1. Introduction

With the recent advances in wireless sensor networks and embedded technologies, internet of things (IoT) connects objects and shares various useful data with internet through resource-constrained devices to provide convenient services for users such as smart home, healthcare, vehicle to everything and smart gird. However, a single server environment also is inefficient for IoT because an ocean of data is generated by resource-constrained devices such as microsensor, RFID tag and smart cards.

Cloud computing is a distributed computing mechanism for a large-scale data and allows sharing resources among all of the servers and users. The cloud computing provides five essential characteristics: on-demand self-services, ubiquitous network access, rapid elasticity, measured service and resource pooling [1,2]. On-demand self-service handles cloud services without human interaction and ubiquitous network access controls access service using standard protocols. Rapid elasticity and measured service optimize the resource usage. Resource pooling provides cloud service using homogeneous infrastructure among service users. The cloud computing deals with an ocean of data generated by devices and sensors and provides data managing service for users through these essential characteristics.

However, these services are vulnerable to potential attacks by malicious adversaries because they are provided through an open channel, including sensitive data of legitimate user about location, health, payment, etc. Therefore, a secure and efficient authentication for IoT environment has become essential security requirements to provide useful services to user.

In 1981, Lamport [3] proposed one factor user authentication scheme using passwords to ensure user’s privacy. However, security of the password based authentication scheme is easily broken because its security only relies on the passwords. In 2002, Chien et al. proposed two factor authentication scheme to overcome this security flaw using password and smart cards. However, their scheme is vulnerable to smart card stolen attack as the data stored in smart cards can be extracted by power analysis attacks [4]. When a malicious adversary obtains smart cards and password, they can perform various attacks such as impersonation, replay and insider attacks. To overcome the above-mentioned security weaknesses, three-factor authentication schemes have been proposed [5,6,7]. Biometrics (e.g., face, retina, fingerprint, iris, etc.) have several important characteristics: they cannot be lost or forgotten; they are hard to forge, copy, share or distribute; and they are difficult to guess.

In 2019, Pelaez et al. [8] demonstrated that the previous scheme is vulnerable to insider, off-line guessing and disclosure attacks and proposed enhanced IoT-based authentication scheme in cloud computing environment. This paper demonstrates that Pelaez et al.’s scheme does not withstand impersonation, session key disclosure and replay attacks. We also show that their scheme does not achieve secure mutual authentication and anonymity. Moreover, we propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to resolve these security weaknesses, considering computational costs.

1.1. Adversary Model

We present the Dolev–Yao (DY) model [9] to evaluate security of ours and previous schemes, which is widely accepted as security threat model. The detailed description of the DY model is as below:

1. A malicious adversary can modify, intercept, delete or insert the transmitted messages via an open channel. A malicious adversary can obtain or steal the smart card of legitimate user and can extract the data stored in the smart card by using power-analysis [4].

2. A malicious adversary can perform various attacks such as man-in-the-middle (MITM), replay, impersonation, and session key disclosure attack [10,11].

1.2. Our Contributions

Our contributions in this paper are as follows.

1. We demonstrate that Pelaez et al.’s scheme is not secure against various attacks such as impersonation, session key disclosure and replay attacks and does not achieve secure mutual authentication and anonymity.

2. We propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to address the security shortcomings of Pelaez et al.’s scheme. The proposed scheme withstands impersonation, session key disclosure, and replay attacks and achieve secure mutual authentication and anonymity. Moreover, the proposed scheme is more efficient than Pelaez et al.’s scheme because it utilizes only bitwise exclusive or (XOR) and hash operations.

3. We prove that the proposed scheme provides secure mutual authentication using the Burrows–Abadi–Needham (BAN) logic [12] and perform an informal security analysis to prove that our scheme is secure against various attacks such as MITM, impersonation, replay and session key disclosure attacks. Furthermore, we compare the security properties and performance of proposed protocol with other related schemes.

4. We perform a formal security analysis using the automated validation of internet security protocols and applications (AVISPA) simulation tool to prove that the proposed protocol resists the MITM and replay attacks.

1.3. Organization

We introduce the related works and review Pelaez et al.’s scheme in Section 2 and Section 3. In Section 4 and Section 5, we cryptanalyze Pelaez et al.’s scheme and propose a lightweight IoT-based three-factor authentication scheme in cloud computing environment to enhance the security shortcomings of Pelaez et al.’s scheme. Section 6 and Section 7 prove the security of proposed scheme and present the simulation analysis using AVISPA. In Section 8, we compare the security properties and performances of proposed protocol with other related schemes. Finally, Section 9 concludes the paper.

2. Related Works

In last few decades, numerous authentication and key agreement schemes have been proposed to ensure privacy of user, considering resource-constrained environments such as wireless sensor networks, global mobility networks and vehicular networks [3,13,14,15,16,17,18,19]. In 1981, Lamport [3] firstly proposed a lightweight password based user authentication scheme to provide secure communication. However, Lamport’s scheme has low security level because its security only relies on passwords. In 2002, Chien et al. [13] presented a two-factor user authentication protocol using smart card and password to resolve this problem. Unfortunately, the two-factor authentication schemes using password and smart cards cannot ensure user’s privacy [13,14,15,16,17,18,19], when the data stored in token (e.g., smart card, mobile device, etc.) are compromised.

