An Improved Authenticated Key Agreement Protocol for IoT and Cloud Server

Abstract

The internet of things (IoT) is a complex network system with applications in all walks of life. However, there are various risks in the process of information transmission between IoT devices and servers. Recently, research on the security of authenticated key agreement (AKA) protocols in the IoT environment has gradually increased. Iqbal et al. proposed an AKA protocol between IoT and cloud servers and proved that it was secure under the eCK model. This paper shows that the Iqbal et al.’s protocol has two security flaws, which are resisting ephemeral key leakage attack and key compromise impersonation attack, and proposes a new AKA protocol in the IoT environment. Through the security proof and formal analysis, it is proved that the new protocol is secure under the eCK model. Comparing the protocol proposed in this paper with other similar protocols, it is found that the protocol in this paper achieves a balance between security performance and communication consumption.

1 Introduction

1.1 Related Work

The internet of things (IoT) is a network that can realize the interconnection of any object anytime, anywhere. With the popularization of IoT smart devices, IoT plays an increasingly important role in life [1]. The IoT has a wide range of applications in infrastructure fields such as smart cities, smart malls, smart transportation, smart medical care, and smart logistics [2,3,4]. However, there may be attacks by malicious adversaries in the process of transmitting information between the devices and the servers [5]. Therefore, one of the foundations for building security services is authentication and session key agreement between IoT devices and servers. Many protocols for securing communication between IoT devices and cloud servers have been proposed.

Khelf et al. [6] proposed an IoT-oriented AKA micro-protocol to solve the security problem in wireless sensors, which could resist various types of attacks while reducing the computational cost. Qi et al. [7] proposed a two-factor AKA protocol based on elliptic curve cryptography for wireless sensor networks in the context IoT, and through heuristic security analysis showed that the protocol could resist various known attacks. Peng et al. [8] proposed an efficient protocol for IoT devices, which avoided the pairing operation of the client through an unbalanced computation method and proved the security of the protocol. Recently, Rostampour et al. [9] proposed an AKA protocol between IoT edge devices and cloud servers based on elliptic curve cryptography. Iqbal et al. [10] proved that the protocol proposed by Rostampour et al. was insecure under the eCK model, then they proposed a new AKA protocol called ITGR protocol below, at the same time, they used Scyther tool and BAN logic to prove that the protocol was secure under the eCK model. However, in this paper, we prove that the ITGR protocol cannot resist the ephemeral key leakage attack and key compromise impersonation attack, then we propose a new AKA protocol between IoT devices and cloud servers based on the ITGR protocol, called eITGR protocol. Finally, we prove that our protocol is secure under the eCK model.

1.2 Contribution

The contribution of this paper consists of the following four parts:

1. (i)

   This paper analyzes the ITGR protocol between IoT devices and cloud servers based on elliptic curve cryptography, and points out that it cannot resist ephemeral key leakage attack and key compromise impersonation attack.

2. (ii)

   A new AKA protocol between IoT devices and cloud servers is proposed, which makes up for the security defects of the ITGR protocol.

3. (iii)

   Use the security proof to prove that the eITGR protocol is secure under the eCK model, and confirm it through the Scyther tool.

4. (iv)

   By comparing the security properties and communication consumption of eITGR and similar protocols, the advantages of the eITGR protocol in terms of security and communication efficiency are shown.

1.3 Organization

The content of this paper is arranged as follows. Section 1 introduces the development status of the IoT, the research status of AKA protocol at home and abroad, and briefly introduces the research content and structure of this paper. Section 2 presents the basics of mathematics and cryptography applied during protocol design and analysis. A review of the ITGR protocol and analysis of security flaws are in Sect. 3. Section 4 proposes a new AKA protocol in the IoT environment, and its formal security proof, security analysis using Scyther tool and security properties analysis are shown in Sect. 5. The security properties, computation and communication cost of the protocol proposed in this paper and other similar protocols are compared in Sect. 6. Conclusion is given in Sect. 7.

2 Preliminaries and Security Model

The notations used in the paper are shown in Table 1.

Table 1. Notations used in the paper.

