RDAF-IIoT: Reliable Device-Access Framework for the Industrial Internet of Things

Abstract

The Internet of Things (IoT) has experienced significant growth and is now a fundamental part of the next-generation Internet. Alongside improving daily life, IoT devices generate and collect vast amounts of data that can be leveraged by AI-enabled big data analytics for diverse applications. However, due to the machine-to-machine communication inherent in IoT, ensuring data security and privacy is crucial to mitigate various malicious cyber attacks, including man-in-the-middle, impersonation, and data poisoning attacks. Nevertheless, designing an efficient and adaptable IoT security framework poses challenges due to the limited computational and communication power of IoT devices, as well as their wide-ranging variety. To address these challenges, this paper proposes an Access Key Agreement (AKA) scheme called the “Reliable Device-Access Framework for the Industrial IoT (RDAF-IIoT)”. RDAF-IIoT verifies the user’s authenticity before granting access to real-time information from IIoT devices deployed in an industrial plant. Once authenticated at the gateway node, the user and IIoT device establish a session key for future encrypted communication. The security of the proposed RDAF-IIoT is validated using a random oracle model, while the Scyther tool is employed to assess its resilience against various security attacks. Performance evaluations demonstrate that the proposed scheme requires lower computational and communication costs compared to related security frameworks while providing enhanced security features.

1. Introduction

The Industrial Internet of Things (IIoT) is an emerging technology rapidly changing manufacturing and industrial terrain. IIoT leads to intermixing sensors, software, and other technologies into industrial processes to optimize and automate them [1,2,3]. With IIoT, devices and equipment are connected to the Internet, enabling them to intercommunicate real-time data and insights. This connectivity facilitates factories to monitor and examine their production processes, determine inefficiencies, and make data-driven decisions to improve their operations. The advantages of IIoT are myriad. IIoT can enable manufacturers to diminish expenses and enhance productivity by enhancing operational efficiency. In addition, IIoT also improves product quality, reducing downtime and enhancing worker safety [4,5,6].

With the integration of various devices, sensors, and systems, the Industrial Internet of Things (IIoT) presents numerous potential attack vectors that malicious actors can exploit. Among the primary concerns is the security of data. The vast amount of data generated by IIoT systems needs to be collected, processed, and stored securely. Unauthorized access to this data can have severe consequences, leading to significant economic and reputational damage. To mitigate these risks, robust security measures, including encryption and authentication, must be implemented in IIoT environments. In this paper, we propose an authentication and key agreement (AKA) scheme called “reliable device-access framework for the Industrial IoT (RDAF-IIoT)” to enable secure access to real-time information from devices deployed in IIoT environments. The proposed RDAF-IIoT scheme prioritizes computational efficiency by leveraging hash functions and symmetric encryption instead of computationally expensive operations.

2. Related Work

Within the existing literature, numerous AKA schemes or frameworks have been suggested to ensure secure access to real-time data for users. In this context, the authors of [7] introduced an AKA security framework for wireless sensor networks (WSNs) utilizing a hash function and XOR operation. Furthermore, they identified vulnerabilities in the scheme proposed by [8], including insider attacks, random parameters leakage (RPL), and perfect forward secrecy attacks. Another AKA framework for WSNs was proposed by the authors of [9], incorporating elliptic curve cryptography (ECC), hash function, and XOR. However, this framework is susceptible to man-in-the-middle (MITM), insider attacks, stolen smart card attacks, and RPL attacks. The authentication framework presented in [10] exhibits weaknesses against RPL, stolen smart cards, and password-guessing attacks. In the realm of IoT-enabled software-defined networks, an authentication framework using the symmetric encryption algorithm AES and ECC is proposed in [3]. The security of this scheme is validated using the random oracle model (ROM) and Scyther. Additionally, a user AKA scheme for WSNs based on symmetric encryption and ECC is devised in [11], with its security verified through ROM and AVISPA. However, the AKA scheme put forth in [11] can be compromised by malicious but valid users of the system. For the Internet of drones, a user authentication framework is provided in [12], designed using ECC and authenticated encryption. The security of this framework is demonstrated through Scyther and ROM. Similarly, an authenticated encryption and hash function-based AKA scheme is proposed in [2,13] for smart home and IIoT environments, with its security verified using ROM and Scyther. Lastly, an AKA scheme based on hyper-ECC is proposed in [14] for the Internet of drones environment.

In [15], a robust authentication scheme for WSNs based on temporal credentials is proposed. However, the AKA scheme presented in [16], which utilizes ECC and a hash function, exhibits weaknesses against denial-of-service (DoS), key compromise, and impersonation attacks. Similarly, ref. [17] introduces a multifactor AKA scheme employing AES and a hash function. Nevertheless, this scheme is vulnerable to DoS, replay, and de-synchronization attacks. In [18], a three-party AKA framework is proposed, but it lacks adequate user anonymity protection and does not offer an efficient method for password change. An anonymous AKA scheme constructed using the chaotic map and hash function is presented in [19], with its security validated using the Burrows–Abadi–Needham (BAN) logic model. However, vulnerabilities exist in an AKA scheme utilizing ECC and a hash function for the cloud-enabled IoT environment, as noted in [20]. The scheme involves four participants during the AKA phase and undergoes security validation using BAN logic and AVISPA. Furthermore, [12] proposes an AKA scheme based on AEAD and a hash function, and its security is demonstrated through ROM and Scyther. Lastly, an AKA scheme utilizing a hash function is presented in [21], which is susceptible to various security attacks, as highlighted in [20].

A secure AKA scheme based on ECC and a secure hash function is introduced in [22] for the IoT environment. The scheme’s security is validated using Scyther. However, the security framework proposed in [23], which utilizes ECC and a secure hash function, is vulnerable to stolen smart card attacks. Additionally, the security framework proposed in [24] fails to prevent DoS attacks, while the scheme presented in [25] is weak against DoS attacks as well. In the context of the IIoT environment, an AKA security framework is proposed in [17], but it is unable to withstand various security attacks. The scheme in [17] is constructed using symmetric encryption and a hash function. Various security frameworks are summarized in Table 1.

Table 1. Summary of User Authentication Frameworks.

Reference	Cryptographic Operations	Security Analysis	Environment
Ref. [13]	Hash + AEAD + XOR	Resource-efficient and secure.	IIoT
Ref. [12]	Hash + ECC + AEAD + XOR	Resistant to various attacks.	IIoT
Ref. [26]	Hash + CM + XOR	Weak against stolen smart card attacks.	TMIS
Ref. [27]	Hash + CM + XOR	Incapacitated against server/user impersonation.	MSE
Ref. [17]	Hash + AES + XOR	Weak against node capture, DoS, desynchronization, and replay attacks.	IIoT
Ref. [28]	Hash + AEAD + XOR	Unable to ensure the anonymity feature.	IoD
Ref. [29]	Hash + XOR	Vulnerable to stolen smart devices and traceability attacks.	IIoT
Ref. [30]	Hash + Rabin + XOR	Exposed to impersonation attack.	IIoT
Ref. [31]	Hash + AEAD + XOR	Incapacitated against server/user impersonation and session key disclosure attacks.	TMIS
Ref. [32]	Hash + AEAD + XOR	Complex and unable to ensure the anonymity feature.	IoT
Ref. [33]	Hash + ECC + XOR	Weak against desynchronization attack.	IIoT
Ref. [34]	Hash + ECC + XOR	Weak against desynchronization attack.	IIoT
Ref. [2]	Hash + AEAD + XOR	Resource-efficient and secure.	IoT
Ref. [35]	Hash + ECC + XOR	Weak against MITM and impersonation attacks.	IoT
Ref. [25]	Hash + ECC + XOR	Weak against impersonation and MITM attacks.	IoT
Ref. [36]	Hash + ECC + XOR	Secure against all well-known attacks.	IoT
Ref. [37]	Hash + ECC + XOR	Weak against temporary secret leakage and stolen smart card attacks.	VANETs
Ref. [38]	Hash + ECC + XOR	Secure against all well-known attacks.	ICS
Ref. [39]	Hash + AEAD + XOR	Resource-efficient and secure.	IoD
Ref. [40]	Hash + ECC + XOR	Weak against privileged insider, MITM, temporary secret leakage attacks.	TMIS
Ref. [41]	Hash + AEAD + XOR	Resource-efficient and secure.	IIoT
Ref. [42]	Hash + AEAD + XOR	Resource-efficient and secure.	IoD
Ref. [43]	Hash + ECC + XOR	Weak against MITM, impersonation, and stolen smart card attacks.	WSN
RADF-IIoT	Hash + CM + AEAD + XOR	Protection against various attacks.	IIoT

Note: CM: Chaotic Map; AEAD: Authenticated encryption with associated data; XOR: Exclusive-OR; IIoT: Industrial Internet of Things; TMIS: Telecare medical information system; MSE: Multi-server environment; VANETs: Vehicular ad hoc networks; ICS: Industrial control system; WSN: Wireless sensor networks.