Later, several authentication and key agreement schemes for IoT have been presented in various fields [20,21,22]. However, these environments are not suitable for IoT because it cannot handle a large number of data. In 2019, Zhou et al. [23] presented a lightweight IoT-based authentication scheme in cloud computing environment to overcome this issue. Zhou et al. claimed that their scheme can prevent various attacks such as insider, forgery and tracking attacks and provide secure mutual authentication and session key security. However, in 2019, Pelaez et al. [8] pointed out that Zhou et al.’s scheme [23] cannot withstand insider, off-line guessing and session key disclosure attacks and provide secure mutual authentication. To resolve these security problems, Pelaez et al. [8] presented a lightweight IoT-based authentication scheme in cloud computing environment. They also claimed that their scheme is secure against off-line password guessing, insider, impersonation and replay attacks.

3. Review of Pelaez et al.’s Scheme

We briefly review Pelaez et al.’s IoT based authentication scheme in cloud computing environment. Their scheme comprises of three processes: registration, authentication, and password change. These processes are presented as below (for details, see [8]).

3.1. User Registration Process

In Pelaez et al.’s scheme, a new user_Uiis registered from control serverCS via a secure channel. Figure 1 shows the user registration process of Pelaez et al.’s scheme. In Figure 1,_Uisends the registration request toCSand thenCSissues the smart cards.

3.2. Cloud Server Registration Process

In Pelaez et al.’s scheme, a cloud server_Sjis registered from control serverCS via a secure channel. Figure 2 shows the cloud server registration process of the Pelaez et al.’s scheme. In Figure 2,_Sjsends the registration request toCSand thenCSsends parameters_B2and_B3to_Sj.

3.3. Login Process

When_Uiwants to access the service,_Uifirstly sends login request message to_Sj . In Figure 3,_Uisends login request messages{_TUnew,_D1,PI_Di,_D2}to_Sj, and then_Sjsends the messages{_TUnew,_D1,PI_Di,_D2,_TSnew,_D3,PSI_Dj,_D4,_D5}toCSin order to check validation of_Ui.

3.4. Authentication Process

After finishing the login process,_Ui,_SjandCSperform mutual authentication with each entity, and then_Uiand_Sjcan share the session keyS_KU−S . Figure 4 shows the authentication process of the Pelaez et al.’s scheme.

4. Cryptanalysis of Pelaez et al.’s Scheme

In this section, we demonstrate that Pelaez et al.’s scheme does not resist replay, session key disclosure and impersonation attacks and show that their scheme does not achieve secure mutual authentication and anonymity.

4.1. Impersonation Attack

The impersonation attack is that a malicious adversary try to impersonate as a legitimate user. When a malicious adversary_UMAmay attempt to impersonate a legal user,_UMAcan easily generate the login request message of_Ui . According to Section 1.1,_UMAcan obtain smart card of_Uiand can extract the data{PI_Di,_C2,_C3,_C4,h(_nU)}stored in smart card. Furthermore,_UMAintercepts the message transmitted via an open channel. Finally,_UMAperforms the impersonation attack as below:

Step 1:

A malicious adversary_UMAcan compute real identityI_Di=_C2⊕_D1of legitimate user_Uiandh(_nUnew)=_D2⊕_C3⊕h(_TMAnew||I_Di). Then,_UMAgenerates timestamp_TMAnewand random nonce_nMAnew, computes_D2MA=_C3⊕h(_TMAnew||I_Di)⊕h(_nMAnew), and sends{_TMAnew,_D1,PI_Di,_D2MA}to the_Sj.

Step 2:

Upon getting the message from_UMA, the_Sjgenerates random nonces_TSnewand_nSnewand computes_D3=_B2⊕SI_Dj,_D4=_B3⊕h(_TSnew||SI_Dj)⊕h(_nSnew)and_D5=h(PI_Di||_TMAnew||SI_Dj||PSI_Dj||_TSnew). Then, the_Sjsends{_TMAnew,_D1,PI_Di,_D2MA,_TSnew,_D3,PSI_Dj,_D4,_D5}to theCS.

Step 3:

