IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 18, NO.

11, NOVEMBER 2022 8039

An Efficient and Provably Secure Certificateless

Protocol for Industrial Internet of Things
Farva Rafique, Mohammad S. Obaidat , Life Fellow, IEEE, Khalid Mahmood ,
Muhammad Faizan Ayub , Javed Ferzund , and Shehzad Ashraf Chaudhry

Abstract—The Internet of Things (IoT) has a wide range Index Terms—Authentication protocol, industrial Internet
of applications that influence the life of people expedi- of Things (IIoT), key agreement, smart card.
tiously. In recent years, IoT becomes an emerging technol-
ogy in a number of fields. Different devices with divergent
functionality are applied in IoT to work in several domains.
These domains include smart home, smart farming, and
I. INTRODUCTION
Industrial Internet of Things (IIoT). Among these territories, HE Internet of Things (IoT) is composed of numerous
the IIoT obtains more attention. In an IIoT environment, a
legitimate user can control and access devices remotely.
Legitimate users can access real-time data and share con-
T sensing devices and controllers connected physically with
various functionality. Physical devices may include drones,
fidential information. The information is transmitted via sensors, cameras, vehicles, smart phones, and also they can
public communication channel, which can be vulnerable be virtual objects like books, agenda, wallets, or electronic
to security attacks. In this article, we present a provably tickets. These devices are interlinked through the network to
secure multifactor authenticated key agreement scheme to bestow copious services like data analysis, data acquisition, and
offer security regarding transmission of data in IIoT envi-
ronment. This scheme will support the legitimate user to re- real-time monitoring [1]. In IoT environment, the devices must
motely access the sensing devices. Our presented scheme be as smart as they are able to take decisions without intervention
uses only symmetric cryptographic, bitwise XOR operation, of human. IoT has numerous applications such as in agriculture,
and hash function to be resource-constrained. Our scheme medical treatment, surveillance, and housing. Moreover, IoT has
is found to be resource efficient through communication appreciable endowment to industrial field, which is also called
and computation analysis. The performance analysis illus-
trates that the cost of computation and communication of Industrial Internet of Things (IIoT) [2]. To upgrade the manufac-
our scheme is comparatively low as compared to other rel- turing efficiency and acquiring intelligent industrial production,
evant schemes. The formal and informal security analysis the IIoT allows us to control the industrial production, manage
proved that our scheme is secure and efficient as it can efficiently, and monitor automatically. The IIoT can be applied
withstand several known adversarial attacks. We have used in number of industries such as in utilities, metals and mining,
some cryptographic operations like XOR and hashing to
provide security and privacy to legitimate entities. manufacturing, gas, oil, logistics, aviation, and transportation.
IIoT is an imperitive part of the IoT environment that needs
more security for the communication and data transmission [3].
Generally, the data gathered through IoT devices are transmitted
Manuscript received 4 January 2022; revised 8 February 2022; ac- through an open channel that is unprotected and susceptible to
cepted 24 February 2022. Date of publication 7 March 2022; date of various attacks by illegitimate user. The illegitimate user can
current version 9 September 2022. Paper no. TII-21-6011. (Correspond-
ing author: Shehzad Ashraf Chaudhry.) access the sensing devices for real-time data and becomes the
Farva Rafique, Muhammad Faizan Ayub, and Javed Ferzund are with reason for challenges to privacy and security in IIoT [4], [5].
the Department of Computer Science, COMSATS University Islamabad, In IIoT-based environment, numerous authentication schemes
Sahiwal Campus 57000, Pakistan (e-mail: [email protected];
[email protected]; [email protected]). have been presented. In IIoT, there are three types of entities
Mohammad S. Obaidat is with the Indian Institute of Technology— (user, Gateway node), and IoT devices are usually used in
Dhanbad, Dhanbad 826004, India, with KAIS, University of Jordan, Am- these types of authentication schemes. Having limited storage,
man 11942, Jordan, and also with the PR of China Ministry of Education,
University of Science and Technology Beijing, Beijing 100083, China energy, and computing resources, IoT devices typically become
(e-mail: [email protected]). unreasonably resource-constrained to work with complex types
Khalid Mahmood is with the Future Technology Research Center, Na- of cryptographic primitives.
tional Yunlin University of Science and Technology, Yunlin 64002, Taiwan
with the Riphah School of Computing and Innovation (RSCI), Riphah Therefore, a lightweight and secure authenticated key agree-
International University, Lahore Campus, Lahore 55150, Pakistan, and ment protocol is needed to tackle security and privacy issues in
also with the Department of Mathematics, University of Padua, 35131 the IIoT. GWN can handle more computing operations than IoT
Padua, Italy (e-mail: [email protected]).
Shehzad Ashraf Chaudhry is with the Department of Computer Engi- devices because it has vigorous resources, which make it more
neering, Faculty of Engineering and Architecture, Nisantasi University, efficient [6], [7]. The legitimate user communicates to GWN
Istanbul 34398, Turkey (e-mail: [email protected]). using IoT devices via a public channel, which can be susceptible
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TII.2022.3156629. to security attacks. Furthermore, sensor nodes are capable of
Digital Object Identifier 10.1109/TII.2022.3156629 computing using limited storage space. These sensors collect
1551-3203 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
 8040 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 18, NO. 11, NOVEMBER 2022

