scope, the proposed scheme resists all known attacks.

Formal Security Verification through AVISPA Simulation
In this section, we validate the security of the proposed scheme with the help of one of the most widely recognized automated software verification tools, known as the "Automated Validation of Internet Security Protocols and Applications (AVISPA)" [41]. AVISPA is a push-button tool for automatic verification of security protocols. It is widely accepted as the formal verification of a security scheme against the man-in-the-middle and replay attacks (also, indirectly impersonation attacks), and internally implements the Dolev-Yao (DY) threat model [37]. Thus, the adversary has not only capability to intercept the communicating messages, but also can delete, modify or insert fake messages during the communication.
To verify a security scheme with AVISPA, it must be specified in the High Level Protocol Specification Language (HLPSL) [47]. AVISPA distribution includes an inbuilt converter for conversion from HLPSL to IF, known as Intermediate Format (IF), for backends for evaluations. There are four backends in AVISPA, namely (1) On-the-fly Model-Checker (OFMC), which is responsible for "performing several symbolic techniques to explore the state space in a demand-driven way", (2) Constraint Logic based Attack Searcher (CL-AtSe), which provides "a translation from any security protocol specification written as transition relation in intermediate format into a set of constraints which are effectively used to find whether there are attacks on protocols", (3) SAT-based Model-Checker (SATMC), which builds "a propositional formula and then the formula is fed to a state-of-the-art SAT solver to verify whether there is an attack or not" and (4) Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP), which approximates the "intruder knowledge by using regular tree languages". Of these four backends, OFMC and CL-AtSe are widely used because they support implementation of various functions including bitwise XOR operations, whereas SATMC and TA4SP do not support the implementation of bitwise XOR operations. Finally, the IF is evaluated by these backends and the result is presented in the Output Format (OF). For more details regarding AVISPA and HLPSL [41] can be consulted.

Specifying the Roles
HLPSL is a role-based language and individual roles for end device, registration authority, and two fog nodes, primary and failover, are defined in addition to the compulsory session, environment, and goal roles. The basic roles for an end device, two fog nodes FN 1 and FN 2 , and the gateway node RA are defined in Figures 6-9, respectively. The compulsory roles for the session and goal and environment are defined in Figure 10. In the HLPSL implementation, secret credentials are kept secret by the secret declaration. The witness and request (authentication) are done by the witness and request declarations, respectively. The privacy and authentication goals are achieved through secrecy_of and authentication_on statements, respectively.  In order to check the replay attack protection, it is required to mention the following two statements in the environment role: The simulation started with end device registration, described the fog node enrollments, the pre-arrangement of the security tokens, initial authentication, and the fast authentication with the failover fog node.

Simulation Results and Discussion
We evaluated the HLPSL script with the "SPAN, the Security Protocol ANimator for AVISPA" software tool [48]. Figure 11 presents the simulation results in OF. The results demonstrate the proposed scheme is secure against replay, man-in-the-middle and impersonation attacks.

Testbed Experiments Using MIRACL
In this section, we measure the execution time needed for different cryptographic primitives with the help of the broadly recognized "Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)" [49].
The notations T senc /T sdec , T eca , T ecm , T f e , T h , T poly , T mul and T add denote the time needed for computing symmetric encryption/decryption (using Advanced Encryption Standard (AES) algorithm [50]), elliptic curve point addition, elliptic curve point (scalar) multiplication, fuzzy extractor operation [51], one-way hash operation (using Secure Hash Algorithm (SHA-1) [39]), evaluation of an t-degree polynomial over a finite field, multiplication in a finite field and addition in a finite field, respectively. If we use the Horner's rule [52], the evaluation of an t-degree uni-variate polynomial, say f (a, y) at y = b (that is, f (a, b)) needs t modular multiplications and t modular additions, where a and b are taken from a finite field. In other words, T poly = t(T mul + T add ).
We have considered two platforms for the testbed experiment. In each platform, we execute each cryptographic primitive for 100 trials in order to measure the average run time of primitives.
• Platform 1: This platform corresponds to a server setting under the environment: "Ubuntu 18.04.4 LTS, with 7.7 GiB memory, Intel Core i7 processor-8565U, CPU @ 1.80GHz × 8, 64-bit OS type and disk size 966.1 GB". The experimental results for different primitives are then measured using MIRACL library and then provided in Table 2. Note that under this platform, T poly = t(T mul + T add ) = 0.006 t milliseconds by considering average time. In addition, it is assumed that T f e ≈ T ecm [53].  Table 3, we have tabulated the experimental results of different cryptographic primitives. Note that under this platform, T poly = t(T mul + T add ) = 0.021t milliseconds by considering average time.

