1. Introduction

The Industrial Internet of Things (IIoT) is an emerging technology rapidly changing manufacturing and industrial terrain. IIoT leads to intermixing sensors, software, and other technologies into industrial processes to optimize and automate them [1,2,3]. With IIoT, devices and equipment are connected to the Internet, enabling them to intercommunicate real-time data and insights. This connectivity facilitates factories to monitor and examine their production processes, determine inefficiencies, and make data-driven decisions to improve their operations. The advantages of IIoT are myriad. IIoT can enable manufacturers to diminish expenses and enhance productivity by enhancing operational efficiency. In addition, IIoT also improves product quality, reducing downtime and enhancing worker safety [4,5,6].

With the integration of various devices, sensors, and systems, the Industrial Internet of Things (IIoT) presents numerous potential attack vectors that malicious actors can exploit. Among the primary concerns is the security of data. The vast amount of data generated by IIoT systems needs to be collected, processed, and stored securely. Unauthorized access to this data can have severe consequences, leading to significant economic and reputational damage. To mitigate these risks, robust security measures, including encryption and authentication, must be implemented in IIoT environments. In this paper, we propose an authentication and key agreement (AKA) scheme called “reliable device-access framework for the Industrial IoT (RDAF-IIoT)” to enable secure access to real-time information from devices deployed in IIoT environments. The proposed RDAF-IIoT scheme prioritizes computational efficiency by leveraging hash functions and symmetric encryption instead of computationally expensive operations.

2. Related Work

Within the existing literature, numerous AKA schemes or frameworks have been suggested to ensure secure access to real-time data for users. In this context, the authors of [7] introduced an AKA security framework for wireless sensor networks (WSNs) utilizing a hash function and XOR operation. Furthermore, they identified vulnerabilities in the scheme proposed by [8], including insider attacks, random parameters leakage (RPL), and perfect forward secrecy attacks. Another AKA framework for WSNs was proposed by the authors of [9], incorporating elliptic curve cryptography (ECC), hash function, and XOR. However, this framework is susceptible to man-in-the-middle (MITM), insider attacks, stolen smart card attacks, and RPL attacks. The authentication framework presented in [10] exhibits weaknesses against RPL, stolen smart cards, and password-guessing attacks. In the realm of IoT-enabled software-defined networks, an authentication framework using the symmetric encryption algorithm AES and ECC is proposed in [3]. The security of this scheme is validated using the random oracle model (ROM) and Scyther. Additionally, a user AKA scheme for WSNs based on symmetric encryption and ECC is devised in [11], with its security verified through ROM and AVISPA. However, the AKA scheme put forth in [11] can be compromised by malicious but valid users of the system. For the Internet of drones, a user authentication framework is provided in [12], designed using ECC and authenticated encryption. The security of this framework is demonstrated through Scyther and ROM. Similarly, an authenticated encryption and hash function-based AKA scheme is proposed in [2,13] for smart home and IIoT environments, with its security verified using ROM and Scyther. Lastly, an AKA scheme based on hyper-ECC is proposed in [14] for the Internet of drones environment.

In [15], a robust authentication scheme for WSNs based on temporal credentials is proposed. However, the AKA scheme presented in [16], which utilizes ECC and a hash function, exhibits weaknesses against denial-of-service (DoS), key compromise, and impersonation attacks. Similarly, ref. [17] introduces a multifactor AKA scheme employing AES and a hash function. Nevertheless, this scheme is vulnerable to DoS, replay, and de-synchronization attacks. In [18], a three-party AKA framework is proposed, but it lacks adequate user anonymity protection and does not offer an efficient method for password change. An anonymous AKA scheme constructed using the chaotic map and hash function is presented in [19], with its security validated using the Burrows–Abadi–Needham (BAN) logic model. However, vulnerabilities exist in an AKA scheme utilizing ECC and a hash function for the cloud-enabled IoT environment, as noted in [20]. The scheme involves four participants during the AKA phase and undergoes security validation using BAN logic and AVISPA. Furthermore, [12] proposes an AKA scheme based on AEAD and a hash function, and its security is demonstrated through ROM and Scyther. Lastly, an AKA scheme utilizing a hash function is presented in [21], which is susceptible to various security attacks, as highlighted in [20].

A secure AKA scheme based on ECC and a secure hash function is introduced in [22] for the IoT environment. The scheme’s security is validated using Scyther. However, the security framework proposed in [23], which utilizes ECC and a secure hash function, is vulnerable to stolen smart card attacks. Additionally, the security framework proposed in [24] fails to prevent DoS attacks, while the scheme presented in [25] is weak against DoS attacks as well. In the context of the IIoT environment, an AKA security framework is proposed in [17], but it is unable to withstand various security attacks. The scheme in [17] is constructed using symmetric encryption and a hash function. Various security frameworks are summarized in Table 1.

2.1. Research Contributions

The main contributions of the paper are listed as follows.

• In this article, an AKA framework is proposed called RDAF-IIoT, which is constructed using “Advanced Encryption Standard in Cipher Block Chaining mode (AES-CBC)” and hash function. RDAF-IIoT enables users to achieve authentication with a gateway. In addition, RDAF-IIoT enables users and sensing devices to communicate securely after establishing a secure channel (session key) with the assistance of a gateway. RDAF-IIoT is a three-factor AKA security framework, which also enables the users to change the password without involving the gateway.