treasured information and send it through insecure channel. numerous physical cyber-attacks. These attacks are specially
Many authentication schemes have been developed using ECC related to communication between third party and machine’s
in order to generate session key between IoT devices and legit- authorization and authentication process. Karati et al. [14] pre-
imate users securely [8]. Therefore, in this article, we propose sented a certificateless signature scheme in 2018. The scheme
lightweight authentication and key agreement scheme to reduce is presented to ensure the integrity of data in IIoT. Even so,
the computation and communication costs using fuzzy extractor Zhang et al. [16] claimed that the scheme of Karati et al. [14] is
algorithm in order to fulfill the requirements of resource con- susceptible to a signature forgery attack. Afterthat, to preserve
strained environment and to resist the known attacks. the reliability of IIoT data, Zhang et al. [16] presented a robust
CLS cloud-assisted scheme. The security analysis of the scheme
revealed that their scheme is resistant to signature forgery and
II. RELATED WORK four other CLS attacks. Rezaeibagha et al. [15] claimed that
Recently, numerous authentication and key agreement Karati et al. [14] scheme is also sensitive to signature forgery.
schemes have been presented for IoT environments. These Rezaeibagha suggested a new CLS scheme that is considered
schemes are designed to steer the privacy and security issues. It safe against both types of adversaries. Zhang et al. [15] claimed
is pivotal to protect the security and privacy of data while holding that Karati et al. [14] is unable to achieve the claimed security
up for security traits and avoid known attacks. Various factors goals. They proved their claim by presenting forgery attacks of
used in existing schemes such as smart cards, passwords, and four types on Karati et al. [14] CLS scheme. They presented a
biometrics to validate legitimate users. In industrial production robust certificateless signature scheme, which is devoid of ROM
monitoring, wireless sensor networks mainly act as a key factor and MTP to explain the challenges described in cloud-assisted
for IIoT. IIoT. They prove that their scheme is secure from these four types
Choudhary et al. [9] introduced key exchange model and a of attacks and robust in nature. Peng et al. [17] also proposed a
lightweight remote user’s mutual authentication for IIoT. Pro- novel certificateless online/offline signature scheme and design
posed scheme of Choudhary et al. [9] provides security features an efficient authentication protocol for the wireless body area
like integrity, data confidentiality, and identity anonymity. More- networks. Compared with related protocols, their protocol has
over, it provides security against popular attacks (modification the much less computation cost.
attack, replay attack, man in the middle attack, etc). However, To come up with more services of IoT, Yu et al. [18] combined
this scheme is still vulnerable to internal security threats of IIoT IoT with cloud computing. But, a number of known attacks are
networks. Fang et al. [10] go through numerous IIoT control there that threaten cloud user and server security. They pre-
systems and their issues as well as the security vulnerabilities sented an enhanced scheme for cloud computing environment
of IIoT control system in details. Existing endeavor are unable based on IoT, which is resistant to DoS attack and privileged
to establish an uniform security mechanism for IIoT control insider attack. By using BAN-logic automated verification of
systems due to diversity and complexity of the protocols. How- security, they proved security of their scheme. For IoT-based
ever, Fang et al. [10] has no proper framework and applicable WSN, Haseeb et al. [19] presented a stable as well as consistent
secure authentication scheme to prevent security threats. Gu sensor-cloud based architecture. It offers efficient and secure
et al. [11] introduced authentication mechanism for an active services of communication in smart cities to address the security
physical layer. This mechanism is for noncoherent SIMO-based vulnerability triggered by sensor node failure. In this article, an
IIoT system. This is the first work to demonstrate active PLA authenticated multifactor key agreement scheme is introduced,
to accomplish without using the channel estimation and pilot which is distinct from the numerous current schemes reported
signal. Furthermore, the suggested authentication scheme can in the literature. First, using a simple hash function along with
match the IIoT systems error rate and specific power require- XOR operation significantly reduced the computing complexity
ments. of accessing single and multiple devices. Second, they proposed
For secure communication between sensors and routers in a scheme that enables sensing devices seamlessly enter and exit
IIoT, Baruah et al. [12] introduced a secure authentication from IIoT network. It reduces communication costs to help users
scheme. Using AVISPA tool and BAN logic, the security of to access different sensing devices. On the other hand, it lacks
the proposed schemes are examined. The performance of the of robust security for multihop communication, lack of trusted
proposed schemes is studied and compared with state-of-the-art end-to-end routing delivery for longer regions and also have no
authentication schemes to establish its viability. This scheme still repudiation and playback network attacks.
has limitations regarding authentication of sensor and router in Table I summarizes several existing schemes with re-
IIoT. To broadcast scalable and secure M2M communications, spect to their cryptographic primitives used, benefits and
which is based on pub/sub paradigm, Amoretti et al. [13] pre- drawbacks/flaws.
sented a unique dynamic multibroker framework. In addition,
Amoretti et al. [13] aimed to put the proposed architecture
into a new context for challenging real world IIoT applications.
The scenarios of IIoT applications are cloud manufacturing and A. Article Organization
predictive maintenance. Regardless of their work, they still need The notations are provided in Table II. Section II presents the
to develop their framework to provide effectiveness regarding related work and Section III deals with the problem statement.