2.1. Research Contributions

The main contributions of the paper are listed as follows.

• In this article, an AKA framework is proposed called RDAF-IIoT, which is constructed using “Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC)” and hash function. RDAF-IIoT enables users to achieve authentication with a gateway. In addition, RDAF-IIoT enables users and sensing devices to communicate securely after establishing a secure channel (session key) with the assistance of a gateway. RDAF-IIoT is a three-factor AKA security framework, which also enables the users to change the password without involving the gateway.
• The proposed RDAF-IIoT is corroborated informally to validate its resiliency against various security attacks, such as DoS, MITM, impersonation, and replay attacks. The security of the session key is corroborated using well known random oracle model. In addition, RDAF-IIoT is implemented using Scyther, and the analysis of Scyther shows that the RDAF-IIoT is secure.
• To evaluate the performance of the proposed RDAF-IIoT, RDAF-IIoT is compared with the state-of-the-art security frameworks, such as Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] regarding communication and computational costs. The proposed RDAF-IIoT requires [74.73% to 78.63%] low computational and [30.38% to 51.91%] low communication costs while rendering enhanced security functions than the related security frameworks.

2.2. Paper Organization

The remaining paper is organized as follows. Section 3 explicates the models, such as authentication and attack, used in the construction of the RDAF-IIoT. Section 4 provides the explanation of RDAF-IIoT. In Section 5, the informal, ROM, and Scyther-based security analyses are presented. Performance comparison is presented in Section 6. Concluding remarks are explicated in Section 7.

3. System Models

3.1. Authentication Model

The authentication model comprises the following components. Figure 1 shows the authentication model employed for the proposed RDAF-IIoT.

Figure 1. Smart IIoT environment.

Gateway: $\left(G{W}_y\right|y=1,2,3,\cdots N)$: The registration authority (RA) is liable for registering gateway nodes ($G{W}_y$), and $G{W}_y$ equips Internet functionality to the IIoT-enabled devices stationed in the IIoT circumstances. In addition, $G{W}_y$ keeps the private credentials associated with the users and sensing devices. The $G{W}_y$ can connect the users through cellular and other internet connectivity.

Smart Sensing Node: ($S{N}_z|z=1,2,3,\cdots ,N$): All $S{N}_z$ are equipped with sensing, storage, and processing modules; however, these resources are constricted. In addition, $S{N}_z$ are the resource-constricted devices employed to sense the surrounding IIoT environment. $S{N}_z$ can communicate with $G{W}_y$ using wireless communication protocols, such as WiFi/6LoWPAN/Zigbee communication protocols. Using these wireless channels, $S{N}_z$ sends the collected information to $G{W}_y$.

User: $\left(U_x\right|x=1,2,3,\cdots ,N)$: $U_x$ has the smart devices ($SM{D}_{U_x}$), fitted with the biometric sensor. $U_x$ can intercommunicate with $S{N}_z$ through $G{W}_y$ and with $G{W}_y$ using cellular communication technology or wired network. $U_x$ mandates obtaining the real-time data from $S{N}_z$ stationed in the IIoT environment. Thus, a secure channel establishment scheme is proposed for the IIoT environment to prevent authorized information access in this paper. Table 2 demonstrates the various symbols employed in this paper.

Table 2. Notations Used in RDAF-IIoT.

Notation	Description
$U_x$	Symbolizes the remote user
$S{D}_{U_x}$	Symbolizes IoT enabled smart device
$G{W}_y$	Symbolizes the gateway
$I{D}_{U_x}$	Symbolizes identity and password of $U_x$, respectively
$P{W}_{U_x}$	Symbolizes password of $U_x$,
$TI{D}^c$	Symbolizes current identities
$TI{D}^{old}$	Symbolizes old identities,
$TI{D}_{G{W}_y}$	Symbolizes gateway identities,
$TI{D}_x$	Symbolizes temporary identities,
$Tm{e}_1$, $Tm{e}_2$, $Tm{e}_3$	Symbolizes timestamps
$Tm{e}_d$	Symbolizes allowed time delay
$Tm{e}_r$	Symbolizes received time
$I{V}_x$	Symbolizes initialization vectors, where $x=1,2,3\cdots n$
$E_k\left(Pt\right)$, $D_k\left(Ct\right)$	Symbolizes encryption of string “Pt” and decryption “Ct” employing AES
$R_y$	Symbolizes random numbers
$P_i$	Symbolizes plaintext $i=1,2,3,4,5,6,7$
$C{t}_j$	Symbolizes ciphertext $j=1,2,3\cdots 7$
$Bi{o}_{U_x}$, $\gamma$	Symbolizes user biometric and key, respectively
$Gen(·)$, $hld$, $Rep(·)$	Symbolizes key generation, helper data, and reproduction algorithm, respectively
⊕	Symbolizes XOR
$\left|\right|$, $H(·)$	Symbolizes concatenation and hash-function

3.2. Attack Model

The “Dolev–Yao (DY) model” [14,44,45] is repeatedly employed to investigate the security of AKA schemes. According to DY Model, the attacker can effectuate the MITM and impersonation attacks by capturing and modifying all the communication in the AKA schemes. An attacker can obtain a valid user’s identity for the traceability attack. In addition, in the registration procedure, the RA and other participants interact with each other via a secure channel. However, $U_x$, $G{W}_y$, and $S{N}_z$ communicate using the insecure channel while executing AKA process. The “Canetti–Krawczyk (CK) model”, which constructs additional noteworthy speculation than the DY model, is also contemplated. A malicious adversary can procure secure data incorporating the master key, session private credentials, and private key, employing the CK model.

4. The Proposed RDAF-IIoT Framework

The RDAF-IIoT comprises the registration of sensing device, user, and AKA phases. All the phases are explicated in detail in the following subsections.

4.1. Registration of Sensing Device

In this phase, the registration of the sensing device is performed. RA is responsible for the registration of the sensing device by executing the following procedure.

4.1.1. Step RDS-1

The RA selects a unique identity $TI{D}_{G{W}_y}$ and long-term secret key $K_{G{W}_y}$ for the gateway.

4.1.2. Step RDS-2

The RA selects the unique identity $TI{D}_{SN}$ for the sensor device and computes the secret key for the sensing device as $SKN=H(TI{D}_{SN}\Vert K_{G{W}_y}\Vert TI{D}_{G{W}_y})$. Finally, RA stores the parameters {$TI{D}_{SN}$, $SKN$} in the memory of the sensing device.

4.2. Registration User

In this phase, RA registers a user before allowing him/her to access the resource of the IIoT environment. For the registration of the user, RA executes the following steps.