• The proposed RDAF-IIoT is corroborated informally to validate its resiliency against various security attacks, such as DoS, MITM, impersonation, and replay attacks. The security of the session key is corroborated using well known random oracle model. In addition, RDAF-IIoT is implemented using Scyther, and the analysis of Scyther shows that the RDAF-IIoT is secure.

• To evaluate the performance of the proposed RDAF-IIoT, RDAF-IIoT is compared with the state-of-the-art security frameworks, such as Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] regarding communication and computational costs. The proposed RDAF-IIoT requires [74.73% to 78.63%] low computational and [30.38% to 51.91%] low communication costs while rendering enhanced security functions than the related security frameworks.

2.2. Paper Organization

The remaining paper is organized as follows. Section 3 explicates the models, such as authentication and attack, used in the construction of the RDAF-IIoT. Section 4 provides the explanation of RDAF-IIoT. In Section 5, the informal, ROM, and Scyther-based security analyses are presented. Performance comparison is presented in Section 6. Concluding remarks are explicated in Section 7.

3. System Models

3.1. Authentication Model

The authentication model comprises the following components. Figure 1 shows the authentication model employed for the proposed RDAF-IIoT.

Gateway: $\left(G{W}_y\right|y=1,2,3,\cdots N)$: The registration authority (RA) is liable for registering gateway nodes ($G{W}_y$), and $G{W}_y$ equips Internet functionality to the IIoT-enabled devices stationed in the IIoT circumstances. In addition, $G{W}_y$ keeps the private credentials associated with the users and sensing devices. The $G{W}_y$ can connect the users through cellular and other internet connectivity.

Smart Sensing Node: ($S{N}_z|z=1,2,3,\cdots ,N$): All $S{N}_z$ are equipped with sensing, storage, and processing modules; however, these resources are constricted. In addition, $S{N}_z$ are the resource-constricted devices employed to sense the surrounding IIoT environment. $S{N}_z$ can communicate with $G{W}_y$ using wireless communication protocols, such as WiFi/6LoWPAN/Zigbee communication protocols. Using these wireless channels, $S{N}_z$ sends the collected information to $G{W}_y$.

User: $\left(U_x\right|x=1,2,3,\cdots ,N)$: $U_x$ has the smart devices ($SM{D}_{U_x}$), fitted with the biometric sensor. $U_x$ can intercommunicate with $S{N}_z$ through $G{W}_y$ and with $G{W}_y$ using cellular communication technology or wired network. $U_x$ mandates obtaining the real-time data from $S{N}_z$ stationed in the IIoT environment. Thus, a secure channel establishment scheme is proposed for the IIoT environment to prevent authorized information access in this paper. Table 2 demonstrates the various symbols employed in this paper.

3.2. Attack Model

The “Dolev–Yao (DY) model” [14,44,45] is repeatedly employed to investigate the security of AKA schemes. According to DY Model, the attacker can effectuate the MITM and impersonation attacks by capturing and modifying all the communication in the AKA schemes. An attacker can obtain a valid user’s identity for the traceability attack. In addition, in the registration procedure, the RA and other participants interact with each other via a secure channel. However, $U_x$, $G{W}_y$, and $S{N}_z$ communicate using the insecure channel while executing AKA process. The “Canetti–Krawczyk (CK) model”, which constructs additional noteworthy speculation than the DY model, is also contemplated. A malicious adversary can procure secure data incorporating the master key, session private credentials, and private key, employing the CK model.

4. The Proposed RDAF-IIoT Framework

The RDAF-IIoT comprises the registration of sensing device, user, and AKA phases. All the phases are explicated in detail in the following subsections.

4.1. Registration of Sensing Device

In this phase, the registration of the sensing device is performed. RA is responsible for the registration of the sensing device by executing the following procedure.

4.1.1. Step RDS-1

The RA selects a unique identity $TI{D}_{G{W}_y}$ and long-term secret key $K_{G{W}_y}$ for the gateway.

4.1.2. Step RDS-2

The RA selects the unique identity $TI{D}_{SN}$ for the sensor device and computes the secret key for the sensing device as $SKN=H(TI{D}_{SN}\Vert K_{G{W}_y}\Vert TI{D}_{G{W}_y})$. Finally, RA stores the parameters {$TI{D}_{SN}$, $SKN$} in the memory of the sensing device.

4.2. Registration User

In this phase, RA registers a user before allowing him/her to access the resource of the IIoT environment. For the registration of the user, RA executes the following steps.

4.2.1. Step RU-1

The user $U_x$ generates as random number $R_r$, unique identity $I{D}_{U_x}$, and password $P{W}_{U_x}$. In addition, $U_x$ has a smart device $SM{D}_{U_x}$ capable of sensing the biometric information $Bi{o}_{U_x}^{}$ of $U_x$. After sensing $Bi{o}_{U_x}^{}$, $SM{D}_{U_x}$ computes

(1)$\begin{array}{c}({\gamma }_1^{},hld)=Gen\left(Bi{o}_{U_x}^{}\right),\end{array}$

(2)$\begin{array}{c}K{e}_1^{}=H({\gamma }_1^{}\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$

(3)$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$

(4)$\begin{array}{c}(C{t}_1^{},C{t}_2^{},C{t}_3^{})=E_{K{e}_1^{}}\{I{V}_1,P_1^{},P_2^{},P_3^{}\},\end{array}$