Upon getting the message from_Sj, theCScomputes_C2∗=h(PI_Di∗||h(I_DCS||x)||h(I_DCS ^||y))∗⊕h(I_DCS||x)⊕h(I_DCS||y),I_Di∗=h(PI_Di∗||h(I_DCS||x)||h(I_DCS ^||y))∗⊕h(I_DCS||x)⊕h(I_DCS||y)⊕_D1and_C1∗=h(I_Di∗||PI_Di). Then, theCSchecks whether_C1∗=?_C1. If it is valid, theCSauthenticates_UMA. Then, theCScomputesh^(_nMAnew)∗=h(I_Di∗||PI_Di∗||h(I_DCS||x)||h(I_DCS ^||y))∗⊕PI_Di∗⊕h(x||y)⊕h(_TMAnew||I_Di∗ ^)∗⊕_D2. After that, theCScomputesSI_Dj∗=h(PSI_Dj∗||h(I_DCS||z)||h(I_DCS ^||y))∗⊕h(I_DCS||z)⊕h(I_DCS||y)⊕_D3and_B1∗=h(SI_Dj∗||PSI_Dj∗). Then, theCSchecks whether_B1∗=?_B1. If it is valid, theCSauthenticate_Sj. After that, theCSrecoversh^(_nSnew)∗=h(SI_Dj∗||PSI_Dj∗||h(I_DCS||z)||h(I_DCS ^||y))∗⊕PSI_Dj∗⊕h(z||y)⊕h(_TSnew||SI_Dj∗)⊕_D4. Then, theCScomputes_D5∗=h(PI_Di∗||_TMAnew||SI_Dj∗||PSI_Dj∗||_TSnew ^)∗and checks whether_D5∗=?_D5. If it is valid, theCShave evidence of the connection attempt between_UMAand_Sj. To key agreement and mutual authentication, theCSgenerates a random nonce_nCSnewand computes the session keyS_KMA−S=h(h(_nMAnew)⊕h(_nSnew)⊕h(_nCSnew||_TCSnew)). Then, theCScomputes_D6=_B2⊕h(_TSnew||SI_Dj)⊕_TCSnew,_D7MA=h(_nCSnew||_TCSnew)⊕h(SI_Dj||_TCSnew)⊕h(_nMAnew),_D8MA=_C2⊕h(_TMAnew||I_Di)⊕_TCSnew,_D9=h(_nCSnew||_TCSnew)⊕h(I_Di||_TCSnew)⊕h(_nSnew),_D10MA=_ESK(h(_nCSnew)⊕h(SI_Dj||PSI_Dj||_B2))and_D11MA=_ESK(h(_nCSnew)⊕h(I_Di||PI_Di||_C2)). Finally, theCSsends{_D6,_D7MA,_D10MA,_D8MA,_D9,_D11MA}to the_Sj.

Step 4:

Upon getting the message fromCS, the_Sjcomputes_TCSnew∗=_B2⊕h(_TSnew||SI_Dj)⊕_D6,h(_nCSnew||_TCSnew ^)∗⊕h^(_nMAnew)∗=h(SI_Dj||_Tcsnew)⊕_D7MA,S_KU−S∗=h(h^(_nMAnew)∗⊕h(_nSnew)⊕h(_nCSnew||_TCSnew^)∗)and decrypts_DSK∗(_D10MA)=h(_nCSnew)⊕h(SI_Dj||PSI_Dj||_B2)=h^(_nCSnew)∗. After that, the_Sjsends{_D6,_D7MA,_D10MA,_D8MA,_D9,_D11MA}to the_UMA.

Step 5:

Upon getting the messages from_Sj, the_UMAcomputes_TCSnew∗=_C2⊕h(_TMAnew||I_Di)⊕_D8MA,h(_nCSnew||_TCSnew ^)∗⊕h^(_nSnew)∗=h(I_Di||_TCSnew)⊕_D9,S_KMA−S∗=h(h(_nUnew)⊕h^(_nSnew)∗⊕h(_nCSnew||_TCSnew^)∗)and decrypts_DSK∗(_D11MA)=h(_nCSnew)⊕h(I_Di||PI_Di||_C2)=h^(_nCSnew)∗. For mutual authentication with_Sj, the_UMAcomputes_M9MA={_ESK(h(_nCSnew||serverValue(challenge)))}and sends_M9MAto the_Sj.

Step 6:

Upon getting the messages from_UMA, the_Sjcomputes_DSK(_M9MA)=h^(_nCSnew)∗||serverValue(challenge))and checks whetherh^(_nCSnew)∗=?h(_nCSnew). Finally, the_Sjcomputes_M10MA={_ESK(serverValue(h(_nCSnew)||_TCSnew))}and sends_M10MAto the_UMA.

Step 7:

Upon getting the messages from_Sj, the_UMAcomputes_DSK(_M10MA)=serverValue(h(_nCSnew)||_TCSnew)=h(_nCSnew||_TCSnew ^)∗and checks whetherh(_nCSnew||_TCSnew ^)∗=?h(_nCSnew||_TCSnew).

_UMAcan successfully generates the login request message and session key between_UMAand_Sj. As a result, we show that Pelaez et al.’s scheme cannot withstand impersonation attack.

4.2. Session Key Disclosure Attack

The session key disclosure attack is that a malicious adversary can obtain the session key between_Uiand_Sj. Pelaez et al. claimed that their scheme can ensure security of session key because a malicious adversary cannot obtain random nonce_nUnew,_nSnew,_nCSnewand current timestamp_TCSnew . However, according to Section 1.1, a malicious adversary_UMAcan extract the data{PI_Di,_C2,_C3,_C4,h(_nU)}stored in the smart card and can obtain the transmitted messages_D1,_D2,_TUnew,_D8,_D9via an open channel. Therefore, a malicious adversary_UMAcan easily compute session keyS_KU−S∗=h(h^(_nUnew)∗⊕h(_nSnew)⊕h(_nCSnew||_TCSnew^)∗).