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
RAFIQUE et al.: EFFICIENT AND PROVABLY SECURE CERTIFICATELESS PROTOCOL FOR IIoT 8041

TABLE I
SUMMARIZING EXISTING SCHEMES IN IIoT

TABLE II
NOTATIONS AND DESCRIPTIONS

Sections IV presents registration phase, login phase, authen-

tication, and key agreement phase of proposed scheme. Sec-
tion V shows the detailed security analysis of our scheme. In
Section VI, the performance analysis of our scheme is explained.
Fig. 1. IIoT environment.
Section VII concludes this article.

B. Motivation and Contribution UA can also receive and transmit messages by impersonating
communication between Ui and SDj . In IIoT, the GWN is the
In recent years, numerous studies regarding security as well
most important factor. It is deemed completely trustworthy and
as privacy issues in IIoT environment have been reported [1].
can not be harmed by UA . First, in a protected environment
The communication of IIoT devices is done via public channel.
the GWN is physically secure. Second, the tamper-resistance
So, these communications are vulnerable to numerous attacks.
mechanism ensures that in GWN any stored information is not
As a result, illegitimate users can access sensitive information
accessible by the adversary [24]. The CK-adversary model not
regarding industrial production. So, to validate a user’s identity,
only shows the characteristics of an adversary in the DY model,
there is a need to establish a more secure mechanism. Further-
but it also exposes some session secrets between participants
more, in already existing schemes, users can access a sole IoT
who are communicating with each other [22]. As a result, if the
device simultaneously [21]. Users need to validate repeatedly to
previous temporary secrets or session keys are revealed during
get access to the numerous sensing devices. There is a need to
communication, the adversary can not violate the scheme’s
design a multifactor key agreement protocol, so that users can
security.
access numerous sensing devices at a time to create session keys
between them.
B. System Architecture
III. PROBLEM STATEMENT In system architecture of IIoT, the design is depicted in Fig. 1.
In this design, there are three types of entities.
The problem will be stated in this section using the three
1) Users: Using the smart card, the user can send request via
features, these are threat model, network model, and security
GWN to get access from sensing devices
goals.
2) Sensing devices: These devices are used in IIoT to in-
vestigate the collection of data and manufacturing status.
A. Threat Model
The information acquired by sensing devices can easily
In our scheme, UA is assumed to have the same capabilities be accessed in real-time by the user.
as the attacker used: CK-adversary [22] and Dolev–Yao (DY) 3) GWN: GWN is a fully trusted entity in our model, it is in
threat model [23]. In DY model, both users and sensing devices charge of registering between sensing devices and users.
are deemed untrustworthy, and any entity can send and receive In our presented scheme, the SDj s are registered through
messages via an open channel. Any two entities message can GWN and GWN stores some secret credentials into their mem-
be altered, eavesdropped, intercepted, and deleted by UA . UA ory. To gain access to sensing devices in IIoT, a user must be
can also counterfeit messages into a legal entity to deceive it. registered in GWN and store the credentials for authentication

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
 8042 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 18, NO. 11, NOVEMBER 2022