2.1 Computationally Difficult Problems

1. (i)

   Elliptic Curve Discrete Logarithm Problem (ECDL): Let E be an elliptic curve on a finite field F. G is a cyclic subgroup of E with order q, and P is a generator of G. If the \(P, Q\in G\) are known, it is hard to find \(a\in Z_q^*\) satisfying \(aP=Q\).

2. (ii)

   Elliptic Curve Computational Diffie-Hellman Problem (ECCDH): Let the generator of prime order cyclic group G be P, and for \(a_1,a_2\in Z_q^*\), when \(P,a_1P,a_2P\) are known, it is hard to calculate \(a_1a_2P\in G\).

2.2 Security Model

In 2007, LaMacchia et al. [11] proposed a new security model, which gave the adversary stronger attack capabilities based on the CK model [12], referred to as the eCK model. Let \(\{P_1,P_2,\cdots ,P_n\}\) denote the set of all participants, \(sid=(P_i,P_j,m_1,m_2,\cdots ,m_l)\) is the symbol of the session, where participant \(P_i\) is the initiator of the session, and participant \(P_j\) is the responder of the session, \(m_1,m_2,\cdots ,m_l\) representing the message sent between the participants of the session. Let \(\prod _{i,j}^{sid}\) be the sid session between participant \(P_i\) and \(P_j\). The adversary’s attack capabilities such as eavesdropping, tampering, and replay in the eCK model are reflected through the following query methods:

1. (i)

   StaticKeyReveal\((P_i)\) query: The adversary can obtain the long-term private key of the participant \(P_i\) through this query.

2. (ii)

   EphemeralKeyReveal\((P_i,sid)\) query: The adversary can obtain the ephemeral key of participant \(P_i\) in session sid through this query.

3. (iii)

   SessionKeyReveal(sid) query: The adversary obtains the session key generated in session sid through the query.

4. (iv)

   Send(sid, m) query: Through this query, the adversary can send message m to the session identified as sid, and get the corresponding reply according to the provisions of the protocol.

5. (v)

   Test(sid) query: The adversary can only interrogate the fresh session sid, which simulates a random coin tossing algorithm and makes corresponding answers according to the coin toss results. If the coin toss results \(b=1\), the oracle returns the real session key; if the coin toss results \(b=0\), the oracle returns a random value with the same distribution as the session key.

Definition 1

If both sessions \(\prod _{i,j}^{sid}\) and \(\prod _{i,j}^{sid^*}\) are run successfully, the generated session keys are equal, and the session identifiers sid and \(sid^*\) are the same, then the two sessions are called matching sessions.

Definition 2

Let the session run by users \(P_i\) and \(P_j\) be \(\prod _{i,j}^{sid}\), and the session is called fresh if none of the following conditions hold:

1. (i)

   The adversary has interrogated session \(\prod _{i,j}^{sid}\) or matching session \(\prod _{j,i}^{sid}\) (if exists) for SessionKeyReveal(sid) query;

2. (ii)

   If the matching session \(\prod _{j,i}^{sid}\) of session \(\prod _{i,j}^{sid}\) exists, the adversary has performed EphemeralKeyReveal\((P_i,sid)\) and StaticKeyReveal\((P_i)\) queries at the same time, or performed both EphemeralKeyReveal\((P_j,sid)\) and StaticKeyReveal\((P_j)\) queries;

3. (iii)

   If there is no matching session for session \(\prod _{i,j}^{sid}\), the adversary has performed EphemeralKeyReveal\((P_i,sid)\) and StaticKeyReveal\((P_i)\) queries at the same time, or performed a StaticKeyReveal\((P_j)\) query.

Definition 3

Let k be a security parameter, if the probability of the adversary \(\mathcal {A}\) winning the game is Pr, then the adversary’s winning advantage can be defined as:

$$\begin{aligned} Adv(k)=|Pr-\frac{1}{2}|. \end{aligned}$$

(1)

If two honest participants complete the matching session and calculate the same key, and there is no adversary to win the security game with a non-negligible advantage, then the AKA protocol is secure under the eCK model.

3 Review and Security Analysis of ITGR Protocol

In this section, we review the ITGR protocol [10] and analyze the security properties of the protocol.