4.3. Replay Attack

Replay attack is that a malicious adversary try to obtain sensitive messages of user using the messages transmitted in previous and current session. Pelaez et al. claimed that their scheme can resist replay attack because a malicious adversary_UMAcannot obtain random nonce and timestamp. However,_UMAcan calculate the random nonce and timestamp of legitimate user correctly. According to 4.1,_UMAalso impersonates a legitimate user_Ui. Therefore,_UMAcan obtain_nUnew,_nSnewand_nCSnewand timestamp_TUnew,_TSnewand_TCSnew. As a result, Pelaez et al.’s scheme does not withstand replay attack.

4.4. Mutual Authentication

Pelaez et al claimed that their protocol allows secure mutual authentication among the user_Ui, the cloud server_Sj, and the control serverCS . However, according to Section 3.1, their protocol does not withstand to impersonation attack, as a malicious adversary_UMAcan successfully generate authentication request message_D2=_C3⊕h(_TUnew||I_Di)⊕h(_nUnew). Therefore, Pelaez et al.’s scheme does not achieve secure mutual authentication.

4.5. Anonymity

Pelaez et al claimed that a malicious adversary_UMAcannot obtain the real identityI_Di of legitimate user. However, according to Section 1.1, a malicious adversary_UMAcan extract the secret parameter_C2stored in the smart card and can intercept the transmitted message_D1via an open channel._UMAcan also computeI_Di=_C2⊕_D1and easily obtain real identity of legitimate user_Ui. Therefore, Pelaez et al.’s scheme does not guarantee anonymity.

5. Proposed Scheme

In this section, we propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to enhance security drawbacks of Pelaez et al.’s scheme. The proposed scheme consists of three processes: registration, login and authentication, and password change. The details of each process are presented below.

5.1. User Registration Process

A new user_Uiwho requests the use of the IoT services must register with control serverCS . Figure 5 shows the user registration process of proposed scheme and the detailed processes are as below.

Step 1:

The_UiselectsI_DiandP_Wiand imprints biometricBI_Oi. After that,_Uicomputes⟨_Ri,_Pi⟩=Gen(BI_Oi),RP_Wi=h(P_Wi||_Ri)and sends messages{I_Di,RP_Wi}to control serverCSvia a secure channel.

Step 2:

After getting the messages from_Ui, theCSgenerates a random nonce_S1and computesRI_Di=h(I_Di||h(_S1||_KS)),_Xi=h(RI_Di||_KS||_S1),_Ai=_Xi⊕h(RI_Di||RP_Wi), and_Bi=h(_Xi||RP_Wi). Then, theCSstores{_S1},{_Ai,_Bi}in a database and smart card, respectively. TheCSsends{RI_Di}and issues smart card to_Uivia a secure channel.

Step 3:

After getting the message and smart card fromCS, the_Uicomputes_Qi=h(I_Di||P_Wi||_Ri)⊕RI_Diand stores{_Qi}in a smart cardSC.

5.2. Cloud Server Registration Process

A cloud server_Sjmust register with the control serverCS to provide IoT service to the users. Figure 6 shows the cloud server registration process of proposed scheme and the detailed processes are as below.

Step 1:

The cloud server_SjselectsSI_Djand generates a random nonce_rj. After that, the_Sjsends messages{SI_Dj,_rj}to theCSvia a secure channel.

Step 2:

After getting the messages, theCSgenerates a random nonce_S2and computesRSI_Dj=h(SI_Dj||_rj||_KS)andS_Ij=h(RSI_Dj||h(_S2||_KS)). Then, theCSstores{_S2}in a database and sends messages{RSI_Dj,S_Ij}to the_Sjvia a secure channel.

Step 3:

After getting the messages, the_Sjstores{RSI_Dj,S_Ij}in a database.

5.3. Login and Authentication Process

A user_Uiwho requests access to IoT service must send a login request message to theCS . Figure 7 shows the login and authentication process of the proposed scheme. The detailed process is as below.

Step 1:

The_UiinputsI_Di,P_Wiand imprints biometricBI_Di. Then, the_Uicalculates_Ri=Rep(BI_Oi,_Pi),RI_Di=h(I_Di||P_Wi||_Ri)⊕_Qi,RP_Wi=h(P_Wi||_Ri),_Xi=_Ai⊕h(RI_Di||RP_Wi)and_Bi∗=h(_Xi||RP_Wi). The_Uichecks whether_Bi∗=?_Bi. If it is correct, the_Uigenerates a random nonceR_Ui. After that, the_Uicomputes_M1=R_Ui⊕_Xi,CI_Di=I_Di⊕h(_Xi||R_Ui)and_M2=h(I_Di||_Xi||R_Ui)and sends login request messages{_M1,_M2,CI_Di,RI_Di}to the_Sjvia an open channel.