into the memory of user devices. First, the Ui sends request to when user needs to reproduce the secret key from
GWN for authentication during the login and authentication key helping data and bios. Using the Ui credentials
agreement phase, after validating the authenticity of the user, as well as the information stored in the SCi , SCi
GWN sends the request message to sensing devices. After that, calculates RP Wi∗ ← h(P Wi IDi BKi∗ ), a∗ ← Di ⊕
to recreate the secret value, the sensing devices communicate h(IDi BKi∗ ) and A∗i ← Ai ⊕ a∗ . SCi , Vi∗ ←
their credentials with GWN. Sensing devices acquire the secret h(RP Wi∗ A∗i a∗ h(IDi BKi∗ ))modω. It checks
value from GWN and produce the shared session key before whether Vi ← Vi∗ to authenticate the identity of Ui .
transmitting messages to Ui . At last, the user can access data Step LP 2: As the authentication of Ui is success-
that is gathered via sensing devices and then use these sensing ful, SCi creates a random nonce ri and a times-
∗ 
devices to regulate the industrial production process. tamps T S1 . Then, SCi computes IDGW N ← Ci ⊕
h(IDi BKi ), M1 ← h(KEYGW N −Ui ⊕ ri ), M2 ←
∗
h(T IDi M1 IDGW N )ri T S1 and transfers the mes-
IV. PROPOSED SCHEME sage {T IDi , M1 , M2 , T S1 } to GW N .
In this section, we present the proposed protocol. Our protocol C. Authentication and Key Agreement Phase
consists of two phases, registration phase, login, and authentica- The complete process of authentication and key agree-
tion phase. First, registration phase is discussed and then login ment is described in Fig. 2.
and authentication phase is explained.
A. Registration Phase: When users require to access sensing
V. SECURITY ANALYSIS
devices securely, Ui must first register in a GWN via a
reliable channel. We explain the registration phase of Ui We will discuss the security analysis of the proposed au-
in steps which are given as follows: thentication scheme. As security analysis is done to check the
Step URP 1: Ui chooses a unique identity as IDi and robustness, invincibility, validity, and level of provided security
password as P Wi . Ui then imprints his/her biometric Bi of our scheme. It has been cleared that the security of presented
into the device. Then, using fuzzy extractor biometric scheme remains in diverse circumstances. We used the approach
key BKi is obtained and calculated variables will be of security analysis followed in [25]. There are basically two
(BKi , τi ) = Gen(Bi ), where Gen(.) is a function which sections of security analysis, which are formal and informal.
is called when user need to generate key from bios. Ui The formal security analysis is described as follows.
randomly generates a nonce of 128-bit and computes
T P Wi ← h({P Wi IDi BKi }) ⊕ a. After that, BKi
A. Formal Security Analysis Using Real or Random
securely sends message having values IDi , T P Wi to
GW N . Model
Step URP 2: When obtaining the request IDi , T P Wi , In this section, the formal security analysis of our scheme with
GW N generates randomly a secret key of 1024-bit as the help of a widely used ROR model is introduced. The main
KEYGW N and calculates KEYGW N −Ui ← h(IDi  motive is to assure the security of session key in this scheme
KEYGW N −Ui ), Ai ← KEYGW N −Ui ⊕ T P Wi , Ci ← under the ROR model. This model is given in theorem 1. This
IDGW N ⊕ T P Wi , T IDi for Ui as T IDi ← theorem uses one way cryptographic hash function with the IND-
EN CKEYGW N (IDi Ro ) . After that, GW N generates CPA. The description of ROR model is as follows:
SCi . SCi stores {T IDi , Ai , Ci , h()} for each Ui and ROR Model: In this network, there are three participants
passes the SCi to Ui . named as user Ui , gateway node GW N , and sensing device
Step URP 3: After receiving SCi , Ui calculates SDj . Moreover, there are different components of ROR model
RP Wi ← h(IDi P Wi BKi ), Ai ← Ai ⊕ T P Wi ⊕ described as follows.
RP Wi , Di ← a ⊕ h(IDi BKi ), Ci ← Ci ⊕ T P Wi ⊕ Participants: ΠtSDj , ΠuUi , ΠvGWN denote the instances t, u, v
h(IDi BKi ), Vi ← h(RP Wi Ai ah(IDi BKi )) of the participants SDj , Ui , and GW N , which are shown as
modω. It is calculated to validate the legal user’s oracles.
identity, whereas, ω is a medium integer. At last, Partnering: ΠUi of Ui is a partner of πSD t
j
of SDj and vice-
{T IDi , Ai , Ci , Vi , Di , Rep(.), h(.), Gen(.), ω, τi } is versa. The current session identity is unique as ΠuUi participates
stored in Ui ’s memory and already stored information is in it. It is also known as the partial transcription of all transmitted
discarded. messages among Ui and SDj .
D. Login Phase: Whenever Ui wants to get the data of Freshness: ΠuUi or ΠtSDj is called fresh if the {SK = SK ∗ }
SDj using his/her identity IDi , the following authenti- between Ui and SDj can not be disclosed by UA seeking the
cation and key agreement steps are performed among Ui , help of given reveal query (Πt )UA . In this model, UA can control
GW N , and SDj . The process for further communication all the communication in which reading and modifications of all
is given as follows: transmitted messages are included. These queries can easily be
Step LP 1: The Ui inserts the SCi and imprints the accessed by UA .
biometric Bi∗ into the card reader. Then input IDi Execute: This is useful for retrieving messages sent between
and P Wi . The SCi computes BKi∗ ← Rep(Bi∗ τ ), two legitimate participants. It is represented as the eavesdrop-
where Rep(.) is also a function which is called ping attack.

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
RAFIQUE et al.: EFFICIENT AND PROVABLY SECURE CERTIFICATELESS PROTOCOL FOR IIoT 8043

Fig. 2. Authentication and key agreement phase of proposed scheme.

Exchange (Πt , Msg): The exchange model is used to represent |Dicp |, Dicp , |Hsh|, len, qhsh , qexe , and qsnd show the pass-
an active attack. In this model, participant π t can receive, send, word range space along with its frequency distribution, the
and respond to the messages. number of sent oracles, size of Dicp , hash function with the
Reveal (Πt ) : In this query, UA gets session key, which is range space, the bit length of BKi , the number of executed
computed by Πt (and its partner). oracles and the number of hash oracle, respectively. Moreover
Corrupt (ΠtUi ): In this query, UA steals the Ui ’s smart card in PPT, the advantage of UA breaking the symbolic security of
SCi to extract secret credentials stored in it. P rb can be defined as follows:
Corrupt (ΠSDj , M AKA): In this mode, secret credentials
(IDSDj , sj , kj , fj ) of SDj are revealed to UA . 2
qhsh  
s qsnd
R,UA (K) ≤
AdvtMAKA + 2max B  .qsnd
Test (ΠtUi ): The SK follows the uniformity in ROR model. |Hsh| 2len
In the beginning of the experiment, a coin is flipped and only
2
UA knows the result. The output of test query is decided by UA . + .AdvtIND−CPA
R,UA (K). (1)
q
Semantic Security of the SK: In the ROR model, it is neces-
sary for UA to discriminate the real SK from the random key
instances. UA can create a number of test queries for ΠtSDj or Proof: The security proof of our scheme is in a way similar
to the one shown in [24]. In the scheme, there are five games
ΠuUi . Before termination of the game, UA guesses a bit a . We use
Gamen , n ← 0, 1, 2, 3, 4. If UA guesses successfully a bit b
ROR model to demonstrate the security aspects of our scheme.
before the game, then it is known as Succn . The complete
Theorem 1: It is supposed that in random oracle, UA is
definition of each Gamen is described as follows.
the adversary against our scheme P rb running in proba-
Game0 : The real attacks to our proposed authenticated
bilistic polynomial time. According to Zipf’s law [26], let
scheme P rb are modeled in this game. At the start of Game0 ,

