Table 2.
Ref# | IoT Layer | Identity Context Credentials | Token Based? | Proc. | Arch. | HW. | Strength(+)/Weakness(−) |
---|---|---|---|---|---|---|---|
[145] | A | Encryption | x | 2 | C/H | I | +Encapsulation is used to efficiently benefit from resources. |
[69] | A + N | Encryption/RSA | x/DTLS | 2 | C/H | I | +Low overhead regarding computation and communication and high interoperability −Unreliability due to the use of UDP over DTLS leads to |
[108] | P | Encryption/Symmetric asynchronous One Time Password (OTP) | x/TLS | 2 | C/H | I | +Resistance to some DoS and replay attacks. −Performance analysis is not considered. |
[109] | N | Encryption/Symmetric | ✓(NodeID, Indices of space, and Seed) | 3 | D/H | I | +Resistance to node capture attack −Energy cost is not efficient. |
[110] | N | Encryption/Symmetric | ✓(polynomialID) | 3 | D/H | I | +Resistance to node capture attack +Efficient with respect to communication overhead −No consideration to location privacy. |
[143] | A + N | Encryption/Asymmetric | ✓(Information) | 2 | D/H | I | +Resistance to Malicious entity by using PKI −Performance analysis is not considered |
[144] | A + N | Encryption/Asymmetric | ✓(FormId) | 2 | C/H | I | +Compatibility problems are solved −Performance analysis is not considered. |
[153] | A + N + P | Encryption/Symmetric | ✓(IP/EPC) | 2 | C/F | I | +Resilience to attacks, access control, client privacy and data confidentiality |
[83] | N + P | Encryption/Symmetric using XOR | ✓(SpecificId) | 2 | C/F | I | +Authentication of RFID tags with readers −No consideration of location privacy. |
[119] | N + P | Encryption/Symmetric + Hash + Credit card as context | ✓(Nonce) | 2 | C/H | E | +Resistance to Man-in-the-Middle, Impersonation, Replay, Privileged insider attacks, Stolen smart card, Smart card breach attacks, etc. −Communication cost is not efficient. |
[120] | N + P | Encryption/Asymmetric using ECC | ✓(Identity, Elliptic curve function, and parameters) | 2 | C/H | I | +Resistance to Eavesdropping, DoS, Node capture, Replay and MITM attack −Attribute-based access control should be discussed in a detailed manner. |
[113] | A + N + P | Encryption/Asymmetric using RSA and ECC | x/DTLS | 2 | C/F | I | +Performance measurement is considered. +Resistance to MITM attack. −DoS and Replay attacks are not considered. |
[114] | A + N + P | Encryption/Asymmetric using ECC | ✓(Identity) | 2 | D/F | I | +Resistance to malicious users and DoS attacks. −Not Efficient regarding the storage of the certificate. −Vulnerable to node capturing attack |
[65,66] | A | N/A | ✓(OAuth2.0) | 1 | C/H | I | +Resistance to Impersonation and Replay attacks −No performance analysis is done. |
[141] | A | Encryption: registered user with AES and non-registered users using Diffie–Hellman | x (username + password) | 1 | C/F | I | +Two separate servers for storing cryptography and authentication data, +Resistance to brute force, timing, and MITM −No performance analysis is done. |
[82] | P | Encryption/Symmetric using AES | ✓ | 2 | C/H | I | +Resistance to split attacks (i.e., swapping tags, separating tag from product, etc.) −No analysis is done for location privacy. |
[162] | A | No Encryption/Hash | ✓ | 1 | D/F | I | +Resistance to MITM, replay, DoS, and Eavesdropping attacks. −Storage cost is not efficient |
[140] | A | Context/multiple credentials using physical context | x (User name + password) | Multiple authentication | D/H | I | +Resistance to replay attack −DoS attack is not considered |
[142] | A | No Encryption/Hash 256 bits + context bio-metric | ✓(User Identity) | 2 | D/F | E | +Second-tier authentication is done at client side. +Resistance to attacks from inside the system. −No ability to change credentials in both the tiers. |
[121] | A | Encryption/Asymmetric using ECC | ✓(UserId) | 2 | D/F | I | +Resistance to MITM and DoS attacks. −User must be authenticated many times in Multi-server environment. |