Step 2:

Upon getting the messages from the_Ui, the_Sjgenerates a random nonceR_Sjand computes_D1=S_Ij⊕R_Sj,CSI_Dj=SI_Dj⊕h(S_Ij||R_Sj)and_D2=h(SI_Dj||S_Ij||R_Sj). Then, the_Sjsends the messages{_M1,_M2,CI_Di,RI_Di,_D1,_D2,CSI_Dj,RSI_Dj}to theCSvia an open channel.

Step 3:

Upon getting the messages from the_Sj, theCScomputes_Xi=h(RI_Di||_KS||_S1),R_Ui=_M1⊕_Xi,I_Di=CI_Di⊕h(_Xi||R_Ui), and_M2∗=h(I_Di||_Xi||R_Ui)and checks whether_M2∗=?_M2. If it is correct, theCScomputesS_Ij=h(RSI_Dj||h(_S2||_KS)),R_Sj=h(_D1)⊕S_Ij,SI_Dj=CSI_Dj⊕h(S_Ij||R_Sj), and_D2∗=h(SI_Dj||S_Ij||R_Sj)and checks whether_D2∗=?_D2. If it is valid, theCScomputes_M3=R_Sj⊕h(I_Di||R_Ui),_D3=R_Ui⊕h(SI_Dj||R_Sj)and_QCS=h(R_Ui||R_Sj||S_Ij). Then, theCSupdatesRI_DitoRI_Dinewand replaces{RI_Di}with{RI_Dinew}. Finally, theCSsends messages{_M3,_D3,_QCS}to the_Sj.

Step 4:

Upon getting the messages from theCS, the_SjcomputesR_Ui=_D3⊕h(SI_Dj||R_Sj)and_QCS∗=h(R_Ui||R_Sj||S_Ij)and checks whether_QCS∗=?_QCS. If it is valid, the_SjcomputesS_Ki=h(R_Ui||R_Sj)and_QCU=h(R_Ui||R_Sj||S_Ki)and sends messages{_M3,_QCU}to the_Ui.

Step 5:

Upon getting the messages from the_Sj, the_UicomputesR_Sj=_M3⊕h(I_Di||R_Ui),S_Ki=h(R_Ui||R_Sj)and_QCU∗=h(R_Ui||R_Sj||S_Ki)and checks whether_QCU∗=?_QCU. If it is correct, the_UicomputesRI_Dinew=h(RI_Di||h(R_Ui||R_Sj))andRI_DitoRI_Dinew. After that, the smart card updates_Ainew=_Xi⊕h(RI_Dinew||RP_Wi) and_Qinew=h(I_Di||P_Wi||_Ri)⊕RI_Dinewand replaces{_Ai,_Qi}with{_Ainew,_Qinew}. As a result, the_Ui,_SjandCSachieve the mutual authentication successfully.

5.4. Password Change Process

When_Uiwants to update his/her password, the_Ui can freely update their password in the proposed scheme. Figure 8 shows the password change process of the proposed scheme. The detailed process is as below.

Step 1:

The_UichoosesI_Di∗,P_Wi∗and imprints biometricsBI_Oi∗. Then, the_Uicalculates⟨_Ri,_Pi⟩=Gen(BI_Oi∗),RP_Wi∗=h(P_WMU||_Ri)and sends{I_DMU∗,RP_Wi∗}to the smart cardSC.

Step 2:

After getting the message from_Ui, theSCcomputes_Xi∗=_Ai∗⊕h(I_Di∗||RP_Wi∗)and_Bi∗=h(_Xi∗||RP_Wi∗)and checks whether_Bi∗=?_Bi. If it is equal, theSCsends the authentication message to the_Ui.

Step 3:

Upon getting the message from theSC, the_Uiinputs a new passwordP_Winewand imprints a new biometricsBI_Oinew._Uicomputes⟨_Rinew,_Pinew⟩=Gen(BI_Oinew),RP_Winew=h(P_Winew||_Rinew)and sends{RP_Winew}to theSC.

Step 4:

Upon getting the message from the_Ui, theSCcomputes_Ainew=_Xi∗⊕h(I_Di∗||RP_Winew),_Binew=h(_Xi∗||RP_Winew)and replaces{_Ai,_Bi}with{_Ainew,_Binew}.

6. Security Analysis

To assess secure mutual authentication of the proposed scheme, we utilize the BAN logic, which is widely accepted formal security model. Furthermore, we perform an informal security analysis to assess the safety of proposed scheme against various types of attacks.

6.1. Informal Security Analysis

The security of the proposed scheme is accessed utilizing an informal security analysis. Our scheme can withstand against various types of attacks, including impersonation, replay, session key disclosure attacks, and allows secure mutual authentication and anonymity.

6.1.1. Impersonation Attack

When a malicious adversary_UMAmay attempt to impersonate a legitimate user,_UMAmust generate a login request message_M2=h(I_Di||_Xi||R_Ui)correctly. However,_UMAcannot compute it because_UMAcannot obtain_Ui’s random nonceR_Ui, real identityI_Di, and secret parameter_Xi. Therefore, our scheme is secure against the impersonation attack because_UMAcannot calculate a login request message successfully.