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
 8044 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 18, NO. 11, NOVEMBER 2022

the UA guesses the bit b. From the theorem SDj , secret credentials are not stored directly. So, UA will not
be able to get these secret credentials. UA can get any sensing
R,UA (Ki )
AdvtMAKA ← |2Pr [Succ0 ] − 1|. (2)
device to get secret share pair (fj , sj ) from its memory, but
Game1 : In this game, the man-in-the-middle attack is he cannot get (rGWN )to compute the secret values. The secret
launched by UA during the phase of login and authen- shared pair has forging probability 21 . So, it is shown as
tication of scheme. At the end of Game1 , UA tests or- 1
acles running as (π1t , π2t , π3t ). UA requires to differentiate |Pr [Succ3 ] − Pr [Succ4 ]| ≤ . AdvtIND−CPA
R,UA (K). (6)
q
either output of the test oracles is a random string or
a real SK. In our scheme, Ui and SDj calculate the In the last game, all the oracles have been modeled. If UA
session key as SK ∗ ← h(IDi rGWN ∗
IDGWN M9∗ h(rGWN ⊕ guesses the bit b successfully, then UA will win the game. So, it
KEYGWN−Ui )). And this session key includes {rGWN ∗
, is clear that
KEYGWN−Ui , and h(rGWN ⊕ KEYGW N −Ui )}. UA can not Pr [Succ4 ] ← .
1
compute the session key without knowing these secret cre- 2
dentials so, it is clear that UA has no access to these secret However, from (2) to (6) formula, we have
credentials. As a result, UA has no access for all transmitted 1
messages in PPT. The game winning advantage for UA is not R,UA (K) ← 2 . |Pr [Succ0 ] −
AdvtMAKA
2
increased. However, the probability of winning the Game0 and
Game1 is same for UA . So, it is clear from Game1 that = 2. |Pr [Succ1 ]

Pr [Succ0 ] ← Pr [Succ1 ]. (3) − Pr [Succ4 ]|. ≤ 2. (|Pr [Succ1 ]−

Game2 : In Game2 , an active attack is launched in Game1 by Pr [Succ2 ]|) + |Pr [Succ2 ] − Pr [Succ4 ]|
adding Hash and oracle. In Game2 , UA diverts the users so as ≤ 2. (|Pr [Succ1 ] − Pr [Succ2 ]|)
to convince them of the forged message sent from UA . To detect
the collision of the secret key, UA can make a number of hash + |Pr [Succ2 ] − Pr [Succ3 ]|
oracles. The use of timestamp, identity, long-term secrets, and + |Pr [Succ3 ] − Pr [Succ4 ]|+
the existing transmitted messages assure the randomness of the
2
message. After neglecting the running of sent oracles, collision 1 qhsh
. AdvtIND−CPA (K)). ≤ +
probability is guaranteed. However, it is clear from the birthday q R,UA
2. |Hsh|
paradox that  
s qsnd
2max B  . qsnd +
2
qhsh 2len
|Pr [Succ1 ] − Pr [Succ2 ]| ≤ . (4) 2
2.|Hsh| . AdvtIND−CPA (K)). (7)
R,UA
q
Game3 : This game models CorruptSD oracles. Using
side channel attack, UA can get the sensitive information B. Informal Security Analysis
{Vi , Ci , Ai , Di }, which is stored in the smart card. UA requires
random nonce a and bit length of biometric key BKi to get In security analysis, informal analysis is the way to check
secret credentials {Vi , Ci , Ai , Di }. In BKi = 0, 1len , the len the validity of any scheme considering the threat model. Here,
shows the bit length of biometric key BKi . Here, 21len is the the security of the presented scheme is analyzed properly. The
probability of guessing the BKi successfully. The benefit will be informal analysis demonstrates that the presented scheme can
over 21 for UA to get the low entropy password through Zipf’s law easily resist well-known adversarial attacks, which are described
when qsnd ← 107 or 108 . For guessing the low entropy password, as follows:
UA can use personal information of users. Furthermore, the 1) Stolen Verifier Attack: Assume that the trusted insider user
advantage of guessing the password successfully will be over of GW N acts as privilage attacker or UA . UA has the registration
1 6 information of Ui and GW N . Without knowing both IDi and
2 , when qsnd < 10 . There are limited attempts to input BKi
and P Wi . The guessing attacks are excluded, so the Game3 can KEYGWN−Ui of Ui , it is challenging for UA to guess either IDi
be acknowledged as ideal game. It is shown as or KEYGWN−Ui accurately form T IDi . This proves that our
  scheme is resistant to stolen verifier attack.
s qsnd
|Pr [Succ2 ] − Pr [Succ3 ]| ≤ max B  . qsnd (5) 2) Impersonation Attacks: If UA wants to impersonate on
2len behalf of legal entity and calculates its messages to get authen-
where the parameters (B  , s ) are defined in [26]. ticated; this is known as impersonation. Let us assume that UA
Game4 : By appending CorruptSD oracle, the Game3 wants to impersonate the Ui . UA intercepts the message on user’s
is converted to the final Game4 . In this game, UA can behalf and calculates the values. Correspondingly, UA can also
not get the session key directly from devices. Therefore, impersonate GW N or smart sensing device SDj . However,
to get secret credentials, UA can abduct numerous sens- in our proposed scheme, UA is not able to calculate the valid
ing devices through special attacks. UA needs secret creden- message because our messages contain secret credentials. So,
tials as {rGWN , KEYGWN−Ui } to get the session key SK ∗ = our scheme provides resilience against different impersonation
∗
h(IDi IDGWN rGWN M9∗ h(rGWN ⊕ KEYGWN−Ui )). As in attacks, which are described in following sections.