[79] | A | Encryption/RSA + Hash SHA or MD5 | x | 2 | C/H | I | +Filtering of the messages at gateway +Privacy preservation is considered +Resistance to Brute force, DoS, and Replay attacks −DDoS is not considered. |
[77] | A + N | Encryption/RSA + AES | x | 2 | D/F | I | +Resistance to Modification, Replay, and Message analysis attacks −No analysis done for location privacy |
[111] | A + N | Encryption/Symmetric + Hashing | ✓ + x | 2 | C/F | I | +Resistance to Replay, Impersonation, Spoofing, and Gateway attacks. −Blackhole and Wormhole attacks are not studied |
[135] | A + N + P | Encryption/Symmetric | ✓(Identity) | 2 | C/F | I | +Resistance to MITM and DoS attack −Identity and Location privacy is not considered |
[130] | A + N + P | Encryption/Asymmetric using ECC | ✓(Identity) | 3 | C/F | I | +Resistance to redirection, malicious, DoS, and MITM attacks. −Location and Identity privacy is not analyzed and cannot authenticate a group of machines at the same time |
[129] | N + P | Encryption/Asymmetric | ✓(Identity) | 2 | C/F | I | +Location privacy is analyzed +Low communication and computational cost. |
[131] | N + P | Encryption/Asymmetric using ECC + Hashing | ✓(Identity) | 2 | C/F | I | +Group of end devices is authenticated at the same time −Location and Identity privacy are not analyzed and resistance to attacks are not studied |
[136] | N + P | N/A | ✓(audio samples as an identity) | 2 | D/H | I | +Low error rate and resistance to audio replay, changing distance, and same type device attacks. −Location privacy is not analyzed |
[115] | N + P | Encryption/Symmetric + Hashing + Asymmetric using ECC | ✓(Elliptic curve function) | 2 | C/F | I | +Privacy preservation is considered −Threat and attacks are not considered |
[104] | A + N + P | Encryption/Symmetric(AES) + Hashing | ✓(user Identity) | 2 | C/F | I | +Resistance to guessing, impersonation, and replay attacks −Privacy preservation is not considered |
[128] | N + P | Encryption/Symmetric + Asymmetric using Hybrid Linear Combination Encryption (HLCE) | ✓(user Identity) | 2 | C/F | I | +Resistance to DoS and impersonation, considers data integrity and ensures user privacy −Location privacy is not analyzed. |
[132] | P | N/A | ✓(writing process) | 2 | C/H | I | +Improve security without adding any extra hardware −No analysis for threats and attacks is done. |
[102] | A + N + P | Encryption/Symmetric | ✓(user Identity) | 2 | D/H | I | +Less location update. +Uses asymmetric links in VANET. +Resistance to MITM, replay, and DoS attacks −Privacy is not analyzed |
[98,99] | N + P | Encryption/Symmetric + Asymmetric + Hashing | x | 3 | D/H | I | +Computation cost is efficient. +Resistance to the replay attack −No analysis is done to the communication overhead |
[92] | N + P | Encryption/Symmetric + Hashing | x | 2 | C/F | I | +Resistance to DoS attacks and to packet loss +Computation and storage overhead are low −Privacy preservation is not considered |
[93] | N + P | Encryption/Symmetric + Hashing | x | 2 | C/F | I | +Resistance to DoS attacks and to packet loss +Computation and storage overhead are low. −Privacy preservation is not considered |
[101] | N + P | Encryption/Asymmetric using ECC | ✓(cover image) | 2 | C/H | I | +Error rate is considered and analyzed −The size of the cover image should be greater than or equal to the size of the text message. Otherwise, the text message will be truncated −Attack analysis is not considered. |
[94] | N + P | Encryption/Symmetric + Asymmetric + Hashing | ✓(Spanish eID cards) | 2 | C/H | E | +Resistance to replay, DDoS attacks and improve confidentiality and non-repudiation. +Computation and communication overhead is low +Location privacy is considered −Identity privacy is not considered |
[95] | N + P | Encryption/Symmetric(AES) + Asymmetric (DH) + Hashing | ✓(transaction ID) | 2 | C/H | I | +No reliance on third parties for shared key management; instead, a DH-based key exchange mechanism is used. +Resistance to impersonation and MITM attacks. −Identity privacy is not considered |