4.2.1. Step RU-1

The user $U_x$ generates as random number $R_r$, unique identity $I{D}_{U_x}$, and password $P{W}_{U_x}$. In addition, $U_x$ has a smart device $SM{D}_{U_x}$ capable of sensing the biometric information $Bi{o}_{U_x}^{}$ of $U_x$. After sensing $Bi{o}_{U_x}^{}$, $SM{D}_{U_x}$ computes

$$\begin{array}{c}({\gamma }_1^{},hld)=Gen\left(Bi{o}_{U_x}^{}\right),\end{array}$$

(1)

$$\begin{array}{c}K{e}_1^{}=H({\gamma }_1^{}\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$$

(2)

$$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$$

(3)

$$\begin{array}{c}(C{t}_1^{},C{t}_2^{},C{t}_3^{})=E_{K{e}_1^{}}\{I{V}_1,P_1^{},P_2^{},P_3^{}\},\end{array}$$

(4)

$$\begin{array}{c}V{P}_1^{}=H(C{t}_1^{}\Vert C{t}_2^{}\Vert C{t}_3^{}\Vert {\gamma }_1^{}).\end{array}$$

(5)

In Equation (1), the biometric key ${\gamma }_1^{}$ and helper data $hld$ is computed by taking $Bi{o}_{U_x}^{}$ as the input parameter. The encryption key $K{e}_1^{}$ is computed in (2). In addition, $C{t}_1^{}$, $C{t}_2^{}$, and $C{t}_3^{}$ are computed by taking the $P_1^{}=I{D}_{U_x}$, $P_2^{}=P{W}_{U_x}$, and $P_3^{}={\gamma }_1^{}$ as the input parameters. Finally, $SM{D}_{U_x}$ derives the verification parameter $V{P}_1^{}$ in (5).

4.2.2. Step RU-2

Moreover, $SM{D}_{U_x}$ selects a unique pseudo identity $TI{D}_x$ and sends the credentials {$TI{D}_x$, $C{t}_3^{}$} to $G{W}_y$ using the secure channel. $G{W}_y$ stores the parameters {$TI{D}_x$, $C{t}_3^{}$} in its own database. In response, $G{W}_y$ sends the parameters, such as the list of the devices $TI{D}_{SN}$ and $TI{D}_{G{W}_y}$, to $SM{D}_{U_x}$ using a secure channel.

Remark 1.

In this paper, the fuzzy extractor (FE) is employed to derive the biometric key from the biometric information $Bi{o}_{U_x}^{}$ of the user. FE is the combination of two functions; one is a generator function dented by $Gen(.)$, and the other is a reproduction function $Rep(.)$. $Gen(.)$ function takes the $Bi{o}_{U_x}^{}$ and generate the biometric key and helper data. Moreover, the $Rep(.)$ function is used to reproduce the biometric key by taking the helper data and $Bi{o}_{U_x}^{}$. To reproduce the biometric key the condition $HD(Bi{o}_{U_x}^{{}^{\prime }},Bi{o}_{U_x}^{})\le errot$, where $errot$ is the error tolerance and $HD$ is the hamming distance.

4.2.3. Step RU-3

$SM{D}_{U_x}$, on receiving these parameters computes,

$$\begin{array}{c}{Z}_1=(TI{D}_{S{N}_z}\Vert C{t}_3)\oplus H(C{t}_2^{}\oplus C{t}_3^{})),\end{array}$$

(6)

$$\begin{array}{c}{Z}_2=(TI{D}_x\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^{}\oplus C{t}_3^{})).\end{array}$$

(7)

By performing the XOR operation between $(TI{D}_{S{N}_z}\Vert C{t}_3)$ and $H(C{t}_2^{}\oplus C{t}_3^{})$, the variable $Z_1$ is obtained. Similarly, $Z_2$ is obtained by performing XOR between $(TI{D}_x\Vert TI{D}_{G{W}_y})$ and $H(C{t}_2^{}\oplus C{t}_3^{})$. Subsequently, $SM{D}_{U_x}$ stores the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} in its own database.

4.3. Authenticated Key Agreement Phase

In this phase, the user $U_x$ and sensor node $S{N}_z$ establish a session key during the execution of AKA phase. For this purpose, the following steps are executed in AKA phase.

4.3.1. Step AKA-1

$U_x$ inserts its secret credentials, such as the identity $I{D}_{U_x}$ and $P{W}_{U_x}$ at the available interface of the smart device of the user $SM{D}_{U_x}$. In addition, $U_x$ imprints the biometric impression $Bi{o}_{U_x}^l$ on the biometric sensor deployed at $SM{D}_{U_x}$ and computes

$$\begin{array}{c}\left({\gamma }_1^l\right)=Rep(Bi{o}_{U_x}^l,hld),\end{array}$$

(8)

$$\begin{array}{c}K{e}_1^l=H({\gamma }_1^l\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$$

(9)

$$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$$

(10)

$$\begin{array}{c}(C{t}_1^l,C{t}_2^l,C{t}_3^l)=E_{K{e}_1^l}\{I{V}_1,P_1^l,P_2^l,P_3^l\},\end{array}$$

(11)

$$\begin{array}{c}V{P}_1^l=H(C{t}_1^l\Vert C{t}_2^l\Vert C{t}_3^l\Vert {\gamma }_1^l),\end{array}$$

(12)

$$\begin{array}{c}V{P}_1^l\stackrel{?}{=}V{P}_1,\end{array}$$

(13)

$$\begin{array}{c}(TI{D}_{S{N}_z}\Vert C{t}_3)=(Z_1\oplus H(C{t}_2^l\oplus C{t}_3^l)),\end{array}$$

(14)

$$\begin{array}{c}(TI{D}_x\Vert TI{D}_{G{W}_y})=(Z_2\oplus H(C{t}_2^l\oplus C{t}_3^l)).\end{array}$$

(15)

Equation (8) computes the biometric key using the input parameters $Bi{o}_{U_x}^l$ and $hld$, while Equation (9) calculates the encryption key for achieving encryption. Additionally, the initialization vector is determined in Equation (10). By following the encryption process outlined in Equation (11), the credentials, namely $C{t}_1^l$, $C{t}_2^l$, and $C{t}^{l}3$, can be obtained using $P_1^l=I{D}_{U_x}$, $P_2^l=P{W}_{U_x}$, and $P_3^l={\gamma }_1^l$ as the input parameters. To authenticate the user’s secret credentials locally, the verification parameter is computed in Equation (12) and validated in Equation (13). If the condition in Equation (13) is satisfied, $SMD{U}_x$/$U_x$ derives the parameters from $TI{D}_x$, $TI{D}_{G{W}_y}$, $TI{D}_{S{N}_z}$, and $C{t}_3$ as indicated in Equations (14) and (15).

$SD{U}_x/U_x$ picks randomly $R_1$ and timestamps $Tm{e}_1$, and computes

$$\begin{array}{c}I{V}_2=H(Tm{e}_1\Vert TI{D}_{G{W}_y}\Vert TI{D}_x),\end{array}$$

(16)

$$\begin{array}{c}(C{t}_a^{},C{t}_b^{})=E_{C{t}_3^{}}\{I{V}_2,TI{D}_{S{N}_j},R_1\},\end{array}$$

(17)

$$\begin{array}{c}V{P}_2^{}=H(TI{D}_{S{N}_j}\Vert R_1\Vert C{t}_3^{}\Vert C{t}_a^{}\Vert C{t}_b^{}),\end{array}$$

(18)

Equation (16) calculates the initialization vector, which plays a role in the encryption process. The encryption process itself is executed in Equation (17), utilizing the symmetric key $C{t}_3$. Furthermore, Equation (18) computes the verification parameter, which is employed to ensure data integrity. Lastly, $SD{U}_x/U_x$ constructs the message $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$ and transmits it to $G{W}_y$ through the open communication channel.

