
sensors

Article
A Secure and Lightweight Authentication Protocol for
IoT-Based Smart Homes
JiHyeon Oh 1 , SungJin Yu 1,2 , JoonYoung Lee 1 , SeungHwan Son 1 , MyeongHyun Kim 1 and YoungHo Park 1,3, *

1 School of Electronic and Electrical Engineering, Kyungpook National University, Daegu 41566, Korea;
[email protected] (J.O.); [email protected] (S.Y.); [email protected] (J.L.);
[email protected] (S.S.); [email protected] (M.K.)
2 Electronics and Telecommunications Research Institute, Daejeon 34129, Korea
3 School of Electronics Engineering, Kyungpook National University, Daegu 41566, Korea
* Correspondence: [email protected]; Tel.: +82-53-950-7842

Abstract: With the information and communication technologies (ICT) and Internet of Things (IoT) gradually advancing, smart homes have been able to provide home services to users. The user can enjoy a high level of comfort and improve his quality of life by using home services provided by smart devices. However, the smart home has security and privacy problems, since the user and smart devices communicate through an insecure channel. Therefore, a secure authentication protocol should be established between the user and smart devices. In 2020, Xiang and Zheng presented a situation-aware protocol for device authentication in smart grid-enabled smart home environments. However, we demonstrate that their protocol can suffer from stolen smart device, impersonation, and session key disclosure attacks and fails to provide secure mutual authentication. Therefore, we propose a secure and lightweight authentication protocol for IoT-based smart homes to resolve the security flaws of Xiang and Zheng's protocol. We proved the security of the proposed protocol by performing informal and formal security analyses, using the real or random (ROR) model, Burrows–Abadi–Needham (BAN) logic, and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Moreover, we provide a comparison of performance and security properties between the proposed protocol and related existing protocols. We demonstrate that the proposed protocol ensures better security and lower computational costs than related protocols, and is suitable for practical IoT-based smart home environments.

Keywords: smart homes; IoT; authentication; BAN logic; ROR model; AVISPA

Citation: Oh, J.; Yu, S.; Lee, J.; Son, S.; Kim, M.; Park, Y. A Secure and Lightweight Authentication Protocol for IoT-Based Smart Homes. Sensors 2021, 21, 1488. https://dx.doi.org/10.3390/s21041488

Academic Editor: Sara Comai
Received: 15 January 2021
Accepted: 13 February 2021
Published: 21 February 2021

Publisher's Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Copyright: © 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

1. Introduction
With the development of information and communication technologies (ICT) and Internet of Things (IoT), smart home automation systems are receiving a lot of attention. The smart home is a networking environment that connects smart devices (e.g., IoT and sensors) to each other. Based on these smart devices, users can utilize various home services. When the user is inside the home, the user can control all smart devices with voice commands or applications, granting the user access to services such as turning the TV on/off, choosing music, switching lights on/off, and so on. When the user is outside the home, the user can monitor and control various smart devices by checking their status. Thus, users can enjoy a high level of comfort and an increased quality of life through smart home environments.

Generally, smart home environments consist of the user, smart devices, a home gateway, and a registration authority [1–3]. A remote user wants to use the data collected by smart devices. However, smart devices are resource limited in terms of computational power, amount of memory, and bandwidth [4]. For these reasons, smart devices communicate through the home gateway. The home gateway acts as a bridge between smart devices and remote users by providing short and long-distance wireless communication interfaces

Sensors 2021, 21, 1488. https://doi.org/10.3390/s21041488 https://www.mdpi.com/journal/sensors


that maintain the connectivity with internal smart devices and remote users [5]. Users can remotely operate smart devices with the help of a home gateway using Internet-enabled mobile phones and tablets anytime and anywhere. Thus, the home gateway plays a crucial role by controlling the data exchange. It manages the communication between internal and external surroundings.

Unfortunately, the smart home has security and privacy problems because the sensitive data collected by smart devices are exchanged through wireless networks. If an adversary obtains the data, the adversary will abuse them for his own purposes. Thus, security and privacy are essential elements to providing secure home services. In addition, the exchanged data should meet confidentiality, integrity, and availability standards. Asymmetric and symmetric key cryptosystems are inappropriate for applying to low-capacity devices because they generate high computational costs. Thus, secure and lightweight authentication protocols are necessary to provide security and privacy in IoT-based smart homes.

In 2020, Xiang and Zheng [6] proposed a situation-aware protocol for device authentication in smart grid-enabled smart home environments. Xiang and Zheng claimed that their protocol can withstand impersonation, man-in-the-middle (MITM), and replay attacks. Xiang and Zheng also demonstrated that their protocol can provide data integrity and mutual authentication. However, herein we prove that their protocol does not prevent stolen smart device, impersonation, and session key disclosure attacks, and fails to ensure mutual authentication. They also mentioned that their protocol concentrates on the security of smart grid-enabled smart home environments. However, they proposed an authentication protocol that is only for smart home environments. Thus, we focus on general smart home environments and present a secure and lightweight authentication protocol for IoT-based smart homes that deals with the security drawbacks of Xiang and Zheng's protocol [6]. The proposed protocol is efficient for resource-constrained smart devices because we use only one-way hash functions and XOR operations.

1.1. Contributions
This paper has the following main contributions.
• We analyze the security vulnerabilities of Xiang and Zheng's protocol [6]. To resolve the security drawbacks of their protocol, we propose a secure and lightweight authentication protocol for IoT-based smart homes.
• We demonstrate that our protocol is secure against various kinds of known attacks by reporting on an informal security analysis.
• We conducted formal analysis using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool [7–9], Burrows–Abadi–Needham (BAN) logic [10], and the real or random (ROR) model [11]. With the formal analysis, we proved secure mutual authentication, the session key security, and the resistance against MITM and replay attacks of our protocol.
• We provide a comparison of performance and security properties between our protocol and related protocols. The results show that our protocol provides better security and computational costs compared to related protocols.

1.2. Adversary Model


We adopted the widely-used Dolev–Yao (DY) threat model [12–14] and the Canetti
and Krawczyk (CK) adversary threat model [15,16] to evaluate the security of the proposed
protocol. The capabilities of an adversary A can be defined as follows.
• A can eavesdrop, intercept, inject, replay, and modify transmitted messages via a
public channel and then A can perform MITM, replay, impersonation attacks, etc. [17].
• A can steal the legal user’s mobile device or smart device and extract secret credentials
stored in the memory by performing the power analysis attack [18–21].
• A can access short-term keys, long-term keys, and session states of each party.

In addition, we developed some assumptions for our protocol. A cannot feasibly guess the identity and password of the mobile user simultaneously [22–24]. A cannot extract the data stored in the home gateway's database, since the home gateway has a secure database.

1.3. Organization
The remaining parts of this paper are structured as follows. In Section 2, we briefly
discuss existing proposed protocols in IoT-based smart homes. We suggest the system
model of the proposed protocol in Section 3. We review Xiang and Zheng’s protocol in
Section 4 and analyze security weaknesses of Xiang and Zheng’s protocol in Section 5.
Section 6 proposes a secure and lightweight authentication protocol for IoT-based smart
homes to improve the security drawbacks of Xiang and Zheng’s protocol. Section 7 analyzes
the security of our protocol through informal and formal analyses with BAN logic, the
ROR model, and the AVISPA tool. In Section 8, we present the results of performance
and security property comparisons between the proposed protocol and related protocols.
Finally, we present the conclusion in Section 9.

2. Related Works
In the last few years, many researchers proposed authentication protocols to provide secure communication between users and smart devices in smart home environments. Santoso and Vun [25] proposed a secure authentication protocol using elliptic curve cryptography (ECC) in IoT-based smart homes. Several authors [26,27] revealed that Santoso and Vun's protocol [25] is vulnerable to privileged-insider and stolen smart card attacks, and fails to achieve user anonymity and untraceability. Dey and Hossian [28] presented a secure session key establishment protocol for smart home environments using public key cryptosystems. Dey and Hossian [28] proved that their protocol achieves resilience against various attacks. Unfortunately, some researchers [29,30] pointed out that Dey and Hossian's protocol [28] has various security drawbacks, such as device compromised and known-key attacks, and is unsuccessful in ensuring anonymity and confidentiality. Shuai et al. [31] suggested an ECC-based anonymous authentication protocol for smart home environments. These protocols [25,28,31] use asymmetric key cryptosystems such as ECC for smart home security. However, in terms of costs, symmetric key cryptosystems are more efficient than asymmetric key cryptosystems for deployment on resource-constrained smart devices.

In view of the computational cost for low capacity devices, many authentication protocols have been proposed using symmetric key cryptosystems in smart home environments. Vaidya et al. [32] proposed a robust authentication protocol to provide secure remote access in home environments using symmetric key cryptosystems. Vaidya et al. [32] claimed that their protocol resists synchronization and stolen smart card attacks, and provides forward secrecy and mutual authentication. However, Kim and Kim [33] demonstrated that Vaidya et al.'s protocol [32] does not resist password guessing and smart card loss attacks, and does not provide forward secrecy. To resolve the security problems in Vaidya et al.'s protocol [32], Kim and Kim [33] proposed an improved authentication protocol. Wazid et al. [34] proposed a symmetric key-based secure remote user authentication protocol to provide future secure communications. Wazid et al. [34] proved that their protocol is secure against other possible known attacks. Lyu et al. [35] pointed out that Wazid et al.'s protocol [34] is not secure against desynchronization and compromised server attacks. Poh et al. [36] proposed a privacy-preserving authentication protocol to support data confidentiality. Unfortunately, Irshad et al. [37] pointed out that Poh et al.'s protocol [36] cannot maintain the privacy of authentication parameters. Although these protocols [32–36] use symmetric key cryptosystems considering the low capacity devices, symmetric key cryptosystems are still unacceptable for smart devices with limited resources in terms of computational costs.

Recently, several lightweight authentication protocols [6,38] have been proposed for smart home environments to solve these problems. Banerjee et al. [38] presented an anonymous and robust authentication protocol for IoT-based smart homes using one-way hash functions, XOR operations, and a fuzzy extractor. Banerjee et al. [38] proved that their protocol resists various attacks. However, AL-Turjman and Deebak [39] pointed out that Banerjee et al.'s protocol [38] does not provide identity protection, traceability, or session secret key agreement. Xiang and Zheng [6] presented a situation-aware protocol for device authentication in smart home environments. Xiang and Zheng [6] claimed that their protocol resists various security threats and ensures data integrity and mutual authentication. However, we prove here that Xiang and Zheng's protocol [6] cannot ensure secure mutual authentication and is vulnerable to stolen smart device, impersonation, and session key disclosure attacks. Therefore, we propose a secure and lightweight authentication protocol for IoT-based smart homes to improve the security flaws of Xiang and Zheng's protocol [6].

3. System Model
Xiang and Zheng [6] claimed that their protocol concentrates on the security of smart
grid-enabled smart home environments, but they proposed an authentication protocol that
is only for smart home environments. Therefore, we focus on the architecture of general
IoT-based smart home environments. The system model is shown in Figure 1.

Figure 1. System model for IoT-based smart homes.

The proposed system is composed of a mobile user (MU), a smart device (SD), a home
gateway (HGW), and a registration authority (RA). RA and HGW are trusted entities in
smart home environments. RA is responsible for initializing the system and registering
MU and SD. MU first needs to register at RA to utilize services. SD and HGW also need to
register at RA for providing home services. After receiving the registration request message
from MU and SD, RA stores the information of each entity in the mobile device of MU and
in the memory of SD. RA also stores all information required for the authentication of the
MU and SD in HGW’s database. Then, the MU and SD perform the mutual authentication
and session key agreement with the help of the HGW. With this session key, MU and SD
can utilize secure smart home services.

4. Review of Xiang and Zheng’s Protocol


This section reviews Xiang and Zheng’s protocol [6]. Xiang and Zheng proposed an
authentication protocol according to the security risk level in smart home environments.
Their protocol consists of smart device registration, and authentication and key agreement
phases. The notation of this paper is described in Table 1.
4.1. Smart Device Registration Phase


At the registration phase, RA generates an identity $ID_{SD}$ and a random number $r_{RA}$ for SD and computes $S_i = h(ID_{SD} || r_{RA})$. Then, RA sends $\{ID_{SD}, S_i\}$ to SD and $\{ID_{SD}, r_{RA}\}$ to HGW through a secure channel.

Table 1. Notation.

Notation | Description
MU | Mobile user
HGW | Home gateway
SD | Smart device
RA | Registration authority
$ID_{MU}$ | Identity of MU
$ID_G$ | Identity of HGW
$ID_{SD}$ | Identity of SD
$PID_{MU}$ | Pseudo identity of MU
$PID_{SD}$ | Pseudo identity of SD
$PW_{MU}$ | Password of MU
$K_{RA}$ | Master key of RA
$K_{SD}$ | Secret key of SD
$K_{MUG}$ | Shared secret key between MU and HGW
$K_{GSD}$ | Shared secret key between HGW and SD
$r_{MU}, r_{RA}, r_{SD}, RN_{MU}, RN_G, RN_{SD}$ | Random numbers
$SK$ | Session key between MU and SD
$h(\cdot)$ | One-way hash function
$E_K(\cdot)/D_K(\cdot)$ | Symmetric encryption/decryption using key $K$
$\oplus$ | XOR operation
$||$ | Concatenation operation
$T$ | Timestamp
$\Delta T$ | Maximum transmission delay
$HE_{i,L}/HE_{i,H}$ | Message header at the low/high security risk level

4.2. Authentication and Key Agreement Phase


After the registration, SD sends the message $MSG_1 = [HE_1 || ID_{SD}]$ to HGW in the authentication and key agreement phase, where $HE_1 = \text{'SD-AUTH'}$ is the message header of $MSG_1$. Upon getting $MSG_1$, HGW receives the current situation from the smart home system regarding whether the security risk level is low or high. According to the security risk level, the authentication phase is divided into the low-security-risk and high-security-risk cases.

4.2.1. Low Security Risk


When HGW receives a low-security-risk level report, the authentication phase proceeds as described below.

Step 1: HGW computes $S_i^* = h(ID_{SD}^* || r_{RA})$ and extracts the current timestamp $T_1$. Then HGW calculates $C_{1,L} = (ID_G || T_1) \oplus S_i^*$ and $C_{2,L} = h(HE_{2,L} || ID_G || T_1 || S_i^*)$. Finally, HGW sends $MSG_{2,L} = [HE_{2,L} || C_{1,L} || C_{2,L}]$ to SD through an insecure channel, where $HE_{2,L} = \text{'HGW-LOW'}$ is the header of the message $MSG_{2,L}$.
Step 2: Upon receiving the message $MSG_{2,L}$ at timestamp $T_1'$, SD knows from the message header that the current security risk level is low. SD also computes $C_{2,L}^* = h(HE_{2,L}^* || ID_G^* || T_1^* || S_i)$ and checks if $|T_1' - T_1^*| \le \Delta T$ and $C_{2,L}^* \stackrel{?}{=} C_{2,L}$. If they are not equal, the authentication process is aborted. Then, SD computes $A_i = h(ID_G^* || h(ID_{SD} || S_i))$ and extracts the current timestamp $T_2$. SD also computes $C_{3,L} = (ID_{SD} || T_2) \oplus A_i$ and $C_{4,L} = h(HE_{3,L} || ID_{SD} || T_2 || A_i)$. Finally, SD sends $MSG_{3,L} = [HE_{3,L} || C_{3,L} || C_{4,L}]$ to HGW, where $HE_{3,L} = \text{'SD-LOW'}$ is the header of the message $MSG_{3,L}$. SD computes the session key $SK = h(T_1^* || T_2 || S_i || A_i)$ for future data communication.
Step 3: After receiving $MSG_{3,L}$ at timestamp $T_2'$, HGW computes $A_i^* = h(ID_G || h(ID_{SD} || S_i^*))$, $(ID_{SD}^* || T_2^*) = C_{3,L}^* \oplus A_i^*$, and $C_{4,L}^* = h(HE_{3,L}^* || ID_{SD}^* || T_2^* || A_i^*)$. Then, HGW checks if $|T_2' - T_2^*| \le \Delta T$ and $C_{4,L}^* \stackrel{?}{=} C_{4,L}$. If the checks pass, HGW computes the session key $SK = h(T_1 || T_2^* || S_i^* || A_i^*)$ and adds $ID_{SD}$ to the trusted device list.

4.2.2. High Security Risk


If HGW receives a situation report detailing that the current security risk level is high, the authentication phase contains the following steps.

Step 1: HGW computes $S_i^* = h(ID_{SD}^* || r_{RA})$ and generates a random number $RN_G$. After that, HGW extracts the current timestamp $T_1$ and computes $C_{1,H} = E_{S_i^*}(ID_G || T_1 || RN_G)$ and $C_{2,H} = h(HE_{2,H} || ID_G || T_1 || RN_G)$. Then, HGW sends the message $MSG_{2,H} = [HE_{2,H} || C_{1,H} || C_{2,H}]$ to SD through a public channel, where $HE_{2,H} = \text{'HGW-HIGH'}$ is the message header of $MSG_{2,H}$.
Step 2: After getting $MSG_{2,H}$ at timestamp $T_1'$, SD knows from the header of $MSG_{2,H}$ that the security risk level is high. SD then computes $(ID_G^* || T_1^* || RN_G^*) = D_{S_i}(C_{1,H}^*)$ and $C_{2,H}^* = h(HE_{2,H}^* || ID_G^* || T_1^* || RN_G^*)$. After that, SD checks whether $|T_1' - T_1^*| \le \Delta T$ and $C_{2,H}^* \stackrel{?}{=} C_{2,H}$. If the check fails, the authentication process is terminated. Otherwise, SD computes $A_i = h(ID_G^* || h(ID_{SD} || S_i))$ and generates a random number $RN_{SD}$. Then, SD extracts the current timestamp $T_2$ and computes $C_{3,H} = E_{A_i}(ID_{SD} || T_2 || RN_{SD})$ and $C_{4,H} = h(HE_{3,H} || ID_{SD} || T_2 || RN_{SD})$. Finally, SD sends the message $MSG_{3,H} = [HE_{3,H} || C_{3,H} || C_{4,H}]$ to HGW, where $HE_{3,H} = \text{'SD-HIGH'}$ is the message header of $MSG_{3,H}$, and computes the session key $SK = h(T_1^* || T_2 || S_i || A_i || RN_{SD} || RN_G^*)$.
Step 3: Upon receiving $MSG_{3,H}$ at timestamp $T_2'$, HGW computes $A_i^* = h(ID_G || h(ID_{SD} || S_i^*))$, $(ID_{SD}^* || T_2^* || RN_{SD}^*) = D_{A_i^*}(C_{3,H}^*)$, and $C_{4,H}^* = h(HE_{3,H}^* || ID_{SD}^* || T_2^* || RN_{SD}^*)$. Then, HGW checks whether $|T_2' - T_2^*| \le \Delta T$ and $C_{4,H}^* \stackrel{?}{=} C_{4,H}$. If the checks pass, HGW computes the session key $SK = h(T_1 || T_2^* || S_i^* || A_i^* || RN_{SD}^* || RN_G)$ and adds $ID_{SD}$ to the trusted device list.

5. Cryptanalysis of Xiang and Zheng’s Protocol


In this section, we discuss the security flaws of Xiang and Zheng’s protocol. We
demonstrate that their protocol is vulnerable to various attacks and does not perform
secure mutual authentication.

5.1. Stolen Smart Device Attack


We suppose that an adversary A can obtain the secret credentials $\{ID_{SD}, S_i\}$ of SD using power analysis, according to Section 1.2. Xiang and Zheng's protocol sends the authentication request message $MSG_1 = [HE_1 || ID_{SD}]$ as plaintext, so A can obtain $HE_1$ from $[HE_1 || ID_{SD}]$ of a previous session. Then, A can construct the message $MSG_1$ at any time and perform various attacks with the secret credentials. In conclusion, their protocol does not prevent the stolen smart device attack.

5.2. Impersonation Attack


According to Section 1.2, A can perform an impersonation attack at both the low- and high-security-risk levels. The detailed processes are below.

5.2.1. Low Security Risk


A can perform the impersonation attack with the following steps.

Step 1: With the secret credentials $\{ID_{SD}, S_i\}$ obtained from SD and $HE_1$ from the previous session, A can send the message $MSG_1 = [HE_1 || ID_{SD}]$.
Step 2: Upon getting $MSG_1$, HGW computes $S_i^* = h(ID_{SD}^* || r_{RA})$ and extracts the current timestamp $T_1$. After that, HGW computes $C_{1,L} = (ID_G || T_1) \oplus S_i^*$ and $C_{2,L} = h(HE_{2,L} || ID_G || T_1 || S_i^*)$, and sends the message $MSG_{2,L} = [HE_{2,L} || C_{1,L} || C_{2,L}]$.
Step 3: After receiving $MSG_{2,L}$, A computes $(ID_G^* || T_1^*) = C_{1,L}^* \oplus S_i$ and $C_{2,L}^* = h(HE_{2,L}^* || ID_G^* || T_1^* || S_i)$. Then, A verifies the validity of $T_1^*$ and $C_{2,L}^*$. If they are valid, A computes $A_i = h(ID_G^* || h(ID_{SD} || S_i))$ and generates the current timestamp $T_2$. After that, A computes $C_{3,L} = (ID_{SD} || T_2) \oplus A_i$ and $C_{4,L} = h(HE_{3,L} || ID_{SD} || T_2 || A_i)$. Finally, A sends the message $MSG_{3,L} = [HE_{3,L} || C_{3,L} || C_{4,L}]$ to HGW and computes the session key $SK = h(T_1^* || T_2 || S_i || A_i)$.
Step 4: Upon getting $MSG_{3,L}$, HGW computes $A_i^* = h(ID_G || h(ID_{SD} || S_i^*))$, $(ID_{SD}^* || T_2^*) = C_{3,L}^* \oplus A_i^*$, and $C_{4,L}^* = h(HE_{3,L}^* || ID_{SD}^* || T_2^* || A_i^*)$. After that, HGW checks the validity of $T_2^*$ and $C_{4,L}^*$. If they are valid, HGW computes $SK = h(T_1 || T_2^* || S_i^* || A_i^*)$.

Thus, A can impersonate SD successfully, and Xiang and Zheng's protocol cannot prevent the impersonation attack at the low-security-risk level.

5.2.2. High Security Risk


With the obtained secret credentials $\{ID_{SD}, S_i\}$, A can disguise as SD; the detailed steps are below.

Step 1: A can send $MSG_1 = [HE_1 || ID_{SD}]$ to HGW using the obtained secret credentials $\{ID_{SD}, S_i\}$ and $HE_1$.
Step 2: Upon getting $MSG_1$, HGW calculates $S_i^* = h(ID_{SD}^* || r_{RA})$ and generates a random number $RN_G$. After that, HGW extracts the current timestamp $T_1$ and computes $C_{1,H} = E_{S_i^*}(ID_G || T_1 || RN_G)$ and $C_{2,H} = h(HE_{2,H} || ID_G || T_1 || RN_G)$. Then, HGW sends $MSG_{2,H} = [HE_{2,H} || C_{1,H} || C_{2,H}]$.
Step 3: After receiving $MSG_{2,H}$, A computes $(ID_G^* || T_1^* || RN_G^*) = D_{S_i}(C_{1,H}^*)$ and $C_{2,H}^* = h(HE_{2,H}^* || ID_G^* || T_1^* || RN_G^*)$. Then, A verifies the validity of $T_1^*$ and $C_{2,H}^*$. If all checks pass, A computes $A_i = h(ID_G^* || h(ID_{SD} || S_i))$, generates a random number $RN_{SD}$, and extracts the current timestamp $T_2$. After that, A computes $C_{3,H} = E_{A_i}(ID_{SD} || T_2 || RN_{SD})$, $C_{4,H} = h(HE_{3,H} || ID_{SD} || T_2 || RN_{SD})$, and $SK = h(T_1^* || T_2 || S_i || A_i || RN_{SD} || RN_G^*)$. Finally, A sends $MSG_{3,H} = [HE_{3,H} || C_{3,H} || C_{4,H}]$ to HGW.
Step 4: Upon getting $MSG_{3,H}$, HGW computes $A_i^* = h(ID_G || h(ID_{SD} || S_i^*))$, $(ID_{SD}^* || T_2^* || RN_{SD}^*) = D_{A_i^*}(C_{3,H}^*)$, and $C_{4,H}^* = h(HE_{3,H}^* || ID_{SD}^* || T_2^* || RN_{SD}^*)$. Then, HGW checks the validity of $T_2^*$ and $C_{4,H}^*$. If they are valid, HGW computes $SK = h(T_1 || T_2^* || S_i^* || A_i^* || RN_{SD}^* || RN_G)$.

In conclusion, Xiang and Zheng's protocol cannot prevent the impersonation attack at the high-security-risk level because A can impersonate SD successfully.

5.3. Session Key Disclosure Attack


As mentioned in Section 1.2, A can extract the secret credentials $\{ID_{SD}, S_i\}$. In addition, according to Section 5.2, A can obtain the session key between SD and HGW at both the low-security-risk and high-security-risk levels. With the obtained session key, A can communicate with HGW and misinform HGW for A's own purposes. Therefore, Xiang and Zheng's protocol is vulnerable to the session key disclosure attack.

5.4. Mutual Authentication


Xiang and Zheng claimed that their protocol supports mutual authentication between SD and HGW because $S_i$ and $A_i$ cannot be obtained from the eavesdropped messages. However, in accordance with Section 5.2, A can generate an authentication request message $MSG_1 = [HE_1 || ID_{SD}]$ and calculate the session key $SK = h(T_1 || T_2 || S_i || A_i)$ and $SK = h(T_1 || T_2 || S_i || A_i || RN_{SD} || RN_G)$ at the low-security-risk and high-security-risk levels, respectively. Thus, Xiang and Zheng's protocol does not satisfy secure mutual authentication between SD and HGW.
6. Proposed Protocol
In this section, we present a secure and lightweight authentication protocol for IoT-
based smart homes to improve the security drawbacks of Xiang and Zheng’s protocol [6].
The proposed protocol consists of four phases: initialization, registration, authentication
and key agreement, and password update.

6.1. Initialization Phase


Before SD and HGW are deployed in the smart home, RA generates a master key K RA .
HGW has a unique identity IDG , and SD has a unique identity IDSD and secret key KSD .

6.2. Registration Phase


The detailed registration phases for the smart device and user are below.

6.2.1. Smart Device Registration Phase


To provide home services to MU, SD must register at RA. We indicate the registration
phase of SD and RA in Figure 2, and detailed steps are described below.

Step 1: SD generates a random number rSD and computes PIDSD = h( IDSD ||rSD ). Then,
SD sends { PIDSD , rSD } to RA through a secure channel.
Step 2: Upon getting the message, RA generates r RA and computes KGSD = h( PIDSD ||
K RA ||r RA ). Then, RA stores { PIDSD , KGSD , rSD } in HGW’s database and sends
{KGSD } to SD over a secure channel. After that, RA makes PIDSD public.
Step 3: After receiving the message, SD computes B1 = rSD ⊕ h( IDSD ||KSD ) and B2 =
KGSD ⊕ h(rSD ||KSD ). Then, SD stores { B1 , B2 , PIDSD } in the memory.

SD: generates $r_{SD}$; computes $PID_{SD} = h(ID_{SD} || r_{SD})$.
SD → RA: $\{PID_{SD}, r_{SD}\}$
RA: generates $r_{RA}$; computes $K_{GSD} = h(PID_{SD} || K_{RA} || r_{RA})$; stores $\{PID_{SD}, K_{GSD}, r_{SD}\}$ in HGW's database.
RA → SD: $\{K_{GSD}\}$
SD: computes $B_1 = r_{SD} \oplus h(ID_{SD} || K_{SD})$ and $B_2 = K_{GSD} \oplus h(r_{SD} || K_{SD})$; stores $\{B_1, B_2, PID_{SD}\}$ in the memory.

Figure 2. Smart device registration phase of the proposed protocol.

6.2.2. Mobile User Registration Phase


MU must register at RA to use the data transmitted from SD. Figure 3 shows the
registration phase of MU and RA. This phase is described as follows.

Step 1: MU selects identity and password { ID MU , PWMU } and generates a random num-
ber r MU . Then, MU computes PID MU = h( ID MU ||r MU ) and sends { PID MU } to RA
through a secure channel.
Step 2: Upon receiving the message, RA computes K MUG = h( PID MU ||K RA ||r RA ) and
RID MU = h( PID MU ||K MUG ). Then, RA stores { PID MU , RID MU , K MUG } in HGW’s
database and sends {K MUG , RID MU } to MU via a secure channel.
Step 3: After receiving the message, MU computes HPWMU = h( PWMU ||r MU ), A1 =
r MU ⊕ h( ID MU || PWMU ), A2 = h( ID MU || PWMU ||r MU || HPWMU ), A3 = RID MU ⊕
h(r MU || HPWMU ), and A4 = K MUG ⊕ h( RID MU || HPWMU ). Then, MU stores
{ A1 , A2 , A3 , A4 , PID MU } in the mobile device.
MU: selects $ID_{MU}, PW_{MU}$; generates a random number $r_{MU}$; computes $PID_{MU} = h(ID_{MU} || r_{MU})$.
MU → RA: $\{PID_{MU}\}$
RA: computes $K_{MUG} = h(PID_{MU} || K_{RA} || r_{RA})$ and $RID_{MU} = h(PID_{MU} || K_{MUG})$; stores $\{PID_{MU}, RID_{MU}, K_{MUG}\}$ in HGW's database.
RA → MU: $\{K_{MUG}, RID_{MU}\}$
MU: computes $HPW_{MU} = h(PW_{MU} || r_{MU})$, $A_1 = r_{MU} \oplus h(ID_{MU} || PW_{MU})$, $A_2 = h(ID_{MU} || PW_{MU} || r_{MU} || HPW_{MU})$, $A_3 = RID_{MU} \oplus h(r_{MU} || HPW_{MU})$, and $A_4 = K_{MUG} \oplus h(RID_{MU} || HPW_{MU})$; stores $\{A_1, A_2, A_3, A_4, PID_{MU}\}$ in the mobile device.

Figure 3. Mobile user registration phase of the proposed protocol.

6.3. Authentication and Key Agreement Phase


To utilize secure home services, MU and SD establish a session key with the help of
HGW. We indicate the detailed steps below, and a summarized version of this phase is in
Figure 4.

Step 1: MU inputs identity and password $\{ID_{MU}, PW_{MU}\}$ and computes $r_{MU} = A_1 \oplus h(ID_{MU} || PW_{MU})$, $HPW_{MU} = h(PW_{MU} || r_{MU})$, and $A_2^* = h(ID_{MU} || PW_{MU} || r_{MU} || HPW_{MU})$. Then, MU checks if $A_2^* \stackrel{?}{=} A_2$. If this condition is satisfied, MU generates a random nonce $RN_{MU}$ and computes $RID_{MU} = A_3 \oplus h(r_{MU} || HPW_{MU})$, $K_{MUG} = A_4 \oplus h(RID_{MU} || HPW_{MU})$, $M_1 = h(PID_{MU} || RID_{MU} || K_{MUG}) \oplus (RN_{MU} || PID_{SD})$, $C_1 = h(ID_{MU} || RN_{MU}) \oplus h(K_{MUG} || RN_{MU})$, and $V_{MU} = h(PID_{MU} || RID_{MU} || RN_{MU} || PID_{SD} || K_{MUG})$. After that, MU sends $\{PID_{MU}, M_1, C_1, V_{MU}\}$ to HGW through a public channel.
Step 2: Upon getting the message, HGW retrieves $RID_{MU}$ and $K_{MUG}$ corresponding to $PID_{MU}$, and computes $(RN_{MU}^* || PID_{SD}^*) = M_1 \oplus h(PID_{MU} || RID_{MU} || K_{MUG})$ and $V_{MU}^* = h(PID_{MU} || RID_{MU} || RN_{MU}^* || PID_{SD}^* || K_{MUG})$. HGW checks if $V_{MU}^* \stackrel{?}{=} V_{MU}$. If it is equal, HGW retrieves $K_{GSD}$ and $r_{SD}$ corresponding to $PID_{SD}$. Then, HGW generates a random nonce $RN_G$ and computes $M_2 = h(RN_{MU} || RN_G)$, $M_3 = h(PID_{SD} || K_{GSD} || r_{SD}) \oplus M_2$, $h(ID_{MU} || RN_{MU}) = C_1 \oplus h(K_{MUG} || RN_{MU})$, $C_2 = (h(ID_{MU} || RN_{MU}) || h(ID_G || RN_G)) \oplus h(K_{GSD} || r_{SD})$, and $V_{MUG} = h(PID_{MU} || M_2 || K_{GSD})$. Finally, HGW sends $\{PID_{MU}, M_3, C_2, V_{MUG}\}$ to SD.
Step 3: After receiving the message, SD computes $r_{SD} = B_1 \oplus h(ID_{SD} || K_{SD})$, $K_{GSD} = B_2 \oplus h(r_{SD} || K_{SD})$, $M_2^* = M_3 \oplus h(PID_{SD} || K_{GSD} || r_{SD})$, and $V_{MUG}^* = h(PID_{MU} || M_2^* || K_{GSD})$. SD checks if $V_{MUG}^* \stackrel{?}{=} V_{MUG}$. If this condition is valid, SD generates a random nonce $RN_{SD}$. Then, SD computes $(h(ID_{MU} || RN_{MU}) || h(ID_G || RN_G)) = C_2 \oplus h(K_{GSD} || r_{SD})$, $SK = h(h(ID_{MU} || RN_{MU}) || h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}))$, $M_4 = h(PID_{SD} || K_{GSD} || r_{SD}) \oplus h(ID_{SD} || RN_{SD})$, and $V_{SD} = h(PID_{MU} || PID_{SD} || M_2^* || h(ID_{SD} || RN_{SD}) || K_{GSD})$. Finally, SD sends $\{M_4, V_{SD}\}$ to HGW.
Step 4: Upon receiving the message, HGW computes $h(ID_{SD} || RN_{SD}) = M_4 \oplus h(PID_{SD} || K_{GSD} || r_{SD})$ and $V_{SD}^* = h(PID_{MU} || PID_{SD} || M_2 || h(ID_{SD} || RN_{SD}) || K_{GSD})$. HGW checks if $V_{SD}^* \stackrel{?}{=} V_{SD}$. Then, HGW computes $SK = h(h(ID_{MU} || RN_{MU}) || h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}))$, $PID_{MU}^{new} = h(PID_{MU} || RN_{MU})$, and $RID_{MU}^{new} = h(PID_{MU}^{new} || K_{MUG})$, and computes $M_5 = h(RID_{MU} || RN_{MU}) \oplus (h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}) || PID_{MU}^{new})$ and $V_{GSD} = h(PID_{MU} || RN_{MU} || h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}) || PID_{MU}^{new} || K_{MUG})$. HGW stores $\{PID_{MU}, RID_{MU}\}$ with $\{PID_{MU}^{new}, RID_{MU}^{new}\}$ in HGW's database. Finally, HGW sends $\{M_5, V_{GSD}\}$ to MU.
Step 5: After receiving the message, MU computes $PID_{MU}^{new} = h(PID_{MU} || RN_{MU})$, $(h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}) || PID_{MU}^{new}) = M_5 \oplus h(RID_{MU} || RN_{MU})$, and $V_{GSD}^* = h(PID_{MU} || RN_{MU} || h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}) || PID_{MU}^{new} || K_{MUG})$. MU checks if $V_{GSD}^* \stackrel{?}{=} V_{GSD}$. After that, MU computes $SK = h(h(ID_{MU} || RN_{MU}) || h(ID_G || RN_G) || h(ID_{SD} || RN_{SD}))$. Then, MU updates $RID_{MU}^{new} = h(PID_{MU}^{new} || K_{MUG})$, $A_3^{new} = RID_{MU}^{new} \oplus h(r_{MU} || HPW_{MU})$, and $A_4^{new} = K_{MUG} \oplus h(RID_{MU}^{new} || HPW_{MU})$. Then, MU replaces $\{A_3, A_4, PID_{MU}\}$ with $\{A_3^{new}, A_4^{new}, PID_{MU}^{new}\}$ in the mobile device. MU computes $M_6 = h(SK || PID_{MU}^{new})$ and sends $M_6$ to HGW.
Step 6: After receiving the message from MU, HGW computes $M_6^* = h(SK || PID_{MU}^{new})$ and checks if $M_6^* \stackrel{?}{=} M_6$. If it is correct, HGW deletes $\{PID_{MU}, RID_{MU}\}$ from the database.

Mobile user (MU) holds {A1, A2, A3, A4, PID_MU}; home gateway (HGW) holds {(PID_MU, RID_MU, K_MUG), (PID_SD, K_GSD, r_SD), ID_G}; smart device (SD) holds {B1, B2, PID_SD}.

MU: Inputs ID_MU, PW_MU
MU: Computes r_MU = A1 ⊕ h(ID_MU || PW_MU), HPW_MU = h(PW_MU || r_MU), A2* = h(ID_MU || PW_MU || r_MU || HPW_MU)
MU: Checks A2* = A2
MU: Generates RN_MU
MU: Computes RID_MU = A3 ⊕ h(r_MU || HPW_MU), K_MUG = A4 ⊕ h(RID_MU || HPW_MU), M1 = h(PID_MU || RID_MU || K_MUG) ⊕ (RN_MU || PID_SD), C1 = h(ID_MU || RN_MU) ⊕ h(K_MUG || RN_MU), V_MU = h(PID_MU || RID_MU || RN_MU || PID_SD || K_MUG)
MU → HGW: {PID_MU, M1, C1, V_MU}
HGW: Retrieves RID_MU and K_MUG corresponding to PID_MU
HGW: Computes (RN_MU* || PID_SD*) = M1 ⊕ h(PID_MU || RID_MU || K_MUG), V_MU* = h(PID_MU || RID_MU || RN_MU* || PID_SD* || K_MUG)
HGW: Checks V_MU* = V_MU
HGW: Retrieves K_GSD and r_SD corresponding to PID_SD
HGW: Generates RN_G
HGW: Computes M2 = h(RN_MU || RN_G), M3 = h(PID_SD || K_GSD || r_SD) ⊕ M2, h(ID_MU || RN_MU) = C1 ⊕ h(K_MUG || RN_MU), C2 = (h(ID_MU || RN_MU) || h(ID_G || RN_G)) ⊕ h(K_GSD || r_SD), V_MUG = h(PID_MU || M2 || K_GSD)
HGW → SD: {PID_MU, M3, C2, V_MUG}
SD: Computes r_SD = B1 ⊕ h(ID_SD || K_SD), K_GSD = B2 ⊕ h(r_SD || K_SD), M2* = M3 ⊕ h(PID_SD || K_GSD || r_SD), V_MUG* = h(PID_MU || M2* || K_GSD)
SD: Checks V_MUG* = V_MUG
SD: Generates RN_SD
SD: Computes (h(ID_MU || RN_MU) || h(ID_G || RN_G)) = C2 ⊕ h(K_GSD || r_SD), SK = h(h(ID_MU || RN_MU) || h(ID_G || RN_G) || h(ID_SD || RN_SD)), M4 = h(PID_SD || K_GSD || r_SD) ⊕ h(ID_SD || RN_SD), V_SD = h(PID_MU || PID_SD || M2* || h(ID_SD || RN_SD) || K_GSD)
SD → HGW: {M4, V_SD}
HGW: Computes h(ID_SD || RN_SD) = M4 ⊕ h(PID_SD || K_GSD || r_SD), V_SD* = h(PID_MU || PID_SD || M2 || h(ID_SD || RN_SD) || K_GSD)
HGW: Checks V_SD* = V_SD
HGW: Computes SK = h(h(ID_MU || RN_MU) || h(ID_G || RN_G) || h(ID_SD || RN_SD)), PID_MU^new = h(PID_MU || RN_MU), RID_MU^new = h(PID_MU^new || K_MUG), M5 = h(RID_MU || RN_MU) ⊕ (h(ID_G || RN_G) || h(ID_SD || RN_SD) || PID_MU^new), V_GSD = h(PID_MU || RN_MU || h(ID_G || RN_G) || h(ID_SD || RN_SD) || PID_MU^new || K_MUG)
HGW: Stores {PID_MU, RID_MU} with {PID_MU^new, RID_MU^new} in HGW's database
HGW → MU: {M5, V_GSD}
MU: Computes PID_MU^new = h(PID_MU || RN_MU), (h(ID_G || RN_G) || h(ID_SD || RN_SD) || PID_MU^new) = M5 ⊕ h(RID_MU || RN_MU), V_GSD* = h(PID_MU || RN_MU || h(ID_G || RN_G) || h(ID_SD || RN_SD) || PID_MU^new || K_MUG)
MU: Checks V_GSD* = V_GSD
MU: Computes SK = h(h(ID_MU || RN_MU) || h(ID_G || RN_G) || h(ID_SD || RN_SD))
MU: Updates RID_MU^new = h(PID_MU^new || K_MUG), A3^new = RID_MU^new ⊕ h(r_MU || HPW_MU), A4^new = K_MUG ⊕ h(RID_MU^new || HPW_MU)
MU: Replaces {A3, A4, PID_MU} with {A3^new, A4^new, PID_MU^new} in the mobile device
MU: Computes M6 = h(SK || PID_MU^new)
MU → HGW: {M6}
HGW: Computes M6* = h(SK || PID_MU^new)
HGW: Checks M6* = M6
HGW: If it is correct, deletes {PID_MU, RID_MU} in the database

Figure 4. Authentication and key agreement phase of the proposed protocol.

6.4. Password Update Phase


MU can update the password individually. In Figure 5, we represent the password
update phase and the detailed steps are below.
Step 1: MU inputs identity and old password {ID_MU, PW_MU^old} to the mobile device over a secure channel.
Step 2: Mobile device computes r_MU = A1 ⊕ h(ID_MU || PW_MU^old), HPW_MU = h(PW_MU^old || r_MU), and A2* = h(ID_MU || PW_MU^old || r_MU || HPW_MU). Then, the mobile device checks whether A2* = A2. If this condition is met, the mobile device sends the authentication message to MU.
Step 3: Upon receiving the authentication message, MU inputs the new password PW_MU^new to the mobile device.
Step 4: After getting the new password, the mobile device computes RID_MU = A3 ⊕ h(r_MU || HPW_MU), K_MUG = A4 ⊕ h(RID_MU || HPW_MU), HPW_MU** = h(PW_MU^new || r_MU), A1** = r_MU ⊕ h(ID_MU || PW_MU^new), A2** = h(ID_MU || PW_MU^new || r_MU || HPW_MU**), A3** = RID_MU ⊕ h(r_MU || HPW_MU**), and A4** = K_MUG ⊕ h(RID_MU || HPW_MU**). Finally, the mobile device replaces {A1, A2, A3, A4, PID_MU} with {A1**, A2**, A3**, A4**, PID_MU}.
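An added example (not the paper's code) of the password update phase as it runs on the mobile device: the stored A1 to A4 are unmasked under the old password, the A2 check gates the change, and the same r_MU, RID_MU and K_MUG are re-masked under the new password, so nothing has to be sent to RA or HGW and the next login still finds the same RID_MU and K_MUG. It assumes SHA-256 for h() and 32-byte RID_MU, K_MUG and r_MU; the enroll function and the sample values in the test are constructed stand-ins for the registration phase, not protocol messages.

```python
import hashlib
import os

def h(*parts):  # one-way hash, SHA-256 assumed; '||' in the paper is concatenation
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enroll(ID_MU, PW_MU, RID_MU, K_MUG, PID_MU):
    """Constructed stand-in for registration: the values the mobile device stores."""
    r_MU = os.urandom(32)
    HPW = h(PW_MU, r_MU)
    return dict(A1=xor(r_MU, h(ID_MU, PW_MU)), A2=h(ID_MU, PW_MU, r_MU, HPW),
                A3=xor(RID_MU, h(r_MU, HPW)), A4=xor(K_MUG, h(RID_MU, HPW)), PID=PID_MU)

def unmask(dev, ID_MU, PW_MU):
    """Steps 1-2: recover r_MU and HPW_MU and gate on A2* = A2; also returns the
    RID_MU and K_MUG that the update must carry over unchanged."""
    r = xor(dev["A1"], h(ID_MU, PW_MU))
    HPW = h(PW_MU, r)
    if h(ID_MU, PW_MU, r, HPW) != dev["A2"]:
        raise ValueError("A2* != A2: identity/password rejected")
    RID = xor(dev["A3"], h(r, HPW))
    return r, HPW, RID, xor(dev["A4"], h(RID, HPW))

def login_ok(dev, ID_MU, PW_MU):
    """True if the local A2 check accepts this identity/password pair."""
    try:
        unmask(dev, ID_MU, PW_MU)
        return True
    except ValueError:
        return False

def update_password(dev, ID_MU, PW_old, PW_new):
    """Steps 3-4: re-mask the same r_MU, RID_MU and K_MUG under the new password;
    PID_MU is untouched and nothing is sent to RA or HGW."""
    r, _, RID, K = unmask(dev, ID_MU, PW_old)
    HPW2 = h(PW_new, r)  # HPW_MU**
    return dict(A1=xor(r, h(ID_MU, PW_new)), A2=h(ID_MU, PW_new, r, HPW2),
                A3=xor(RID, h(r, HPW2)), A4=xor(K, h(RID, HPW2)), PID=dev["PID"])
```

After update_password the old password no longer passes the A2 check, all four masked values change, and PID_MU stays the same, which is why HGW needs no notification of the change.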

Mobile user (MU) and mobile device

MU: Inputs ID_MU, PW_MU^old
MU → Mobile device: {ID_MU, PW_MU^old}
Mobile device: Computes r_MU = A1 ⊕ h(ID_MU || PW_MU^old), HPW_MU = h(PW_MU^old || r_MU), A2* = h(ID_MU || PW_MU^old || r_MU || HPW_MU)
Mobile device: Checks A2* = A2
Mobile device → MU: Authentication
MU: Inputs PW_MU^new
MU → Mobile device: {PW_MU^new}
Mobile device: Computes RID_MU = A3 ⊕ h(r_MU || HPW_MU), K_MUG = A4 ⊕ h(RID_MU || HPW_MU), HPW_MU** = h(PW_MU^new || r_MU), A1** = r_MU ⊕ h(ID_MU || PW_MU^new), A2** = h(ID_MU || PW_MU^new || r_MU || HPW_MU**), A3** = RID_MU ⊕ h(r_MU || HPW_MU**), A4** = K_MUG ⊕ h(RID_MU || HPW_MU**)
Mobile device: Replaces {A1, A2, A3, A4, PID_MU} with {A1**, A2**, A3**, A4**, PID_MU}

Figure 5. Password update phase of the proposed protocol.

7. Security Analysis
This section shows informal and formal security analyses of our protocol using BAN
logic, the ROR model, and the AVISPA tool. Through these analyses, we demonstrate that
the proposed protocol prevents various kinds of known attacks.

7.1. Informal Security Analysis


We performed informal analysis to describe how our protocol withstands various
attacks and supports perfect forward secrecy and mutual authentication.

7.1.1. Mobile User Impersonation Attack


According to Section 1.2, an adversary A can have the lost/stolen mobile device of
a legal user MU, and extract secret credentials { A1 , A2 , A3 , A4 , PID MU } using the power
analysis [18,19]. With these values, A can try to impersonate MU by intercepting transmit-
ted messages through an insecure channel. However, A cannot send a valid authentication
request message { M1 , C1 , VMU } because A cannot calculate { HPWMU , RID MU , K MUG }
without the knowledge of the MU’s real identity ID MU , password PWMU , and a random
nonce RNMU . Hence, the proposed protocol resists the mobile user impersonation attack.

7.1.2. Home Gateway Impersonation Attack


Suppose that an adversary A intercepts messages { PID MU , M3 , C2 , VMUG } and
{ M5 , VGSD } over an insecure channel. A can try to calculate the other valid messages
{ PID MU , M3' , C2' , VMUG' } and { M5' , VGSD' }. However, A cannot compute messages, because A has no knowledge of the MU's real identity ID MU and a random nonce RNMU .
In addition, A does not know HGW’s real identity IDG , a random nonce RNG , and the
shared secret key KGSD . Thus, the proposed protocol withstands the home gateway imper-
sonation attack.

7.1.3. Smart Device Impersonation Attack


An adversary A can try to impersonate SD using the exchanged message { M4 , VSD }.
According to Section 1.2, A can extract stored values in the lost/stolen smart device.
However, A cannot compute the message because A does not know the SD’s unique
identity IDSD , secret key KSD , and a random nonce RNSD . Therefore, our protocol prevents
the smart device impersonation attack.

7.1.4. Session Key Disclosure Attack


In accordance with Section 1.2, an adversary A can extract secret credentials
{ A1 , A2 , A3 , A4 , PID MU } and { B1 , B2 , PIDSD } of MU and SD, respectively. To calculate
the session key, A should know real identities and random nonces of MU, HGW, and SD.
However, A cannot obtain { ID MU , IDG , IDSD } and { RNMU , RNG , RNSD } from transmit-
ted messages because these are encrypted with secret keys {K MUG , KGSD , KSD }. Thus, the
proposed protocol withstands the session key disclosure attack.

7.1.5. Replay and MITM Attack


We assume that an adversary A intercepts and resends the previous authentication
request message { PID MU , M1 , C1 , VMU } to HGW for the purpose of disguising MU. HGW
detects RNMU is not fresh by checking the validity of VMU . In addition, even if A tries to
modify the authentication request message, A cannot modify { M1 , C1 , VMU } without the
knowledge of the MU’s real identity ID MU , password PWMU , a random nonce RNMU , and
shared secret key K MUG . In conclusion, our protocol prevents replay and MITM attacks.

7.1.6. Offline Guessing Attack


After extracting the information from the MU’s mobile device, A can obtain A1 =
r MU ⊕ h( ID MU || PWMU ), A2 = h( ID MU || PWMU ||r MU || HPWMU ), A3 = RID MU ⊕ h(r MU ||
HPWMU ), and A4 = K MUG ⊕ h( RID MU || HPWMU ). All of these values are encrypted with
ID MU and PWMU . If A wants to compromise the security of our protocol, A needs to
guess both ID MU and PWMU . However, it is a computationally infeasible problem for A
according to Section 1.2. As a result, our protocol resists the offline guessing attack.

7.1.7. Stolen Smart Device Attack


Assume that an adversary A obtains SD and extracts secret credentials { B1 , B2 , PIDSD }
stored in the memory through the power analysis attack [20,21]. Although A obtains these
values, A cannot get sensitive information of SD because all information stored in the
memory is masked with SD’s unique identity IDSD and secret key KSD . Thus, the proposed
protocol withstands the stolen smart device attack.

7.1.8. Privileged-Insider Attack


In this attack, a privileged-insider adversary A is able to get PID MU during the
MU’s registration phase. Then, A can extract secret credentials { A1 , A2 , A3 , A4 , PID MU }
stored in the mobile device. However, since A does not know the MU’s real identity
ID MU , password PWMU , and a random number r MU , A cannot calculate the session key
SK = h(h( ID MU || RNMU )||h( IDG || RNG )||h( IDSD || RNSD )). Hence, our protocol prevents
the privileged-insider attack.

7.1.9. Known Session-Secret Temporary Information Attack


An adversary A can obtain session specific random nonces { RNMU , RNG , RNSD } to
conduct the known session-secret temporary information attack under the CK-adversary
model. Even if A knows these secrets, A cannot calculate the session key SK = h(h( ID MU ||
RNMU )||h( IDG || RNG )||h( IDSD || RNSD )), because SK consists of MU, HGW, and SD’s
identities. Thus, our protocol withstands the known session-secret temporary informa-
tion attack.

7.1.10. Desynchronization Attack


A desynchronization attack is when an adversary A can modify and block the transmitted messages to make MU, HGW, and SD unable to authenticate in the future. Assume that A tries to modify the messages for desynchronizing the next session. However, as mentioned in Section 7.1.5, A cannot modify the exchanged messages because A has no knowledge about MU's secret credentials. In addition, we assume that A blocks the transmitted messages to disturb the synchronization. HGW calculates PID_MU^new, generates a verification message { M5 , VGSD } using PID_MU^new, and sends it to MU. HGW stores PID_MU^new together with PID MU, and MU checks VGSD . If VGSD is correct, MU updates to PID_MU^new. MU sends the message M6 to HGW to indicate that authentication is complete. Then, HGW checks the validity of M6 . If M6 is validated, HGW deletes the old PID MU and RID MU . Otherwise, HGW keeps both. Through these steps, MU and HGW always have synchronized values. Consequently, a desynchronization attack is impossible in our protocol.
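The bookkeeping just described is easy to get wrong, so here is an added simulation (not the paper's code) of the HGW-side pseudonym table under the two message losses the paragraph considers, M5 dropped and M6 dropped. It keeps only the pseudonym handling of Steps 4 to 6, assumes SHA-256 for h() and 16-byte nonces, and replaces the real session key and the other message fields with random stand-ins; GatewayTable, session and simulate are names chosen for this example.

```python
import hashlib
import os

def h(*parts):  # one-way hash, SHA-256 assumed; '||' in the paper is concatenation
    return hashlib.sha256(b"".join(parts)).digest()

class GatewayTable:
    """HGW-side pseudonym bookkeeping from Steps 4 and 6: the new (PID, RID) pair is
    stored beside the old one, and the old one is retired only once M6 verifies."""
    def __init__(self):
        self.users = {}  # PID_MU -> (RID_MU, K_MUG)

    def register(self, PID, RID, K_MUG):
        self.users[PID] = (RID, K_MUG)

    def prepare_update(self, PID, RN_MU):  # Step 4
        RID, K = self.users[PID]  # KeyError here would mean the pseudonym is unknown
        PID_new = h(PID, RN_MU)
        self.users[PID_new] = (h(PID_new, K), K)  # RID_MU^new = h(PID_MU^new || K_MUG)
        return PID_new

    def commit(self, PID_old, PID_new, SK, M6):  # Step 6
        if h(SK, PID_new) != M6:
            return False
        self.users.pop(PID_old, None)
        return True

def session(gw, mobile, drop_m5=False, drop_m6=False):
    """One run reduced to its pseudonym handling. `mobile` holds the MU's current
    PID; the session key and other message fields are random stand-ins.
    Returns False if HGW does not recognise the pseudonym MU presents."""
    if mobile["PID"] not in gw.users:
        return False  # desynchronised: Step 2 cannot retrieve RID_MU, K_MUG
    RN_MU, SK = os.urandom(16), os.urandom(32)
    PID_new = gw.prepare_update(mobile["PID"], RN_MU)
    if drop_m5:
        return True  # MU never sees PID_MU^new and keeps its old PID; HGW holds both
    PID_old, mobile["PID"] = mobile["PID"], PID_new  # Step 5 on the mobile device
    if drop_m6:
        return True  # HGW keeps both pairs; MU already moved to PID_MU^new
    gw.commit(PID_old, PID_new, SK, h(SK, PID_new))
    return True

def simulate(drops):
    """Run one session per entry of `drops` ('m5', 'm6' or None) and return, per
    session, (lookup succeeded, number of pairs HGW holds afterwards)."""
    gw, mobile = GatewayTable(), {"PID": os.urandom(16)}
    gw.register(mobile["PID"], os.urandom(32), os.urandom(32))
    return [(session(gw, mobile, drop_m5=d == "m5", drop_m6=d == "m6"), len(gw.users))
            for d in drops]
```

Every session in simulate finds the presented pseudonym, whichever message was lost before, which is the synchronization property the paragraph argues. The table size it reports also makes one consequence visible that the text leaves implicit: a pair created in a session whose M5 or M6 was lost is never retired by Step 6 of a later session, because that step deletes only the pseudonym the mobile user actually presented. A deployment therefore needs its own policy for expiring such orphaned pairs; the paper does not specify one.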

7.1.11. Perfect Forward Secrecy


We assume that an adversary A knows long-term secret keys {K RA , K MUG , KGSD , KSD }.
A can try to calculate the session key SK = h(h( ID MU || RNMU )||h( IDG || RNG )||h( IDSD ||
RNSD )). However, A cannot compromise the confidentiality of past communications because
SK is composed of the random nonces { RNMU , RNG , RNSD }, which are generated afresh for each
session. Thus, the proposed protocol provides perfect forward secrecy.

7.1.12. Mutual Authentication


At the authentication and key agreement phase, MU, HGW, and SD check the message validity. MU checks the validity of VGSD* , HGW verifies VMU* = VMU and VSD* = VSD , and SD checks whether VMUG* = VMUG . If the values are correct, each entity authenticates each other. Therefore, our protocol achieves the mutual authentication.

7.1.13. Anonymity and Untraceability


An adversary A can obtain exchanged messages in the authentication and key agree-
ment phase. However, A cannot obtain real identities of MU, HGW, and SD because
these are dependent on {r MU , RNG , rSD }. In addition, MU and HGW update PID MU to
PID_MU^new = h( PID MU || RNMU ) for every session. This makes all messages dynamic at every
session. Consequently, the proposed protocol provides anonymity and untraceability.

7.2. BAN Logic


We performed the formal security analysis with BAN logic to evaluate the secure
mutual authentication of the proposed protocol [10,40]. We present the notation of BAN
logic in Table 2.

Table 2. BAN logic notation.

Notation          Description
skey              Secret key
W |≡ S            W believes statement S
#S                Statement S is fresh
W ◁ S             W receives statement S
W |∼ S            W once said S
W |⇒ S            W controls statement S
<S>_T             Statement S is combined with secret statement T
{S}_skey          Statement S is masked by skey
W ←(skey)→ N      W and N share skey to communicate with each other
W ⇌(skey) N       skey is known only to W, N, and trusted principals of W and N

7.2.1. Rules
We describe the rules of BAN logic in the following; each rule reads "from the premises, infer the conclusion".
• Message meaning rule (MMR): from W |≡ W ←(skey)→ N and W ◁ {S}_skey, infer W |≡ N |∼ S.
• Nonce verification rule (NVR): from W |≡ #(S) and W |≡ N |∼ S, infer W |≡ N |≡ S.
• Jurisdiction rule (JR): from W |≡ N |⇒ S and W |≡ N |≡ S, infer W |≡ S.
• Freshness rule (FR): from W |≡ #(S), infer W |≡ #(S, T).
• Belief rule (BR): from W |≡ (S, T), infer W |≡ S.

7.2.2. Goals
The following are the main goals to demonstrate that our protocol satisfies the secure
mutual authentication.
Goal 1: MU |≡ ( MU ←(SK)→ SD ).
Goal 2: MU |≡ SD |≡ ( MU ←(SK)→ SD ).
Goal 3: SD |≡ ( MU ←(SK)→ SD ).
Goal 4: SD |≡ MU |≡ ( MU ←(SK)→ SD ).

7.2.3. Assumptions
We assume the following to initiate states of the proposed protocol.
A1 : HGW |≡ ( MU ←(SK)→ HGW )
A2 : HGW |≡ #( RNMU )
A3 : SD |≡ ( HGW ←(KGSD)→ SD )
A4 : SD |≡ #( RNG )
A5 : HGW |≡ ( HGW ←(KGSD)→ SD )
A6 : HGW |≡ #( RNSD )
A7 : MU |≡ ( MU ←(K MUG)→ HGW )
A8 : MU |≡ #( RNG )
A9 : MU |≡ HGW |⇒ ( MU ⇌(h( IDG || RNG )||h( IDSD || RNSD )) SD )
A10 : SD |≡ HGW |⇒ ( MU ⇌(h( ID MU || RNMU )||h( IDG || RNG )) SD )
A11 : MU |≡ SD |⇒ ( MU ←(SK)→ SD )
A12 : SD |≡ MU |⇒ ( MU ←(SK)→ SD )

7.2.4. Idealized Forms


We present ideal forms of our protocol as below.
M1 : MU → HGW : ( PID MU , RID MU , RNMU )K MUG
M2 : HGW → SD : ( PID MU , h( ID MU || RNMU ), h( IDG || RNG ), PIDSD , rSD )KGSD
M3 : SD → HGW : ( PID MU , PIDSD , h( ID MU || RNMU ), h( IDSD || RNSD ))KGSD
M4 : HGW → MU : ( RID MU , h( ID MU || RNMU ), h( IDG || RNG ), h( IDSD || RNSD ))K MUG

7.2.5. Proof
We conducted the BAN logic test, and detailed steps are described as follows.

Step 1: From M1 , we can obtain S1 .

S1 : HGW ◁ ( PID MU , RID MU , RNMU )K MUG

Step 2: Using S1 and A1 with MMR, we can get S2 .

S2 : HGW | ≡ MU | ∼ ( PID MU , RID MU , RNMU )K MUG

Step 3: S3 can be obtained using S2 and A2 with FR.

S3 : HGW | ≡ #( PID MU , RID MU , RNMU )K MUG

Step 4: Using S2 and S3 with NVR, we can get S4 .

S4 : HGW | ≡ MU | ≡ ( PID MU , RID MU , RNMU )K MUG

Step 5: We can obtain S5 from M2 .

S5 : SD ◁ ( PID MU , h( ID MU || RNMU ), h( IDG || RNG ), PIDSD , rSD )

Step 6: S6 can be obtained using S5 and A3 with MMR.

S6 : SD | ≡ HGW | ∼ ( PID MU , h( ID MU || RNMU ), h( IDG || RNG ), PIDSD , rSD )KGSD

Step 7: Utilizing S6 and A4 with FR, we can get S7 .

S7 : SD | ≡ #( PID MU , h( ID MU || RNMU ), h( IDG || RNG ), PIDSD , rSD )KGSD

Step 8: For obtaining S8 , we can use S6 and S7 with NVR.

S8 : SD | ≡ HGW | ≡ ( PID MU , h( ID MU || RNMU ), h( IDG || RNG ), PIDSD , rSD )KGSD

Step 9: From M3 , we can obtain S9 .

S9 : HGW ◁ ( PID MU , PIDSD , h( ID MU || RNMU ), h( IDSD || RNSD ))KGSD

Step 10: For getting S10 , we can utilize S9 and A5 with MMR.

S10 : HGW | ≡ SD | ∼ ( PID MU , PIDSD , h( ID MU || RNMU ), h( IDSD || RNSD ))KGSD

Step 11: For obtaining S11 , we can use A6 and S10 with FR.

S11 : HGW | ≡ #( PID MU , PIDSD , h( ID MU || RNMU ), h( IDSD || RNSD ))KGSD

Step 12: Using S10 and S11 with NVR, we can get S12 .

S12 : HGW | ≡ SD | ≡ ( PID MU , PIDSD , h( ID MU || RNMU ), h( IDSD || RNSD ))KGSD

Step 13: We can get S13 from M4 .

S13 : MU ◁ ( RID MU , h( ID MU || RNMU ), h( IDG || RNG ), h( IDSD || RNSD ))K MUG


Step 14: S14 can be obtained using S13 and A7 with MMR.

S14 : MU |≡ HGW |∼ ( RID MU , h( ID MU || RNMU ), h( IDG || RNG ), h( IDSD || RNSD ))K MUG

Step 15: S15 can be obtained using S14 and A8 with FR.

S15 : MU | ≡ #( RID MU , h( ID MU || RNMU ), h( IDG || RNG ), h( IDSD || RNSD ))K MUG

Step 16: Using S14 and S15 with NVR, we can get S16 .

S16 : MU | ≡ HGW | ≡ ( RID MU , h( ID MU || RNMU ), h( IDG || RNG ), h( IDSD || RNSD ))K MUG

Step 17: Since the session key is SK = h(h( ID MU || RNMU )||h( IDG || RNG )||h( IDSD || RNSD )),
we can obtain S17 from S12 , S16 , and A9 .
S17 : MU |≡ SD |≡ ( MU ←(SK)→ SD ) (Goal 2)

Step 18: From S4 , S8 , and A10 , we can get S18 .

S18 : SD |≡ MU |≡ ( MU ←(SK)→ SD ) (Goal 4)

Step 19: S19 can be obtained from S17 and A11 with JR.

S19 : MU |≡ ( MU ←(SK)→ SD ) (Goal 1)

Step 20: S20 can be obtained using S18 and A12 with JR.

S20 : SD |≡ ( MU ←(SK)→ SD ) (Goal 3)

Therefore, MU, HGW, and SD can perform the secure mutual authentication in
our protocol.

7.3. ROR Model


The session key security of the proposed protocol is demonstrated using the ROR
model [11]. We interpret the ROR model before proving the session key security of the
proposed protocol. In the authentication and key agreement phase of the proposed protocol,
we have three participants P^t, which are mobile user P_MU^t1, home gateway P_HGW^t2, and
smart device P_SD^t3. These are instances t1, t2, and t3 for MU, HGW, and SD, respectively. A
can eavesdrop, intercept, or modify transmitted messages through an insecure channel. In
addition, A can simulate active and passive attacks by executing various queries defined
in the ROR model, such as Execute, CorruptMD, Reveal, Send, and Test queries. Detailed
descriptions of the queries are below.
• Execute(P_MU^t1, P_HGW^t2, P_SD^t3): A performs this query to obtain transmitted messages
over a public channel between MU, HGW, and SD.
• CorruptMD(P_MU^t1): This query represents that A can extract sensitive information
stored in the mobile device of MU.
• Reveal(P^t): With this query, A reveals the current session key SK between P_MU^t1
and P_SD^t3. If an adversary A cannot reveal the session key SK between P_MU^t1 and P_SD^t3
using the Reveal(P^t) query, then SK is secure.
• Send(P^t, M): With this query, A can send the message M to P^t and receive a response message.
• Test(P^t): Before the start of the game, a fair coin fc is tossed and the result becomes
known only to A. A uses this result to make a decision in the Test query. If A runs
the Test query and the session key SK is fresh, P^t returns SK for fc = 1 or a random
number for fc = 0. Otherwise, it returns a null (⊥).
After A performs the Test query on P^t, A must distinguish the result value. A uses
the output of the Test query to check the consistency of the random bit fc. A wins the
game when the guessed bit fc' is equal to fc. Moreover, all participants have access to a
collision-resistant cryptographic one-way hash function h(·). We model h(·) as a random
oracle, Hash.

7.3.1. Security Proof


We prove the session key security of the proposed protocol using Zipf’s law [41].

Theorem 1. A can break the session key security of the proposed protocol. We denote the advantage
of A running in polynomial time as AdvA . Then, we obtain the following.

Adv_A ≤ q_h^2 / |Hash| + 2{C · q_send^s}

Here, q_h is the number of Hash queries, |Hash| is the range space of the hash function h(·), and
q_send is the number of Send queries. In addition, C and s denote Zipf's parameters [41].

Proof. The proof of Theorem 1 is similar to those presented in [42,43]. We prove the session key
security through a sequence of four games, GMi , where i ∈ [0, 3]. SuccA,i indicates the
event that A wins GMi by guessing the random bit f c correctly. We denote the advantage
of A winning the game GMi as Pr [SuccA,GMi ]. In the following, we describe each game.
• GM0 : This game allows A to execute the real attack against the proposed protocol. A
chooses a random bit f c at the beginning of GM0 . Then, we obtain the following in
accordance with this game.

Adv_A = |2Pr[Succ_{A,GM0}] − 1|    (1)


• GM1 : In this game, A runs the Execute(P_MU^t1, P_HGW^t2, P_SD^t3) query and eavesdrops
transmitted messages { PID MU , M1 , C1 , VMU }, { PID MU , M3 , C2 , VMUG }, { M4 , VSD },
and { M5 , VGSD }. Then, A executes Reveal and Test queries to validate whether the
derived session key is real or not. In our protocol, the session key is constructed
as SK = h(h( ID MU || RNMU )||h( IDG || RNG )||h( IDSD || RNSD )). To derive the session
key, A needs to know the identities and random nonces of MU, HGW, and SD.
Consequently, there are no instances in which A increases GM1 ’s winning probabil-
ity. Therefore, GM0 and GM1 turn out to be indistinguishable, and we can obtain
the following.
Pr[Succ_{A,GM1}] = Pr[Succ_{A,GM0}]    (2)
• GM2 : To obtain the session key, A performs Hash and Send queries in this game.
A can perform an active attack by modifying exchanged messages. However, all
exchanged messages are constructed with secret credentials and random nonces, and
protected using one-way hash function h(·). In addition, it is difficult for A to derive secret
credentials and random nonces because doing so is a computationally infeasible problem
according to the property of h(·). Hence, we can get the following result through the
use of birthday paradox [44].

|Pr[Succ_{A,GM2}] − Pr[Succ_{A,GM1}]| ≤ q_h^2 / (2|Hash|)    (3)

• GM3 : In the final game GM3 , A can try to get the session key with the CorruptMD
query. By the CorruptMD query, A can extract sensitive values { A1 , A2 , A3 , A4 }
stored in the mobile device of MU. Sensitive values are expressed as A1 = r MU ⊕ h( ID MU || PWMU ), A2 = h( ID MU || PWMU ||r MU || HPWMU ), A3 = RID MU ⊕ h( PID MU || HPWMU ), and A4 = K MUG ⊕ h( RID MU || HPWMU ). Since A has no knowledge of
ID MU and PWMU , A cannot derive secret values r MU and K MUG from the extracted
values. Besides, it is a computationally infeasible task for A to guess ID MU and
PWMU simultaneously. In conclusion, GM2 and GM3 are indistinguishable. By utiliz-
ing Zipf’s law, the following result can be obtained.

|Pr[Succ_{A,GM3}] − Pr[Succ_{A,GM2}]| ≤ C · q_send^s    (4)

As all games have been run, A must guess the bit for winning the game. Therefore,
we can obtain the following result.

Pr[Succ_{A,GM3}] = 1/2    (5)

From Equations (1) and (2), we obtain the result as follows.

(1/2) Adv_A = |Pr[Succ_{A,GM0}] − 1/2| = |Pr[Succ_{A,GM1}] − 1/2|.    (6)

With Equations (5) and (6), we derive the below equation.

(1/2) Adv_A = |Pr[Succ_{A,GM1}] − Pr[Succ_{A,GM3}]|.    (7)

By using the triangular inequality, we can have the following result with Equations (4),
(5), and (7).

(1/2) Adv_A = |Pr[Succ_{A,GM1}] − Pr[Succ_{A,GM3}]|
            ≤ |Pr[Succ_{A,GM1}] − Pr[Succ_{A,GM2}]| + |Pr[Succ_{A,GM2}] − Pr[Succ_{A,GM3}]|
            ≤ q_h^2 / (2|Hash|) + C · q_send^s    (8)

Finally, by multiplying both sides of Equation (8) by two, we can obtain the required
result.

Adv_A ≤ q_h^2 / |Hash| + 2{C · q_send^s}    (9)
Therefore, we prove Theorem 1.

7.4. AVISPA Tool


We utilized the AVISPA tool [7–9] to verify the security of our protocol against MITM
and replay attacks. The AVISPA tool uses a role-based language, High-Level Protocols
Specification Language (HLPSL), to specify actions of each protocol participant [45]. For
the security analysis, the HLPSL is entered and translated into the Intermediate Format (IF)
in the AVISPA tool. If the IF becomes the input of the back-end, the back-end outputs the
security analysis result as the Output Format (OF). The back-end of the AVISPA tool consists
of four components, including SAT-based Model-Checker (SATMC), Tree-Automata-based
Protocol Analyzer (TA4SP), On-the-Fly-Model-Checker (OFMC), and CL-based Attack
Searcher (CL-AtSe). If the OF is SAFE for the back-end, the proposed protocol prevents
MITM and replay attacks. We use OFMC and CL-AtSe for the proposed protocol, since
SATMC and TA4SP do not support XOR operations.

7.4.1. Specifications of the Proposed Protocol


We set up the session, environment, and security goals using the HLPSL language.
Details of these are shown in Figure 6. In session and environment, we specify instances of
each role and construct the whole protocol session. In addition, we state the security goals
of the proposed protocol. secrecy is used to check that secret values remain undisclosed,
and authentication is used to verify the validity of secret values between entities. Through
secrecy and authentication, we can confirm that the proposed protocol is resistant to MITM
and replay attacks.

Figure 6. Roles of session, environment, and security goals.

As shown in Figure 7, if the registration process is started at state 0, MU gener-


ates identity ID MU and password PWMU , and calculates PID MU at state 1. Then, MU
sends the registration request message { PID MU } to RA. After receiving secret values
{K MUG , RID MU } from RA, MU updates the state from 1 to 2. Then, MU stores secret
values encrypted with the ID MU and PWMU in the mobile device. Then, MU transmits
the authentication request message { PID MU , M1 , C1 , VMU } to HGW. Upon receiving the
message { M5 , VGSD } in state 2, MU updates the state from 2 to 3 and checks VGSD* = VGSD .
If the condition is met, MU authenticates HGW successfully. Then, MU computes M6 and
sends it to HGW. The roles of HGW, SD, and RA are similar to the roles of MU.

Figure 7. Roles of MU.

7.4.2. Result of AVISPA


We use OFMC and CL-AtSe for XOR operations to show the security analysis result.
The OFMC estimates that the proposed protocol withstands the MITM attack, and CL-AtSe
assesses our protocol is resistant to the replay attack. Figure 8 shows the OF of OFMC and
CL-AtSe back-ends for the proposed protocol. The output shows that the proposed protocol
is SAFE in OFMC and CL-AtSe back-ends. Thus, our protocol successfully satisfies the
specified security goals. In other words, our protocol withstands MITM and replay attacks.

Figure 8. Results of analysis using OFMC and CL-AtSe.

8. Performance and Security Analyses


This section shows the comparison results of the proposed protocol with similar proto-
cols [6,31,34,38], including computational and communication costs, and security properties.

8.1. Computational Costs


The computational costs are analyzed for our protocol and related existing
protocols [6,31,34,38]. For comparison, we refer to the work [46]. Tm , TR , Th , and Ts denote
the execution times of an ECC point multiplication (≈7.3529 ms), fuzzy extractor function
(≈7.3529 ms), a hash function (≈0.0004 ms), and symmetric key encryption/decryption
(≈0.1303 ms), respectively. Table 3 contains the result of the computational costs com-
parison. Although the proposed protocol has a slightly higher computational cost than
the low-security-risk path of Xiang and Zheng’s protocol [6], our protocol provides more
robust security. Moreover, the proposed protocol has a lower computational cost compared
with the other related protocols, except for the low-security-risk path of Xiang and Zheng’s
protocol [6].

Table 3. Computational costs comparison.

Protocol                                    Total Computational Costs
Shuai et al. [31]                           3Tm + 16Th           22.0651 ms
Wazid et al. [34]                           25Th + 1TR + 4Ts     7.8841 ms
Banerjee et al. [38]                        26Th + 1TR           7.3633 ms
Xiang and Zheng [6] (low-security risk)     11Th                 0.0044 ms
Xiang and Zheng [6] (high-security risk)    11Th + 4Ts           0.5256 ms
Ours                                        42Th                 0.0168 ms

8.2. Communication Costs


The communication cost of our protocol is compared to those costs of other related
protocols [6,31,34,38]. Referring to the paper [31], we define that an ECC point, symmetric
key encryption/decryption, hash function, random number, identity, and timestamp are
320, 256, 160, 160, 128, and 32 bits. We estimate the message header as Internet Protocol
version 4 (IPv4) packet header, 4 bits. In the authentication and key agreement phase of the
proposed protocol, exchanged messages { PID MU , M1 , C1 , VMU }, { PID MU , M3 , C2 , VMUG },
{ M4 , VSD }, { M5 , VGSD }, and M6 need 640, 640, 320, 320, and 160 bits, respectively. Conse-
quently, our protocol has 2080 bits as the total communication cost. In Table 4, we show
the results of the communication costs comparison. Although our protocol has a higher
communication cost than some of the existing protocols [6,31,38], it provides more efficient
computational costs and security.

Table 4. Communication costs comparison.

Protocol                                    Communication Costs                         Number of Messages
Shuai et al. [31]                           (960 + 320 + 320 + 320) = 1920 bits         4
Wazid et al. [34]                           (480 + 960 + 512 + 1408) = 3360 bits        4
Banerjee et al. [38]                        (448 + 320 + 320 + 320) = 1408 bits         4
Xiang and Zheng [6] (low-security risk)     (132 + 324 + 324) = 780 bits                3
Xiang and Zheng [6] (high-security risk)    (132 + 676 + 676) = 1484 bits               3
Ours                                        (640 + 640 + 320 + 320 + 160) = 2080 bits   5

8.3. Security Properties


In Table 5, we present security properties of the proposed protocol and those of models
by Shuai et al. [31], Wazid et al. [34], Banerjee et al. [38], and Xiang and Zheng [6]. In
contrast with the other protocols [6,31,34,38], our protocol prevents more attacks. Thus,
the proposed protocol meets more security requirements compared to related protocols.

Table 5. Security properties.

Security Properties [31] [34] [38] [6] Ours


Impersonation attack ◦ ◦ ◦ × ◦
Session key disclosure attack ◦ ◦ ◦ × ◦
Replay attack ◦ ◦ ◦ ◦ ◦
MITM attack ◦ ◦ ◦ ◦ ◦
Off-line guessing attack × ◦ ◦ ◦ ◦
Stolen smart device attack - - - × ◦
Privileged-insider attack ◦ ◦ ◦ × ◦
Known session-secret temporary information attack - - ◦ × ◦
Desynchronization attack ◦ × - × ◦
Perfect forward secrecy × × - × ◦
Mutual authentication ◦ ◦ ◦ × ◦
Anonymity ◦ × × × ◦
Untraceability ◦ ◦ × × ◦
◦: Secure. ×: Insecure. -: Not considered.

9. Conclusions

We proved that Xiang and Zheng’s protocol does not perform secure mutual authenti-
cation. We also discovered that their protocol is vulnerable to impersonation, stolen smart
device, and session key disclosure attacks. To deal with the security threats to Xiang and
Zheng’s protocol, we proposed a secure and lightweight authentication protocol for IoT-
based smart homes. We demonstrated that the proposed protocol is secure against various
attacks, including impersonation, replay, MITM, and session key disclosure attacks. We per-
formed a BAN logic analysis to show that our protocol ensures secure mutual authentication.
Furthermore, we demonstrated that the proposed protocol provides session key security
and resists replay and MITM attacks using the ROR model and the AVISPA tool. We
compared our protocol with related existing protocols in terms of security properties
and computational and communication costs. In conclusion, our protocol provides better
security at low computational cost. Considering all aspects of security and cost,
our protocol is suitable for practical IoT-based smart home environments. In the
future, we will develop a better protocol and implement it in an actual environment.

Author Contributions: Conceptualization, J.O.; formal analysis, J.L., S.S. and M.K.; investigation,
S.Y.; methodology, J.O.; software, S.Y. and J.L.; supervision, Y.P.; validation, S.S., M.K. and Y.P.;
writing—original draft, J.O.; writing—review and editing, S.Y., J.L., S.S., and Y.P. All authors have
read and agreed to the published version of the manuscript.
Funding: This research was supported in part by the Basic Science Research Program through the
National Research Foundation of Korea (NRF) funded by the Ministry of Education under grant
2020R1I1A3058605, and in part by the BK21 FOUR project funded by the Ministry of Education,
Korea under grant 4199990113966.
Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.
Conflicts of Interest: The authors declare no conflict of interest.

References
1. Shin, S.; Kwon, T. A lightweight three-factor authentication and key agreement scheme in wireless sensor networks for smart
homes. Sensors 2019, 19, 2012. [CrossRef] [PubMed]
2. Naoui, S.; Elhdhili, M.E.; Saidane, L.A. Lightweight and secure password based smart home authentication protocol: LSP-SHAP.
J. Netw. Syst. Manag. 2019, 27, 1020–1042. [CrossRef]
3. Baruah, B.; Dhal, S. A two-factor authentication scheme against FDM attack in IFTTT based smart home system. Comput. Secur.
2018, 77, 21–35. [CrossRef]
4. Kumar, P.; Gurtov, A.; Iinatti, J.; Ylianttila, M.; Sain, M. Lightweight and secure session-key establishment scheme in smart home
environments. IEEE Sens. J. 2015, 16, 254–264. [CrossRef]
5. Kumar, P.; Braeken, A.; Gurtov, A.; Iinatti, J.; Ha, P.H. Anonymous secure framework in connected smart home environments.
IEEE Trans. Inf. Forensics Secur. 2017, 12, 968–979. [CrossRef]
6. Xiang, A.; Zheng, J. A situation-aware scheme for efficient device authentication in smart grid-enabled home area networks.
Electronics 2020, 9, 989. [CrossRef]
7. AVISPA. Automated Validation of Internet Security Protocols and Applications. Available online: http://www.avispa-project.org/
(accessed on 10 November 2020).
8. SPAN: A Security Protocol Animator for AVISPA. Available online: http://www.avispa-project.org/ (accessed on 10 November
2020).
9. Mandal, S.; Bera, B.; Sutrala, A.K.; Das, A.K.; Choo, K.R.; Park, Y. Certificateless-signcryption-based three-factor user access
control scheme for IoT environment. IEEE Internet Things J. 2020, 7, 3184–3197. [CrossRef]
10. Burrows, M.; Abadi, M.; Needham, R.M. A logic of authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36. [CrossRef]
11. Abdalla, M.; Fouque, P.A.; Pointcheval, D. Password based authenticated key exchange in the three-party setting. In Public Key
Cryptography; Springer: Les Diablerets, Switzerland, 2005; pp. 65–84.
12. Dolev, D.; Yao, A. On the security of public key protocols. IEEE Trans. Inf. Theory 1983, 29, 198–208. [CrossRef]
13. Lee, J.; Yu, S.; Kim, M.; Park, Y.; Das, A.K. On the design of secure and efficient three-factor authentication protocol using honey
list for wireless sensor networks. IEEE Access 2020, 8, 107046–107062. [CrossRef]
14. Yu, S.; Lee, J.; Lee, K.; Park, K.; Park, Y. Secure authentication protocol for wireless sensor networks in vehicular communications.
Sensors 2018, 18, 3191. [CrossRef]
15. Canetti, R.; Krawczyk, H. Universally composable notions of key exchange and secure channels. In International Conference on the
Theory and Applications of Cryptographic Techniques (EUROCRYPT’02); Springer: Amsterdam, The Netherlands, 2002; pp. 337–351.
16. Wazid, M.; Bagga, P.; Das, A.K.; Shetty, S.; Rodrigues, J.J.P.C.; Park, Y. AKM-IoV: Authenticated key management protocol in fog
computing-based internet of vehicles deployment. IEEE Internet Things J. 2019, 6, 8804–8817. [CrossRef]
17. Yu, S.; Lee, J.; Park, Y.; Park, Y.; Lee, S.; Chung, B. A secure and efficient three-factor authentication protocol in global mobility
networks. Appl. Sci. 2020, 10, 3565. [CrossRef]
18. Roy, S.; Chatterjee, S.; Das, A.K.; Chattopadhyay, S.; Kumar, N.; Vasilakos, A.V. On the design of provably secure lightweight
remote user authentication scheme for mobile cloud computing services. IEEE Access 2017, 5, 25808–25825. [CrossRef]
19. Park, K.; Park, Y.; Park, Y.; Das, A.K. 2PAKEP: Provably secure and efficient two-party authenticated key exchange protocol for
mobile environment. IEEE Access 2018, 6, 30225–30241. [CrossRef]
20. Chaudhry, S.A.; Alhakami, H.; Baz, A.; Al-Turjman, F. Securing demand response management: A certificate-based access control
in smart grid edge computing infrastructure. IEEE Access 2020, 8, 101235–101243. [CrossRef]
21. Park, K.; Noh, S.; Lee, H.; Das, A.K.; Kim, M.; Park, Y.; Wazid, M. LAKS-NVT: Provably secure and lightweight authentication
and key agreement scheme without verification table in medical internet of things. IEEE Access 2020, 8, 119387–119404. [CrossRef]
22. Ul Haq, I.; Wang, J.; Zhu, Y. Secure two-factor lightweight authentication protocol using self-certified public key cryptography for
multi-server 5G networks. J. Netw. Comput. Appl. 2020, 161, 102660. [CrossRef]
23. Amin, R.; Islam, S.H.; Biswas, G.P.; Khan, M.K.; Kumar, N. A robust and anonymous patient monitoring system using wireless
medical sensor networks. Future Gener. Comput. Syst. 2018, 80, 483–495. [CrossRef]
24. Chandrakar, P.; Om, H. A secure and robust anonymous three-factor remote user authentication scheme for multi-server
environment using ECC. Comput. Commun. 2017, 110, 26–34. [CrossRef]
25. Santoso, F.K.; Vun, N.C.H. Securing IoT for smart home system. In Proceedings of the 2015 International Symposium on
Consumer Electronics (ISCE), Madrid, Spain, 24–26 June 2015; pp. 1–2.
26. Fakroon, M.; Alshahrani, M.; Gebali, F.; Traore, I. Secure remote anonymous user authentication scheme for smart home
environment. Internet Things 2020, 9, 100158. [CrossRef]
27. Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Rodrigues, J.J.P.C.; Park, Y. Physically secure lightweight anonymous user
authentication protocol for internet of things using physically unclonable functions. IEEE Access 2019, 7, 85627–85644. [CrossRef]
28. Dey, S.; Hossain, A. Session-key establishment and authentication in a smart home network using public key cryptography.
IEEE Sens. Lett. 2019, 3, 7500204. [CrossRef]
29. Gaba, G.S.; Kumar, G.; Monga, H.; Kim, T.; Kumar, P. Robust and lightweight mutual authentication scheme in distributed smart
environments. IEEE Access 2020, 8, 69722–69733. [CrossRef]
30. Kumar, P.; Chouhan, L. A privacy and session key based authentication scheme for medical IoT networks. Comput. Commun.
2021, 166, 154–164. [CrossRef]
31. Shuai, M.; Yu, N.; Wang, H.; Xiong, L. Anonymous authentication scheme for smart home environment with provable security.
Comput. Secur. 2019, 86, 132–146. [CrossRef]
32. Vaidya, B.; Park, J.H.; Yeo, S.S.; Rodrigues, J.J. Robust one-time password authentication scheme using smart card for home
network environment. Comput. Commun. 2011, 34, 326–336. [CrossRef]
33. Kim, H.J.; Kim, H.S. AUTH HOTP-HOTP based authentication scheme over home network environment. In International
Conference on Computational Science and Its Applications; Springer: Berlin/Heidelberg, Germany, 2011; pp. 622–637.
34. Wazid, M.; Das, A.K.; Odelu, V.; Kumar, N.; Susilo, W. Secure remote user authenticated key establishment protocol for smart
home environment. IEEE Trans. Dependable Secur. Comput. 2017, 17, 391–406. [CrossRef]
35. Lyu, Q.; Zheng, N.; Liu, H.; Gao, C.; Chen, S.; Liu, J. Remotely access “my” smart home in private: An anti-tracking authentication
and key agreement scheme. IEEE Access 2019, 7, 41835–41851. [CrossRef]
36. Poh, G.S.; Gope, P.; Ning, J. Privhome: Privacy-preserving authenticated communication in smart home environment. IEEE Trans.
Dependable Secur. Comput. 2019. [CrossRef]
37. Irshad, A.; Usman, M.; Chaudhry, S.A.; Bashir, A.K.; Jolfaei, A.; Srivastava, G. Fuzzy-in-the-loop-driven low-cost and secure
biometric user access to server. IEEE Trans. Reliab. 2020. [CrossRef]
38. Banerjee, S.; Odelu, V.; Das, A.K.; Chattopadhyay, S.; Park, Y. An efficient, anonymous and robust authentication scheme for
smart home environments. Sensors 2020, 20, 1215. [CrossRef] [PubMed]
39. Al-Turjman, F.; Deebak, D.B. Seamless authentication: For IoT-big data technologies in smart industrial application systems.
IEEE Trans. Ind. Inf. 2020. [CrossRef]
40. Lee, J.; Yu, S.; Park, K.; Park, Y.; Park, Y. Secure three-factor authentication protocol for multi-gateway IoT environments. Sensors
2019, 19, 2358. [CrossRef]
41. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensics Secur. 2017, 12, 2776–2791.
[CrossRef]
42. Park, K.; Park, Y.; Das, A.K.; Yu, S.; Lee, J.; Park, Y. A dynamic privacy-preserving key management protocol for V2G in social
internet of things. IEEE Access 2019, 7, 76812–76832. [CrossRef]
43. Yu, S.; Lee, J.; Park, K.; Das, A.K.; Park, Y. IoV-SMAP: Secure and efficient message authentication protocol for IoV in smart city
environment. IEEE Access 2020, 8, 167875–167886. [CrossRef]
44. Boyko, V.; MacKenzie, P.; Patel, S. Provably secure password-authenticated key exchange using Diffie-Hellman. In Proceedings of
the International Conference on the Theory and Applications of Cryptographic Techniques, Bruges, Belgium, 14–18 May 2000;
pp. 156–171.
45. Vigano, L. Automated security protocol analysis with the AVISPA tool. Electron. Notes Theor. Comput. Sci. 2006, 155, 61–86.
[CrossRef]
46. Mo, J.; Chen, H. A lightweight secure user authentication and key agreement protocol for wireless sensor networks. Secur. Commun.
Netw. 2019, 2019, 2136506. [CrossRef]