(5)$\begin{array}{c}V{P}_1^{}=H(C{t}_1^{}\Vert C{t}_2^{}\Vert C{t}_3^{}\Vert {\gamma }_1^{}).\end{array}$

In Equation (1), the biometric key ${\gamma }_1^{}$ and helper data $hld$ is computed by taking $Bi{o}_{U_x}^{}$ as the input parameter. The encryption key $K{e}_1^{}$ is computed in (2). In addition, $C{t}_1^{}$, $C{t}_2^{}$, and $C{t}_3^{}$ are computed by taking the $P_1^{}=I{D}_{U_x}$, $P_2^{}=P{W}_{U_x}$, and $P_3^{}={\gamma }_1^{}$ as the input parameters. Finally, $SM{D}_{U_x}$ derives the verification parameter $V{P}_1^{}$ in (5).

4.2.2. Step RU-2

Moreover, $SM{D}_{U_x}$ selects a unique pseudo identity $TI{D}_x$ and sends the credentials {$TI{D}_x$, $C{t}_3^{}$} to $G{W}_y$ using the secure channel. $G{W}_y$ stores the parameters {$TI{D}_x$, $C{t}_3^{}$} in its own database. In response, $G{W}_y$ sends the parameters, such as the list of the devices $TI{D}_{SN}$ and $TI{D}_{G{W}_y}$, to $SM{D}_{U_x}$ using a secure channel.

4.2.3. Step RU-3

$SM{D}_{U_x}$, on receiving these parameters computes,

(6)$\begin{array}{c}{Z}_1=(TI{D}_{S{N}_z}\Vert C{t}_3)\oplus H(C{t}_2^{}\oplus C{t}_3^{})),\end{array}$

(7)$\begin{array}{c}{Z}_2=(TI{D}_x\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^{}\oplus C{t}_3^{})).\end{array}$

By performing the XOR operation between $(TI{D}_{S{N}_z}\Vert C{t}_3)$ and $H(C{t}_2^{}\oplus C{t}_3^{})$, the variable $Z_1$ is obtained. Similarly, $Z_2$ is obtained by performing XOR between $(TI{D}_x\Vert TI{D}_{G{W}_y})$ and $H(C{t}_2^{}\oplus C{t}_3^{})$. Subsequently, $SM{D}_{U_x}$ stores the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} in its own database.

4.3. Authenticated Key Agreement Phase

In this phase, the user $U_x$ and sensor node $S{N}_z$ establish a session key during the execution of AKA phase. For this purpose, the following steps are executed in AKA phase.

4.3.1. Step AKA-1

$U_x$ inserts its secret credentials, such as the identity $I{D}_{U_x}$ and $P{W}_{U_x}$ at the available interface of the smart device of the user $SM{D}_{U_x}$. In addition, $U_x$ imprints the biometric impression $Bi{o}_{U_x}^l$ on the biometric sensor deployed at $SM{D}_{U_x}$ and computes

(8)$\begin{array}{c}\left({\gamma }_1^l\right)=Rep(Bi{o}_{U_x}^l,hld),\end{array}$

(9)$\begin{array}{c}K{e}_1^l=H({\gamma }_1^l\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$

(10)$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$

(11)$\begin{array}{c}(C{t}_1^l,C{t}_2^l,C{t}_3^l)=E_{K{e}_1^l}\{I{V}_1,P_1^l,P_2^l,P_3^l\},\end{array}$

(12)$\begin{array}{c}V{P}_1^l=H(C{t}_1^l\Vert C{t}_2^l\Vert C{t}_3^l\Vert {\gamma }_1^l),\end{array}$

(13)$\begin{array}{c}V{P}_1^l\stackrel{?}{=}V{P}_1,\end{array}$

(14)$\begin{array}{c}(TI{D}_{S{N}_z}\Vert C{t}_3)=(Z_1\oplus H(C{t}_2^l\oplus C{t}_3^l)),\end{array}$

(15)$\begin{array}{c}(TI{D}_x\Vert TI{D}_{G{W}_y})=(Z_2\oplus H(C{t}_2^l\oplus C{t}_3^l)).\end{array}$

Equation (8) computes the biometric key using the input parameters $Bi{o}_{U_x}^l$ and $hld$, while Equation (9) calculates the encryption key for achieving encryption. Additionally, the initialization vector is determined in Equation (10). By following the encryption process outlined in Equation (11), the credentials, namely $C{t}_1^l$, $C{t}_2^l$, and $C{t}^{l}3$, can be obtained using $P_1^l=I{D}_{U_x}$, $P_2^l=P{W}_{U_x}$, and $P_3^l={\gamma }_1^l$ as the input parameters. To authenticate the user’s secret credentials locally, the verification parameter is computed in Equation (12) and validated in Equation (13). If the condition in Equation (13) is satisfied, $SMD{U}_x$/$U_x$ derives the parameters from $TI{D}_x$, $TI{D}_{G{W}_y}$, $TI{D}_{S{N}_z}$, and $C{t}_3$ as indicated in Equations (14) and (15).