4.3.2. Step AKA-2

$G{W}_y$ validates the timeliness of the received message $ME{G}_1$ by checking the condition $Tm{e}_d\ge |Tm{e}_1-Tm{e}_r|$, where $Tm{e}_d$ represents the delay time, $Tm{e}_1$ is the generation time, and $Tm{e}_r$ is the received time of the message. If the message passes the validity check, $G{W}_y$ proceeds to verify $TI{D}_x\stackrel{?}{=}TI{D}_x^c$ and $TI{D}_x\stackrel{?}{=}TI{D}_i^{old}$. If there is no match found, $G{W}_y$ terminates the AKA process. Otherwise, it retrieves the parameter $C{t}_3^{}$ and performs further computations.

$$\begin{array}{c}I{V}_3=H(Tm{e}_1\Vert TI{D}_{G{W}_y}\Vert TI{D}_x),\end{array}$$

(19)

$$\begin{array}{c}(TI{D}_{S{N}_z},R_1)=D_{C{t}_3^{}}\{I{V}_3,C{t}_4^{},C{t}_5^{}\},\end{array}$$

(20)

$$\begin{array}{c}V{P}_3^{}=H(TI{D}_{S{N}_z}\Vert R_1\Vert C{t}_3^{}\Vert C{t}_a^{}\Vert C{t}_b^{}),\end{array}$$

(21)

$$\begin{array}{c}V{P}_3^{}\stackrel{?}{=}V{P}_2^{}.\end{array}$$

(22)

The initialization vector is computed in (19), which is used in the decryption process. In addition, from the decryption process, $G{W}_y$ obtains the plaintext $TI{D}_{S{N}_z}$ and $R_1$ and computes the verification parameter in (21). Finally, to ensure the integrity of the received message, $G{W}_y$ corroborates the condition in (22). If the condition does not hold, $G{W}_y$ stops the AKA process.

4.3.3. Step AKA-3

$G{W}_y$ generates $Tm{e}_2,R_2$, and pick new $TI{D}_x^{new}$ and computes

$$\begin{array}{c}{Z}_3=(C{t}_3\oplus R_1\oplus TI{D}_{G{W}_y}),\end{array}$$

(23)

$$\begin{array}{c}K{e}_2^{}=H(LGK\Vert TI{D}_{S{N}_z}),\end{array}$$

(24)

$$\begin{array}{c}I{V}_4=H(SI{D}_{S{N}_z}\oplus Tm{e}_2),\end{array}$$

(25)

$$\begin{array}{c}(C{t}_c^{},C{t}_d^{})=E_{K{e}_2^{}}\{I{V}_4,Z_3,TI{D}_x^{new}\},\end{array}$$

(26)

$$\begin{array}{c}V{P}_4^{}=H(SI{D}_{S{N}_z}\oplus Tm{e}_2\Vert Z_3\Vert TI{D}_x^{new}).\end{array}$$

(27)

Here, in (23), the plaintext is computed, and it will be encrypted using the encryption key $K{e}_2^{}$ derived in (24). In addition, the initialization vector is computed in (25), which is used in the encryption process to enhance the randomness of the ciphertext. Finally, $C{t}_c^{}$ and $C{t}_d^{}$ by performing the encryption, and the verification parameter is computed in (27). Moreover, $G{W}_y$ updates $TI{D}_x^c$ with $TI{D}_x^{new}$ and $TI{D}_i^{old}$ with $TI{D}_x^c$ in its own database. Finally, a message $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$ is constructed by $G{W}_y$ and transmitted to $S{N}_z$ using the public communication channel.

4.3.4. Step AKA-4

$ME{G}_2$ is received at $S{N}_z$ and its timeliness is validated through the condition $Tm{e}_d\ge |Tm{e}_2-Tm{e}_r|$. If the message is not replayed, then $S{N}_z$ computes

$$\begin{array}{c}I{V}_5=H(SI{D}_{S{N}_z}\oplus Tm{e}_2),\end{array}$$

(28)

$$\begin{array}{c}(Z_3,TI{D}_x^{new})=D_{SK{N}^{}}\{I{V}_5,C{t}_c^{},C{t}_d^{}\},\end{array}$$

(29)

$$\begin{array}{c}V{P}_5^{}=H(SI{D}_{S{N}_z}\oplus Tm{e}_2\Vert Z_3\Vert TI{D}_x^{new}),\end{array}$$

(30)

$$\begin{array}{c}V{P}_5^{}\stackrel{?}{=}V{P}_4^{}.\end{array}$$

(31)

If the condition in (31) holds, the message is considered to be a valid message.

4.3.5. Step AKA-5

To response $ME{G}_2$, $S{N}_z$ selects $Tm{e}_3$ and $R_3$ and computes

$$\begin{array}{c}I{V}_6=(Z_3\oplus SI{D}_{S{N}_z}),\end{array}$$

(32)

$$\begin{array}{c}{Z}_4=(Z_3\oplus SI{D}_{S{N}_z}\oplus R_3),\end{array}$$

(33)

$$\begin{array}{c}(C{t}_e^{},C{t}_f^{})=E_{Z_3}\{I{V}_6,Z_4,TI{D}_x^{new}\},\end{array}$$

(34)

$$\begin{array}{c}S{K}_{S{N}_Z}=H(SI{D}_{S{N}_z}\Vert Z_3\Vert Z_4\Vert Tm{e}_3),\end{array}$$

(35)

$$\begin{array}{c}V{P}_6^{}=H(Z_3\Vert Z_4\Vert S{K}_{S{N}_Z}\Vert Tm{e}_3\Vert SI{D}_{S{N}_z}),\end{array}$$

(36)

Finally, $S{N}_z$ constructs the message $ME{G}_3:\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ and transmitted the message to $U_x$ using the open communication channel.

4.3.6. Step AKA-6

$U_x$ validates the timeliness of the received message $ME{G}_3$ via the condition $Tm{e}_d\ge |Tm{e}_3-Tm{e}_r|$. The condition will be false if the message is replayed; otherwise, $ME{G}_3$ is considered as a valid message and $U_x$ computes

$$\begin{array}{c}{Z}_5=(C{t}_3^l\oplus R_1\oplus TI{D}_{G{W}_y}),\end{array}$$

(37)

$$\begin{array}{c}I{V}_7=(Z_5\oplus SI{D}_{S{N}_z}),\end{array}$$

(38)

$$\begin{array}{c}(Z_4,TI{D}_x^{new})=D_{Z_5}\{I{V}_7,C_e^{},C_f^{}\},\end{array}$$

(39)

$$\begin{array}{c}S{K}_{U_x}=H(SI{D}_{S{N}_z}\Vert Z_5\Vert Z_4\Vert Tm{e}_3),\end{array}$$

(40)

$$\begin{array}{c}V{P}_7^{}=H(Z_5\Vert Z_4\Vert S{K}_{S{N}_Z}\Vert Tm{e}_3\Vert SI{D}_{S{N}_z}),\end{array}$$

(41)

$$\begin{array}{c}V{P}_6^{}\stackrel{?}{=}V{P}_7^{}.\end{array}$$

(42)

The received message will be a valid message if the condition in (42) holds. Otherwise, $U_x$ drops the received message and stops the AKA phase. In addition, the validness of the condition (42) indicates both the session keys, which are derived at $U_x$ and $S{N}_z$, are the same, and mutual authentication successfully accomplished. Finally, $U_x$ computes $Z_2^{new}=(TI{D}_x^{new}\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^l\oplus C{t}_3^l)$ and updates $Z_2^{new}$ with $Z_2^{}$. The authentication process is summarized in Figure 2.

Figure 2. RDAF-IIoT AKA phase.

4.4. Bio-Metric/Password Change Phase

During this phase, the user has the option to change their password and update their biometric information. The following steps must be followed to successfully complete the bio-metric/password update phase.

