Secure Three-Factor Authentication Protocol for Multi-Gateway IoT Environments

3.1. Threat Model

3.2. Fuzzy Extraction

3.3. System Model

• Users: A user who wants to use the IoT service receives a smartcard from the control server to access the multi-gateway. After registration, login, and authentication, the user has access to use the IoT service. The users’ smartcard can be lost or stolen by an attacker.
• Gateways: The gateways consist of IoT environments such as smart homes, smart buildings, smart offices, and gateways. We assume that the gateway and IoT environments are connected in advance by a wireless network through a secure authentication. The performance of the gateways is approximately the performance of the server computer.
• Control Server: The control server is a trusted authentication server with sufficient computation power to compute complicated hash and exclusive functions or store security parameters. The control server stores the identities of the legitimate gateways in advance, and we assume that an attacker can never attack the control server.

3.4. Notations

4.1. Registration Phase

Step 1:

$S_j$ requests registration to the $CS$. $S_j$ sends its identity $SI{D}_j$ to $CS$ through a secure channel, then $CS$ computes $Serinfo{r}_j$ and sends this to $S_j$.

Step 2:

$U_i$ chooses the $I{D}_i$, and $P{W}_i$, computes $EncPas{s}_i=h(I{D}_i\Vert h\left(P{W}_i\right))$ and sends the message $(I{D}_i,EncPas{s}_i)$ and $UI{D}_i$, which is an anonymity value of $U_i$, to $CS$ through a closed channel.

Step 3:

$CS$ receives the message from $U_i$. $CS$ computes the secret information value $Userinfo{r}_i=h(EncsPas{s}_i\Vert x)$, stores $\{UI{D}_i,Userinfo{r}_i,EncPas{s}_i,h(*),h\left(x\right)\}$ in the smartcard, and stores $Userinfo{r}_i$, $UI{D}_i$ and $statusbit$ in the verifier table. Then, $CS$ issues the smartcard to $U_i$.

4.2. Login and Authentication Phase

Step 1:

$U_i$ inputs his/her $I{D}_i$ and $P{W}_i$ and inputs the smartcard into a smartcard reader. The smartcard computes $EncPas{s}_i^{{}^{\prime }}=h(I{D}_i\Vert h\left(P{W}_i\right))$. Then, the smartcard checks whether $EncPas{s}_i\stackrel{?}{=}EncPas{s}_i^{{}^{\prime }}$. If it is equal, $U_i$ generates a random number $N_{i1}$ and computes $A_i=Userinfo{r}_i\oplus h\left(x\right)\oplus N_{i1}$, $Ver{u}_i=h(h\left(x\right)\Vert N_{i1})$. Then, $U_i$ generates $Ts$ to prevent a replay attack. Finally, $U_i$ sends the login request message $\{UI{D}_i,A_i,Ver{u}_i,Ts\}$ to $S_j$ through a secure channel.

Step 2:

If $S_j$ receives the login request message, $S_j$ generates a random number $N_{i2}$ and computes $B_i=Serinfo{r}_j\oplus N_{i2}$, $Ver{s}_i=h\left(h\right(SI{D}_j\Vert x)\Vert N_{i2})$. Then, $S_j$ sends the login request message $\{UI{D}_i,A_i,Ver{u}_i,B_i,Ver{s}_i,SI{D}_j,Ts\}$ to $CS$ through an open channel.

Step 3:

After $CS$ receives the login request message from $S_j$, $CS$ computes $T{s}^{{}^{\prime }}=Ts+1$ and checks $\mathsf{\Delta }Ts\ge T{s}^{{}^{\prime }}-Ts$ to see whether the login request message is legitimate. If it is valid, $CS$ computes $Serinfo{r}_j^{{}^{\prime }}=h(SI{D}_j\Vert x)$, $N_{i2}^{{}^{\prime }}=Serinfo{r}_i^{{}^{\prime }}\oplus B_i$, $Ver{s}_i^{{}^{\prime }}=h\left(h\right(SI{D}_j\Vert x)\Vert N_{i2}^{{}^{\prime }})$. Then $CS$ compares $Ver{s}_i\stackrel{?}{=}Ver{s}_i^{{}^{\prime }}$ to check that the message from $S_j$ is valid. If it is equal, $CS$ retrieves $Userinfo{r}_i$ from the verifier table using $UI{D}_i$ from the login request message. Then, $CS$ computes $N_{i1}^{{}^{\prime }}=Userinfo{r}_i\oplus h\left(x\right)\oplus A_i$, $Ver{u}_i^{{}^{\prime }}=h(h\left(x\right)\Vert N_{i1}^{{}^{\prime }})$. If $Ver{u}_i\stackrel{?}{=}Ver{u}_i^{{}^{\prime }}$ is correct, $CS$ selects a random number $N_{i3}$ and generates a session key $S{K}_i=h\left(h\right(A_i\Vert h\left(x\right))\oplus h(N_{i1}\oplus N_{i2}\oplus N_{i3}))$. $CS$ generates time stamp $Ts$ and computes $C_i=N_{i1}\oplus N_{i3}\oplus h(SI{D}_j\oplus N_{i2})$, $D_i=h(A_i\Vert h\left(x\right))\oplus h(SI{D}_j\oplus N_{i2})$, $E_i=N_{i2}\oplus N_{i3}\oplus h(A_i\Vert h\left(x\right))$. Finally, $CS$ sends an authentication message $\{C_i,D_i,E_i,Ts\}$ to $S_j$.