$SD{U}_x/U_x$ picks randomly $R_1$ and timestamps $Tm{e}_1$, and computes

(16)$\begin{array}{c}I{V}_2=H(Tm{e}_1\Vert TI{D}_{G{W}_y}\Vert TI{D}_x),\end{array}$

(17)$\begin{array}{c}(C{t}_a^{},C{t}_b^{})=E_{C{t}_3^{}}\{I{V}_2,TI{D}_{S{N}_j},R_1\},\end{array}$

(18)$\begin{array}{c}V{P}_2^{}=H(TI{D}_{S{N}_j}\Vert R_1\Vert C{t}_3^{}\Vert C{t}_a^{}\Vert C{t}_b^{}),\end{array}$

Equation (16) calculates the initialization vector, which plays a role in the encryption process. The encryption process itself is executed in Equation (17), utilizing the symmetric key $C{t}_3$. Furthermore, Equation (18) computes the verification parameter, which is employed to ensure data integrity. Lastly, $SD{U}_x/U_x$ constructs the message $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$ and transmits it to $G{W}_y$ through the open communication channel.

4.3.2. Step AKA-2

$G{W}_y$ validates the timeliness of the received message $ME{G}_1$ by checking the condition $Tm{e}_d\ge |Tm{e}_1-Tm{e}_r|$, where $Tm{e}_d$ represents the delay time, $Tm{e}_1$ is the generation time, and $Tm{e}_r$ is the received time of the message. If the message passes the validity check, $G{W}_y$ proceeds to verify $TI{D}_x\stackrel{?}{=}TI{D}_x^c$ and $TI{D}_x\stackrel{?}{=}TI{D}_i^{old}$. If there is no match found, $G{W}_y$ terminates the AKA process. Otherwise, it retrieves the parameter $C{t}_3^{}$ and performs further computations.

(19)$\begin{array}{c}I{V}_3=H(Tm{e}_1\Vert TI{D}_{G{W}_y}\Vert TI{D}_x),\end{array}$

(20)$\begin{array}{c}(TI{D}_{S{N}_z},R_1)=D_{C{t}_3^{}}\{I{V}_3,C{t}_4^{},C{t}_5^{}\},\end{array}$

(21)$\begin{array}{c}V{P}_3^{}=H(TI{D}_{S{N}_z}\Vert R_1\Vert C{t}_3^{}\Vert C{t}_a^{}\Vert C{t}_b^{}),\end{array}$

(22)$\begin{array}{c}V{P}_3^{}\stackrel{?}{=}V{P}_2^{}.\end{array}$

The initialization vector is computed in (19), which is used in the decryption process. In addition, from the decryption process, $G{W}_y$ obtains the plaintext $TI{D}_{S{N}_z}$ and $R_1$ and computes the verification parameter in (21). Finally, to ensure the integrity of the received message, $G{W}_y$ corroborates the condition in (22). If the condition does not hold, $G{W}_y$ stops the AKA process.

4.3.3. Step AKA-3

$G{W}_y$ generates $Tm{e}_2,R_2$, and pick new $TI{D}_x^{new}$ and computes

(23)$\begin{array}{c}{Z}_3=(C{t}_3\oplus R_1\oplus TI{D}_{G{W}_y}),\end{array}$

(24)$\begin{array}{c}K{e}_2^{}=H(LGK\Vert TI{D}_{S{N}_z}),\end{array}$

(25)$\begin{array}{c}I{V}_4=H(SI{D}_{S{N}_z}\oplus Tm{e}_2),\end{array}$

(26)$\begin{array}{c}(C{t}_c^{},C{t}_d^{})=E_{K{e}_2^{}}\{I{V}_4,Z_3,TI{D}_x^{new}\},\end{array}$

(27)$\begin{array}{c}V{P}_4^{}=H(SI{D}_{S{N}_z}\oplus Tm{e}_2\Vert Z_3\Vert TI{D}_x^{new}).\end{array}$

Here, in (23), the plaintext is computed, and it will be encrypted using the encryption key $K{e}_2^{}$ derived in (24). In addition, the initialization vector is computed in (25), which is used in the encryption process to enhance the randomness of the ciphertext. Finally, $C{t}_c^{}$ and $C{t}_d^{}$ by performing the encryption, and the verification parameter is computed in (27). Moreover, $G{W}_y$ updates $TI{D}_x^c$ with $TI{D}_x^{new}$ and $TI{D}_i^{old}$ with $TI{D}_x^c$ in its own database. Finally, a message $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$ is constructed by $G{W}_y$ and transmitted to $S{N}_z$ using the public communication channel.

4.3.4. Step AKA-4

$ME{G}_2$ is received at $S{N}_z$ and its timeliness is validated through the condition $Tm{e}_d\ge |Tm{e}_2-Tm{e}_r|$. If the message is not replayed, then $S{N}_z$ computes

(28)$\begin{array}{c}I{V}_5=H(SI{D}_{S{N}_z}\oplus Tm{e}_2),\end{array}$

(29)$\begin{array}{c}(Z_3,TI{D}_x^{new})=D_{SK{N}^{}}\{I{V}_5,C{t}_c^{},C{t}_d^{}\},\end{array}$

(30)$\begin{array}{c}V{P}_5^{}=H(SI{D}_{S{N}_z}\oplus Tm{e}_2\Vert Z_3\Vert TI{D}_x^{new}),\end{array}$

(31)$\begin{array}{c}V{P}_5^{}\stackrel{?}{=}V{P}_4^{}.\end{array}$

If the condition in (31) holds, the message is considered to be a valid message.