4.4.1. Step BCP-1

$U_x$ need to provide the old biometric information and password and compute

$$\begin{array}{c}\left({\gamma }_1^o\right)=Rep(Bi{o}_{U_x}^o,hld),\end{array}$$

(43)

$$\begin{array}{c}K{e}_1^o=H({\gamma }_1^o\Vert I{D}_{U_x}\Vert P{W}_{U_x}^o),\end{array}$$

(44)

$$\begin{array}{c}I{V}_1^o=\left(R_1^o\right),\end{array}$$

(45)

$$\begin{array}{c}(C{t}_1^o,C{t}_2^o,C{t}_3^o)=E_{K{e}_1^o}\{I{V}_1^o,P_1^o,P_2^o,P_3^o\},\end{array}$$

(46)

$$\begin{array}{c}V{P}_1^o=H(C{t}_1^o\Vert C{t}_2^o\Vert C{t}_3^o\Vert {\gamma }_1^o),\end{array}$$

(47)

$$\begin{array}{c}V{P}_1^o\stackrel{?}{=}V{P}_1,\end{array}$$

(48)

$$\begin{array}{c}(TI{D}_{S{N}_z}\Vert C{t}_3)=(Z_1^{}\oplus H(C{t}_2^o\oplus C{t}_3^o)),\end{array}$$

(49)

$$\begin{array}{c}(TI{D}_x\Vert TI{D}_{G{W}_y})=(Z_2^{}\oplus H(C{t}_2^o\oplus C{t}_3^o)).\end{array}$$

(50)

If the condition (48) holds, a prompt message is generated to intimate $U_x$ to provide the new parameters.

4.4.2. Step BCP-2

$U_x$ after receiving the new parameters, such as $P{W}_{U_x}^n$ and $Bi{o}_{U_x}^n$. Moreover, $SM{D}_{U_x}$ picks $R_1^n$ computes

$$\begin{array}{c}\left({\gamma }_1^n\right)=Rep(Bi{o}_{U_x}^n,hl{d}^n),\end{array}$$

(51)

$$\begin{array}{c}K{e}_1^n=H({\gamma }_1^n\Vert I{D}_{U_x}\Vert P{W}_{U_x}^n),\end{array}$$

(52)

$$\begin{array}{c}I{V}_1^n=\left(R_1^n\right),\end{array}$$

(53)

$$\begin{array}{c}(C{t}_1^n,C{t}_2^n,C{t}_3^n)=E_{K{e}_1^n}\{I{V}_1^n,P_1^n,P_2^n,P_3^n\},\end{array}$$

(54)

$$\begin{array}{c}V{P}_1^n=H(C{t}_1^n\Vert C{t}_2^n\Vert C{t}_3^n\Vert {\gamma }_1^n),\end{array}$$

(55)

$$\begin{array}{c}{Z}_1^n=(TI{D}_{S{N}_z}\Vert C{t}_3)\oplus H(C{t}_2^n\oplus C{t}_3^n),\end{array}$$

(56)

$$\begin{array}{c}{Z}_2^n=(TI{D}_x\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^n\oplus C{t}_3^n).\end{array}$$

(57)

Finally, $U_x$ replaces the credentials {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} with {$Z_1^n$, $Z_2^n$, $R_r^n$, $V{P}_1^n$, $hl{d}^n$, $Gen(.)$, $Rep(.)$} in the memory of $SM{D}_{U_x}$.

5. Security Validation

The security strengths of the proposed RDAF-IIoT are validated through informal and formal security analysis. For the formal security analysis, the well-known mathematical method ROM is employed. In addition, Scyther, a software tool, is also used for the formal analysis.

5.1. Informal Security Analysis

In this section, the resiliency of the proposed RDAF-IIoT is corroborated against various attacks through informal (non-mathematical) analysis.

5.1.1. MITM Attack

There are three messages exchanged during the AKA phase. such as $ME{G}_1$:{$Tm{e}_1$, $TI{D}_x$, $C{t}_a^{}$, $C{t}_b^{}$, $V{P}_2^{}$}, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$. After capturing any of these communicated messages, $\mathcal{A}$ tries to modify the contents of messages. As $V{P}_2^{}$, $V{P}_4^{}$, and $V{P}_6^{}$ are validated at the receiving node to ensure the integrity of $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively. However, without knowing short-term and long-term secret credentials associated with $U_x$, $G{W}_y$, and $S{N}_z$, it is hard for $\mathcal{A}$ to compute $V{P}_2^{}$, $V{P}_4^{}$, and $V{P}_6^{}$ for the message $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively. In this way, the proposed RDAF-IIoT is resistant to MITM attack.

5.1.2. DoS Attack

The proposed RDAF-IIoT, $U_x$ achieves the local authentication by computing

$$\begin{array}{c}\left({\gamma }_1^{}\right)=Rep(Bi{o}_{U_x}^{},hld),\end{array}$$

(58)

$$\begin{array}{c}K{e}_1^{}=H({\gamma }_1^{}\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$$

(59)

$$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$$

(60)

$$\begin{array}{c}(C{t}_1^{},C{t}_2^{},C{t}_3^{})=E_{K{e}_1^{}}\{I{V}_1,P_1^{},P_2^{},P_3^{}\},\end{array}$$

(61)

$$\begin{array}{c}V{P}_1^{}=H(C{t}_1^{}\Vert C{t}_2^{}\Vert C{t}_3^{}\Vert {\gamma }_1^{}),\end{array}$$

(62)

$$\begin{array}{c}V{P}_1^l\stackrel{?}{=}V{P}_1.\end{array}$$

(63)

In the event that the condition stated in (63) is satisfied, $U_x$/$SM{D}_{U_x}$ transmits the AKA message to $G{W}_y$. Conversely, if the condition is not met, $U_x$/$SM{D}_{U_x}$ terminates the execution process. By employing a local authentication mechanism, the proposed RDAF-IIoT effectively safeguards against potential DoS attacks by thwarting the efforts of malicious yet legitimate $U_x$/$SM{D}_{U_x}$ entities attempting to flood $G{W}_y$ with a high volume of AKA messages.

5.1.3. Impersonation Attack

During the AKA phase, $U_x$ sends message, such as $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$ to $G{W}_y$ for further authentication of $U_x$. However, to impersonate as the valid $U_x$, $\mathcal{A}$ needs to generate a bogus $ME{G}_1^{{}^{\prime }}$ using random parameters. Moreover, without knowing the the parameters $TI{D}_{S{N}_j}$, $R_1$, and $C{t}_3^{}$, $\mathcal{A}$ cannot fabricate a valid $ME{G}_1^{}$. Similarly, $\mathcal{A}$ cannot generate a valid message, such as $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ without having the valid parameters used in the construction of these messages. Thus, the proposed scheme cannot provide protection against impersonation attacks.

5.1.4. Password Guessing Attack

After capturing $SM{D}_{U_x}$ of $U_x$, $\mathcal{A}$ obtains the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} through the power analysis attack. To perform the password-guessing attack, $\mathcal{A}$ selects the random secret credentials, such as $I{D}_{U_x}^{\mathcal{A}}$ and $P{W}_{U_x}^{\mathcal{A}}$, and $Bi{o}_{U_x}^{\mathcal{A}}$ and computes

$$\begin{array}{c}\left({\gamma }_1^{\mathcal{A}}\right)=Rep(Bi{o}_{U_x}^{\mathcal{A}},hld),\end{array}$$

(64)

$$\begin{array}{c}K{e}_1^{\mathcal{A}}=H({\gamma }_1^{\mathcal{A}}\Vert I{D}_{U_x}^{\mathcal{A}}\Vert P{W}_{U_x}^{\mathcal{A}}),\end{array}$$

(65)

$$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$$

(66)

$$\begin{array}{c}(C{t}_1^{\mathcal{A}},C{t}_2^{\mathcal{A}},C{t}_3^{\mathcal{A}})=E_{K{e}_1^{\mathcal{A}}}\{I{V}_1,P_1^{\mathcal{A}},P_2^{\mathcal{A}},P_3^{\mathcal{A}}\},\end{array}$$

(67)

$$\begin{array}{c}V{P}_1^{\mathcal{A}}=H(C{t}_1^{\mathcal{A}}\Vert C{t}_2^{\mathcal{A}}\Vert C{t}_3^{\mathcal{A}}\Vert {\gamma }_1^{\mathcal{A}}),\end{array}$$

(68)

$$\begin{array}{c}V{P}_1^{\mathcal{A}}\stackrel{?}{=}V{P}_1.\end{array}$$

(69)

In order to successfully change the password, the condition in (69) must hold. However, without knowing the valid secret parameters, such as $I{D}_{U_x}^{}$ and $P{W}_{U_x}^{}$, and $Bi{o}_{U_x}^{}$ or $({\gamma }_1^{}$ associated with the valid $U_x$, it hard for $\mathcal{A}$ to compute above computation. In this way, the proposed scheme is resistant to the password guessing attack.

