A Secure Lightweight Three-Factor Authentication Scheme for IoT in Cloud Computing Environment

Abstract

With the development of cloud computing and communication technology, users can access the internet of things (IoT) services provided in various environments, including smart home, smart factory, and smart healthcare. However, a user is insecure various types of attacks, because sensitive information is often transmitted via an open channel. Therefore, secure authentication schemes are essential to provide IoT services for legal users. In 2019, Pelaez et al. presented a lightweight IoT-based authentication scheme in cloud computing environment. However, we prove that Pelaez et al.’s scheme cannot prevent various types of attacks such as impersonation, session key disclosure, and replay attacks and cannot provide mutual authentication and anonymity. In this paper, we present a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to resolve these security problems. The proposed scheme can withstand various attacks and provide secure mutual authentication and anonymity by utilizing secret parameters and biometric. We also show that our scheme achieves secure mutual authentication using Burrows–Abadi–Needham logic analysis. Furthermore, we demonstrate that our scheme resists replay and man-in-the-middle attacks usingthe automated validation of internet security protocols and applications (AVISPA) simulation tool. Finally, we compare the performance and the security features of the proposed scheme with some existing schemes. Consequently, we provide better safety and efficiency than related schemes and the proposed scheme is suitable for practical IoT-based cloud computing environment.

1. Introduction

With the recent advances in wireless sensor networks and embedded technologies, internet of things (IoT) connects objects and shares various useful data with internet through resource-constrained devices to provide convenient services for users such as smart home, healthcare, vehicle to everything and smart gird. However, a single server environment also is inefficient for IoT because an ocean of data is generated by resource-constrained devices such as microsensor, RFID tag and smart cards.

Cloud computing is a distributed computing mechanism for a large-scale data and allows sharing resources among all of the servers and users. The cloud computing provides five essential characteristics: on-demand self-services, ubiquitous network access, rapid elasticity, measured service and resource pooling [1,2]. On-demand self-service handles cloud services without human interaction and ubiquitous network access controls access service using standard protocols. Rapid elasticity and measured service optimize the resource usage. Resource pooling provides cloud service using homogeneous infrastructure among service users. The cloud computing deals with an ocean of data generated by devices and sensors and provides data managing service for users through these essential characteristics.

However, these services are vulnerable to potential attacks by malicious adversaries because they are provided through an open channel, including sensitive data of legitimate user about location, health, payment, etc. Therefore, a secure and efficient authentication for IoT environment has become essential security requirements to provide useful services to user.

In 1981, Lamport [3] proposed one factor user authentication scheme using passwords to ensure user’s privacy. However, security of the password based authentication scheme is easily broken because its security only relies on the passwords. In 2002, Chien et al. proposed two factor authentication scheme to overcome this security flaw using password and smart cards. However, their scheme is vulnerable to smart card stolen attack as the data stored in smart cards can be extracted by power analysis attacks [4]. When a malicious adversary obtains smart cards and password, they can perform various attacks such as impersonation, replay and insider attacks. To overcome the above-mentioned security weaknesses, three-factor authentication schemes have been proposed [5,6,7]. Biometrics (e.g., face, retina, fingerprint, iris, etc.) have several important characteristics: they cannot be lost or forgotten; they are hard to forge, copy, share or distribute; and they are difficult to guess.

In 2019, Pelaez et al. [8] demonstrated that the previous scheme is vulnerable to insider, off-line guessing and disclosure attacks and proposed enhanced IoT-based authentication scheme in cloud computing environment. This paper demonstrates that Pelaez et al.’s scheme does not withstand impersonation, session key disclosure and replay attacks. We also show that their scheme does not achieve secure mutual authentication and anonymity. Moreover, we propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to resolve these security weaknesses, considering computational costs.

1.1. Adversary Model

We present the Dolev–Yao (DY) model [9] to evaluate security of ours and previous schemes, which is widely accepted as security threat model. The detailed description of the DY model is as below:

• A malicious adversary can modify, intercept, delete or insert the transmitted messages via an open channel. A malicious adversary can obtain or steal the smart card of legitimate user and can extract the data stored in the smart card by using power-analysis [4].
• A malicious adversary can perform various attacks such as man-in-the-middle (MITM), replay, impersonation, and session key disclosure attack [10,11].

1.2. Our Contributions

Our contributions in this paper are as follows.

• We demonstrate that Pelaez et al.’s scheme is not secure against various attacks such as impersonation, session key disclosure and replay attacks and does not achieve secure mutual authentication and anonymity.
• We propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to address the security shortcomings of Pelaez et al.’s scheme. The proposed scheme withstands impersonation, session key disclosure, and replay attacks and achieve secure mutual authentication and anonymity. Moreover, the proposed scheme is more efficient than Pelaez et al.’s scheme because it utilizes only bitwise exclusive or (XOR) and hash operations.
• We prove that the proposed scheme provides secure mutual authentication using the Burrows–Abadi–Needham (BAN) logic [12] and perform an informal security analysis to prove that our scheme is secure against various attacks such as MITM, impersonation, replay and session key disclosure attacks. Furthermore, we compare the security properties and performance of proposed protocol with other related schemes.
• We perform a formal security analysis using the automated validation of internet security protocols and applications (AVISPA) simulation tool to prove that the proposed protocol resists the MITM and replay attacks.

1.3. Organization

We introduce the related works and review Pelaez et al.’s scheme in Section 2 and Section 3. In Section 4 and Section 5, we cryptanalyze Pelaez et al.’s scheme and propose a lightweight IoT-based three-factor authentication scheme in cloud computing environment to enhance the security shortcomings of Pelaez et al.’s scheme. Section 6 and Section 7 prove the security of proposed scheme and present the simulation analysis using AVISPA. In Section 8, we compare the security properties and performances of proposed protocol with other related schemes. Finally, Section 9 concludes the paper.

2. Related Works

In last few decades, numerous authentication and key agreement schemes have been proposed to ensure privacy of user, considering resource-constrained environments such as wireless sensor networks, global mobility networks and vehicular networks [3,13,14,15,16,17,18,19]. In 1981, Lamport [3] firstly proposed a lightweight password based user authentication scheme to provide secure communication. However, Lamport’s scheme has low security level because its security only relies on passwords. In 2002, Chien et al. [13] presented a two-factor user authentication protocol using smart card and password to resolve this problem. Unfortunately, the two-factor authentication schemes using password and smart cards cannot ensure user’s privacy [13,14,15,16,17,18,19], when the data stored in token (e.g., smart card, mobile device, etc.) are compromised.

