A secure remote user authentication scheme for 6LoWPAN-based Internet of Things

Abstract

One of the significant challenges in the Internet of Things (IoT) is the provisioning of guaranteed security and privacy, considering the fact that IoT devices are resource-limited. Oftentimes, in IoT applications, remote users need to obtain real-time data, with guaranteed security and privacy, from resource-limited network nodes through the public Internet. For this purpose, the users need to establish a secure link with the network nodes. Though the IPv6 over low-power wireless personal area networks (6LoWPAN) adaptation layer standard offers IPv6 compatibility for resource-limited wireless networks, the fundamental 6LoWPAN structure ignores security and privacy characteristics. Thus, there is a pressing need to design a resource-efficient authenticated key exchange (AKE) scheme for ensuring secure communication in 6LoWPAN-based resource-limited networks. This paper proposes a resource-efficient secure remote user authentication scheme for 6LoWPAN-based IoT networks, called SRUA-IoT. SRUA-IoT achieves the authentication of remote users and enables the users and network entities to establish private session keys between themselves for indecipherable communication. To this end, SRUA-IoT uses a secure hash algorithm, exclusive-OR operation, and symmetric encryption primitive. We prove through informal security analysis that SRUA-IoT is secured against a variety of malicious attacks. We also prove the security strength of SRUA-IoT through formal security analysis conducted by employing the random oracle model. Additionally, we prove through Scyther-based validation that SRUA-IoT is resilient against various attacks. Likewise, we demonstrate that SRUA-IoT reduces the computational cost of the nodes and communication overheads of the network.

1 Introduction

Low-power wireless personal area networks (LoWPANs) have found numerous applications in the Internet of Things (IoT) [1]. LoWPAN devices are amenable with IEEE 802.15.4 and are constricted in power, communication, data rate, and storage resources [2]. IEEE 802.15.4-enabled LoWPAN devices are deployed in various real-world applications, such as home automation, healthcare systems, security surveillance, smart grids, and industrial motoring. To provide Internet connectivity to a large number of devices deployed in a particular IoT environment, the IPv6 protocol is considered the most accordant solution because of its larger address space to render a unique IP address to each sensor node. By using IPv6 addressing, sensor nodes can transmit sensed information to other devices or to a central location through the public Internet.

To support large-scale connectivity for IoT, the Internet Engineering Task Force has designed IPv6-over-LoWPAN (6LoWPAN) adaptation layer to render packet fragmentation, reassembly, and encapsulation features for IEEE 802.15.4-based LoWPAN networks [3, 4]. Since LoWPAN devices collect information and send to a designated location via the public Internet, it is imperative for LoWPAN applications to provide security and privacy. However, the basic 6LoWPAN design does not provide security and privacy features to preclude an unauthorized network entity from procuring the collected information and to prevent illegitimate users from accessing the 6LoWPAN network resources [5–9].

6LoWPANs encounter the same security attacks as the traditional networks. These include denial-of-service (DoS), replay, user/server impersonation (UI/SI), man-in-the-middle (MITM), identity guessing (IG), user anonymity (UA), user/device impersonation (UI/DI), stolen smart card/device (SSC/SSD), and ephemeral secret leakage (ESL) attacks. However, due to the resource-constricted nature of 6LoWPANs and the inadequacy of organized network architectures, securing 6LoWPAN becomes more challenging [10]. Authentication, availability, integrity, data freshness, and confidentiality are imperative security provisions in 6LoWPANs. Confidentiality guarantees secure data transmission between authorized users and servers. Authentication and key establishment (AKE) is the mechanism to identify devices’ and users’ legitimacy in 6LoWPANs [11] and to set up a secret session key (SK) for encrypted communication. Therefore, a lightweight AKE mechanism becomes imperative for securing the network [12–20].

1.1 Related work

An overview of the existing AKE schemes for 6LoWPAN-based IoT networks and their limitations is presented in S1 Table, which shows that no existing scheme can withstand all known attacks. Pandi et al. [42] propounded an authentication scheme for vehicular ad-hoc networks (VANETs) to enable the network entities to communicate securely. The scheme presented by Pandi et al. is efficient in terms of certificate computation while preserving privacy of the entities. Pandi et al. [43] presented an AKE scheme for IoT-based wireless body area networks (WBANs), which is computationally less expensive and ensures secure communication. Azees et al. [44] propounded an anonymous authentication scheme for WBANs, which is capable of resisting various covert security attacks while requiring fewer resources. Azees et al. [45] presented a blockchain based authentication scheme for VANETs, which is capable of resisting different security attacks and renders secure communication in VANETs.

The authors in [34] propounded a multi-factor AKE scheme for the IoT environment. The AKE scheme proffered in [34] uses a lightweight hash function along with advanced encryption standard (AES). However, the scheme is unable to restrain SSD, DoS, replay, and sensor node (SN) capture attacks. A Chinese remainder theorem-based authentication scheme is presented in [23], which cannot resist replay attack and does not provide strong privacy. In addition, a signature and certificate-based computationally efficient authentication scheme for VANETs is presented in [46]. The authors in [47] propounded a resource-efficient AKE scheme for the IoT environment by utilizing hash function and XOR operation. However, the AKE scheme presented in [47] is prone to SSD, stolen verifier, UI, and UA attacks and is unable to ensure SN’s anonymity. An AKE scheme is propounded in [48] for mobile networks. The scheme proposed in [48] is resource-efficient and is suitable for mobile networks. A cosine similarity-based AKE scheme for the IoT environment is proposed in [49]. Furthermore, to enable security and privacy in different IoT-based networks, various AKE schemes are reported in the exiting literature [19, 50–66].

Additionally, the security analysis of an eminent AKE scheme presented in [31] is given at S1 Appendix. We have thoroughly analyzed the scheme and demonstrate that it is unsafe against de-synchronization attack and does not provide a revocation phase (RP). In [31], gateway broadcasts the authentication message to all sensor nodes deployed in the network, and a user does not specify the sensor node from which it is going to procure the information. Thus, all the sensor nodes in the network process the received message, which causes an extra computational overhead for every node.

1.2 Research contributions

This paper presents a resource-efficient secure remote user authentication scheme for 6LoWPAN-based IoT networks (SRUA-IoT). The proposed scheme performs user authorization before procuring real-time data from sensors stationed in the 6LoWPAN-based IoT networks. The scheme employs a lightweight secure hash algorithm (SHA-160) and advanced encryption standard (AES-192) to accomplish the AKE process and makes the following contributions.

1. SRUA-IoT is an AES and hash function based remote user AKE scheme for 6LoWPAN-based IoT networks, which renders user revocation and password change phases. Besides, SRUA-IoT ensures the legitimacy of remote users (RUs) to access real-time information from a sensor node while ensuring the privacy and anonymity of RUs. An RU indicates to the gateway a particular sensor node for procuring real-time information, which reduces the unnecessary computational overhead.