3.1 Review of ITGR Protocol

There are two types of participants in the ITGR protocol [10], namely IoT device U and server S. At the same time, the protocol consists of the following two phases: registration phase, and login and authentication phase.

Registration Phase. The registration steps are given as follows:

1. (i)

   Device U selects random number \(x_u\in Z_q^*\) and its identity \(ID_u\). Then U computes \(R_u=x_u\cdot ID_u\cdot P\) and sends it to the server.

2. (ii)

   Server S receives the \(R_u\) and splits its private key \(x_s\) into two unequal parts \(x_s^1\), \(x_s^2\) such as \(x_s^1\not =x_s^2\), then server calculates \(Y_u^1=R_ux_s^1\), \(Y_u^2=R_ux_s^2\). The server sends \(\{Y_u^1,Y_u^2\}\) to U and stores \((R_u,Y_u^1,Y_u^2)\) in its database.

3. (iii)

   The device receives \(\{Y_u^1,Y_u^2\}\) from server and stores \((R_u,Y_u^1,Y_u^2)\) as its long-term private key securely.

Login and Authentication Phase. The steps of the login and authentication process between device U and server S are given as follows:

1. (i)

   Device U chooses its ephemeral key \(t_u\in Z_q^*\) and computes \(X_u=(Y_u^1+Y_u^2)\cdot t_u\cdot H(R_u)\), \(T_u=(Y_u^1+Y_u^2)\cdot t_u\), then U sends \(\{X_u,T_u\}\) to the server.

2. (ii)

   Server S receives \(\{X_u,T_u\}\) and checks whether \(T_u \overset{?}{=}\ X_u[H(R_u)]^{-1}\) to authenticate U. If true, the device U passes the identity authentication of server; else, login request from U is rejected.

3. (iii)

   The server S selects \(t_s\in Z_q^*\) and computes \(X_s=X_ut_s\), \(T_s=(Y_u^1+Y_u^2)\cdot t_s\), then S calculates its session key with U as \(SK_{su}=T_ut_s\) and sends \(\{X_s,T_s\}\) to the device U.

4. (iv)

   The device U receives \(\{X_s,T_s\}\) from server S and checks whether \(T_s \overset{?}{=}\ X_s[H(R_u)]^{-1}t_u^{-1}\) to authenticate S. If true, the server S passes the identity authentication of device; else, login response from S is rejected.

5. (v)

   The device U calculates its session key with S as \(SK_{us}=T_st_u\), then encrypts \(E_{SK_{us}}[H(SK_{us})]\) and sends it to the server S.

6. (vi)

   The server S receives \(E_{SK_{us}}[H(SK_{us})]\) and checks whether \(H(SK_{su})\overset{?}{=}D_{SK_{su}}[E_{SK_{us}}[H(SK_{us})]]\) to authenticate U and approve login request. If true, the session key exchange between U and S is over; else, the session key is invalid.

3.2 Security Analysis of ITGR Protocol

In this subsection, we prove that the ITGR protocol is susceptible to ephemeral key leakage attack and key compromise impersonation attack, and give specific attack methods.

Ephemeral Key Leakage Attack. If the ephemeral private key \(t_s\) of the server or the ephemeral private key \(t_u\) of the device is obtained by the adversary, then the adversary can calculate the session key by using the monitored transmission information. The specific steps are described as below:

If the adversary obtains the ephemeral private key \(t_s\) of the server S, and obtains \(T_u\) by monitoring the communication between the device and the server in public channel, then the adversary calculates \(SK_{su}=T_ut_s\), and verify the session key by judging \(H(SK_{su})\overset{?}{=}D_{SK_{su}}[E_{SK_{us}}[H(SK_{us})]]\).

If the adversary obtains the ephemeral private key \(t_u\) of the device U, and obtains \(T_s\) by monitoring the communication between the device and the server in public channel, then the adversary calculate \(SK_{us}=T_st_u\), and verify the session key by judgment \(H(SK_{us})\overset{?}{=}D_{SK_{us}}[E_{SK_{us}}[H(SK_{us})]]\).