4.3.5. Step AKA-5

To response $ME{G}_2$, $S{N}_z$ selects $Tm{e}_3$ and $R_3$ and computes

(32)$\begin{array}{c}I{V}_6=(Z_3\oplus SI{D}_{S{N}_z}),\end{array}$

(33)$\begin{array}{c}{Z}_4=(Z_3\oplus SI{D}_{S{N}_z}\oplus R_3),\end{array}$

(34)$\begin{array}{c}(C{t}_e^{},C{t}_f^{})=E_{Z_3}\{I{V}_6,Z_4,TI{D}_x^{new}\},\end{array}$

(35)$\begin{array}{c}S{K}_{S{N}_Z}=H(SI{D}_{S{N}_z}\Vert Z_3\Vert Z_4\Vert Tm{e}_3),\end{array}$

(36)$\begin{array}{c}V{P}_6^{}=H(Z_3\Vert Z_4\Vert S{K}_{S{N}_Z}\Vert Tm{e}_3\Vert SI{D}_{S{N}_z}),\end{array}$

Finally, $S{N}_z$ constructs the message $ME{G}_3:\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ and transmitted the message to $U_x$ using the open communication channel.

4.3.6. Step AKA-6

$U_x$ validates the timeliness of the received message $ME{G}_3$ via the condition $Tm{e}_d\ge |Tm{e}_3-Tm{e}_r|$. The condition will be false if the message is replayed; otherwise, $ME{G}_3$ is considered as a valid message and $U_x$ computes

(37)$\begin{array}{c}{Z}_5=(C{t}_3^l\oplus R_1\oplus TI{D}_{G{W}_y}),\end{array}$

(38)$\begin{array}{c}I{V}_7=(Z_5\oplus SI{D}_{S{N}_z}),\end{array}$

(39)$\begin{array}{c}(Z_4,TI{D}_x^{new})=D_{Z_5}\{I{V}_7,C_e^{},C_f^{}\},\end{array}$

(40)$\begin{array}{c}S{K}_{U_x}=H(SI{D}_{S{N}_z}\Vert Z_5\Vert Z_4\Vert Tm{e}_3),\end{array}$

(41)$\begin{array}{c}V{P}_7^{}=H(Z_5\Vert Z_4\Vert S{K}_{S{N}_Z}\Vert Tm{e}_3\Vert SI{D}_{S{N}_z}),\end{array}$

(42)$\begin{array}{c}V{P}_6^{}\stackrel{?}{=}V{P}_7^{}.\end{array}$

The received message will be a valid message if the condition in (42) holds. Otherwise, $U_x$ drops the received message and stops the AKA phase. In addition, the validness of the condition (42) indicates both the session keys, which are derived at $U_x$ and $S{N}_z$, are the same, and mutual authentication successfully accomplished. Finally, $U_x$ computes $Z_2^{new}=(TI{D}_x^{new}\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^l\oplus C{t}_3^l)$ and updates $Z_2^{new}$ with $Z_2^{}$. The authentication process is summarized in Figure 2.

4.4. Bio-Metric/Password Change Phase

During this phase, the user has the option to change their password and update their biometric information. The following steps must be followed to successfully complete the bio-metric/password update phase.

4.4.1. Step BCP-1

$U_x$ need to provide the old biometric information and password and compute

(43)$\begin{array}{c}\left({\gamma }_1^o\right)=Rep(Bi{o}_{U_x}^o,hld),\end{array}$

(44)$\begin{array}{c}K{e}_1^o=H({\gamma }_1^o\Vert I{D}_{U_x}\Vert P{W}_{U_x}^o),\end{array}$

(45)$\begin{array}{c}I{V}_1^o=\left(R_1^o\right),\end{array}$

(46)$\begin{array}{c}(C{t}_1^o,C{t}_2^o,C{t}_3^o)=E_{K{e}_1^o}\{I{V}_1^o,P_1^o,P_2^o,P_3^o\},\end{array}$

(47)$\begin{array}{c}V{P}_1^o=H(C{t}_1^o\Vert C{t}_2^o\Vert C{t}_3^o\Vert {\gamma }_1^o),\end{array}$

(48)$\begin{array}{c}V{P}_1^o\stackrel{?}{=}V{P}_1,\end{array}$

(49)$\begin{array}{c}(TI{D}_{S{N}_z}\Vert C{t}_3)=(Z_1^{}\oplus H(C{t}_2^o\oplus C{t}_3^o)),\end{array}$

(50)$\begin{array}{c}(TI{D}_x\Vert TI{D}_{G{W}_y})=(Z_2^{}\oplus H(C{t}_2^o\oplus C{t}_3^o)).\end{array}$

If the condition (48) holds, a prompt message is generated to intimate $U_x$ to provide the new parameters.