2. SK’s security in SRUA-IoT is corroborated using random oracle model (ROM). Informal security validation illustrates that SRUA-IoT is protected against SSC, de-synchronization, replay, and DoS attacks. In addition, Scyther tool analysis illustrates that the proposed scheme is protected.

3. We demonstrate that SRUA-IoT renders enhanced security functionalities aside from its low storage, computational, and communication costs, as compared to well-known AKE schemes.

1.3 Paper organization

The remainder of this paper is organized as follows. The system model is presented in Section 2. The proposed SRUA-IoT scheme is elaborated in Section 3. Security analysis is presented in Section 4. Performance evaluation of SRUA-IoT is detailed in Section 5. Finally, the paper is concluded in Section 6.

2 System model

The network model consists of a gateway GW, a registration center (RC), and remoter users (RU_y|y = 1, 2, 3, ⋯, N). In the SH environment, sensor nodes (SN_x|x = 1, 2, 3, ⋯, n) are deployed to monitor various processes. SN_x collect critical information and forward to the server stationed at RC. RC is responsible for the deployment of SN_x and implementing various access control policies in SH. Before procuring real-time information from SN_x, it is necessary for RU_y to register with RC. After registration, RU_y can access the network resources and the allocated SN_x. It is assumed that all network nodes are time synchronized.

The well-established Dolev Yao (DY) threat model [67] is employed, wherein an adversary $\mathcal{A}$ can intercept communications between two network entities communicating via a public channel. $\mathcal{A}$ can modify the intercepted messages or use the message for various malicious purposes. $\mathcal{A}$ can procure the secret credentials stored in a sensor node’s memory. Furthermore, $\mathcal{A}$ can obtain RU_y’s smart device SD_y and can extract secret credentials form SD_y to execute various security attacks.

RU_y needs to communicate with SN_x to securely procure the real-time information collected by SN_x. Therefore, an AKE scheme is imperative for secure and reliable communications between RU_y and SN_x. To achieve reliable and secure communication, the following section presents an RU_y AKE scheme, called SRUA-IoT.

3 The proposed SRUA-IoT scheme

SRUA-IoT seeks to ensure reliable and secure access to 6LoWPAN network resources. The scheme first verifies the authenticity of RU_y and then establishes a secret SK for encrypted communication by employing a lightweight hash function and AES-192 during the AKE process. SHA is an irreversible function, which means that it is impossible to derive the input from the output of SHA-160. Moreover, SHA-160 is a collision resistance function, which means that the output of SHA-160 can never be the same for different inputs. AES-192 is used as the encryption and decryption scheme in SRUA-IoT. SRUA-IoT is composed of seven phases, which are presented in the following subsections. S2 Table lists the notations used in this paper.

3.1 Sensor node deployment phase

RC assigns various secret credentials to SN_x before its deployment in the 6LoWPAN network. Moreover, RC selects a GW’s secret Key (GK) of 512 bits and a unique identity ID_G. Both GK and ID_G are known only to GW. RC executes the following steps to accomplish the sensor node deployment (SND) phase.

3.1.1 Step SND-1

RC picks a unique $I{D}_{S{N}_x}$ and $PI{D}_{S{N}_x}$ each of size 80 bits. Moreover, RC selects a random number R_x and computes a temporary secret (TS) for SN_x as A_e = H(GK ∥ R_x∥ ID_G), and $T{S}_{S{N}_x}=A_e^a\oplus A_e^b$, where $A_e^a$ and $A_e^b$ are two chunks of A_e, each of size 80 bits.

3.1.2 Step SND-2

RC stores the credentials {$I{D}_{S{N}_x}$, $PI{D}_{S{N}_x}$, $T{S}_{S{N}_x}$} in the memory of SN_x before its deployment.

3.2 Remote user registration phase

It is imperative for RC to register RU_y before providing access to the 6LoWPAN network resources. RC assigns different secret credentials and a list of SN_x to RU_y. RC executes the following steps to perform the remote user registration (RUR) phase.

3.2.1 Step RUR-1

RU_y selects a distinct identity $I{D}_{R{U}_y}$ and computes $HI{D}_y=H\left(I{D}_{R{U}_y}\right)$. Moreover, RU_y contrives a registration message $M{E}_1^r:\left\{HI{D}_y\right\}$ and dispatches $M{E}_1^r$ to RC via a protected channel.

3.2.2 Step RUR-2

RC selects a distinct pseudonym PID^x for RU_y and calculates A_q = H(GK ∥ ID_G), and A_x = H(HID ∥ ID_G ∥ GK). RC determines a TS credential for RU_y by dividing A_x into two equal parts, namely, $A_x^a$ and $A_x^b$, each of size 80 bits, and computes $T{S}_{R{U}_y}=A_x^a\oplus A_x^b$. Moreover, RC computes the revocation parameter (ReP) as B_x = A_q ⊕ HID_y and $R{P}_{R{U}_y}=B_x^a\oplus B_x^b$, where $B_x^a$ and $B_x^b$ are two chunks of B_x. Besides, RC assigns a list of SN_x to be accessed by RU_y. Furthermore, RC computes encryption key as EK = (A_q ∥ [A_q]³²), where [A_q]³² are the first 32 bits of A_q (to make the size of EK 192 bits). In addition, RC derives $C{T}_{R{U}_y}=E_{EK}\{T{S}_{R{U}_y},PI{D}_{S{N}_x},T{S}_{S{N}_x}\}$ by using AES-192, and stores a list of credentials {PID^x, $R{P}_{R{U}_y}$, $C{T}_{R{U}_y}$} in GW’s memory. Finally, RC fabricates a message $M{E}_2^r:\{PI{D}^x,T{S}_{R{U}_y},PI{D}_{S{N}_x}\}$ and sends $M{E}_2^r$ to RU_y securely.

3.2.3 Step RUR-3

After procuring $M{E}_2^r$ from RC, RU_y supplies its $I{D}_{R{U}_y}$, password $P{S}_{R{U}_y}$ and $B_{R{U}_y}$ at the interface of smart device SD_y and computes $({\beta }_k,Rp)=Gen\left(B_{R{U}_y}\right)$ by using fuzzy extractor (FE). FE consist of two functions. The first one is Gen(.), which is a probabilistic function that takes bio-metric information $B_{R{U}_y}$ of RU_y and produces two output parameters, namely, secret bio-metric key β_k and reproduction parameter Rp. The second function of FE is Rep(.), which is a deterministic function that takes Rp and $B_{R{U}_y}$ to reproduce β_k. Moreover, SD_y calculates $Z_x=H(PI{D}^x\parallel T{S}_{R{U}_y}\parallel PI{D}_{S{N}_x})$, $Z_y=H(I{D}_{R{U}_y}\parallel P{S}_{R{U}_y}\parallel {\beta }_k)$, and encryption key EK_y = (Z_y ∥ [Z_y]³²), where [Z_y]³² are the first 32 bits of Z_y to create EK_y of size 192 bits. Furthermore, SD_y calculates $C{T}_{lo}=E_{E{K}_y}\{PI{D}^x,T{S}_{R{U}_y},C{T}_{R{U}_y}\}$ by using AES-192. In addition, SD_y computes authentication parameter as $Aut{h}_y=H(I{D}_{R{U}_y}\parallel P{S}_{R{U}_y}\parallel {\beta }_k\parallel Z_x)$.