Step 4:

After $S_j$ receives the message from $CS$, $S_j$ computes ${(N_{i1}\oplus N_{i3})}^{{}^{\prime }}=C_i\oplus h(SI{D}_j\oplus N_{i2})$, $h(A_i{\left|\right|h\left(x\right))}^{{}^{\prime }}=D_i\oplus h(SI{D}_j\oplus N_{i2})$. $S_j$ generates a session key $S{K}^{{}^{\prime }}=h\left(h\right(A_i{\left|\right|h\left(x\right))}^{{}^{\prime }}\oplus h(N_{i1}\oplus N_{i2}\oplus N_{i3}){)}^{{}^{\prime }}$. Then, $S_j$ computes $E_i=(N_{i2}\oplus N_{i3})\oplus h(A_i\Vert h\left(x\right))$ and sends an authentication message $\{E_i,Ts\}$ to $U_i$.

Step 5:

After receiving the message from $S_j$, $U_i$ computes $T{s}^{{}^{\prime }}=Ts+1$ and checks whether $\mathsf{\Delta }Ts\ge T{s}^{{}^{\prime }}-Ts$. If it is correct, $U_i$ computes ${(N_{i2}\oplus N_{i3})}^{{}^{\prime }}=E_i\oplus h(A_i\Vert h\left(x\right))$ and generates a session key $S{K}^{{}^{\prime \prime }}=h\left(h\right(A_i\Vert h\left(x\right))\oplus h(N_{i1}\oplus N_{i2}\oplus N_{i3}){)}^{{}^{\prime }}$. Therefore, $U_i$, $S_j$, and $CS$ generate the same session key, so they can perform the authentication.

4.3. Password Change Phase

Step 1:

The $U_i$ inserts his/her smartcard into a card reader and inputs $I{D}_i$ and $P{W}_i$. Then, $U_i$ sends the $\{I{D}_i,P{W}_i\}$ to the smartcard reader through the closed channel.

Step 2:

After receiving the values from $U_i$, the smartcard computes $EncPas{s}_i=h(I{D}_i\Vert h\left(P{W}_i\right))$, $Userinfo{r}_i^{{}^{\prime }}=h(EncPas{s}_i\Vert x)$. The smartcard verifies whether $Userinfo{r}_i^{{}^{\prime }}\stackrel{?}{=}Userinfo{r}_i$. If it is equal, the smartcard requests a new password.

Step 3:

$U_i$ inputs a new password $P{W}_i^{new}$ and generates $EncPas{s}_i^{new}=h(I{D}_i\Vert h\left(P{W}_i^{new}\right))$. Then, $U_i$ inputs $EncPas{s}_i^{new}$ into the smartcard.

Step 4:

The smartcard computes $Userinfo{r}_i^{new}=h(EncPas{s}_i^{new}\Vert x)$ by using $EncPas{s}_i^{new}$. The smartcard updates $Userinfo{r}_i$ to $Userinfo{r}_i^{new}$ and replaces $Userinfo{r}_i$. Finally, the user $U_i$ changes his/her password.

5.1. User Impersonation Attack

Step 1:

$U_a$ obtains $\{Userinfo{r}_i,h\left(x\right)\}$, $\{A_i,Ts\}$ from the smartcard of $U_i$ and the previous session, respectively.

Step 2:

$U_a$ computes $N_{i1}=A_i\oplus Userinfo{r}_i\oplus h\left(x\right)$ and obtains a random nonce $N_{i1}$. Then $U_a$ computes $Ver{u}_i=h(h\left(x\right)\Vert N_{i1})$.

Step 3:

$U_a$ computes $A_i=Userinfo{r}_a\oplus h\left(x\right)\oplus N_{a1}$, $Ver{u}_a=h(h\left(x\right)\Vert N_{a1})$. Finally, $U_a$ can generate a login request message $\{UI{D}_i,A_i,Ver{u}_a,Ts\}$ successfully.