Later, several authentication and key agreement schemes for IoT have been presented in various fields [20,21,22]. However, these environments are not suitable for IoT because it cannot handle a large number of data. In 2019, Zhou et al. [23] presented a lightweight IoT-based authentication scheme in cloud computing environment to overcome this issue. Zhou et al. claimed that their scheme can prevent various attacks such as insider, forgery and tracking attacks and provide secure mutual authentication and session key security. However, in 2019, Pelaez et al. [8] pointed out that Zhou et al.’s scheme [23] cannot withstand insider, off-line guessing and session key disclosure attacks and provide secure mutual authentication. To resolve these security problems, Pelaez et al. [8] presented a lightweight IoT-based authentication scheme in cloud computing environment. They also claimed that their scheme is secure against off-line password guessing, insider, impersonation and replay attacks.

3. Review of Pelaez et al.’s Scheme

We briefly review Pelaez et al.’s IoT based authentication scheme in cloud computing environment. Their scheme comprises of three processes: registration, authentication, and password change. These processes are presented as below (for details, see [8]).

3.1. User Registration Process

In Pelaez et al.’s scheme, a new user $U_i$ is registered from control server $CS$ via a secure channel. Figure 1 shows the user registration process of Pelaez et al.’s scheme. In Figure 1, $U_i$ sends the registration request to $CS$ and then $CS$ issues the smart cards.

Figure 1. User registration process of the Pelaez et al.’s scheme [8].

3.2. Cloud Server Registration Process

In Pelaez et al.’s scheme, a cloud server $S_j$ is registered from control server $CS$ via a secure channel. Figure 2 shows the cloud server registration process of the Pelaez et al.’s scheme. In Figure 2, $S_j$ sends the registration request to $CS$ and then $CS$ sends parameters $B_2$ and $B_3$ to $S_j$.

Figure 2. Cloud server registration process of the Pelaez et al.’s scheme [8].

3.3. Login Process

When $U_i$ wants to access the service, $U_i$ firstly sends login request message to $S_j$. In Figure 3, $U_i$ sends login request messages $\{T_U^{new},D_1,PI{D}_i,D_2\}$ to $S_j$, and then $S_j$ sends the messages $\{T_U^{new},D_1,PI{D}_i,D_2,T_S^{new},D_3,PSI{D}_j,D_4,D_5\}$ to $CS$ in order to check validation of $U_i$.

Figure 3. Login process of the Pelaez et al.’s scheme [8].

3.4. Authentication Process

After finishing the login process, $U_i$, $S_j$ and $CS$ perform mutual authentication with each entity, and then $U_i$ and $S_j$ can share the session key $S{K}_{U-S}$. Figure 4 shows the authentication process of the Pelaez et al.’s scheme.

Figure 4. Authentication process of the Pelaez et al.’s scheme [8].

4. Cryptanalysis of Pelaez et al.’s Scheme

In this section, we demonstrate that Pelaez et al.’s scheme does not resist replay, session key disclosure and impersonation attacks and show that their scheme does not achieve secure mutual authentication and anonymity.

4.1. Impersonation Attack

The impersonation attack is that a malicious adversary try to impersonate as a legitimate user. When a malicious adversary $U_{MA}$ may attempt to impersonate a legal user, $U_{MA}$ can easily generate the login request message of $U_i$. According to Section 1.1, $U_{MA}$ can obtain smart card of $U_i$ and can extract the data $\{PI{D}_i,C_2,C_3,C_4,h\left(n_U\right)\}$ stored in smart card. Furthermore, $U_{MA}$ intercepts the message transmitted via an open channel. Finally, $U_{MA}$ performs the impersonation attack as below:

Step 1:

A malicious adversary $U_{MA}$ can compute real identity $I{D}_i=C_2\oplus D_1$ of legitimate user $U_i$ and $h\left(n_U^{new}\right)=D_2\oplus C_3\oplus h(T_{MA}^{new}\left|\right|I{D}_i)$. Then, $U_{MA}$ generates timestamp $T_{MA}^{new}$ and random nonce $n_{MA}^{new}$, computes $D_{2MA}=C_3\oplus h(T_{MA}^{new}\left|\right|I{D}_i)\oplus h\left(n_{MA}^{new}\right)$, and sends $\{T_{MA}^{new},D_1,PI{D}_i,D_{2MA}\}$ to the $S_j$.

Step 2:

Upon getting the message from $U_{MA}$, the $S_j$ generates random nonces $T_S^{new}$ and $n_S^{new}$ and computes $D_3=B_2\oplus SI{D}_j$, $D_4=B_3\oplus h(T_S^{new}\left|\right|SI{D}_j)\oplus h\left(n_S^{new}\right)$ and $D_5=h(PI{D}_i\left|\right|T_{MA}^{new}\left|\right|SI{D}_j\left|\right|PSI{D}_j\left|\right|T_S^{new})$. Then, the $S_j$ sends $\{T_{MA}^{new},D_1,PI{D}_i,D_{2MA},T_S^{new},D_3,PSI{D}_j,D_4,D_5\}$ to the $CS$.

Step 3:

Upon getting the message from $S_j$, the $CS$ computes $C_2^{\ast }=h(PI{D}_i^{\ast }\left|\right|h(I{D}_{CS}\left|\right|x\left)\right|\left|h\right(I{D}_{CS}{\left|\right|y\left)\right)}^{\ast }\oplus h(I{D}_{CS}\left|\right|x)\oplus h(I{D}_{CS}\left|\right|y)$, $I{D}_i^{\ast }=h(PI{D}_i^{\ast }\left|\right|h(I{D}_{CS}\left|\right|x\left)\right|\left|h\right(I{D}_{CS}{\left|\right|y\left)\right)}^{\ast }\oplus h(I{D}_{CS}\left|\right|x)\oplus h(I{D}_{CS}\left|\right|y)\oplus D_1$ and $C_1^{\ast }=h(I{D}_i^{\ast }\left|\right|PI{D}_i)$. Then, the $CS$ checks whether $C_1^{\ast }\stackrel{?}{=}{C}_1$. If it is valid, the $CS$ authenticates $U_{MA}$. Then, the $CS$ computes $h{\left(n_{MA}^{new}\right)}^{\ast }=h(I{D}_i^{\ast }\left|\right|PI{D}_i^{\ast }\left|\right|h(I{D}_{CS}\left|\right|x\left)\right|\left|h\right(I{D}_{CS}{\left|\right|y\left)\right)}^{\ast }\oplus PI{D}_i^{\ast }\oplus h\left(x\right|\left|y\right)\oplus h(T_{MA}^{new}\left|\right|I{D}_i^{\ast }{)}^{\ast }\oplus D_2$. After that, the $CS$ computes $SI{D}_j^{\ast }=h(PSI{D}_j^{\ast }\left|\right|h(I{D}_{CS}\left|\right|z\left)\right|\left|h\right(I{D}_{CS}{\left|\right|y\left)\right)}^{\ast }\oplus h(I{D}_{CS}\left|\right|z)\oplus h(I{D}_{CS}\left|\right|y)\oplus D_3$ and $B_1^{\ast }=h(SI{D}_j^{\ast }\left|\right|PSI{D}_j^{\ast })$. Then, the $CS$ checks whether $B_1^{\ast }\stackrel{?}{=}{B}_1$. If it is valid, the $CS$ authenticate $S_j$. After that, the $CS$ recovers $h{\left(n_S^{new}\right)}^{\ast }=h(SI{D}_j^{\ast }\left|\right|PSI{D}_j^{\ast }\left|\right|h(I{D}_{CS}\left|\right|z\left)\right|\left|h\right(I{D}_{CS}{\left|\right|y\left)\right)}^{\ast }\oplus PSI{D}_j^{\ast }\oplus h\left(z\right|\left|y\right)\oplus h(T_S^{new}\left|\right|SI{D}_j^{\ast })\oplus D_4$. Then, the $CS$ computes $D_5^{\ast }=h(PI{D}_i^{\ast }\left|\right|T_{MA}^{new}\left|\right|SI{D}_j^{\ast }\left|\right|PSI{D}_j^{\ast }\left|\right|T_S^{new}{)}^{\ast }$ and checks whether $D_5^{\ast }\stackrel{?}{=}{D}_5$. If it is valid, the $CS$ have evidence of the connection attempt between $U_{MA}$ and $S_j$. To key agreement and mutual authentication, the $CS$ generates a random nonce $n_{CS}^{new}$ and computes the session key $S{K}_{MA-S}=h(h\left(n_{MA}^{new}\right)\oplus h\left(n_S^{new}\right)\oplus h(n_{CS}^{new}\left|\right|T_{CS}^{new}\left)\right)$. Then, the $CS$ computes $D_6=B_2\oplus h(T_S^{new}\left|\right|SI{D}_j)\oplus T_{CS}^{new}$, $D_{7MA}=h(n_{CS}^{new}\left|\right|T_{CS}^{new})\oplus h(SI{D}_j\left|\right|T_{CS}^{new})\oplus h\left(n_{MA}^{new}\right)$, $D_{8MA}=C_2\oplus h(T_{MA}^{new}\left|\right|I{D}_i)\oplus T_{CS}^{new}$, $D_9=h(n_{CS}^{new}\left|\right|T_{CS}^{new})\oplus h(I{D}_i\left|\right|T_{CS}^{new})\oplus h\left(n_S^{new}\right)$, $D_{10MA}=E_{SK}(h\left(n_{CS}^{new}\right)\oplus h(SI{D}_j\left|\right|PSI{D}_j\left|\right|B_2\left)\right)$ and $D_{11MA}=E_{SK}(h\left(n_{CS}^{new}\right)\oplus h(I{D}_i\left|\right|PI{D}_i\left|\right|C_2\left)\right)$. Finally, the $CS$ sends $\{D_6,D_{7MA},D_{10MA},D_{8MA},D_9,D_{11MA}\}$ to the $S_j$.

Step 4:

Upon getting the message from $CS$, the $S_j$ computes $T_{CS}^{new\ast }=B_2\oplus h(T_S^{new}\left|\right|SI{D}_j)\oplus D_6$, $h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast }\oplus h{\left(n_{MA}^{new}\right)}^{\ast }=h(SI{D}_j\left|\right|T_{cs}^{new})\oplus D_{7MA}$, $S{K}_{U-S}^{\ast }=h(h{\left(n_{MA}^{new}\right)}^{\ast }\oplus h\left(n_S^{new}\right)\oplus h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast })$ and decrypts $D_{SK\ast }\left(D_{10MA}\right)=h\left(n_{CS}^{new}\right)\oplus h(SI{D}_j\left|\right|PSI{D}_j\left|\right|B_2)=h{\left(n_{CS}^{new}\right)}^{\ast }$. After that, the $S_j$ sends $\{D_6,D_{7MA},D_{10MA},D_{8MA},D_9,D_{11MA}\}$ to the $U_{MA}$.

Step 5:

Upon getting the messages from $S_j$, the $U_{MA}$ computes $T_{CS}^{new\ast }=C_2\oplus h(T_{MA}^{new}\left|\right|I{D}_i)\oplus D_{8MA}$, $h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast }\oplus h{\left(n_S^{new}\right)}^{\ast }=h(I{D}_i\left|\right|T_{CS}^{new})\oplus D_9$, $S{K}_{MA-S}^{\ast }=h(h\left(n_U^{new}\right)\oplus h{\left(n_S^{new}\right)}^{\ast }\oplus h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast })$ and decrypts $D_{SK\ast }\left(D_{11MA}\right)=h\left(n_{CS}^{new}\right)\oplus h(I{D}_i\left|\right|PI{D}_i\left|\right|C_2)=h{\left(n_{CS}^{new}\right)}^{\ast }$. For mutual authentication with $S_j$, the $U_{MA}$ computes $M_{9MA}=$$\{E_{SK}\left(h\right(n_{CS}^{new}\left|\right|serverValue\left(challenge\right)\left)\right)\}$ and sends $M_{9MA}$ to the $S_j$.

Step 6:

Upon getting the messages from $U_{MA}$, the $S_j$ computes $D_{SK}\left(M_{9MA}\right)=h{\left(n_{CS}^{new}\right)}^{\ast }\left|\right|serverValue\left(challenge\right))$ and checks whether $h{\left(n_{CS}^{new}\right)}^{\ast }\stackrel{?}{=}h\left(n_{CS}^{new}\right)$. Finally, the $S_j$ computes $M_{10MA}=$$\{E_{SK}\left(serverValue\right(h\left(n_{CS}^{new}\right)\left|\right|T_{CS}^{new}\left)\right)\}$ and sends $M_{10MA}$ to the $U_{MA}$.

Step 7:

Upon getting the messages from $S_j$, the $U_{MA}$ computes $D_{SK}\left(M_{10MA}\right)$ = $serverValue\left(h\left(n_{CS}^{new}\right)\right|\left|T_{CS}^{new}\right)=$$h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast }$ and checks whether $h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast }\stackrel{?}{=}h(n_{CS}^{new}\left|\right|T_{CS}^{new})$.

$U_{MA}$ can successfully generates the login request message and session key between $U_{MA}$ and $S_j$. As a result, we show that Pelaez et al.’s scheme cannot withstand impersonation attack.

4.2. Session Key Disclosure Attack

The session key disclosure attack is that a malicious adversary can obtain the session key between $U_i$ and $S_j$. Pelaez et al. claimed that their scheme can ensure security of session key because a malicious adversary cannot obtain random nonce $n_U^{new}$, $n_S^{new}$, $n_{CS}^{new}$ and current timestamp $T_{CS}^{new}$. However, according to Section 1.1, a malicious adversary $U_{MA}$ can extract the data $\{PI{D}_i,C_2,C_3,C_4,h\left(n_U\right)\}$ stored in the smart card and can obtain the transmitted messages $D_1,D_2,T_U^{new},D_8,D_9$ via an open channel. Therefore, a malicious adversary $U_{MA}$ can easily compute session key $S{K}_{U-S}^{\ast }=h(h{\left(n_U^{new}\right)}^{\ast }\oplus h\left(n_S^{new}\right)\oplus h(n_{CS}^{new}\left|\right|T_{CS}^{new}{)}^{\ast })$.