Key Compromise Impersonation Attack. The registration information of each device is stored in the server, and the server is at risk of being attacked by an adversary, so \((R_u,Y_u^1,Y_u^2)\) may be obtained by an adversary. If the adversary obtains the secret \((R_u,Y_u^1,Y_u^2)\) of the device U, then the adversary can deceive the device by pretending to be a legitimate server in front of the device, and generate the session key with device through the AKA process. The specific attack steps are described as below:

1. (i)

   The adversary \(\mathcal {A}\) receives \(\{X_u,T_u\}\) from device U and checks whether \(T_u \overset{?}{=}\ X_u[H(R_u)]^{-1}\) to authenticate U. If true, the device U passes the identity authentication of adversary \(\mathcal {A}\); else, login request from U is rejected.

2. (ii)

   The adversary \(\mathcal {A}\) selects \(t_s'\in Z_q^*\) and computes \(X_s'=X_ut_s'\), \(T_s'=(Y_u^1+Y_u^2)\cdot t_s'\), then \(\mathcal {A}\) calculates its session key with U as \(SK'_{su}=T_ut_s'\) and sends \(\{X_s',T_s'\}\) to the device U.

3. (iii)

   The device U receives \(\{X_s',T_s'\}\) from adversary \(\mathcal {A}\) and checks whether \(T_s' \overset{?}{=}\ X_s'\cdot [H(R_u)]^{-1}t_u^{-1}\). If true, the adversary \(\mathcal {A}\) passes the identity authentication of device U; else, login response from \(\mathcal {A}\) is rejected.

4. (iv)

   The device U calculates its session key as \(SK'_{us}=T_s't_u\), then encrypts \(E_{SK'_{us}}[H(SK'_{us})]\) and sends it to the adversary \(\mathcal {A}\).

5. (v)

   The adversary \(\mathcal {A}\) receives \(E_{SK'_{us}}[H(SK'_{us})]\) from U and checks whether \(H(SK'_{su})\overset{?}{=}D_{SK'_{su}}[E_{SK'_{us}}[H(SK'_{us})]]\) to authenticate U and approve login request. If true, the session key negotiation between U and \(\mathcal {A}\) is over; else, the session key is invalid.

Since the session key calculated by adversary \(\mathcal {A}\) and device U is equal, the session key negotiation is completed.

4 Proposed Scheme

The ITGR protocol cannot resist key compromise impersonation attack and ephemeral key leakage attack, so this paper proposes a new AKA protocol called eITGR protocol which makes up for the defects of ITGR protocol. The proposed protocol consists of three phases: system establishment phase, registration phase, and login and authentication phase.

4.1 System Establishment Phase

The server S establishes an elliptic curve \(E(a,b): y^2=x^3+ax+b\) on the finite field F, where G is a cyclic subgroup of E with order q, and P is a generator of G. Then the S selects three hash functions \(H_1:\{0,1\}^*\times G\rightarrow Z_q^*\), \(H_2:\{0,1\}^*\times G\times G\times \{0,1\}^*\rightarrow G\), \(H_3:\{0,1\}^*\times Z_q^*\rightarrow Z_q^*\).

4.2 Registration Phase

The registration phase is when the IoT device registers on the server in the secure communication environment, and generates a private key for communication between the two parties. The registration steps between device U and server S are as follows:

1. (i)

   Device U selects random number \(x_u\in Z_q^*\) and its identity \(ID_u\). Then U computes \(X_u=x_uP, R_u=H_1(ID_u\Vert X_u)\cdot P\) and sends \(\{ID_u,R_u\}\) to the server.

2. (ii)

   Server S receives the \(\{ID_u,R_u\}\) from U and splits its private key \(x_s\) into two unequal parts \(x_s^1,x_s^2\) such as \(x_s^1\not =x_s^2\), then server S calculates \(y_u=x_s^1+x_s^2\cdot H_1(ID_u\Vert R_u)\), \(Y_u=y_uP\). The server S sends \(Y_u\) to U and stores \((ID_u,R_u,y_u)\) in its database.

3. (iii)

   The device receives \(Y_u\) from server and stores \((x_u,R_u,Y_u)\) as its long-term private key securely.