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
RAFIQUE et al.: EFFICIENT AND PROVABLY SECURE CERTIFICATELESS PROTOCOL FOR IIoT 8045

3) User Impersonation Attack: If UA wants to imper- TABLE III

COMPUTATION COMPARISON
sonate Ui , it needs to generate the message {T IDi ,
M1 , M2 , T S1 } tuple. However, UA cannot generate the
valid {T IDi , M1 , M2 , T S1 }. The reason is that, M1 and
M1 contain secret credentials such as, KEYGWN−Ui . Even,
UA generates random nonce ri or current timestamp T S1 .
UA will not be able to compute M1 as M1 ← h(Ai ⊕
RP Wi∗ ) ⊕ ri ← h(KEYGWN−Ui ) ⊕ ri and M2 ← h(T IDi  each, hash value of 256 bits and the Encryption/Decryption of
∗
M1 IDGWN ri T S1 ) and also T IDi ← EN CKEYGWN 128 bits. The costs of communication for msg1, msg2. . . msg6
(IDi Ro ). The reason is that these values need secret credentials are 736, 704, 288, 512, 800, and 256 bits, respectively. The
for computation such as KEYGWN−Ui , IDi , T IDi , and Ro . So, communication cost between user, gateway node, and sensing
we can say that, UA will not be able to impersonate Ui in our devices for [1], [27]–[30] schemes are 2688, 2592, 960, 3456,
scheme. and 3456 bits, respectively.
4) GWN Impersonation Attack: If UA can generate valid
{M4 , M5 , M6 , T S2 }, then it can impersonate GW N . Neverthe- B. Computational Cost
less, in our scheme, UA is unable to calculate M4 ← rGWN × γ,
The computational cost of an authentication protocol counts
M5 ← EncrGWN (IDi , IDGWN , h(rGWN ⊕ KEYGWN−Ui )), and
the total execution time for each cryptographic operations. While
M6 ← h(IDi IDGWN M4 h(rGWN ⊕ KEYGWN−Ui )T S2 ).
calculating the computational cost of the proposed and related
To calculate these values, the following secret credentials
schemes, we examine cryptographic functions such as Th one-
{IDi , rGWN , KEYGWN−Ui } are needed. These credentials are
way hash function, TED symmetric Encryption/Decryption. The
secret and UA will not be able to get them. So, our scheme is
computational cost is computed at each end, i.e ., Ui , GW N ,
resilient against impersonation attack of GW N .
SD. The registration step of an authentication protocol is a
5) Sensing Device Impersonation Attack: Suppose UA tries
one-time activity, hence it is omitted in correlation. As a result,
to computes {M8 , T S3 }. Although, it can generate T S3 , UA can
the login, authentication and key agreement phases are the
compute the message only when it is able to calculate M8 ←
leading apprehensions for determining the computing costs. In
EncrGWN∗ (sj , fj , IDSDj ). But, UA will not be able to compute
the devised protocol, the execution of hash function is ten times
M8 , as it needs secret parameters {sj , fj , rGWN IDSDj } of the
and encryption/decryption is executed two times by Ui . Further-
smart sensing device. UA cannot get these values in our scheme.
more, the computational cost for Ui is (10 × 0.00097) + (2 ×
6) Sensing Device Capture Attack: Let UA intercepts the
0.00033) ≈ 0.01038 ms. Similarly, the encryption/decryption
message {M4 , M5 , M6 , T S2 } and then UA tries to impersonate
and hash function is executed four times and eight times at
SDj using parameters {IDSDj , sj , fj , kj }. These parameters
GW N . While encryption/decryption and hash function are ex-
are stored in SDj . It is clear that the IDSDj of SDj is anony-
ecuted two times and seven times for SD. The computational
mous. To guess IDi and IDSDj of user and sensing device or
cost of GW N and SD are (8 × 0.0.00187) + (4 × 0.00135) ≈
the corresponding shared secret key KEYGWN−Ui , it is compu-
0.02036 ms and (7 × 0.1.199) + (2 × 0.0.863) ≈ 10.119 ms,
tationally hard to find for UA , which is protected by hash. Thus
respectively. The overall cost of computation of our scheme is
our scheme is also secured against sensing device capture attack.
compared with the related competing schemes. Now consider
7) Desynchronization of Pesudoidentities: As UA is a capa-
that the Th , and TED represents the computational time needed
ble to block a message or there may be some packet loss. In these
for one-way hash function and encryption/decryption, respec-
situations user does not get new identity T IDinew . However,
tively. The computational costs of Th and TED for Ui , GW N , and
in our proposed scheme Ui is a legal user, whose identity is
SD are 0.00097, 0.00187, 1.199, and 0.00033, 0.00138, 0.863
already stored in GW N ; so legal user can continue the session
in ms, respectively. Furthermore, the total computational cost of
with GW N using previously stored identity IDi of the user.
our scheme is 10.14974 ms. The computational costs of all re-
Thus, the problem of desynchronization of pseudoidentity is not
lated competing protocols [1], [27]–[30] are measured similarly
possible.
and shown in Table III.
VI. PERFORMANCE ANALYSIS
C. Security Features
We discussed the detailed comparison of the performance as
To calculate the features and functionality of our authenticated
well as security features of the our scheme, with the following
key agreement scheme related to other competing schemes,
related competing schemes: Das et al. [1], Shuai et al. [27], Yang
we design evaluation metrics. In Table IV, comparison of the
et al. [28], Abdi Nasib et al. [29], and Vinoth et al. [30].
security features and functionality of our scheme among pre-
viously reported competing schemes is represented. According
A. Communication Cost
to this table, almost all the schemes are multifactor. Moreover,
The cost of communication for our scheme and related exist- these schemes are insecure against different adversarial attacks.
ing competing schemes is calculated. In this section, parameter’s Although some of these schemes claim that they can prevent
bit length is defined uniformly. We have considered the random numerous adverse alert acts like privilege-insider, man-in-the-
nonce, identity, timestamp, ECC, XOR, password of 160 bits middle attack, and the replay attack. They are unable to support