4.3. Replay Attack

Replay attack is that a malicious adversary try to obtain sensitive messages of user using the messages transmitted in previous and current session. Pelaez et al. claimed that their scheme can resist replay attack because a malicious adversary $U_{MA}$ cannot obtain random nonce and timestamp. However, $U_{MA}$ can calculate the random nonce and timestamp of legitimate user correctly. According to 4.1, $U_{MA}$ also impersonates a legitimate user $U_i$. Therefore, $U_{MA}$ can obtain $n_U^{new}$, $n_S^{new}$ and $n_{CS}^{new}$ and timestamp $T_U^{new},$$T_S^{new}$ and $T_{CS}^{new}$. As a result, Pelaez et al.’s scheme does not withstand replay attack.

4.4. Mutual Authentication

Pelaez et al claimed that their protocol allows secure mutual authentication among the user $U_i$, the cloud server $S_j$, and the control server $CS$. However, according to Section 3.1, their protocol does not withstand to impersonation attack, as a malicious adversary $U_{MA}$ can successfully generate authentication request message $D_2=C_3\oplus h(T_U^{new}\left|\right|I{D}_i)\oplus h\left(n_U^{new}\right)$. Therefore, Pelaez et al.’s scheme does not achieve secure mutual authentication.

4.5. Anonymity

Pelaez et al claimed that a malicious adversary $U_{MA}$ cannot obtain the real identity $I{D}_i$ of legitimate user. However, according to Section 1.1, a malicious adversary $U_{MA}$ can extract the secret parameter $C_2$ stored in the smart card and can intercept the transmitted message $D_1$ via an open channel. $U_{MA}$ can also compute $I{D}_i=C_2\oplus D_1$ and easily obtain real identity of legitimate user $U_i$. Therefore, Pelaez et al.’s scheme does not guarantee anonymity.

5. Proposed Scheme

In this section, we propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to enhance security drawbacks of Pelaez et al.’s scheme. The proposed scheme consists of three processes: registration, login and authentication, and password change. The details of each process are presented below.

5.1. User Registration Process

A new user $U_i$ who requests the use of the IoT services must register with control server $CS$. Figure 5 shows the user registration process of proposed scheme and the detailed processes are as below.

Figure 5. User registration process of the proposed scheme.

Step 1:

The $U_i$ selects $I{D}_i$ and $P{W}_i$ and imprints biometric $BI{O}_i$. After that, $U_i$ computes $⟨R_i,P_i⟩$=$Gen\left(BI{O}_i\right)$, $RP{W}_i=h(P{W}_i\left|\right|R_i)$ and sends messages $\{I{D}_i,RP{W}_i\}$ to control server $CS$ via a secure channel.

Step 2:

After getting the messages from $U_i$, the $CS$ generates a random nonce $S_1$ and computes $RI{D}_i=h(I{D}_i\left|\right|h(S_1\left|\right|K_S\left)\right)$, $X_i=h(RI{D}_i\left|\right|K_S\left|\right|S_1)$, $A_i=X_i\oplus h(RI{D}_i\left|\right|RP{W}_i)$, and $B_i=h(X_i\left|\right|RP{W}_i)$. Then, the $CS$ stores $\left\{S_1\right\}$, $\{A_i,B_i\}$ in a database and smart card, respectively. The $CS$ sends $\left\{RI{D}_i\right\}$ and issues smart card to $U_i$ via a secure channel.

Step 3:

After getting the message and smart card from $CS$, the $U_i$ computes $Q_i=h(I{D}_i\left|\right|P{W}_i\left|\right|R_i)\oplus RI{D}_i$ and stores $\left\{Q_i\right\}$ in a smart card $SC$.

5.2. Cloud Server Registration Process

A cloud server $S_j$ must register with the control server $CS$ to provide IoT service to the users. Figure 6 shows the cloud server registration process of proposed scheme and the detailed processes are as below.

Figure 6. Cloud server registration process of the proposed scheme.

Step 1:

The cloud server $S_j$ selects $SI{D}_j$ and generates a random nonce $r_j$. After that, the $S_j$ sends messages $\{SI{D}_j,r_j\}$ to the $CS$ via a secure channel.

Step 2:

After getting the messages, the $CS$ generates a random nonce $S_2$ and computes $RSI{D}_j=h(SI{D}_j\left|\right|r_j\left|\right|K_S)$ and $S{I}_j=h(RSI{D}_j\left|\right|h(S_2\left|\right|K_S\left)\right)$. Then, the $CS$ stores $\left\{S_2\right\}$ in a database and sends messages $\{RSI{D}_j,S{I}_j\}$ to the $S_j$ via a secure channel.

Step 3:

After getting the messages, the $S_j$ stores $\{RSI{D}_j,S{I}_j\}$ in a database.

5.3. Login and Authentication Process

A user $U_i$ who requests access to IoT service must send a login request message to the $CS$. Figure 7 shows the login and authentication process of the proposed scheme. The detailed process is as below.

Figure 7. Login and authentication process of the proposed scheme.

Step 1:

The $U_i$ inputs $I{D}_i$, $P{W}_i$ and imprints biometric $BI{D}_i$. Then, the $U_i$ calculates $R_i=Rep(BI{O}_i,P_i)$, $RI{D}_i=h(I{D}_i\left|\right|P{W}_i\left|\right|R_i)\oplus Q_i$, $RP{W}_i=h(P{W}_i\left|\right|R_i)$, $X_i=A_i\oplus h(RI{D}_i\left|\right|RP{W}_i)$ and $B_i^{\ast }=h(X_i\left|\right|RP{W}_i)$. The $U_i$ checks whether $B_i^{\ast }\stackrel{?}{=}{B}_i$. If it is correct, the $U_i$ generates a random nonce $R{U}_i$. After that, the $U_i$ computes $M_1=R{U}_i\oplus X_i$, $CI{D}_i=I{D}_i\oplus h(X_i\left|\right|R{U}_i)$ and $M_2=h(I{D}_i\left|\right|X_i\left|\right|R{U}_i)$ and sends login request messages $\{M_1,M_2,CI{D}_i,RI{D}_i\}$ to the $S_j$ via an open channel.

Step 2:

Upon getting the messages from the $U_i$, the $S_j$ generates a random nonce $R{S}_j$ and computes $D_1=S{I}_j\oplus R{S}_j$, $CSI{D}_j=SI{D}_j\oplus h(S{I}_j\left|\right|R{S}_j)$ and $D_2=h(SI{D}_j\left|\right|S{I}_j\left|\right|R{S}_j)$. Then, the $S_j$ sends the messages $\{M_1,M_2,CI{D}_i,RI{D}_i,D_1,D_2,CSI{D}_j,RSI{D}_j\}$ to the $CS$ via an open channel.