4.4.2. Step BCP-2

$U_x$ after receiving the new parameters, such as $P{W}_{U_x}^n$ and $Bi{o}_{U_x}^n$. Moreover, $SM{D}_{U_x}$ picks $R_1^n$ computes

(51)$\begin{array}{c}\left({\gamma }_1^n\right)=Rep(Bi{o}_{U_x}^n,hl{d}^n),\end{array}$

(52)$\begin{array}{c}K{e}_1^n=H({\gamma }_1^n\Vert I{D}_{U_x}\Vert P{W}_{U_x}^n),\end{array}$

(53)$\begin{array}{c}I{V}_1^n=\left(R_1^n\right),\end{array}$

(54)$\begin{array}{c}(C{t}_1^n,C{t}_2^n,C{t}_3^n)=E_{K{e}_1^n}\{I{V}_1^n,P_1^n,P_2^n,P_3^n\},\end{array}$

(55)$\begin{array}{c}V{P}_1^n=H(C{t}_1^n\Vert C{t}_2^n\Vert C{t}_3^n\Vert {\gamma }_1^n),\end{array}$

(56)$\begin{array}{c}{Z}_1^n=(TI{D}_{S{N}_z}\Vert C{t}_3)\oplus H(C{t}_2^n\oplus C{t}_3^n),\end{array}$

(57)$\begin{array}{c}{Z}_2^n=(TI{D}_x\Vert TI{D}_{G{W}_y})\oplus H(C{t}_2^n\oplus C{t}_3^n).\end{array}$

Finally, $U_x$ replaces the credentials {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} with {$Z_1^n$, $Z_2^n$, $R_r^n$, $V{P}_1^n$, $hl{d}^n$, $Gen(.)$, $Rep(.)$} in the memory of $SM{D}_{U_x}$.

5. Security Validation

The security strengths of the proposed RDAF-IIoT are validated through informal and formal security analysis. For the formal security analysis, the well-known mathematical method ROM is employed. In addition, Scyther, a software tool, is also used for the formal analysis.

5.1. Informal Security Analysis

In this section, the resiliency of the proposed RDAF-IIoT is corroborated against various attacks through informal (non-mathematical) analysis.

5.1.1. MITM Attack

There are three messages exchanged during the AKA phase. such as $ME{G}_1$:{$Tm{e}_1$, $TI{D}_x$, $C{t}_a^{}$, $C{t}_b^{}$, $V{P}_2^{}$}, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$. After capturing any of these communicated messages, $\mathcal{A}$ tries to modify the contents of messages. As $V{P}_2^{}$, $V{P}_4^{}$, and $V{P}_6^{}$ are validated at the receiving node to ensure the integrity of $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively. However, without knowing short-term and long-term secret credentials associated with $U_x$, $G{W}_y$, and $S{N}_z$, it is hard for $\mathcal{A}$ to compute $V{P}_2^{}$, $V{P}_4^{}$, and $V{P}_6^{}$ for the message $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively. In this way, the proposed RDAF-IIoT is resistant to MITM attack.

5.1.2. DoS Attack

The proposed RDAF-IIoT, $U_x$ achieves the local authentication by computing

(58)$\begin{array}{c}\left({\gamma }_1^{}\right)=Rep(Bi{o}_{U_x}^{},hld),\end{array}$

(59)$\begin{array}{c}K{e}_1^{}=H({\gamma }_1^{}\Vert I{D}_{U_x}\Vert P{W}_{U_x}),\end{array}$

(60)$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$

(61)$\begin{array}{c}(C{t}_1^{},C{t}_2^{},C{t}_3^{})=E_{K{e}_1^{}}\{I{V}_1,P_1^{},P_2^{},P_3^{}\},\end{array}$

(62)$\begin{array}{c}V{P}_1^{}=H(C{t}_1^{}\Vert C{t}_2^{}\Vert C{t}_3^{}\Vert {\gamma }_1^{}),\end{array}$

(63)$\begin{array}{c}V{P}_1^l\stackrel{?}{=}V{P}_1.\end{array}$

In the event that the condition stated in (63) is satisfied, $U_x$/$SM{D}_{U_x}$ transmits the AKA message to $G{W}_y$. Conversely, if the condition is not met, $U_x$/$SM{D}_{U_x}$ terminates the execution process. By employing a local authentication mechanism, the proposed RDAF-IIoT effectively safeguards against potential DoS attacks by thwarting the efforts of malicious yet legitimate $U_x$/$SM{D}_{U_x}$ entities attempting to flood $G{W}_y$ with a high volume of AKA messages.

5.1.3. Impersonation Attack

During the AKA phase, $U_x$ sends message, such as $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$ to $G{W}_y$ for further authentication of $U_x$. However, to impersonate as the valid $U_x$, $\mathcal{A}$ needs to generate a bogus $ME{G}_1^{{}^{\prime }}$ using random parameters. Moreover, without knowing the the parameters $TI{D}_{S{N}_j}$, $R_1$, and $C{t}_3^{}$, $\mathcal{A}$ cannot fabricate a valid $ME{G}_1^{}$. Similarly, $\mathcal{A}$ cannot generate a valid message, such as $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ without having the valid parameters used in the construction of these messages. Thus, the proposed scheme cannot provide protection against impersonation attacks.

