Abstract
Due to the myriad applications of the Internet of Things (IoT) in various sectors like healthcare, military, industry, safety, etc., there is also a need to secure these systems efficiently. The devices in such networks need to provide services to users in a secure manner. User authentication is a mechanism through which we can provide secure communication between IoT devices. Recently Banerjee et al. outlined a lightweight anonymous user authenticated session key exchange scheme for Internet of Things deployment, which uses three-factor authentication of a user such as smart card, password and biometric. In this paper, we cryptanalyze their scheme and find that it is not secure against smart card loss attack and stolen verifier attack. Then we have proposed an improved scheme to overcome the weaknesses of their scheme. We present the formal security analysis of our scheme using the random oracle model and informal security analysis to show that our scheme is secure against many known attacks. Its formal security verification is carried out using ProVerif tool. Its performance analysis is carried out with the related schemes which shows that our scheme is more secure than other schemes. Also, our scheme does not contain any storage table at the gateway side for authentication.
Similar content being viewed by others
References
Adavoudi-Jolfaei A, Ashouri-Talouki M, Aghili SF (2019) Lightweight and anonymous three-factor authentication and access control scheme for real-time applications in wireless sensor networks. Peer-to-Peer Netw Appl 12(1):43–59
Akram MA, Mahmood K, Kumari S, Xiong H (2020) Comments on toward secure and provable authentication for internet of things: realizing industry 4.0. IEEE Internet Things J 7(5):4676–4681
Amin R, Biswas G (2016) A secure light weight scheme for user authentication and key agreement in multi-gateway based wireless sensor networks. Ad Hoc Netw 36:58–80
Amin R, Kumar N, Biswas G, Iqbal R, Chang V (2018) A light weight authentication protocol for iot-enabled devices in distributed cloud computing environment. Fut Gener Comput Syst 78:1005–1019
Banerjee S, Odelu V, Das AK, Chattopadhyay S, Rodrigues JJ, Park Y (2019a) Physically secure lightweight anonymous user authentication protocol for internet of things using physically unclonable functions. IEEE Access 7:85,627–85,644
Banerjee S, Odelu V, Das AK, Srinivas J, Kumar N, Chattopadhyay S, Choo KKR (2019b) A provably secure and lightweight anonymous user authenticated session key exchange scheme for internet of things deployment. IEEE Internet Things J 6(5):8739–8752
Bhargav-Spantzel A, Squicciarini AC, Modi S, Young M, Bertino E, Elliott SJ (2007) Privacy preserving multi-factor authentication with biometrics. J Comput Secur 15(5):529–560
Blanchet B (2013) Automatic verification of security protocols in the symbolic model: the verifier proverif. Foundations of security analysis and design VII. Springer, Berlin, pp 54–87
Blanchet B et al (2016) Modeling and verifying security protocols with the applied pi calculus and proverif. Found Trends Priv Secur 1(1–2):1–135
Canetti R, Krawczyk H (2002) Universally composable notions of key exchange and secure channels. International conference on the theory and applications of cryptographic techniques. Springer, pp 337–351
Challa S, Wazid M, Das AK, Kumar N, Reddy AG, Yoon EJ, Yoo KY (2017) Secure signature-based authenticated key establishment scheme for future iot applications. IEEE Access 5:3028–3043
Challa S, Das AK, Gope P, Kumar N, Wu F, Vasilakos AV (2018) Design and analysis of authenticated key agreement scheme in cloud-assisted cyber-physical systems. Fut Gener Comput Syst 108:1267–1286
Chang CC, Le HD (2015) A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans Wirel Commun 15(1):357–366
Cheval V, Blanchet B (2013) Proving more observational equivalences with proverif. In: International conference on principles of security and trust, Springer, pp 226–246
Chuang YH, Tseng YM (2010) An efficient dynamic group key agreement protocol for imbalanced wireless networks. Int J Netw Manag 20(4):167–180
Das ML (2009) Two-factor user authentication in wireless sensor networks. IEEE Trans Wirel Commun 8(3):1086–1090
Das AK (2017) A secure and effective biometric-based user authentication scheme for wireless sensor networks using smart card and fuzzy extractor. Int J Commun Syst 30(1):e2933
Das AK, Kumari S, Odelu V, Li X, Wu F, Huang X (2016) Provably secure user authentication and key agreement scheme for wireless sensor networks. Secur Commun Netw 9(16):3670–3687
Dhillon PK, Kalra S (2017) Secure multi-factor remote user authentication scheme for internet of things environments. Int J Commun Syst 30(16):e3323
Dodis Y, Reyzin L, Smith A (2004) Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. In: International conference on the theory and applications of cryptographic techniques, Springer, pp 523–540
Dolev D, Yao A (1983) On the security of public key protocols. IEEE Trans Inf Theory 29(2):198–208
Fan CI, Lin YH (2009) Provably secure remote truly three-factor authentication scheme with privacy protection on biometrics. IEEE Trans Inf Forensics Secur 4(4):933–945
Frankel S, Glenn R, Kelly S (2003) The aes-cbc cipher algorithm and its use with ipsec
Gope P, Das AK, Kumar N, Cheng Y (2019) Lightweight and physically secure anonymous mutual authentication protocol for real-time data access in industrial wireless sensor networks. IEEE Trans Ind Inf 15(9):4957–4968
He D, Gao Y, Chan S, Chen C, Bu J (2010) An enhanced two-factor user authentication scheme in wireless sensor networks. Ad Hoc Sens Wirel Netw 10(4):361–371