3.2.4 Step RUR-4

Finally, SD_y stores the list of credentials {CT_lo, Auth_y, Rp, Gen(.), Rep(.), Et} in its memory and deletes all other parameters.

3.3 RU AKE phase

To access and communicate with the deployed 6LoWPAN based devices, it is necessary for RU_y to register itself with RC. RC allocates a list of secret credentials and devices to RU_y at the time of registration. After authorizing RU_y’s legitimacy, RC allows RU_y to access the specified devices deployed in the network. After getting authenticated by RC, RU_y and SN_x set up an SK for reliable and secure communication. The following steps elaborate RU AKE phase (RAP).

3.3.1 Step RAP-1

SD_y receives the secret credentials $P{S}_{R{U}_y}$, $I{D}_{R{U}_y}$, and $B_{R{U}_y}$, and computes ${\beta }_k=Rep(B_{R{U}_y},Rp)$ and $Z_y=H(I{D}_{R{U}_y}\parallel P{S}_{R{U}_y}\parallel {\beta }_k)$. In addition, SD_y computes the decryption key DK_lo as DK_lo = (Z_y ∥ [Z_y]³²), where [Z_y]³² are the first 32 bits of Z_y to make DK_lo of size 192 bits. Moreover, SD_y computes $P{T}_{lo}=D_{D{K}_{lo}}\left\{C{T}_{lo}\right\}$, where CT_lo is the ciphertext stored in SD_y, and retrieves $P{T}_{lo}=\{PI{D}^x,T{S}_{R{U}_y},PI{D}_{S{N}_x}\}$. Furthermore, SD_y calculates $Z_x^{lo}=H(PI{D}^x\parallel T{S}_{R{U}_y}\parallel PI{D}_{S{N}_x})$, and authentication parameter $Aut{h}_{lo}=H(I{D}_{R{U}_y}\parallel P{S}_{R{U}_y}\parallel {\beta }_k\parallel Z_x)$. Finally, SD_y checks Auth_y = Auth_lo to perform local authentication. If the condition holds, SD_y continues the AKE process.

3.3.2 Step RAP-2

After performing the local authentication, SD_y chooses T_x of size 32 bits, and R₁ of size 80 bits. SD_y calculates $G_1=(R_1\parallel PI{D}_{S{N}_x})\oplus H(T{S}_{R{U}_y}\parallel T_x)$ and $Aut{h}_{a1}=H(PI{D}_{}^x\parallel PI{D}_{S{N}_x}\parallel R_1\parallel T{S}_{R{U}_y})$. Furthermore, SD_y contrives a message ME_a: {T_x, PID^x, G₁, Auth_a1} and dispatches it to GW via an open communication channel.

3.3.3 Step RAP-3

Upon procuring ME_a from SD_y, GW verifies the validity of timestamp by validating the condition TD_x ≥ |Tr − T_x|, where TD_x is maximum tolerable packet time delay, Tr is the receiving time of ME_a, and T_x is fabrication time of ME_a. If ME_a receives at the GW within the maximum allowed time delay limit, GW considers ME_a to be a licit and fresh message and continues the AKE phase. GW picks PID^x from the received ME_a and looks up PID^x in GW’s memory. If found, GW extracts the list of credentials {PID^x, $R{P}_{R{U}_y}$, $C{T}_{R{U}_y}$} related to PID^x. In addition, GW calculates DK as M₁ = H(GK ∥ ID_G) and DK = (M₁ ∥ [M₁]³²). Moreover, GW computes $P{T}_1=D_{DK}\left\{C{T}_{R{U}_y}\right\}$ by using AES-192, and procures secret credentials {$T{S}_{R{U}_y}$, ($PI{D}_{S{N}_x}$, $T{S}_{S{N}_x}$)} from PT₁. Furthermore, GW obtains R₁ and $PI{D}_{S{N}_x}$ by computing $(R_1\parallel PI{D}_{S{N}_x})=G_1\oplus H(T{S}_{R{U}_y}\parallel T_x)$. To validate the authenticity of ME_a, GW calculates $Aut{h}_{a2}=H(PI{D}^x\parallel PI{D}_{S{N}_x}\parallel R_1\parallel T{S}_{R{U}_y})$ and verifies the condition Auth_a1 = Auth_a2. If the condition holds, GW continues the execution of the AKE process.

3.3.4 Step RAP-4

After validating the authenticity of ME_a, GW picks a timestamp T_y and random number R₂, and computes $W_1=H(R_1\parallel T{S}_{R{U}_y}\parallel PI{D}^x)$, where W₁ is obtained using hash of the parameters, including R₁, $T{S}_{R{U}_y}$, and PID^x. GW calculates the update parameter (UP) as $UP=W_1^a\oplus W_1^b$, where $W_1^a$ and $W_1^b$ are obtained by dividing W₁ into two equal chunks of 80 bits each. Besides, GW computes PID^x+1 = UP ⊕ PID^x and stores both PID^x and PID^x+1 in its memory to avoid the de-synchronization attack. Moreover, GW calculates $W_2=H(T{S}_{S{N}_x}\parallel PI{D}_{S{N}_x}\parallel T_y)$, G₂ = W₁ ⊕ W₂, G₃ = (R₂, R₁) ⊕ W₂, and $Aut{h}_{a3}=H(W_1\parallel R_2\parallel R_1\parallel T{S}_{S{N}_x}\parallel PI{D}_{S{N}_x}\parallel T_y)$. Finally, GW creates a message ME_b: { T_y, G₂, G₃, Auth_a3} and sends it to SN_x via the public channel.

3.3.5 Step RAP-5

After procuring ME_b from GW, SN_x verifies the condition TD_x ≥ |Tr − T_y|. If the condition holds, SN_x computes $W_3=H(T{S}_{S{N}_x}\parallel PI{D}_{S{N}_x}\parallel T_y)$, W₁ = G₂ ⊕ W₃, and (R₂, R₁) = G₃ ⊕ W₃. Moreover, SN_x calculates $Aut{h}_{a4}=H(W_1\parallel R_2\parallel R_1\parallel T{S}_{S{N}_x}\parallel PI{D}_{S{N}_x}\parallel T_y)$. Furthermore, SN_x determines the integrity of ME_b by validating the condition Auth_a3 = Auth_a4. If the condition holds, SN_x picks a timestamp T_z and a random number R₂, and computes G₄ = H(R₁ ∥ R₂ ∥ R₃) ⊕ W₁. For securing communication with RU_y, SN_x calculates $S{K}_x=H(H(R_1\parallel R_2\parallel R_3)\parallel W_1\parallel T_z\parallel PI{D}_{S{N}_x})$. In addition, SN_x computes Auth_a5 = H(H(R₁ ∥ R₂ ∥ R₃) ∥ R₁ ∥ T_z ∥ SK_x). Finally, SN_x calculates a message ME_c: {T_z, G₄, Auth_a5} and sends it to RU_y via the public channel.