Comparative Study
In this section, we compare the proposed scheme with the recent authentication schemes proposed by Gope [30], Guo et al. [35] and Ali et al. [36]. For the proposed scheme, we have considered three cases as follows: • Case 1: It denotes the "fog node pre-agreement" phase • Case 2: It corresponds to the "initial authentication" phase • Case 3: It represents the "fast authentication" phase In Gope's scheme [30], we have the following three scenarios: • LAAP1: It is for the "initial authentication protocol for device-to-device (D2D)-aided fog computing" • LAAP2: It denotes the "subsequent authentication protocol with the co-operation of EDs in D2D-aided fog computing" • LAAP3: It corresponds to the "subsequent authentication protocol with the cooperation of NADs in D2D-aided fog computing" where ED is an "end device"; NAD means the "Network Access Devices" and CCS denotes "Centralized Cloud Servers".

Computation Costs Comparison
We have used the average execution time for different cryptographic primitives for the server setting and Raspberry PI 3 setting as shown in Tables 2 and 3 as those for an end device and a fog node/cloud server, respectively. In Table 4, we have compared the computational costs needed for the entities, like end device, fog node and cloud server during various authentication phases among the proposed scheme and other schemes, such as the schemes of Gope [30], Guo et al. and Ali et al. During the fast authentication process (Case 3), in the proposed scheme the end device and the fog nodes need to perform 7T h ≈ 2.163 ms and 7T h ≈ 0.385 ms, respectively. The cloud server is not involved in the proposed scheme. From the comparative analysis, it is observed that the proposed scheme has comparable computation overheads for various entities as compared to those for other related competing schemes.

Communication Costs Comparison
For the communication overheads of different existing schemes, we assume that the hash digest, a random nonce (secret) and an identity to be 160 bits each. We additionally assume that a sequence number and a timestamp to be 32 bits long. In addition, AES-128 cipher [50] needs 128-bit plaintext/ciphertext block and an elliptic curve point needs (160 + 160) = 320 bits by assuming 160-bit ECC security remains the same level as that for 1024-bit RSA-based public key cryptosystem. In the proposed scheme, Case 1, Case 2 and Case 3 require 88 bytes, 148 bytes and 108 bytes, respectively, for exchange of 2 messages in each case. The communication overheads of the related schemes and the proposed scheme are compared in Table 5. We can clearly see that the proposed scheme has the lowest communication cost among the related existing schemes. Table 6 summarizes the security and functionality features of the proposed scheme and the related schemes. We can see all the compared schemes support anonymity preserving mutual authentication and resist the known attacks. Apart from Ali et al.'s scheme [36], all other schemes support authentication without the cloud server. The schemes in [30] and [35] are not secure against ESL attack under the CK-adversary model [31]. Finally, as per the design motivation, only the proposed scheme supports fast failover authentication for fog nodes failure. Overall, the proposed scheme provides the richest security and functionality features while having comparable computational costs and lowest communication overheads, as compared to other competing schemes. Note: LAAP1: "Initial authentication protocol for D2D-Aided fog computing"; LAAP2: "Subsequent authentication protocol with the co-operation of EDs in D2D-Aided fog computing"; LAAP3: "Subsequent authentication protocol with the co-operation of NADs in D2D-Aided fog computing"; Case 1: "Fog node pre-agreement"; Case 2: "Initial authentication"; Case 3: "Fast authentication".

Concluding Remarks and Future Works
In this work, we have highlighted the need for a fast authentication mechanism in case of fog nodes failure. To achieve this goal, we have presented a new lightweight failover authentication mechanism for fog computing environment. We have shown the robustness of the proposed scheme with a detailed security analysis along with the formal security analysis under the ROR random oracle model, informal security analysis and also the formal security verification under the widely-accepted software validation tool, known as AVISPA. In addition, the testbed experiments for measuring computational time needed for various cryptographic primitives under the MIRACL library have been provided. Finally, through a comparative study among the proposed scheme and other related recent schemes, we have demonstrated the advantage of the proposed approach in terms of the security and functionality features, and communication and computational overheads. In future, we have planned to integrate the proposed scheme into a more complete fog enabled IoT architecture and evaluate the same in a real-world testbed scenario.  Data Availability Statement: No new data were created or analyzed in this study. Data sharing is not applicable to this article.