Step 3:

Upon getting the messages from the $S_j$, the $CS$ computes $X_i=h(RI{D}_i\left|\right|K_S\left|\right|S_1)$, $R{U}_i=M_1\oplus X_i$, $I{D}_i=CI{D}_i\oplus h(X_i\left|\right|R{U}_i)$, and $M_2^{\ast }=h(I{D}_i\left|\right|X_i\left|\right|R{U}_i)$ and checks whether $M_2^{\ast }\stackrel{?}{=}{M}_2$. If it is correct, the $CS$ computes $S{I}_j=h(RSI{D}_j\left|\right|h(S_2\left|\right|K_S\left)\right)$, $R{S}_j=h\left(D_1\right)\oplus S{I}_j$, $SI{D}_j=CSI{D}_j\oplus h(S{I}_j\left|\right|R{S}_j)$, and $D_2^{\ast }=h(SI{D}_j\left|\right|S{I}_j\left|\right|R{S}_j)$ and checks whether $D_2^{\ast }\stackrel{?}{=}{D}_2$. If it is valid, the $CS$ computes $M_3=R{S}_j\oplus h(I{D}_i\left|\right|R{U}_i)$, $D_3=R{U}_i\oplus h(SI{D}_j\left|\right|R{S}_j)$ and $Q_{CS}=h(R{U}_i\left|\right|R{S}_j\left|\right|S{I}_j)$. Then, the $CS$ updates $RI{D}_i$ to $RI{D}_i^{new}$ and replaces $\left\{RI{D}_i\right\}$ with $\left\{RI{D}_i^{new}\right\}$. Finally, the $CS$ sends messages $\{M_3,D_3,Q_{CS}\}$ to the $S_j$.

Step 4:

Upon getting the messages from the $CS$, the $S_j$ computes $R{U}_i=D_3\oplus h(SI{D}_j\left|\right|R{S}_j)$ and $Q_{CS}^{\ast }=h(R{U}_i\left|\right|R{S}_j\left|\right|S{I}_j)$ and checks whether $Q_{CS}^{\ast }\stackrel{?}{=}{Q}_{CS}$. If it is valid, the $S_j$ computes $S{K}_i=h(R{U}_i\left|\right|R{S}_j)$ and $Q_{CU}=h(R{U}_i\left|\right|R{S}_j\left|\right|S{K}_i)$ and sends messages $\{M_3,Q_{CU}\}$ to the $U_i$.

Step 5:

Upon getting the messages from the $S_j$, the $U_i$ computes $R{S}_j=M_3\oplus h(I{D}_i\left|\right|R{U}_i)$, $S{K}_i=h(R{U}_i\left|\right|R{S}_j)$ and $Q_{CU}^{\ast }=h(R{U}_i\left|\right|R{S}_j\left|\right|S{K}_i)$ and checks whether $Q_{CU}^{\ast }\stackrel{?}{=}{Q}_{CU}$. If it is correct, the $U_i$ computes $RI{D}_i^{new}=h(RI{D}_i\left|\right|h(R{U}_i\left|\right|R{S}_j\left)\right)$ and $RI{D}_i$ to $RI{D}_i^{new}$. After that, the smart card updates $A_i^{new}=X_i\oplus h(RI{D}_i^{new}\left|\right|RP{W}_i$) and $Q_i^{new}=h(I{D}_i\left|\right|P{W}_i\left|\right|R_i)\oplus RI{D}_i^{new}$ and replaces $\{A_i,Q_i\}$ with $\{A_i^{new},Q_i^{new}\}$. As a result, the $U_i$, $S_j$ and $CS$ achieve the mutual authentication successfully.

5.4. Password Change Process

When $U_i$ wants to update his/her password, the $U_i$ can freely update their password in the proposed scheme. Figure 8 shows the password change process of the proposed scheme. The detailed process is as below.

Figure 8. Password change process of the proposed scheme.

Step 1:

The $U_i$ chooses $I{D}_i^{\ast }$, $P{W}_i^{\ast }$ and imprints biometrics $BI{O}_i^{\ast }$. Then, the $U_i$ calculates $⟨R_i,P_i⟩$=$Gen\left(BI{O}_i^{\ast }\right)$, $RP{W}_i^{\ast }=h(P{W}_{MU}\left|\right|R_i)$ and sends $\{I{D}_{MU}^{\ast },RP{W}_i^{\ast }\}$ to the smart card $SC$.

Step 2:

After getting the message from $U_i$, the $SC$ computes $X_i^{\ast }=A_i^{\ast }\oplus h(I{D}_i^{\ast }\left|\right|RP{W}_i^{\ast })$ and $B_i^{\ast }=h(X_i^{\ast }\left|\right|RP{W}_i^{\ast })$ and checks whether $B_i^{\ast }\stackrel{?}{=}{B}_i$. If it is equal, the $SC$ sends the authentication message to the $U_i$.

Step 3:

Upon getting the message from the $SC$, the $U_i$ inputs a new password $P{W}_i^{new}$ and imprints a new biometrics $BI{O}_i^{new}$. $U_i$ computes $⟨R_i^{new},P_i^{new}⟩$=$Gen\left(BI{O}_i^{new}\right)$, $RP{W}_i^{new}=h(P{W}_i^{new}\left|\right|R_i^{new})$ and sends $\left\{RP{W}_i^{new}\right\}$ to the $SC$.

Step 4:

Upon getting the message from the $U_i$, the $SC$ computes $A_i^{new}=X_i^{\ast }\oplus h(I{D}_i^{\ast }\left|\right|RP{W}_i^{new})$, $B_i^{new}=h(X_i^{\ast }\left|\right|RP{W}_i^{new})$ and replaces $\{A_i,B_i\}$ with $\{A_i^{new},B_i^{new}\}$.

6. Security Analysis

To assess secure mutual authentication of the proposed scheme, we utilize the BAN logic, which is widely accepted formal security model. Furthermore, we perform an informal security analysis to assess the safety of proposed scheme against various types of attacks.

6.1. Informal Security Analysis

The security of the proposed scheme is accessed utilizing an informal security analysis. Our scheme can withstand against various types of attacks, including impersonation, replay, session key disclosure attacks, and allows secure mutual authentication and anonymity.

6.1.1. Impersonation Attack

When a malicious adversary $U_{MA}$ may attempt to impersonate a legitimate user, $U_{MA}$ must generate a login request message $M_2=h(I{D}_i\left|\right|X_i\left|\right|R{U}_i)$ correctly. However, $U_{MA}$ cannot compute it because $U_{MA}$ cannot obtain $U_i$’s random nonce $R{U}_i$, real identity $I{D}_i$, and secret parameter $X_i$. Therefore, our scheme is secure against the impersonation attack because $U_{MA}$ cannot calculate a login request message successfully.