3.3.6 Step RAP-6

RU_y considers the received ME_c fresh if the condition TD_z ≥ |Tr − T_z| holds. If ME_c is valid, RU_y calculates $W_4=H(R_1\parallel T{S}_{R{U}_y}\parallel PI{D}^x)$, and H(R₁ ∥ R₂ ∥ R₃) = G₄ W₄. For encrypted communication with SN_x, RU_y computes $S{K}_y=H(H(R_1\parallel R_2\parallel R_3)\parallel W_4\parallel T_z\parallel PI{D}_{S{N}_x})$. Furthermore, RU_y computes Auth_a6 = H(H(R₁ ∥ R₂ ∥ R₃) ∥ R₁ ∥ T_z ∥ SK_y) and checks Auth_a5 = Auth_a6. If the equation holds, RU_y considers ME_c as a valid message. Finally, RU_y computes $U{P}_{}=W_4^a\oplus W_4^b$ and updates PID^x by calculating PID^x+1 = PID^x ⊕ UP₁. RU_y keeps both PID^x+1 and PID^x in its memory to ensure resistance against de-synchronization attack. The user AKE phase of SRUA-IoT is summarized in S1 Fig.

3.4 Password change phase

In SRUA-IoT, an authorized user RU_y can change its password and update bio-metric information without involving RC. RU_y needs to perform the following steps to execute the password change phase (PCP).

3.4.1 Step PCP-1

RU_y provides its secret credentials, namely, $I{D}_{R{U}_y}^o$, $P{S}_{R{U}_y}^o$, and $B_{R{U}_y}^o$ as inputs at the interface of SD_y. After procuring the inputs, SD_y computes the bio-metric key ${\beta }_k^o=Rep(B_{R{U}_y}^o,R{p}^o)$. Moreover, SD_y derives the decryption Key $D{K}_{lo}^o$ by computing $Z_y^o=H(I{D}_{R{U}_y}^o\parallel P{S}_{R{U}_y}^o\parallel {\beta }_k^o)$, and $D{K}_{lo}^o=(Z_y^o\parallel {\left[Z_y^o\right]}^{32})$. By using AES-192 decryption algorithm, SD_y calculates $P{T}_{lo}^o=D_{D{K}_{lo}^o}\left\{C{T}_{lo}^o\right\}$, where $P{T}_{lo}^o=\{PI{D}^x,T{S}_{R{U}_y},PI{D}_{S{N}_x}\}$. Furthermore, SD_y computes $Z_x^o=H(PI{D}^x\parallel T{S}_{R{U}_y}\parallel PI{D}_{S{N}_x}),Aut{h}_{lo}^o=H(I{D}_{R{U}_y}^o\parallel P{S}_{R{U}_y}^o\parallel {\beta }_k^o\parallel Z_x^o)$, and verifies if the condition $Aut{h}_{lo}^o\stackrel{}{=}Aut{h}_{lo}$ holds. If it holds, SD_y notifies RU_y to enter a new password $P{S}_{R{U}_y}^n$ and update bio-metric information $B_{R{U}_y}^n$. Otherwise, SD_y halts the AKE process.

3.4.2 Step PCP-2

Upon procuring $P{S}_{R{U}_y}^n$ and $B_{R{U}_y}^n$ from RU_y, SD_y determines a new bio-metric key βⁿ by computing $({\beta }^n,R{p}^n)=Gen(B_{R{U}_y}^n)$. Moreover, SD_y computes the encryption key $E{K}_{lo}^n$ as $Z_y^n=H(I{D}_{R{U}_y}^o\parallel P{S}_{R{U}_y}^n\parallel {\beta }_k^n)$, $E{K}_{lo}^n=(Z_y^n\parallel {\left[Z_y^n\right]}^{32})$, where ${\left[Z_y^n\right]}^{32}$ are the first 32 bits of $Z_y^n$. Furthermore, SD_y calculates new plaintext $P{T}_{lo}^n$ by deriving $P{T}_{lo}^n=\{PI{D}^x,T{S}_{R{U}_y},PI{D}_{S{N}_x}\}$. In addition, SD_y computes $Z_x^n=H(PI{D}^x\parallel T{S}_{R{U}_y}\parallel PI{D}_{S{N}_x})$, and $Aut{h}_{lo}^n=H(I{D}_{R{U}_y}^o\parallel P{S}_{R{U}_y}^n\parallel {\beta }_k^n\parallel Z_x^n)$. Finally, by utilizing AES-192 encryption algorithm, SD_y calculates $C{T}_{lo}^n=E_{E{K}_{lo}^n}\left\{P{T}_{lo}^n\right\}$, replaces $\{C{T}_{lo}^n,Aut{h}_y^n,R{p}^n,Gen(.),Rep(.),E{t}^n\}$ with {CT_lo, Auth_y, Rp, Gen(.), Rep(.), Et} in SD_y’s memory, and deletes all other credentials in its memory. S2 Fig summarizes PCP.

3.5 Revocation phase

If a legitimate RU_y loses its SD_y, RU_y can obtain a new $S{D}_y^{new}$ from RC. To obtain $S{D}_y^{new}$, it is necessary for RU_y to remember its $I{D}_{R{U}_y}$. For proper RP, it is necessary to remove the previous data from GW’s memory. Most AKE schemes do not delete the old data from the memory of GW or server. RU_y needs to perform the succeeding steps to procure a new SC.

3.5.1 Step RP-1

Upon getting $I{D}_{R{U}_y}$, SD_y computes $HI{D}_y=H(I{D}_{R{U}_y})$, constructs a message $M{E}_1^{rov}:\left\{HI{D}_y\right\}$, and forwards $M{E}_1^{rov}$ to RC. After getting $M{E}_1^{rov}$ from RU_y, RC computes B = H(GK ∥ ID_G) ⊕ HID_y, $R{P}_{R{U}_y}^{}=B_{}^a\oplus B_{}^b$, and verifies if $R{P}_{R{U}_y}^{}$ exists in its memory. If found, RC removes $R{P}_{R{U}_y}^{}$ related record and informs RU_y for new registration by sending $M{E}_1^{rov}:\left\{registrationrequest\right\}$ to RU_y.

3.5.2 Step RP-2

Upon getting the new registration request, RU_y picks new $P{S}_{R{U}_y}^{new}$, $I{D}_{R{U}_y}^{new}$, and computes $HI{D}^{new}=H\left(I{D}_{R{U}_y}^{new}\right)$. SD_y constructs a message $M{E}_3^{rov}:\left\{HI{D}_y^{new}\right\}$ and sends to RC.

