1 Introduction

The IoT has become one of the most rapidly growing and remarkable technologies, as it connects sensors and objects with each other over the internet. The internet faces challenges in ensuring the privacy and security of the data collected by devices, and these challenges have demanded public attention over the years. Challenges in user authentication, network scaling, handling technical issues and adopting new policy are being addressed at present. IoT devices need only subtle human interaction and produce a huge volume of data. Market trends have brought the IoT into widespread reality; these include a surge of techniques in data analytics, the general adoption of miniaturization, IP-based networking and global connectivity among sensors that produce data stored in the cloud [1]. The implementation of IoT mainly depends on the most commonly used technical communication models: Device-to-Cloud, Device-to-Device, Device-to-Gateway and Back-End Data-Sharing.

All these communication models are flexible in letting IoT devices communicate among themselves and provide valuable data to the user. The IoT has attracted huge interest in the digital market and is set to rule the globe in the upcoming years. The IoT can be viewed as a giant, smart network that connects things and people, collects data and shares it between things in the way they are programmed. It reflects the general-purpose nature of the web service architecture, which places no constraints on the applications that use the technology. The safety and resilience of the web are affected if a less secured device is connected online. This drawback is amplified by considerations such as the mass-scale deployment of homogeneous IoT devices. The IoT retrieves data over a public channel, where it can be lost or stolen, and it enables increased tracking, surveillance of data, data collection and the gathering of data streams over the internet, which can be termed digital portraits of users. Challenges such as user authentication and governance are wide and sophisticated in nature and have to be addressed.

The IIoT [2] is a collection of smart sensors and objects that are interconnected within a real-time industrial application setup. The connectivity also covers data aggregation, exchange and big data analysis. This in turn enhances outcomes such as the productivity of data with the deployment of the cloud. The IIoT has been considered a parallel and distributed system that ensures a high degree of automation in monitoring and controlling physical infrastructures in association with cloud infrastructure [3]. Other technologies such as cyber security, edge computing, mobile technologies, machine-to-machine communication, 3D printing, advanced robotics, big data, RFID technology and cognitive computing are also associated with the IIoT.

The cyber-physical system is the enabler for establishing communication among connected physical machines in IoT and IIoT environments. Moreover, cloud computing facilitates connections among storage devices in the cloud, where files and data can be kept and retrieved. Accessing these files is made easier because they are stored in the cloud instead of on local storage devices. Edge computing [4] is a process in which decentralization of data is achieved at the edge of the network. To achieve incredible improvements in access to huge volumes of data and in productivity across users of industrial applications, the IIoT requires an edge-plus-cloud architecture. Big data analytics [5] is also adopted to investigate and analyze the data sets. Human anthropology can be achieved with the help of artificial intelligence [6], in which powerful algorithms and models are designed to help humans take correct decisions during the analysis of data. The layered modular architecture in the digital technology environment is referred to as an IIoT system. It includes important physical components such as cyber-physical systems, machines and sensors [7]. These components need to adopt secure communication [8] strategies among themselves.

The rest of the paper is organized as follows. Section 2 surveys the work related to the proposed scheme. Section 3 discusses the authentication and key agreement schemes. Section 4 presents and discusses the simulation results. Finally, the proposed work is concluded.

2 Related work

The authors of [9] presented a new strategy to address privacy in the context of billing under dynamic electricity pricing. The security and privacy issues [10] that bi-directional communication between the user and the smart grid tends to face were addressed. To resolve the security constraint, the proposed scheme introduces an efficient data aggregation scheme for privacy-friendly price-based billing. The scheme consists of three phases of security: authenticated initialization and refilling, data aggregation for price-based billing, and demand response. These methods protect users' private information when smart grids capture fine-grained energy usage information. Moreover, the empirical results showed that the proposed method achieves better privacy protection for electric meter reading aggregation and feasible computational efficiency. The authors of [11] presented a novel user authentication protocol that can be deployed in resource-constrained WSNs to solve user authentication issues. It is an ECC-based protocol that uses an overall handshake module to solve the challenges. The DES encryption algorithm was deployed to provide authentication among users, the gateway and IoT devices, and was also used to generate the session key. Furthermore, the experimental results showed that this ECC-based protocol strengthens security in WSNs.

In [12], the authors discussed patient information and health care management in an IoT environment. The work proposed a secure IoT-based health care monitoring system using body sensor networks that meets the major security requirements of a modern health care system. The system also allows intelligent, miniaturized, low-power body sensor nodes to be integrated in and around the body to monitor body functions and the surroundings. The proposed scheme secures the sensor nodes with respect to data privacy, data integrity, data freshness, anonymity and authentication. The work ensured that the scheme was lightweight and computationally feasible. In [13], the authors presented a smart-card-based authentication method that can be applied in heterogeneous wireless ad hoc sensor networks. The scheme was shown to be more efficient in resisting several attacks such as impersonation attacks, stolen smart card attacks and node spoofing [14] attacks. It uses a hash function and the XOR operation for authentication and provides backward secrecy against the node spoofing attack. It was also proved to solve the Elliptic Curve Discrete Logarithmic problem and found to enhance authentication using forward secrecy. The authors found that the proposed work provides greater security for protecting the password [15], which is mandatory in WSNs, where the networks demand the highest degree of security using passwords.

A novel ECC-based authentication protocol for wireless sensor networks was proposed in [16]. The work applied ECC and a user authentication protocol to authenticate clients. The author used a gateway node to apply a three-way handshake mechanism. The gateway node acts as an intermediate node between the user and the IoT sensing devices. From the results, the authors found this ECC-based authentication protocol to be more suitable for achieving high security in WSNs. In [17], the authors focused on hierarchical IoT networks, which consist of gateway nodes, cluster head nodes and sensing nodes organized in a hierarchy. The paper emphasizes the design of a new secure lightweight three-factor remote user authentication scheme for hierarchical IoT networks, called the User Authenticated Key Management Protocol, which uses three factors: passwords, smart cards and personal biometrics. Using this scheme, a user can access real-time data from the sensing nodes with a good authentication strategy. The scheme provides offline sensing node registration, freely password, user anonymity and a biometric update facility. Empirical results showed that the proposed work achieved better computation and communication costs.

The resource constraints of sensor nodes were thoroughly analyzed in [18], and the authors proposed a 3-factor anonymous authentication scheme for WSNs. The scheme uses a fuzzy commitment scheme for the biometrics environment. The fuzzy scheme emphasizes the three-way handshake protocol and provides authentication to the user and the gateway. The results showed that the scheme addressed the design, security and efficiency problems of WSNs and improved computational efficiency. It also achieved higher security and met more functional requirements, and it seems suitable for high-security WSNs. The authors of [19] focused on the security issues encountered during bi-directional communication between smart grids and service providers. They proposed a privacy-aware key agreement scheme for smart grid communication that deploys a lightweight cryptographic primitive, the Physically Unclonable Function, to protect the smart grid from hardware-related security issues. To ensure security and establish reliable communication, the scheme uses a one-way hash function that encrypts data and the session key. The empirical results showed that the scheme was computationally feasible and cost efficient and can be adopted in resource-constrained smart meters.

The authors of [20] highlighted password authentication for WSNs in the IoT environment. They proposed a one-way function protocol in which the gateway node provides encryption between the user and the IoT sensing devices. It also resolved security and privacy issues and protects itself from illegal access by intruders. This one-way function protocol also encodes the password by encrypting the master keys and providing session keys during transmission. The user's password was encrypted and validated by the system. The experimental results showed that this protocol provides greater security and privacy for the password and is suitable for WSNs. IoT in e-healthcare was discussed in [21], where a new remote user authentication protocol for enhancing the e-healthcare process was presented. The protocol is based on extended chaotic maps and permits only authorized users to access medical server data via wireless communication. The gateway node acts as a trusted node and provides authentication to the user. The results showed that this scheme avoids computational expense, is secure and practical for battery-limited devices, and is suitable for high-security wireless communication.

The authors of [22] presented a new authentication scheme for a medicine anti-counterfeiting system that can be adopted in an IoT environment. It was designed to examine the authenticity of pharmaceutical products. It uses Near Field Communication in a mobile environment and generates a session key that is robust against known attacks. The empirical results showed that this scheme lowered computation and communication costs and provided additional functionality features suitable for use in WSNs. In [23], the authors focused on wireless sensor nodes, taking the integrity and trustworthiness of the nodes as the key aspects. A novel zero-watermarking scheme was proposed that accepts data captured from the surrounding vicinity and produces different watermarks as required. These watermarks are generated using the data length. The results showed that the scheme can withstand multiple attacks on data and attacks against various watermarks, such as data deletion, data modification and data duplication. The scheme was also found to be lightweight, computationally efficient and reliable.

The authors of [24] proposed a lightweight privacy-preserving authentication protocol for RFID systems that uses Physically Unclonable Functions to rectify security issues by encrypting RFID tags. It initiates a three-way handshake protocol to provide authentication and security to RFID systems, thereby reducing computational cost. The experimental results showed that this work provides secure and efficient data communication and is suitable for resource-constrained RFID tags. Authentication and security in WSNs were addressed in [25], which deployed a temporal-credential-based two-factor authentication scheme using elliptic curve cryptography. A three-way handshake is adopted in which the user and the IoT sensing devices are given secret keys for data transmission. The gateway node acts as a trusted node that performs data encryption by generating a secret key, and the results showed that this scheme can resist a variety of attacks, such as the personification attack and the smart card attack, and provides various security features. The related work is consolidated in Table 1.

Table 1 Overview of the related work

This paper addresses a secure authentication mechanism that can be established between the user and IoT devices using a gateway Key Agreement and Authentication Scheme. The declaration of nodes, pre-establishment of the network, user registration, key authentication and dynamic IoT sensing device phases are designed. The relay attack is overcome with the help of timestamps, which keep all nodes in the network (users, gateway nodes and IoT sensing devices) synchronized. Before an IoT sensing node is installed in the IIoT environment, it is loaded with its credentials. The nodes are mutually authenticated in the login and authentication phases, and a secret key is then shared among them to ensure secure communication. If a registered user node wants to update the key dynamically, this can be processed through KAAS. Interestingly, this Dynamic Authentication Key Agreement Scheme is executed entirely with the help of the gateway node, using the credentials of other genuine nodes. The revocation process becomes useful if a legal node's credentials are lost or stolen, and it is carried out with the help of the Effective Path Selection and Security Control Logic scheme. Finally, the dynamic IoT sensing device phase is designed to deploy additional IoT nodes in the network. The proposed work primarily aims at a secure and faster authentication scheme that can be used to transfer data more securely than existing authentication schemes, with minimal loss, fewer reruns of network deployment, efficient network lifetime management and reduced intrusion attacks [26].

3 Proposed work

The proposed model involves several phases, as shown in Fig. 1. The first phase, the network establishing phase, initiates the mounting of computational nodes that are programmed with all intended credentials. The gateway node is identified and is intended to generate the secret key. The network can be scaled by adding nodes dynamically. The agreement and authentication scheme has four phases: the registration phase, the login phase, the authentication phase and dynamic node sensing. The first phase has three stages, namely creation of the user login ID, password and biometrics. The gateway node creates the user's secret key, which is known to the authenticated client and the gateway node. The login phase creates a login for the user using the smart card and chooses the appropriate IoT sensing device. The authentication phase examines the origin of the message using a timestamp. The verification phase examines the secure communication channel established from user to gateway and from gateway to IoT sensing device. The dynamic node sensing phase verifies the authentication of the user and the connected IoT devices. They mutually share a common session key to initiate the session, followed by secure data transmission. The next component is the Effective Path Selection and Security Control Logic scheme, which has phases such as destination node selection, shortest path determination, intrusion detection, the Real-Or-Random model and Automated Validation of Internet Security Protocols and Applications. The target computational node to which the secured data has to be directed is found, and the shortest route is identified with the help of relay nodes. Intrusion detection finds intruders or unauthorized users who try to access aggregated data in the network. If the source node does not receive the acknowledgement message within the stipulated time, it is understood that an intruder has been detected and the destination path is altered. Formal security verification is executed using the Real-Or-Random model and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. The communication establishment phase then establishes communication between the nodes so that data transmission can take place in the network, as shown in Fig. 1.

Fig. 1 Phases of the proposed model

Intrusion or spoofing can be detected without human intervention. Dynamic distributed key infrastructures and an identity-based protocol were deployed to ensure the verification and authentication of network users; this requires important parameters such as one-time-pad encryption, secure network access, digital signatures, Digital Rights Management (DRM), repudiation, authentication, revocation and authorization, as used in the digital context. A single key can be used to address all security needs. The most secure systems are network topologies in which users are pre-authenticated and keys are pre-distributed to all network users. This eliminates the problems faced during key exchange in network sessions.

As stated, secure authentication starts at the node level. The nodes are mutually authenticated in the login and authentication phases, and a session key (i.e. a shared secret key) is then established among them to communicate securely. The scope of the research work is to provide a secure and faster authentication scheme that can be used to transfer data more securely than existing authentication schemes. The necessary notations and their descriptions are shown in Table 2.

Table 2 Notations and description

3.1 Registration phase

In the registration phase, shown in Fig. 2, the user (Ui) has to register with the Gateway Node in offline mode via a definitive channel. The important steps are as follows. Ui selects his/her identity IDRi and password PSDi, and generates random numbers ai, Pi, Pj, ni1, ni2. Ui then computes DIDRi = h(IDRi||ai) and DPSDi = h(IDRi||PSDi), and securely submits the registration request DIDRi _ ni1; DPSDi _ ni2 to the registered Gateway Node. The random secrets ni1 and ni2 are used here to protect the scheme from the privileged-insider attack. Even if an authorized user of the gateway node is an insider attacker who knows this information, without the random secrets it is difficult and practically infeasible to find the ID and password values DIDRi and DPSDi. Therefore, the attacker has no knowledge of the secrets IDRi and PSDi. After receiving the request, the Gateway Node checks the availability of DIDRi in its database. If DIDRi is not available, the Gateway Node calculates Cn according to Eq. (1):

$$\text{C}_{\text{n}} = \text{DIDR}_{\text{i}} \,\_\, \text{n}_{\text{i1}} \,.\, \text{DPSD}_{\text{i}} \,\_\, \text{n}_{\text{i2}} \,.\, \text{h}(\text{X}_{\text{GTN}} \,||\, \text{h}(\text{X}_{\text{GTN}} \,(+)\, \text{U}_{\text{i}})) \qquad (1)$$

Fig. 2 Sequence of registration phase

The GTN then secretly issues a smart card SRi to Ui. After receiving SRi, Ui imprints his/her biometrics BMi on the sensor of a specific terminal or mobile device.

Ei = h(Ji || h(_i ||PSDi) ||TS1)

Ag = Tri (DIDRi || SIDRj|| Ei)

Gi = Ag_ h(DIDRi ||Ji ||TS1)

VGTN = h(DIDRi ||Ag ||Gi ||SIDRj ||TS1)

E'i = Ei_h(DIDRi || Ji || TS1),

DIDR'i = DIDRi_ h(Ei || Ji || TS1) and

SID'j = SIDRj_ h(DIDRi || TS1) and computes Gen(BMi)

3.2 Login and authentication phase

The sequence of operations performed in the login and authentication phase is shown in Fig. 3. In this phase, the login activity is carried out by a user Ui in the following steps.

Fig. 3 Login and authentication phase

L1: First, user Ui inserts his/her smart card SRi into the reader and provides the login credentials, user ID IDRi and password PSDi. The user then presents his/her biometrics BMi. SRi then computes DPSDi = h(IDRi || PSDi) and checks whether RBi = h(IDRi || PSDi).

L2: If the above check succeeds, SRi is assured that the credentials entered by Ui (IDRi; PSDi; BMi) are genuine, and it computes Cn = C'n_h(i ||IDR]i), DIDRi = h(IDRi || ai) and Ji = Cn_ DIDRi_ DPSDi from its stored parameters. In this step, Ui also picks the ID SIDRj of the IoT sensing device ISNj whose services he/she wants to use.

L3: SRi then generates the current timestamp TS1 and a random number ri. Finally, the login message MSG1 = {E'i; DIDR'i; VGTN; Gi; SID'j; TS1} is transmitted to the gateway over an open channel. The steps so far cover the interaction between the user and the gateway. The following steps complete this phase:

A1: After receiving the message MSG1 (the message transmitted by the user U1) from Ui, the Gateway Node checks the freshness of the message with the condition |TS'1_TS1| < _T, where _T denotes the transmission delay and TS'1 is the time at which the message was received. If the condition holds, the GTN computes the following:

Mi = h(XGTN || h(XGTN || Ui)),

DIDRi = DIDR'i_ h(E'i || Mi || TS1),

Ag = Gi_ h(DIDRi || Mi || TS1),

SIDRj = SID'j_ h(DIDRi || TS1), and verifies the condition

VGTN = h(DIDRi || Ag || Gi || SIDRj || TS1).

A2: If the above condition fails, the Gateway Node (GTN) rejects the user by not accepting the login message MSG1. Otherwise, the GTN computes Ei = E'i_ h(Mi || DIDRi || TS1) and generates the current timestamp TS2.

A3: On receiving MSG2, ISNj (the IoT sensing device) checks the freshness of the message with the condition |TS'2_TS2| < _T, where TS'2 is the time at which the message was received. If the check holds, ISNj also checks the condition VSNj = h(Skeyj || SIDRj || A'g || hj || TS2). If the condition fails, the IoT sensing device rejects MSG2.

A4: ISNj then generates a random number rj and the current timestamp TS3, and calculates

Nj = Trj (DIDRi || SIDRj || Ei),

Sij = h(Trj (A'g) (mod p) || DIDRi || TS3) as the session key shared between Ui and ISNj,

Pj = h(SKij || Nj || TS3) and N'j = Nj_ h(DIDRi || SIDRj || TS3).

ISNj then transmits the message MSG3 = {Pj; N'j; TS3} to Ui via the open channel.

A5: Finally, Ui receives the message MSG3 and checks its freshness with the condition |TS'3|| TS3|< _T. If the check holds, SRi computes Nj = N'j_ h(DIDRi || SIDRj || TS3) and the session key.

If the verification holds, Ui authenticates ISNj. At last, Ui and ISNj will store the common session key ‘r’ shared secret key SKij = (SKij) for their forthcoming secure communication.
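An added example, not code from the paper, of the gateway-side check in steps A1 and A2: the freshness test on TS1, unmasking of the received fields, and recomputation of VGTN. It assumes SHA-256 for h, XOR for the masking operator, a 5-second window, that the card-derived Ji equals the gateway's Mi, and that the identity is masked with the masked E value on both sides as in the A1 formula; all sample values are constructed.

```python
import hashlib
import hmac
import struct

DELTA_T = 5  # assumed freshness window in seconds (the threshold used in step A1)


def h(*parts: bytes) -> bytes:
    """h(a || b || ...). SHA-256 is an assumption; every part here is fixed-length,
    so plain concatenation is unambiguous."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Masking operator, assumed to be XOR over equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ts_bytes(ts: int) -> bytes:
    return struct.pack(">Q", ts)  # fixed 8-byte timestamp encoding (assumption)


def build_msg1(j_i, didr, sidr, e_masked, a_g, ts1):
    """Smart-card side of step L3. j_i is the card-derived secret, assumed equal to Mi."""
    t = ts_bytes(ts1)
    g_i = xor(a_g, h(didr, j_i, t))                     # Gi masks Ag
    return {
        "E_masked": e_masked,                           # treated as an opaque value here
        "DIDR_masked": xor(didr, h(e_masked, j_i, t)),  # masked with E_masked (see lead-in)
        "V_GTN": h(didr, a_g, g_i, sidr, t),            # verifier binds every field and TS1
        "G": g_i,
        "SID_masked": xor(sidr, h(didr, t)),
        "TS1": ts1,
    }


def gateway_check_msg1(msg, m_i, now):
    """Steps A1/A2: reject stale messages, unmask, then verify VGTN in constant time."""
    if abs(now - msg["TS1"]) >= DELTA_T:
        return "stale", None
    t = ts_bytes(msg["TS1"])
    didr = xor(msg["DIDR_masked"], h(msg["E_masked"], m_i, t))
    a_g = xor(msg["G"], h(didr, m_i, t))
    sidr = xor(msg["SID_masked"], h(didr, t))
    expected = h(didr, a_g, msg["G"], sidr, t)
    if not hmac.compare_digest(expected, msg["V_GTN"]):
        return "bad_verifier", None
    return "ok", {"DIDR": didr, "A_g": a_g, "SIDR": sidr}


def constructed_sample(ts1=1_700_000_000):
    """Constructed inputs; none of these values come from the paper."""
    x_gtn = h(b"constructed gateway master secret")
    m_i = h(x_gtn, h(x_gtn, b"constructed-user-1"))   # Mi = h(XGTN || h(XGTN || Ui))
    didr = h(b"constructed identity", b"constructed nonce")
    sidr = h(b"constructed sensing device id")
    e_masked = h(b"constructed E value")
    a_g = h(b"constructed Ag value")
    return build_msg1(m_i, didr, sidr, e_masked, a_g, ts1), m_i, didr, sidr


if __name__ == "__main__":
    msg, m_i, didr, sidr = constructed_sample()
    ts1 = msg["TS1"]
    print("fresh message:        ", gateway_check_msg1(msg, m_i, ts1 + 1)[0])
    print("replayed 60 s later:  ", gateway_check_msg1(msg, m_i, ts1 + 60)[0])
    refreshed = dict(msg, TS1=ts1 + 60)  # captured message with a rewritten timestamp
    print("replayed with new TS1:", gateway_check_msg1(refreshed, m_i, ts1 + 60)[0])
    tampered = dict(msg, G=bytes(32))
    print("tampered Gi:          ", gateway_check_msg1(tampered, m_i, ts1 + 1)[0])
```

Because TS1 is hashed into VGTN and into every mask, a captured message whose timestamp is rewritten passes the freshness test but fails verification.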

4 Results and discussion

The results of the proposed work are demonstrated using the NS2 simulator. The demonstration focuses mainly on network throughput performance and end-to-end delay analysis, which have a major impact on the Dynamic Authentication Key Agreement Scheme. Important parameters such as throughput, residual energy, packet dropping rate and delay are measured, represented graphically and compared with existing systems.

4.1 Throughput analysis

Network throughput is an important performance parameter, defined as the total number of bits transmitted in unit time. It is formally calculated as (_r _ j _j) = Td, where Td is the maximum time taken (in seconds), _j the amount of data (size of a packet), and _r is the number of received packets during transmission, as shown in Fig. 4a. The actual total time is taken as 100 s, which is referred to as the simulation time. Throughput is plotted in Fig. 4a with time on the x-axis and data on the y-axis. The throughput of the Dynamic Authentication Key Agreement Scheme is comparatively less than that of the one-way authentication protocol, because our scheme uses smaller messages during the login and authentication phases. However, the scheme provides good security and greater functionality features.

Fig. 4 a Throughput analysis. b Residual energy. c Packet dropping rate. d Delay analysis

4.2 Residual energy

Residual energy plays a vital role in determining the energy of nodes after transmission. It is defined as the energy left in a particular node after the transmission or reception of routing packets is complete. Nodes use energy to transmit or receive routing packets and therefore lose energy, so the initial energy of a particular node decreases. The residual energy can be used to estimate the time available for transmission or reception. The residual energy En is calculated by dividing the per-component current consumption by the duty cycle Tn, which were obtained to estimate the usable time. Residual energy is plotted with node strength on the x-axis and remaining energy on the y-axis. As shown in Fig. 4b, the residual energy of nodes in the Dynamic Authentication Key Agreement Scheme is comparatively greater than in the Chaotic Map-based Authentication scheme. The proposed scheme provides low power consumption and longer battery life for the nodes in the network.

4.3 Packet dropping rate

Packet dropping rate is one of the factors that determine the reliability of the IoT sensing devices. It is defined as the rate of loss in the transmission of data packets. The packet loss is calculated as the percentage of packets lost with respect to packets sent. The retransmission of packets should also be considered. Packet loss is caused by errors in data transmission, typically across wireless networks, or by network congestion. The proposed scheme therefore initiates an Effective Path Selection algorithm to transmit data securely without causing much data loss. Packet dropping rate is plotted with node strength on the x-axis and data on the y-axis. The graph in Fig. 4b shows that the Dynamic Authentication Key Agreement Scheme has a lower packet dropping rate than the ECC-based authentication protocol. The proposed scheme also provides speculation in the dropping rate and provides reliable communication among IoT sensing devices.

4.4 Delay analysis

Delay performance is a key parameter for the successful development and deployment of all real-time networked sensing applications. End-to-end delay is the total time taken for a packet to travel across the network from source to destination. The particularity of the sensing scenario is that all nodes generate and collectively work together to stimulate transmission at a higher rate. Delay is plotted with node strength on the x-axis and packet delivery ratio on the y-axis. The proposed scheme is verified by comparing the analytical and numerical simulated results, and the graph in Fig. 4d is used to conclude that the Dynamic Authentication Key Agreement Scheme provides less transmission delay than the ECC-based authentication protocol.

5 Conclusion

The Dynamic Authentication Key Agreement Scheme proposed in this research work was found to be scalable and efficient in achieving better authentication between the sensor nodes in an IIoT environment. The scheme supports both static and dynamic IIoT wireless sensor nodes and provides secure and authenticated communication between any pair of nodes. The scheme is resilient against node compromising attacks and scalable, and its capacity to manage the revocation list for lost or compromised nodes is found to be fair. The work was carried out and compared with some popular and recent protocols that are used in WSNs. The scheme also proves efficient in saving energy, with a minimum of 20% in communication. Further, the scheme has a lower memory cost and provides a higher probability of sharing a secret key between two sensor nodes.