5.1.5. Identity Guessing Attack

$\mathcal{A}$ after capturing the messages, such as $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ cannot obtain the real identity of $U_x$. In addition, $\mathcal{A}$ from the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} cannot obtain the real identity of $U_x$. In this way, the proposed scheme is resistant to the identity guessing attack.

5.1.6. Replay Attack

All the communicated messages, such as $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$ during the AKA phase of the scheme are incorporated with the latest timestamps. The conditions $Tm{e}_d\ge |Tm{e}_1-Tm{e}_r|$, $Tm{e}_d\ge |Tm{e}_2-Tm{e}_r|$, and $Tm{e}_d\ge |Tm{e}_3-Tm{e}_r|$ are checked at the receiving node for $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively, to detect the if the particular message is replayed or not. If the received message is not within the allowed time delay, the receiving node drops the messages and considers the received message as the replayed message. Hence, the RDAF-IIoT is resistant to replay attacks.

5.1.7. RPL Attack

In RDAF-IIoT, the session key is generated as $S{K}_{S{N}_z}(=S{K}_{U_x})=H(SI{D}_{S{N}_z}\Vert Z_5\Vert Z_4\Vert Tm{e}_3),\mathrm{where}(Z_5=Z_3=(C{t}_3^{}\oplus R_1\oplus TI{D}_{G{W}_y})$, which the combination of both the long term and short term parameters. Without knowing both long-term and short-term parameters, it is hard for $\mathcal{A}$ to generate a valid session key. Thus, the proposed RDAF-IIoT is resistant to RPL attack.

5.2. ROM Based Validation

The security of RDAF-IIoT is examined formally by employing ROM. The components of the ROM are demonstrated in Table 3. Capabilities of $\mathcal{A}$ are examined in Section 3.2. In addition, $\mathcal{A}$ effectuates the queries presented in Table 4 to generate various attacks on RDAF-IIoT.

Table 3. ROM Components.

Component	Description
Freshness	$\mathcal{A}$ cannot publicize the session key, which is designated between ${\varphi }_{U_x}^{p1}$ and ${\varphi }_{S{N}_z}^{p3}$ during the secure Channel establishment phase.
Partnership	At the acceptance state, the instances ${\varphi }_{U_x}^{p1}$ and ${\varphi }_{S{N}_z}^{p3}$ become partners if they retain a shared session key.
Participants	There are three primary participants/parties in RDAF-IIoT, such as $U_x$, $G{W}_y$, and $S{N}_z$. symbolize the instances $p1$, $p2$, and $p3$ of $U_x$, $G{W}_y$, and $S{N}_z$ are symbolized as ${\varphi }_{U_x}^{p1}$, ${\varphi }_{G{W}_y}^{p2}$, and ${\varphi }_{S{N}_z}^{p3}$, which are functioned as oracles.

Table 4. ROM Queries.

Query	Description
Execute $({\varphi }_{U_x}^{p1},{\varphi }_{G{W}_y}^{p2},{\varphi }_{S{N}_z}^{p3})$	A passive attack is modeled using this query. Via this query, $\mathcal{A}$ can model the passive attack, and $\mathcal{A}$ can also acquire all the messages transmitted while running the secure channel establishment process of the RDAF-IIoT.
Test $\left({\varphi }^{p1}\right)$	$\mathcal{A}$ utilizes this query to review whether the speculated session key is a correct session key or an arbitrary outcome.
Reveal $\left({\varphi }^{p1}\right)$	This query facilitates $\mathcal{A}$ to obtain the SK sustained by oracle ${\varphi }^{p1}$.
Send $({\varphi }^{p1},MEG)$	An active attack is launched via this query. In addition, ${\varphi }^{p1}$ can transmit a message $MEG$ to ${\varphi }^{p1}$ and obtains a response consequently.
CorruptSMD $\left({\varphi }^{p1}\right)$	To obtain the long-term credentials accumulated in the memory of $S{D}_i$, $\mathcal{A}$ employs this query.

Theorem 1.

Let $HS{E}_q^2$, $S{E}_q^{}$, $\left|PDL\right|$, and $2^{LBK}$, $\left|HOL\right|$ denote hash and send queries, password dictionary space, length/space of bio-metric key, hash output length, respectively. ${Adv}_{AES}^{IND-CPA}$ denotes the advantage of $\mathcal{A}$ in breaking the security of AES. The advantage of polynomial time ($pt$) adversary $\mathcal{A}$ to compromise the security of the session key generated between $U_x$ and $S{N}_z$ can be determine as follows

$$\begin{array}{c}\hfill {Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)\le \frac{HS{E}_q^2}{\left|HOL\right|}+\frac{S{E}_q^{}}{2^{LBK-1}·\left|PDL\right|}\\ \hfill +2·{Adv}_{AES}^{IND-CPA}.\end{array}$$

(70)

Proof. 

The proof of the Theorem (1) is derived in the same way as performed in [41,46,47,48]. Under ROM, $\mathcal{A}$ interacts with instances attempts to guess the bit “b”. If $\mathcal{A}$ guesses the correct bit, then RDAF-IIoT fails to provide the desired security. For proving the security of the proposed RADF-IIoT, the four games $\left(G{M}_p\right|p=0,1,2,3)$ are contemplated, where the likelihood of $\mathcal{A}$ to calculate the correct bit “b” is represented by $Ad{v}^{GM}$. All the games under ROM are explained as follows.

$GM0$: This game corresponds to the real attack under the ROM. By definition, the following can be reached

$${Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)=|2·Ad{v}^{GM0}-1|.$$

(71)

$GM1$: $\mathcal{A}$ executes the Execute$({\varphi }_{U_x}^{p1},{\varphi }_{G{W}_y}^{p2},{\varphi }_{S{N}_z}^{p3})$ and Send$({\varphi }^{p1},MEG)$ queries to captures $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$. The objective of $\mathcal{A}$ after capturing these messages is to construct the session key, derived as $S{K}_{S{N}_z}(=S{K}_{U_x})=H(SI{D}_{S{N}_z}\Vert Z_5\Vert Z_4\Vert Tm{e}_3),$where$(Z_5=Z_3=(C{t}_3^{}\oplus R_1\oplus TI{D}_{G{W}_y})$. Moreover, $\mathcal{A}$ performs the Test$\left({\varphi }^{p1}\right)$ query to know whether the obtained session key is the real or arbitrary number. It is worth mentioning that the constructed session key is the amalgamation of both the long and short-term parameters, such as $R_1$, $R_2$, $R_3$, $TI{D}_x$, $TI{D}_{U_x}$, and $TI{D}_{S{N}_x}$. In addition, $\mathcal{A}$ cannot access the database of $G{W}_y$, and the biometric key cannot be extracted by $\mathcal{A}$. Thus, the eavesdropping attack does not enable $\mathcal{A}$ to obtain any advantage. Hence, both $GM0$ and $GM1$ are indistinguishable. So, the following can be reached.

$$Ad{v}^{GM1}=Ad{v}^{GM0}$$

(72)