3.5.3 Step RP-3

RC picks a new pseudonym $PI{D}_{new}^x$ for RU_y and computes $A_q^{new}=H(GK\parallel I{D}_G)$. To issue a new $S{D}_y^{new}$ to RU_y, RC computes the same computation as accomplished in Step RUR-2 of Section 3.2. Finally, RC contrives a message $M{E}_4^{rov}:\{PI{D}_{new}^x,T{S}_{R{U}_y}^{new},PI{D}_{S{N}_x}^{new}\}$ and sends $M{E}_4^{rov}$ to RU_y via a reliable channel.

3.5.4 Step RP-4

After receiving $M{E}_4^{rov}$ from RC, SD_y executes the same computation as excuted in Step RUR-3 of Section 3.2 Finally, SD_y stores a new list of parameters {CT^new, $Aut{h}_y^{new}$, Gen(.), Rep(.), Rp^new, Et^new} in SD_y’s memory. Moreover, RC stores a list of credentials {$PI{D}_{new}^x$, $R{P}_{R{U}_y}^{new}$, $C{T}_{R{U}_y}^{new}$} in GW’s memory. The revocation phase is summarized in S3 Fig.

3.6 New SN deployment phase

RC can deploy a new SN (NSN) by performing the following steps.

3.6.1 Step NSN-1

RC picks a distinct $I{D}_{S{N}_x}^n$ and $PI{D}_{S{N}_x}^n$ for NSN $S{N}_x^n$. In addition, RC picks $R_x^n$ and computes a new temporary secret $T{S}_{S{N}_x}^n$ for $S{N}_x^n$ by calculating $A_e^n=H(GK\parallel R_x^n\parallel I{D}_G)$, and $T{S}_{S{N}_x}^n=A_e^{n-a}\oplus A_e^{n-b}$, where $A_e^{n-a}$ and $A_e^{n-b}$ are two chunks of $A_e^n$, each of size 80 bits.

3.6.2 Step NSN-2

Finally, RC stores the credentials {$I{D}_{S{N}_x}^n$, $PI{D}_{S{N}_x}^n$, $T{S}_{S{N}_x}^n$} in $S{N}_x^n$’s memory before its deployment.

4 Security analysis

In this section informal security analysis of SRUA-IoT is carried out to shows its resistance against various security attacks. The security of SK is validated by utilizing the well-known ROM. Scyther based security analysis is performed to validate SRUA-IoT’s resistance against replay and MITM attacks.

4.1 Informal security analysis

This subsection illustrates that the proposed scheme is protected against various attacks, namely, replay, MITM, UI, offline PG, PI, and impersonation attacks.

Proposition 1 SRUA-IoT is resistant to replay attack.

proof 4.1 There are three messages exchanged during the execution of the AKE phase, namely, ME_a: {T_x, PID^x, G₁, Auth_a1}, ME_b: {T_y, G₂, G₃, Auth_a3}, and ME_c: {T_z, G₄, Auth_a5}. These messages are constructed by incorporating latest timestamps T_x, T_y, and T_z. The freshness of each timestamp is verified by validating the conditions TD_x ≥ |Tr − T_x|, TD_x ≥ |Tr − T_y|, and TD_x ≥ |Tr − T_z| for each message ME_a, ME_b, and ME_c, respectively. If these conditions do not hold, GW, SN_x, and RU_y will detect the replay attack and the receiving network entity will discard the received message. Therefore, SRUA-IoT is resistant to replay attack.

Proposition 2 SRUA-IoT is protected against DoS attack.

proof 4.2 In SRUA-IoT, RU_y uses its secret credentials to pass the local authentication, for which SD_y needs to calculate $Aut{h}_{lo}=H(I{D}_{R{U}_y}\parallel P{S}_{R{U}_y}\parallel {\beta }_k\parallel Z_x)$ and check the condition Auth_y = Auth_lo. Local verification will be successful if the condition holds. After local verification, SD_y sends the AKE request to GW. Otherwise, SD_y terminates the AKE process and prevents RU_y from sending a large number of AKE requests to GW. Hence, SRUA-IoT is protected against DoS attack.

Proposition 3 SRUA-IoT ensures untraceability and anonymity of RU_y.

proof 4.3 In SRUA-IoT, during the registration and the AKE phase, only pseudo identities are used, which do not provide any information about $I{D}_{R{U}_y}$ . For each new AKE session, RU_y utilizes the updated PID^x+1, and fresh random numbers R₁, R₂, and R₃. During the AKE process, the communicated messages are different for each session. Therefore, $\mathcal{A}$ cannot correlate the captured message from two different AKE sessions. Thus, SRUA-IoT renders the anonymity and untraceability of RU_x and SN_x.

Proposition 4 SRUA-IoT is protected against MITM attack.

proof 4.4 In SRUA-IoT, there are three messages exchanged, i.e., ME_a, ME_b, and ME_c. Let $\mathcal{A}$ captures the the message ME_a: {T_x, PID^x, G₁, Auth_a1}, which is transmitted by RU_y, and tries to update the message content by selecting a random number $R_1^a$ and timestamp $T_x^a$. For this, $\mathcal{A}$ needs to compute $G_1^a$ and $Aut{h}_{a1}^a$ to pretend that $M{E}_a^a$ is from a legitimate RU_y. However, $\mathcal{A}$ cannot compute valid $G_1^{}$ and $Aut{h}_{a1}^{}$ without knowing the secret credentials, namely, $T{S}_{R{U}_y}$, and $PI{S}_{S{N}_x}$, which are known only to RU_y. We can illustrate the same conditions for ME_b, and ME_c. Hence, SRUA-IoT is protected against MITM attack.

Proposition 5 SRUA-IoT is immune to offline PG and SSC attacks.

proof 4.5 In this case, $\mathcal{A}$ can execute various attacks by procuring sensitive information stored on the stolen/lost smart card or device. Let $\mathcal{A}$ obtains lost/stolen SD_y of RU_y and, by using power analysis attack, can procure the information, such as {CT_lo, Auth_y, Rp, Gen(.), Rep(.), Et} stored in the memory of SD_y. From the obtained information, $\mathcal{A}$ cannot retrieve secret credentials, which are used during the AKE process. Therefore, SRUA-IoT is protected against SSC attack. To update the password of RU_y, $\mathcal{A}$ picks a random identity, password and bio-metric information to compute ${\beta }_k^a=Rep(B_{R{U}_y}^a,Rp)$, $Z_y^a=H(I{D}_{R{U}_y}^a\parallel P{S}_{R{U}_y}^a\parallel {\beta }_k^a)$, $D{K}_{lo}^a=(Z^{a}y\parallel {\left[Z_y^a\right]}^{32})$, and $P{T}_{lo}^a=D_{D{K}_{lo}^a}\left\{C{T}_{lo}\right\}$, retrieve $P{T}_{lo}^a=\{PI{D}^x,PI{D}_{S{N}_x}^a,T{S}_{R{U}_y}^a\}$, calculate $Z_x^a=H(PI{D}^x\parallel T{S}_{R{U}_y}^a\parallel PI{D}_{S{N}_x}^a),Aut{h}_a=H(I{D}_{R{U}_y}^a\parallel P{S}_{R{U}_y}^a\parallel {\beta }_k^a\parallel Z_x^a)$, and check $Aut{h}_y^a\stackrel{}{=}Aut{h}_{lo}$. However, without knowing the secret credentials of RU_y, such as $I{D}_{R{U}_y}$, $P{S}_{R{U}_y}$, and $B_{R{U}_y}$, it is not possible for $\mathcal{A}$ to perform valid commutation as mentioned above. Therefore, SRUA-IoT is immune to offline PG attack.