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.
 8046 IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, VOL. 18, NO. 11, NOVEMBER 2022

TABLE IV [9] K. Choudhary, G. S. Gaba, I. Butun, and P. Kumar, “Make-it-a lightweight

COMPARISON ON SECURITY FEATURES mutual authentication and key exchange protocol for industrial Internet of
Things,” Sensors, vol. 20, no. 18, 2020, Art. no. 5166.
[10] L. Fang, H. Zhang, M. Li, C. Ge, L. Liu, and Z. Liu, “A secure
and fine-grained scheme for data security in industrial IoT platforms
for smart city,” IEEE Internet Things J., vol. 7, no. 9, pp. 7982–7990,
Sep. 2020.
[11] Z. Gu, H. Chen, P. Xu, Y. Li, and B. Vucetic, “Physical layer authentication
for non-coherent massive SIMO-based industrial IoI communications,” in
Proc. IEEE Wireless Commun. Netw. Conf., 2020, pp. 1–6.
[12] B. Baruah and S. Dhal, “An efficient authentication scheme for secure
communication between industrial IoT devices,” in Proc. 11th Int. Conf.
Comput., Commun. Netw. Technol., 2020, pp. 1–7.
the smart devices in terms of security. In short, our proposed [13] M. Amoretti, R. Pecori, Y. Protskaya, L. Veltri, and F. Zanichelli, “A
scheme is more robust and secure than previously reported scalable and secure publish/subscribe-based framework for industrial IoI,”
competing schemes. IEEE Trans. Ind. Informat., vol. 17, no. 6, pp. 3815–3825, Jun. 2021.
[14] A. Karati, S. H. Islam, and M. Karuppiah, “Provably secure and lightweight
certificateless signature scheme for IIoT environments,” IEEE Trans. Ind.
VII. CONCLUSION Informat., vol. 14, no. 8, pp. 3701–3711, Aug. 2018.
[15] F. Rezaeibagha, Y. Mu, X. Huang, W. Yang, and K. Huang, “Fully secure
In this article, we presented a provable secure and robust lightweight certificateless signature scheme for IIoT,” IEEE Access, vol. 7,
multifactor authenticated key agreement scheme for the IIoT pp. 144 433–144 443, 2019.
[16] Y. Zhang, R. H. Deng, D. Zheng, J. Li, P. Wu, and J. Cao, “Efficient and
environment. This scheme is proposed to improve the production robust certificateless signature for data crowdsensing in cloud-assisted
efficiency in industries. It also helps to tackle the production industrial IoT,” IEEE Trans. Ind. Informat., vol. 15, no. 9, pp. 5099–5108,
issues rapidly. Our scheme only uses XOR operation, symmet- Sep. 2019.
[17] C. Peng, M. Luo, L. Li, K.-K. R. Choo, and D. He, “Efficient certificateless
ric cryptography, and hash function. Furthermore, to calculate online/offline signature scheme for wireless body area networks,” IEEE
the features and functionality of our authenticated and key Internet Things J., vol. 8, no. 18, pp. 14 287–14 298, Sep. 2021.
agreement scheme related to competing schemes, we design [18] Y. Yu, L. Hu, and J. Chu, “A secure authentication and key agreement
scheme for IoT-based cloud computing environment,” Symmetry, vol. 12,
evaluation metrics. Our presented scheme can resist numerous no. 1, 2020, Art. no. 150.
known attacks easily. It works comparatively at a low cost [19] K. Haseeb, A. Almogren, I. Ud Din, N. Islam, and A. Altameem, “SASC:
when compared to the previously reported competing schemes Secure and authentication-based sensor cloud architecture for intelligent
Internet of Things,” Sensors, vol. 20, no. 9, 2020, Art. no. 2468.
as it resists several adversarial attacks. The proposed scheme [20] D. Wang, W. Li, and P. Wang, “Measuring two-factor authentication
is designed as resource efficient regarding communication and schemes for real-time data access in industrial wireless sensor net-
computation cost. It supports the joining and revocation of works,” IEEE Trans. Ind. Informat., vol. 14, no. 9, pp. 4081–4092,
Sep. 2018.
sensing devices dynamically. Furthermore, we plan to explore [21] J. Seto, Y. Wang, and X. Lin, “User-habit-oriented authentication