6.1.2. Replay Attack

If a malicious adversary $U_{MA}$ may attempt to impersonate legal user by resending messages transmitted in a previous session, $U_{MA}$ cannot utilize the previous messages because the $CS$ checks whether $M_2^{\ast }\stackrel{?}{=}{M}_2$ and $D_2^{\ast }\stackrel{?}{=}{D}_2$, respectively. Furthermore, our scheme can withstand replay attack by using dynamic random nonce $R{U}_i$ and $R{S}_j$ that are changed every session. Therefore, our scheme protects against replay attack.

6.1.3. Session Key Disclosure Attack

In our scheme, a malicious adversary $U_{MA}$ cannot compute session key $S{K}_i$ because $U_{MA}$ cannot obtain random nonce $R{U}_i$ and $R{S}_j$. In addition, $U_{MA}$ cannot obtain random nonce $R{U}_i$ and $R{S}_j$ without secret parameter $X_i$ and $S{I}_j$. Consequently, our scheme withstands the session key disclosure attack.

6.1.4. Smart card Stolen Attack

According to Section 1.1, we suppose that a $U_{MA}$ can obtain a smart card and extract the data $\{A_i,B_i,Q_i\}$ stored in the smart card. However, the $U_{MA}$ cannot obtain sensitive information $I{D}_i$ and $P{W}_i$ of legitimate user because the data stored in the smart card are protected $A_i=X_i\oplus h(RI{D}_i\left|\right|RP{W}_i)$, $B_i=h(X_i\left|\right|RP{W}_i)$ and $Q_i=h(I{D}_i\left|\right|P{W}_i\left|\right|R_i)\oplus RI{D}_i$ by using a hash function and XOR operation.

6.1.5. Mutual Authentication

In our scheme, after getting the request message $\{M_1,M_2,CI{D}_i,RI{D}_i\}$ from the $U_i$, the control server $CS$ checks whether $M_2^{\ast }\stackrel{?}{=}{M}_2$. If it is correct, $CS$ authenticates $U_i$. After getting the messages $\{D_1,D_2,CSI{D}_j,RSI{D}_j\}$ from cloud server $S_j$, the $CS$ checks whether $D_2^{\ast }\stackrel{?}{=}{D}_2$. If it is equal, $CS$ authenticates $S_j$. After getting the messages $\{M_3,D_3,Q_{CS}\}$ from the $CS$, the $S_j$ checks whether $Q_{CS}^{\ast }\stackrel{?}{=}{Q}_{CS}$. If it is correct, $S_j$ authenticates $CS$. After getting the messages $\left\{Q_{CU}\right\}$ from the $S_j$, the $U_i$ checks whether $Q_{CU}^{\ast }\stackrel{?}{=}{Q}_{CU}$. Finally, the $U_i$ authenticates $S_j$. As a result, our scheme achieve secure mutual authentication among $U_i$, $S_j$, and $CS$ because a malicious adversary $U_{MA}$ does not know secret parameters $X_i$ and $S{I}_j$.

6.1.6. Anonymity

A malicious adversary $U_{MA}$ cannot obtain the real identity $I{D}_i$ of legitimate user because it is masked by using hash function and XOR operation such as $CI{D}_i=I{D}_i\oplus h(X_i\left|\right|R{U}_i)$. In addition, the $U_{MA}$ cannot obtain secret parameter $X_i$ and random nonce $R{U}_i$. Consequently, our scheme provides anonymity.

6.2. Security Features

We shows the better security levels achieved by the proposed scheme compared with some existing schemes [8,23,24,25]. The existing schemes are insecure against various attacks, including impersonation, session key disclosure smart card stolen, and replay attacks and cannot provide mutual authentication and anonymity. Table 1 shows the analysis results of the security features.

Table 1. Security features comparison.

Security Features	Xue et al. [24]	Amin et al. [25]	Zhou et al. [23]	Pelaez et al. [8]	Ours
Impersonation attack	×	×	×	×	∘
Smart card stolen attack	×	×	∘	×	∘
Session key disclosure attack	×	∘	×	×	∘
Replay attack	∘	∘	×	×	∘
Anonymity	×	∘	∘	×	∘
Mutual authentication	×	∘	×	×	∘

∘, preserves the security features; ×, does not preserve the security features;

6.3. BAN Logic Based Authentication Proof

We performed security analysis utilizing the BAN logic to demonstrate the secure mutual authentication of the proposed scheme. We present the BAN logic notations in Table 2. Furthermore, we define the rules, the goals, the idealized form, and the assumptions for BAN logic analysis. We prove that the proposed scheme provides secure mutual authentication among $U_i$, $S_j$ and $CS$.

Table 2. Notations for BAN logic.

Notation	Description
$A|\equiv X$	Abelieves statement X
#X	Statement X is fresh
$A⊲X$	Asees statement X
$A|\sim X$	A once said X
$A\Rightarrow X$	A has got jurisdiction of X
$<X{>}_Y$	X is combined with Y
${\left\{X\right\}}_K$	X is encrypted under key K
$A\stackrel{K}{\leftrightarrow }B$	A and B may use shared key K to communicate
$SK$	Session key used in the current session

6.3.1. BAN Logic Rules

The rules of BAN logic are as below.

• Message meaning rule:

  $$\frac{A|\equiv A\stackrel{K}{\leftrightarrow }B,A⊲{\left\{X\right\}}_K}{A\left|\equiv B\right|\sim X}$$
• Nonce verification rule:

  $$\frac{A\left|\equiv \#\left(X\right),A\right|\equiv B|\sim X}{A\left|\equiv B\right|\equiv X}$$
• Jurisdiction rule:

  $$\frac{A\left|\equiv B\right|⟹X,A\left|\equiv B\right|\equiv X}{A|\equiv X}$$
• Freshness rule:

  $$\frac{A|\equiv \#(X)}{A|\equiv \#\left(X,Y\right)}$$
• Belief rule:

  $$\frac{A|\equiv \left(X,Y\right)}{A|\equiv X.}$$

6.3.2. Goals

To assess the BAN logic proof, we present the goals of the proposed scheme as below.

Goal 1:

$U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 2:

$S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 3:

$U_i\mid \equiv S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

Goal 4:

$S_j\mid \equiv U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

6.3.3. Idealized Forms

To assess the BAN logic proof, we define the assumptions of the proposed scheme as below.

Msg₁:

$U_i\to S_j$: ${(RI{D}_i,I{D}_i,R{U}_i)}_{X_i}$

Msg₂:

$S_j\to CS$: ${(RI{D}_i,I{D}_i,R{U}_i,RSI{D}_j,SI{D}_j,R{S}_j)}_{S{I}_j}$

Msg₃:

$CS\to S_j$: ${(I{D}_i,SI{D}_j,R{U}_i,R{S}_j)}_{S{I}_j}$

Msg₄:

$S_j\to U_i$: ${(I{D}_i,R{U}_i,R{S}_j,\left(U_i\stackrel{SK}{⟷}{S}_j\right))}_{X_i}$

6.3.4. Assumptions

We present the initial assumptions to assess the BAN logic proof.