Proposition 6 SRUA-IoT is secure against impersonation attack.

proof 4.6 SRUA-IoT considers the following three types of impersonation attacks.

1. UI attack: Let $\mathcal{A}$ tries to generate an AKE request message $M{E}_a^a:\{T_x^a,PI{D}^x,G_1^a,A^{a}ut{h}_{a1}\}$ by selecting $T_x^a$, and R₁. However, to send an AKE request to RC, $\mathcal{A}$ needs to known both the secret credentials, i.e., $T{S}_{R{U}_y}$ and $PI{D}_{S{N}_x}$, which are known only to RU_y. Moreover, $T{S}_{R{U}_y}$ and $PI{D}_{S{N}_x}$ are stored in SD_y’s memory in the encrypted form. Therefore, SRUA-IoT is secure against UI attack.

2. RC impersonation attack: In this case, $\mathcal{A}$ picks $R_2^a$, $T_y^a$, and contrives a message $M{E}_b^a:\{T_y^a,G_2^a,G_3^a,Aut{h}_{a3}^a$} to pretend that this messages is from a legitimate RC. However, to generate $M{E}_b^a$, $\mathcal{A}$ needs to know the secret parameters, such as $T{S}_{S{N}_x}$ and $PI{D}_{S{N}_x}$, which are stored in encrypted form. Therefore, without knowing these parameters, $\mathcal{A}$ cannot fabricate a false massage to make SN_x believe that the message is created by a legal RC. Hence, SRUA-IoT is secure against RC impersonation attack.

3. SN_x impersonation attack: $\mathcal{A}$ can generate a fake message $M{E}_c^a:\{T_z^a,G_4^a,Aut{h}_{a5}^a\}$ and send it to RU_y to make RU_y believe that the message is from a legal SN_x. However, to generate a valid $M{E}_c^{}$, $\mathcal{A}$ needs to know W₁, R₁, R₂, R₃, and $T{S}_{S{N}_x}$. Without the knowledge of these secret credentials, it is impractical for $\mathcal{A}$ to create a licit message $M{E}_c^{}$. Hence, SRUA-IoT is secure against SN_x impersonation attack.

Proposition 7 SRUA-IoT is resilient against SN_x capture attack.

proof 4.7 In 6LoWPANs, SN_x are deployed in unattended environment. $\mathcal{A}$ can capture an SN_x and can procure the sensitive information stored in the memory of SN_x. Since all the deployed SN_x contain distinct secret information, therefore, by capturing an SN_x $\mathcal{A}$ cannot breach the security of the entire 6LoWPAN. Hence, SRUA-IoT is resilient against SN_x capture attack.

Proposition 8 SRUA-IoT is immune to de-synchronization attack.

proof 4.8 If the network entities are updating pseudonyms during the execution of the AKE process, $\mathcal{A}$ can establish de-synchronization attack by dropping the captured message. In SRUA-IoT, GW and RU_y update PID^x to PID^x+1 to accomplish anonymous communication. However, to avoid the de-synchronization attack, both GW and RU_y keep PID^x and PID^x+1 in their memory. If $\mathcal{A}$ halts the AKE process by dropping the authentication messages, RU_y can use old PID^x for the AKE process. Therefore, SRUA-IoT is immune to de-synchronization attack.

Proposition 9 SRUA-IoT is resistant to ESL attack.

proof 4.9 Proof In SRUA-IoT, both RU_y and SN_x compute SK as $S{K}_{x,y}=H(H(R_1\parallel R_2\parallel R_3)\parallel H(R_1\parallel T{S}_{R{U}_y}\parallel PI{D}^x)\parallel T_z\parallel PI{D}_{S{N}_x})$. It is obvious that the calculated SK is the concoction of ephemeral (short term) parameters R₁, R₂ and R₃, and long term credential, $T{S}_{R{U}_y}$, $PI{D}_{S{N}_x}$, and PID^x. $\mathcal{A}$ needs to compromise both ephemeral and long term credentials to reveal SK. Therefore, SRUA-IoT is resistant to ESL attack.

Proposition 10 SRUA-IoT ensures PFS.

proof 4.10 From the discussion in Proposition 9, it is clear that SK is the concatenation of fresh ephemeral and long term secret credentials. If $\mathcal{A}$ compromises SK of the previous AKE process but cannot compromise SK of the new AKE processes, then SRUA-IoT renders the PFS feature.

Proposition 11 SRUA-IoT ensures secure MA.

proof 4.11 In SRUA-IoT, RU_y achieves validation on RC after verifying the condition Auth_a1 = Auth_a2. For this condition to hold, the knowledge of credentials GK, ID_G, and $T{S}_{R{U}_y}$ is required. To verify the condition at SN_x Auth_a3 = Auth_a4, the knowledge of $T{S}_{S{N}_x}$ and $PI{D}_{S{N}_x}$ is necessary. SN_x achieves authentication on $S{D}_{R{U}_y}$ by validating the condition Auth_a5 = Auth_a6. Therefore, RU_y, SN_x, and GW mutually validate each other to achieve secure mutual authentication.

4.2 SK security validation using random oracle model

We employ ROM to corroborate SK’s security in SRUA-IoT. In ROM, $\mathcal{A}$ consociates with kth instance of a participating entity EN^k, which is involved in executing SRUA-IoT. It can be a legitimate RU_y, GW or SN_x. Therefore, $E{N}_{R{U}_y}^k$, $E{N}_{GW}^k$, and $E{N}_{S{N}_x}^k$ are $k_1^{th}$, $k_2^{th}$, and $k_3^{th}$ instances of RU_y, GW, and SN_x, respectively. To simulate real attacks, ROM considers various queries, namely, Send, Test, Reveal, CorruptSD, and Execute. A description of these queries is presented in S3 Table. Furthermore, SHA is modeled as a random oracle HR (|HR| specifies the rage space of SHA output) and it is available for all SRUA-IoT executing entities including $\mathcal{A}$. By using the queries presented in S3 Table, the security of SK is proved in Theorem 4.12.

