Introduction

Smart homes offer users an enhanced quality of life, convenience and comfort through the exchange of real-time data. A typical Smart Home (SH) can provide intelligent and automated remote monitoring of various activities [1]. It may comprise remote users, a registration authority, gateways and smart devices [2]. The smart devices in these networks may include refrigerators, cameras, television sets, motion sensors, lighting systems, doorbells, voice assistants and thermostats [3]. The smartness of these devices lies in their ability to monitor and control activities, as well as to offer the required support to users. As pointed out in [4], smart homes can improve energy efficiency and hence reduce power bills. Another significant technique for improving both safety and energy efficiency is the incorporation of Artificial Intelligence (AI). Here, the big data generated by sensors and other smart devices can be used to train machine learning algorithms to distinguish between normal and anomalous smart home activities. Any network traffic or events flagged as anomalous can be indicators of possible attacks on the smart home. Once attacks are detected, various actuators can be activated to protect it. AI can thus be deployed to offer safety and to boost the productivity and well-being of users [5]. It is also possible to deploy AI for behavior analysis of home users, which can help predict their needs and optimize both device and resource usage. To accomplish this, machine learning algorithms such as decision trees, support vector machines and neural networks can be trained and deployed [6]. Thereafter, any behavioral change may be construed as an anomaly.

Although smart homes have numerous benefits, many threats, vulnerabilities and attacks lurk in these networks. This may be attributed to the massive number of heterogeneous connected devices, which enlarges the surface from which attacks can be launched. In addition, the majority of connected devices do not adhere to the security practices and standards of typical computing systems. As such, they can be compromised and used to spread malware. Message exchange between the smart devices and remote users takes place over the public internet and is hence open to several attacks [7]. Smart homes therefore create new privacy, security and authentication challenges [8]. The possible attacks in this environment include unauthorized access, data forgery, tampering, impersonation, Distributed Denial of Service (DDoS) and offline-guessing attacks [9, 10]. Since most communication passes through the gateways, these present a single point of failure. Any successful attack on this centralized architecture can lead to user privacy leaks, device malfunction and even harm to the home occupants [11].

Based on the discussion above, it is evident that smart home devices have become pervasive and increasingly connected. Vulnerabilities in any of these devices may therefore lead to unauthorized access to entire home networks. For instance, adversarial access to the smart home heating system may raise the house temperature, which may lead to fires, hardware failures or even death. It is therefore clear that the security and privacy of users need to be protected [1]; failure to do so may slow the uptake of this important technology. Strong mutual authentication is one of the most promising mechanisms for protecting against the aforementioned attacks [12]. For anomaly detection, highly efficient and accurate detection models are needed that can adapt to novel attacks, a growing number of devices and an evolving threat landscape. Blockchain technology has been proposed as another effective way of enhancing privacy, security and transparency in smart homes [13]. Unfortunately, the majority of smart devices are too resource constrained [14] to handle the heavy processing that blockchains require.

Research Contributions

Smart homes enhance the quality of life and convenience of their users. However, the data sensed by smart home devices are relayed to remote users over public channels, so the exchanged data are exposed to numerous threats and attacks. Because many devices are interconnected, a successful compromise of a single smart device can have a ripple effect on all the other devices. Although proper authentication can prevent these attacks, the resource-constrained nature of smart devices such as sensors limits the deployment of strong cryptographic primitives. In addition, the majority of conventional smart home protocols only mutually authenticate the smart devices to the servers and fail to execute authentication among the devices themselves. To this end, this paper makes the following major contributions.

  • Elliptic curve cryptography is amalgamated with symmetric key and one-way hashing operations to develop a scheme that thwarts most of the conventional smart home attacks.

  • The algorithm executes mutual authentication and key negotiation among the smart devices, in addition to authenticating the smart devices to the trusted authority. Here, the trusted authority cannot derive session keys negotiated among the smart home devices. In addition, other devices can never derive session keys established between a particular smart device and the trusted authority. As such, privileged insider, impersonation, session hijacking, denial of service, man-in-the-middle and stolen verifier attacks are prevented.

  • Session delay tolerance and time-stamping are incorporated in the generated security tokens to avert packet replay attacks.

  • Extensive formal security validation is executed on this scheme using BAN logic, which shows the existence of strong mutual authentication and session key negotiation among the communicating entities.

  • Informal security analysis is carried out to demonstrate the robustness of this scheme under the Canetti–Krawczyk threat model.

As discussed in “Security Analysis” and “Performance Evaluation”, this scheme advances state-of-the-art authentication protocols in two ways. First, the deployed cryptographic primitives are fairly lightweight, so the scheme boosts network efficiency. Second, the negotiated session keys establish secure communication channels among the smart home devices as well as with the trusted authority.

Paper Organization

In “Related Work”, the authentication and key agreement protocols that have been presented to curb security and privacy issues in smart homes are discussed, including their shortcomings. “Mathematical Preliminaries”, “Security Goals and Requirements” and “Motivation” present the mathematical preliminaries, the security goals and requirements, and the motivation of this work, respectively. This is followed by the description of the proposed protocol in “The Proposed Scheme”. The security and performance analyses are presented in “Security Analysis” and “Performance Evaluation”, respectively. Finally, “Conclusion” concludes the paper and offers some insights on future work in this domain.

Related Work

Security challenges in smart homes have prompted a lot of research, resulting in numerous schemes for anomaly detection and authentication. For example, the authors of [15] present a scheme to distinguish between normal and anomalous activities. Similarly, the techniques in [10] and [16] deploy Hidden Markov Models (HMMs) trained on sensor data, while the approaches in [17] and [18] utilize Bayesian networks for anomaly detection. A flow-based attack detection scheme is presented in [19]. Using inbound and outbound sensor packets, a neural network-based anomaly detection scheme is developed in [20]; the attacks detected this way include Man-in-the-Middle (MitM) and Distributed Denial of Service (DDoS). The authors of [21] utilize a combination of machine learning and statistical techniques for behavioral analysis in smart homes, and artificial neural networks and support vector machines are utilized in [22] for network intrusion detection.

Although anomaly detection techniques play a significant role in securing smart homes, they are mainly concerned with activity detection and cannot enforce the access control required in this environment. To address this shortcoming, many authentication and key negotiation protocols based on various techniques have been introduced. For instance, a three-factor authentication scheme based on Elliptic Curve Cryptography (ECC) is developed in [23], while a two-factor user authentication protocol is presented in [24]. However, the scheme in [23] cannot mutually authenticate all network entities and fails to uphold forward key secrecy, and the protocol in [24] is susceptible to both stolen user device and insider attacks [25]. To offer decentralization [26] and prevent the single point of failure of centralized architectures, many protocols based on blockchain technology have been proposed in [8] and [27,28,29,30,31]. The security goals attained by these schemes include data integrity, availability, authentication, access control, and user and data privacy. Unfortunately, these schemes have extensive computation requirements, which are detrimental for the majority of resource-limited smart home devices [32]. In addition, the protocol in [31] deploys a private and public key pair, which further increases execution time.

The scheme in [33] can potentially address the performance issues of blockchain-based techniques owing to its reduced registration overheads; however, it is vulnerable to stolen smart device attacks. Similarly, the protocol in [2] is vulnerable to stolen smart device, impersonation, offline password guessing, privileged insider and packet replay attacks. In addition, it fails to provide anonymity, and its use of a simple password exposes it to shoulder-surfing attacks [34]. To address some of the issues in [2], a two-factor authentication technique is developed in [25]. However, this protocol is still susceptible to session key disclosure and impersonation attacks, and it has excessive communication and computation overheads [35]. The failure to incorporate random nonces and timestamps in [36] renders it susceptible to replay attacks, and the schemes in [37] and [38] are vulnerable to MitM and DoS attacks.

A scheme for remote user authentication is introduced in [39], while an identity-based security framework is presented in [40]. However, the protocol in [39] fails to offer forward key secrecy and cannot withstand stolen device, session key compromise and replay attacks [25], and the identity-based scheme in [40] has key escrow issues [41]. To boost performance in smart home networks, a lightweight authentication protocol is developed in [35]; however, it cannot provide integrity protection for the exchanged messages, leading to DoS [34]. Although the scheme in [42] is lightweight and hence applicable to most smart home devices, it cannot provide perfect forward secrecy, because any compromise of its long-term key allows an adversary to compute the session keys. The context-aware authentication approach developed in [43] has excessive execution time, and the multi-factor mutual authentication protocol in [44] has high computation overheads due to its bilinear pairing operations [45]. Finally, the protocol in [46] offers mutual authentication only between the devices and the server.

Mathematical Preliminaries

In this section, the symmetric key primitives are introduced first, followed by the cryptographic primitives for one-way hashing together with their collision-resistance properties. The mathematical formulations for the deployed elliptic curve cryptography can be found in [7].

Symmetric Primitives

Symmetric algorithms (SA) comprise symmetric key encryption algorithms (SKEA) and cryptographic hash functions. An SKEA can be a stream cipher or a block cipher. In the former, encryption combines the plaintext with a pseudo-random sequence: each stream cipher takes a key δ and an initial value σ and produces a pseudo-random key stream that is combined with the data through bitwise exclusive or (XOR) operations for both encryption and decryption.

Taking l as the block length and m as the cipher key size, a block cipher is a transformation:

$$F:{\mathbb{C}}_{2}^{l} \times {\mathbb{C}}_{2}^{m} \to {\mathbb{C}}_{2}^{l} ,$$
(1)

where \(F_{k} \overset{\text{def}}{=} F\left( {\cdot ,k} \right)\) is a bijection of \({\mathbb{C}}_{2}^{l}\) for each key \(k \in {\mathbb{C}}_{2}^{m}\).

Suppose that y = \(F_{k}(r)\); then r is the plaintext and y is the ciphertext of r under key k.

One-Way Hashing

A cryptographic hash function is a map h whose input is a string of arbitrary length and whose output is a string of fixed length l. Every one-way hash function:

(a) Takes an argument a of arbitrary length and outputs h(a) of some fixed length l bits.

(b) Given a value b in the range of h, it is computationally infeasible to find a message a such that h(a) = b. This one-way property is referred to as pre-image resistance.

(c) Given a in the domain of h and h(a), it is computationally infeasible to find a message a' ≠ a such that h(a') = h(a). This property is referred to as second pre-image resistance.

Let ℕ denote the set of positive integers and let ⅀ = {0, 1} be the binary alphabet. For l ∈ ℕ, the set of all binary strings of length l is denoted ⅀^l, and the set of all strings of arbitrary length is denoted ⅀*. Let h be a function whose domain and range are Ή = ⅀* and Ḡ = ⅀^l, respectively. Only inputs of bit length ḱ(l) are considered, where ḱ(l) is a function satisfying ḱ(l) > l. With these definitions, pre-image and second pre-image resistance can be stated as follows:

(d) A one-way hash function h is a function whose domain Ή = ⅀^{ḱ(l)} and range Ḡ = ⅀^l satisfy the following conditions:

Pre-image resistance: Let x be chosen uniformly from Ή and let Ẵ be an attacker that, on input h(x), runs in time ≤ t and outputs Ẵ(h(x)) ∈ Ή. For every such attacker Ẵ:

$$\Pr_{x \in \acute{H}}\left\{ h\big(\tilde{\breve{A}}(h(x))\big) = h(x) \right\} < \theta .$$
(2)

In (2), the probability is taken over the uniform choice of x and over the random coins of the attacker Ẵ.

Second pre-image resistance: Let x be chosen uniformly from ⅀^{ḱ(l)} and let Ẵ* be an attacker that, on input x, runs in time ≤ t and outputs x* ∈ Ή with x* ≠ x. For every such attacker Ẵ*:

$$\Pr_{x \in \acute{H}}\left\{ h\big(\tilde{\breve{A}}^{*}(x)\big) = h(x) \right\} < \theta .$$
(3)

In (3), the probability is likewise taken over x and over the random coins of Ẵ*. The pre-image and second pre-image resistance conditions are meaningful only when t/θ is large; since an attacker that simply evaluates h on t random inputs already succeeds with probability about t/2^l, the best one can require is t/θ ≤ 2^l.

(e) A collision-resistant hash function is a function h that satisfies condition (a), is one way (satisfies conditions (b) and (c)) and for which it is computationally infeasible to find two distinct messages a ≠ a' with h(a) = h(a'). Unlike (c), the attacker is free to choose both messages, so a birthday search already finds a collision after about 2^{l/2} evaluations of h.
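The following is an added example, written for this page rather than taken from the paper, that makes the gap between condition (c) and condition (e) concrete. It truncates SHA-256 to an assumed output length of l = 20 bits so that both searches finish in seconds: find_collision chooses both messages and needs about 2^{l/2} ≈ 1,000 trials, whereas find_second_preimage is handed a fixed target and needs about 2^l ≈ 1,000,000 trials against the same function. The candidate messages are constructed counters.

```python
import hashlib
from typing import Optional, Tuple

BITS = 20   # assumed toy output length l = 20 bits: 2^(l/2) ~ 1,024 and 2^l ~ 1,048,576


def h_trunc(m: bytes, bits: int = BITS) -> int:
    """Leading `bits` bits of SHA-256(m), standing in for a hash with output length l = bits."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") >> (256 - bits)


def find_collision(bits: int = BITS, limit: int = 1 << 16) -> Tuple[bytes, bytes, int]:
    """Birthday search for any a != a' with h(a) == h(a'): expected ~sqrt(pi/2 * 2^l) trials.

    This attacks collision resistance, condition (e): the attacker chooses both messages,
    so every new digest is compared against everything seen so far.
    """
    seen = {}
    for i in range(limit):
        m = b"msg-%d" % i                      # constructed candidate message
        d = h_trunc(m, bits)
        if d in seen:
            return seen[d], m, i + 1           # (a, a', trials used)
        seen[d] = m
    raise RuntimeError("no collision within limit")


def find_second_preimage(target: bytes, bits: int = BITS,
                         limit: int = 1 << 22) -> Tuple[Optional[bytes], int]:
    """Search for a' != target with h(a') == h(target): expected ~2^l trials.

    This attacks second pre-image resistance, condition (c): the target is fixed in
    advance, so each trial can only hit one digest value out of 2^l.
    """
    t = h_trunc(target, bits)
    for i in range(limit):
        m = b"forge-%d" % i                    # constructed candidate message
        if m != target and h_trunc(m, bits) == t:
            return m, i + 1
    return None, limit                         # gave up after `limit` trials


def compare(bits: int = BITS) -> dict:
    """Run both searches against the same truncated hash and report the trial counts."""
    a, a2, trials_collision = find_collision(bits)
    forged, trials_second_preimage = find_second_preimage(b"fixed target message", bits)
    return {"collision": (a, a2, trials_collision),
            "second_preimage": (forged, trials_second_preimage)}
```

Running compare() shows the collision appearing after on the order of a thousand trials while the second pre-image search runs to roughly a million, which is the 2^{l/2} versus 2^l separation that the t/θ ≤ 2^l bound above refers to.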

Security Goals and Requirements

Massive and sensitive information flows in smart home networks. It is therefore paramount that proper security and privacy measures be instituted before the remote users can begin accessing data in these smart home devices. In light of this, the following security goals and requirements are pursued in this paper:

Backward and Forward Key Secrecy

An attacker located between the remote user and the smart home devices may capture the session key used for traffic encryption. It should therefore be infeasible for an adversary to derive the session keys of previous and subsequent authentication sessions from the current session key.

Mutual Authentication

To ensure that only legitimate entities access the smart home networks, all the entities initializing any connection requests should have their identities verified before any such access is granted.

Resilience Against Attacks

To ensure strong security in smart home networks, it should be infeasible for an adversary to launch typical smart home network attacks such as MitM, packet replays, privileged insider, session hijacking, DoS, impersonation, offline dictionary and stolen verifier.

Confidentiality

The smart home network-based sensors collect high volumes of sensitive and private data. As such, only authorized and fully authenticated entities should be allowed to access the sensed data.

Integrity

During data transmission across the public networks, the communicating parties should ensure that no malicious modifications are made to the data.

Availability

Within the smart home network, the remote users should be able to access the sensed data anywhere and at any time.

Scalability

It should be easy for the smart home to support additional smart devices without compromising the underlying security and privacy architecture.

Motivation

The transmission of sensed data to remote users over public wireless channels opens smart home networks up to numerous attacks. Any successful attack on the smart devices may lead to malfunction of other devices or to malicious control of the smart home devices. For instance, hacked heating systems may raise the temperature to levels that endanger the lives of the home occupants. In addition, due to the interconnectivity of the smart home devices, any successful compromise of a single device can lead to privacy leaks and attacks on other devices. Although many protocols have been developed for smart home authentication, the majority of them only authenticate the smart devices to the servers, so authentication among the smart home devices themselves is largely ignored. This is detrimental, as it allows an attacker to reach one device through vulnerabilities in another. In addition, the security solutions developed to address these issues are either inefficient or have security holes that can be exploited. Therefore, the inefficiency, privacy and security holes in most of the current authentication protocols need an urgent solution.

The Proposed Scheme

The network entities in the proposed algorithm include the Smart Home Owners (SHOs), Trusted Authority (TA), the Smart Home Devices (SHDs) and the Mobile Devices (MDs) through which remote users interact with their SHDs. As shown in Fig. 1, the smart home devices may include smart doors, TV, thermostats, cameras, lighting systems and refrigerators.

Fig. 1

Network architecture

All smart home devices as well as mobile devices are registered at the trusted authority before they are permitted to communicate with each other. After registration, all MDs and SHDs have to execute mutual authentication with the TA and negotiate a session key. Similarly, the MDs and the SHDs must also mutually authenticate each other before exchanging any messages. As such, the proposed scheme is highly scalable to support additional smart devices within this authentication architecture. The communication channel between the MDs and the SHDs may be cellular network such as the Fifth Generation (5G). Table 1 presents the symbols used in this paper together with their brief descriptions.

Table 1 Notations and their descriptions

In terms of the actual execution, the proposed algorithm comprises the registration phase, SHD–TA authentication, MD–TA authentication and SHD–MD authentication. The sub-sections below describe these phases in more detail.

Registration Phase

In this phase, the smart home devices as well as the remote user mobile devices are registered at the trusted authority. Basically, the MD and SHD registration procedures are the same and hence only the SHD registration is described here. This is a three-step process as detailed below.

Step 1: The smart home device selects IDSHD as its unique identity, which it forwards to the trusted authority over secure channels.

Step 2: Upon receiving IDSHD, the trusted authority generates a random number R1, which it uses to derive A1 = h (R1||TASV||T1||IDSHD), A2 = A1 × G, A3 = R1 ⊕ h (TASV), A4 = h (R1 ⊕ h (TASV)||A2) = h (A3||A2) and A5 = A4 × G. Finally, the trusted authority stores the parameter set {IDSHD, T1, A3, A5} before sending A2 to the smart home device, as shown in Fig. 2.

Fig. 2

Registration and device–TA authentication

Step 3: After getting A2 from the TA, the SHD stores it in its memory for use in the authentication phase.

Device–TA Authentication Phase

In this phase, both the SHD and the MD mutually authenticate themselves to the TA. After successful authentication, they negotiate session keys between themselves and the TA. This is a five-step process as discussed below.

Step 1: The SHD generates random number R2 that it uses to compute security parameters B1 = R2 × G and B2 = h (B1||R2 × A2). Next, it sends these two parameters in authentication message AM1 = {B1, B2} to the TA for verification as shown in Fig. 2.

Step 2: On receiving parameters B1 and B2, the TA recovers R1 = A3 ⊕ h (TASV) from its stored record and uses T1, TASV and IDSHD to recompute A1 = h (R1||TASV||T1||IDSHD), which it then uses to confirm the validity of B1 and B2. Since A2 = A1 × G, the point R2 × A2 computed by the SHD equals A1 × B1, so the TA computes B2* = h (B1||A1 × B1) and checks whether B2* \(\stackrel{?}{=}\) B2, terminating the session if this verification fails. Otherwise, it generates a random number R3 and derives B3 = R3 × G and B4 = h (B2*||R3 × A5). Finally, the TA sends the authentication response message AM2 = {A3, B3, B4} back to the SHD over public channels.

Step 3: After obtaining {A3, B3, B4} from the TA, the SHD recomputes A4 = h (A3||A2) exactly as the TA did during registration. Since A5 = A4 × G, the TA's R3 × A5 equals A4 × B3, so the SHD derives B4* = h (B2||A4 × B3) and checks whether B4* \(\stackrel{?}{=}\) B4. The session is terminated if the two parameters do not match; otherwise the TA is authenticated, since only an entity holding the registration record for IDSHD can have produced B4.

Step 4: The SHD uses B3 and B4* to compute parameter C1 and the ℚST as C1 = h (B4*||R2 × B3) and ℚST = h (B3||R2 × B3). Finally, it sends the computed parameters to the TA in authentication message AM3 = {C1, ℚST} over public channels.

Step 5: After getting C1 and the session key ℚST from the SHD, the TA recomputes them using its own random number R3 as C1* = h (B4||R3 × B1) and ℚST* = h (B3||R3 × B1); since B1 = R2 × G and B3 = R3 × G, the point R3 × B1 is the same as the SHD's R2 × B3. Next, it confirms whether C1* \(\stackrel{?}{=}\) C1 and ℚST* \(\stackrel{?}{=}\) ℚST. The session is terminated when these verifications fail.

Otherwise, the TA and SHD adopt ℚST* = ℚST as the session key for the current session. The same procedure is followed by the MD and the TA to authenticate each other and establish the session key ℚMT between themselves.

SHD–MD Authentication Phase

At the onset of the SHD and MD communication process, they have to mutually authenticate each other. As stated earlier, the SHD and the MD must already have authenticated themselves to the trusted authority and agreed on session keys ℚST and ℚMT. The next task is for the SHD and the MD to authenticate themselves to each other. Before any data exchange between the SHD and the MD begins, the following seven steps are executed. Here, it is assumed that the session is initiated by the remote MD to access some data on the SHD.

Step 1: The MD generates a random number R4 and uses it to derive parameters C2 = R4 × G, C3 = R4 · h (ℚMT) (a scalar product, so that C3 × G = h (ℚMT) × C2) and C4 = h (C2||C3 × G). It then constructs the authentication request AMSM1 = {C2, C4, IDMD, T1}, where T1 is the current timestamp, and transmits it to the SHD as shown in Fig. 3.

Fig. 3

SHD–MD authentication

Step 2: Upon receiving message AMSM1, the SHD checks its freshness using timestamp T1 and delay tolerance ∆T. It then generates a random number R5 and derives the security parameter D1 = R5 × G. Next, it composes the authentication response message AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(C2, C4, D1, IDMD, T1), which it sends to the TA for verification. This message is protected using the SHD–TA session key ℚST, the only TA session key the SHD holds (ℚMT is known to the MD and the TA alone), to prevent eavesdropping and tampering.

Step 3: After getting message AMSM2, the TA decrypts it using ℚST. Next, it retrieves the SHD and MD data from its database to determine whether the two have registered and authenticated themselves with it. Using timestamp T1 and ∆T, the TA also establishes the freshness of the received request. If all these verifications succeed, the TA derives C4* = h (C2||h(ℚMT) × C2) and checks whether C4* \(\stackrel{?}{=}\) C4. The proof proceeds as follows:

C4* = h (C2||h(ℚMT) × C2)

= h (C2||h(ℚMT) × (R4 × G)); since C2 = R4 × G

= h (C2||(h(ℚMT) · R4) × G)

= h (C2||C3 × G); since C3 = R4 · h (ℚMT)

= C4; since C4 = h (C2||C3 × G).

As such, the TA will terminate the authentication session between the SHD and MD whenever C4*\(\ne\) C4. Otherwise, it computes parameter D2 = h (D1||h (ℚMT) × C2). Finally, it encrypts D2 using session key ℚST in authentication message AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2) that is forwarded to the SHD.

Step 4: On obtaining message AMSM3, which only the TA could have produced under ℚST and which the TA sends only after C4 has been verified, the SHD is assured that the MD is a legitimate entity. It then records the current timestamp T2 and derives the session key ℚSM = h (C2||R5 × C2). However, it waits for the confirmation message from the MD before storing ℚSM in its memory; this ensures that both the SHD and the MD have generated the same session key. Next, it constructs authentication message AMSM4 = {D1, D2} and forwards it to the MD over public channels.

Step 5: After obtaining message AMSM4, the MD re-computes parameter D2* = h (D1||C3 × G) and compares it with parameter D2 it received from the SHD. This is important for authenticating SHD such that the MD is sure it is communicating with a legitimate SHD. This proof proceeds as follows:

D2* = h (D1||C3 × G)

= h (D1||(R4 · h (ℚMT)) × G); since C3 = R4 · h (ℚMT)

= h (D1||h(ℚMT) × (R4 × G))

= h (D1||h(ℚMT) × C2); since C2 = R4 × G

= D2; since D2 = h (D1||h (ℚMT) × C2).

Here, only the TA can generate D2 using session key ℚMT before transmitting it to SHD. As such, the MD is sure that SHD is a legitimate entity and not any other entity impersonating it.

Step 6: The MD computes session key ℚMS = h (C2||R4 × D1), which is then validated against session key ℚSM = h (C2||R5 × C2) derived at the SHD. This proof is elaborated below:

ℚMS = h (C2||R4 × D1)

= h (C2||R4 × (R5 × G)); since D1 = R5 × G

= h (C2||(R4 · R5) × G)

= h (C2||R5 × C2); since C2 = R4 × G.

Provided that ℚSM = ℚMS, the SHD and MD have successfully established a common session key. Next, the MD records the current timestamp T3 and stores the parameter set {IDSHD, T3, ℚMS} in its memory. Finally, it encrypts parameter C2 under session key ℚMS and sends it to the SHD in authentication message AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2).

Step 7: Upon receiving confirmation message AMSM5 from the MD, the SHD decrypts it using its own copy ℚSM of the session key. Provided that C2 can be retrieved successfully, the two keys match, and the SHD stores IDMD, the session key ℚSM and timestamp T2 in its memory. The stored timestamp serves to thwart packet replay attacks. This confirmation is critical, since without it the SHD might store an invalid session key and thereby compromise its communication session with the MD.
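The registration phase, the Device–TA authentication phase and the SHD–MD authentication phase above, run end to end as an added worked example (written for this page; it is not code from the paper). Assumptions not fixed by the text: the curve is secp256k1, h() is SHA-256, identities are 8-byte strings that are carried alongside AM1 and AMSM2 so that the TA can locate the right registration record and session key, timestamps are integers, and the unspecified E_k() is stood in for by an HMAC-SHA256 keystream with an HMAC tag. At three points the code follows the derivations rather than the lettering of the steps: the SHD recomputes A4 = h (A3||A2), the TA verifies C1 with R3 × B1 (it never holds R2), and AMSM2 is encrypted under ℚST, the only TA session key the SHD possesses. As the page specifies, AM3 carries ℚST itself over the public channel; the example keeps that message format, but note that C1 alone already lets the TA confirm the key.

```python
import hashlib, hmac, secrets

# secp256k1 (assumed curve; the page fixes none). Points are (x, y) tuples, None is infinity.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):                                        # affine addition on y^2 = x^3 + 7
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None        # p1 == -p2
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                                         # k x pt by double-and-add
    r, k = None, k % N
    while k:
        if k & 1: r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r

def enc(v):                                                # canonical bytes for h() inputs
    if isinstance(v, tuple): return v[0].to_bytes(32, "big") + v[1].to_bytes(32, "big")
    return v.to_bytes(32, "big") if isinstance(v, int) else v
def pt(bs): return (int.from_bytes(bs[:32], "big"), int.from_bytes(bs[32:64], "big"))
def h(*parts): return hashlib.sha256(b"".join(enc(v) for v in parts)).digest()  # h() = SHA-256
def hs(*parts): return int.from_bytes(h(*parts), "big") % N  # hash output used as a scalar
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def rnd(): return secrets.randbelow(N - 1) + 1

# Stand-in for the page's unspecified E_k(): HMAC-SHA256 keystream plus an HMAC tag.
def ks(key, nonce, n):
    return b"".join(hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]
def E(key, m):
    nonce = secrets.token_bytes(16); ct = xor(m, ks(key, nonce, len(m)))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, "sha256").digest()
def D(key, msg):
    nonce, ct, tag = msg[:16], msg[16:-32], msg[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, "sha256").digest()):
        raise ValueError("tag mismatch")
    return xor(ct, ks(key, nonce, len(ct)))

def register(ta, dev_id, t1):                              # Registration Phase (secure channel)
    r1 = secrets.token_bytes(32)
    a1 = hs(r1, ta["sv"], t1, dev_id); a2 = ec_mul(a1, G)
    a3 = xor(r1, h(ta["sv"]));         a5 = ec_mul(hs(a3, a2), G)      # A4 = h(A3 || A2)
    ta["db"][dev_id] = {"t1": t1, "a3": a3, "a5": a5}
    return a2                                              # the device stores A2

def device_ta_auth(ta, dev_id, a2):                        # Device-TA Authentication Phase
    r2 = rnd(); b1 = ec_mul(r2, G); b2 = h(b1, ec_mul(r2, a2))        # Step 1: AM1 = {B1, B2}
    rec = ta["db"][dev_id]; r1 = xor(rec["a3"], h(ta["sv"]))          # Step 2 (TA): R1 = A3 xor h(TASV)
    a1 = hs(r1, ta["sv"], rec["t1"], dev_id)
    if h(b1, ec_mul(a1, b1)) != b2: raise ValueError("AM1 rejected")  # R2 x A2 == A1 x B1
    r3 = rnd(); b3 = ec_mul(r3, G); b4 = h(b2, ec_mul(r3, rec["a5"])) # AM2 = {A3, B3, B4}
    a4 = hs(rec["a3"], a2)                                            # Step 3 (device): A4 = h(A3 || A2)
    if h(b2, ec_mul(a4, b3)) != b4: raise ValueError("AM2 rejected")  # R3 x A5 == A4 x B3
    c1 = h(b4, ec_mul(r2, b3)); q_st = h(b3, ec_mul(r2, b3))          # Step 4: AM3 = {C1, Q_ST}
    k = ec_mul(r3, b1)                                                # Step 5 (TA): R3 x B1 == R2 x B3
    if h(b4, k) != c1 or h(b3, k) != q_st: raise ValueError("AM3 rejected")
    ta["keys"][dev_id] = q_st     # AM3 carries Q_ST itself per the page; C1 alone would confirm it
    return q_st

def shd_md_auth(ta, md_id, shd_id, q_mt, q_st, now, dt=5):   # SHD-MD Authentication Phase
    r4 = rnd(); c2 = ec_mul(r4, G); c3 = r4 * hs(q_mt) % N            # Step 1 (MD)
    c4 = h(c2, ec_mul(c3, G)); amsm1 = enc(c2) + c4 + now.to_bytes(8, "big") + md_id
    if abs(now - int.from_bytes(amsm1[96:104], "big")) > dt: raise ValueError("stale T1")  # Step 2 (SHD)
    r5 = rnd(); d1 = ec_mul(r5, G)
    amsm2 = shd_id + E(q_st, amsm1 + enc(d1))                # under Q_ST, the key the SHD holds
    shd = amsm2[:8]; m = D(ta["keys"][shd], amsm2[8:])       # Step 3 (TA)
    c2r, c4r, t1r = pt(m[:64]), m[64:96], int.from_bytes(m[96:104], "big")
    mdr, d1r = m[104:112], pt(m[112:176])
    if mdr not in ta["keys"] or abs(now - t1r) > dt: raise ValueError("unknown MD or stale T1")
    s = hs(ta["keys"][mdr])                                  # h(Q_MT) as a scalar
    if h(c2r, ec_mul(s, c2r)) != c4r: raise ValueError("C4 mismatch")  # C4* = h(C2 || h(Q_MT) x C2)
    amsm3 = E(ta["keys"][shd], enc(d1r) + h(d1r, ec_mul(s, c2r)))      # E_Q_ST(D1, D2)
    m3 = D(q_st, amsm3); q_sm = h(c2, ec_mul(r5, c2))        # Step 4 (SHD): Q_SM held until AMSM5
    amsm4 = (pt(m3[:64]), m3[64:])                           # {D1, D2} to the MD in the clear
    d1m, d2m = amsm4                                         # Step 5 (MD): D2* = h(D1 || C3 x G)
    if h(d1m, ec_mul(c3, G)) != d2m: raise ValueError("D2 mismatch")
    q_ms = h(c2, ec_mul(r4, d1m)); amsm5 = E(q_ms, enc(c2))  # Step 6 (MD): Q_MS = h(C2 || R4 x D1)
    if D(q_sm, amsm5) != enc(c2): raise ValueError("AMSM5 rejected")  # Step 7 (SHD): key confirmation
    return q_ms, q_sm

def setup():
    """Register one SHD and one MD, run both Device-TA authentications, return the state."""
    ta = {"sv": secrets.token_bytes(32), "db": {}, "keys": {}}
    shd, md = b"shd-0001", b"md--0001"                       # constructed 8-byte identities
    a2 = {shd: register(ta, shd, 1000), md: register(ta, md, 1001)}
    q_st, q_mt = device_ta_auth(ta, shd, a2[shd]), device_ta_auth(ta, md, a2[md])
    return ta, shd, md, a2, q_st, q_mt
```

setup() plays the registration and both Device–TA runs; shd_md_auth() then returns (ℚMS, ℚSM), which must be equal. Every check the page describes as "the session is terminated" is rendered as a raised ValueError, so a device that presents another device's A2 is stopped at B2, and an MD that does not hold ℚMT is stopped at C4 by the TA.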

Security Analysis

In this section, both formal and informal security analyses are carried out to demonstrate the resilience of the proposed protocol against conventional smart home attacks.

Formal Security Analysis

The Burrows–Abadi–Needham logic (BAN logic) has proved to be the most widely deployed formal analysis model for the correctness of authentication and key negotiation protocols. The aim of the analysis here is therefore to demonstrate that this protocol attains mutual authentication and session key negotiation between the communicating entities. To achieve this, the notations in Table 2 are utilized.

Table 2 BAN Logic Notation

As shown in Table 2, eleven notations are critical during the execution of the BAN logic proofs (BLPs). On the other hand, Table 3 gives the BAN logic postulates that are applied during these security proofs.

Table 3 BAN Logic postulates

To show the existence of strong mutual authentication between SHD and MD, the following four goals are formulated:

Goal 1:\(\mathrm{MD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD};\)

Goal 2:\(\mathrm{MD}\left|\equiv \mathrm{SHD}\right|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD};\)

Goal 3:\(\mathrm{SHD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD};\)

Goal 4:\(\mathrm{SHD}\left|\equiv \mathrm{MD}\right|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD}.\)

The five messages that are exchanged during MD and SHD mutual authentication are thereafter translated into idealized format as follows:

MD → SHD: AMSM1 {C2, C4, IDMD,T1}

Idealized format: \({E}^{{R}_{4}}\), \({\langle {E}^{{R}_{4}}\rangle }_{{\mathbb{Q}}_{\mathrm{MT}}}\)

SHD → TA: AMSM2 {\({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(C2, C4, D1, IDMD, T1)}

Idealized format: {\({E}^{{R}_{4}}\),\({\langle {E}^{{R}_{4}}\rangle }_{{\mathbb{Q}}_{\mathrm{MT}}}{\}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)

TA → SHD: AMSM3 {\({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2)}

Idealized format: {\({E}^{{R}_{5}}\),\({\langle {E}^{{R}_{4}},{E}^{{R}_{5}}\rangle }_{{\mathbb{Q}}_{\mathrm{MT}}}{\}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)

SHD → MD: AMSM4 {D1, D2}

Idealized format: {\({E}^{{R}_{5}}\),\({\langle {E}^{{R}_{4}},{E}^{{R}_{5}}\rangle }_{{\mathbb{Q}}_{\mathrm{MT}}}\}\)

MD → SHD: AMSM5 {\({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2)}

Idealized format:\({\langle {E}^{{R}_{4}}\rangle }_{{\mathbb{Q}}_{\mathrm{MS}}}\)

For effective proofs using the BAN logic, the following Initial Assumptions (IAs) are then made:

IA1: MD \(|\equiv\) MD \(\stackrel{{\mathbb{Q}}_{\mathrm{MT}}}{\leftrightarrow }\) TA

IA2: MD \(|\equiv \mathrm{MD}{}_{\leftrightharpoons }{}^{ {\mathbb{Q}}_{\mathrm{MT}}}\mathrm{ TA}\)

IA3: SHD \(|\equiv\) SHD \(\stackrel{{\mathbb{Q}}_{\mathrm{ST}}}{\leftrightarrow }\) TA

IA4: SHD \(|\equiv\) \(\mathrm{SHD}{}_{\leftrightharpoons }{}^{ {\mathbb{Q}}_{\mathrm{ST}}}\mathrm{ TA}\)

IA5: TA \(|\equiv\) MD \(\stackrel{{\mathbb{Q}}_{\mathrm{MT}}}{\leftrightarrow }\) TA

IA6: TA \(|\equiv\) \(\mathrm{MD}{}_{\leftrightharpoons }{}^{ {\mathbb{Q}}_{\mathrm{MT}}}\mathrm{ TA}\)

IA7: TA \(|\equiv\) SHD \(\stackrel{{\mathbb{Q}}_{\mathrm{ST}}}{\leftrightarrow }\) TA

IA8: TA \(|\equiv\) \(\mathrm{SHD}{}_{\leftrightharpoons }{}^{ {\mathbb{Q}}_{\mathrm{ST}}}\mathrm{ TA}\)

IA9: MD \(|\equiv\) \(\mathrm{SHD}\Rightarrow\) R5

IA10: MD \(|\equiv\) \(\mathrm{SHD}\Rightarrow {\mathrm{E}}^{{\mathrm{R}}_{5}}\)

IA11: SHD \(|\equiv\) \(\mathrm{MD}\Rightarrow\) R4

IA12: SHD \(|\equiv\) \(\mathrm{MD}\Rightarrow {\mathrm{E}}^{{\mathrm{R}}_{4}}\)

IA13: If MD \(|\equiv\) TA \(|\equiv\) N then MD \(|\equiv\) SHD \(|\equiv\) N.

Afterwards, the BAN logic notations, rules, idealized messages and initial assumptions are deployed to execute the BAN logic proofs as follows:

Since the MD is charged with the generation of random number R4, then:

BLP1: MD \(|\equiv\) R4.

Applying RR to the MD’s selection of random number R4, BLP2 is obtained:

BLP2: MD \(|\equiv\) #(R4).

The application of FPR2 to BLP2 yields BLP3:

BLP3: MD \(|\equiv\) # (\({\mathrm{E}}^{{\mathrm{R}}_{4}}\)).

Since the random number R5 is generated by the SHD, then:

BLP4: SHD \(|\equiv\) R5.

The application of RR to the SHD’s selection of random number R5, BLP5 is obtained:

BLP5: SHD \(|\equiv\) # (R5).

Using FPR2 in BLP5 results in BLP6:

BLP6: SHD \(|\equiv\) # (\({\mathrm{E}}^{{\mathrm{R}}_{5}}\)).

Based on message AMSM4, it is clear that:

BLP7: MD \(\triangleleft \{E^{R_5}, \langle E^{R_4}, E^{R_5}\rangle_{\mathbb{Q}_{\mathrm{MT}}}\}\).

The application of SER1 to BLP7 yields BLP8:

BLP8: MD \(\triangleleft \langle E^{R_4}, E^{R_5}\rangle_{\mathbb{Q}_{\mathrm{MT}}}\).

Using MMR3 in IA2 and BLP8 yields BLP9:

BLP9: MD \(|\equiv\) TA \(|\sim (E^{R_4}, E^{R_5})\).

Applying FPR1 to BLP3 results in BLP10:

BLP10: MD \(|\equiv \#(E^{R_4}, E^{R_5})\).

To obtain BLP11, NVR is applied to both BLP9 and BLP10:

BLP11: MD \(|\equiv\) TA \(|\equiv (E^{R_4}, E^{R_5})\).

Applying BR1 to BLP11 gives BLP12 and BLP13:

BLP12: MD \(|\equiv\) TA \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{4}},\)

BLP13: MD \(|\equiv\) TA \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{5}}.\)

Considering IA13, BLP12 and BLP13, it is evident that:

BLP14: MD \(|\equiv\) SHD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{4}},\)

BLP15: MD \(|\equiv\) SHD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{5}}.\)

Applying JR to BLP15 and IA10 yields BLP16:

BLP16: MD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{5}}.\)

Since session key ℚMS can be expressed as ℚMS = h (\({\mathrm{E}}^{{\mathrm{R}}_{4}}\)||\({\mathrm{E}}^{{{\mathrm{R}}_{4}\mathrm{R}}_{5}}\)), then based on both BLP2 and BLP16:

BLP17: MD \(|\equiv\) # (ℚMS).

Applying SKR to BLP15 and BLP17 results in BLP18:

BLP18: \(\mathrm{MD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD}\), and as such, Goal 1 is attained.

To obtain BLP19, BR2 is applied to BLP15:

BLP19: MD \(|\equiv\) SHD \(|\equiv\) R5.

On the other hand, BLP20 is easily obtained from BLP14 and BLP19:

BLP20:\(\mathrm{MD}|\equiv \mathrm{SHD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD}\), achieving Goal 2.

Based on the difficulty of solving both the elliptic curve discrete logarithm and the elliptic curve Diffie–Hellman problems, then the belief of MD and SHD can be expressed as in BLP21 and BLP22:

BLP21: MD \(|\equiv\) MD \(\stackrel{E^{R_4R_5}}{\leftrightharpoons}\) SHD,

BLP22: SHD \(|\equiv\) MD \(\stackrel{E^{R_4R_5}}{\leftrightharpoons}\) SHD.

Regarding idealized message AMSM5, it can be re-written as:

AMSM5*: \(\langle E^{R_4}, E^{R_5}\rangle_{E^{R_4R_5}}\)

Based on AMSM5*, BLP23 can be obtained:

BLP23: SHD \(\triangleleft \langle E^{R_4}, E^{R_5}\rangle_{E^{R_4R_5}}\).

Using MMR3 in both BLP22 and BLP23, it is clear that:

BLP24: SHD \(|\equiv\) \(\mathrm{MD}\)|\(\sim\) (\({\mathrm{E}}^{{\mathrm{R}}_{4}},{\mathrm{E}}^{{\mathrm{R}}_{5}}\)).

On the other hand, using FPR1 in BLP6 results in BLP25:

BLP25: SHD \(|\equiv\) \(\#\)(\({\mathrm{E}}^{{\mathrm{R}}_{4}},{\mathrm{E}}^{{\mathrm{R}}_{5}}\)).

To obtain BLP26, NVR is applied to both BLP24 and BLP25:

BLP26: SHD \(|\equiv\) MD \(|\equiv\) (\({\mathrm{E}}^{{\mathrm{R}}_{4}},{\mathrm{E}}^{{\mathrm{R}}_{5}}\)).

Applying BR1 to BLP26 gives BLP27 and BLP28:

BLP27: SHD \(|\equiv\) MD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{4}}.\)

BLP28: SHD \(|\equiv\) MD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{5}}.\)

The application of JR to both BLP27 and IA12 yields BLP29:

BLP29: SHD \(|\equiv\) \({\mathrm{E}}^{{\mathrm{R}}_{4}}.\)

Since the session key can be expressed as ℚMS = h (\({\mathrm{E}}^{{\mathrm{R}}_{4}}\)||\({\mathrm{E}}^{{{\mathrm{R}}_{4}\mathrm{R}}_{5}}\)), then based on both BLP6 and BLP29, BLP30 is obtained:

BLP30: SHD \(|\equiv\) # (ℚMS).

In addition, using SKR in both BLP27 and BLP30 results in BLP31:

BLP31: \(\mathrm{SHD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD}\), effectively attaining Goal 3.

Applying BR2 to BLP27 results in BLP32:

BLP32: SHD \(|\equiv\) MD \(|\equiv\) R4.

Based on both BLP28 and BLP32, BLP33 is obtained:

BLP33:\(\mathrm{SHD}|\equiv \mathrm{MD}|\equiv \mathrm{MD}\stackrel{ {\mathbb{Q}}_{\mathrm{MS}} }{\leftrightarrow }\mathrm{SHD}\), hence Goal 4 is realized.

The successful attainment of all the four goals formulated earlier shows the existence of mutual authentication between the MD and the SHD. In addition, it demonstrates the existence of a session key that enciphers traffic exchanged between these entities.

Informal Security Analysis

In this section, it is shown that the proposed scheme is secure under the Canetti–Krawczyk (CK) threat model, whose assumptions are given in [7]. To this end, the following lemmas are formulated and proved.

Lemma 1

The proposed algorithm prevents man-in-the-middle attacks.

Proof

The goal of this attack is to capture the exchanged messages, modify them and forward them to the unsuspecting receivers. Suppose that the attacker has captured parameters C2, C4, D1 and D2. Here, C2 = R4 × G, C4 = h (C2||C3 × G), D1 = R5 × G and D2 = h (D1||h (ℚMT) × C2). Next, the adversary tries to construct messages AMSM1 = {C2, C4, IDMD, T1}, AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD, T1), AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2), AMSM4 = {D1, D2} and AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2). Clearly, the construction of valid messages requires additional parameters: the random numbers R4 and R5, the MD's real identity, the MD–TA session key ℚMT, the SHD–TA session key ℚST and the SHD–MD session key ℚMS. Since these security parameters are unavailable to the adversary, the attack fails. In addition, the derivation of R4 from C2 is computationally infeasible, since it amounts to solving the elliptic curve discrete logarithm problem.

Lemma 2

The communicating entities are properly authenticated to each other.

Proof

In this protocol, upon receiving message AMSM2 from the SHD, the TA uses ℚMT to decrypt it. Afterwards, it retrieves the SHD and MD records from its database to determine whether the two had registered and authenticated themselves with it. In addition, the TA authenticates the SHD by checking whether C4*\(\stackrel{?}{=}\) C4. On the other hand, on obtaining message AMSM4 from the SHD, the MD re-computes D2* = h (D1||C3 × G) and compares it with the parameter D2 it received in AMSM4. Only a legitimate TA can derive D2 using ℚMT before forwarding it to the SHD. Consequently, the MD is confident that the SHD is a legitimate entity and not a masquerading one.

Lemma 3

Packet replay attacks are effectively thwarted in this scheme.

Proof

The purpose of this attack is to intercept transmitted messages, store them and re-transmit them later to the intended receivers. Suppose that an adversary captures message AMSM1 = {C2, C4, IDMD, T1} sent from the MD to the SHD. After some time, the attacker re-sends it to the SHD in an effort to make the SHD believe that the MD is requesting another communication session. However, any replayed message will fail the freshness check on T1 at the SHD, which bounds the difference between its own clock and T1 by the stored delay tolerance time. Similarly, any adversarial effort to replay message AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD, T1) will be detected at the TA using T1. As such, the proposed protocol is robust against packet replay attacks.
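The freshness check above has one edge case a practitioner must handle: a copy of AMSM1 replayed within the delay tolerance window still carries an acceptable T1, so the clock comparison alone does not reject it. The following Python, added here as an illustration and not part of the paper, implements the SHD-side check with both the clock comparison and a short-lived cache of accepted (IDMD, T1) pairs; the Unix-seconds timestamps, the 30 s tolerance and the arrival sequence are constructed assumptions.

```python
"""Added example: the freshness check an SHD applies to AMSM1 = {C2, C4, ID_MD, T1}.
Assumptions, not taken from the paper: T1 is a Unix time in seconds, the delay
tolerance is 30 s, and the SHD remembers (ID_MD, T1) pairs it has accepted for as
long as they could still pass the clock check."""

DELAY_TOLERANCE_S = 30  # assumed value of the stored delay tolerance time


class FreshnessChecker:
    def __init__(self, tolerance_s=DELAY_TOLERANCE_S):
        self.tolerance = tolerance_s
        self.accepted = {}  # (ID_MD, T1) -> T1, for replay detection inside the window

    def _evict(self, now):
        # Entries whose T1 is older than the window can never pass the clock check
        # again, so they no longer need to be remembered.
        stale = [k for k, t1 in self.accepted.items() if t1 < now - self.tolerance]
        for k in stale:
            del self.accepted[k]

    def check(self, id_md, t1, now):
        """Return (accepted, reason) for an AMSM1 with identity id_md and timestamp t1."""
        self._evict(now)
        if abs(now - t1) > self.tolerance:
            return False, "stale"   # outside the delay tolerance window
        if (id_md, t1) in self.accepted:
            return False, "replay"  # same message already accepted inside the window
        self.accepted[(id_md, t1)] = t1
        return True, "fresh"


def replay_scenario():
    """Constructed sequence of AMSM1 arrivals at one SHD (sample data, not measured)."""
    shd = FreshnessChecker()
    events = [
        ("MD1", 1000, 1002),  # genuine request, 2 s of network delay
        ("MD1", 1000, 1010),  # captured copy replayed 8 s later: inside the window
        ("MD1", 1000, 1100),  # the same copy replayed 100 s later: fails the clock check
        ("MD1", 1090, 1101),  # fresh request from the same MD with a new T1
        ("MD2", 1000, 1101),  # old T1 presented by a different MD: also stale
    ]
    return [shd.check(*e)[1] for e in events]


if __name__ == "__main__":
    print(replay_scenario())
```

The cache only needs to hold entries for one tolerance window, which is why the memory cost stays small; the second event in the scenario is the case the clock check alone would miss.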

Lemma 4

This protocol offers backward and forward key secrecy.

Proof

At the SHD, the session key ℚSM is derived as ℚSM = h (C2||R5 × C2), where C2 = R4 × G. Similarly, the session key ℚMS is computed as ℚMS = h (C2||R4 × D1) at the MD, where D1 = R5 × G. Since R5 × C2 = R4 × D1 = R4R5 × G, the two keys are equal. Evidently, these session keys incorporate the random numbers R4 and R5, which are freshly chosen for every session, so different sessions have different keys. Consequently, the capture of the current session key does not facilitate the derivation of the keys used in previous or subsequent sessions, and an attacker holding a captured session key cannot use it to decrypt the messages of previous or subsequent communication sessions.

Lemma 5

Privileged insider attacks are prevented in this scheme.

Proof

In this protocol, the trusted authority mediates the authentication and key agreement between the MD and the SHD. In this attack, it is assumed that the TA is a privileged entity that may attempt to derive the MD-SHD session keys using the security parameters it has access to. Here, the SHD derives session key ℚSM, where ℚSM = h (C2||R5 × C2) and C2 = R4 × G. On the other hand, the MD computes session key ℚMS, where ℚMS = h (C2||R4 × D1) and D1 = R5 × G. Evidently, the derivation of session keys ℚSM and ℚMS requires random numbers R4 and R5. Here, random number R4 is generated at the MD while random number R5 is generated at the SHD. As such, although the TA supervises the authentication between the MD and SHD, it cannot derive the session keys for traffic enciphering between the two entities. Consequently, it is unable to encrypt or decrypt the exchanged messages between the MD and the SHD.
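Lemmas 4 and 5 rest on the same computation: both ends of the MD–SHD exchange arrive at h(C2||R4R5 × G) from their own random number and the other side's public point, while the TA only ever sees C2 and D1. The following Python, added here as an example and not taken from the paper, runs that computation end to end. The curve (secp256k1), the hash (SHA-256) and the point encoding (32-byte x followed by 32-byte y) are assumptions, since the paper does not fix them; the function names are likewise chosen here.

```python
"""Added example of the MD-SHD session key agreement described in Lemmas 4 and 5.
Assumptions that the paper does not fix: the curve is secp256k1, h is SHA-256,
and a point is hashed as its 32-byte x followed by its 32-byte y."""
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over F_P, base point G of prime order N
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None denotes the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Scalar multiplication k x pt by double-and-add (not constant-time; demo only)."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def h(*parts):
    """One-way hash h(a||b||...), instantiated here with SHA-256."""
    return hashlib.sha256(b"".join(parts)).digest()


def enc(pt):
    """Point encoding used inside h: 32-byte x || 32-byte y (assumption)."""
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")


def md_key(r4, c2, d1):
    """MD side: Q_MS = h(C2 || R4 x D1)."""
    return h(enc(c2), enc(ec_mul(r4, d1)))


def shd_key(r5, c2):
    """SHD side: Q_SM = h(C2 || R5 x C2)."""
    return h(enc(c2), enc(ec_mul(r5, c2)))


def run_session(r4=None, r5=None):
    """One MD-SHD run. Returns (Q_MS, Q_SM, the TA's view of the exchange)."""
    r4 = r4 or secrets.randbelow(N - 1) + 1     # chosen by the MD
    r5 = r5 or secrets.randbelow(N - 1) + 1     # chosen by the SHD
    c2 = ec_mul(r4, G)                          # sent in AMSM1, relayed in AMSM2
    d1 = ec_mul(r5, G)                          # sent in AMSM2/AMSM3/AMSM4
    # The TA decrypts AMSM2 with Q_MT and builds AMSM3 with Q_ST, so it sees
    # C2 and D1, but R4 and R5 never leave the MD and the SHD respectively;
    # recovering either from C2 or D1 is the ECDLP (Lemma 5).
    ta_view = {"C2": c2, "D1": d1}
    return md_key(r4, c2, d1), shd_key(r5, c2), ta_view


if __name__ == "__main__":
    q_ms, q_sm, view = run_session()
    print("keys agree:", q_ms == q_sm, "| TA sees only:", sorted(view))
    print("fresh session gives a different key:", run_session()[0] != q_ms)
```

Two runs with fresh R4 and R5 produce unrelated keys, which is the forward and backward secrecy argument of Lemma 4 made concrete; the TA's view never includes a scalar, which is the privileged-insider argument of Lemma 5.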

Lemma 6

The proposed protocol is robust against session hijack and denial of service attacks.

Proof

The ultimate objective of these attacks is to cut off the communication between the MD or SHD and the TA. To carry out this attack, an adversary tries to derive the legitimate session keys ℚMT and ℚST. Here, ℚST = h (B3||R2 × B3) and B3 = R3 × G; the session key between the MD and the TA is derived in a similar manner. Clearly, the derivation of either session key requires knowledge of the random numbers R2 and R3, where R2 is generated at the SHD (respectively the MD) while R3 is generated at the TA. As such, adversarial computation of these session keys fails due to the difficulty of deriving R3 from B3. Suppose instead that an attacker attempts to construct the authentication messages AM1 = {B1, B2}, AM2 = {A3, B3, B4} and AM3 = {C1, ℚST}, where A1 = h (R1||TASV||T1||IDSHD), A2 = A1 × G, A3 = R1 ⊕ h (TASV), A4 = h (R1 ⊕ h (TASV)||A2), A5 = A4 × G, B1 = R2 × G, B2 = h (B1||R2 × A2), B3 = R3 × G, B4 = h (B2*||R3 × A5), B4* = h (B2||A4 × B3), C1 = h (B4*||R2 × B3) and ℚST = h (B3||R2 × B3). It is evident that, in addition to the random numbers R1, R2 and R3, the attacker needs the TA's secret value TASV, the timestamp T1 and the SHD's unique identity IDSHD to construct these messages. Since all these parameters are unavailable to the adversary, the construction of these messages fails. Therefore, the sessions of the MD and SHD are sufficiently protected and cannot be hijacked. Ultimately, availability is upheld and remote users are able to access the sensed data at any time and from any location.

Lemma 7

Impersonation attacks are prevented in this protocol.

Proof

The aim of these attacks is to send connection requests using the identities of other network entities. Suppose that an adversary wants to impersonate the SHD and send connection request AM1 to the TA. Here, AM1 = {B1, B2}, B1 = R2 × G, B2 = h (B1||R2 × A2), A2 = A1 × G and A1 = h (R1||TASV||T1||IDSHD). It is clear that, to construct a legitimate connection request AM1, the adversary requires the TA's secret value TASV, the timestamp T1, the SHD's unique identity IDSHD and the random numbers R1 and R2. In this protocol, the one-way hash prevents an attacker from recovering T1, TASV and IDSHD from parameter A1: although hash functions can have collisions, finding one reveals nothing about the hashed inputs, so the protected data remains secure. On the other hand, the stochastic nature of the random numbers makes it computationally infeasible for the attacker to guess them with any useful success probability.

Lemma 8

This protocol preserves the confidentiality and integrity of the communication process.

Proof

To uphold confidentiality, every exchanged message that carries a secret parameter is enciphered using the derived session keys, and these session keys can only be derived by the communicating devices after a successful mutual authentication process. For instance, authentication message AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD, T1) is encrypted using the session key shared between the MD and the TA (ℚMT). Similarly, authentication message AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2) is enciphered using the session key shared between the SHD and the TA (ℚST). On the other hand, authentication message AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2) is encrypted using the session key shared between the SHD and the MD (ℚMS). As such, the enciphered parameters cannot be modified in transit without detection, and their integrity is preserved. Note that this holds when E is an authenticated encryption mode, or the ciphertext is accompanied by a message authentication code, since unauthenticated encryption on its own does not reveal modification of the ciphertext; for the plaintext messages AMSM1 and AMSM4, integrity rests on the hash checks C4* ≟ C4 and D2* ≟ D2 of Lemma 2.
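The step from confidentiality to integrity in Lemma 8 depends on what E is. The following Python, added here as an illustration and not part of the paper, shows the difference on the AMSM5 payload: a toy unauthenticated stream cipher (SHA-256 in counter mode XORed with the plaintext, an assumption standing in for the scheme's unspecified E) accepts a bit-flipped ciphertext and hands the MD a modified C2, while the same cipher wrapped in encrypt-then-MAC with HMAC-SHA256 rejects it. The key-splitting labels, nonce length and the constructed 64-byte C2 are choices made here.

```python
"""Added example: why Lemma 8's integrity claim needs authenticated encryption.
The toy cipher below (SHA-256 in counter mode, XORed with the plaintext) is an
assumption standing in for the scheme's unspecified E; the observation holds for
any unauthenticated stream or CTR mode."""
import hashlib
import hmac


def keystream(key, nonce, length):
    """Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauth(key, nonce, pt):
    return xor(pt, keystream(key, nonce, len(pt)))


def decrypt_unauth(key, nonce, ct):
    # Decryption can never fail: any ciphertext decrypts to *some* plaintext.
    return xor(ct, keystream(key, nonce, len(ct)))


def derive_keys(session_key):
    """Split one session key into independent encryption and MAC keys (labels assumed)."""
    k_enc = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    k_mac = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return k_enc, k_mac


def encrypt_etm(session_key, nonce, pt):
    """Encrypt-then-MAC: the tag covers the nonce and the ciphertext."""
    k_enc, k_mac = derive_keys(session_key)
    ct = encrypt_unauth(k_enc, nonce, pt)
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_etm(session_key, nonce, blob):
    k_enc, k_mac = derive_keys(session_key)
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("AMSM5 tag mismatch: message modified in transit")
    return decrypt_unauth(k_enc, nonce, ct)


def flip_bit(data, bit_index):
    """Attacker's in-transit modification: flip a single ciphertext bit."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)


def demo(session_key=b"\x11" * 32, nonce=b"\x00" * 12):
    """Return (unauthenticated flip went undetected, encrypt-then-MAC rejected it)."""
    c2 = bytes(range(64))                  # constructed stand-in for the encoded point C2
    ct = encrypt_unauth(session_key, nonce, c2)
    forged = decrypt_unauth(session_key, nonce, flip_bit(ct, 0))
    silently_accepted = forged != c2       # MD now holds a different C2 and cannot tell
    try:
        decrypt_etm(session_key, nonce, flip_bit(encrypt_etm(session_key, nonce, c2), 0))
        rejected = False
    except ValueError:
        rejected = True
    return silently_accepted, rejected


if __name__ == "__main__":
    print(demo())
```

With an AEAD such as AES-GCM or ChaCha20-Poly1305 the tag is part of the mode itself; the encrypt-then-MAC construction above is the same guarantee built from primitives available in the standard library.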

Lemma 9

Offline dictionary attacks are thwarted in this scheme.

Proof

The goal of an adversary in this attack is to capture the exchanged messages, attempt to discern sensitive information from them and then use what is learned to compute the session keys ℚSM, ℚMS, ℚST and ℚMT. Here, ℚST = h (B3||R2 × B3), ℚSM = h (C2||R5 × C2) and ℚMS = h (C2||R4 × D1). The messages exchanged between the MD and SHD are AMSM1 = {C2, C4, IDMD, T1}, AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD, T1), AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2), AMSM4 = {D1, D2} and AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2). Both ℚST and ℚMT were derived in the earlier device–TA authentication phase, so the attacker lacks the random number R2 and the security parameter B3 needed to derive them, and the one-way hash function makes it infeasible to recover these two parameters by inversion. Although messages AMSM1 and AMSM4 are transmitted in plaintext, they do not contain the random numbers R4 and R5 required to derive session keys ℚMS and ℚSM. Consequently, the proposed protocol is resilient against offline dictionary (guessing) attacks.

Lemma 10

The proposed protocol is robust against stolen verifier attacks.

Proof

Suppose that an attacker manages to steal the session keys ℚSM and ℚMS used to encrypt and decrypt traffic between the MD and the SHD. An attempt may then be made to derive the session keys ℚMT and ℚST that secure device–TA communication. Here, ℚMS = h (C2||R4 × D1), ℚSM = h (C2||R5 × C2) and ℚST = h (B3||R2 × B3). Evidently, the captured session keys can be used to encrypt and decrypt MD–SHD traffic of the current session only; they cannot be used in past or subsequent sessions, because the random numbers R4 and R5 make the session keys different for every session. The one-way hashing operation also prevents an attacker from recovering R4, R5 or any other secret from the captured keys for use in further verifications. It is also evident that deriving ℚST requires the random number R2 and the security parameter B3, neither of which can be obtained from the captured session keys.

Performance Evaluation

In this section, the lightweight nature of the proposed algorithm is demonstrated. To accomplish this, performance metrics such as computation and communication overheads, memory requirements and energy consumption are used. In addition, experiments are run to investigate energy consumption variations under different transmission loads. Moreover, the security features provided by this scheme are compared with the ones offered by other related schemes.

Computation Overhead

In this sub-section, the execution time of the various cryptographic primitives during the MD–SHD mutual authentication is taken into consideration. During this phase, only three cryptographic operations are executed. These are elliptic curve point multiplication (TEP), symmetric encryption and decryption (TSED), and one-way hash function (TH). At the MD, 4TH + 3TEP + 4TSED operations are carried out. On the other hand, 1TH + 2TEP + 14TSED operations are executed at the SHD. Similarly, 4TH + 2TEP + 14TSED operations are carried out at the TA. As such, the total computation overhead of this algorithm is 9TH + 7TEP + 32TSED. Based on the values in [2], Table 4 gives the execution time for the various cryptographic primitives.

Table 4 Cryptographic primitives execution time

Based on the values in Table 4, the total computation overhead in the proposed protocol is 3.728 ms. On the other hand, Table 5 presents the computation overheads of other related schemes.

Table 5 Computation overheads

As shown in Fig. 4, the protocol in [39] has the highest computation overhead of 7.84 ms, followed by the protocol in [24] with an execution time of 6.93 ms. The proposed scheme is third, followed by the schemes in [35, 43] and then the schemes in [2] and [25]. Although the schemes in [2] and [25] have low computation complexities, they have a number of security issues. For instance, the scheme in [2] is vulnerable to session hijacking, privileged insider, packet replay, offline dictionary and stolen verifier attacks. In addition, its design does not consider confidentiality, integrity and MitM attacks. Similarly, the scheme in [25] fails to consider MitM, integrity and confidentiality in its design. On its part, the protocol in [35] cannot withstand DoS attacks.

Fig. 4
figure 4

Computation overheads

In addition, its design fails to consider communication integrity and confidentiality, as well as attack models such as offline dictionary, privileged insiders and session hijacking. Similarly, the protocol in [43] cannot offer confidentiality, integrity and protection against session hijacking attacks.

Communication Overheads

In this section, the bandwidth requirement of the proposed scheme is derived. During MD and SHD mutual authentication, messages AMSM1, AMSM2, AMSM3, AMSM4 and AMSM5 are exchanged. Here, AMSM1 = {C2, C4, IDMD, T1}, AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD,T1), AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2), AMSM4 = {D1, D2} and AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2). Table 6 gives the output sizes of the various cryptographic primitives.

Table 6 Cryptographic output sizes

Using the values in Table 6, the derivation of the communication overheads of the proposed scheme is carried out as shown in Table 7. Based on these derivations, the cumulative communication overhead of this scheme is 1472 bits.

Table 7 Message sizes derivations

The communication costs of the protocols in [2, 24, 25, 35, 39] and [43] are 1728 bits, 3296 bits, 1856 bits, 794 bits, 986 bits and 2304 bits, respectively, as shown in Table 8.

Table 8 Communication overheads

Based on the values in Fig. 5, the protocol in [24] has the highest communication overhead, followed by the schemes in [43], [25] and [2]. The proposed protocol has the third lowest communication cost, followed by the protocols in [39] and [35], respectively.

Fig. 5
figure 5

Communication overheads

Although the protocol in [35] has the lowest communication costs, it is susceptible to DoS attacks. In addition, it does not consider attack models such as offline dictionary, privileged insiders and session hijacking. Moreover, communication integrity and confidentiality are never catered for in this scheme. On the other hand, the scheme in [39] is vulnerable to packet replay attacks. In addition, it cannot offer key secrecy as well as communication integrity and confidentiality.

Memory Requirements

The number of bytes stored during the MD and SHD authentication process is considered in this section. Here, each device is required to store only the session key shared with the other device: the MD stores ℚMS while the SHD stores ℚSM. For packet replay prevention, the delay tolerance time may also need to be stored in both the SHD and MD. Based on the values in [47], ℚSM = ℚMS = 160 bits, while the timestamps T1 = T2 = T3 = 32 bits. As such, both the SHD and MD require 192 bits of storage each, which is equivalent to 24 bytes. Consequently, the total memory requirement of this protocol during MD–SHD mutual authentication is 48 bytes, as shown in Table 9.

Table 9 Memory Requirements

It is evident from Fig. 6 that the protocol in [24] has the largest memory requirements. This is followed by the schemes in [39] and [2], respectively. On the other hand, the proposed scheme together with the protocols in [25] and [43] have the lowest memory requirements.

Fig. 6
figure 6

Memory requirements

As such, the proposed scheme together with these two other protocols put the least strain on the sensor memory. Consequently, they are the most suitable for deployments in smart home networks.

Energy Consumptions

In this section, the number of bits exchanged during the mutual authentication and key agreement between the MD and the SHD are deployed to derive the energy consumption of these two devices. The messages transmitted and received are as follows.

MD → SHD: AMSM1 = {C2, C4, IDMD, T1}

SHD → TA: AMSM2 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MT}}}\)(C2, C4, D1, IDMD,T1)

TA → SHD: AMSM3 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{ST}}}\)(D1, D2)

SHD → MD: AMSM4 = {D1, D2}

MD → SHD: AMSM5 = \({\mathrm{E}}_{{\mathbb{Q}}_{\mathrm{MS}}}\)(C2)

Based on the values in Table 7, AMSM1 = 416 bits, AMSM2 = 256, AMSM3 = 256, AMSM4 = 288, and AMSM5 = 256. As such, the MD sends and receives a total of 672 bits and 288 bits, respectively. On the other hand, the TA sends and receives 256 bits in each case. However, the SHD sends and receives 544 bits and 928 bits, respectively. As pointed out in [42], single-bit transmission and reception on TelosB requires 0.00072 mJ and 0.00081 mJ, respectively. Using these values, Table 10 presents the energy consumptions of these three entities.
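The per-entity totals above and the two per-bit costs are all that Table 10 needs. The following Python, added here as an example and not the paper's code, models the five messages as (sender, receiver, size) records and derives the bits and millijoules per entity from the page's own figures; the function names, the rounding to five decimals and the `heavier_on_receive` summary are choices made here.

```python
"""Added example: per-entity traffic and radio energy for the MD-SHD phase,
computed from the message sizes in Table 7 and the TelosB per-bit costs cited
from [42]. Not part of the paper; it reproduces the numbers given in the text."""

TX_MJ_PER_BIT = 0.00072   # TelosB transmit cost per bit (from the text)
RX_MJ_PER_BIT = 0.00081   # TelosB receive cost per bit (from the text)

# (message, sender, receiver, size in bits), as given in the text
MESSAGES = [
    ("AMSM1", "MD", "SHD", 416),
    ("AMSM2", "SHD", "TA", 256),
    ("AMSM3", "TA", "SHD", 256),
    ("AMSM4", "SHD", "MD", 288),
    ("AMSM5", "MD", "SHD", 256),
]


def total_bits(messages=MESSAGES):
    """Cumulative communication overhead of the phase."""
    return sum(size for _, _, _, size in messages)


def traffic(messages=MESSAGES):
    """Bits sent and received per entity: {entity: (tx_bits, rx_bits)}."""
    tx, rx = {}, {}
    for _, src, dst, size in messages:
        tx[src] = tx.get(src, 0) + size
        rx[dst] = rx.get(dst, 0) + size
    return {e: (tx.get(e, 0), rx.get(e, 0)) for e in sorted(set(tx) | set(rx))}


def energy_mj(messages=MESSAGES, tx_cost=TX_MJ_PER_BIT, rx_cost=RX_MJ_PER_BIT):
    """Radio energy per entity in mJ: {entity: (tx_mJ, rx_mJ)}."""
    return {e: (round(t * tx_cost, 5), round(r * rx_cost, 5))
            for e, (t, r) in traffic(messages).items()}


def heavier_on_receive(messages=MESSAGES):
    """Entities that spend more on receiving than on sending: the ones a flood
    of requests hurts most, which is the DoS asymmetry discussed in the text."""
    return {e for e, (tx, rx) in energy_mj(messages).items() if rx > tx}


if __name__ == "__main__":
    print("total bits:", total_bits())
    for entity, (tx, rx) in energy_mj().items():
        print(f"{entity}: tx {tx} mJ, rx {rx} mJ")
    print("receive-heavy:", sorted(heavier_on_receive()))
```

The same model extends to the device–TA phase once its message sizes are known; only the `MESSAGES` list changes.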

Table 10 Energy consumptions

Based on the values in Table 10, the MD consumes more energy to send requests than to receive and process them. On the other hand, both the SHD and the TA consume more energy to receive and process requests than to send them. Under an active DoS attack, the MD is therefore the least affected entity while the SHD is the most affected, because the SHD commits more resources than the MD to processing and authenticating incoming requests. To further investigate the effect of concurrent requests on energy consumption, experiments were run in Python. The host machine was an Intel i5-4210U (1.70 GHz × 4) with 4 GB RAM running Windows 10 Pro 64-bit. Figure 7 shows the variation of energy consumption as a function of the number of concurrent requests and the number of SHDs.

Fig. 7
figure 7

Energy variations at varying loads

As shown in Fig. 7, as the number of SHDs increases there is a corresponding increase in energy consumption, attributed to the increased processing at the terminals. It is also evident that, at a given SHD density, more energy is consumed as the number of concurrent requests grows.

Security Features

To appreciate the security features offered by the proposed scheme, comparisons are made with other related schemes in Table 11. The scheme in [2] supports only 5 security features, while the protocol in [35] offers 7. The schemes in [24], [25], [39] and [43] provide 8, 8, 10 and 10 security features, respectively.

Table 11 Security features

On the other hand, the proposed scheme supports 14 security features, which is the highest number. As such, although this scheme has relatively higher computation and communication overheads, it is the most secure among all these other schemes.

Conclusion

Smart homes introduce convenience, comfort and energy efficiency through automated management and control of activities. However, security and privacy challenges are pertinent setbacks that may hamper their adoption. Although many authentication techniques have been developed to address these issues, these schemes have performance challenges, and none of them addresses all the required security and privacy goals. Consequently, security and privacy provisioning in smart homes remains a challenging issue. The presented scheme has been shown to have computation and communication overheads lower than those of most of the related schemes considered, and its memory requirement is the lowest among them, shared with two other protocols. Security features such as strong mutual authentication, backward and forward key secrecy, session key agreement and the preservation of both integrity and confidentiality make it attractive for deployment in smart homes, and its resilience against impersonation, denial of service, session hijacking, privileged insider, packet replay, man-in-the-middle, offline dictionary and stolen verifier attacks renders it superior to the related schemes. Future work will involve evaluating the proposed scheme against attack models and performance metrics that were outside the scope of this paper, as well as developing techniques for reducing its communication and computation costs.