$GM2$: An active attack is established by $HS{E}_q^2$ and Send$({\varphi }^{p1},MEG)$ queries. As in RDAF-IIoT, the hash function generates SK on $U_x$ and $S{N}_z$. In addition, the parameter $V{P}_2^{}$, $V{P}_4^{}$, and $V{P}_6^{}$ are also computed using the hash function. $\mathcal{A}$ strives to locate the collision by making $HOL$ queries to compromise the security of SK. However, the likelihood of collision occurrence is nominal. Thus, by the birthday paradox.

$$\begin{array}{c}\hfill Ad{v}^{GM3}-Ad{v}^{GM2}\le \frac{S{E}_q^{}}{2^{LBK}·\left|PDL\right|}.\end{array}$$

(73)

$$Ad{v}^{GM2}-Ad{v}^{GM1}\le \frac{HS{E}_q^2}{2\left|HOL\right|}.$$

(74)

$GM3$: $CorruptSMD\left({\varphi }^{p1}\right)$ is used by $\mathcal{A}$ to generate an passive attack in this game. The purpose of $CorruptSMD\left({\varphi }^{p1}\right)$ is to obtain the data, such as {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, and $Rep(.)$} stored in the memory of the smart device of the user. The objective of $\mathcal{A}$ is the update the password and biometric information of the user. However, the biometric key is of length $\frac{1}{2^{LBK}}$, where the $LBK$ is the length of the biometric key and the probability of guessing the biometric key is $\frac{1}{2^{LBK}}$, which is nominal. In addition, $U_x$ is allowed to perform only a few wrong passwords tries. Under these conditions, the following can be reached.

$GM4$: An active attack is effectuated by $\mathcal{A}$ in this game. The objective of $\mathcal{A}$ is to retrieve the sensitive and secret parameters from $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$. As all the communicated messages are encrypted using symmetric encryption (AES). AES is secure to use, so to obtain the sensitive credentials from the $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, it is necessary for $\mathcal{A}$ to break the security of AES in polynomial time. It is hard for $\mathcal{A}$ to break the security of AES in polynomial time. Hence, the following can be reached

$$\begin{array}{c}\hfill Ad{v}^{GM4}-Ad{v}^{GM3}\le {Adv}_{AES,\mathcal{A}}^{IND-CPA}\left(pt\right).\end{array}$$

(75)

As all the games $\left(G{M}_p\right|p\in [0,3])$ are completed by $\mathcal{A}$, in repose $\mathcal{A}$ receives no significant advantage to obtain correct bit “b”. Thus, following can be reached

$$Ad{v}^{GM4}=1/2$$

(76)

From (71) and (72), following can be achieved

$${Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)=|2·Ad{v}^{GM0}-\frac{1}{2}|.$$

(77)

From (77), following can be achieved

$$\frac{1}{2}·{Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)=|Ad{v}^{GM0}-Ad{v}^{GM4}|.$$

(78)

By using (76) and (78), following can be achieved

$$\frac{1}{2}·{Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)=|Ad{v}^{GM1}-Ad{v}^{GM4}|$$

(79)

Upon considering the triangular inequality, the following can be reached.

$$\begin{array}{c}\hfill |Ad{v}^{GM1}-Ad{v}^{GM4}|\le |Ad{v}^{GM1}-Ad{v}^{GM2}|\\ \hfill +|Ad{v}^{GM2}-Ad{v}^{GM4}|\\ \hfill \le |Ad{v}^{GM1}-Ad{v}^{GM2}|+|Ad{v}^{GM2}-Ad{v}^{GM3}|\\ \hfill +|Ad{v}^{GM3}-Ad{v}^{GM4}|.\end{array}$$

(80)

By using (74), (75), and (80), following can be achieved

$$\begin{array}{c}\hfill {Adv}_{\mathcal{A}}^{RDAF-IIoT}\left(pt\right)\le \frac{HS{E}_q^2}{\left|HOL\right|}+\frac{S{E}_q^{}}{2^{LBK-1}·\left|PDL\right|}\\ \hfill +2·{Adv}_{AES,\mathcal{A}}^{IND-CPA}\left(pt\right).\end{array}$$

(81)

□

5.3. Scyther-Based Security Verification

Scyther serves as a user-friendly tool for verifying, falsifying, and analyzing security protocols. It stands out among other advanced tools by offering several novel components. By employing a pattern refinement algorithm, Scyther efficiently generates concise representations of trace sets, aiding in the examination of attack categories and potential protocol behaviors. Extensively used in research, Scyther is a freely available security protocol verification tool. The proposed implementation of the RDAF-IIoT employs the security protocol description language (SPDL). The SPDL script defines three prominent roles: $U_x$, $G{W}_y$, and $S{N}_z$. Each role is associated with specific claims outlined within the SPDL script. Scyther verifies all the claims, as demonstrated in Table 5 and Figure 3.

Table 5. Scyther Claim Verification.

Claims	For ${\mathbf{SMD}}_{{\mathit{U}}_{\mathit{x}}}/{\mathit{U}}_{\mathit{x}}$	Attack Status
Claim-i	$claim(UX,Secret,SK)$	No attack found
Claim-j	$claim(UX,Alive)$	No attack found
Claim-k	$claim(UX,Niagree)$	No attack found
Claim-l	$claim(UX,Nisynch)$	No attack found
Claim-m	$claim(UX,Weakagree)$	No attack found
Claims	For $G{W}_y$	Attack Status
Claim-i	-	No attack found
Claim-j	$claim(GWY,Alive)$	No attack found
Claim-k	$claim(GWY,Niagree)$	No attack found
Claim-l	$claim(GWY,Nisynch)$	No attack found
Claim-m	$claim(GWY,Weakagree)$	No attack found
Claims	For  $S{N}_z$	Attack Status
Claim-i	$claim(SNZ,Secret,SK)$	No attack found
Claim-j	$claim(SNZ,Alive)$	No attack found
Claim-k	$claim(SNZ,Niagree)$	No attack found
Claim-l	$claim(SNZ,Nisynch)$	No attack found
Claim-m	$claim(SNZ,Weakagree)$	No attack found

Figure 3. Scyther analysis of the device access phase of RDAF-IIoT.

6. Performance Comparison

The proposed RDAF-IIoT is compared with Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] regarding computational and communication costs. In addition, the security functionality is also considered as a performance measure. To compute the computational time, a system with “Intel(R) Core(TM) i5-2400 CPU @ 3.10 GHz”, operating system “Ubuntu,” and RAM 8 GB is used to simulate as $G{W}_y$. In addition, a system with “CPU Quad Core 1.2 GHz, BCM2837, operating system Ubuntu, and RAM 1 GB RAM’ (Raspberry Pi-3 (RPI3))’ is used to simulate the smart sensing device and smart device of the user. All the cryptographic primitives are implemented using the cryptographic library called “Pycrypto” and each cryptographic primitive is executed 100 times to estimate the average computational time. Table 6 tabulates the computational complexities of various cryptographic primitives.

Table 6. Computational Time Cryptographic Functions and Size of Various Parameters.

Cryptographic Function	RPI3	${\mathbf{GW}}_{\mathit{y}}$	Size of Parameters
Computational time of ECC multiplication ($T_{pm}$)	3.67 ms	0.85 ms	ECC = (320 bits)
Computational time of Symmetric Encryption (private key) ( $T_{enc}$)	0.454 ms	0.07 ms	Identity = (128 bits)
Computational time of ECC Addition ($T_{pa}$)	0.212 ms	0.00221 ms	Random parameters = (128 bits)
Computational time of hash function (SHA-256) ($T_h$)	0.37 ms	0.051 ms	hash output (256 bits)
Computational time of $FE$-based key generation($T_{bi}\approx T_{pm}$)	3.67 ms	0.85 ms	Timestamp size (32 bits)

6.1. Security Comparison

The proposed RDAF-IIoT is contrasted with Wazid et al. [34], Srinivas et al. [35], and Challa et al. [25] regarding the security features and functions. The scheme of Wazid et al. [34] is not secure against the identity de-synchronization attack. Srinivas et al. [35] yields a security strategy weak against identity guessing, MITM, and user and device impersonation attacks. In addition, the authentication strategy suggested in [35] has a design defect, due to which the authentication procedure cannot be accomplished. The security framework suggested in Challa et al. [25] user anonymity, privilege insider, password guessing, and stolen smart card attack. Nevertheless, the security framework RDAF-IIoT is more secure and reliable than the contrasted security framework, as shown in Table 7.