He D, Kumar N, Chen J, Lee CC, Chilamkurti N, Yeo SS (2015a) Robust anonymous authentication protocol for health-care applications using wireless medical sensor networks. Multimed Syst 21(1):49–60
He D, Kumar N, Chilamkurti N (2015b) A secure temporal-credential-based mutual authentication and key agreement scheme with pseudo identity for wireless sensor networks. Inf Sci 321:263–277
Huang HF, Chang YF, Liu CH (2010) Enhancement of two-factor user authentication in wireless sensor networks. In: 2010 Sixth international conference on intelligent information hiding and multimedia signal processing, IEEE, pp 27–30
Kaur D, Kumar D, Saini KK, Grover HS (2019) An improved user authentication protocol for wireless sensor networks. Trans Emerg Telecommun Technol 30(10):e3745
Ko LC (2008) A novel dynamic user authentication scheme for wireless sensor networks. In: 2008 IEEE international symposium on wireless communication systems, IEEE, pp 608–612
Kocher P, Jaffe J, Jun B (1999) Differential power analysis. In: Annual international cryptology conference, Springer, pp 388–397
Kumar P, Lee SG, Lee HJ (2012) E-sap: efficient-strong authentication protocol for healthcare applications using wireless medical sensor networks. Sensors 12(2):1625–1647
Kumar D, Chand S, Kumar B (2019a) Cryptanalysis and improvement of an authentication protocol for wireless sensor networks applications like safety monitoring in coal mines. J Ambient Intell Hum Comput 10(2):641–660
Kumar D, Grover HS et al (2019b) A secure authentication protocol for wearable devices environment using ecc. J Inf Secur Appl 47:8–15
Li CT, Weng CY, Lee CC (2013) An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks. Sensors 13(8):9589–9603
Li X, Niu J, Kumari S, Liao J, Liang W, Khan MK (2016) A new authentication protocol for healthcare applications using wireless medical sensor networks with user anonymity. Secur Commun Netw 9(15):2643–2655
Li W, Li B, Zhao Y, Wang P Wei F (2018) Cryptanalysis and security enhancement of three authentication schemes in wireless sensor networks. Wirel Commun Mob Comput
Messerges TS, Dabbish EA, Sloan RH (2002) Examining smart-card security under the threat of power analysis attacks. IEEE Trans Comput 51(5):541–552
Odelu V, Das AK, Goswami A (2014) A secure effective key management scheme for dynamic access control in a large leaf class hierarchy. Inf Sci 269:270–285
Odelu V, Das AK, Goswami A (2015) An efficient biometric-based privacy-preserving three-party authentication with key agreement protocol using smart cards. Secur Commun Netw 8(18):4136–4156
Porambage P, Schmitt C, Kumar P, Gurtov A, Ylianttila M (2014) Two-phase authentication protocol for wireless sensor networks in distributed iot applications. In: 2014 IEEE Wireless communications and networking conference (WCNC), IEEE, pp 2728–2733
Ryu J, Lee Y, Won D (2020) Cryptoanalysis of lightweight and anonymous three-factor authentication and access control protocol for real-time applications in wireless sensor networks. In: Computational science and technology, Springer, pp 341–349
Stevens M, Bursztein E, Karpman P, Albertini A, Markov Y (2017) The first collision for full sha-1. In: Annual international cryptology conference, Springer, pp 570–596
Tseng HR, Jan RH, Yang W (2007) An improved dynamic user authentication scheme for wireless sensor networks. In: IEEE GLOBECOM 2007-IEEE global telecommunications conference, IEEE, pp 986–990
Turkanović M, Brumen B, Hölbl M (2014) A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion. Ad Hoc Netw 20:96–112
Vaidya B, Rodrigues JJ, Park JH (2010) User authentication schemes with pseudonymity for ubiquitous sensor network in ngn. Int J Commun Syst 23(9–10):1201–1222
Wang D, Wang P (2016) Two birds with one stone: two-factor authentication with security beyond conventional bound. IEEE Trans Dependable Secur Comput 15(4):708–722
Wazid M, Das AK, Odelu V, Kumar N, Conti M, Jo M (2017) Design of secure user authenticated key management protocol for generic iot networks. IEEE Internet Things J 5(1):269–282
Wazid M, Das AK, Bhat V, Vasilakos AV (2020) Lam-ciot: lightweight authentication mechanism in cloud-based iot environment. J Netw Comput Appl 150(102):496
Wong KH, Zheng Y, Cao J, Wang S (2006) A dynamic user authentication scheme for wireless sensor networks. In: IEEE international conference on sensor networks, ubiquitous, and trustworthy computing (SUTC’06), IEEE, vol 1, pp 8–pp
Wu S, Chen K (2012) An efficient key-management scheme for hierarchical access control in e-medicine system. J Med Syst 36(4):2325–2337
Wu F, Xu L, Kumari S, Li X (2015) A novel and provably secure biometrics-based three-factor remote authentication scheme for mobile client-server networks. Comput Electr Eng 45:274–285
Xie Q, Tang Z, Chen K (2017) Cryptanalysis and improvement on anonymous three-factor authentication scheme for mobile networks. Comput Electr Eng 59:218–230
Xue K, Ma C, Hong P, Ding R (2013) A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks. J Netw Comput Appl 36(1):316–323
Yeh HL, Chen TH, Hu KJ, Shih WK (2013) Robust elliptic curve cryptography-based three factor user authentication providing privacy of biometric data. IET Inf Secur 7(3):247–252
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Kumar, D., Jain, S., Khan, A. et al. An improved lightweight anonymous user authenticated session key exchange scheme for Internet of Things. J Ambient Intell Human Comput 14, 5067–5083 (2023). https://doi.org/10.1007/s12652-020-02532-8
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12652-020-02532-8