6.1.2. Replay Attack

If a malicious adversary_UMAmay attempt to impersonate legal user by resending messages transmitted in a previous session,_UMAcannot utilize the previous messages because theCSchecks whether_M2∗=?_M2and_D2∗=?_D2, respectively. Furthermore, our scheme can withstand replay attack by using dynamic random nonceR_UiandR_Sjthat are changed every session. Therefore, our scheme protects against replay attack.

6.1.3. Session Key Disclosure Attack

In our scheme, a malicious adversary_UMAcannot compute session keyS_Kibecause_UMAcannot obtain random nonceR_UiandR_Sj. In addition,_UMAcannot obtain random nonceR_UiandR_Sjwithout secret parameter_XiandS_Ij. Consequently, our scheme withstands the session key disclosure attack.

6.1.4. Smart card Stolen Attack

According to Section 1.1, we suppose that a_UMAcan obtain a smart card and extract the data{_Ai,_Bi,_Qi}stored in the smart card. However, the_UMAcannot obtain sensitive informationI_DiandP_Wiof legitimate user because the data stored in the smart card are protected_Ai=_Xi⊕h(RI_Di||RP_Wi),_Bi=h(_Xi||RP_Wi)and_Qi=h(I_Di||P_Wi||_Ri)⊕RI_Diby using a hash function and XOR operation.

6.1.5. Mutual Authentication

In our scheme, after getting the request message{_M1,_M2,CI_Di,RI_Di}from the_Ui, the control serverCSchecks whether_M2∗=?_M2. If it is correct,CSauthenticates_Ui. After getting the messages{_D1,_D2,CSI_Dj,RSI_Dj}from cloud server_Sj, theCSchecks whether_D2∗=?_D2. If it is equal,CSauthenticates_Sj. After getting the messages{_M3,_D3,_QCS}from theCS, the_Sjchecks whether_QCS∗=?_QCS. If it is correct,_SjauthenticatesCS. After getting the messages{_QCU}from the_Sj, the_Uichecks whether_QCU∗=?_QCU. Finally, the_Uiauthenticates_Sj. As a result, our scheme achieve secure mutual authentication among_Ui,_Sj, andCSbecause a malicious adversary_UMAdoes not know secret parameters_XiandS_Ij.

6.1.6. Anonymity

A malicious adversary_UMAcannot obtain the real identityI_Diof legitimate user because it is masked by using hash function and XOR operation such asCI_Di=I_Di⊕h(_Xi||R_Ui). In addition, the_UMAcannot obtain secret parameter_Xiand random nonceR_Ui. Consequently, our scheme provides anonymity.

6.2. Security Features

We shows the better security levels achieved by the proposed scheme compared with some existing schemes [8,23,24,25]. The existing schemes are insecure against various attacks, including impersonation, session key disclosure smart card stolen, and replay attacks and cannot provide mutual authentication and anonymity. Table 1 shows the analysis results of the security features.

6.3. BAN Logic Based Authentication Proof

We performed security analysis utilizing the BAN logic to demonstrate the secure mutual authentication of the proposed scheme. We present the BAN logic notations in Table 2. Furthermore, we define the rules, the goals, the idealized form, and the assumptions for BAN logic analysis. We prove that the proposed scheme provides secure mutual authentication among_Ui,_SjandCS.

6.3.1. BAN Logic Rules

The rules of BAN logic are as below.

1. Message meaning rule:

A|≡A↔KB,A⊲_XKA≡B∼X

2. Nonce verification rule:

A≡#(X),A≡B|∼XA≡B≡X

3. Jurisdiction rule:

A≡B⟹X,A≡B≡XA|≡X

4. Freshness rule:

A|≡#(X)A|≡#X,Y

5. Belief rule:

A|≡X,YA|≡X.

6.3.2. Goals

To assess the BAN logic proof, we present the goals of the proposed scheme as below.

Goal 1:

_Ui∣≡(_Ui⟷SK_Sj)

Goal 2:

_Sj∣≡(_Ui⟷SK_Sj)

Goal 3:

_Ui∣≡_Sj∣≡(_Ui⟷SK_Sj)

Goal 4:

_Sj∣≡_Ui∣≡(_Ui⟷SK_Sj)

6.3.3. Idealized Forms

To assess the BAN logic proof, we define the assumptions of the proposed scheme as below.

Msg₁:

_Ui→_Sj:_{(RIDi,IDi,RUi)Xi}

Msg₂:

_Sj→CS:_{(RIDi,IDi,RUi,RSIDj,SIDj,RSj)SIj}

Msg₃:

CS→_Sj:_{(IDi,SIDj,RUi,RSj)SIj}

Msg₄:

_Sj→_Ui:_{(IDi,RUi,RSj,(Ui⟷SKSj))Xi}

6.3.4. Assumptions

We present the initial assumptions to assess the BAN logic proof.