Table 7. Security Comparison.

Framework/Scheme	SC-I	SC-J	SC-K	SC-L	SC-M	SC-N	SC-O	SC-P
Wazid et al. [34]	✓	✓	✓	✓	✓	✓	×	✓
Srinivas et al. [35]	✓	×	✓	✓	✓	×	✓	✓
Challa et al. [25]	×	×	✓	✓	✓	✓	✓	✓
Irshad et al. [3]	✓	✓	✓	✓	✓	✓	✓	✓
RDAF-IIoT	✓	✓	✓	✓	✓	✓	✓	✓

SC-I: Privilege insider Attack, SC-J: Anonymity/Un-traceability, SC-K: Mutual Authentication, SC-L: MITM Attack, SC-M: Drone capture Attack, SC-N: Impersonation Attack, SC-O: De-Synchronization Attack, SC-P: Temporary Secret Leakage Attack, ✓: indicates the availability of feature; ×: represents non-availability of the feature.

6.2. Computational Cost

In this subsection, the computational cost of the proposed RDAF-IIoT is estimated. The computational time of ECC, ECC point addition, hash operation, symmetric encryption, and FE-based key generation is denoted by $T_{ecc}$, $T_{eca}$, $T_h$, $T_{enc}$, and $T_b$, respectively. To derive the computational cost of the proposed RDAF-IIoT, computational complexities listed in Table 6 are employed. Total computational cost of RDAF-IIoT is $18T_h+7T_{enc}+T_b\approx 11.145$ ms, which is 78.63%, 74.73%, 77.36%, and 75.58% better than Srinivas et al. [35], Challa et al. [25], and Wazid et al. [34]. Figure 4, Figure 5 and Figure 6 and Table 8 show the computational cost comparison at $U_x$, $G{W}_y$, and $S{N}_z$. Moreover, Figure 7 exhibits that with increasing the number, the proposed RDAF-IIoT requires less computational resources than Srinivas et al. [35], Challa et al. [25], and Wazid et al. [34].

Figure 4. Comparisons of computational cost at $U_x$ {[3,25,34,35]}.

Figure 5. Comparisons of computational cost at $G{W}_y$ {[3,25,34,35]}.

Figure 6. Comparisons of computational cost at $S{N}_z$ {[3,25,34,35]}.

Table 8. Computational Cost.

Scheme	Computational Cost at ${\mathit{U}}_{\mathit{x}}$ Side	Computational Cost at ${\mathbf{GW}}_{\mathit{y}}/\mathbf{RA}$ Side	Computational Cost at ${\mathbf{SN}}_{\mathit{z}}$ Side	Total Time (ms)
Srinivas et al. [35]	$16T_h+6T_{ecc}+2T_{eca}+T_b\approx$32.034 ms	$11T_h+2T_{ecc}+2T_{eca}\approx$2.26 ms	$8T_h+4T_{ecc}+T_{eca}\approx$17.852 ms	$35T_h+12T_{ecc}+5T_{eca}+T_b\approx$52.15 ms
Challa et al. [25]	$5T_h+5T_{ecc}+T_b\approx$23.870 ms	$4T_h+5T_{ecc}\approx$4.45 ms	$3T_h+4T_{ecc}\approx$15.79 ms	$12T_h+14T_{ecc}+T_b\approx$44.11 ms
Wazid et al. [34]	$19T_h+4T_{ecc}+T_{eca}+T_b\approx$25.59 ms	$T_h+5T_{ecc}+T_{eca}\approx$4.303 ms	$12T_h+4T_{ecc}+T_{eca}\approx$19.33 ms	$32T_h+13T_{ecc}+3T_{eca}+T_b\approx$49.22 ms
Irshad et al. [3]	$15T_h+4T_{ecc}+3T_{eca}+T_b\approx$24.53 ms	$9T_h+2T_{ecc}+2T_{eca}+2T_{enc}\approx$2.303 ms	$10T_h+4T_{ecc}+2T_{eca}\approx$18.80 ms	$34T_h+8T_{ecc}+7T_{eca}+T_b\approx$45.64 ms
RDAF-IIoT	$9T_h+3T_{enc}+T_b\approx$8.36 ms	$5T_h+2T_{enc}\approx$0.395 ms	$4T_h+2T_{enc}\approx$2.388 ms	$18T_h+7T_{enc}+T_b\approx$11.145 ms

Figure 7. Total computational cost required to complete the AKA phase {[3,25,34,35]}.

6.3. Communication Cost

To calculate the communication, which is required to accomplish the AKA phase, the parameters presented in Table 6 are used. There are three messages, such as $ME{G}_1$: $\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$: {$Tm{e}_3$, $C{t}_e^{}$, $C{t}_f^{}$, $V{P}_6^{}$} communicated during the AKA phase of the proposed RDAF-IIoT. The size of $ME{G}_1$, $ME{G}_2$, $ME{G}_3$ is {32 + 128 + 128 + 128 + 256} = 672 bits, {32 + 128 + 128 + 256} = 544 bits, and {32 + 128 + 128 + 128+ 256 } = 544 bits, respectively. Cumulative communication of the proposed RDAF-IIoT is {672 + 544 + 544 } = 1760 bits. The security framework of Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] require 2656 bits, 2528 bits, 3660 bits, and 3040 bits, respectively. Table 9 and Figure 8 show the communication efficiency of the proposed security framework than the relevant state of the security scheme.

Table 9. Communication Cost.

Framework	No. of Factors	Communication Cost	No. of Exchanged Messages
Srinivas et al. [35]	3F	2656 bits	3
Challa et al. [25]	3F	2528 bits	3
Wazid et al. [34]	3F	3660 bits	3
Irshad et al. [3]	3F	3040 bits	3
RDAF-IIoT	3F	1760 bits	3

Figure 8. Communication cost required to accomplish AKA phase {[3,25,34,35]}.

6.4. Discussion

The proposed RADF-IIoT adopts a resource-efficient approach by utilizing XoR operations, hash functions, and symmetric encryption, rather than relying on complex and computationally intensive public key cryptosystems. This design choice enables RADF-IIoT to minimize the computational resources required compared to other related security frameworks. By leveraging these lightweight cryptographic primitives, RADF-IIoT achieves efficient and effective security measures while reducing computational overhead.

Furthermore, in the proposed RADF-IIoT, the AKA process involves the exchange of a small number of parameters with small message sizes. This characteristic contributes to a reduced communication overhead in the RDAF-IIoT while still maintaining robust security features. By minimizing the amount of data transmitted during the authentication and key agreement process, the proposed RADF-IIoT optimizes communication efficiency without compromising the overall security of the system.

7. Conclusions

A security scheme to set up a session key between the user and the IIoT device is proposed in this paper called RDAF-IIoT. Moreover, during the AKA phase of RADF-IIoT, the established session key is used to achieve encrypted communication to avert various security attacks. It is through the informal security analysis proved that RDAF-IIoT is resistant to MITM and impersonation attacks. ROM is employed to corroborate the security of the session key generated in AKA phase of the proposed RDAF-IIoT. In addition, Scyther is utilized to corroborate that RDAF-IIoT is protected. Furthermore, the performance analysis illustrates that the proposed RDAF-IIoT required [74.73% to 78.63%] lower computational and [30.38% to 51.91%] lower communication costs than the related security schemes while providing enhanced security features.