5.1.4. Password Guessing Attack

After capturing $SM{D}_{U_x}$ of $U_x$, $\mathcal{A}$ obtains the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} through the power analysis attack. To perform the password-guessing attack, $\mathcal{A}$ selects the random secret credentials, such as $I{D}_{U_x}^{\mathcal{A}}$ and $P{W}_{U_x}^{\mathcal{A}}$, and $Bi{o}_{U_x}^{\mathcal{A}}$ and computes

(64)$\begin{array}{c}\left({\gamma }_1^{\mathcal{A}}\right)=Rep(Bi{o}_{U_x}^{\mathcal{A}},hld),\end{array}$

(65)$\begin{array}{c}K{e}_1^{\mathcal{A}}=H({\gamma }_1^{\mathcal{A}}\Vert I{D}_{U_x}^{\mathcal{A}}\Vert P{W}_{U_x}^{\mathcal{A}}),\end{array}$

(66)$\begin{array}{c}I{V}_1=\left(R_r\right),\end{array}$

(67)$\begin{array}{c}(C{t}_1^{\mathcal{A}},C{t}_2^{\mathcal{A}},C{t}_3^{\mathcal{A}})=E_{K{e}_1^{\mathcal{A}}}\{I{V}_1,P_1^{\mathcal{A}},P_2^{\mathcal{A}},P_3^{\mathcal{A}}\},\end{array}$

(68)$\begin{array}{c}V{P}_1^{\mathcal{A}}=H(C{t}_1^{\mathcal{A}}\Vert C{t}_2^{\mathcal{A}}\Vert C{t}_3^{\mathcal{A}}\Vert {\gamma }_1^{\mathcal{A}}),\end{array}$

(69)$\begin{array}{c}V{P}_1^{\mathcal{A}}\stackrel{?}{=}V{P}_1.\end{array}$

In order to successfully change the password, the condition in (69) must hold. However, without knowing the valid secret parameters, such as $I{D}_{U_x}^{}$ and $P{W}_{U_x}^{}$, and $Bi{o}_{U_x}^{}$ or $({\gamma }_1^{}$ associated with the valid $U_x$, it hard for $\mathcal{A}$ to compute above computation. In this way, the proposed scheme is resistant to the password guessing attack.

5.1.5. Identity Guessing Attack

$\mathcal{A}$ after capturing the messages, such as $ME{G}_1$:$\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$:$\{Tm{e}_3,C{t}_e^{},C{t}_f^{},V{P}_6^{}\}$ cannot obtain the real identity of $U_x$. In addition, $\mathcal{A}$ from the parameters {$Z_1$, $Z_2$, $R_r$, $V{P}_1^{}$, $hld$, $Gen(.)$, $Rep(.)$} cannot obtain the real identity of $U_x$. In this way, the proposed scheme is resistant to the identity guessing attack.

5.1.6. Replay Attack

All the communicated messages, such as $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$ during the AKA phase of the scheme are incorporated with the latest timestamps. The conditions $Tm{e}_d\ge |Tm{e}_1-Tm{e}_r|$, $Tm{e}_d\ge |Tm{e}_2-Tm{e}_r|$, and $Tm{e}_d\ge |Tm{e}_3-Tm{e}_r|$ are checked at the receiving node for $ME{G}_1$, $ME{G}_2$, and $ME{G}_3$, respectively, to detect the if the particular message is replayed or not. If the received message is not within the allowed time delay, the receiving node drops the messages and considers the received message as the replayed message. Hence, the RDAF-IIoT is resistant to replay attacks.

5.1.7. RPL Attack

In RDAF-IIoT, the session key is generated as $S{K}_{S{N}_z}(=S{K}_{U_x})=H(SI{D}_{S{N}_z}\Vert Z_5\Vert Z_4\Vert Tm{e}_3),\mathrm{where}(Z_5=Z_3=(C{t}_3^{}\oplus R_1\oplus TI{D}_{G{W}_y})$, which the combination of both the long term and short term parameters. Without knowing both long-term and short-term parameters, it is hard for $\mathcal{A}$ to generate a valid session key. Thus, the proposed RDAF-IIoT is resistant to RPL attack.

5.2. ROM Based Validation

The security of RDAF-IIoT is examined formally by employing ROM. The components of the ROM are demonstrated in Table 3. Capabilities of $\mathcal{A}$ are examined in Section 3.2. In addition, $\mathcal{A}$ effectuates the queries presented in Table 4 to generate various attacks on RDAF-IIoT.

5.3. Scyther-Based Security Verification

Scyther serves as a user-friendly tool for verifying, falsifying, and analyzing security protocols. It stands out among other advanced tools by offering several novel components. By employing a pattern refinement algorithm, Scyther efficiently generates concise representations of trace sets, aiding in the examination of attack categories and potential protocol behaviors. Extensively used in research, Scyther is a freely available security protocol verification tool. The proposed implementation of the RDAF-IIoT employs the security protocol description language (SPDL). The SPDL script defines three prominent roles: $U_x$, $G{W}_y$, and $S{N}_z$. Each role is associated with specific claims outlined within the SPDL script. Scyther verifies all the claims, as demonstrated in Table 5 and Figure 3.

6. Performance Comparison

The proposed RDAF-IIoT is compared with Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] regarding computational and communication costs. In addition, the security functionality is also considered as a performance measure. To compute the computational time, a system with “Intel(R) Core(TM) i5-2400 CPU @ 3.10 GHz”, operating system “Ubuntu,” and RAM 8 GB is used to simulate as $G{W}_y$. In addition, a system with “CPU Quad Core 1.2 GHz, BCM2837, operating system Ubuntu, and RAM 1 GB RAM’ (Raspberry Pi-3 (RPI3))’ is used to simulate the smart sensing device and smart device of the user. All the cryptographic primitives are implemented using the cryptographic library called “Pycrypto” and each cryptographic primitive is executed 100 times to estimate the average computational time. Table 6 tabulates the computational complexities of various cryptographic primitives.