[96] | N + P | Encryption/Symmetric + Asymmetric + Hashing | ✓(pseudo-identity (PsID)) | 2 | C/H | I | +Provides a node, message authentication, and privacy protection. +Computation and communication overhead is studied. −Identity privacy is not considered |
[97] | N + P | Encryption/Symmetric(AES) + Asymmetric(ECDSA) + Hashing | ✓(pseudo-identity (PsID)) | 2 | C/F | I | +Security and privacy analysis is considered +Computation and communication overhead is considered −Identity privacy is not considered |
[90] | N + P | Encryption/Asymmetric + Hashing | ✓(pseudo-identity (PsID)) | 2 | C/F | I | +Resistance to DoS, Replay, Sybil, and False message attacks. +Consider privacy preservation. −Non-repudiation attack is not considered |
[91] | N + P | Encryption/symmetric + Hashing | ✓(identity) | 2 | C/H | I | +Resistance to Movement tracking, Replay, and Message modification attacks. −Location privacy is not considered |
[100] | N + P | Encryption/Symmetric + Asymmetric + Hashing | No/TLS | 2 | C/F | I | +Resistance to Impersonation and MITM attacks. −Privacy is not considered |
[89] | N + P | Encryption/Symmetric + Asymmetric + Hashing | x | 2 | C/F | I | +Resistance to Substitution attack (a kind of MITM attack). −No evaluation for message delay and verification delay |
[80] | A + N + P | Encryption/Asymmetric + Hashing | x | 2 | C/F | I | +Efficient use of one-way hash +Resistance to message forging attacks +Reduce the storage −Increase the computation overhead although it is balanced between sender and receiver −Privacy is not considered. −Integrity and Confidentiality are not considered. |
[78] | N + P | Encryption/Asymmetric + Hashing | x | 2 | C/F | I | −Increase the computation overhead although it is balanced between sender and receiver −Storage cost is high −The distribution of the public key via secure channel is done before the complete consumption of the hash chains. |
[70] | N + P | Encryption/Symmetric + Asymmetric + Hashing | x | 2 | C/F | I | +Resistance to Message modification attacks, Replay, Message analysis, and message injection attacks. +Efficient with respect to computation and communication overhead. −Most of the routing attacks are not considered. |
[71] | N + P | Encryption/Asymmetric + Hashing | x | 2 | C/F | I | +Computation and communication cost is efficient +Fault tolerance Architecture. −Attacks and threats analysis is not considered. |
[72] | N + P | Encryption/Asymmetric + Hashing | ✓(Node ID) | 3 | C/F | I | +Resistance to DoS, MITM, Brute force and Replay attacks +Secure key management. +Computation and communication cost is efficient. −Confidentiality and Integrity are not considered |
[73] | N + P | Encryption/Asymmetric + Hashing | ✓(Identity) | 2 | C/F | I | +Efficient with respect to the success rate +Identity privacy is considered +Message overhead is low −Routing attacks are not considered −Storage cost is not considered |
[74] | N + P | Encryption/symmetric + Asymmetric + Hashing | x | 2 | C/F | I | +Resistance to Replay, collision, and chosen-plain-text attacks. −Location and Identity privacy is not considered |
[75] | N + P | Encryption/Asymmetric + Hashing | ✓(Entity Id and Serial number) | 2 | C/F | I | +Resistance to Impersonation, Brute force, DoS, MITM, and Replay attacks +Reducing management cost −Storage cost is not considered |
[116] | N + P | Encryption/Asymmetric(chaotic map) + Hashing | ✓(Identity id and password) | 2 | C/H | I | +User is anonymous +Identity privacy is considered +Secure session key +Computation, communication and storage costs are considered −Data integrity is not considered |
[117] | A + N + P | Encryption/symmetric + Asymmetric + Hashing | ✓(Identity) | 2 | D/H | I | +Resistance to Password guessing, Impersonation, Forgery, and Known session-key attacks +Computation cost is considered −Location privacy and communication cost are not considered |
[123] | A + N + P | Encryption/symmetric + Hashing | ✓(Identity id and password) | 2 | C/F | E | +Resistance to Stolen-Verifier, Password guessing, and Impersonation attacks −Sensor node impersonation attack is not considered −Unsafe against attacks by users who have privileges within the system. −No way of changing the password. |