A₁:

_Sj∣≡(_Ui⟷_XiSj)

A₂:

_Sj∣≡#(R_Ui)

A₃:

CS∣≡(CS⟷S_IjSj)

A₄:

CS∣≡#(R_Sj)

A₅:

_Sj∣≡(CS⟷S_IjSj)

A₆:

FA∣≡#(R_Sj)

A₇:

_Ui∣≡(_Ui⟷_XiSj)

A₈:

_Ui∣≡#(R_Sj)

A₉:

_Ui∣≡_Sj⇒(_Ui⟷SK_Sj)

A₁₀:

_Sj∣≡_Ui⇒(_Ui⟷SK_Sj)

6.3.5. Proof Using BAN Logic

The proof then proceeds as below.

Step 1:

According toMs_g1, we could get

(_S1):_Sj⊲_{(RIDi,IDi,RUi)Xi}

Step 2:

Using the message meaning rule with_S1and_A1, we get

(_S2):_Sj∣≡_Ui∣∼_{(RIDi,IDi,RUi)Xi}

Step 3:

From the freshness rule with_S2and_A2, we obtain

(_S3):_Sj∣≡#_{(RIDi,IDi,RUi)Xi}

Step 4:

Using the nonce verification with_S2and_S3, we get

(_S4):_Sj∣≡_Ui∣≡_{(RIDi,IDi,RUi)Xi}

Step 5:

From the belief rule with_S4, we obtain

(_S5):_Sj∣≡_Ui∣≡_(RUi)Xi

Step 6:

According toMs_g2, we could get

(_S6):CS⊲_{(RIDi,IDi,RUi,RSIDj,SIDj,RSj)SIj}

Step 7:

Using the message meaning rule with_S6and_A3, we get

(_S7):CS∣≡_Sj∣∼_{(RIDi,IDi,RUi,RSIDj,SIDj,RSj)SIj}

Step 8:

From the freshness rule with_S7and_A4, we obtain

(_S8):CS∣≡#_{(RIDi,IDi,RUi,RSIDj,SIDj,RSj)SIj}

Step 9:

Using the nonce verification rule with_S7and_S8, we get

(_S9):CS∣≡_Sj∣≡_{(RIDi,IDi,RUi,RSIDj,SIDj,RSj)SIj}

Step 10:

According toMs_g3, we could get

(_S10):_Sj⊲_{(IDi,SIDj,RUi,RSj)SIj}

Step 11:

Using the message meaning rule with_S10and_A5, we get

(_S11):_Sj∣≡CS∣∼_{(IDi,SIDj,RUi,RSj)SIj}

Step 12:

From the freshness rule with_S11and_A6, we obtain

(_S12):_Sj∣≡#_{(IDi,SIDj,RUi,RSj)SIj}

Step 13:

Using the nonce verification rule with_S11and_S12, we get

(_S13):_Sj∣≡CS∣≡_{(IDi,SIDj,RUi,RSj)SIj}

Step 14:

According toMs_g4, we could get

(_S14):_Ui⊲_{(IDi,RUi,RSj,(Ui⟷SKSj))Xi}

Step 15:

Using the message meaning rule with_S14and_A7, we get

(_S15):_Ui∣≡_Sj∣∼_{(IDi,RUi,RSj,(Ui⟷SKSj))Xi}

Step 16:

From the freshness rule with_S15and_A8, we obtain

(_S16):_Ui∣≡#_{(IDi,RUi,RSj,(Ui⟷SKSj))Xi}

Step 17:

Using the nonce verification with_S15and_S16, we get

(_S17):_Ui∣≡_Sj∣≡_{(IDi,RUi,RSj,(Ui⟷SKSj))Xi}

Step 18:

From the belief rule with_S17, we obtain

(_S18):_Ui∣≡_Sj∣≡(_Ui⟷SK_Sj)(Goal3)

Step 19:

Using the jurisdiction rule with_S18and_A9, we get

(_S19):_Ui∣≡(_Ui⟷SK_Sj)(Goal1)

Step 20:

Because ofSK=h(R_Ui||R_Sj), from the_S5,_S9,_S13and_S17we could get

(_S20):_Sj∣≡_Ui∣≡(_Ui⟷SK_Sj)(Goal4)

Step 21:

Using the jurisdiction rule with_S19and_A10, we obtain

(_S21):_Sj∣≡(_Ui⟷SK_Sj)(Goal2)

Referring to Goals 1–4, we show that proposed scheme achieves secure mutual authentication among_Ui,_SjandCS.

7. Simulation for Security Verification with the AVISPA tool

We performed a formal security verification of the proposed scheme utilizing AVISPA simulation tool [26,27] to evaluate the safety of the authentication protocol against MITM and replay attacks, which is widely accepted for formal security analysis [28,29,30,31]. To perform AVISPA simulation tool, the environment and the session of security protocol must be implemented using the High Level Protocols Specification Language (HLPSL).

7.1. HLPSL Specifications

We considered three basic roles: user_Ui, cloud server_Sj, and control serverCS. Then, we presentsessionandenvironment utilizing HLPSL in Figure 9, which contains the security goals. The role specifications of_Ui,_Sj, andCS are as shown in Figure 10, Figure 11 and Figure 12.