4.3 Login and Authentication Phase

The login and authentication process between device U and server S is as follows:

1. (i)

   The device U chooses its ephemeral key \(t_u\in Z_q^*\) and timestamp T, computes \(T_u=t_uP\), \(H_u=H_2(ID_u\Vert R_u\Vert T_u\Vert T)\), then U sends \(\{ID_u,H_u,T_u,T\}\) to the server S.

2. (ii)

   After receiving the message \(\{ID_u,H_u,T_u,T\}\), the server S first verifies the freshness of the timestamp T, then uses \(ID_u\) to find the corresponding entry \((ID_u,R_u,y_u)\) in its database, After this server S uses the stored data to calculate \(H_s=H_2(ID_u\Vert R_u\Vert T_u\Vert T)\), \(X_u=H_u-H_s\) and checks whether \(R_u \overset{?}{=}\ H_1(ID_u\Vert X_u)\cdot P\) to authenticate U. If true, the device U passes the identity authentication of server; else, login request from U is rejected.

3. (iii)

   The server S selects \(t_s\in Z_q^*\) and computes \(T_s=t_sP\), then S calculates \(K_s=(t_s+y_u+H_1(ID_u\Vert X_u))(T_u+X_u)\) and its session key with U as \(SK_{su}=H_1(ID_u\Vert K_s)\), \(Q_s=H_3(ID_u\Vert SK_{su})\), and sends \(\{T_s,Q_s\}\) to the device U.

4. (iv)

   The device U receives \(\{T_s,Q_s\}\) from S, calculates \(K_u=(t_u+x_u)(T_s+Y_u+R_u)\) and its session key with S as \(SK_{us}=H_1(ID_u\Vert K_u)\), then checks whether \(Q_s \overset{?}{=} H_3(ID_u\Vert SK_{us})\) to authenticate S. If true, the server S passes the identity authentication of device and the session key exchange between U and S is over; else, the session key is invalid.

The login and authentication phase is given in Fig. 1.

Fig. 1.

Login and authentication phase of eITGR.

5 Security Analysis of eITGR Protocol

In this section, we present two proof methods for the eITGR protocol. First, we prove that the eITGR protocol is secure under the eCK model, then we use the Scyther tool to verify the security of the protocol.

5.1 Security Proof Under the eCK Model

We will prove that the protocol is secure under the eCK model [11] below.

Theorem 1

The eITGR protocol satisfies eCK security if the ECCDH assumption holds on group G and \(H_1, H_2, H_3\) are modeled by independent random oracles.

Proof

Let the adversary \(\mathcal {A}\) activates at most n(k) honest parties and s(k) sessions. The session key generated by the protocol is \(SK=H_1(ID_u\Vert K)\) and \(H_1\) is simulated as a random oracle, so the adversary has only three ways to distinguish the session key from the random value:

1. (i)

   Guessing attack: The adversary guesses the session key correctly.

2. (ii)

   Session key replication attack: The adversary establishes a session that does not match the test session but has the same session key. The adversary obtains the session key of the test session by querying the session key of the established session.

3. (iii)

   Forgery attack: The adversary \(\mathcal {A}\) queries random oracle \(H_1\) with the same secret value as that used to generate the test session key, and obtains the session key.

Since \(H_1\) is a random oracle that obeys a uniform distribution, the probability \(O(1/2^k)\) of the adversary guessing the correct key can be ignored. The two unmatched sessions cannot have the same session participant and ephemeral key, So the success probability of the session key replication attack is equivalent to find a collision of \(H_1\), and the probability that two random oracles collide is \(O(s(k)^2/2^k)\). Therefore, guessing attacks and session key replication attacks can be ignored, and only forgery attacks are considered below. Next, we show that if the adversary \(\mathcal {A}\) wins the game by a non-negligible advantage, then the algorithm \(\mathcal {S}\) can be constructed to solve the ECCDH problem with non-negligible probability. The algorithm \(\mathcal {S}\) selects \(A, B\in G\) where \(A=aP\), \(B=bP\), \(a, b\in Z_q^*\), and sends the parameters \((G, q, P, H_1, H_2, H_3)\) to \(\mathcal {A}\). Then, algorithm \(\mathcal {S}\) guesses that the adversary selects the session marked with sid as the test session, \(S_a\) and \(U_b\) are the owners of the test session and its matching session respectively with at least \(1/n(k)^2s(k)\) probability. Consider the following two cases according to the definition of session freshness:

1. (1)

   Case 1: The matching session of the test session exists, and the owner of the matching session is an honest participant;

2. (2)

   Case 2:No honest party owns a matching session for the test session.