our scheme of authentication and key agreement to improve model: Toward secure, user-friendly authentication for mobile devices,”
security issues present in diffierent IoT-based environments. IEEE Trans. Emerg. Topics Comput., vol. 3, no. 1, pp. 107–118,
Mar. 2015.
[22] R. Canetti and H. Krawczyk, “Analysis of key-exchange protocols and
REFERENCES their use for building secure channels,” in Proc. Int. Conf. Theory Appl.
Cryptogr. Techn., 2001, pp. 453–474.
[1] A. K. Das, M. Wazid, N. Kumar, A. V. Vasilakos, and J. J. Rodrigues, [23] D. Dolev and A. Yao, “On the security of public key protocols,” IEEE
“Biometrics-based privacy-preserving user authentication scheme for Trans. Inf. Theory, vol. 29, no. 2, pp. 198–208, Mar. 1983.
cloud-based industrial Internet of Things deployment,” IEEE Internet [24] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure
Things J., vol. 5, no. 6, pp. 4900–4913, Dec. 2018. remote user authenticated key establishment protocol for smart home
[2] C. Yin, J. Xi, R. Sun, and J. Wang, “Location privacy protection based on environment,” IEEE Trans. Dependable Secure Comput., vol. 17, no. 2,
differential privacy strategy for Big Data in industrial Internet of Things,” pp. 391–406, Mar./Apr. 2020.
IEEE Trans. Ind. Informat., vol. 14, no. 8, pp. 3628–3636, Aug. 2018. [25] F. Wen and X. Li, “An improved dynamic id-based remote user authenti-
[3] W. Ali, I. U. Din, A. Almogren, M. Guizani, and M. Zuair, “A cation with key agreement scheme,” Comput. Elect. Eng., vol. 38, no. 2,
lightweight privacy-aware IoT-based metering scheme for smart industrial pp. 381–387, 2012.
ecosystems,” IEEE Trans. Ind. Informat., vol. 17, no. 9, pp. 6134–6143, [26] D. Wang, H. Cheng, P. Wang, X. Huang, and G. Jian, “Zipf’s law in pass-
Sep. 2021. words,” IEEE Trans. Inf. Forensics Secur., vol. 12, no. 11, pp. 2776–2791,
[4] S. A. Chaudhry, “Correcting “palk: Password-based anonymous Nov. 2017.
lightweight key agreement framework for smart grid,”” Int. J. Elect. Power [27] M. Shuai, L. Xiong, C. Wang, and N. Yu, “A secure authentication
Energy Syst., vol. 125, 2021, Art. no. 106529. scheme with forward secrecy for industrial Internet of Things using rabin
[5] P. Vijayakumar, M. S. Obaidat, M. Azees, S. H. Islam, and N. Kumar, cryptosystem,” Comput. Commun., vol. 160, pp. 215–227, 2020.
“Efficient and secure anonymous authentication with location privacy [28] Z. Yang, J. He, Y. Tian, and J. Zhou, “Faster authenticated key agreement
for IoT-based WBANs,” IEEE Trans. Ind. Informat., vol. 16, no. 4, with perfect forward secrecy for industrial internet-of-things,” IEEE Trans.
pp. 2603–2611, Apr. 2020. Ind. Informat., vol. 16, no. 10, pp. 6584–6596, Oct. 2020.
[6] Z. Ali, S. A. Chaudhry, K. Mahmood, S. Garg, Z. Lv, and Y. B. Zikria, [29] H. A. N. Far, M. Bayat, A. K. Das, M. Fotouhi, S. M. Pournaghi, and
“A clogging resistant secure authentication scheme for fog computing M.-A. Doostari, “LAPTAS: Lightweight anonymous privacy-preserving
services,” Comput. Netw., vol. 185, 2021, Art. no. 107731. three-factor authentication scheme for WSN-based IIoT,” Wireless Netw.,
[7] S. A. Chaudhry et al., “A lightweight authentication scheme for 6G-IoT vol. 27, no. 2, pp. 1389–1412, 2021.
enabled maritime transport system,” IEEE Trans. Intell. Transp. Syst., to [30] R. Vinoth, L. J. Deborah, P. Vijayakumar, and N. Kumar, “Secure multi-
be published, doi: 10.1109/TITS.2021.3134643.. factor authenticated key agreement scheme for industrial IoT,” IEEE
[8] B. Liang, M. Obaidat, X. Liu, H. Zhou, and M. Dong, “Resource schedul- Internet Things J., vol. 8, no. 5, pp. 3801–3811, Mar. 2021.
ing based on priority ladders for multiple performance requirements in
wireless body area networks,” IEEE Trans. Veh. Technol., vol. 70, no. 7,
pp. 7027–7036, Jul. 2021.

Authorized licensed use limited to: INTERNATIONAL ISLAMIC UNIVERSITY. Downloaded on November 02,2022 at 11:02:38 UTC from IEEE Xplore. Restrictions apply.