A₁:

$S_j\mid \equiv \left(U_i\stackrel{X_i}{⟷}{S}_j\right)$

A₂:

$S_j\mid \equiv \#\left(R{U}_i\right)$

A₃:

$CS\mid \equiv \left(CS\stackrel{S{I}_j}{⟷}{S}_j\right)$

A₄:

$CS\mid \equiv \#\left(R{S}_j\right)$

A₅:

$S_j\mid \equiv \left(CS\stackrel{S{I}_j}{⟷}{S}_j\right)$

A₆:

$FA\mid \equiv \#\left(R{S}_j\right)$

A₇:

$U_i\mid \equiv \left(U_i\stackrel{X_i}{⟷}{S}_j\right)$

A₈:

$U_i\mid \equiv \#\left(R{S}_j\right)$

A₉:

$U_i\mid \equiv S_j\Rightarrow \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

A₁₀:

$S_j\mid \equiv U_i\Rightarrow \left(U_i\stackrel{SK}{⟷}{S}_j\right)$

6.3.5. Proof Using BAN Logic

The proof then proceeds as below.

Step 1:

According to $Ms{g}_1$, we could get

$$\left(S_1\right):S_j⊲{(RI{D}_i,I{D}_i,R{U}_i)}_{X_i}$$

Step 2:

Using the message meaning rule with $S_1$ and $A_1$, we get

$$\left(S_2\right):S_j\mid \equiv U_i\mid \sim {(RI{D}_i,I{D}_i,R{U}_i)}_{X_i}$$

Step 3:

From the freshness rule with $S_2$ and $A_2$, we obtain

$$\left(S_3\right):S_j\mid \equiv \#{(RI{D}_i,I{D}_i,R{U}_i)}_{X_i}$$

Step 4:

Using the nonce verification with $S_2$ and $S_3$, we get

$$\left(S_4\right):S_j\mid \equiv U_i\mid \equiv {(RI{D}_i,I{D}_i,R{U}_i)}_{X_i}$$

Step 5:

From the belief rule with $S_4$, we obtain

$$\left(S_5\right):S_j\mid \equiv U_i\mid \equiv {\left(R{U}_i\right)}_{X_i}$$

Step 6:

According to $Ms{g}_2$, we could get

$$\left(S_6\right):CS⊲{(RI{D}_i,I{D}_i,R{U}_i,RSI{D}_j,SI{D}_j,R{S}_j)}_{S{I}_j}$$

Step 7:

Using the message meaning rule with $S_6$ and $A_3$, we get

$$\left(S_7\right):CS\mid \equiv S_j\mid \sim {(RI{D}_i,I{D}_i,R{U}_i,RSI{D}_j,SI{D}_j,R{S}_j)}_{S{I}_j}$$

Step 8:

From the freshness rule with $S_7$ and $A_4$, we obtain

$$\left(S_8\right):CS\mid \equiv \#{(RI{D}_i,I{D}_i,R{U}_i,RSI{D}_j,SI{D}_j,R{S}_j)}_{S{I}_j}$$

Step 9:

Using the nonce verification rule with $S_7$ and $S_8$, we get

$$\left(S_9\right):CS\mid \equiv S_j\mid \equiv {(RI{D}_i,I{D}_i,R{U}_i,RSI{D}_j,SI{D}_j,R{S}_j)}_{S{I}_j}$$

Step 10:

According to $Ms{g}_3$, we could get

$$\left(S_{10}\right):S_j⊲{(I{D}_i,SI{D}_j,R{U}_i,R{S}_j)}_{S{I}_j}$$

Step 11:

Using the message meaning rule with $S_{10}$ and $A_5$, we get

$$\left(S_{11}\right):S_j\mid \equiv CS\mid \sim {(I{D}_i,SI{D}_j,R{U}_i,R{S}_j)}_{S{I}_j}$$

Step 12:

From the freshness rule with $S_{11}$ and $A_6$, we obtain

$$\left(S_{12}\right):S_j\mid \equiv \#{(I{D}_i,SI{D}_j,R{U}_i,R{S}_j)}_{S{I}_j}$$

Step 13:

Using the nonce verification rule with $S_{11}$ and $S_{12}$, we get

$$\left(S_{13}\right):S_j\mid \equiv CS\mid \equiv {(I{D}_i,SI{D}_j,R{U}_i,R{S}_j)}_{S{I}_j}$$

Step 14:

According to $Ms{g}_4$, we could get

$$\left(S_{14}\right):U_i⊲{(I{D}_i,R{U}_i,R{S}_j,\left(U_i\stackrel{SK}{⟷}{S}_j\right))}_{X_i}$$

Step 15:

Using the message meaning rule with $S_{14}$ and $A_7$, we get

$$\left(S_{15}\right):U_i\mid \equiv S_j\mid \sim {(I{D}_i,R{U}_i,R{S}_j,\left(U_i\stackrel{SK}{⟷}{S}_j\right))}_{X_i}$$

Step 16:

From the freshness rule with $S_{15}$ and $A_8$, we obtain

$$\left(S_{16}\right):U_i\mid \equiv \#{(I{D}_i,R{U}_i,R{S}_j,\left(U_i\stackrel{SK}{⟷}{S}_j\right))}_{X_i}$$

Step 17:

Using the nonce verification with $S_{15}$ and $S_{16}$, we get

$$\left(S_{17}\right):U_i\mid \equiv S_j\mid \equiv {(I{D}_i,R{U}_i,R{S}_j,\left(U_i\stackrel{SK}{⟷}{S}_j\right))}_{X_i}$$

Step 18:

From the belief rule with $S_{17}$, we obtain

$$\left(S_{18}\right):U_i\mid \equiv S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{3}\right)$$

Step 19:

Using the jurisdiction rule with $S_{18}$ and $A_9$, we get

$$\left(S_{19}\right):U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{1}\right)$$

Step 20:

Because of $SK=h\left(R{U}_i\right|\left|R{S}_j\right)$, from the $S_5$, $S_9$, $S_{13}$ and $S_{17}$ we could get

$$\left(S_{20}\right):S_j\mid \equiv U_i\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{4}\right)$$

Step 21:

Using the jurisdiction rule with $S_{19}$ and $A_{10}$, we obtain

$$\left(S_{21}\right):S_j\mid \equiv \left(U_i\stackrel{SK}{⟷}{S}_j\right)\left(\mathbf{Goal}\mathbf{2}\right)$$

Referring to Goals 1–4, we show that proposed scheme achieves secure mutual authentication among $U_i$, $S_j$ and $CS$.