Case 1 can be divided into the following four sub-cases:

1. (1)

   Case 1.1: The adversary performs the StaticKeyReveal(C) query on the test session and its matching session. Algorithm \(\mathcal {S}\) sets A and B as the ephemeral public keys for participants \(S_a\) and \(U_b\), and algorithm \(\mathcal {S}\) assigns the long-time public-private key pair normally. Since algorithm \(\mathcal {S}\) knows the long-term private keys of all participants, when queried by an adversary, algorithm \(\mathcal {S}\) can answer truthfully according to the query ability in the model. When the adversary queries information about participants \(S_a\) and \(U_b\), the algorithm \(\mathcal {S}\) replies to the adversary as follows:

   1. (i)

      StaticKeyReveal(C) query: The algorithm \(\mathcal {S}\) provides the adversary with the long-term private key of participant C generated in the above simulation.

   2. (ii)

      EphemeralKeyReveal(C, sid) query: If C is participant \(S_a\) or \(U_b\), then algorithm \(\mathcal {S}\) abandons the simulation, otherwise algorithm \(\mathcal {S}\) returns the ephemeral key for party C in session sid.

   3. (iii)

      Test(sid) query: If sid is not the test session, the simulation fails, otherwise, algorithm \(\mathcal {S}\) returns a random value with the same distribution as the session key.

   4. (iv)

      SessionKeyReveal(sid) query: If sid is a test session or its matching session, the simulation fails, otherwise set the session as \(sid=(ID_s, ID_u, H_u, T_u, T_s, Q_s, T)\), then calculate the session key as \(SK=H_1(ID_u\Vert K)\), where the input of K is as follows

      $$\begin{aligned} K=ECCDH(T_u+X_u, T_s+Y_u+R_u). \end{aligned}$$

      (2)

   Algorithm \(\mathcal {S}\) queries whether the random oracle \(H_1\) has been queried. If it has been queried, it outputs the correct session key; otherwise, it outputs a random value with the same distribution as the session key. Therefore, the algorithm \(\mathcal {S}\) successfully simulates the environment in which the adversary \(\mathcal {A}\) runs the protocol. If the adversary wins the forgery attack, then it must obtain the session key by querying, and the algorithm \(\mathcal {S}\) must be able to solve the problem of ECCDH(A, B). In addition to, the only consideration is that the adversary solves the ECDL problem in time t while setting its advantage to be \(Adv_G^{ECDL}(k,t)\). Let \(p_1\) be the probability that the Case 1.1 occurs and the adversary succeeds through the forgery attack, so the advantages of simulating algorithm \(\mathcal {S}\) to solve the ECCDH problem are as follows

   $$\begin{aligned} Adv_G^{ECCDH}(k,t)\ge \frac{p_1}{n(k)^2s(k)}-Adv_G^{ECDL}(k,t). \end{aligned}$$

   (3)
2. (2)

   Case 1.2: The adversary performs the StaticKeyReveal(C) query on the test session and EphemeralKeyReveal(C, sid) query on its matching session. Algorithm \(\mathcal {S}\) sets A as the ephemeral public key of participant \(S_a\), replaces \(X_u\) with B for participant \(U_b\), and assigns a public-private key pair normally for the remaining participants. Then the algorithm \(\mathcal {S}\) simulates the operating environment of the protocol, which is the same as in Case 1.1 except for the following query:

   1. (i)

      StaticKeyReveal(C) query: If C is participant \(U_b\), then algorithm \(\mathcal {S}\) abandons the simulation; otherwise, algorithm \(\mathcal {S}\) provides the adversary with the long-term private key of party C generated in the above simulation.

