A Secure and Anonymous User Authentication Scheme for IoT-Enabled Smart Home Environments Using PUF

With the continuous development of Internet of Things (IoT) technology, research on smart home environments is being conducted by many researchers. In smart home environments, home users can remotely access and control a variety of home devices such as smart curtains, lights, and speakers placed throughout the house. Despite providing convenient services, including home monitoring, temperature management, and daily work assistance, smart homes can be vulnerable to malicious attacks because all messages are transmitted over insecure channels. Moreover, home devices can be a target for device capture attacks since they are placed in physically accessible locations. Therefore, a secure authentication and key agreement scheme is required to prevent such security problems. In 2021, Zou et al. proposed a two-factor-based authentication and key agreement scheme using elliptic curve cryptography (ECC) in smart home environments. They claimed that their scheme provides user anonymity and forward secrecy. However, we prove that their scheme suffers from forgery, ephemeral secret leakage, and session key disclosure attacks. To overcome the security vulnerabilities of Zou et al.’s scheme and provide home users with secure communication in smart home environments, we propose a secure user authentication scheme using physical unclonable functions (PUF). We utilize the Real-or-Random (ROR) model and Burrows-Abadi-Needham (BAN) logic to verify the session key security and mutual authentication of the proposed scheme, respectively. Furthermore, we use the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to simulate the resistance of our scheme to security attacks. After that, we analyze and compare the communication costs, computational consumption, and security functionalities along with related schemes.

• We prove that Zou et al.'s scheme is vulnerable to forgery, ephemeral secret leakage, and session key disclosure attacks. Then, we propose a secure and anonymous PUF-based authentication scheme to overcome the security vulnerabilities of Zou et al.'s scheme. We demonstrate that our scheme guarantees user anonymity and resistance to various security attacks.

• We conduct informal security analysis to verify the resistance to well-known security attacks and use the Real-or-Random (ROR) model [12] to prove the session key security in the proposed scheme.

The remainder of this paper is organized as follows. Section II describes existing related works. Section III introduces our scheme's system model, PUF, fuzzy extractor, notations, and threat model. In Section IV and Section V, we briefly review and analyze Zou et al.'s scheme. Then, we present the proposed scheme in Section VI. In Section VII, we evaluate security using BAN logic, the ROR model, and AVISPA simulation along with informal analysis. Section VIII demonstrates the security and efficiency performance of our scheme, and Section IX is the conclusion.

User authentication schemes for secure smart home environments have been proposed over the past few years. In 2015, Chen et al. [15] argued that user authentication is a significant security issue for WSNs because sensors are placed in locations where an adversary can easily access them. Therefore, they suggested a user authentication scheme using symmetric key cryptography to provide users with secure communication. However, Jung et al. [16] pointed out that their scheme cannot provide anonymity because Chen et al.'s scheme transmits the user identity in plaintext to the gateway. Thus, Jung et al. proposed an enhanced authentication and key agreement scheme that guarantees user anonymity. However, Xiang et al. [17] found that their scheme [16] does not provide perfect forward secrecy. In 2016, Kumar et al. [18] suggested an authentication scheme for the smart home using cipher block chaining message authentication code (CBC-MAC). Unfortunately,

In the same year, Shuai et al. [23] argued that an authentication scheme that stores a verification table in the gateway can be compromised through a verifier stolen attack by the adversary. Therefore, they proposed an ECC-adopted authentication scheme without a verification table. However, their schemes [21], [22], [23] have a high computational consumption because they used elliptic curve scalar multiplication. Furthermore, their schemes do not resist device capture attacks [10].

In smart home environments, device capture attack is a significant security issue since an adversary can compromise the entire system by physically accessing the home device. Therefore, PUF-adopted authentication schemes have been proposed to prevent this security vulnerability. In 2020, Liu et al. [24] suggested an authentication and key agreement scheme using PUF. They claim that their scheme prevents device capture attack because each sensor in their PUF-based scheme has a unique challenge-response pair. In 2021, Chen and Chen [25] proposed a PUF-based authentication and key agreement scheme. They asserted that MITM and tampering attacks are powerless against their scheme because the proposed scheme performs mutual authentication based on the secret key generated by the PUF response. Xia et al. [26] proposed a PUF-assisted group authentication scheme for the smart home that establishes a group session key between the home user and the home device by utilizing the Chinese remainder theorem. Although their schemes [24], [25], [26] resist device capture attack utilizing PUF, they do not con-

The notations used in our paper are listed in Table 1

• Under the CK model assumption, the adversary can obtain session-specific temporary information, such as a random nonce generated in each session. Thereafter, the adversary tries to compute the session key [31].

• The adversary can extract the sensitive information stored in the user smart card or the home device using a power analysis attack [32]. The adversary can use this information to attempt to generate a valid authentication message.

• The adversary can register as a legitimate user of the smart home. The adversary then attempts to impersonate another legitimate user with his/her secret credentials.

Before deploying the home device to the smart home, the home device registers to the gateway as shown in Figure 2.
If $A_2$ is not the same as $A_2$ stored in the smart card, the session is terminated and $SUM = SUM + 1$. Otherwise, the home user selects random numbers $a$, $r_1$, r + 1 and timestamp $T_u$. Then, the home user computes

When $V_3$ is valid, the gateway selects random nonce $r_2$ and timestamp $T_g$. After that, the gateway computes $k_{GS}$ and sends the message $\{M_2, V_2, T_g\}$ to the home device via public channels.

• LAV 3: Upon receiving the message from the gateway, the home device verifies the home device generates $r_3$ as a random nonce and $T_d$ as a timestamp. Then, the home device computes way verifies the timestamp's validation and cal-

• LAV 5: After receiving the message from the gateway, home user computes

In this phase, the home user changes their password. The home user inputs his/her $ID_i$, $PW_i$ into the smart card. Then, the home user computes

In this phase, the home device stores secret credentials in its memory by registering with the registration center. Messages in this phase are exchanged on a secure channel. As shown in Figure 5, the detailed process is as follows.

• HDR 1: The home device computes is the unique identity of the home device, and sends $\{SID_j, C_j, X_j\}$ to the registration center.

• HDR 2: The registration center checks whether $HDC_j = h(SID_j \| s)$ is stored in its database. If $HDC_j$ exists in the database, the registration center terminates this phase. Otherwise, the registration center stores it into the database and computes After that, the registration center stores

Home users register with the registration center to use home services by securely authenticating with home devices. All messages in this phase are transmitted on a secure channel and the detailed process is shown in Figure 6.
verifies that $V_i$ is equal to $V_i$. If the condition is satisfied, the home user generates random nonce $a_1$, and computes

• LAV 3: Upon receiving the message, the home device calculates $(a_1 \| a_2 \| C_j) = M_3 \oplus h(K_{HD_j} \| h(SID_j \| b))$, $V_2 = h(a_1 \| a_2 \| C_j \| RID_i)$. If $V_2$ is equal to $V_2$, the home device generates $a_3$. Then, the home device computes

Home users can change their passwords and update information stored in the smart card through this phase. The home user enters his/her $ID_i$, $PW_i$ into the smart card. Then, the smart card calculates
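The LAV 3 check on the home device (unmask M_3 to recover a_1, a_2 and C_j, then verify V_2), shown as an added Python example that is not the paper's code. It assumes SHA-256 for h, 8-byte nonces and a 16-byte C_j so the masked value matches the hash length, a hypothetical `gateway_build` sender inferred from the receiver equations, and RID_i passed in as a parameter; all sample values are constructed.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 8   # assumed byte length of a_1 and a_2
C_LEN = 16      # assumed byte length of C_j; total 32 bytes = SHA-256 output

def h(*parts: bytes) -> bytes:
    """h(x1 || x2 || ...), instantiated with SHA-256 (an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(x: bytes, y: bytes) -> bytes:
    if len(x) != len(y):
        raise ValueError("XOR operands must have equal length")
    return bytes(p ^ q for p, q in zip(x, y))

def gateway_build(a1, a2, c_j, k_hd, sid_j, b, rid_i):
    """Hypothetical sender side, inferred by inverting the device equations."""
    m3 = xor(a1 + a2 + c_j, h(k_hd, h(sid_j, b)))
    v2 = h(a1, a2, c_j, rid_i)
    return m3, v2

def device_verify(m3, v2, k_hd, sid_j, b, rid_i):
    """LAV 3: unmask M_3, recompute V_2, accept only on a match."""
    if len(m3) != 2 * NONCE_LEN + C_LEN:
        return None                       # malformed message, reject early
    plain = xor(m3, h(k_hd, h(sid_j, b)))
    a1 = plain[:NONCE_LEN]
    a2 = plain[NONCE_LEN:2 * NONCE_LEN]
    c_j = plain[2 * NONCE_LEN:]
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(h(a1, a2, c_j, rid_i), v2):
        return None
    return a1, a2, c_j

def demo():
    """Constructed sample values; returns (honest_ok, tampered, wrong_key)."""
    k_hd, b = secrets.token_bytes(32), secrets.token_bytes(16)
    sid_j, rid_i = b"SID-example-01", secrets.token_bytes(32)
    a1, a2 = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
    c_j = secrets.token_bytes(C_LEN)
    m3, v2 = gateway_build(a1, a2, c_j, k_hd, sid_j, b, rid_i)
    honest = device_verify(m3, v2, k_hd, sid_j, b, rid_i) == (a1, a2, c_j)
    flipped = bytes([m3[0] ^ 0x01]) + m3[1:]          # one bit changed in transit
    tampered = device_verify(flipped, v2, k_hd, sid_j, b, rid_i)
    wrong_key = device_verify(m3, v2, secrets.token_bytes(32), sid_j, b, rid_i)
    return honest, tampered, wrong_key

if __name__ == "__main__":
    print(demo())
```

Because M_3 is only XOR-masked, a changed bit passes straight through to the recovered nonce; the message is rejected solely because the recomputed V_2 no longer matches.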

In this section, we perform informal and formal security analysis to validate that the proposed scheme is resistant to security attacks. In our paper, we use the ROR model to evaluate the security of the session key. We utilize BAN logic to verify that our scheme performs mutual authentication correctly. Moreover, we run an AVISPA simulation to evaluate security under the DY threat model.

We demonstrate that the proposed scheme resists various security attacks, including smart card stolen, forgery, and ephemeral secret leakage attacks, and ensures perfect forward secrecy and mutual authentication using the informal analysis.

A can attempt to compute an authentication request message

In the login and verification phase of our scheme,

and key agreement schemes [33], [34], [35], [36].

HD ), Reveal(I a n x ), and Test(I a n x ). Each of these queries is described in Table 2.

(1), where $q_{puf}$, $q_{hash}$, and $q_{send}$ denote the number of times to perform PUF, hash, and send queries, respectively.

Additionally, $C^*$ and $S^*$ are Zipf's law parameters [37], and $l$ is the length of the secret key.

• Game 4: In this game, A conducts a CorruptSC(P a 1 U ) query to extract the $\{X_i, Y_i, V_i, A_1, A_2\}$ stored on the smart card. However, A cannot guess the correct session key using this information because the home user's secret credential is masked with a one-way hash function. Thus, we can derive the equation below, where $C^*$

$|Adv_{game_4} - Adv_{game_3}| \le \max\{C^* \cdot q_{send}^{S^*},$

After completing all previous games, A guesses bit c. Therefore, we obtain the following equation.

4) Freshness meaning rule (FR):
The goal of our scheme is to successfully share session keys between entities. We denote home users, gateways, and home devices as US, GW, and HD, respectively. The detailed goal is as follows.

The idealized forms of authentication request and response messages exchanged in our scheme are as follows.

The following list gives the assumptions for the BAN logic analysis of our scheme.

Step 10: We can obtain $S_{10}$ from $Msg_3$.

As a result, we prove that our scheme provides correct mutual authentication because our scheme achieves all the goals in BAN logic.

we compare the security functionality of our scheme with related authentication schemes [10], [19], [21], [22], [23], [24], [25], [26].

We evaluate the computation cost to prove the computational efficiency of the proposed authentication scheme. We denote the consumption time of one-way hash function, fuzzy extractor, elliptic curve scalar multiplication, PUF, and symmetric cryptography operation as $T_h$, $T_f$, $T_{mul}$, $T_p$ and $T_s$, respectively. According to [26], each time is defined as $T_h = 0.0026$ ms, $T_f = 1.989$ ms, $T_{mul} = 1.989$ ms, $T_p = 0.12$ ms and $T_s = 0.00325$ ms.

[19] authentication scheme, which uses only the one-way hash function. However, their scheme is vulnerable to offline-password guessing and insider attacks. We can achieve better security characteristics by using PUF and fuzzy extractor, and our scheme is more efficient than

Table 5. Our scheme has a higher communication cost compared to [22]. However, our scheme is more efficient than other related schemes. Therefore, our scheme is sufficiently efficient in smart home environments.

To evaluate the security functionality of the proposed authentication scheme, we compare the security characteristics between the related schemes and ours in Table 6.

In this paper, we proved that Zou et al.'s authentication and key agreement scheme proposed in smart home environments using IoT is vulnerable to forgery, ephemeral secret leakage, and session key disclosure attacks and does not guarantee mutual authentication. We proposed an improved authentication scheme to provide secure communication and achieve various security functions in smart home systems. Furthermore, our scheme utilized PUF and fuzzy extractors to overcome device capture attack on home devices. We demonstrated that our scheme is secure from various security vulnerabilities by performing informal security analysis and AVISPA simulation. In addition, of the proposed scheme was analyzed by comparing the previously proposed authentication scheme with communication cost, computational consumption, and security properties. In the future, we will estimate the packet delay rate, end-to-end delay, and throughput of the proposed scheme by additional simulations to evaluate the efficiency.
Then, we will improve the proposed scheme to design a