A Three-Factor-Based Authentication Scheme of 5G Wireless Sensor Networks for IoT System

Internet of Things (IoT) is an expanding technology that enables physical devices to interconnect with each other over a public channel. Moreover, the security of the next-generation wireless mobile communication technology, namely, 5G with IoT, has been a field of much interest among researchers in the last several years. Previously, Sharif et al. have suggested an IoT-based lightweight three-party authentication scheme, claiming that it is secure against different threats. However, it was found that the scheme could not achieve user anonymity and guarantee session key security. Additionally, the scheme fails to provide proper authentication in the login phase, and it is unable to update a new password in the password change phase. Thus, we propose an improved three-factor-based data transmission authentication scheme (TDTAS) to address the weaknesses. The formal security analysis has been proved using the Real-or-Random (RoR) model. The informal security analysis demonstrates that the scheme is secure against several known attacks and achieves more security features. In addition, the comparison of the work with other related schemes demonstrates that the proposed scheme has lower communication and storage costs.

[Figure: Communication of data in IoT framework.]

[2], [3], vehicular ad-hoc networks [4], [5], [6], and intelligent transportation system [7], [8], [9], [10]. With the support of 5G technology, the sensors are interconnected for sharing and collecting data through WSNs over public channels in the IoT environment [11]. The IoT devices gather data from their surrounding environment and send them to the server. However, secure information exchange among the participants of the IoT environment is a challenging problem due to the open nature of the wireless channel and the resource-constrained features of sensor nodes. Thus, key agreement and mutual authentication become essential security mechanisms to authenticate the participants.
The communication in WSN consists of sensor nodes, gateway nodes, and users. It is becoming critical for monitoring and data collection in a variety of industrial environments. Industrial IoT (IIoT), a subset of the larger IoT, focuses on the specialized requirements of industrial applications, such as health monitoring, agriculture, military, industrial and consumer applications, etc. [12], [13], [14], [15], [16], [17], [18], [19]. WSNs have a significant role in the IIoT to create a smart environment.
The basic communication architecture of the IoT framework is illustrated in Fig. 1. The sensor nodes are distributed randomly in the selected or inaccessible environments and constantly monitor the area to collect information, such as humidity, pressure, sound, motion, light, temperature, etc. However, the sensor node faces several issues, such as low memory, low power, and battery limitations. A user can access the sensor with the help of a gateway node, which acts as an intermediary between the user and the sensor nodes. Moreover, WSN in IoT architecture is of prominent use in 5G-enabled applications. The development of 5G promises to fulfill the need for easy access through all sorts of low-power wide area networks, such as WiFi and ZigBee [19].
It is obvious that the combination of 5G-enabled IoT devices and WSN is steadily coming closer to, and reaching deeper into, the private lives of human beings. If personal data are breached by any means, it may pose serious threats to human life. To make the system more robust, privacy preservation through anonymity along with untraceability is a common approach. Anonymity conceals the identities of any type of participant so that it is not known who accesses data at a particular time. Untraceability, on the other hand, prevents different sessions of publicly exchanged messages from being traced. Furthermore, authorization and access control additionally check access rights and privileges according to the sensitivity of the data. Therefore, privacy preservation anonymity, authorization, and access control mechanisms are important issues for securing the WSN with a 5G-enabled IoT system.

A. Related Work
Das [20] introduced a smart card (SC)-based user authentication scheme for WSNs with high efficiency, which opened a new research direction in WSN environments. Later, Das's scheme was found vulnerable to an insider attack, impersonation attack, Denial-of-Service (DoS) attack, password guessing attack, and sensor node capture attack. In addition, the scheme could not achieve key agreement, mutual authentication, and user anonymity [21], [22], [23]. Yeh et al. presented an SC-based user authentication scheme for WSNs using elliptic curve cryptography (ECC), as it requires a smaller key size and offers better security features compared to other public cryptosystems. Later, several authentication schemes have been proposed for different applications based on ECC [24], [25], [26]. However, Han showed that the scheme presented by Yeh et al. could not achieve mutual authentication, perfect forward secrecy, and did not support key agreement among user, server, and sensor [27]. To overcome the above weaknesses, Shi and Gong [28] came up with an improved ECC-based authentication scheme and claimed that their scheme is efficient and can resist several attacks. However, Shi and Gong analyzed and pointed out that the scheme in [28] fails to resist the stolen SC attack, sensor energy exhausting attack, and key sharing attack [29]. They have proposed an ECC-based authentication scheme for wireless networks with high security and better efficiency.
In 2012, Xue et al. [30] suggested a lightweight temporal-credential-based mutual authentication scheme for WSNs. In the same year, Das et al. [31] suggested a dynamic password-based authentication scheme for hierarchical WSNs in which real-time data can be accessed directly by the authorized users. However, Turkanovic and Holbl [32] pointed out the flaws in the scheme of [31] and came up with an enhanced scheme to overcome these flaws. Meanwhile, Li et al. [33] found that the scheme in [30] is susceptible to stolen-verifier, insider attack, off-line password guessing attack, and SC loss attack. Furthermore, the scheme suffers from several logged-in user's attacks. Turkanović et al. [34] proposed a user authentication scheme for WSN. Nevertheless, the scheme was vulnerable to SC attack, sensor node spoofing attack, impersonation attack, and stolen verifier attack [35]. In addition, the scheme could not achieve forward and backward secrecy. He et al. [36] demonstrated that Xu et al.'s scheme could not resist user impersonation attack, sensor node impersonation attack, modification attack, and fails to achieve user anonymity. He et al. suggested a new temporal-based mutual authentication scheme to overcome these weaknesses. Later, Jiang et al. [37] found that He et al.'s scheme suffers from user impersonation attack, stolen SC attack, tracing attack, and failed to provide user untraceability. They proposed an improved ECC-based authentication scheme and claimed that the scheme could be used for real-life applications. However, Li et al. [38] found some common flaws, namely known session-specific temporary information attack, wrong password detection, and clock synchronization problem, in schemes [30], [36], [37]. Recently, Ostad-Sharif et al. [39] pointed out that Amin et al.'s scheme and Jiang et al.'s scheme could not achieve perfect forward secrecy. Further, they proposed an authentication scheme pointing out that Amin et al.'s scheme suffers from a replay attack.
Chen et al. [40] proposed a temporal credential and dynamic ID-based secure authentication scheme for WSNs in IoT environments. In the same year, Kumar et al. [41] suggested an ECC-based three-factor authentication scheme for WSN. However, the scheme suffers from DoS attack, key compromise impersonation attack, and lack of user revocation. Later, Vinoth et al. [42] proposed a multifactor authentication scheme using the secret sharing technology. The scheme is vulnerable to DoS attacks, replay attacks, and de-synchronization attacks. Recently, Wu et al. [43] proposed a lightweight biometric-based authentication for WSN providing session key security. The existing authentication schemes, used techniques, advantages, and the used domains are listed in Table I.

B. Research Contributions
Even though the schemes proposed by different researchers for WSN have advantages, they are not completely suitable for 5G-enabled IoT environments. Further, the lack of proper standards for the IoT environment makes it susceptible to several security features. Recently, Ostad-Sharif et al. [39] proposed a lightweight three-factor-based authentication scheme for IoT networks. However, the scheme has a drawback in the session key computation, password change phase, and login phase. Thus, this study aims to improve Sharif et al.'s scheme by providing several security features while minimizing the overhead. In summary, the contributions are as follows.
1) We investigated Sharif et al.'s scheme and found various security flaws, such as violation of user anonymity, inefficient login and password change phase, and session key computation.
2) We presented an improved ECC-based authentication scheme called a three-factor-based data transmission authentication scheme (TDTAS), along with a fuzzy extractor to prevent the weakness of Sharif et al.'s scheme. Moreover, the proposed scheme provides sensor node addition and SC revocation phase.
3) The Real-or-Random (RoR) model is used for formal security analysis, which ensures the session key security of the proposed scheme. Further, informal security analysis has been accomplished to strengthen the security of our scheme.
4) In terms of computational, communication, and storage costs, the TDTAS has been thoroughly compared to various existing schemes. Furthermore, the proposed system was formally validated using the AVISPA tool.

C. Organization
The remainder of the work is organized as follows. The next section demonstrates some related mathematical preliminaries to carry out the proposed scheme. A brief study on the Sharif et al.'s scheme is discussed in Section III. Section IV demonstrates the proposed scheme, along with its various phases. The formal security analysis using the RoR model and verification of the scheme using the AVISPA tool are presented in Sections V and VI, respectively. Section VII presents the performance analysis of the proposed scheme, and Section VIII concludes the study.

II. PRELIMINARIES
This section briefly presents some preliminaries which are used as the basis of the TDTAS.

A. Hash Function
The hash function is defined as $h : \{0, 1\}^* \to Z_p^*$, which takes a variable length of random input and gives a fixed length of the output. The one-way hash function has the following features.
1) It is difficult to find any input $m$ that makes $y = h(m)$ for a given hash value $y$.
2) It is computationally infeasible to find any $m_2$ for a given

B. Indistinguishability of Encryption Under Chosen Plaintext
The standard definitions of indistinguishability of encryptions (IND), due to Goldwasser and Micali [52] and Choo [53], and of the chosen-plaintext attack (CPA) are as follows. In CPA, an adversary is allowed to encrypt plaintexts of his choice. Thus, $A_v$ can calculate a ciphertext for any plaintext with the knowledge of the public key.
Definition 2: Let there be $N$ different independent encryption oracles having several encryption keys. The advantage function of encryption is defined as where $(pk, sk)$ is the pair of public and secret keys of key generation algorithm $T$; $E$ is the encryption algorithm which takes the public key $pk$ and a message $x \in \{0, 1\}^*$ as input to produce a ciphertext $y$; and $D$ is the decryption algorithm which takes secret key $sk$ and ciphertext $y$ as input to produce message $x$. Two messages $\{mg_0, mg_1\}$ are provided by an adversary and bit $b$ is chosen by the challenger to compute the challenge ciphertext $y^*$. $A_v$ runs the encryption algorithm on the input $\{y^*, pk\}$ and outputs a guess $b'$ for $b$. If $b' = b$, then $A_v$ will win the indistinguishability game, and the advantage in playing the game is Adv IND−CPA

C. Elliptic Curve Cryptography
ECC requires a smaller key size compared to other conventional cryptography, such as RSA, DSA, and DH. The properties of ECC over a finite field are as follows.
A nonsingular elliptic curve equation is defined as
The scalar multiplication is obtained as $nP = P + P + P + \dots + P$ ($n$ times) $= O$, where $P$ is a base point on $Z_p$ and $O$ is called the identity point at infinity or zero point.

Definition 3 [Elliptic Curve Discrete Logarithm Problem (ECDLP)]:
Computing $Q = k \cdot P$ is relatively easy for given $k \in Z_p$ and $Q \in E_p$. However, given $P, Q \in E_p$, to find an integer $k \in [1, n - 1]$ such that $Q = k \cdot P$ is computationally hard.
Definition 4 [Computational Diffie-Hellman Problem (ECDHP)]: Let $P$, $aP$, and $bP$ be three points over an elliptic curve $E_p$. It is computationally infeasible to find $abP \in E_p$ without knowledge of $a$ and $b$.

D. Fuzzy Extractor
A fuzzy extractor takes the biometric as input and outputs two random numbers. Using a given biometric input $\omega$, it can extract an almost random string $\sigma$ [54]. The crucial property of a fuzzy extractor is that it extracts the same output $\sigma$ when the input changes to $\omega'$ but remains near to $\omega$. To recover $\sigma$, a uniformly random string $\theta$ will be produced from $\omega$. It requires two procedures: a probabilistic generation procedure (Gen) and a deterministic reproduction procedure (Rep).

E. Adversary Model
This section presents the adversarial model considering the following capabilities.
1) We have used the Dolev-Yao (DY) threat model in which two communicating parties can communicate with each other over an open channel [55]. An adversary $A_v$ has control over the transmitted messages during the communication. He can eavesdrop, modify, or delete the message but cannot intercept a message over the secure channel.
2) The power analysis attack or reverse engineering procedures allow $A_v$ to easily compromise the secret parameters which are stored in the SC [56], [57].
3) An adversary can be an authorized entrusted entity or an outsider.
4) Moreover, $A_v$ can guess a low entropy password, or master secret key but not simultaneously.
Table II lists the notation used throughout this article.

A. Inefficient Login Phase
In the login phase, when a valid user needs to login, he inserts his SC into the card reader and get the parameter D ι , C ι , E ι , SCN ι . In addition he gives his biometric and compute he could not compute random number RN ι as C ι is not embedded in the SC. Thus, each time the login will fail, and the valid user could not get into the server.

B. Drawback in Password Change Phase
In this phase, U ι needs to enter ID ι , PW ι , B ι into the card reader. To complete the password change phase, SC checks the user validity by checking the condition RPW ι As discussed in the previous section, the computation of random number RN ι depends upon the C ι , which is unknown to the SC. As a result, a valid user could not change his password.

C. Drawback in the Computation of Session Key
The session key of user is calculated as SK ι = h(ID ι ID sj K ι K j ), where K ι and K j are two random numbers generated by user and sensor, respectively. The parameter ID sj is not clearly mentioned, whether it is private or public. However, in both cases, the session key can be compromised. Case-1: The assumption is ID sj is private and only known to the sensor and gateway node. So, it is impossible for the U ι to compute session key using ID sj as SK ι = h(ID ι ID sj K ι K j ). Without a session key, the scheme is vulnerable to several attacks.
Case-2: Let, ID sj is public and master key X j is revealed. An adversary can eavesdrop the message = M 6 . The condition will get true and A v generate a random number K * j of its own and computes , M * 10 , T * 5 } to the GWN through an insecure channel. Upon obtaining the parameters, GWN verifies the server by checking the condition M 9 . Each time the verification will get true as ID sj is public and A v can easily fool the GWN. Thus, in case-1 the computation of session key is inefficient and in case-2 key is vulnerable.
. Thus, the scheme could not achieve user anonymity.
IV. PROPOSED SCHEME
This section presents a three-party secure data transmission authentication scheme for the IoT network. The scheme involves three parties, namely user $U_\iota$, $SN_k$, and GWN, and six phases. GWN is designed to be trustworthy and to act as a link between $U_\iota$ and $SN_k$. GWN selects a point $P$ on an elliptic curve with a large prime order $n$ from a finite field $Z_p$. Then, it chooses a master key $pk$ and computes $P_{pub} = pk \cdot P$. Finally, it stores $pk$ and publishes $\{P, P_{pub}\}$ as public.

A. Initialization Phase
In this phase, GWN preloads the secret credentials into the sensor's memory in off-line mode. The following steps are executed for initialization.
S1: GWN picks a unique identity $ID_{sj}$ for each sensor, where (sj = 0, 1, 2, 3 . . . n) and generate a master key where $ID_{gw}$ is the identity of GWN. Also, it shares a key $SK_{gs}$ with the sensor.
S2: The GWN now stores $PID_{sj}$ and $NID_k$ into the $SN_k$'s memory. In addition, the sensor has some computation power to calculate the parameters [58], [59].

B. Registration Phase
User registration is required for anyone who wants to gain access to a sensor. The description of this phase is as follows.
S1: The user first picks his identity $ID_\iota$, password $PW_\iota$, and imprints the personal biometric $BM_\iota$ at the sensor of a particular terminal. Using the fuzzy extractor Gen function, $U_\iota$ computes $Gen(BM_\iota) = (\omega_\iota, \theta_\iota)$ and the computed password $PW_{\iota 1} = h(PW_\iota \| \omega_\iota)$. $U_\iota$ further picks a random number $b$ and computes $ID_{i1}$ as $h(ID_\iota \| b)$. Afterwards, $U_\iota$ sends $\{ID_\iota, ID_{i1}, PW_{\iota 1}\}$ to the GWN through a secure channel.
S2: Upon receiving the registration message from $U_\iota$, the where $ID_{gw}$, $X_{GWN}$ are the identity and master key of the GWN. The GWN records $\{ID_{i1}, A_\iota\}$ in its database for future use and sends the SC to $U_\iota$ with the information $\{B_\iota, UID_\iota, h(\cdot)\}$ stored in the SC.
S3: After receiving the SC from the gateway node,
The registration phase of the proposed scheme is summarized in Table III.
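The Gen/Rep pair from Section II-D and step S1 of registration can be exercised together. The following is an added example, not code from the paper: the code-offset construction with a 5-fold repetition code, SHA-256 as h(·), the length-prefixed encoding of the concatenation, and the 160-bit constructed template are all assumptions, since the paper does not specify which fuzzy extractor it uses.

```python
import hashlib
import secrets

REP = 5         # assumption: each secret bit is repeated over 5 template bits
KEY_BITS = 32   # toy size: templates are KEY_BITS * REP = 160 bits


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) with length-prefixed parts; SHA-256 is an assumption."""
    return hashlib.sha256(
        b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()


def gen(bm: list[int]) -> tuple[bytes, list[int]]:
    """Gen(BM) -> (omega, theta): secret string and public helper data."""
    r = [secrets.randbelow(2) for _ in range(KEY_BITS)]
    codeword = [bit for bit in r for _ in range(REP)]
    theta = [x ^ c for x, c in zip(bm, codeword)]   # code-offset sketch
    return h(bytes(r)), theta


def rep(bm_reading: list[int], theta: list[int]) -> bytes:
    """Rep(BM', theta) -> omega when BM' has at most 2 bit errors per block."""
    noisy = [x ^ t for x, t in zip(bm_reading, theta)]
    r = [int(sum(noisy[i:i + REP]) > REP // 2)       # majority vote per block
         for i in range(0, len(noisy), REP)]
    return h(bytes(r))


def register(identity: bytes, password: bytes, bm: list[int]):
    """Step S1: build {ID, ID_i1, PW_i1}; theta is what the SC later stores."""
    omega, theta = gen(bm)
    b = secrets.token_bytes(16)                      # random number b
    message = {"ID": identity,
               "ID_i1": h(identity, b),
               "PW_i1": h(password, omega)}
    return message, theta


def login_pw1(password: bytes, bm_reading: list[int], theta: list[int]) -> bytes:
    """Recompute PW_i1 at login from a fresh, noisy biometric reading."""
    return h(password, rep(bm_reading, theta))


def flip(bits: list[int], positions: list[int]) -> list[int]:
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


def demo() -> dict:
    # Constructed sample template; a real BM would come from a sensor.
    bm = [secrets.randbelow(2) for _ in range(KEY_BITS * REP)]
    msg, theta = register(b"alice", b"correct horse", bm)
    same_finger = flip(bm, [0, 1, 7, 42, 158])   # at most 2 errors per block
    bad_reading = flip(bm, [0, 1, 2])            # 3 errors in block 0
    return {
        "noisy_ok": login_pw1(b"correct horse", same_finger, theta) == msg["PW_i1"],
        "too_noisy": login_pw1(b"correct horse", bad_reading, theta) == msg["PW_i1"],
        "wrong_pw": login_pw1(b"guess", same_finger, theta) == msg["PW_i1"],
    }


if __name__ == "__main__":
    print(demo())
```

A repetition code keeps the sketch short but leaks more about the template through θ than a production fuzzy extractor would; it is used here only to make the Gen/Rep behaviour observable.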

C. Login and Authentication Phase
In this phase, a user enters his login details, which are authenticated by servers. $U_\iota$ performs the following steps to execute the phase.
S1: $U_\iota$ inserts the provided SC into the card reader and inputs his $ID_\iota$, $PW_\iota$, and imprints his biometric $BM_\iota$ at the sensor of the terminal. SC recovers biomet- . Then, the SC selects a random number $N_1$ and computes h(ID gw X GWN N 1 ) if the condition is satisfied. Now, $U_\iota$ sends the login message $\{M_2, M_4, UID_\iota, T_1\}$ to GWN through the public channel, where $T_1$ is the current time stamp.
S2: When GWN receives the login message, it first checks the timeliness of the received time stamp with the condition $T_1^* - T_1 \le \Delta T$, where $T_1^*$ is the received time stamp and $\Delta T$ is the maximum transmission delay. If the condition is true, If the condition fails, GWN rejects the session. Otherwise, generate a random number $\alpha$ and computes . Now, GWN sends the message $\{G_1, G_2, G_4, T_2\}$ to the $SN_k$ through the public channel.
S3: Upon receiving the message at time $T_2^*$, $SN_k$ checks the validity of $T_2$ with the condition $T_2^* - T_2 \le \Delta T$. If the condition fails, the session is rejected. Otherwise, $SN_k$ computes $\alpha^* = G_1 \oplus NID_k$ and verifies G * where $\beta$ is the random number and sends $\{S_2, S_4, S_5, S_6, T_3\}$ to the $U_\iota$ through the public channel.
Table IV summarizes the login and authentication phase of our scheme.

D. Password Change Phase
This phase is needed to replace the old password of a valid user with a new password. The details are illustrated below. S1: $U_\iota$ first inserts his SC and enters his $ID_\iota$, $PW_\iota$ and $BM_\iota$.

F. Smart Card Revocation Phase
This phase is important to revoke the SC if it is lost or stolen. The phase is depicted in detail below.
S1: When the SC is lost or stolen, $U_\iota$ creates a registration message with the same user identity $ID_\iota$ and a new random number $b^{nw}$. Then, sends $\{ID_\iota, (ID^{nw}_{i1}), PW_{\iota 1}\}$ to the GWN for a new SC.
S2: Upon receiving the message, GWN searches for the $ID_\iota$. If it exists, then computes A nw

V. SECURITY ANALYSIS OF THE PROPOSED SCHEME
This section includes formal and informal security analysis, demonstrating that the proposed scheme can withstand several well-known attacks.

A. Formal Security Analysis Using RoR Model
We apply a widely accepted RoR standard model, which is used to prove the session key security of the scheme [60]. For the formal proof, there are three participants that are user U ι , gateway node GWN, and sensor SN k involved in the proposed scheme TDTAS. The definitions are described as follows.
Participants: We denote three instances $\vartheta^{s}_{u_\iota}$, $\vartheta^{u}_{gwn}$, and $\vartheta^{v}_{sn_k}$ of participants $U_\iota$, GWN, and $SN_k$, respectively. $\vartheta^{t}$ is the union of all participants and any participant instance $t$ of $\vartheta^{t}$ is an oracle. Each oracle has three states: accept, reject, and ⊥. If the oracle receives the correct message, then it reaches an accept state. When the oracle receives an erroneous message, it enters the reject state. If no decision or result is obtained, the oracle enters the ⊥ state.
Partnering: Any two instances, $\vartheta^{t1}$ and $\vartheta^{t2}$, are partnered if both instances are mutually authenticated to each other, share the same session key $sk_u$ or $sk_s$, and both are in accepted states. Each participant may run the protocol several times and may obtain a session key.
Adversary ($A_v$): An adversary uses the DY model, which allows him to eavesdrop, modify, insert, or delete the transmitted message during the communication [55]. $A_v$ can perform many oracle queries, defined in the following.

4) Test(ϑ t ):
This query simulates the session key by flipping an unbiased coin $b$. If $b = 1$, the correct session key is returned and if $b = 0$, a random binary string is returned. If ($\vartheta^{s}_{u_\iota}$ / $\vartheta^{v}_{sn_k}$) has not generated their session key, then ⊥ is returned.
Semantic Security: $A_v$ may interact with the instances by determining the value of a bit $b$. If $A_v$ guesses the queries correctly, then the scheme fails to provide semantic security. Otherwise, he wins the game. Let $S$ denote the event in which $A_v$ wins. In breaking the semantic security of the scheme, $A_v$ has an advantage $Adv^{TDTAS}_{p} = |2 \cdot P[S] - 1|$.
Theorem 1: Let $E_p$, $D_1$, $D_2$, and $D_3$ be an elliptic curve group and uniformly distributed dictionaries of $ID_\iota$, $PW_\iota$, and $BM_\iota$, respectively. $|D_1|$, $|D_2|$, and $|D_3|$ denote the size of $D_1$, $D_2$, and $D_3$, respectively. Thus, we obtain where $q_h$, $q_s$, and $q_e$ represent the hash, Send, and Execute queries, respectively. 2 l is the string length of the hash results and $t' = t + (3q_e + q_s)T_e$ where $T_e$ represents the time required to compute one modular exponentiation.
Proof: There are four games. (1) Game 1: In this game, all the oracles are used. An adversary $A_v$ launches a passive attack by the Send($\vartheta^{t}$, m) and Execute($\vartheta^{s}$, $\vartheta^{v}$) oracles. $A_v$ has to decide the value of $b$ in the Test($\vartheta^{t}$) oracle. The session key is computed by using $N_1$, $\beta$, $ID_\iota$, $PW_\iota$, $X_{GWN}$. The adversary tries to extract these values from {msg1, msg2, msg3}. $A_v$ cannot compute the session key without corrupting the SC and GWN's database. The user identity, biometric, and GWN's master key remain unknown to the adversary. So, the eavesdropping attack does not provide any advantage compared to Game 0. Thus, we have (2) Game 3: In this game, the simulation of the Corrupt(SC) query has been added. $A_v$ receives SC information by querying Corrupt(SC). Then, $A_v$ attempts a dictionary attack with possible password and biometric information in $D_2$ and $D_3$. Now, $A_v$ fakes the login message and sends the corresponding query to the server. The password guessing probability for $A_v$ is $(q_s/|D_2|)$, while that of the biometric template is $(q_s/|D_3|)$. Then, we have Considering all the above games, $A_v$ is only left to guess the bit $b$ to win the game. Thus, we have From (1) and (2), we obtain By dividing by 2 on both sides, we get Putting the value of (1/2), we have Using (3), (4), and the triangle inequality we can get the following equation: From (5) and (9) $|P[S_1] - P[S_4]| \le \frac{(q_s + q_e)^2}{2(q - 1)}$

B. Informal Security Analysis
The informal security analysis of TDTAS is discussed as follows.
1) User Anonymity: A valid user never sends $ID_\iota$ in plain text to GWN or $SN_k$ during the login and authentication phase. Even if an adversary eavesdrops on the message, he is unable to extract $ID_\iota$, as it is either encrypted or protected by a one-way hash function. Thus, the TDTAS achieves user anonymity.
2) Sensor Node Anonymity: In the TDTAS, the identity of the sensor node $ID_{sj}$ is not revealed during communication. Thus, an adversary could not get $ID_{sj}$ directly from the transmitted message. Furthermore, GWN encrypts $G_3$ with $PID_{sj}$, where $PID_{sj} = h(ID_{sj} \| k)$ is protected with a one-way hash function and $k$ is the master key of the GWN. Thus, the TDTAS achieves sensor node anonymity.
3) Stolen Smart Card Attack: Let an adversary retrieve the sensitive information $\{B_\iota, L_\iota, UID_\iota, \theta_\iota, h(\cdot)\}$ from the SC using a power analysis attack and try to get $ID_\iota$ and $PW_\iota$ from $\{B_\iota, L_\iota\}$. However, it is computationally hard for $A_v$ as $L_\iota = h(ID_\iota \| PW_{\iota 1} \| B_\iota \| \omega_\iota)$ and where $ID_\iota$ and $PW_\iota$ are protected with a one-way hash function. Thus, the TDTAS is resilient against the stolen SC attack.
4) Replay Attack: Assume that an adversary captures all login and authentication messages transmitted through an open channel and tries to replay the same message after some time. However, it is difficult to send the same message as GWN, $SN_k$, and $U_\iota$ check the validity of the time stamp. Further, suppose $A_v$ generates a new timestamp; he can still be detected by checking the correctness of $M^* = h(ID_{sj} \| PID_{sj} \| \alpha^* \| T_2)$. The proposed scheme hence resists the replay attack.
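The two checks named in the replay argument (time stamp freshness, then the hash that binds $T_2$ to $\alpha^*$) can be shown on the GWN-to-sensor message. This is an added example, not code from the paper: only $G_1$, $T_2$ and the check value $h(ID_{sj} \| PID_{sj} \| \alpha^* \| T_2)$ are modelled, the field name `check`, SHA-256 as h(·), the value of `DELTA_T` and the sample identifiers are assumptions.

```python
import hashlib
import hmac
import secrets

DELTA_T = 5  # maximum transmission delay in seconds (assumed value)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...) with length-prefixed parts; SHA-256 is an assumption."""
    return hashlib.sha256(
        b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ts(t: int) -> bytes:
    return t.to_bytes(8, "big")


def gateway_send(id_sj: bytes, pid_sj: bytes, nid_k: bytes, t2: int) -> dict:
    """GWN side: fresh alpha, masked with NID_k, bound to T_2 by the hash."""
    alpha = secrets.token_bytes(32)
    return {"G1": xor(alpha, nid_k),
            "check": h(id_sj, pid_sj, alpha, ts(t2)),  # hypothetical field name
            "T2": t2}


def sensor_verify(msg: dict, id_sj: bytes, pid_sj: bytes,
                  nid_k: bytes, now: int) -> str:
    """SN_k side, in the order the text gives: freshness first, then hash."""
    age = now - msg["T2"]
    # age > DELTA_T is the paper's condition; rejecting age < 0 (a time stamp
    # from the future) is an added check that the paper does not state.
    if age > DELTA_T or age < 0:
        return "reject: stale timestamp"
    alpha_star = xor(msg["G1"], nid_k)                 # alpha* = G1 xor NID_k
    expected = h(id_sj, pid_sj, alpha_star, ts(msg["T2"]))
    if not hmac.compare_digest(expected, msg["check"]):
        return "reject: hash mismatch"
    return "accept"


def demo() -> list[str]:
    # Constructed sample credentials preloaded into the sensor.
    id_sj = b"sensor-07"
    pid_sj = secrets.token_bytes(32)
    nid_k = secrets.token_bytes(32)
    t0 = 1_700_000_000
    msg = gateway_send(id_sj, pid_sj, nid_k, t0)

    results = []
    # 1. Genuine delivery one second after sending.
    results.append(sensor_verify(msg, id_sj, pid_sj, nid_k, now=t0 + 1))
    # 2. Captured message replayed unchanged one minute later.
    results.append(sensor_verify(msg, id_sj, pid_sj, nid_k, now=t0 + 60))
    # 3. Captured message replayed with only the time stamp rewritten.
    forged = dict(msg, T2=t0 + 60)
    results.append(sensor_verify(forged, id_sj, pid_sj, nid_k, now=t0 + 60))
    # 4. Captured message replayed unchanged inside the DELTA_T window.
    results.append(sensor_verify(msg, id_sj, pid_sj, nid_k, now=t0 + 3))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In this sketch a verbatim replay that arrives within `DELTA_T` still passes both checks, so the chosen delay bound is the size of the replay window.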

5) Insider Attack:
In an insider attack, a privileged insider such as a system administrator may get the user's information and try to log in to the accounts of a valid user. However, in TDTAS, the valid user transmits the password as $PW_{\iota 1} = h(PW_\iota \| \omega_\iota)$ instead of the original password. The generated password is also secured with a one-way hash function that is computationally hard to recover. Thus, neither an insider nor the registration center knows about the original password.
= h(ID * ι h(ID gw X GWN ) N 1 T 1 ), where $ID_\iota$, h(ID gw X GWN ) are only known to the valid user and gateway node. Similarly, $ID_{sj}$ and $PID_{sj}$ are only known to the sensor node and gateway node. $SN_k$ could find any modified message from GWN to Sj. Thus, the TDTAS is secured from man-in-the-middle (MIM) attacks.

7) Known Session-Specific Temporary Information Attack:
The session key is computed as $SK_c = h(PID_{sj} \| M_1 \| S_1)$, where $S_1 = \beta \cdot G_3$, $G_3 = \alpha \cdot P_{pub}$. Let the two random numbers $\alpha$ and $\beta$ be revealed. However, it is impossible to compute the session key, as the adversary needs $PID_{sj}$ and $M_1$, where $M_1 = N_1 \cdot P_{pub}$. To compute the session key, $A_v$ has to obtain $PID_{sj}$ and $N_1$ simultaneously, which is an infeasible task. As a result, if two random numbers are compromised, no prior session key will be revealed.
8) User Impersonation Attack: In the TDTAS, to generate a valid login message {M 2 , M 4 , UID ι , T 1 }, A v needs to know ID ι , ID gw , N 1 , X GWN where N 1 and X GWN are the random number and master key generated by the GWN and U ι , respectively. To guess both ID ι and PW ι simultaneously is an infeasible work for him. Again, to compute PW ι1 adversary needs user's biometric which is impossible for A v . Thus, user impersonation attack is not possible in our scheme.

9) Ephemeral Secret Leakage Attack:
In an ephemeral secret leakage attack, if an adversary can reveal the private keys, then the session key would turn out to be known from the eavesdropped messages. In the proposed scheme, even if the private key is revealed, the session key cannot be revealed, as $M_1$ and $S_1$ are used for its computation. As $N_1$ and $\beta$, which are random in nature, are used to compute the session key, the session key will be different for each session. Thus, the proposed scheme can resist the ephemeral secret leakage attack.
10) Session Key Security: The session key security includes perfect forward secrecy and known key secrecy.
Perfect Forward Secrecy: Suppose the session key is compromised, and an adversary has obtained the random numbers $\alpha$ and $\beta$, which are used to compute the session key. However, the compromise of one session key will not reveal any other previous session key, as $A_v$ needs $ID_\iota$, $PW_{\iota 1}$, $ID_{gw}$, $X_{GWN}$ to compute the session key. Thus, the TDTAS achieves perfect forward secrecy.
Known Key Secrecy: For known key secrecy, even if the master key is revealed, the session key cannot be computed. Although S 2 and Pub are obtained by an adversary, finding $\beta$ is computationally hard (Definition 3). Besides, due to the two random numbers, the session key will be different in each session. Thus, the TDTAS provides known key secrecy.
= h(SK * c NID k SK gs ), respectively. If any one of the conditions is not satisfied, then the session is aborted. Thus, TDTAS provides mutual authentication.
12) Three-Factor Security: Three-factor security includes password, SC, and biometric information.
Case 1: The assumption is that $A_v$ has the SC information and password of a valid user. However, he is unable to obtain the user's identity using this information, as biometric information is used.

Case 2:
The assumption is A v has SC information, biometric, and the login message {M 2 , M 4 , UID ι , T 1 }. Also, he could retrieve ω * ι = Rep(BM i , θ ι ) using biometric and Rep function. Now, he could derive ID ι and PW ι by verifying To guess both ID ι and PW ι in polynomial time is an infeasible work for him.
Case 3: Assume that an adversary has a password and biometric and attempt to derive ID ι . However, he could not derive without knowledge of B ι . Again, it is an infeasible work, as ID ι is protected with a hash function. Thus, TDTAS provides three-factor security.
13) Efficient Login Phase: In an authentication scheme, an efficient login phase is achieved when the SC can identify incorrect input, so that there is no need to contact the server to identify the incorrect input. In the TDTAS, for the efficient login, SC verifies the condition L * Thus, an adversary needs to know identity, password, and biometric simultaneously to satisfy the condition, which is an infeasible work for him. Hence, the TDTAS achieves an efficient login phase.
14) Efficient Password Change Phase: In the TDTAS, the user can change his biometrics and password without contacting GWN. Since the SC could verify correctness of identity, password, and biometrics and replaces PW ι1 , L ι with PW new ι1 , L new ι into the SC's memory without involvement of GWN. Hence, the TDTAS provides an efficient password and biometry change phase.

VI. FORMAL SECURITY VERIFICATION USING AVISPA TOOL
This section presents the simulation of the proposed scheme using the AVISPA tool [61], [62], [63]. It is a GUI-based tool for automated validation of security protocols, which ensures the formal verification against several attacks. The AVISPA tool needs the scheme to be specified in a role-oriented language called High-Level Protocol Specification Language (HLPSL). It has two major roles, namely, basic role and composition role. The basic role describes each participant involved in the scheme and the composition role represents the scenario of participants. The protocol specification is given as input to the HLPSL2IF translator, which takes the HLPSL specification as input and produces the intermediate form (IF) as output. IF is a lower-level specification than HLPSL and can be read directly by the AVISPA backend tools. After the protocol has been properly accomplished, one of the four AVISPA backend tools generates the output format (OF). Depending on the OF, the result is produced as SAFE or UNSAFE.
OFMC, CL-Atse, SATMC, and TA4SP are the four backends included. The suggested approach has been tested using two different backends: 1) OFMC and 2) CL-Atse, with the results reported in Fig. 2(a) and (b). The results confirm that TDTAS is secure under the DY model.

VII. PERFORMANCE COMPARISON OF THE PROPOSED SCHEME
This section presents the performance evaluation of our scheme against other relevant schemes in terms of computation, communication, and storage cost as well as the security features of the scheme. Fig. 3 provides a comparative analysis of the suggested scheme's computing cost with other relevant schemes. We denote $T_{HS}$, $T_{EP}$, and $T_{EN}$ as the computational time required for a cryptographic one-way hash function, elliptic curve point multiplication, and symmetric encryption/decryption functions with values 0.0000464, 0.02314, and 0.00258 s, respectively. The computational cost of the proposed scheme for the user is $5T_{HS} + 1T_{EP}$, for the gateway node $6T_{HS} + 2T_{EP}$, and for the sensor node $5T_{HS} + 2T_{EP}$. Thus, the total cost of TDTAS is $16T_{HS}$ + 5T [64] and Wang et al. [65] have more computational cost compared to the proposed scheme. Though TDTAS needs a little more time, this is justified because the proposed scheme provides more functionality features, better security, and lower communication and storage cost as compared to other related schemes.
The efficiency of the TDTAS is also analyzed in terms of the communication costs associated with sending messages throughout the login and authentication phases. We consider the length of the identity/password/nonce/time stamp to be 32 bits, encryption/decryption 128 bits, and hash function/ECC 160 bits. In the proposed scheme, four messages are exchanged among $U_i$, $GWN_i$, and $SN_k$. Fig. 4. Fig. 5 shows the comparative study on storage costs for the proposed TDTAS and other existing schemes. The storage cost is calculated as $\{B_\iota, L_\iota, UID_\iota, \theta_\iota\}$ = 352 bits.

VIII. CONCLUSION
This article presents the security weaknesses of Sharif et al.'s scheme. We pointed out that the scheme lacks a working password change function, has an inefficient login phase, and could not achieve user anonymity. Besides, the scheme could not guarantee session key security, which leaves it vulnerable to several passive and active attacks. We proposed a three-party-based authentication scheme for 5G-enabled IoT environments along with a fuzzy extractor. The security analysis results show that TDTAS can resist most of the known attacks and achieves the security features. Unlike existing schemes, the formal security analysis of the proposed scheme has been proved under the RoR model. Moreover, the informal security analysis indicates that the scheme is secure and robust. The formal verification of our scheme has been done using the widely accepted AVISPA tool. In future work, we plan to simulate our scheme using the NS-2 tool to evaluate its efficiency. In addition, the computational cost associated with the proposed scheme may be reduced further. Moreover, research is needed to enhance the capability of the proposed scheme for secure communication among IoT devices to achieve desired performance metrics, such as transmission delay, throughput, QoS, etc.

Sujata Mohanty received the Ph.D. degree in com-