   2. (ii)

      EphemeralKeyReveal(C, sid) query: If C is participant \(S_a\), then algorithm \(\mathcal {S}\) abandons the simulation; otherwise, algorithm \(\mathcal {S}\) provides the adversary with the ephemeral key of participant C generated in the above simulation.

   Let \(p_2\) be the probability that the case 1.2 occurs and the adversary succeeds through the forgery attack, so the advantages of simulating algorithm \(\mathcal {S}\) to solve the ECCDH problem are as follows

   $$\begin{aligned} Adv_G^{ECCDH}(k,t)\ge \frac{p_2}{n(k)^2s(k)}-Adv_G^{ECDL}(k,t). \end{aligned}$$

   (4)
3. (3)

   Case 1.3: The adversary performs the EphemeralKeyReveal(C, sid) query on the test session and StaticKeyReveal(C) query on its matching session. Algorithm \(\mathcal {S}\) sets B as the ephemeral public key of participant \(U_b\), replaces \(Y_u\) with A for participant \(S_a\). Swap \(S_a\) and \(U_b\), the rest is the same as case 1.2. Let \(p_3\) be the probability that the case 1.3 occurs and the adversary succeeds through the forgery attack, so the advantages of simulating algorithm \(\mathcal {S}\) to solve the ECCDH problem are as follows

   $$\begin{aligned} Adv_G^{ECCDH}(k,t)\ge \frac{p_3}{n(k)^2s(k)}-Adv_G^{ECDL}(k,t). \end{aligned}$$

   (5)
4. (4)

   Case 1.4: The adversary performs the EphemeralKeyReveal(C, sid) query on the test session and its matching session. Algorithm \(\mathcal {S}\) replaces \(X_u\) with A and \(Y_u\) with B for participants \(S_a\) and \(U_b\), computes \(R_u=H_1(ID_u\Vert X_u)\cdot P\) and for the remaining \(n(k)-2\) participants, algorithm \(\mathcal {S}\) assigns the public-private key pair normally. Then the algorithm \(\mathcal {S}\) simulates the operating environment of the protocol, which is the same as in case 1.1 except for the following query:

   1. (i)

      StaticKeyReveal(C) query: If C is participant \(S_a\) or \(U_b\), then algorithm \(\mathcal {S}\) abandons the simulation; otherwise, algorithm \(\mathcal {S}\) returns the long-term private key for party C in session sid.

   2. (ii)

      EphemeralKeyReveal(C, sid) query: The algorithm \(\mathcal {S}\) provides the adversary with the ephemeral key of participant C generated in the above simulation.

   Let \(p_4\) be the probability that the case 1.4 occurs and the adversary succeeds through the forgery attack, so the advantages of simulating algorithm \(\mathcal {S}\) to solve the ECCDH problem are as follows

   $$\begin{aligned} Adv_G^{ECCDH}(k,t)\ge \frac{p_4}{n(k)^2s(k)}-Adv_G^{ECDL}(k,t). \end{aligned}$$

   (6)

Case 2 can be divided into the following two sub-cases:

1. (1)

   Case 2.1: The adversary performs the EphemeralKeyReveal(C, sid) query on the test session. Since no honest participant participates in the matching session of the test session, it is equivalent that the adversary also obtains the ephemeral key of the intended communicating party, so it is similar with case 1.4.

2. (2)

   Case 2.2: The adversary performs the StaticKeyReveal(C) query on the test. Since no honest participant participates in the matching session of the test session, it is equivalent to the adversary also obtaining the ephemeral key of the intended communicating party, so it is similar with case 1.2.

In summary, if the adversary successfully distinguishes the session key from the random value with a non-negligible advantage, there is an algorithm \(\mathcal {S}\) that solves the ECCDH problem with a non-negligible probability, which contradicts the ECCDH assumption. Therefore, the eITGR protocol given in this paper satisfies the security properties under the eCK model. \(\square \)

5.2 Security Analysis Using Scyther Tool

Cremers and his team [13] developed the Scyther tool in 2006 for formal analysis of protocols. This paper uses Scyther tool to formally analyze the eITGR protocol, and the setting used is presented in Fig. 2 to achieve highly strong security, including perfect forward security and resistance to ephemeral key leakage attack. According to the analysis result in Fig. 3, we point out that the eITGR protocol is secure under the eCK model, which is consistent with the security proof result in Sect. 5.1.