5.2. Server Spoofing Attack

Step 1:

$U_a$ obtains transmitted messages $\{E_i,Ts\}$ in the previous session and extracts $h\left(x\right)$ from the smartcard of an authorized user.

Step 2:

$U_a$ computes $h(A_i\Vert h\left(x\right))$ and obtains $(N_{i2}\oplus N_{i3})$. After that, $U_a$ computes $E_i=(N_{i2}\oplus N_{i3})\oplus h(A_i\Vert h\left(x\right))$.

Step 3:

Finally, $U_a$ generates authentication messages $\{E_i,Ts\}$ successfully.

5.3. Session Key Disclosure Attack

5.4. Mutual Authentication

6.1. Registration Phase

Step 1:

$G_j$ requests registration to the $CS$. $G_j$ selects $GI{D}_j$ and sends the value to $CS$ through a secure channel, then $CS$ computes $PI{D}_j=h(GI{D}_j\Vert h(x\Vert y))$ and sends $PI{D}_j$ to $G_j$ via a secure channel. $G_j$ stores $PI{D}_j$ in itself.

Step 2:

$U_i$ chooses the his/her identification $I{D}_i$ and password $P{W}_i$ and imprints biometrics $BI{O}_i$. Then $U_i$ generates a random number $a_i$, computes $<R_i,P_i>=Gen\left(BI{O}_i\right)$, $HIDi=h(I{D}_i\Vert a_i))$, which is an anonymity value of $U_i$, and $HP{W}_i=h(I{D}_i\Vert P{W}_i\Vert a_i)$, and sends the message $\{HI{D}_i,HP{W}_i,a_i\}$ to $CS$ through closed channel.

Step 3:

After $CS$ receives the message from $U_i$, $CS$ computes the secret information value $U{I}_i=h(HI{D}_i\Vert a_i\Vert x)$, $A_i=U{I}_i\oplus h\left(HP{W}_i\right)$, $B_i=h(U{I}_i\Vert A_i)$, and $X_i=h(U{I}_i\Vert x)$. Then, $CS$ stores $\{A_i,B_i,X_i,h(*)\}$ in the smartcard, and stores $U{I}_i$ with $HI{D}_i$ in the database. Then $CS$ issues the smartcard to $U_i$.

Step 4:

After receiving the smartcard from $CS$, $U_i$ computes $L_i=h(R_i\Vert P{W}_i)\oplus a_i$. Then $U_i$ inputs $L_i$ and $P_i$ in the smartcard.

6.2. Login and Authentication Phase

Step 1:

$U_i$ inserts the smartcard, his/her $I{D}_i$ and $P{W}_i$, and biometric $BI{O}_i$. The smartcard computes $R_i=Rep(BI{O}_i,Pi)$, $a_i=L_i\oplus h(R_i\Vert P{W}_i$), $HI{D}_i=h(I{D}_i\Vert a_i)$, $HP{W}_i=h(I{D}_i\Vert P{W}_i\Vert a_i)$, $U{I}_i=A_i\oplus h\left(HP{W}_i\right)$, $B_i^{*}=h(U{I}_i\Vert A_i)$. Then, the smartcard checks whether $B_i^{*}\stackrel{?}{=}{B}_i$ to check whether the user is legitimate. If it is valid, $U_i$ generates a random number $N_i$ and computes $C_i=U{I}_i\oplus N_i$, $V{U}_i=h(X_i\Vert N_i\Vert GI{D}_j)$. Finally, $U_i$ sends the login request message $\{HI{D}_i,C_i,V{U}_i\}$ to $G_j$ through a public channel.

Step 2:

After receiving a login request message, $G_j$ generates a random number $N_j$ and computes $D_i=G{I}_j\oplus N_j$, $V{S}_j=h(GI{D}_j\Vert G{I}_j\Vert N_j)$. Then, $G_j$ sends the login request message $\{HI{D}_i,C_i,PI{D}_j,D_i,V{S}_j\}$ to $CS$ via an open channel.

Step 3:

After $CS$ receives the login request message from $G_j$, $CS$ computes $G{I}_j=h(PI{D}_j\Vert h(x\Vert y))$, $N_j=D_i\oplus G{I}_j$ and compares $V{S}_j^{*}\stackrel{?}{=}V{S}_j$ to see whether $G_j$’s login request message is legitimate. If it is equal, $CS$ retrieves $U{I}_i$ from the verifier table using $HI{D}_i$ of the login request message. Then, $CS$ computes $X_i=h(U{I}_i\Vert x)$, $N_i=C_i\oplus U{I}_i,V{U}_i^{*}=h(X_i\Vert N_i\Vert GI{D}_j)$. Then $CS$ compares $V{U}_i^{*}\stackrel{?}{=}V{U}_i$ to check that the message from $U_i$ is valid. If it is valid, $CS$ generates a random number $N_c$ and computes $E_i=G{I}_j\oplus N_c$, $F_i=G{I}_j\oplus N_i$. $CS$ computes $M_{cg}=h(E_i\Vert G{I}_j\Vert N_c)$ to mutually authenticate with $G_j$ and $M_{cu}=h(X_i\Vert U{I}_i\Vert N_i)$ to authenticate with $U_i$ and generates a session key $SK=h(N_i\oplus h(N_j\Vert N_c\left)\right)$. $CS$ updates $HI{D}_i$ to $HI{D}_i^{new}=h(HI{D}_i\Vert N_i\Vert h(N_j\Vert N_c\left)\right)$ and $U{I}_i$ to $U{I}_i^{new}=h(HI{D}_i^{new}\Vert N_i\Vert U{I}_i)$, then replaces $HI{D}_i$ and $U{I}_i$. Finally, $CS$ sends the authentication message $\{M_{cg}$, $M_{cu}$, $E_i$, $F_i\}$ to $G_j$.

Step 4:

After $G_j$ receives the authentication message from $CS$, $G_j$ computes $N_c=E_i\oplus G{I}_j$, $M_{cg}^{*}=h(E_i\Vert G{I}_j\Vert N_c)$.Then, $G_j$ compares $M_{cg}^{*}\stackrel{?}{=}{M}_{cg}$ to verify whether the message from $CS$ is legitimate. If it is valid, $G_j$ computes $N_i=F_i\oplus G{I}_j$ and generates a session key $SK=h(N_i\oplus h(N_j\Vert N_c\left)\right)$. Then, $G_j$ computes $G_i=h(GI{D}_j\Vert N_i)$, $H_i=G_i\oplus h(N_j\Vert N_c)$ and sends the authentication message $\{H_i,M_{cu}\}$ to $U_i$.

Step 5:

After receiving the message from $G_j$, $U_i$ computes $M_{cu}^{*}=h(X_i\Vert U{I}_i\Vert N_i)$ and verifies whether $M_{cu}^{*}\stackrel{?}{=}{M}_{cu}$. If it is valid, $U_i$ computes $G_i^{*}=h(GI{D}_j\Vert N_i)$, $h(N_j\Vert N_c)=H_i\oplus G_i^{*}$ and generates a session key $SK=h(N_i\oplus h(N_j\Vert N_c\left)\right)$. Therefore, $U_i$, $S_j$, and $CS$ generate the same session key, so they can perform the authentication. $U_i$ updates $HI{D}_i$ to $HI{D}_i^{new}=h(HI{D}_i\Vert N_i\Vert h(N_j\Vert N_c\left)\right)$ and $U{I}_i$ to $U{I}_i^{new}=h(HI{D}_i^{new}\Vert N_i\Vert U{I}_i)$, then replaces $HI{D}_i$ and $U{I}_i$. The smartcard updates $A_i^{new}=U{I}_i^{new}\oplus h\left(HPW\right),B_i^{new}=h(U{I}_i^{new}\Vert A_i^{new})$, and $X_i^{new}=h(U{I}_i^{new}\Vert U{I}_i)$.

6.3. Password Change Phase

Step 1:

A legitimate user $U_i$ inserts the smartcard, his/her $I{D}_i$ and $P{W}_i$, and biometric $BI{O}_i$.

Step 2:

The smartcard computes $<R_i,P_i>=Gen\left(BI{O}_i\right)$, $a_i=L_i\oplus h(R_i\Vert P{W}_i$), $HP{W}_i=h(I{D}_i\Vert P{W}_i\Vert a_i)$, and $B_i^{*}=h(U{I}_i\Vert A_i)$. After that, the smartcard compares the $B_i^{*}$ with $B_i$ stored value. If it is equal, the smartcard requests a new password to $U_i$.

Step 3:

When $U_i$ receives the request message from smartcard, $U_i$ inputs a new password $P{W}_i^{new}$.

Step 4:

After receiving the new password from $U_i$, the smartcard computes $L_i^{new}=a_i\oplus h(R_i\Vert P{W}_i^{new})$, $HP{W}_i^{new}=h(I{D}_i\Vert P{W}_i^{new}\Vert a_i)$, $A_i^{new}=U{I}_i\oplus h\left(HP{W}_i^{new}\right)$, and $B_i^{new}=h(U{I}_i\Vert A_i^{new})$. Consequently, the smartcard updates the old information $\{A_i,B_i,L_i\}$ to new information $\{A_i^{new},B_i^{new},L_i^{new}\}$.

7.1. Informal Security

7.2. Ban Logic