Security Enhancement on a Lightweight Authentication Scheme With Anonymity Fog Computing Architecture

The multi-level, heterogeneous and third-party attributes of fog computing (FC) have caused great concern in the communication security of next-generation IoT systems. This paper proposes a secure authentication scheme for dynamic key generation capability, which can enhance the security of the entire heterogeneous network without the constraints on device types, attributes and communication protocols. The communication devices exchange IDs and random numbers for registration, then generate anonymous information. During the authentication process, the cloud device (e.g., the server) uses the pseudonym information to match the recorded random numbers. Both FC devices utilize the protocol with such random numbers to generate session keys and deliver updated random numbers. Comprehensive security and performance analysis shows that the scheme can meet the security requirements of the FC architecture with lower overhead.


I. INTRODUCTION
With the popularity of the Internet of things (IoT), more and more information needs to be shared by wireless communication. However, due to the exposed nature of wireless signals, how to authenticate devices and ensure information security in wireless communication becomes a huge challenge. Especially in IoT systems, devices often have low computational capacity and low power consumption, which makes it necessary to reduce the cost of authentication and encryption while ensuring information security. Because the data transmitted by IoT devices often involves certain privacy needs, we also need to prevent third parties from knowing which device sends what kind of information. In addition, the many wireless communication protocols used in IoT have different transmission speeds and connection modes, such as Z-Wave, Wi-Fi, Zigbee, 5G, etc. [1]. Therefore, designing a universal, deployable dynamic key generation and device authentication method for various wireless protocols is essential.
The associate editor coordinating the review of this manuscript and approving it for publication was Parul Garg.
VOLUME 8, 2020 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
In order to handle multi-source heterogeneous data across different devices more easily, avoid heavy bandwidth load and resource waste, improve real-time service, and address security and privacy issues, fog computing (FC) has been proposed. Authentication is an important issue for the security of FC since services are offered to massive-scale end users by front fog nodes [2]. FC usually includes multiple authentication entities, such as edge devices (sensors, mobile phones, etc.), fog devices (gateways, base stations, small servers and other devices with computing, storage, and network connectivity capabilities), and cloud data centers. In FC, devices in different layers need to successively authenticate and transmit information from edge to cloud according to their needs. At the same time, fog layer devices need to authenticate and exchange data with each other and share the stored data and calculation results [3]. Therefore, we need a lightweight, anonymous and secure authentication method for IoT devices, which needs to meet the different needs of FC, e.g., mutual authentication between fog devices, session key update, group key generation and multi-level fog device extension. To offer reliable services and protect data privacy, a variety of security protocols should be implemented on fog nodes [4]. Generally speaking, different authentication protocols need to transmit sensitive data using some encryption method. It is also a challenge to adopt a more effective encryption method and update the key. Traditional encryption methods are generally divided into symmetric encryption and asymmetric encryption. Asymmetric encryption is not suitable for IoT devices with limited capability due to its high complexity, while symmetric encryption is easy to deploy and has high encryption and decryption efficiency.
However, in symmetric encryption, both sides of communication share the same pair of keys. Once the key is known by the third party, or the third party just analyzes the network traffic, the communication content will be inferred. Therefore, the long-term use of a fixed session key is insecure among fog devices.
In order to update the key dynamically, generating the symmetric key from physical layer information in wireless communication, i.e. channel state information (CSI) [5]-[8], has attracted attention. However, the premise of such works is that the CSI or received signal strength (RSS) changes constantly. Once the environment is static, the CSI/RSS will remain unchanged for a long time and the key cannot be updated. In addition, this kind of work also needs to assume that the antenna of the eavesdropper is not too close to the legitimate device, because when the antenna of the eavesdropper is connected with the legitimate device, the adversary can also eavesdrop the same CSI/RSS and obtain the key generated between the legitimate devices. This kind of work can only be used to generate a consistent key after two devices are authenticated successfully; it does not address how they authenticate each other. Some other works [9]-[14] use a protocol to authenticate and dynamically update the key. However, these works can only be applied to authentication or key update between a smart device and a gateway. The application scenario is single and cannot be extended to authentication between different devices in FC. Moreover, these works don't pay attention to anonymity and the authentication cost [9], [12], [13].
In this paper, we propose a lightweight scalable authentication method with anonymity for fog computing architecture. This model will face the following challenges:
1) It can be used for the devices in the entire FC architecture.
2) It is lightweight and has lower energy consumption to fit the characteristics of most IoT nodes.
3) It can ensure the dynamic session key generation and anonymity to provide higher security.
In response to the above challenges, our method takes the advantages of anonymous authentication protocol and physical layer dynamic key generation to meet the authentication and encryption requirements in the FC architecture. This method uses symmetric encryption to encrypt some sensitive data and uses the hash result of the combination of some random numbers and dynamic secret key generated by both sides as our session key. The pseudonym is updated in each time of authentication to ensure the anonymity. The specific contributions can be summarized as follows:
1) We design a lightweight anonymous authentication protocol for multi-level devices under the FC architecture. The protocol can dynamically update the session key adopted by both sides while ensuring anonymous authentication of the devices.
2) We propose a group key management protocol. The server can share the key to the desired communication fog nodes with a specific attribute, and the private key can be generated and updated between the two fog nodes without leaking keys to the servers.
3) We present comprehensive security and performance analysis of the proposed scheme. The analysis results show that the proposed protocols can prevent many attacks and ensure data security between wireless devices in the FC architecture with lower overhead.
The remainder of this paper is organized as follows. We provide some related works in Section II and present the detailed system model in Section III. Section IV and Section V describe the design of anonymous authentication protocol and the management scheme of group secret key respectively. Security analysis and protocol evaluation are illustrated in Section VI and Section VII. We conclude the whole paper in Section VIII.

A. DEVICES AUTHENTICATION IN IoT
There are some works [15], [16] that use face or other biometric features to ensure device security. However, computing and communication overhead will increase linearly with the expansion of the database. Some works such as [17], [18] consider solving this problem by cloud computing. Reference [19] analyzes and summarizes the security and privacy problems faced by this kind of work under the fog computing model, and proposes authentication, data encryption, and data integrity checking schemes with less communication cost. Such work requires human participation.
Some works use smart cards to achieve anonymous authentication [20], [21]. However, introducing a smart card limits the flexibility of use.
Reference [22] proposes a new resource-efficient physical unclonable function (PUF) based authentication scheme to protect the security and privacy of the confidential information in edge devices. However, this method needs some modification to the hardware of IoT devices.
The protocol proposed in [23] forces all fog nodes to store certain credential information of all the users in the trust domain, which costs large storage in each fog node. All the real identity of fog users and nodes are publicly transmitted, which makes the system not anonymous.
Subsequently, the elliptic curve cryptography (ECC) and the asymmetric encryption are exploited by an anonymous mutual authentication scheme for fog nodes in [24]. Although this work claims that confidential communication is guaranteed and no computation is needed in the authentication phase, it does not take message integrity or edge compromise resilience into account [25]. Due to the use of asymmetric encryption, the overhead may be high in some stages [26]. Using public-key infrastructure is not suitable due to the resource constraints of IoT devices [3].
In order to overcome the shortcomings of using the asymmetric encryption method in [24], [27] proposes a method that uses only symmetric encryption and the hash-based Message Authentication Code (HMAC) to authenticate the devices. However, this work still uses a long-term master secret to generate new session keys.
Reference [26] proposes a method that uses the polynomial formed by the combination of the identity of fog node and fog user as the key, which exhibits a good performance in terms of communication, computation, and storage space for IoT devices [28]. However, they don't provide a complete authentication protocol and don't consider communication links between IoT devices.
The works in [23], [24], [26], [27] are all inconvenient for updating a new session key, and all need a central authentication server in the cloud layer to distribute the session key, which makes registering a new device inconvenient and lets the server know the transmitted data. Different from these works, our method has no long-term master key, and updates the new session key conveniently, which makes the communication more secure.
After pointing out that many works [9], [13], [29] have high overhead and cannot guarantee anonymity and unlinkability, [11] proposes an anonymous lightweight authentication protocol for smart home devices. Although this work claims to be anonymous, the protocol is not anonymous to malicious devices connected to the same gateway. In addition, if some secret information, such as TK, has been guessed, all the secret information will be cracked.

B. DYNAMIC KEY GENERATION
In order to update the symmetric key dynamically, the scheme of dynamic secret key generation using CSI and RSS can be used in many wireless communications. The principle of key generation based on physical layer information of wireless channel is channel reciprocity, temporal variation and spatial decorrelation [30]. Such random change of CSI can give us a random source for key generation. Spatial decorrelation means that if the distance between an eavesdropper (e.g., Eve) and legitimate device is greater than λ/2 (λ is the wavelength of the wireless signal), Eve cannot obtain the same CSI between Alice and Bob, so Eve cannot obtain the same key between them. There are many related works in many wireless bands, such as IEEE 802.11 [31], [32], IEEE 802.15.4 [33], Bluetooth [34], UWB [35], LTE [7], 5G [36], [37] etc.
Using these schemes, two communication parties can get similar CSI/RSS, and then generate the same key. However, these works often focus on how to use channel state to get random and consistent keys but ignore the need for authentication between devices. Even more, once the channel state remains stable, the key will not be updated in real time.
Our protocol is not only anonymous and lightweight, but also can be applied to the authentication scenarios among sensors and gateways. It can also be extended to the FC architecture for device authentication and key update.

III. SYSTEM MODEL

A. SYSTEM ARCHITECTURE
We consider an architecture of FC, which contains different levels of wireless devices, as shown in Figure 1.
The server is connected with the authentication server, which stores the identity and key information of all subordinate devices (e.g. gateways which communicate with server directly) in the region. All its subordinate devices need to be authenticated to obtain the session key before communicating with each other. Gateway A, B and C are fog layer devices, which exchange information with other devices (e.g., server, gateway, sensor) through wireless signals (e.g., Wi-Fi, Zigbee, etc.). Gateway A is the peer device of Gateway B. Because the distance from Gateway C to Server is too far, Gateway C can be the subordinate device of Gateway B. A1, A2 and C2 are edge devices, which only authenticate and exchange information with their superior device A, B and C.
Note that our protocol can be extended to a multiple level architecture. For example, multiple gateways can be connected under Gateway C, so that the superior gateway is equivalent to a small authentication server.

B. THREAT MODEL
We consider the Dolev-Yao attack model [38], which is widely used in the research of security protocols. This model assumes that the attackers have the following capabilities:
1) Eavesdrop and intercept any message passing through the network.
2) Store the intercepted messages and the messages he constructs.
3) Send the intercepted messages and the messages he constructs to others.
4) Participate in the protocol as a legitimate user.
In order to realize the above assumptions of the Dolev-Yao attack model, the eavesdropper can be placed in any range to carry out passive attacks and active attacks, to eavesdrop, intercept, change, and replay the message. In addition, the attacker may pretend to be a legitimate device to deduce the information of other legitimate devices.
We assume that the Server is tamper proof, and will not cooperate with other devices to mount active attacks. The hash functions, symmetric encryption functions, and protocols that all devices use are publicly known.
As shown in Figure 1, we consider the Server to be trusted but curious. Therefore, under some privacy requirements, Gateway A and Gateway B still do not want the transmitted data known by the Server when they communicate. However, the key of Gateway A and Gateway B is distributed by Server. So, they also need a mechanism to avoid the Server knowing their session key.

IV. ANONYMOUS AUTHENTICATION PROTOCOL
In this section, we will introduce the details of the protocol. It is mainly divided into the following parts: registration stage, authentication stage, group key distribution and private key establishment stage. In the registration phase, authentication information is exchanged between the subordinate device and the superior device. In the authentication phase, the subordinate device sends a request to the superior device, and the two sides use hash function to authenticate anonymously and generate session key. In the phase of group key distribution and private key establishment, the Gateways will obtain the consistent key through the server, and initialize the private key by analyzing the channel state. All edge nodes can also register on the Gateway in this way.
The notations are listed in Table 1 and the functions are listed in Table 2.

A. REGISTRATION STAGE
In this stage, the two communicating parties securely exchange identity information and session-key-related information (e.g., random numbers). The detailed process is shown in Figure 2. We assume that the identities of Gateway A and Server are $id_A$ and $id_S$, respectively. The stage includes the following steps:
Step 1: Gateway A generates a random number $R_A$ and sends $id_A$ and $R_A$ to Server.
Step 2: After receiving the message from Gateway A, Server generates a random number $R_S$ and sends $id_S$ and $R_S$ to Gateway A. Gateway A and the Server exchange the identity and random number through a secure channel. The dynamic key generation method using CSI described above is used to generate the dynamic key of both parties while they are transmitting the messages. The first $l$ bits of the dynamic key are $key_{dy}$, and $n$ is the number of times $key_{dy}$ has been reused.
Step 3: Gateway A and Server store the mutual information $id_S$, $R_S$, $id_A$, $R_A$, $key_{dy}$, $n$, and generate $CID_A = h(id_A \oplus key_{dy} \oplus n)$ for later identification.
To make $CID_A$ change in time when $key_{dy}$ can't be updated, we use $n$ to change $CID_A$. Due to the use of the hash function, even when $n$ changes a little, the hash result $CID_A$ will change a lot, so it cannot be tracked by the adversary. Thus, even if the CSI remains stable for a long time, $CID_A$ can be updated in time.
The secure channel can be any channel other than the wireless signal that can transmit secret information, such as using an encrypted wired network to register devices remotely, or manually saving the information on two devices in different places. In a word, it is a secure way to transmit information to different devices.

B. AUTHENTICATION STAGE
Before the communication between Gateway A and Server, they need to authenticate each other using their stored random numbers and generate the session key. The authentication process mainly includes four steps as shown in Figure 3.
Step 1: Gateway A calculates the variables as shown in Step 1 in Figure 3. $CID_A$ is the pseudonym of Gateway A, which is used to hide the real identity information while authenticating on Server. $p$ is some attribute information of Gateway A. The devices with a specific attribute can share the session key. $C_1$ is used to transmit some information encrypted with $TK$ to Server. The above variables are combined with the Exclusive OR symbol $\oplus$ to prevent the adversary from inferring the contents of the hash or ciphertext by exhaustive attack. $T_1$ is a timestamp.
Step 2: After receiving the timestamp $T_1$, Server compares the difference between $T_1$ and the current timestamp $T_2$, to determine whether there is an intermediary tampering with the information. Then Server searches for the saved variable $CID_A$ in the database, and extracts the corresponding variables for the next calculation and verification. $SK$ is used as the new session key. When updating $key_{dy}$, if the number of key bits generated dynamically from the channel state is enough, we let $key_{dy}$ be the next part of the dynamic key, and let $n = 0$; if not enough, $key_{dy}$ is kept unchanged and we let $n = n + 1$, which counts the times of reuse.
Step 3: After receiving the returned message, Gateway A performs the calculation shown on the flowchart. Among them, the calculated results of $V_1$ can be used to verify the identity of Server, judge whether it has received the accurate $id_A$ and $R_A$, and whether Gateway A received the accurate $R_S$ and $key_{dy}$. After confirming the identity and variables, Gateway A generates and updates all variables, and confirms the information with Server.
Step 4: After confirmation, the Server updates all variables and the pseudonym of Gateway A. Note that, in order to avoid a desynchronization attack when confirming the session key, Gateway A and Server should store the former variables before they can communicate with each other using the new session key.
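The registration and authentication steps above fix the pseudonym bookkeeping: CID_A = h(id_A ⊕ key_dy ⊕ n), the key_dy / n update rule of Step 2, the timestamp check, and the retention of former variables in Step 4. The Python model below is an added example, not the authors' code; SHA-256 for h, the 16-byte operand width, the 5-second window and every class and function name are assumptions, and the TK, C_1 and V_1 computations defined in Figure 3 are left out.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

L_BYTES = 16      # assumed width of id, key_dy and n (the page leaves l open)
MAX_SKEW = 5.0    # assumed freshness window T, in seconds


def xor_fixed(*parts: bytes) -> bytes:
    """XOR byte strings that are all exactly L_BYTES long."""
    out = bytearray(L_BYTES)
    for part in parts:
        if len(part) != L_BYTES:
            raise ValueError("every operand must be L_BYTES long")
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def pseudonym(dev_id: bytes, key_dy: bytes, n: int) -> bytes:
    """CID = h(id XOR key_dy XOR n); SHA-256 stands in for h (assumption)."""
    n_bytes = n.to_bytes(L_BYTES, "big")
    return hashlib.sha256(xor_fixed(dev_id, key_dy, n_bytes)).digest()


@dataclass
class Record:
    """State both sides keep after registration (random numbers omitted)."""
    dev_id: bytes
    key_dy: bytes
    n: int = 0
    prev_cid: Optional[bytes] = None   # former pseudonym, kept for recovery

    @property
    def cid(self) -> bytes:
        return pseudonym(self.dev_id, self.key_dy, self.n)

    def advance(self, fresh_key: Optional[bytes] = None) -> None:
        """Step 2 rule: new key bits reset n, a static channel increments n."""
        if fresh_key is not None:
            if len(fresh_key) != L_BYTES:
                raise ValueError("fresh key must be L_BYTES long")
            self.key_dy, self.n = fresh_key, 0
        else:
            self.n += 1


class Server:
    def __init__(self) -> None:
        self.index = {}   # current and former CID -> Record

    def register(self, dev_id: bytes, key_dy: bytes) -> bytes:
        rec = Record(dev_id, key_dy)
        self.index[rec.cid] = rec
        return rec.cid

    def authenticate(self, cid: bytes, t1: float, now: float,
                     fresh_key: Optional[bytes] = None
                     ) -> Tuple[Optional[bytes], str]:
        """Return (device id or None, status) for one authentication request."""
        if now - t1 > MAX_SKEW:
            return None, "stale"            # T2 - T1 > T: treat as replay
        rec = self.index.get(cid)
        if rec is None:
            return None, "unknown"
        if cid != rec.cid:
            # The device still uses the former pseudonym: its update was lost.
            # Recognise it without rotating again so it can catch up.
            return rec.dev_id, "resync"
        if rec.prev_cid is not None:
            self.index.pop(rec.prev_cid, None)   # drop the older generation
        rec.prev_cid = cid
        rec.advance(fresh_key)
        self.index[rec.cid] = rec
        return rec.dev_id, "ok"


if __name__ == "__main__":
    # Constructed sample values; a real key_dy comes from channel measurements.
    server = Server()
    key = secrets.token_bytes(L_BYTES)
    gateway = Record(b"gateway-A-000001", key)
    cid = server.register(gateway.dev_id, key)
    print(server.authenticate(cid, t1=100.0, now=101.0))   # static channel
    gateway.advance()
    print(gateway.n, gateway.cid != cid)
```
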

C. MULTI-LEVEL DEVICE EXTENSION
Our protocol can be extended to more levels in the FC architecture. Each extension only needs to use the above protocol to register the new device on other nodes. For example, let Gateway C register on Gateway B and then let Gateway B be the server of Gateway C.

V. SHARING KEY AMONG MULTIPLE FC NODES
In most cases, FC nodes need to share a secret key with each other. However, because the session keys are distributed by the server, a method is needed that lets the FC nodes authenticate each other while ensuring that the key shared among them cannot be leaked to the server. In this section, we will introduce our method.

A. GROUP SECRET KEY GENERATION
If Gateway A wants to share the key with the devices with the same attribute, during the authentication process, make the variable $p$ represent some attribute information of Gateway A, such as can/cannot share the key with other nodes. The Server can identify this variable to determine which devices to share the secret key with it.
When Server wants Gateway A and Gateway B to share the same key, the generated random number $R_G$ can be modified to make the $SK$ of Gateway A and Gateway B consistent.

B. PEER PRIVATE KEY GENERATION
Because all authentication and encryption information of Gateway A and Gateway B comes from Server, Server can know the communication content of both sides. In some cases with privacy requirements, fog devices do not want the superior equipment to know the results of computing, because the superior equipment is trusted but curious. We need an encryption method to enable Gateway A and Gateway B to obtain a secret key that cannot be known by the superior device. At this time, we use the dynamic key generation method based on channel state information mentioned in Section II to coordinate the private key.
As shown in Figure 4, the two parties should carry out the following steps respectively:
Step 1: Gateway A uses $CID_A$ to transmit pseudonym $cid_A$ and generates a random number $R_A$. It uses $C_1$ to transmit the encrypted variables to Gateway B.
Step 2: After calculating $cid_A$ and $R_A$, Gateway B uses $CID_B$ to transmit pseudonym $cid_B$ and generates a random number $R_B$. It uses $V_1$ to transmit the encrypted variables to Gateway A.
Step 3: After Gateway A obtains the information of Gateway B and authenticates it successfully, it updates the variables, and sends a dynamic key generation request to Gateway B. It uses the results of channel state information measurement during the communication between the two parties to generate a dynamic key $key_{dy}$. In this way, the two devices of the same level in the FC architecture can generate mutual authentication information, and use the previous authentication process mentioned in the authentication stage to authenticate and update the key.
After authenticating and updating the key, these two devices can either authenticate each other in the way with no central server, or make the device with high performance act as the server in a certain way.

VI. SECURITY ANALYSIS
In this section, we will discuss the security of our protocol. Some security properties compared with other works are listed in Table 3. The complete analysis of the prevention of attacks is given in the subsections.
In Table 3, the anonymity of [11] is incomplete (use Inc instead), because the devices under the same gateway will know the identity of each other. Data integrity means that there is integrity verification of sensitive variables in the process of authentication. Fog layer authentication means that the gateways in the fog layer can authenticate each other. The reason that [24] is not lightweight is that it uses asymmetric encryption method to transmit information.

A. ANONYMITY
Definition: Anonymity means that no one can know the real identity of the device through the transmitted information except trusted devices.
Theorem: Our scheme guarantees the anonymity of both sides of communication.
Proof: We suppose that the adversary wants to eavesdrop all the transmitted information to get the real identity of the legitimate device. However, the adversary can only know pseudonym $CID_A = h(id_A \oplus key_{dy} \oplus n)$. This information is the hash result of the Exclusive OR result of dynamic key $key_{dy}$, reuse times $n$ and real identity $id_A$, which will be changed in each authentication, and there is no regular pattern. Only the server and the device itself can obtain the identity and variable information related to the device through the pseudonym. Although the messages $C_1$ and $V_1$ contain the identity $id_S$, they are encrypted using a symmetric key which can be updated after authentication, so the adversary cannot get $id_S$.

B. UNLINKABILITY
Definition: Unlinkability means that it is impossible for an adversary to associate two authentication actions of the same device.
Theorem: Our scheme guarantees the unlinkability of messages from the same device.
Proof: In our protocol, the messages publicly transmitted are different every time, and the messages are encrypted or hashed information, between which there is no regularity, so the adversary cannot know the exact meaning and relationship between former information.

C. MUTUAL AUTHENTICATION
Definition: Mutual authentication is a security process in which both devices authenticate each other's identities before actual communication occurs.
Theorem: Our scheme guarantees the mutual authentication of both the two devices which need to authenticate each other according to Lemma 1 and Lemma 2.
Lemma 1: Server can authenticate Gateway A. Proof: $CID_A$ is the hash result of the combination of $id_A$, $key_{dy}$ and $n$, which is only known to the Server and Gateway A. After receiving $CID_A$, Server will check $CID_A$ in the database to get the $id_A$, $R_A$, $key_{dy}$, $n$, $id_S$ corresponding to it. Server will use this information to compute $TK$. If Gateway A also has this information, $C_1$ will be encrypted using $TK$, which can be decrypted by Server. After decrypting, if Server gets the plaintext, Server can successfully authenticate Gateway A.
Lemma 2: Gateway A can authenticate Server. Proof: After authentication on Gateway A, Server will send $V_1$ to Gateway A, which is encrypted with secret key $TK$. If Server is the trusted device, $V_1$ can be decrypted by Gateway A using $TK$, thus Gateway A can authenticate Server. Furthermore, Gateway A can also check $key_{dy} \oplus R_S \oplus R_S$ and $R_S \oplus R_A$ in $V_1$ to make sure that Server has the same information.

D. DATA INTEGRITY
Definition: Data integrity refers to the accuracy and reliability of the transmitted data, which is confirmed by another method.
Theorem: Our scheme guarantees the integrity of transmitted data.
Proof: After receiving $C_1$, Server can check the integrity of some information, such as $R_A$, $key_{dy}$, $T_1$, through the analysis of $CID_A$, $TK$, $C_1$. If this information is not intact, the result of $CID_A$, $TK$, $C_1$ will be different. After receiving $V_1$ from Server, Gateway A can check whether it received accurate $R_S$ and Server received accurate $R_A$ using $key_{dy} \oplus R_S \oplus R_S$ and $R_S \oplus R_A$ encrypted in $V_1$.

E. RESISTANCE TO REPLAY ATTACK
Definition: Replay attack means that the adversary pretends to be a legitimate device by replaying the messages sent by the legitimate device.
Theorem: Our scheme guarantees the resistance to replay attack.
Proof: In our protocol, all messages change between authentications, and some key messages contain a timestamp. In the protocol of the authentication stage, suppose that when Gateway A sends an authentication request, the adversary blocks and eavesdrops $CID_A$, $C_1$ and $T_1$, and wants to replay these messages at another time to pretend to be a legitimate user. The adversary cannot modify the timestamp in $C_1$. Even if the server receives $CID_A$, $T_2 - T_1 > T$ will be found after decrypting $C_1$. Similarly, when the server returns $V_1$, the adversary cannot modify the timestamp in $V_1$. Even if the adversary cracked $C_1$ and modified the timestamp, sent the authentication request to the server and got the reply $V_1$ from the server, the session key could not be established, because some variables are covered with XOR, and the adversary doesn't know some variables, such as $R_A$ and $R_S$.

F. RESISTANCE TO EXHAUSTIVE ATTACK
Definition: Exhaustive attack means that the adversary may try to obtain the plaintext by exhausting the keys and hash results using a very high performance computer. When the adversary gets the secret information, he may easily calculate the key used in the next authentication.
Theorem: Our scheme guarantees the resistance to exhaustive attack.
Proof: In our protocol, all sensitive information in messages, such as $id_A$, $R_S$, $R_A$, is XORed with the known information. Even if the adversary gets the plaintext, they cannot know the exact values of these variables, and thus cannot get the key used in the next authentication.

G. RESISTANCE TO DESYNCHRONIZATION ATTACK
Definition: Desynchronization attack means that the adversary interferes with the whole authentication process by blocking messages in the authentication process, and makes the legitimate users unable to authenticate in the future.
Theorem: Our scheme guarantees the resistance to desynchronization attack.
Proof: In previous systems, if the legitimate device and server cannot synchronize the pseudonym, they must use the real identity to authenticate or re-register, which will expose the real identity. However, in our protocol, on the one hand, we keep the previous variables from before the authentication in order to recover after an authentication failure. On the other hand, even if the authentication fails and the pseudonym cannot be synchronized, we can use the dynamically generated key $key_{dy}$ to generate the pseudonym $CID_A$ to hide the real identity. Since the dynamically generated key can be generated by both parties at the same time, even if the synchronization of the pseudonym fails, both parties can generate another dynamic key to generate a new pseudonym. The server can know which device the pseudonym belongs to by hashing each real identity with $key_{dy}$.

H. RESISTANCE TO IMPERSONATION ATTACK
Definition: Impersonation attack means that the adversary communicates with the server by pretending to be a legitimate user, such as Gateway A, and forging authentication messages.
Theorem: Our scheme guarantees the resistance to impersonation attack.
Proof: In this case, even if the adversary knows the real identity $id_A$ of Gateway A, and generates a dynamic key $key_{dy}$ with the server to obtain $CID_A$, the adversary still does not know the random numbers $R_A$ and $R_S$ used in the previous communication, and cannot derive the next session key.

I. FORWARD SECRECY
Definition: Forward secrecy means that the elements used to generate the key are changed every time, and there is no regular pattern between keys; if one key is cracked, the security of other keys will not be affected.
Theorem: Our scheme guarantees the forward secrecy. Proof: In our protocol, when Gateway A and Server authenticate, random numbers $R_A$ and $R_S$ will be generated independently. The new session key $SK$ only uses the hash result of the combination of $R_S$, $R_A$, $R_S$ and dynamic key $key_{dy}$, which has no relation with the previous random number. Even if $SK$ is cracked, it is impossible to infer any information of the random number that constitutes the key.
The key $TK$ used in the authentication process is the result of exclusive or. Since $R_A$ is not used to generate the last round of session key $SK$, the adversary cannot know $TK$.

J. RESISTANCE TO DEVICE COMPROMISED THREAT
Definition: Device compromised threat means that the adversary can approach the device for physical attack to get secret information.
Theorem: Our scheme guarantees the resistance to device compromised threat.
Proof: We assume that the adversary can compromise the gateway and connect its own antenna to the antenna of the gateway to obtain the dynamic key key dy generated each time. This method can break previous schemes that use only channel state information to generate keys dynamically. However, in our protocol, because the random numbers R A and R S are generated independently by both parties, the adversary cannot know what the session key is. In addition, because of the reuse number n, the adversary cannot know which part of the dynamic key is used.

K. SECURITY VERIFICATION USING AVISPA
We adopt an industrial-strength security protocol analysis toolset, AVISPA [39], with HLPSL (the High Level Protocol Specification Language) to verify the security of the proposed protocols.
After the HLPSL script is transformed into IF (Intermediate Format) using the translator HLPSL2IF, our goals and requests are as shown in Figure 5, Figure 6 and Figure 7.
The variables Ra2, Rs2, IDa, Dy1, Dy2 in the program correspond to R A, R S, id A, key dy, key dy in the protocol.
Finally, our proposed protocol is proved safe in the OFMC backend and the CL-AtSe backend.

L. BAN LOGICAL PROOF
We can use BAN logic [40] to prove the security of our protocol. In our protocol, we expect that Gateway A and Server can authenticate each other and communicate with the same session key TK. We can verify that the newly generated session key SK and the random numbers R A, R S are fresh. In the BAN logical proof, we can prove the following goals. The details of the BAN logical proof can be found in the appendix.

VII. PERFORMANCE ANALYSIS
In this section, we analyze the computation and traffic overhead of our protocol (ignoring the overhead of peer private key generation). In addition, the overhead of dynamic key generation using channel state information is not discussed in this work. We use the Advanced Encryption Standard (AES) symmetric encryption algorithm for encryption. AES is currently the standard block cipher algorithm and has replaced the Data Encryption Standard (DES). It accepts a block size of 128 bits, and the key size can be 128, 192, or 256 bits [41]. We use SHA-1 [42] as the hash function, which generates a 160-bit output. The following statistics only consider the authentication stage.

A. COMPUTATION COST
First, we consider the computation cost of the authentication stage. Table 4 summarizes the calculation amount of our work and other works. Each number in the table is the number of times the corresponding function is computed. Each column represents one device in an authentication.
In our protocol, the Gateway performs two hash operations, one to calculate CID A and another to calculate SK; the same holds for the Server. There are 13 XOR operations for the Gateway and 12 for the Server in the authentication stage. Although our scheme uses more XOR operations than the others, XOR operations are very fast and their calculation time can be ignored.
If we do not consider the process of dynamic key generation using channel state information, the amount of computation required by our method is almost the same as [11]. Therefore, the protocol is lightweight on both sides of the authentication.
It is worth noting that the device side of [11] is equivalent to our gateway, that is, the lower level device; the gateway side of [11] is equivalent to our server, that is, the superior level device. The above overhead does not include the process of dynamic key generation using channel state information. The dynamic key generation is usually low cost, as it only requires non-complex operations with only a change to the drivers [5].

B. COMMUNICATION COST
Next, we count the cost of communication in the authentication stage. Here we compare the overhead by counting the types of communication data, not the binary bits. For example, when a message in a communication is generated by hash functions, the length of the message is one hash; if the message is encrypted by AES, the length of the message is one AES length. We ignore the detailed length because it depends on the settings. The amount of data sent by the subordinate device to the superior device during certification is shown in Table 6.
In our protocol, the subordinate device needs to send CID A (a hash result), C 1 (a message encrypted with a symmetric key) and a timestamp T 1.
The amount of data received by the superior device from the subordinate device is shown in Table 7. It can be seen that we need very little traffic in the authentication process.
We also calculate the total communication cost. Since these works do not specify the length of each variable, we need to make some assumptions. We assume that numbers and Hash, MAC and HMAC results are each 16 bytes long. Identities and timestamps are 4 bytes long. The length of encrypted data is the same as the length of decrypted data. The length of other, shorter variables is 1 byte. The total communication costs of the different works are shown in Figure 8. This overhead also does not include the process of dynamic key generation using channel state information, because the channel state can be measured throughout the communication without generating additional traffic. The consistency check after sampling in dynamic key generation does require some communication, which mainly depends on the length of the check code.

C. STORAGE COST
We also compare our storage cost with other works, as shown in Table 5. We group keys and random numbers into one category, because the length of this kind of information is not clearly indicated in other works, and their lengths are relatively similar.
The numbers in Table 5 are the numbers of items of each kind of information saved in the devices after one device registers on another device. We can see that there is little difference in storage requirements between the different works.

VIII. CONCLUSION
In this paper, we propose a protocol that can authenticate devices and dynamically generate session keys in the FC architecture. Our protocol uses hashing, symmetric keys and a physical-layer dynamic key generation technique to achieve that goal. It is not only anonymous and lightweight, but can also be applied to each device in the whole FC architecture, so that the edge nodes, fog nodes and cloud server authenticate each other and data transmission becomes more secure. We also analyze the performance and security of our method, which proves that our method is lightweight and secure.

APPENDIX BAN LOGICAL PROOF
In this section, we use BAN logic [40] to prove the security of our protocol. BAN logic is widely used for reasoning about and proving the security of protocols. It uses existing rules and logic symbols to reason about and prove the security goals. The process is mainly divided into the following four steps: (1) transforming the informal protocol into logical symbols for representation; (2) finding out the initial assumptions in the protocol and converting them into logical symbols for representation; (3) listing the security objectives to be proved; (4) using the specific process, initial assumptions and existing rules of the protocol, proving whether the protocol can achieve the security goals.

A. BAN LOGIC NOTATIONS
In BAN logic, we first define some symbols, as shown below.
P, Q, R: Principal entities.
X, Y: Messages.
K: Secret key.
P |≡ X: The principal P believes the message X.
P |∼ X: P once said X, i.e., at some time the principal P sent a message including X.
P X: P sees X, i.e., suppose a device once sent a message containing X to P, then P can read and repeat X (after some decryption operations).
P |⇒ X: P has control over X, i.e., principal P is authoritative about X and should be trusted.
#(X): Fresh(X), i.e., X has not been sent recently during protocol execution.
{M} K: Message M is encrypted with secret key K.
M N: M is combined with the secret parameter N.
P K ↔ Q: P and Q share a secret K which will not be disclosed.
P M ⇔ Q: The principals P and Q have a message M that contains the secret parameters.

B. LOGIC RULES
In the following rules, we assume that if the conditions above the horizontal line are met, then we can infer the following results under the line. We use these rules to perform logical derivation.