7. Simulation for Security Verification with the AVISPA tool

We performed a formal security verification of the proposed scheme utilizing AVISPA simulation tool [26,27] to evaluate the safety of the authentication protocol against MITM and replay attacks, which is widely accepted for formal security analysis [28,29,30,31]. To perform AVISPA simulation tool, the environment and the session of security protocol must be implemented using the High Level Protocols Specification Language (HLPSL).

7.1. HLPSL Specifications

We considered three basic roles: user $U_i$, cloud server $S_j$, and control server $CS$. Then, we present $session$ and $environment$ utilizing HLPSL in Figure 9, which contains the security goals. The role specifications of $U_i$, $S_j$, and $CS$ are as shown in Figure 10, Figure 11 and Figure 12.

Figure 9. Role for environment and session in HLPSL.

Figure 10. Role specification for user $U_i$.

Figure 11. Role specification for cloud server $S_j$.

Figure 12. Role specification for control server $CS$.

The $U_i$ receives the initial message and updates the updates the state value from 0 to 1. The $U_i$ then sends the registration request messages $\{I{D}_i,RP{W}_i\}$ to the $CS$ via a secure channel and receives $\{RI{D}_i,Smartcard\}$ from the $CS$. The $U_i$ updates the state value from 1 to 2. In the login and authentication phase, the $U_i$ declares $witness(UA,CS,ua\_sn\_rui,R{U}_i^{\prime })$ from the $S_j$, and then updates the state value from 2 to 3. Finally, the $U_i$ receives the authentication messages $\{M_3,Q_{CU}\}$ from the $S_j$. The $U_i$ checks whether $Q_{CU}^{\ast }\stackrel{?}{=}{Q}_{CU}$. If it is valid, the $U_i$ authenticates the $S_j$ successfully. The role specification for $S_j$ is similarly defined.

7.2. AVISPA Simulation Result

We show the AVISPA results to verify the safety of the proposed scheme using OFMC and CL-AtSe. The OFMC checks whether the proposed scheme is safe from MITM attack. In addition, the CL-AtSe demonstrates the safety of the protocol against replay attack. Consequently, Figure 13 shows that the proposed scheme is secure against MITM and replay attacks though AVISPA simulation.

Figure 13. Analysis of AVISPA simulation using OFMC and CL-AtSe.

8. Performance Analysis

We compared the computation cost, communication cost and security features of the proposed scheme with some existing schemes [8,23,24,25]. We show that the proposed scheme provides better efficiency and security features.

8.1. Computation Cost

We compared the computation overheads of the proposed scheme with some existing schemes [8,23,24,25]. To analyze of computation cost, we estimated using the following parameters. Table 3 shows the analysis results of computation cost and the detailed total cost are as below.

Table 3. A comparative summary: computation costs.

Schemes	User	Cloud Server	Control Server	Total	Total Cost (Case 1)	Total Cost (Case 2)
Xue et al. [24]	$12T_h$	$6T_h$	$18T_h$	$36T_h$	0.18612 ms	0.0011808 ms
Amin et al. [25]	$12T_h$	$4T_h$	$14T_h$	$30T_h$	0.1551 ms	0.000984 ms
Zhou et al. [23]	$13T_h$	$7T_h$	$23T_h$	$43T_h$	0.22231 ms	0.0014104 ms
Pelaez et al. [8]	$9T_h+3T_s$	$6T_h+3T_s$	$33T_h+2T_s$	$48T_h+8T_s$	0.42 ms	0.1730824 ms
Ours	$12T_h$	$6T_h$	$16T_h$	$34T_h$	0.17578 ms	0.0011152 ms

T_h, hash function; T_s, symmetric key cryptography operation using AES algorithm

The total computation cost for the proposed scheme and Pelaez et al.’s scheme are 34$T_h$ and 48$T_h$ + 8$T_s$, respectively. We provide better efficiency than some existing schemes because the proposed scheme uses only hash and XOR operations. Therefore, our scheme is secure and efficient for practical IoT-based cloud computing environment.

• $T_h$ denotes the time for the hash function (Case 1 $\approx 0.00517$ ms [23] and Case 2 $\approx 0.0000328$ ms [32]).
• $T_s$ denotes the time for the symmetric key cryptography operation using AES algorithm (case 1 $\approx 0.02148$ ms [23] and Case 2 $\approx 0.0214385$ ms [32]).
• The XOR operation was not included because it is negligible compared to the other operations.

8.2. Communication Cost

We compared the communication overhead of the proposed scheme with some existing schemes [8,23,24,25]. In authentication phase of the proposed scheme, the transmitted messages $\{M_1,M_2,CI{D}_i,RI{D}_i\}$, $\{M_1,M_2,CI{D}_i,RI{D}_i,D_1,D_2,CSI{D}_j,RSI{D}_j\}$, $\{M_3,D_3,Q_{CS}\}$ and $\{M_3,Q_{CU}\}$ require (128 + 128 + 128 + 128 = 512 bits), (128 + 128 + 128 + 128 + 128 + 128 + 128 + 128 = 1024 bits), (128 + 128 + 128 = 384 bits), and (128 + 128 = 256 bits), respectively. Table 4 shows the analysis results of communication cost. Consequently, the proposed scheme is thus more efficient than other related schemes [8,23,24,25] because the total communications cost are 2176 bits (Case 1) and 4352 bits (Case 2).

Table 4. A comparative summary: communication costs.

Schemes	Message Length	Total Cost (Case 1)	Total Cost (Case 2)
Xue et al. [24]	30	3840 bits	7680 bits
Amin et al. [25]	27	3456 bits	6912 bits
Zhou et al. [23]	34	4352 bits	8704 bits
Pelaez et al. [8]	34	4352 bits	8704 bits
Ours	25	2176 bits	4352 bits

• Case 1 defines that the pseudo-identity, random nonce, timestamp, identity, password, and hash function are 128 bits, respectively.
• Case 2 defines that the pseudo-identity, random nonce, timestamp, identity, password, and hash function are 256 bits, respectively.
• The block length for symmetric encryption is 128 bits.

9. Conclusions

This paper shows that Pelaez et al.’s scheme does not defend various attacks such as impersonation, session key disclosure and replay attacks. Furthermore, we show that Pelaez et al.’s scheme cannot allow mutual authentication and anonymity. We propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to enhance the security drawbacks of Pelaez et al.’s scheme. Our scheme can withstand various types of attacks, including impersonation, session key disclosure and replay attacks, and can provide mutual authentication and anonymity. Then, we demonstrate that our scheme allows secure mutual authentication among $U_i$, $S_j$, and $CS$ utilizing BAN logic analysis. We also performed a formal security verification analysis of the proposed scheme utilizing the AVISPA simulation tool. In addition, we compared the security features and performance of the proposed scheme with some existing schemes. We show that our scheme provides better safety and efficiency than related schemes. Therefore, our scheme can be suitable for practical IoT-based cloud computing environment because it is more secure and lightweight than the previous schemes.