Theorem 4.12 Suppose a polynomial-time $\mathcal{A}$ is running against the proposed SRUA-IoT in time T_i. If QR_h denotes the hash quires, |HR| specifies the range space of SHA output, SQ_s indicates the send queries, lbk defines the length of β_k key, and |PD| refers to the password dictionary, the approximated advantage of $\mathcal{A}$ in breaching the security of SRUA-IoT for procuring SK between RU_y and SN_x can be defined as

$$\begin{array}{c}\hfill A{D}_{\mathcal{A}}^{SRUA-IoT}\left(T_i\right)\le \frac{Q{R}_h^2}{\left|HR\right|}+\frac{S{Q}_s}{2^{lbk-1}\left|PD\right|}.\end{array}$$ (1)

proof 4.13 To prove this theorem, we consider the following four games (GM_x|x = 0, 1, 2, 3).

4.2.1 GM₀

A real security attack is accomplished by $\mathcal{A}$ against SRUA-IoT in GM₀. $\mathcal{A}$ picks c bits at GM₀. Therefore, we can procure

$$\begin{array}{c}\hfill A{D}_{SRUA-IoT}^{\mathcal{A}}\left(T_i\right)=|2.A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_0}-1|.\end{array}$$ (2)

4.2.2 GM₁

In GM₁, $\mathcal{A}$ effectuates an eavesdropping attack and captures all the exchanged messages ME_a:{T_x, PID^x, G₁, Auth_a1}, ME_b:{T_y, G₂, G₃, Auth_a3}, and ME_c:{T_z, G₄, Auth_a5} during the AKE process of SRUA-IoT by utilizing the execute query defined in S3 Table. To procure SK, $\mathcal{A}$ executes the Reveal and Test queries and checks if the return key is a random string or real key at the completion of GM₁. The constructed SK between RU_y and SN_x is $S{K}_{x,y}=H(H(R_1\parallel R_2\parallel R_3)\parallel H(R_1\parallel T{S}_{R{U}_y}\parallel PI{D}^x)\parallel T_z\parallel PI{D}_{S{N}_x})$. $\mathcal{A}$ needs to know all the long-term secrets and other ephemeral numbers, which are known only to RU_y, SN_x, and RC. Hence by executing the eavesdropping attack, the chance of $\mathcal{A}$ to win the game will not be enhanced. Therefore, it is evident that

$$\begin{array}{c}\hfill A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_1}=A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_0}.\end{array}$$ (3)

4.2.3 GM₂

In GM₂, $\mathcal{A}$ performs an active attack by simulating Send and Hash quires. All the exchanged messages ME_a, ME_b, and ME_c are protected using the collision resistance SHA function. The communicated message incorporates random number, timestamps, secret identities, and TSs. Therefore, no SHA collision will occur when $\mathcal{A}$ effectuates the Send and Hash quarries. By birthday paradox, the following can be achieved.

$$\begin{array}{c}\hfill |A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_1}-A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_2}|\le Q{R}_h^2/\left(2\right|HR\left|\right).\end{array}$$ (4)

4.2.4 GM₃

This game effectuates the simulation of CorruptSD query. Typically, RU_y picks low-entropy passwords. By utilizing the password dictionary attack, $\mathcal{A}$ tries to guess the password of RU_y after procuring the information stored on SD_y, including {CT_lo, Auth_y, Rp, Gen(.), Rep(.), Et}. $\mathcal{A}$ also attempts to guess β_k from the information stored on SD_y. SRUA-IoT employs robust FE that generates highly random β_k ∈ [0, 1]^lbk, where lbk is the length of β_k. The probability of guessing β_k is nearly $\frac{1}{2^{lbk}}$. Furthermore, in the communication system, only a limited number of wrong password attempts are allowed. Under these conditions, we have

$$\begin{array}{c}\hfill |A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_2}-A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_3}|\le \frac{S{Q}_s}{2^{lbk}\left|PD\right|}.\end{array}$$ (5)

After executing the above queries, $\mathcal{A}$ needs to guess bit c upon executing the Test query. Therefore, we have $A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_3}=\frac{1}{2}$.

By utilizing the triangular inequality and simplifying (2)–(5), the following is achieved:

$$\begin{array}{c}\hfill \begin{array}{c}\hfill \frac{1}{2}A{D}_{SRUA-IoT}^{\mathcal{A}}\left(T_i\right)=|A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_3}=\frac{1}{2}|\\ \hfill =|A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_1}-A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_3}|\\ \hfill \le |A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_1}-A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_2}|\\ \hfill +|A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_2}-A{D}_{SRUA-IoT}^{\mathcal{A},G{M}_3}|\\ \hfill \le \frac{Q{R}_h^2}{2\left|HR\right|}+\frac{S{Q}_s}{2^{lbk}\left|PD\right|}.\end{array}\end{array}$$ (6)

Hence, we get

$$\begin{array}{c}\hfill A{D}_{SRUA-IoT}^{\mathcal{A}}\left(T_i\right)\le \frac{Q{R}_h^2}{\left|HR\right|}+\frac{S{Q}_s}{2^{lbk-1}\left|PD\right|}.\end{array}$$ (7)

4.3 Scyther analysis

We employ the well-known formal security validation tool, called Scyther [68], to validate the security properties and correctness of the proposed SRUA-IoT scheme. To that end, the security protocol description language (SPDL) is utilized to specify SRUA-IoT by employing the operational semantics ascertained in [68]. S4 Fig demonstrates that proclaims are satisfied, which are specified in the SPDL script. In S4 Fig, SRUA-IoT is the name of the devised protocol with the initiator RU and RC as the helper node and SN as the responder. The descriptions of Nisynch and secrecy are provided in [68]. Secrecy signifies that specific information is not disclosed to any attacker, even when the information is exchanged over a public network. Furthermore, Nisynch describes that any claim defined in the devised protocol specification will also appear in the trace. Moreover, SRUA-IoT analysis illustrates that the supplementary security characteristics produced by Scyther, namely, weak agreement (Weakagree), aliveness (Alive), and non-injective agreement (Niagree) are validated.

5 Performance evaluation

In this section, the performance of SRUA-IoT is compared with Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], Wazid et al. [35], and Chen et al. [27] in terms of computational cost, communication cost, security features, and storage cost. We use C/C⁺⁺ based cryptographic library MIRACL and Raspberry PI-3 (RPI-3B) with Quad-core @1.2 GHz, 1BG of RAM, and Ubuntu 16.04 LTS for implementing the proposed SRUA-IoT and the relevant AKE schemes.

5.1 Security features

The proposed SRUA-IoT is compared with the relevant AKE scheme in terms of security functionalities and resistance against various attacks. S4 Table exhibits that Park et al. [69] is unprotected against UA, SSC, and PT attacks, Shuai et al. [36] is unsafe against de-synchronization attacks, Das et al. [30] cannot withstand SSC, PI, and UA attacks and does not ensure SK security, Shin et al. [31] is insecure against de-synchronization attack and does not provide revocation phase, Challa et al. [22] cannot withstand PI, SSC, UA, PG, and UI attacks, Srinivas et al. [33] fails to protect against UI, PI, and SSC attacks, Wazid et al. [35] is unsafe against UI, PI, and SSC attacks, and Chen et al. [27] cannot protect PI, PG, UA, UI, replay and DoS attacks and also does not ensure mutual authentication. Contrarily, SRUA-IoT is secure as compared to the relevant eminent AKE schemes, as shown in S4 Table.

