LAM-CIoT: Lightweight authentication mechanism in cloud-based IoT environment

https://doi.org/10.1016/j.jnca.2019.102496

Abstract

The Internet of Things (IoT) marks a new era of the Internet in which many physical smart objects (e.g., sensing devices) are connected through the Internet. IoT has many kinds of applications, such as smart homes, wearable devices, smart connected vehicles, industry, and smart cities, and IoT-based applications have therefore become an essential part of day-to-day life. In a cloud-based IoT environment, a cloud platform stores the data collected from the IoT sensors. Such an environment is highly scalable and supports real-time event processing, which is very important in several scenarios (e.g., surveillance and monitoring based on IoT sensors). Since some cloud-based IoT applications are critical, the information collected and sent by the IoT sensors must not be leaked during communication. To this end, we design a new lightweight authentication mechanism for the cloud-based IoT environment, called LAM-CIoT. With LAM-CIoT, an authenticated user can access the data of IoT sensors remotely. LAM-CIoT uses only efficient one-way cryptographic hash functions and bitwise XOR operations; in addition, a fuzzy extractor is employed at the user's end for local biometric verification. The security of LAM-CIoT is analyzed methodically through formal security analysis under the broadly accepted Real-Or-Random (ROR) model, formal security verification with the widely used Automated Validation of Internet Security Protocols and Applications (AVISPA) tool, and informal security analysis. The performance analysis shows that LAM-CIoT offers better security and lower communication and computation overheads than closely related authentication schemes. Finally, LAM-CIoT is evaluated with the NS2 network simulator to measure network performance parameters, which shows the impact of LAM-CIoT and the other schemes on network performance.

Introduction

Information and Communications Technology (ICT) has evolved into a new kind of communication environment, the Internet of Things (IoT). In IoT, many physical objects (i.e., smart devices) are interconnected to collect and exchange data over the Internet. IoT has many kinds of applications, such as smart traffic monitoring, smart homes, wearable devices, industry, and smart cities. In a cloud-based IoT environment, a cloud platform stores the data of the IoT sensors. This environment is highly scalable and provides real-time event processing, which is very important in some critical scenarios (e.g., surveillance and monitoring based on IoT sensors). IoT-based applications have therefore become an essential part of day-to-day life.

In critical IoT-based applications, real-time data access is necessary as and when it is required. This is possible when external parties (users) who are authorized to do so are permitted to access the real-time data directly from the IoT sensors deployed in the network. Once a user and the accessed IoT sensor have mutually authenticated each other, they need to establish a session key; with this session key they can communicate securely for real-time data access. For this purpose, we propose a new lightweight authentication mechanism for the cloud-based IoT environment, called LAM-CIoT, with which an authenticated user can access the data of IoT sensors remotely and directly.

Although IoT-based applications ease people's day-to-day life, the IoT environment is vulnerable to various security and privacy problems, such as leakage of confidential information and attacks including replay, man-in-the-middle, impersonation and denial-of-service attacks. Under these attacks, remote malicious users can perform unauthorized tasks, which can put at risk the people who rely on IoT-based applications in their day-to-day life. Furthermore, some of the devices used in the IoT environment (e.g., IoT sensors) are resource constrained, so lightweight security schemes are needed to secure the communication among the participating entities. In critical IoT-based applications, such as healthcare and the battlefield, an external party (called a user) wants to access real-time data from designated IoT sensors, because the data available at the gateway nodes (GW) may not be live: it may be collected only at periodic intervals. This is possible when the user and the IoT sensor can mutually authenticate each other and, upon successful authentication, establish a secure session key for their subsequent communication. In addition, the session key must be constructed in such a way that even if short-term secrets (e.g., random nonces) are disclosed to an adversary, the session keys established between the user and the IoT device in past and future sessions are not compromised. In other words, a user authentication protocol designed for the IoT environment must guarantee session key security.
To address this problem, we aim to design a secure and lightweight authentication scheme for the cloud-based IoT environment in which a legitimate user and an IoT sensor can authenticate each other and communicate securely using the established session key.

The contributions of the proposed work are given below.

  • We propose a new lightweight user authentication and key agreement protocol for the cloud-based IoT environment, called LAM-CIoT. LAM-CIoT uses only efficient and lightweight cryptographic hash functions and bitwise XOR operations. Apart from these operations, a fuzzy extractor is applied only at the user's end for local biometric verification in the login phase, as discussed in Section 4.3.

  • The formal security analysis using the ROR model (Abdalla et al., 2005) and the formal security verification using the AVISPA tool (AVISPA, 2017a) are performed for LAM-CIoT. An informal security analysis is also carried out to show the resilience of LAM-CIoT against other possible attacks.

  • We also provide a comparative study of LAM-CIoT with closely related existing schemes. LAM-CIoT offers a better trade-off between security and functionality features on the one hand and communication and computation costs on the other, compared to the related schemes.

  • Finally, for practical demonstration, we use the NS2 simulator to measure the impact of LAM-CIoT on network performance parameters. This analysis shows the behavior of the network under LAM-CIoT.
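To make the three factors, the fuzzy-extractor step and the session-key requirement from the introduction concrete, the following Python program is an added illustration. It is not the LAM-CIoT protocol and not code from the authors: it is a generic hash-and-XOR login of the kind the contributions describe, with a toy code-offset fuzzy extractor (the Dodis et al. construction over a repetition code) applied to a bit-string stand-in for a biometric. All names here (`register`, `user_request`, `gateway_respond`, `user_finish`, `K_GW`, `MAX_SKEW`, the message layouts) are assumptions made for the example, the exchange is between the user and the gateway only, and the session-key point from the introduction appears as the key depending on the long-term secret `x`, so disclosure of the nonces `r_u` and `r_g` alone does not yield it.

```python
"""Toy three-factor login and hash/XOR key agreement with a fuzzy extractor.
Added illustration only, not the LAM-CIoT protocol: every name, message
format and parameter here is an assumption made for this example."""
import hashlib
import os
import secrets
import time
from typing import Optional

def h(*parts: bytes) -> bytes:
    """One-way hash of the concatenated inputs (SHA-256)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# ---- Fuzzy extractor: code-offset construction over a repetition code ----
# The "biometric" is a list of KEY_BITS*REP bits (a stand-in for a feature
# vector); each key bit is encoded REP times, so up to (REP-1)//2 flipped
# bits per block are corrected and anything beyond that yields a wrong key.
KEY_BITS, REP = 32, 5

def _decode(code: list) -> list:
    """Majority-vote decoding of a noisy repetition codeword."""
    return [1 if 2 * sum(code[i:i + REP]) > REP else 0
            for i in range(0, len(code), REP)]

def gen(w: list) -> tuple:
    """Gen(w) -> (sigma, tau): sigma is the biometric key, tau the public helper."""
    k = [secrets.randbits(1) for _ in range(KEY_BITS)]
    codeword = [b for b in k for _ in range(REP)]
    tau = [wi ^ ci for wi, ci in zip(w, codeword)]   # reveals nothing about k without w
    return h(bytes(k)), tau

def rep(w_prime: list, tau: list) -> bytes:
    """Rep(w', tau) recovers sigma whenever w' is within the error budget of w."""
    noisy = [wi ^ ti for wi, ti in zip(w_prime, tau)]
    return h(bytes(_decode(noisy)))

# ---- Registration (K_GW, the gateway master key, is an assumption) ----
K_GW = os.urandom(32)
MAX_SKEW = 5.0          # seconds of clock skew tolerated by the freshness check

def register(uid: bytes, pw: bytes, bio: list) -> dict:
    """Returns the smart-card contents. The gateway sees only ID and the masked
    password RPW, never the password or the biometric itself."""
    sigma, tau = gen(bio)
    rpw = h(uid, pw, sigma)                          # masked password
    a = xor(h(uid, K_GW), rpw)                       # gateway: A = h(ID||K_GW) XOR RPW
    return {"A": a, "tau": tau, "V": h(rpw, sigma)}  # V: verifier for the local check

# ---- Login and key agreement (user <-> gateway) ----
def user_request(card: dict, uid: bytes, pw: bytes, bio_now: list):
    """Local three-factor check, then message 1. Returns (state, msg1) or None."""
    sigma = rep(bio_now, card["tau"])
    rpw = h(uid, pw, sigma)
    if h(rpw, sigma) != card["V"]:
        return None                 # wrong password/biometric: nothing leaves the device
    x = xor(card["A"], rpw)         # x = h(ID||K_GW): long-term secret shared with GW
    r_u, t1 = os.urandom(16), time.time()
    ts = repr(t1).encode()
    m1 = xor(r_u, h(x, ts)[:16])    # nonce hidden under the long-term secret
    m2 = h(uid, x, r_u, ts)         # binds ID, secret, nonce and timestamp
    return {"x": x, "r_u": r_u}, (uid, t1, m1, m2)

def gateway_respond(msg1: tuple, now: Optional[float] = None):
    """Checks freshness and authenticity of msg1; returns (sk, msg2) or None."""
    uid, t1, m1, m2 = msg1
    if abs((time.time() if now is None else now) - t1) > MAX_SKEW:
        return None                 # stale timestamp: replayed request rejected
    x = h(uid, K_GW)
    ts = repr(t1).encode()
    r_u = xor(m1, h(x, ts)[:16])
    if h(uid, x, r_u, ts) != m2:
        return None                 # forged or tampered request
    r_g = os.urandom(16)
    sk = h(x, r_u, r_g)             # an adversary holding only r_u and r_g lacks x
    return sk, (xor(r_g, h(x, r_u)[:16]), h(sk, r_g))

def user_finish(state: dict, msg2: tuple) -> Optional[bytes]:
    """Recovers the gateway nonce, derives SK and checks the confirmation value."""
    m3, m4 = msg2
    r_g = xor(m3, h(state["x"], state["r_u"])[:16])
    sk = h(state["x"], state["r_u"], r_g)
    return sk if h(sk, r_g) == m4 else None
```

A biometric reading with one flipped bit per five-bit block recovers the same `sigma` and logs in; three flips per block exceed the code's budget, `sigma` changes, and the local check fails before any message is sent, which is also what a wrong password does. A replayed `msg1` fails the timestamp check and a tampered `m2` fails the authenticity check at the gateway. Note that because `sk` is derived from the long-term secret `x`, this toy offers session-key secrecy against nonce disclosure but not forward secrecy against compromise of `K_GW`; a scheme that needs the latter has to add a public-key step, which is exactly the cost hash-and-XOR designs try to avoid.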

The network and threat models associated with LAM-CIoT are explained in Section 2. The literature survey of related existing protocols is provided in Section 3. Section 4 gives the details of the various phases of LAM-CIoT. The detailed informal and formal security analysis of LAM-CIoT, along with the formal security verification using the AVISPA tool, is given in Section 5. The comparative study of LAM-CIoT and closely related existing schemes is given in Section 6. The impact of LAM-CIoT on network performance parameters is studied in Section 7 using NS2 simulation. Finally, the paper is concluded in Section 8.

Section snippets

System models

The working and usability of LAM-CIoT are explained with respect to the following two models.

Related work

Wolf and Serpanos (2018) discussed various security issues in Cyber-Physical System (CPS) and IoT systems. They presented a safety/security threat model for CPS and IoT systems. Ni et al. (2018) reviewed the architecture and characteristics of fog computing. Then, they discussed the roles of fog nodes in IoT applications (i.e., real-time services, data dissemination and decentralized computation). Moreover, they examined several promising IoT applications as per the different roles of fog

The proposed scheme (LAM-CIoT)

In order to explain the working of the proposed LAM-CIoT scheme, we divide the scheme into seven phases: i) pre-deployment, ii) user registration, iii) login, iv) authentication and key agreement, v) password and biometric information update, vi) dynamic IoT sensor addition, and vii) smart card revocation.

LAM-CIoT is designed around three authentication factors: 1) the smart card SCi of a user Ui, 2) the password of Ui and 3) the biometrics of Ui. The biometrics is used to

Security analysis

This section provides an extensive security analysis of the proposed LAM-CIoT scheme using both formal and informal analysis. In addition, the formal security verification using the well known AVISPA tool (AVISPA, 2017a) is carried out to assure that LAM-CIoT is resilient against active attacks, such as replay and man-in-the-middle attacks.

Comparative study with related schemes

It is worth noting that, so far, no user authentication protocol for securing the cloud-based IoT environment has been reported in the literature. For this reason, in this section we compare the performance of the proposed LAM-CIoT with closely related user authentication schemes from other fields. The comparative study of LAM-CIoT with related existing schemes, such as Challa et al.'s scheme (Challa et al., 2017) and Farash et al.'s scheme (Farash et al., 2016), has been performed. The

NS2 simulation study

We have performed a simulation study of LAM-CIoT and the related existing schemes of Challa et al. (2017) and Farash et al. (2016) using the NS2 simulator. We measured the impact of LAM-CIoT on important network performance parameters, namely throughput (in bits per second, bps) and end-to-end delay (in seconds).

Conclusion

This paper deals with an emerging research area, the cloud-based IoT environment. We have presented a lightweight authentication mechanism for securing the cloud-based IoT environment (LAM-CIoT) that addresses the security requirements of this environment. The rigorous security analysis of LAM-CIoT, consisting of formal security analysis under the ROR model, formal security verification using the AVISPA tool, and informal security analysis, shows that LAM-CIoT withstands several well-known attacks. LAM-CIoT supports addition of

Declaration of competing interest

We do not have any conflicts of interest.

Acknowledgments

The authors would like to thank the anonymous reviewers for their constructive feedback.


References (40)

  • AVISPA. SPAN, the Security Protocol ANimator for AVISPA (2017).
  • S. Challa et al. Secure signature-based authenticated key establishment scheme for future IoT applications. IEEE Access (2017).
  • C.C. Chang et al. A provably secure, efficient, and flexible authentication scheme for ad hoc wireless sensor networks. IEEE Trans. Wirel. Commun. (2016).
  • S. Chatterjee et al. Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment. IEEE Trans. Dependable Secure Comput. (2018).
  • Cloud Computing and IoT
  • A.K. Das. An unconditionally secure key management scheme for large-scale heterogeneous wireless sensor networks.
  • M.L. Das. Two-factor user authentication in wireless sensor networks. IEEE Trans. Wirel. Commun. (2009).
  • A.K. Das. Analysis and improvement on an efficient biometric-based remote user authentication scheme using smart cards. IET Inf. Secur. (2011).
  • A.K. Das et al. Design of secure and lightweight authentication protocol for wearable devices environment. IEEE J. Biomed. Health Inf. (2018).
  • Y. Dodis et al. Fuzzy extractors: how to generate strong keys from biometrics and other noisy data.

    Mohammad Wazid received M.Tech. degree in Computer Network Engineering from Graphic Era University, Dehradun, India and Ph.D. degree in Computer Science and Engineering from the International Institute of Information Technology, Hyderabad, India. He is currently working as an Associate Professor in the Department of Computer Science and Engineering, Graphic Era University, Dehradun, India. Prior to this, he was working as an Assistant Professor at the Department of Computer Science and Engineering, Manipal Institute of Technology, Manipal Academy of Higher Education, Manipal, Karnataka, India. He was also a Postdoctoral Researcher at Cyber Security and Networks lab, Innopolis University, Innopolis, Russia. His current research interests include security, remote user authentication, Internet of things (IoT), and cloud computing. He has published more than 60 papers in international journals and conferences in the above areas. He was a recipient of the University Gold Medal and the Young Scientist Award by UCOST, Department of Science and Technology, Government of Uttarakhand, India. He has also received the recognition of “Best Reviewer of 2019” from ICT Express (Elsevier) Journal.

    Ashok Kumar Das received a Ph.D. degree in computer science and engineering, an M.Tech. degree in computer science and data processing, and an M.Sc. degree in mathematics from IIT Kharagpur, India. He is currently an Associate Professor with the Center for Security, Theory and Algorithmic Research, International Institute of Information Technology, Hyderabad, India. His current research interests include Cryptography, network security, blockchain, security in Internet of Things (IoT), Internet of Vehicles (IoV), Internet of Drones (IoD), smart grids, smart city, cloud/fog computing and industrial wireless sensor networks, and intrusion detection. He has authored over 200 papers in international journals and conferences in the above areas, including over 170 reputed journal papers. Some of his research findings are published in top cited journals, such as the IEEE Transactions on Information Forensics and Security, IEEE Transactions on Dependable and Secure Computing, IEEE Transactions on Smart Grid, IEEE Internet of Things Journal, IEEE Transactions on Industrial Informatics, IEEE Transactions on Vehicular Technology, IEEE Transactions on Consumer Electronics, IEEE Journal of Biomedical and Health Informatics (formerly IEEE Transactions on Information Technology in Biomedicine), IEEE Consumer Electronics Magazine, IEEE Access, IEEE Communications Magazine, Future Generation Computer Systems, Computers & Electrical Engineering, Computer Methods and Programs in Biomedicine, Computer Standards & Interfaces, Computer Networks, Expert Systems with Applications, and Journal of Network and Computer Applications. He was a recipient of the Institute Silver Medal from IIT Kharagpur. 
He is on the editorial board of KSII Transactions on Internet and Information Systems, International Journal of Internet Technology and Secured Transactions (Inderscience), and IET Communications, is a Guest Editor for Computers & Electrical Engineering (Elsevier) for the special issue on Big Data and IoT in e-Healthcare and for ICT Express (Elsevier) for the special issue on Blockchain Technologies and Applications for 5G Enabled IoT, and has served as a Program Committee Member in many international conferences. He also served as one of the Technical Program Committee Chairs of the International Congress on Blockchain and Applications (BLOCKCHAIN′19), Avila, Spain, June 2019.

    Vivekananda Bhat K received the Ph.D. degree in computer science and engineering from IIT Kharagpur, India and the M.Tech. degree in Systems Analysis and Computer Applications from National Institute of Technology Karnataka, Surathkal, India. He is currently an Associate Professor with the Department of Computer Science and Engineering, Manipal Institute of Technology, Manipal Academy of Higher Education, Manipal, India. His research interests include audio watermarking, digital watermarking, cryptography and information security. He has published several papers in reputed international journals and conferences.

    Athanasios V. Vasilakos is currently a Professor with the Lulea University of Technology, Sweden. He has served or is serving as an Editor for many technical journals, such as the IEEE Transactions on Network and Service Management, IEEE Transactions on Cloud Computing, IEEE Transactions on Information Forensics and Security, IEEE Transactions on Cybernetics, IEEE Transactions on Nanobioscience, IEEE Transactions on Information Technology in Biomedicine, IEEE Communications Magazine, ACM Transactions on Autonomous and Adaptive Systems, IEEE Journal on Selected Areas in Communications, etc. He has published over 700 technical research papers in leading journals and conferences in his areas of research. He is a Web of Science 2017 and 2018 Highly Cited Researcher. He is also General Chair of the European Alliance for Innovation (http://www.eai.eu).