[122] | A + N + P | Encryption/symmetric + Hashing | ✓(smart card and password) | 2 | C/F | E | +Resistance to Replay, Masquerading user, Masquerading gateway, Gateway secret guessing, Password guessing, and Stolen-Verifier attacks +Computation and communication cost is analyzed −Unsafe against privileged insider and off-line password guessing attacks. |
[118] | A + N + P | Encryption/symmetric + Hashing | ✓(Identity Id) | 2 | C/F | I | +Resistance to node capture and key compromise impersonation attack. +Security is achieved even if the smart card is stolen or lost. −Message delay and verification delay is not considered. |
[137] | P | N/A | x | 2 | C/F | I | +Provided a discussion of machine learning attacks and how to deal with it. −Lack of dealing with the variation of environmental conditions |
[103] | P | Encryption/Asymmetric(RSA or ECC) + Hashing | x | 2 | C/F | I | +Resistance to MITM and compromising a device attacks. −Lack of dealing with the variation of environmental conditions |
[138] | P | Encryption/symmetric + Asymmetric + Hashing | x | 2 | C/F | I | +Resistance to machine-learning attacks +Deal with environmental variations by using error correction codes |
[146] | P | Hashing | ✓(User password) | 2 | C/F | I | +Resistance to device cloning or copying −An attacker could fake the user, then ask him for his password −Authentication is done between a server and end device only. |
[134] | P | Encryption/symmetric + Hashing | ✓(One-time alias, identity and nonce) | 2 | C/F | I | +Computation cost is low +Impersonation and Physical attacks are taken into consideration. −No consideration for machine-learning attacks. −No consideration for environmental variations |
[139] | P | Encryption/symmetric + Hashing | x | 2 | C/F | I | +Protect against physical and side channel attacks +Avoid modeling attacks by hiding the CRP data −No consideration for environmental variations |
[105] | P | Encryption/symmetric + Asymmetric + Hashing | ✓(Dynamic Identity) | 2 | C/H | I | +Protect against Impersonation, Physical, and Replay attacks. −No consideration for machine-learning attacks. −No consideration for environmental variations |
[84] | P | Encryption/symmetric + Asymmetric + Hashing | ✓(Identity) | 2 | C/F | E | +Resistance to physical cloning attack. +Resistance to cloning attack based on attacking the communication protocol between the reader and the tag. −No consideration for environmental variations |
[85] | P | Encryption/symmetric + Hashing | ✓(Identity) | 2 | C/H | I | +Deal with environmental variations (noisy system) +Resistance to Physical attacks, DoS attacks, and Forward secrecy. +Efficient in terms of computation and communication cost +Security analysis is done compared to other schemes +Authentication scheme is evaluated using AVISPA tool. −No consideration for machine-learning attacks |
[81] | P | Encryption/symmetric + Hashing | ✓(nonce) | 2 | C/F | I | +Resistance to cloning, replay, back-tracking, and clone attacks. +Efficient in terms of computation −No consideration for environmental variations |
[68] | A + N + P | Encryption/symmetric + Asymmetric + Hashing | ✓(Identity) | 2 | C/F | E | +Resistance to DoS −Large packet header −Large key size of RSA. |
[124] | P | Encryption/symmetric + Asymmetric + Hashing | ✓(Identity + smart card + password) | 2 | C/H | E | +Compared with RSA regarding the encryption and decryption time −No security analysis is done |
[106] | P | Encryption/symmetric + Hashing | ✓(smart device ID) | 2 | C/H | I | +Efficient in terms of computation and communication +Resistance to Replay attacks −No consideration for machine-learning attacks −No consideration for environmental variations |
[147] | A + N + P | Encryption/Asymmetric + symmetric + Hashing | ✓(smart card + ID) | 2 | C/H | E | +Computation and communication +Resistance to replay, impersonation, stolen verifier, DoS, and offline guessing attacks. +Privacy preserving is considered. −Not efficient in terms of computation and communication. |