6 Comparison with Other Protocols

In this section, we compare the security properties, computation cost, and communication overhead of the eITGR protocol with several similar protocols. The protocols involved in the comparison include Rostampour et al.’s protocol [9], ITGR [10], Hassan et al.’s protocol [14], Zhang et al.’s protocol [15] and Zhou et al.’s protocol [16].

6.1 Comparison of Security Properties

Table 2. Comparison of security properties.

The security properties of several recently proposed protocols are shown in Table 2, where SP1 refers to known key security, SP2 refers to forward security, SP3 represents resistance to key compromise impersonation attack, SP4 represents resistance to ephemeral key compromise impersonation attack, and SP5 represents resistance to ephemeral key leakage attack, respectively. Simultaneously, Y refers to the scheme achieves this security property and N refers to the scheme does not achieve this security property. According to Table 2, the above-mentioned comparison protocols all have some security flaws. However, the protocol presented in this paper satisfies the above five security properties and is secure under the eCK model.

Fig. 2.

The setting of Scyther.

Fig. 3.

Scyther verification results of the eITGR.

6.2 Computation and Communication Overhead Comparison

Computation efficiency and transmission consumption are important indicators to measure the communication performance of the protocol. In this section, we use \(T_b\) to denote the computation time of the bilinear map, \(T_m\) to represent the time of performing an scalar multiplication operation, \(T_a\) to represent the time of performing a point addition in elliptic curve group, \(T_i\) to represent the time of performing a multiplicative inverse operation and \(T_h\) to represent the time of performing a hash function. Due to the relatively short operation time of XOR, integer addition and multiplication, they are ignored in this paper. The device computing cost and the total computing cost of each protocol are shown in the Table 3. It can be seen from Table 3 that our proposed protocol requires less computation on the device and greatly improves the computing efficiency on the device.

Table 3. Comparison of computation and communication cost.

In order to avoid the difference of computing efficiency in different environments, this paper uses the Miracl function library in the C language environment [17]. According to the operation time in Table 4, the device running time and the total running time of the above protocols in the login and authentication phase are compared as shown in Fig. 4, where the abscissa is the protocol type, and the ordinate represents the time in milliseconds. It can be seen from Fig. 4 that the computing time on the device and total computing time of the eITGR protocol we propose is short, which greatly improves the practicability of the protocol in the IoT environment.

Table 4. Running time of various operations.

The more data transmitted during the protocol operation, the more communication overhead. This paper compares the communication efficiency by comparing the amount of data that needs to be transmitted during the operation of different protocols. Table 3 shows the communication transmission data during the operation of each protocol. In order to compare the data transmission efficiency intuitively during the operation of the protocol, we set the parameter lengths as \(|ID|=10\) bytes, \(|Z^*_q|=20\) bytes, \(|G|=40\) bytes, timestamp \(|T|=8\) bytes and \(|E_{SK}[H(SK)]|=25\) bytes. The comparison of the amount of data transmitted by each protocol is shown in Fig. 5, where the abscissa represents the type of protocol, and the ordinate represents the amount of transmitted data in bytes.

Fig. 4.

Comparison of computation time.

Fig. 5.

Comparison of communication time.

In summary, in the case of more perfect security performance, the computation and communication overhead of the eITGR protocol proposed in this paper is relatively low, therefore, the eITGR protocol achieves a balance between security and communication efficiency.

7 Conclusion

With the wide application of IoT technology in life, the security of data transmission and identity authentication between devices and servers in the IoT has attracted much attention. This paper analyzes that the ITGR protocol is vulnerable to ephemeral key leakage attack and key compromise impersonation attack, so an AKA protocol suitable for the IoT environment is proposed. Our protocol is proven to be secure under the eCK model based on the ECCDH assumption, and then the security of the protocol is verified using Scyther tool. Finally, we compare the proposed protocol with similar protocols in terms of security properties and communication cost in the same environment, the analysis results show that our protocol is secure and efficient. In future work, we will consider how to design a secure and efficient group authenticated key agreement protocol for IoT and cloud server.