Lightweight and Privacy-Preserving Remote User Authentication for Smart Homes

The rapid proliferation of embedded devices has led to the growth of the Internet of Things (IoT) with applications in numerous domains such as home automation, healthcare, education and agriculture. However, many of the connected devices particularly in smart homes are the target of attacks that try to exploit security vulnerabilities such as hard-coded passwords and insecure data transfer. Recent studies show that there is a considerable surge in the number of phishing attacks targeting smart homes during the COVID-19 pandemic. Moreover, many of the existing user authentication protocols in the literature incur additional computational overhead and need to be made more resilient to smart home targeted attacks. In this paper, we propose a novel lightweight and privacy-preserving remote user authentication protocol for securing smart home applications. Our approach is based on Photo Response Non-Uniformity (PRNU) to make our protocol resilient to smart home attacks such as smartphone capture attacks and phishing attacks. In addition, the lightweight nature of our solution is suitable for deployment on heterogeneous and resource constrained IoT devices. Besides, we leverage geometric secret sharing for establishing mutual authentication among the participating entities. We validate the security of the proposed protocol using the AVISPA formal verification tool and prototype it on a Raspberry Pi to analyze the power consumption. Finally, a comparison with existing schemes reveals that our scheme incurs a 20% reduction in communication overhead on smart devices. Furthermore, our proposed scheme is usable as it absolves users from memorizing passwords and carrying smart cards.


I. INTRODUCTION
THE ubiquity and increasing popularity of the Internet of Things (IoT) has led to the proliferation of embedded devices. The number of these devices was predicted to be around 400 million at the end of 2016 and is projected to reach 1.5 billion in 2022 [1]. The potential application domains of IoT include environmental monitoring, energy and water management, smart cities, healthcare and supply chain management. Moreover, the IoT paradigm has the potential to address economic and environmental needs, particularly in smart homes. IoT integration in smart homes thereby contributes to several sustainable development goals through its capacity to increase efficiency and save costs.
However, the security of IoT devices in smart homes is not always addressed holistically, which leaves them vulnerable to cyber-attacks. Recently, researchers discovered security-critical design flaws in smart home devices [2], in particular in devices using the ZigBee and Z-Wave wireless communication protocols [3], [4]. Numerous vulnerabilities have been identified in the OAuth protocol [5], the de-facto protocol used for authentication and authorization in smart homes. Moreover, studies show that remote work and remote schooling due to COVID-19 have had a multiplier effect on the rise of IoT attacks in smart homes. The number of phishing attacks aimed at stealing user credentials has been rising over the past year [6]. Besides, the heterogeneous and non-standardized architecture of IoT results in a greater number of smart home attacks [7].
VOLUME 4, 2016
Vulnerable smart home devices are increasingly targeted by attackers to steal personal information and to launch distributed denial-of-service (DDoS) attacks [8], [9]. For instance, in October 2016 the massive Mirai botnet attack disrupted a large part of the Internet by taking advantage of vulnerable smart devices [10]. The Mirai botnet code scans for the telnet service to find devices such as home routers, security cameras and DVRs that still use their factory default username and password. Numerous variants of Mirai have emerged in the last two years, which can infect many more types of devices [11]. A security breach in smart homes can have high impact because it allows attackers to take control of the devices in the home, steal sensitive information and blackmail the occupants at very large scale [12].
In this paper, we propose a novel lightweight and privacy-preserving remote user authentication protocol for smart home environments. Our proposed protocol is based on geometric secret sharing and uses the face biometric and Photo Response Non-Uniformity (PRNU) [13] to authenticate both users and their smartphones. Unlike multi-factor authentication schemes, our scheme requires the user to provide a single factor to prove the identity of both the user and the smartphone. The face biometric alone may not be sufficient, as it is susceptible to face spoofing attacks [14]. Moreover, existing studies show that the PRNU of a smartphone camera can be used to uniquely identify the device with an error rate below 0.5% [15]. Hence, we incorporate PRNU-based authentication of the user's smartphone to raise the bar for attackers. We conduct experiments to demonstrate the effectiveness of PRNU for smartphone authentication using 100 face images collected from 10 different smartphones. Further, the conventional peak-to-correlation energy (PCE) between the PRNU of the authenticated smartphone and the PRNU obtained from another set of face images is computed. Besides, we leverage geometric secret sharing to establish mutual authentication among the user, the gateway and the IoT device. A high-level representation of the mutual authentication between the user and the gateway is depicted in Fig. 1. Geometric secret sharing gives the two entities distinct shares of a secret, which are combined to recover it. Compromise of one share reveals neither the other share nor the secret, since a single point (share) does not determine a line. Moreover, secret reconstruction involves only lightweight operations such as addition and subtraction. Hence, mutual authentication based on geometric secret sharing protects smart devices better than password or shared-key based schemes.
Further, we prototype the proposed protocol in a Raspberry Pi and measure power and energy consumption. The proposed protocol uses simple hash and XOR operations at the device side to make it lightweight. Moreover, formal analysis and security properties verification have been done to prove that the proposed protocol is resilient to various known attacks.

A. OUR CONTRIBUTIONS
Our contributions in this paper are as follows:
1) We propose a novel lightweight and privacy-preserving remote user authentication protocol for smart home environments based on geometric secret sharing. The proposed protocol builds on a smart home threat model and leverages PRNU to uniquely identify the smartphone of the user.
2) To the best of our knowledge, our proposed lightweight protocol is the first to achieve mutual authentication using geometric secret sharing.
3) We conduct experiments to show the effectiveness of PRNU in uniquely identifying the smartphones of users by collecting 100 face images from 10 different smartphones.
4) Security analysis using the AVISPA tool and performance analysis show that the proposed protocol is secure against common attacks and reduces the communication overhead at the smart device by 20% compared to existing state-of-the-art schemes.
The remainder of the paper is organized as follows: Section 2 presents related work. Section 3 provides a background on smartphone camera identification and mutual authentication using geometric secret sharing. Section 4 details our proposed protocol along with the threat model. In Section 5, we present a formal security analysis of our protocol. Section 6 details performance evaluation experiments and results. Section 7 concludes the paper.

II. RELATED WORK
A robust authentication method based on biometric identifiers can be an effective countermeasure against security risks related to IoT devices in smart homes [16]. Most existing protocols rely on passwords for user authentication [17], which makes them susceptible to shoulder surfing, in which an adversary observes directly over the user's shoulder or uses external recording devices such as CCTV cameras to collect credentials [18]. A passwordless authentication scheme is more convenient for users and simultaneously makes the attacker's task harder. Another essential factor in the design of an authentication scheme is its resilience to social engineering attacks [19], where psychological manipulation is used to trick users into making security mistakes or giving away sensitive information. An authentication scheme based on the user's biometric identity can eliminate social engineering attacks to a significant extent, as the credentials cannot be obtained by an attacker using psychological tricks. Further, authentication based on the fingerprint of the smartphone is an effective way to verify that a user possesses a registered smartphone [20].
Various authentication schemes in prior work require additional devices such as smart cards. Moreover, most of the existing user authentication approaches in the literature are susceptible to password guessing attacks, smartphone capture attacks, smart device capture attacks, user impersonation attacks and shoulder surfing attacks [15], [21]-[24]. Besides, conventional security mechanisms have become inapplicable, as many IoT devices are resource-constrained and heterogeneous in terms of underlying communication protocols, data formats and technologies [25]. These factors necessitate the development of lightweight, privacy-preserving and secure solutions for smart homes [26], which is the focus of our work in this paper.
While the working environment shifted to a work-from-home (WFH) scenario due to the COVID-19 pandemic, cyber-attacks on individuals and organizations continued to rise steadily. Attackers take advantage of this scenario, as employees have to use their personal devices in the home network, which lacks sufficient security measures [27]. Studies report that 76% of organizations are unprepared for the resulting security challenges [28]. Moreover, attackers are launching phishing attacks disguised as legitimate authorities with links pertaining to COVID-19 [29]. For instance, in Italy, cybercriminals sent emails disguised as coming from the World Health Organization and aimed at infecting users' computers [30]. Phishing emails may enable attackers to gain access to organizations' networks, which were never intended to be reachable from the public, through unprotected devices in the home network. The pandemic witnessed attacks ranging from online meeting hijacking and phishing to malware, ransomware and fake apps [31].
Recently, many user authentication schemes have been proposed for smart homes. Wazid et al. [21] proposed a shared-key based remote user authentication protocol for the smart home environment. The computation cost of their scheme is higher than that of many of the schemes they considered for comparison. Besides, the scheme leaves out security features such as resilience to smart device capture attacks. A session key establishment scheme for the smart home environment was proposed by Kumar et al. [32]. This scheme does not support forward secrecy, gateway anonymity or mutual authentication. Further, Kumar et al. [33] developed a framework for connected smart home environments. The authors claim that their scheme provides anonymity and unlinkability, which make network tracking difficult in smart home networks. However, their scheme is vulnerable to a physical attack in which an attacker reads out the keys stored in the smart devices. Oh et al. [34] proposed a password-based authentication protocol for smart homes. Their scheme is vulnerable to password guessing attacks and incurs higher communication and computation cost than our proposed scheme. Similarly, the scheme proposed by Fakroon et al. [35] also incurs higher communication cost than our proposed scheme. Public-key based authentication protocols [22], [36]-[39] are computationally more expensive than symmetric-key based approaches. Besides, almost all of the existing schemes rely on timestamps, making them vulnerable to clock synchronization problems [21], [32], [36], [40]. IoT devices are particularly prone to such problems, as they are deployed in a broad range of operating conditions and are resource-constrained [41].
In contrast to the above-mentioned schemes, we propose a hybrid-key based (using both public-key and symmetric-key cryptography) lightweight and privacy-preserving remote user authentication scheme that uses geometric secret sharing for establishing mutual authentication. The proposed protocol relieves users of remembering long passwords and carrying additional authentication tokens. PRNU and biometric based user authentication make the protocol resilient to spoofing and phishing attacks. Geometric secret sharing based mutual authentication among the participating entities prevents fake gateway and smart device impersonation attacks.

III. BACKGROUND

A. SMARTPHONE CAMERA IDENTIFICATION
The Photo-Response Non-Uniformity (PRNU) of an image is widely used in source camera identification (SCI) [42]. PRNU fingerprint of the source camera is mainly caused by imperfections that occurred during the sensor manufacturing process and different sensitivity of pixels to light [43]. The process of extracting PRNU fingerprint from an image for source camera identification is as follows. The digital camera output can be modeled as (1).
where I_0 is the noise-free version of the image I_r, K is the camera PRNU fingerprint and θ represents a combination of independent random noises. First, a denoising filter F, such as wiener2 in MATLAB, is applied to the image I_r and the filtered image is subtracted from I_r to obtain the noise residual as given in (2).
where Q is the image noise residual. The PRNU fingerprint K is estimated from N images by computing the maximum likelihood estimate as given in (3). The estimated fingerprint K̂ contains a small noise factor δ and is represented as K̂ = K + δ, where K is the real fingerprint. To identify the source camera of an image, the correlation corr(K, K̂) between the estimated fingerprint and the real fingerprint is computed.
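The following Python program, added here as an illustration and not part of the original paper or its experiments, simulates the PRNU pipeline described above on a constructed 32x32 sensor: it generates images under the model I_r = I_0 + I_0·K + θ, takes noise residuals with a 3x3 box filter standing in for wiener2 (an assumption; the filter choice is ours), forms the maximum likelihood estimate K̂ from N images, and compares the fingerprint enrolled from one camera against fingerprints estimated from further images of the same camera and of a different camera, using both normalized correlation and the peak-to-correlation energy (PCE) mentioned in the Introduction. The sensor model, image sizes, noise levels and the PCE exclusion window are all constructed parameters.

```python
import math
import random

H = W = 32  # constructed sensor size (small so the brute-force PCE below stays fast)


def box_denoise(img):
    """3x3 mean filter with edge replication, standing in for the denoising filter F."""
    out = [[0.0] * W for _ in range(H)]
    for y in range(H):
        for x in range(W):
            acc = 0.0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    acc += img[min(max(y + dy, 0), H - 1)][min(max(x + dx, 0), W - 1)]
            out[y][x] = acc / 9.0
    return out


def noise_residual(img):
    """Q = I_r - F(I_r): everything the denoiser removes, which carries I_0*K plus noise."""
    den = box_denoise(img)
    return [[img[y][x] - den[y][x] for x in range(W)] for y in range(H)]


def make_sensor(rng, strength=0.02):
    """Constructed PRNU K: a zero-mean, per-pixel multiplicative gain deviation."""
    return [[rng.gauss(0.0, strength) for _ in range(W)] for _ in range(H)]


def smooth_scene(rng):
    """Constructed noise-free image I_0: a smooth intensity surface around 128."""
    fx, fy = rng.uniform(0.2, 0.8), rng.uniform(0.2, 0.8)
    px, py = rng.uniform(0, 2 * math.pi), rng.uniform(0, 2 * math.pi)
    return [[128 + 40 * math.sin(2 * math.pi * fx * x / W + px) * math.cos(2 * math.pi * fy * y / H + py)
             for x in range(W)] for y in range(H)]


def capture(k, rng, n):
    """Sensor output model from the page: I_r = I_0 + I_0 * K + theta (theta: Gaussian read noise)."""
    imgs = []
    for _ in range(n):
        i0 = smooth_scene(rng)
        imgs.append([[i0[y][x] * (1 + k[y][x]) + rng.gauss(0, 2.0) for x in range(W)] for y in range(H)])
    return imgs


def estimate_fingerprint(images):
    """Maximum likelihood estimate per pixel: K_hat = sum_i Q_i * I_i / sum_i I_i^2."""
    num = [[0.0] * W for _ in range(H)]
    den = [[0.0] * W for _ in range(H)]
    for img in images:
        q = noise_residual(img)
        for y in range(H):
            for x in range(W):
                num[y][x] += q[y][x] * img[y][x]
                den[y][x] += img[y][x] ** 2
    return [[num[y][x] / den[y][x] for x in range(W)] for y in range(H)]


def _centered(a):
    mean = sum(map(sum, a)) / (H * W)
    return [[v - mean for v in row] for row in a]


def correlation(a, b):
    """Normalized correlation corr(a, b) between two fingerprints."""
    a, b = _centered(a), _centered(b)
    num = sum(a[y][x] * b[y][x] for y in range(H) for x in range(W))
    na = math.sqrt(sum(v * v for row in a for v in row))
    nb = math.sqrt(sum(v * v for row in b for v in row))
    return num / (na * nb)


def pce(a, b, exclude=3):
    """Peak-to-correlation energy: squared circular cross-correlation at zero shift divided by the
    mean squared cross-correlation at all shifts outside a (2*exclude+1)^2 window around the peak."""
    a, b = _centered(a), _centered(b)
    peak, energy, count = 0.0, 0.0, 0
    for dy in range(H):
        for dx in range(W):
            c = sum(a[y][x] * b[(y + dy) % H][(x + dx) % W] for y in range(H) for x in range(W))
            if dy == 0 and dx == 0:
                peak = c
            elif min(dy, H - dy) > exclude or min(dx, W - dx) > exclude:
                energy += c * c
                count += 1
    return peak * peak / (energy / count)


def demo(seed=7, n_enroll=16, n_probe=4):
    """Enroll camera A from n_enroll images, then test probes from A and from another camera B."""
    rng = random.Random(seed)
    k_a, k_b = make_sensor(rng), make_sensor(rng)   # enrolled smartphone and a different one
    k_hat = estimate_fingerprint(capture(k_a, rng, n_enroll))
    probe_a = estimate_fingerprint(capture(k_a, rng, n_probe))
    probe_b = estimate_fingerprint(capture(k_b, rng, n_probe))
    return {"corr_same": correlation(k_hat, probe_a), "corr_other": correlation(k_hat, probe_b),
            "pce_same": pce(k_hat, probe_a), "pce_other": pce(k_hat, probe_b)}
```

Running demo() yields a correlation close to 1 and a PCE in the hundreds for the enrolled camera, against a correlation near zero and a PCE of order 1 for the other camera. In a deployment the decision thresholds are set from enrolment data, and the same residual computation is applied to the face images submitted during registration and authentication.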

B. MUTUAL AUTHENTICATION USING GEOMETRIC SECRET SHARING
In a geometric secret sharing scheme, a secret is split into shares that are distributed amongst the participants in such a way that only authorized subsets of participants can reconstruct the secret. The (t, n) threshold secret sharing schemes proposed by Shamir [44] and Blakley [45] distribute shares amongst n participants and allow any t of them to recover the secret S_ec, while no group of fewer than t participants can. The essential idea is that two points suffice to define a line; the secret S_ec is the y-coordinate of the fixed point (0, S_ec) at which a given line l intersects the y axis [46]. Let (1, S_ec + R_and) and (2, S_ec + 2R_and) be two points on line l, where R_and is a random slope. Given any two points, the line l can be determined and its y-intercept is the secret. This is a (2, n) threshold scheme for any n. We propose using this scheme to distribute shares between two participants, who reconstruct the secret to authenticate each other. The shares are created as given in (4).
where p is a prime number. At the time of authentication, the entity that wants to authenticate passes its share to the other. The shares share_1 and share_2 are then combined to reconstruct the secret S_ec as given in (5).
Two points (shares) suffice to determine the line passing through both. Once the line is determined, its intersection with the y axis gives the secret. Even if one of the shares (points) is compromised, the other share cannot be found, as infinitely many lines pass through a single point; over Z_p, every possible value of the secret is consistent with the one known share.
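As an added worked example (not code from the paper), the following Python implements the (2, n) line scheme above over Z_p: shares are the points (x, S_ec + x·R_and) mod p, any two of them recover the y-intercept, and for the two points x = 1 and x = 2 used by the protocol the reconstruction reduces to S_ec = 2·share_1 − share_2 mod p. The modulus p = 2^127 − 1 is an assumption (the page only requires p to be prime). The last function brute-forces a small field to show that a single share is consistent with every possible secret.

```python
import secrets

P = (1 << 127) - 1  # assumed prime modulus p (a Mersenne prime)


def make_shares(sec, rand, xs=(1, 2), p=P):
    """Points (x, S_ec + x*R_and) mod p on the line y = R_and*x + S_ec; x = 1, 2 are the page's two shares."""
    return {x: (sec + x * rand) % p for x in xs}


def reconstruct(x1, y1, x2, y2, p=P):
    """y-intercept of the line through two distinct points, computed mod p (any two shares suffice)."""
    slope = (y2 - y1) * pow(x2 - x1, -1, p) % p
    return (y1 - slope * x1) % p


def reconstruct_from_1_and_2(s1, s2, p=P):
    """Special case used by the protocol: with s1 = S+R and s2 = S+2R, S = 2*s1 - s2 (mod p)."""
    return (2 * s1 - s2) % p


def consistent_secrets(x, y, p):
    """Brute force over a small field: the secrets S' for which some slope R' puts (x, y) on the line."""
    return sorted({(y - r * x) % p for r in range(p)})


def demo():
    sec, rand = secrets.randbelow(P), secrets.randbelow(P)
    shares = make_shares(sec, rand, xs=(1, 2, 3))          # three participants, threshold two
    ok_any_two = all(reconstruct(a, shares[a], b, shares[b]) == sec
                     for a, b in ((1, 2), (2, 3), (1, 3)))
    ok_protocol = reconstruct_from_1_and_2(shares[1], shares[2]) == sec
    # a single share (here x = 1, y = 17 in Z_101) is consistent with all 101 possible secrets
    leaks_nothing = len(consistent_secrets(1, 17, 101)) == 101
    return ok_any_two, ok_protocol, leaks_nothing
```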

IV. PROPOSED PROTOCOL
We proposed a preliminary version of the user authentication scheme based on public-key cryptography and evaluated its performance in [37]. As an extension of that work, we developed a lightweight version of [37] and conducted a power analysis of the protocol. The enhanced version of the protocol is hybrid-key based, as it uses both asymmetric and symmetric keys. Based on the power analysis results, we use asymmetric keys only for generating temporal identities. Besides, the proposed scheme uses simple hash and XOR operations to establish authentication and key agreement. Hence, the protocol proposed in this paper has lower computation and communication overhead than the existing protocols.
In this section, we develop a novel lightweight and privacy-preserving remote user authentication protocol for smart home environments using geometric secret sharing. The proposed protocol builds on a smart home threat model we developed and consists of four phases: the initialization phase, the registration phase, the authentication and key establishment phase and the re-registration phase. Table 1 shows the notations used in the proposed protocol.

A. SMART HOME THREAT MODEL
1) Home Network Model
The home network model for the proposed protocol, is depicted in Fig. 2. The participating entities include users, smart devices and gateway. To start with, a user needs to authenticate to the gateway to access devices in the home network. Generally, a smart home network consists of n number of users of the smart home denoted as U i where i = 1..n, m number of smart devices D j where j = 1..m and the gateway G. The smart devices are connected to the internet through the gateway. The gateway handles the registration and authentication of the users and smart devices. All requests pass through the gateway, verifying the authenticity before it is sent to the smart devices. To access a device D j in the network, the user U i sends a request to the gateway G. G verifies the authenticity of the user U i and sends messages to both U i and the device D j . These messages help to authenticate the gateway G to the user U i and the device D j . According to our proposed scheme, only an authenticated user U i and device D j can compute the session key and communicate with each other.

2) Threat Model
We use the formal Dolev-Yao threat model [47] for the proposed protocol for smart home environments. Neither the communicating user nor the smart device is considered trusted. According to this model, the adversary is an active attacker with access to all messages passing through the network. The adversary A can:
• actively eavesdrop on the channel to obtain the messages passing through it;
• send, delete and modify messages;
• replay messages to prevent the protocol from achieving its goals.
We also consider the following smart home specific attacks:
• A can install a fake gateway;
• A can introduce a fake smart device;
• A can capture a smart device and perform side-channel attacks to extract the sensitive information stored in it.

B. ASSUMPTIONS
We make use of the following assumptions for the proposed protocol.
• The devices are assumed to be registered at the gateway in off-line mode.
• The gateway is assumed to be completely trusted and protected from adversaries during the registration phase.
• The face recognition method is assumed to be resilient to three types of face spoofing attacks, namely the printed photo attack, the printed mask attack and the displayed video attack on a mobile phone/HD screen [48].
• Keys are assumed to be stored in the secure key storage area in the internal memory of the smartphones [49].
• Users' smartphones are secured using a local authentication mechanism such as fingerprint authentication.

C. INITIALIZATION PHASE
In this phase, the public and private keys are generated using Elliptic Curve Cryptography (ECC). For this purpose, the gateway selects an elliptic curve E(F_p) over a finite field F_p and a base point P on it. Users and devices each choose a private key n_A and compute the public key as K_A = n_A·P. Symmetric keys (pre-shared keys) are also generated and shared between the user and the gateway. Besides, users register their face images at the gateway in this phase. The gateway uses this information to recognize users during the subsequent phases.

D. USER REGISTRATION PHASE
In this phase, the user registers with the gateway by providing a newly captured face image and choosing a unique identity. The smartphone encrypts the image using the pre-shared key and sends it to the gateway. Upon reception of the message, the gateway performs image analysis (imfinfo in MATLAB) to check the freshness of the received image. After successful verification, the gateway performs face recognition, extracts the PRNU P_rnu from the face image and stores it along with the metadata I_m of the image for further verification. Further, a secret is established from freshly generated nonce values exchanged between the user and the gateway. The secret is then split into two shares at both ends using a randomly chosen value. At the end of a successful run of the protocol, the shares are created and stored at each end, to be used later for mutual authentication. Besides, the identity of the gateway is provided by the mobile application. The detailed steps of the registration phase, depicted in Fig. 3, are as follows.
Fig. 3. User registration at the smart home gateway.
Step R1: User U_i is prompted to capture a face image I, chooses a unique identity ID_i and enters it into the smartphone. The smartphone generates a nonce N_i and computes C_i = h(ID_i||h(I)||N_i||K_UiG). The smartphone encrypts ID_i and I using the pre-shared key K_UiG and sends N_i, C_i and the ciphertext {ID_i, I}_K_UiG to the gateway.
Step R2: Upon receiving the message, the gateway verifies the nonce N_i. Upon successful verification, the gateway decrypts {ID_i, I}_K_UiG, recomputes C_i = h(ID_i||h(I)||N_i||K_UiG) to verify the integrity of the message and verifies h(I). The gateway then verifies the freshness of the image using image analysis and, upon verification, performs face recognition. Upon successful verification, the gateway extracts P_rnu and the metadata I_m and stores them for future verification. In order to establish a secret S_i, the gateway generates a random nonce N_Gi and a random number R. The gateway computes the secret as S_i = N_Gi ⊕ N_i and its share as s_Gi = (S_i + 2R) mod p. To let the user verify the computed secret, it computes M = h(h(S_i||ID_i)||N_i). To send the random number R and the nonce N_Gi to the user, the gateway computes TD_i = h(ID_i||K_Ui||N_i) and encrypts R as P_U1 = R ⊕ TD_i and N_Gi as P_U2 = N_Gi ⊕ TD_i. Further, the gateway generates another nonce N_G, computes TD_G = h(ID_G||K_G||N_G) and a check value C_G for verification at the user end. The gateway sends < M, P_U1, P_U2, N_G, C_G > to the user and stores < ID_i, h(S_i||ID_i), s_Gi > in its memory for future verification.
Step R3: Upon successful verification of the nonce N_G, the smartphone computes the temporal identities and verifies the received value C_G. Upon successful verification, the smartphone extracts R = P_U1 ⊕ TD_i and N_Gi = P_U2 ⊕ TD_i and then computes the secret S_i = N_i ⊕ N_Gi. The smartphone then computes its share s_i = (S_i + R) mod p and stores it for future verification. To verify the correctness of the computed secret, the smartphone computes M = h(h(S_i||ID_i)||N_i) and compares it with the received value. At this point, the smartphone is assured that the secret S_i has been computed successfully at both ends. The smartphone stores < ID_i, ID_G, h(S_i||ID_G), s_i > in its memory. Besides, the public keys of the gateway and the device are shared by the mobile application after successful registration.

E. AUTHENTICATION AND KEY ESTABLISHMENT PHASE
This phase, depicted in Fig. 4, is invoked when the user wants to access a device in the smart home. The user is then prompted to capture a face image and it is sent to the gateway for further processing. The gateway ensures the freshness of the image by performing image analysis. On successful verification, the photo response non-uniformity (PRNU) and image metadata are then extracted and compared with the stored values. Upon successful verification, the gateway performs face recognition and then it retrieves the hash of the secrets pertaining to the user and the device and sends it to the device and the user along with its share. The user and the device use this information for establishing a session key. The steps for this phase are described as follows.
Step AK1: The user is prompted to capture her face image and selects the device. The smartphone computes the hash of the image and generates a nonce N_i. Further, the smartphone sends < TD_i, TD_G, TD_j, h(I), N_i, C_i, {I}_K_UiG > to the gateway, where TD_j is the temporal identity of the device the user wants to access.
Step AK2: After verifying N_i and C_i, the gateway decrypts the image I and verifies its integrity and freshness by hash comparison and image analysis respectively. Upon successful verification, it extracts P_rnu and I_m and compares them with the stored values. The gateway then performs face recognition of the user. After successful verification, the gateway retrieves M_D = h(S_j||ID_j) and M_U = h(S_i||ID_i) from its memory. To establish a session key at both the user and the device end, the gateway computes M = M_U ⊕ M_D ⊕ N_G using a newly generated nonce N_G. It then encrypts the shares, computing C_j = h(M||P_D||N_Gj||ID_j) ⊕ s_Gj and C_i = h(M||P_U||N_Gi||ID_i) ⊕ s_Gi, which also serve to verify the received message at both ends. The gateway then sends the message < M, P_D, N_Gj, C_j > to the device and the message < M, P_U, N_Gi, C_i > to the user.
Step AK3: Upon receiving the message < M, P_D, N_Gj, C_j >, the device verifies N_Gj. The device computes h(M||P_D||N_Gj||ID_j) and extracts the share of the gateway as s_Gj = C_j ⊕ h(M||P_D||N_Gj||ID_j). (Comparing C_j ⊕ s_Gj with h(M||P_D||N_Gj||ID_j) then holds by construction; the effective integrity check is the comparison of the reconstructed secret below, which fails if M, P_D, N_Gj or C_j has been altered.) Further, the device reconstructs the secret from its own point (1, s_j) and the gateway's point (2, s_Gj) on the line as S_j = (2s_j − s_Gj) mod p. The device then computes h(S_j||ID_G) and compares it with the stored value. At this juncture, the gateway is authenticated to the device. Upon successful authentication, the device computes the session key K_s (Section V-B) from M, the nonce N_G and its own value h(S_j||ID_j).
Step AK4: Upon receiving the message < M, P_U, N_Gi, C_i >, the smartphone verifies N_Gi. The smartphone computes h(M||P_U||N_Gi||ID_i) and extracts the share of the gateway as s_Gi = C_i ⊕ h(M||P_U||N_Gi||ID_i). As in Step AK3, the comparison of C_i ⊕ s_Gi with h(M||P_U||N_Gi||ID_i) holds by construction and the check that matters is on the reconstructed secret. The smartphone reconstructs the secret from its own point (1, s_i) and the gateway's point (2, s_Gi) as S_i = (2s_i − s_Gi) mod p. The smartphone then computes h(S_i||ID_G) and compares it with the stored value. At this juncture, the gateway is authenticated to the user. Upon successful authentication, the smartphone computes the session key K_s from M, N_G and its own value h(S_i||ID_i). Upon successful communication using the newly generated session key, the user and the device are mutually authenticated, and the device is implicitly authenticated to the gateway. If the device fails to authenticate, an error message is sent to the gateway.
The main advantage of this protocol is that only the device identity ID_j, the identity of the gateway ID_G, the hash h(S_j||ID_G) and the share s_j are stored at the device. An attacker who captures the device learns nothing about the user, and a single share reveals no information about the secret S_j or the gateway's share.
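The exchange of Steps AK2 to AK4, as an added simulation in Python that is not the paper's own implementation. It uses SHA-256 for h with a length-prefixed encoding for concatenation, p = 2^127 − 1, and two assumptions where the page leaves definitions out: V_i = h(S_i||ID_i) and V_j = h(S_j||ID_j) in the session key K_s = h(V_i||N_G||V_j) of Section V-B, and P_U = N_G ⊕ M_U, P_D = N_G ⊕ M_D as the way the gateway conveys N_G. The identities and all secrets are constructed. The run also exercises the replay check (an old N_Gi) and a tampered M, both of which the receiver must reject.

```python
import hashlib
import secrets

P = (1 << 127) - 1  # assumed prime modulus p


def h(*parts):
    """h(a||b||...) as SHA-256 over length-prefixed fields (the encoding is an assumption)."""
    m = hashlib.sha256()
    for x in parts:
        b = x if isinstance(x, bytes) else str(x).encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def register(id_entity, id_g, secret, rand):
    """Registration outcome: entity keeps (1, S+R), gateway keeps (2, S+2R); each stores a hash of S."""
    return {
        "s_entity": (secret + rand) % P,
        "s_gw": (secret + 2 * rand) % P,
        "gw_stored": h(secret, id_entity),   # M_U or M_D, kept by the gateway
        "entity_stored": h(secret, id_g),    # h(S||ID_G), kept by the user or device
    }


def gateway_issue(reg_u, reg_d, id_i, id_j):
    """Step AK2 at the gateway: build the messages for the user and the device."""
    n_g, n_gi, n_gj = (secrets.token_bytes(32) for _ in range(3))
    m_u, m_d = reg_u["gw_stored"], reg_d["gw_stored"]
    m = xor(xor(m_u, m_d), n_g)                      # M = M_U xor M_D xor N_G
    # assumption: P_U / P_D carry N_G masked with the receiver's own M value
    p_u, p_d = xor(n_g, m_u), xor(n_g, m_d)
    c_i = xor(h(m, p_u, n_gi, id_i), reg_u["s_gw"].to_bytes(32, "big"))
    c_j = xor(h(m, p_d, n_gj, id_j), reg_d["s_gw"].to_bytes(32, "big"))
    return (m, p_u, n_gi, c_i), (m, p_d, n_gj, c_j)


def entity_receive(msg, my_id, id_g, reg, seen, is_user):
    """Steps AK3/AK4: authenticate the gateway, then derive K_s = h(V_i||N_G||V_j); None on rejection."""
    m, p_x, n_gx, c_x = msg
    if n_gx in seen:
        return None                                  # replayed nonce: discard
    s_gw = int.from_bytes(xor(c_x, h(m, p_x, n_gx, my_id)), "big")
    secret = (2 * reg["s_entity"] - s_gw) % P        # intercept of the line through (1, s) and (2, s_G)
    if h(secret, id_g) != reg["entity_stored"]:
        return None                                  # fake gateway or tampered message: abort
    seen.add(n_gx)
    v_mine = h(secret, my_id)                        # assumption: V = h(S||ID) of the entity itself
    n_g = xor(p_x, v_mine)                           # assumption: recover N_G from P
    v_other = xor(xor(m, v_mine), n_g)               # the peer's V from M
    v_i, v_j = (v_mine, v_other) if is_user else (v_other, v_mine)
    return h(v_i, n_g, v_j)


def demo():
    """One honest run, then a replay and a MITM modification of M against the user."""
    id_i, id_j, id_g = "user-1", "device-7", "gateway"   # constructed identities
    reg_u = register(id_i, id_g, secrets.randbelow(P), secrets.randbelow(P))
    reg_d = register(id_j, id_g, secrets.randbelow(P), secrets.randbelow(P))
    msg_u, msg_d = gateway_issue(reg_u, reg_d, id_i, id_j)
    seen_u, seen_d = set(), set()
    k_user = entity_receive(msg_u, id_i, id_g, reg_u, seen_u, True)
    k_dev = entity_receive(msg_d, id_j, id_g, reg_d, seen_d, False)
    replay = entity_receive(msg_u, id_i, id_g, reg_u, seen_u, True)
    m, p_u, n_gi, c_i = msg_u
    tampered = (bytes([m[0] ^ 1]) + m[1:], p_u, secrets.token_bytes(32), c_i)
    mitm = entity_receive(tampered, id_i, id_g, reg_u, seen_u, True)
    return {"key_user": k_user, "key_device": k_dev, "replay": replay, "mitm": mitm}
```

Both parties end with the same K_s without either having stored the other's V value, the replayed message is dropped on the nonce check, and the modified M changes the hash that unmasks s_Gi, so the reconstructed secret no longer matches the stored h(S_i||ID_G) and the run aborts.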

F. RE-REGISTRATION PHASE
This phase is invoked when the user has lost the smartphone or would like to register a new smartphone. The steps for re-registration are as follows:
Step RR1: The user selects the re-registration option in the smart home application and is then prompted to take a face image. The smartphone generates a new nonce N_i and computes C_i. The smartphone sends the message < RREG, TD_i, TD_G, h(I), N_i, C_i, {I}_K_UiG > to the gateway.
Step RR2: Upon reception of the message, the gateway verifies N i and C i for checking the integrity of the message. The gateway then decrypts {I} K U i G and verifies the integrity of I with h(I). Further, gateway verifies the freshness of the image. Upon successful verification, the gateway performs face recognition to identify the user. On successful authentication, gateway proceeds to extract P rnu and image information I m and stores it for future verification.
Further, the gateway computes the secret using the newly generated nonce N Gi . The gateway and smartphone follow the steps (Step R2 to R3) listed in the registration phase. The user has to follow the authentication and key establishment phase to access a device in the smart home.

V. FORMAL SECURITY ANALYSIS USING AVISPA
This section presents the formal security analysis using AVISPA and analysis of various security features that are essential to cryptographic protocols.

A. FORMAL SECURITY ANALYSIS USING AVISPA
We use the SPAN+AVISPA (Security Protocol ANimator for Automated Validation of Internet Security Protocols and Applications) tool for performing the formal analysis of the proposed protocol [50] [51]. Experimental results on many internet security protocols show that the AVISPA tool is state of the art for automated validation of security protocols.
AVISPA uses the High-Level Protocol Specification Language (HLPSL) to represent cryptographic protocols. The HLPSL2IF translator translates the protocol into an Intermediate Format (IF) specification, which is then provided to the back-end modules for analysis. There are four back-ends in the AVISPA tool: OFMC, the On-the-Fly Model-Checker; CL-AtSe, the Constraint-Logic-based Attack Searcher; SATMC, a SAT-based Model-Checker; and TA4SP, Tree Automata based on Automatic Approximations for the Analysis of Security Protocols. The back-ends analyze the protocol under the assumption that the network over which the messages are exchanged is under the control of a Dolev-Yao intruder.
We translate both the registration and authentication and key establishment phases of the proposed protocol to HLPSL. The actions of each entity are represented as basic roles. Further, these basic roles are combined to represent the composed role, representing the interactions among them. The entities are represented as user U , gateway G and the smart device D.
The entities communicate over two channels, SND and RCV. Finally, an environment role is defined, as shown in Fig. 5, which contains the global constants and the composition of one or more sessions. It also describes the intruder i, who plays the role of a legitimate user; the intruder_knowledge is specified in the environment role. The CL-AtSe and OFMC back-ends report the protocol as SAFE for the modelled sessions; in other words, the proposed protocol is secure against the Dolev-Yao intruder model used in AVISPA. The implementation also includes a simulation of an intruder attack with the publicly known parameters. The intruder gains no knowledge after capturing the message sent by the user. This shows that the proposed protocol is The results of the analysis using the CL-AtSe and OFMC back-ends are depicted in Fig. 6 and Fig. 7 respectively. In other words, the security goals specified in the environment are satisfied by the proposed protocol.

B. ANALYSIS OF SECURITY FEATURES
In this section, we analyze the security features of the proposed protocol.

1) Anonymity
The user U_i, the gateway G and the smart device D_j use temporal identities to preserve the anonymity of the communicating entities; each entity derives its temporal identity from its public key. The user, gateway and device compute their temporal identities as respectively. Hence, an adversary A eavesdropping on the channel cannot tell which entities are communicating, which preserves the privacy of all of them.

2) Key Freshness
Key freshness, the guarantee that every session key is freshly and randomly generated, is essential for a key establishment protocol. In the proposed protocol, U_i and D_j first reconstruct their secrets to obtain h(S_i||ID_i) and h(S_j||ID_j) respectively, and then compute the session key as where N_G is a nonce newly generated by G for each session. Hence, freshness of the key follows from the nonce contributed by G, which is a trusted entity.

3) Forward Secrecy
Forward secrecy ensures that previously established session keys are not compromised when a long-term key is compromised [52]. Suppose A steals the share s_j of the device D_j. A cannot recover the secret S, because reconstruction requires every share, and therefore cannot compute the session keys. Hence, in the proposed protocol, the compromise of a single long-term share does not compromise the session keys.

4) Fake Gateway Attacks
In this attack, A introduces a fake gateway to steal credentials such as stored keys, or to hijack the communication between the user and the smart device. The fake gateway cannot decrypt the user's message {I}_K_UiG, as it does not hold the key K_UiG, and it cannot construct the message <M, P_U, N_Gi, C_i>. If the fake gateway replays a previously sent <M, P_U, N_Gi, C_i>, the smartphone discards it, either because the nonce N_Gi is stale or because the C_i value does not match.

5) Man-In-The-Middle Attacks
In a man-in-the-middle (MITM) attack, A intercepts the messages exchanged between two entities and possibly alters them. Suppose A relays the message <TD_i, TD_G, TD_j, h(I), N_A, C_A, {I}_K_UiG> to the gateway G; G discards it when the verification of N_A and C_A fails. Nor can A craft a response that forces the user U_i to compute a key known to A: the key is computed as K_s = h(V_i||N_G||V_j), where V_i and V_j are stored neither at the user end nor at the device end, and both entities derive them from their respective shares. Likewise, if A tampers with the message <M, P_U, N_Gi, C_i> by replacing M with a modified value M', U_i aborts the protocol when h(S_i||ID_G) does not match. By the same argument A cannot establish a session key with the device by relaying or modifying messages. Hence, the proposed protocol is resilient to MITM attacks.
VOLUME 4, 2016

6) Replay Attacks
In a replay attack, A interferes by replaying a message, or part of a message, that was sent in an earlier protocol run [53]. The proposed protocol detects replays through nonce and integrity verification. Suppose A replays the message <TD_i, TD_G, TD_j, h(I), N_i, C_i, {I}_K_UiG> previously sent by the user, with a modified N_i; G aborts the protocol because the received C_i no longer matches. The remaining messages likewise bind their nonces into their hash values. Hence, the proposed protocol is resilient to replay attacks.

7) User Impersonation Attacks
Suppose A impersonates the user U_i by presenting a photo or recording of the user. A cannot generate the message <TD_i, TD_G, TD_j, h(I), N_i, C_i, {I}_K_UiG>, as it possesses neither the public keys of U_i and G nor the pre-shared key K_UiG. Hence, the proposed protocol is resilient to user impersonation attacks.

8) Smart Device Impersonation Attacks
Suppose A tries to add a rogue device AD_j to the smart home network. AD_j cannot compute the session key, as it holds no share with which to reconstruct the secret with G, nor can it compute h(M||P_D||N_Gj||ID_j) to extract the gateway's share, since that requires knowledge of ID_j. Hence, the proposed protocol is resilient to smart device impersonation attacks.

9) Denial of Service Attacks
There are two main types of denial of service (DoS) attacks: connection depletion and resource depletion [54]. Connection depletion can be mitigated by local authentication on the smartphone. Resource depletion is difficult to mitigate completely, but the nonce and hash verification limit it considerably. For instance, A may flood G with spurious messages to force it to process them; G aborts as soon as a nonce verification fails or a hash mismatch occurs, so it spends no further work on such a message. Hence, the proposed protocol mitigates DoS attacks.

10) Fingerprint Forgery Attacks
In this attack, A forges an image carrying the PRNU extracted from publicly available images of the user U_i. Note that the argument below rests on the protocol credentials rather than on the secrecy of the PRNU, which the attack assumes is recoverable from public images. A cannot succeed because it does not hold the shared key K_UiG, the public keys of U_i and G, the share s_i or h(S_i||ID_G), and so it cannot submit the forged image to G for authentication. Hence, the proposed protocol is resilient to fingerprint forgery attacks.

11) Stolen Smart Device Attacks
Suppose A obtains physical access to a smart device. Using power analysis attacks [55], A can extract the identities ID_j and ID_G, the public key K_D and the hash of the secret h(S_j||ID_G). A still cannot compromise the session key, since s_Gj is also required to compute it, and A learns nothing about the user U_i or about any other smart device in the network. Hence, the proposed protocol is resilient to stolen smart device attacks.

12) Smartphone Capture Attacks
In our proposed protocol, we assume that the face recognition scheme is resilient to printed-photo, printed-mask and displayed-video attacks, since schemes that defeat these presentation attacks exist [48]. Under that assumption, suppose A obtains physical access to the smartphone of the user U_i. A cannot present the face biometric of U_i and therefore cannot authenticate. Hence, the proposed protocol withstands smartphone capture attacks.

13) Shoulder Surfing Attacks
Passwords are a common authentication factor in many applications; their ease of use makes a scheme usable but also makes the credential easy to steal, because A can observe the user directly or use an external recording device to capture it [18]. Our protocol uses face recognition together with the PRNU fingerprint to resist this attack. The PRNU verification ensures that the face image was taken with the user's registered smartphone; a face image captured with any other camera is rejected as inauthentic. Hence, the proposed protocol is resilient to shoulder surfing attacks.

VI. PERFORMANCE EVALUATION
In this section, we present the performance evaluation of the proposed protocol and compare it with existing approaches to demonstrate its lightweight nature in terms of both communication and computation overhead. We also show the effectiveness of PRNU by presenting experiments demonstrating that a single reference image is sufficient at registration.

A. EVALUATION OF PRNU FINGERPRINT
To verify the efficacy of the PRNU fingerprint in uniquely identifying smartphones, as established by Ba et al. [56], we use 100 face images collected from more than ten smartphones: Vivo 1807, Samsung Galaxy M-30s, Moto G Plus 7015, Redme 8, Vivo V17, Nokia 6.1 Plus, iPhone 7, Realme 2 Pro, Asus Z010D, Realme X and Lenovo A7010a48. The face images were captured with the front camera of each smartphone. We test the images with the source camera identification algorithm provided as MATLAB source code [57], [58]. As the similarity metric we use Peak to Correlation Energy (PCE), the most widely used measure for source camera identification: the squared peak of the cross-correlation between the reference PRNU and the PRNU extracted from the test image, divided by the average energy of that cross-correlation outside a small neighbourhood of the peak [42]. The experiments were run in MATLAB R2018b [59] on a Lenovo/IBM ThinkPad L480 laptop running Windows 10 with an Intel Core i5 processor and 4 GB of RAM. We compare randomly chosen images both with images from the same smartphone and with images from other smartphones, and we compute the reference fingerprint once from multiple reference images and once from a single reference image; the results are depicted in Fig. 8 and Fig. 9 respectively. In both cases a threshold on the PCE value cleanly separates images captured by the same smartphone from images captured by different smartphones. Although a single image is sufficient to authenticate a smartphone, a reference fingerprint computed from multiple images yields higher PCE values. Images compared against others from the same camera give high correlation values, whereas comparisons across different cameras give values close to zero.
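To make the PCE decision rule above concrete, the following is an added example written for this page, not the paper's MATLAB pipeline [57], [58]. It runs offline with the Python standard library only: two 24x24 synthetic sensors with independent PRNU patterns are simulated, a reference fingerprint for camera A is estimated from six smooth reference images with the usual maximum-likelihood estimator K_hat = sum(W_i * I_i) / sum(I_i^2), and a fresh image from each camera is scored with PCE. The 3x3 mean denoiser, the image size, the noise levels, the 3x3 peak-exclusion box and the seed are simplifications chosen for the toy and are assumptions, not values from the paper.

```python
"""
Toy PRNU source-camera check with Peak to Correlation Energy (PCE).

Added example, not the paper's MATLAB pipeline. Everything here is synthetic:
the sensors, their PRNU patterns and the "face images" are generated below,
so the script runs offline with the standard library only.
"""
import math
import random

N = 24              # synthetic sensor is N x N pixels (assumption)
SIGMA_PRNU = 0.02   # relative strength of the multiplicative PRNU (assumption)
SIGMA_NOISE = 2.0   # additive readout/shot noise on the 8-bit scale (assumption)
PEAK_EXCLUDE = 1    # (2r+1)x(2r+1) box around the peak left out of the energy


def make_sensor(rng):
    """One synthetic camera: a fixed zero-mean multiplicative PRNU pattern K."""
    return [[rng.gauss(0.0, SIGMA_PRNU) for _ in range(N)] for _ in range(N)]


def capture(sensor, rng):
    """Simulate one 8-bit capture of a smooth scene: I = (1 + K) * scene + noise.

    Smooth, flat-field style scenes are what one uses to estimate a reference
    fingerprint in practice; they keep scene texture out of the noise residual.
    """
    base = rng.uniform(110.0, 170.0)
    slope = rng.uniform(-1.0, 1.0)
    img = []
    for y in range(N):
        row = []
        for x in range(N):
            scene = base + slope * (x + y - N)
            v = (1.0 + sensor[y][x]) * scene + rng.gauss(0.0, SIGMA_NOISE)
            row.append(float(min(255, max(0, round(v)))))
        img.append(row)
    return img


def noise_residual(img):
    """W = I - F(I), with a 3x3 mean filter as the (deliberately simple) denoiser F."""
    def px(y, x):  # clamp-to-edge indexing
        return img[min(N - 1, max(0, y))][min(N - 1, max(0, x))]
    out = []
    for y in range(N):
        row = []
        for x in range(N):
            s = sum(px(y + dy, x + dx) for dy in (-1, 0, 1) for dx in (-1, 0, 1))
            row.append(img[y][x] - s / 9.0)
        out.append(row)
    return out


def reference_fingerprint(images):
    """Maximum-likelihood PRNU estimate K_hat = sum(W_i * I_i) / sum(I_i^2)."""
    num = [[0.0] * N for _ in range(N)]
    den = [[0.0] * N for _ in range(N)]
    for img in images:
        w = noise_residual(img)
        for y in range(N):
            for x in range(N):
                num[y][x] += w[y][x] * img[y][x]
                den[y][x] += img[y][x] * img[y][x]
    return [[num[y][x] / den[y][x] for x in range(N)] for y in range(N)]


def _zero_mean(a):
    m = sum(map(sum, a)) / (N * N)
    return [[v - m for v in row] for row in a]


def pce(fingerprint, img):
    """Signed PCE between the expected PRNU term K_hat * I and the residual of I.

    PCE = sign(peak) * peak^2 / mean(corr^2 outside the peak box). The peak is
    taken at zero shift because the test image is aligned with the reference
    (no cropping or scaling), which is the standard camera-identification setting.
    """
    a = _zero_mean([[fingerprint[y][x] * img[y][x] for x in range(N)] for y in range(N)])
    b = _zero_mean(noise_residual(img))
    # Brute-force circular cross-correlation over all shifts: fine for a 24x24
    # toy; real implementations use FFTs on megapixel images.
    corr = [[0.0] * N for _ in range(N)]
    for sy in range(N):
        for sx in range(N):
            acc = 0.0
            for y in range(N):
                ra = a[y]
                rb = b[(y + sy) % N]
                for x in range(N):
                    acc += ra[x] * rb[(x + sx) % N]
            corr[sy][sx] = acc
    peak = corr[0][0]
    energy, count = 0.0, 0
    for sy in range(N):
        for sx in range(N):
            if min(sy, N - sy) <= PEAK_EXCLUDE and min(sx, N - sx) <= PEAK_EXCLUDE:
                continue  # skip the box around the peak
            energy += corr[sy][sx] ** 2
            count += 1
    return math.copysign(peak * peak / (energy / count), peak)


def run_demo(seed=7, n_reference=6):
    """Enrol camera A from n_reference images; test one image from A and one from B."""
    rng = random.Random(seed)
    cam_a, cam_b = make_sensor(rng), make_sensor(rng)
    k_hat = reference_fingerprint([capture(cam_a, rng) for _ in range(n_reference)])
    return {
        "same_camera": pce(k_hat, capture(cam_a, rng)),
        "other_camera": pce(k_hat, capture(cam_b, rng)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:13s} PCE = {value:8.1f}")
```

Run as a script, the same-camera image scores far above the other-camera image (the exact values depend on the seed). Production implementations differ in the engineering, not in the rule: FFT-based correlation, a wavelet or Wiener denoiser, a larger exclusion window, and a PCE threshold set from the empirical false-accept rate over many different-camera images rather than read off a handful of samples.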

B. EVALUATION OF THE PROPOSED PROTOCOL
In this section, we present the power and energy analysis of the different algorithms used in our proposed protocol. Since we use a hybrid approach, we first analyze the power consumption of the ECC operations Elliptic-curve Diffie-Hellman (ECDH), the Elliptic Curve Integrated Encryption Scheme (ECIES) and the Elliptic Curve Digital Signature Algorithm (ECDSA) [60]. The curves selected for the analysis are secp112r1, secp128r1 and secp160r1 [61], which are common choices on constrained devices; note that these short curves offer at most about 80 bits of security (secp160r1) and are below current recommendations for new deployments, so the figures below should be read as lower bounds for a production-grade curve. The operations are run on a Raspberry Pi 3 Model B, equipped with a quad-core 1.2 GHz Broadcom BCM2837 64-bit CPU, 1 GB of RAM, a 16 GB SD card and the Raspbian Jessie Lite operating system. We measure the power and energy consumption of the ECC operations for a payload of 512 bits, using a Keysight B2901A Source/Measure Unit [62]. We execute EC key generation, ECIES encryption, ECIES decryption, ECDSA signature generation, ECDSA signature verification and ECDH, and compute the average power and energy consumption of each. The energy consumption of each operation is given in Table 2. Encryption consumes the most energy of these operations and signature generation the least; moreover, every ECC operation is more expensive in power and energy than a symmetric-key operation. We therefore use symmetric-key encryption to send the face image from the user to the gateway. The protocol also uses temporal identities that are unique to each session, which gives it the anonymity and untraceability properties. Further, we implement the image hash, encryption and decryption in Python with AES (Advanced Encryption Standard) on the Raspberry Pi for images of various sizes; the execution time and energy consumption of these operations are listed in Table 3.
As the face image grows, the execution time and hence the energy consumption increase. A smaller image is therefore preferable for user authentication, provided it remains large enough for the PRNU check, since the PCE grows with the number of pixels compared.

C. PERFORMANCE COMPARISON
1) Security Features Comparison
Table 4 compares the schemes on security features such as mutual authentication, anonymity and resilience to the various attacks.
Wazid et al. [21] proposed an efficient lightweight authentication protocol. However, their own informal security analysis states that an adversary who captures a device can obtain the session key, and a compromised session key reveals the messages exchanged between the user and the device. Hence, the scheme does not protect against smart device capture attacks. Similarly, the scheme of Challa et al. [36] is vulnerable to smart device capture, which likewise leads to compromise of the session key. Besides, Chaudhry et al. [63] pointed out correctness issues in this scheme and argued that it cannot complete its operations normally.
The scheme of Yu et al. [40] provides no integrity protection with which to detect messages modified in transit, so the entities must perform the full computation before they can authenticate a message. Consequently, their scheme is vulnerable to DoS attacks.
The scheme of Shuai et al. [24] is vulnerable to replay attacks because it verifies neither nonces nor timestamps. It is also vulnerable to user impersonation and shoulder surfing attacks, since it relies on simple password authentication. Moreover, it does not provide anonymity, as the identities of the user and the device are always encrypted under the same master key.
In contrast to these approaches, our scheme provides anonymity, key freshness, session key establishment and resilience to smart device capture and fake gateway attacks.

2) Comparison of Communication Overhead
We assume that the identities of the user, the gateway and the smart device, the randomly generated nonces, the timestamps and the message digest are 128, 128, 64, 128, 77 (verified in MATLAB) and 160 bits long, respectively. Under this assumption we compute the communication overhead at the smart device, as it is the resource-constrained party; G and U_i are assumed to be resource-rich. In our scheme the message sent from the gateway to the smart device costs 544 bits (68 bytes): 128 + 128 + 128 + 160 = 544. The corresponding costs of the existing protocols are 986 bits for Wazid et al. [21], 794 bits for Yu et al. [40], 711 bits for Challa et al. [36] and 960 bits for Shuai et al. [24]. Table 5 lists the communication overhead at the smart device for each protocol: the number of messages received and sent and the total cost in bits. Our protocol uses both the fewest and the shortest messages of the compared protocols, all of which target smart home applications. Fewer and shorter messages mean less radio and processing time at the device, so the proposed protocol also consumes less power than the other schemes.

3) Comparison of Computation Overhead
Based on the approximate operation times [64] given in Table 6, we compute the computation overhead of each scheme; the overhead at the smart device is given in Table 7. The cost of the proposed scheme is about 1.28 ms, comprising four hash operations plus a negligible cost for secret reconstruction as measured on the Raspberry Pi (4T_H ≈ 0.00128 s + 0.00000405 s). Here T_H is the time of one hash operation and T_S that of the other primitive used by [21], both taken from Table 6.

TABLE 7. Computation overhead at the smart device
Scheme      Operations     Time (ms)
[21]        7T_H + T_S     7.84
[40]        7T_H           2.24
[36]        5T_H           1.6
[24]        3T_H           0.96
Proposed    4T_H           1.28

Fig. 10 compares the communication and computation costs of the schemes in terms of the number of message exchanges and the approximate computation time at the smart device. The proposed scheme significantly reduces the number of message exchanges and the computation cost while satisfying the security features. Although its computation cost is marginally higher than that of [24], its security properties are stronger than those of the other schemes. We therefore conclude that the proposed protocol is lightweight and suitable for smart home environments.

VII. DISCUSSION
Although the proposed protocol has been prototyped on embedded devices, it still needs to be evaluated in realistic smart home environments to understand its behaviour from both usability and security perspectives. Performance and energy consumption should be measured end to end: for instance, the cryptographic operations add processing delay and remote face recognition adds transmission delay. Remote face recognition must also cope with ageing and with the varied illumination conditions faced by diverse users.

VIII. CONCLUSION
In this paper, we proposed a lightweight and privacy-preserving remote user authentication protocol for smart home environments based on geometric secret sharing. The protocol avoids passwords and smart cards, relieving users of memorizing long passwords and carrying additional tokens. The performance analysis, including power consumption measurements and a comparison with existing schemes, showed that the protocol is lightweight, privacy-preserving and usable, and that it prevents phishing, fake gateway and smart device impersonation attacks. We also conducted experiments showing the effectiveness of PRNU in identifying a user's smartphone. The formal security analysis with AVISPA and the performance evaluation on the Raspberry Pi indicate that the protocol is secure and can provide enhanced security for smart homes. As future work, we plan to deploy the protocol in a real-time smart home environment and to further evaluate its security. In addition, we plan to conduct user studies to assess the effectiveness of the authentication protocol under diverse environmental conditions.

K. NIMMY is a Ph.D. scholar at the Center for Cyber Security Systems and Networks, Amrita Vishwa Vidyapeetham (Amrita University). She received a master's degree (M.Tech) in Cyber Security from TIFAC CORE in Cyber Security of Amrita Vishwa Vidyapeetham, Coimbatore, and a bachelor's degree (B.Tech) in Computer Science and Engineering from Rajiv Gandhi Institute of Technology, Kerala. She has more than four years of experience in research projects funded by ISRO (Indian Space Research Organisation) and more than three years of teaching experience. Her research interests include authentication protocols, IoT security, web security and cryptography.