[125] | A + N + P | Biometric | ✓(physical properties) | 1 | C/H | E | +Easy to use in smart health environments +Cannot be stolen, borrowed, or forgotten. +Resistance to clone and fork attacks. −The uniqueness of behavioral biometric properties is low and its computation cost is high. |
[126] | A + N + P | Encryption/symmetric + Hashing + Biometric | ✓(physical properties, smart card, ID and password) | 2 | C/H | E | +Uses three-factor authentication and privacy preserving is considered. +Resistance to replay, MITM, active, passive, forgery, user traceability +Resistance to clone and fork attacks. +The ability to update the biometric or password. +Scalability is high −No consideration for DoS and DDoS attacks. |
[148] | P | Encryption/Asymmetric | ✓(Nonce) | 2 | C/H | I | +Uses two-factor authentication +Resistance to replay attack −No security analysis is done −No comparison is done with existing authentication schemes. |
[149] | P | Encryption/symmetric | ✓(physical properties) | 2 | C/H | I | +New architecture using PUF +The ability to update the biometric or password. −No consideration for machine-learning attacks −Complex architecture with respect to resource-constrained devices in IoT |
[150] | A + N + P | Encryption/Asymmetric + Hashing | ✓(ID, token) | 2 | C/H | I | +New architecture of using Blockchain in IoT. +Security analysis is done. −The consensus protocol takes about 14 seconds to validate a transaction, which is considered a long period for real-time applications −Using a public blockchain requires a fee to be paid for each transaction, which is considered inefficient. |
[107] | A + N + P | Encryption/symmetric | ✓(ID, token) | 2 | C/H | I | +Resistance to replay, DoS, eavesdropping, and resource exhaustion attacks. +Computation and communication cost is low. −Preshared key should be deployed at the provisioning phase −Privacy preservation is not considered. |
[152] | A + N + P | Encryption/Asymmetric + symmetric + Hashing | ✓(ID) | 2 | D/H | I | +Use of Azure IoT hub cloud infrastructure. +The accuracy of generating X.509 digital certificates for device authentication is increased from 50.9% to 84.7%. −Security analysis is not considered. −No consideration for the scalability requirements of IoT systems while using PKI. |
[151] | A + N + P | Encryption/symmetric + Hashing | ✓(ID, pseudo-identity pair) | 2 | D/H | I | +Computation cost is low at the device side. +Resistance to offline guessing, User tracking, forgery, and insider attacks. −Communication cost is high. −No consideration for DoS and DDoS attacks. −Computation cost at cloud is high. |
[86] | P | physical fingerprint as context | ✓(ID) | 1 | C/F | E | +Two-factors are used for authentication +Quick search of specific book and finding the location by attaching an NFC tag on each book. −Data collected are stored as plain text in the mobile phone. −Computation and communication cost is considered. −No security analysis is done. |
[133] | P | Behavior as context | ✓(ID) | 1 | C/H | I | +Modeling subset of the data to test the results −Restriction of the study to Android platform mobile phones only −Data collected are stored as plain text in the mobile phone −No consideration for attacks. −Computation cost is high. −Achievement of positive identification of the owner is 70 out of 100. |
[87] | P | Hashing + Xor | ✓(ID) | 2 | C/H | I | +Novel scheme and benefiting from cache concept. +Resistance to forward, replay, eavesdropping, spoofing, tracking, and DoS attacks. +Computation and storage cost is efficient with respect to other schemes in literature. −Security of data storage in IoT systems is not considered. |
[88] | P | Shifting + Xor | ✓(ID, pseudonym (IDS)) | 2 | C/H | I | +Novel scheme and benefiting from cache concept. +Resistance to forward, replay, eavesdropping, tracking, de-synchronization, and DoS attacks. +Computation and communication cost is efficient with respect to other schemes in literature. −Storage overhead of the database is high. |