6.1. Security Comparison

The proposed RDAF-IIoT is contrasted with Wazid et al. [34], Srinivas et al. [35], and Challa et al. [25] regarding the security features and functions. The scheme of Wazid et al. [34] is not secure against the identity de-synchronization attack. Srinivas et al. [35] yields a security strategy weak against identity guessing, MITM, and user and device impersonation attacks. In addition, the authentication strategy suggested in [35] has a design defect, due to which the authentication procedure cannot be accomplished. The security framework suggested in Challa et al. [25] user anonymity, privilege insider, password guessing, and stolen smart card attack. Nevertheless, the security framework RDAF-IIoT is more secure and reliable than the contrasted security framework, as shown in Table 7.

6.2. Computational Cost

In this subsection, the computational cost of the proposed RDAF-IIoT is estimated. The computational time of ECC, ECC point addition, hash operation, symmetric encryption, and FE-based key generation is denoted by $T_{ecc}$, $T_{eca}$, $T_h$, $T_{enc}$, and $T_b$, respectively. To derive the computational cost of the proposed RDAF-IIoT, computational complexities listed in Table 6 are employed. Total computational cost of RDAF-IIoT is $18T_h+7T_{enc}+T_b\approx 11.145$ ms, which is 78.63%, 74.73%, 77.36%, and 75.58% better than Srinivas et al. [35], Challa et al. [25], and Wazid et al. [34]. Figure 4, Figure 5 and Figure 6 and Table 8 show the computational cost comparison at $U_x$, $G{W}_y$, and $S{N}_z$. Moreover, Figure 7 exhibits that with increasing the number, the proposed RDAF-IIoT requires less computational resources than Srinivas et al. [35], Challa et al. [25], and Wazid et al. [34].

6.3. Communication Cost

To calculate the communication, which is required to accomplish the AKA phase, the parameters presented in Table 6 are used. There are three messages, such as $ME{G}_1$: $\{Tm{e}_1,TI{D}_x,C{t}_a^{},C{t}_b^{},V{P}_2^{}\}$, $ME{G}_2$:$\{Tm{e}_2,C{t}_c^{},C{t}_d^{},V{P}_4^{}\}$, and $ME{G}_3$: {$Tm{e}_3$, $C{t}_e^{}$, $C{t}_f^{}$, $V{P}_6^{}$} communicated during the AKA phase of the proposed RDAF-IIoT. The size of $ME{G}_1$, $ME{G}_2$, $ME{G}_3$ is {32 + 128 + 128 + 128 + 256} = 672 bits, {32 + 128 + 128 + 256} = 544 bits, and {32 + 128 + 128 + 128+ 256 } = 544 bits, respectively. Cumulative communication of the proposed RDAF-IIoT is {672 + 544 + 544 } = 1760 bits. The security framework of Srinivas et al. [35], Challa et al. [25], Wazid et al. [34], and Irshad et al. [3] require 2656 bits, 2528 bits, 3660 bits, and 3040 bits, respectively. Table 9 and Figure 8 show the communication efficiency of the proposed security framework than the relevant state of the security scheme.

6.4. Discussion

The proposed RADF-IIoT adopts a resource-efficient approach by utilizing XoR operations, hash functions, and symmetric encryption, rather than relying on complex and computationally intensive public key cryptosystems. This design choice enables RADF-IIoT to minimize the computational resources required compared to other related security frameworks. By leveraging these lightweight cryptographic primitives, RADF-IIoT achieves efficient and effective security measures while reducing computational overhead.

Furthermore, in the proposed RADF-IIoT, the AKA process involves the exchange of a small number of parameters with small message sizes. This characteristic contributes to a reduced communication overhead in the RDAF-IIoT while still maintaining robust security features. By minimizing the amount of data transmitted during the authentication and key agreement process, the proposed RADF-IIoT optimizes communication efficiency without compromising the overall security of the system.

7. Conclusions

A security scheme to set up a session key between the user and the IIoT device is proposed in this paper called RDAF-IIoT. Moreover, during the AKA phase of RADF-IIoT, the established session key is used to achieve encrypted communication to avert various security attacks. It is through the informal security analysis proved that RDAF-IIoT is resistant to MITM and impersonation attacks. ROM is employed to corroborate the security of the session key generated in AKA phase of the proposed RDAF-IIoT. In addition, Scyther is utilized to corroborate that RDAF-IIoT is protected. Furthermore, the performance analysis illustrates that the proposed RDAF-IIoT required [74.73% to 78.63%] lower computational and [30.38% to 51.91%] lower communication costs than the related security schemes while providing enhanced security features.

Footnotes

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Enlarge this image.

Figure 1. Smart IIoT environment.

Enlarge this image.

Figure 2. RDAF-IIoT AKA phase.

Enlarge this image.

Figure 3. Scyther analysis of the device access phase of RDAF-IIoT.

Enlarge this image.

Figure 4. Comparisons of computational cost at [Forumla omitted. See PDF.] {[3,25,34,35]}.

Enlarge this image.

Figure 5. Comparisons of computational cost at [Forumla omitted. See PDF.] {[3,25,34,35]}.

Enlarge this image.

Figure 6. Comparisons of computational cost at [Forumla omitted. See PDF.] {[3,25,34,35]}.

Enlarge this image.

Figure 7. Total computational cost required to complete the AKA phase {[3,25,34,35]}.

Enlarge this image.

Figure 8. Communication cost required to accomplish AKA phase {[3,25,34,35]}.