5.2 Computational cost

In this subsection, the approximated computational overhead of SRUA-IoT and relevant AKE schemes is determined by using computational time of various cryptographic primitives presented in S5 Table. SRUA-IoT has a computational cost of 19T_SA + 2T_ED + $T_{{\beta }_k}\approx 6.901$ ms, which is less than the benchmark schemes, as shown in S5 Fig and S6 Table. SRUA-IoT has 53.09%, 23.88%, 44.23%, 29.56%, 22.04%, 76.41%, 24.07%, and 38.93% less computational cost as compared to Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Srinivas et al. [33], Challa et al. [22], Wazid et al. [35], and Chen et al. [27], respectively. Furthermore, SRUA-IoT has a computational overhead of 5T_SA ≈ 1.275ms at SN_x, which is less than the benchmark AKE schemes, as shown in S6 Fig and S6 Table. The computational overhead at GW increases with the number of users accessing the network resources. S7 Fig shows that SRUA-IoT requires low computational overhead while processing multiple AKE requests simultaneously.

Although the security of SRUA-IoT is verified through formal and informal analyses in Section 4 where the scheme has been shown to resist various covert security attacks, however, an attack or some unexpected event can halt the execution of SRUA-IoT, which may occur at any step of the AKE phase. Under a specific attack, the execution time can be computed as

$$\begin{array}{c}\hfill T_{atp}=\frac{{\sum }_i^{100}{T}_i}{(1-\text{attack}\text{success}\text{probability})},\end{array}$$ (8)

where T_i denotes time required to accomplish the AKE phase and ${\sum }_i^{100}{T}_i$ denotes the average time, which is procured after running SRUA-IoT 100 times, and T_atp denotes the execution time required to complete the AKE phase under successful attack probability. S8 Fig demonstrates the time utilization of SRUA-IoT and other related schemes with attack success probability. Under various successful attack attempts, SRUA-IoT requires less time to complete its execution than the related AKE schemes.

5.3 Communication cost

The comparative analysis of communication cost is illustrated in this subsection. For SRUA-IoT, the size of timestamp is 32 bits, ECC point is 160 bits, SHA output size is 160 bits, random number size is 80 bits, different PID size is 80 bits, and AES key size is 192 bits. During the execution of the AKE phase, SRUA-IoT exchanges three message, namely, ME_a: {T_x, PID^x, G₁, Auth_a1}, ME_b: {T_y, G₂, G₃, Auth_a3 and ME_c: {T_z, G₄, Auth_a5}, of length {32 + 80 + 160 + 160} = 432 bits, {32 + 160 + 160 + 160} = 512 bits, and {32 + 160 + 160} = 412 bits, respectively. The aggregated communication overheads of SRUA-IoT is 1356 bits. S7 Table and S9 Fig demonstrate the comparison of SRUA-IoT and other related AKE schemes. SRUA-IoT has 75.92%, 21.53%, 11.72%, 29.28%, 46.36%, 11.72%, 20.05%, and 57.2% less communication cost as compared to Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], and Chen et al. [27], respectively.

5.4 Storage cost

This subsection provides the storage cost comparison of SRUA-IoT with other AKE schemes. In SRUA-IoT, RU_y, GW, and SN_x store {CT_lo, Auth_y, Rp, Gen(.), Rep(.), Et}, {PID^x+1, PID^x, $R{P}_{R{U}_y}$, $C{T}_{R{U}_y}$}, and {$PI{D}_{S{N}_x}$, $T{S}_{S{N}_x}$} of length {240 + 160 + 160 + 8} = 568 bits, {80 + 80 + 80 + 240} = 480 bits, and {80 + 80} = 160 bits, respectively. The total storage overhead can be calculated as {568 + 480 + 160} = 1208 bits. Besides, the storage costs of Park et al. [69], Shuai et al. [36], Das et al. [30], Shin et al. [31], Challa et al. [22], Srinivas et al. [33], Wazid et al. [35], and Chen et al. [27] are 1600 bits, 1776 bits, 3738 bits, 1160 bits, 4016 bits, 2888 bits, 4126 bits, and 1792 bits, respectively. SRUA-IoT has a slightly higher storage cost as compared to Shin et al. [31]. However, SRUA-IoT has less computational and communication cost during the AKE phase in contrast to Shin et al. [31]. S10 Fig illustrates the storage cost comparison of SRUA-IoT and the related AKE schemes.

6 Conclusion

Information security is critical in resource-constricted 6LoWPAN-based IoT networks. This paper has presented an AKE scheme called SRUA-IoT for resource-constricted 6LoWPAN devices to validate the legitimacy of remote users interacting in real-time with sensor nodes deployed in smart home networks. The scheme performs user authorization before procuring real-time data from sensors by employing a lightweight secure hash algorithm (SHA-160) and an advanced encryption standard (AES-192) to accomplish the AKE process. The proposed scheme is corroborated both formally and informally to explicate its resistance against various malicious security vulnerabilities. Moreover, numerical results in comparison with benchmarks reveal that SRUA-IoT requires low computational and communication resources in 6LoWPANs to accomplish the AKE phase. Our future work will explore authenticated encryption with associated data to devise a resource-efficient AKE scheme with reduced computational cost for resource-constricted IoT devices.

Supporting information

S1 Fig. The user AKE phase of SRUA-IoT.

(TIF)

S2 Fig. Password change phase.

(TIF)

S3 Fig. Revocation phase.

(TIF)

S4 Fig. Scyther results.

(TIF)

S5 Fig. Comparison of total computation cost required to complete the AKE process.

(TIF)

S6 Fig. Computational overhead at SN_x side.

(TIF)

S7 Fig. Computational delay at GW with increasing number of users.

(TIF)

S8 Fig. Computational overhead with attack success probability.

(TIF)

S9 Fig. Communication overhead in the network with increasing number of users.

(TIF)

S10 Fig. Comparison of storage costs.

(TIF)

S1 Table. Comparative analysis of eminent AKE schemes [21–41].

(PDF)

S2 Table. List of key notations.

(PDF)

S3 Table. Description of different ROM queries.

(PDF)

S4 Table. Comparison of security features [22, 30, 31, 33, 35, 36, 69].

(PDF)

S5 Table. Experimental computational cost of various cryptographic operations.

(PDF)

S6 Table. Comparison of computational costs [22, 27, 30, 31, 33, 35, 36, 69].

(PDF)

S7 Table. Comparison of communication costs [22, 27, 30, 31, 33, 35, 36, 69].

(PDF)

S1 Appendix

(ZIP)

Data Availability

Minimal data set underlying the results described in this paper can be found https://github.com/TanveerPhD/Minimal-data/blob/main/Data.ods.

Funding Statement

The author(s) received no specific funding for this work.