The_Uireceives the initial message and updates the updates the state value from 0 to 1. The_Uithen sends the registration request messages{I_Di,RP_Wi}to theCSvia a secure channel and receives{RI_Di,Smartcard}from theCS. The_Uiupdates the state value from 1 to 2. In the login and authentication phase, the_Uideclareswitness(UA,CS,ua_sn_rui,R_Ui′)from the_Sj, and then updates the state value from 2 to 3. Finally, the_Uireceives the authentication messages{_M3,_QCU}from the_Sj. The_Uichecks whether_QCU∗=?_QCU. If it is valid, the_Uiauthenticates the_Sjsuccessfully. The role specification for_Sjis similarly defined.

7.2. AVISPA Simulation Result

We show the AVISPA results to verify the safety of the proposed scheme using OFMC and CL-AtSe. The OFMC checks whether the proposed scheme is safe from MITM attack. In addition, the CL-AtSe demonstrates the safety of the protocol against replay attack. Consequently, Figure 13 shows that the proposed scheme is secure against MITM and replay attacks though AVISPA simulation.

8. Performance Analysis

We compared the computation cost, communication cost and security features of the proposed scheme with some existing schemes [8,23,24,25]. We show that the proposed scheme provides better efficiency and security features.

8.1. Computation Cost

We compared the computation overheads of the proposed scheme with some existing schemes [8,23,24,25]. To analyze of computation cost, we estimated using the following parameters. Table 3 shows the analysis results of computation cost and the detailed total cost are as below.

The total computation cost for the proposed scheme and Pelaez et al.’s scheme are 34_Thand 48_Th+ 8_Ts, respectively. We provide better efficiency than some existing schemes because the proposed scheme uses only hash and XOR operations. Therefore, our scheme is secure and efficient for practical IoT-based cloud computing environment.

1. _Thdenotes the time for the hash function (Case 1≈0.00517 ms [23] and Case 2≈0.0000328 ms [32]).

2. _Tsdenotes the time for the symmetric key cryptography operation using AES algorithm (case 1≈0.02148 ms [23] and Case 2≈0.0214385 ms [32]).

3. The XOR operation was not included because it is negligible compared to the other operations.

8.2. Communication Cost

We compared the communication overhead of the proposed scheme with some existing schemes [8,23,24,25]. In authentication phase of the proposed scheme, the transmitted messages{_M1,_M2,CI_Di,RI_Di},{_M1,_M2,CI_Di,RI_Di,_D1,_D2,CSI_Dj,RSI_Dj},{_M3,_D3,_QCS}and{_M3,_QCU} require (128 + 128 + 128 + 128 = 512 bits), (128 + 128 + 128 + 128 + 128 + 128 + 128 + 128 = 1024 bits), (128 + 128 + 128 = 384 bits), and (128 + 128 = 256 bits), respectively. Table 4 shows the analysis results of communication cost. Consequently, the proposed scheme is thus more efficient than other related schemes [8,23,24,25] because the total communications cost are 2176 bits (Case 1) and 4352 bits (Case 2).

1. Case 1 defines that the pseudo-identity, random nonce, timestamp, identity, password, and hash function are 128 bits, respectively.

2. Case 2 defines that the pseudo-identity, random nonce, timestamp, identity, password, and hash function are 256 bits, respectively.

3. The block length for symmetric encryption is 128 bits.

9. Conclusions

This paper shows that Pelaez et al.’s scheme does not defend various attacks such as impersonation, session key disclosure and replay attacks. Furthermore, we show that Pelaez et al.’s scheme cannot allow mutual authentication and anonymity. We propose a secure and lightweight three-factor authentication scheme for IoT in cloud computing environment to enhance the security drawbacks of Pelaez et al.’s scheme. Our scheme can withstand various types of attacks, including impersonation, session key disclosure and replay attacks, and can provide mutual authentication and anonymity. Then, we demonstrate that our scheme allows secure mutual authentication among_Ui,_Sj, andCSutilizing BAN logic analysis. We also performed a formal security verification analysis of the proposed scheme utilizing the AVISPA simulation tool. In addition, we compared the security features and performance of the proposed scheme with some existing schemes. We show that our scheme provides better safety and efficiency than related schemes. Therefore, our scheme can be suitable for practical IoT-based cloud computing environment because it is more secure and lightweight than the previous schemes.

[Image omitted. See PDF.]."]

[Image omitted. See PDF.]."]

[Image omitted. See PDF.]."]

[Image omitted. See PDF.]."]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

[Image omitted. See PDF.]

∘, preserves the security features; ×, does not preserve the security features;

Th, hash function; Ts, symmetric key cryptography operation using AES algorithm

Author Contributions

Conceptualization, S.Y.; software, S.Y. and K.P.; validation, K.P.; formal analysis, K.P.; writing—original draft preparation, S.Y.; writing—review and editing, K.P. and Y.P.; supervision, Y.P.

Funding

This work was supported by the Basic Science Research Program through the National Research Foundation of Korea funded by the Ministry of Science, ICT and Future Planning under Grant 2017R1A2B1002147 and in part by the BK21 Plus project funded by the Ministry of Education, Korea under Grant 21A20131600011.

Conflicts of Interest

The authors declare no conflict of interest.