Analysis and Improvement on a Three-Factor Authentication Scheme in IoT Environment

Abstract: With the development of IoT technology, more and more devices are connected to the Internet, which brings great convenience but also security risks. As a result, IoT authentication schemes have become a research hotspot. In 2020, Lee et al. proposed a three-factor anonymous authentication scheme for the IoT environment and claimed that it resists many known attacks. However, we find that their scheme not only has several design drawbacks but also cannot resist the man-in-the-middle attack and the impersonation attack. To overcome these drawbacks, we propose an improved scheme. Security analysis and a computational cost comparison show that the improved scheme resists the existing known attacks while keeping the computational cost low, so it is suitable for resource-constrained IoT environments.


Introduction
With the rapid development of sensing and communication technologies, the Internet of Things (IoT) connects real-world objects to the Internet. IoT is a collection of physical devices, such as embedded sensors and actuators with computing power, that can communicate with other devices and systems [1]. IoT enables seamless communication and automatic management between heterogeneous devices, and can bring significant benefits to social production and human life through a fully intelligent and automated remote management system [2].
However, from a security perspective, the vast majority of IoT devices are exposed to an almost uncontrolled environment. At the same time, the proliferation of smart devices exposes their Internet connections to risks such as unauthorized node tampering or impersonation attacks [3]. To secure the IoT, researchers have been exploring authentication schemes and carrying out related research. Authentication is not only a key requirement for the development of the IoT but also the "first line of defense" of its security protection. Inadequate authentication, or security vulnerabilities in the authentication scheme, will put the entire IoT system at risk.
In recent years, scholars have done a lot of research on authentication schemes for the IoT, but many existing schemes have security weaknesses [4]. In 2014, Chen et al. [4] proposed a smart-card-based password authentication and key agreement scheme to solve the problem of remote user access. They claimed that their scheme resists the offline password guessing attack even if an attacker extracts the information stored in the smart card. In 2015, Jiang et al. [5] pointed out that the scheme of Chen et al. [4] is insecure and proposed an improved authentication scheme. In 2016, Das [6] found that Jiang et al.'s scheme [5] was not only vulnerable to the insider privilege attack but also failed to provide correct authentication in the login and authentication phase. Therefore, Das [6] presented a three-factor authentication scheme combining a password, biometrics and a smart card, which greatly enhanced the security of the scheme.
In 2017, Dhillion et al. [7] proposed a lightweight multi-factor remote user authentication scheme for the IoT environment and claimed that their scheme resists a variety of known attacks, such as the man-in-the-middle attack and the replay attack. In 2018, Kumari et al. [8] presented an ECC-based authentication scheme for IoT devices and cloud servers. They claimed that their scheme resists known attacks such as the impersonation attack and the offline password guessing attack, and meets various security objectives. In 2019, Gope et al. [9] proposed a lightweight and privacy-preserving two-factor authentication scheme. The scheme allows IoT devices to communicate anonymously with the server and improves security by exploiting the inherent security properties of physical unclonable functions (PUFs). Moreover, they claimed that their scheme is efficient and suitable for resource-constrained IoT devices. In 2020, Lee et al. [10] pointed out that Dhillion et al.'s scheme [7] fails to resist the stolen mobile device attack and the user impersonation attack, and has no provision for revocation. They therefore proposed an improved three-factor user authentication scheme to address these issues. However, we find that Lee et al.'s scheme [10] also has security vulnerabilities. On the one hand, it has drawbacks in the user registration phase, the IoT node registration phase, and the login and authentication phase. On the other hand, it cannot resist the man-in-the-middle (MITM) attack and the user impersonation attack.
Section II briefly reviews Lee et al.'s authentication scheme. The analysis of the shortcomings of the Lee et al.'s scheme is in Section III. In Section IV, we propose an improved scheme. The security of the improved scheme is analyzed in Section V. Section VI compares the improved scheme with similar schemes. Section VII concludes the paper.

Review of Lee et al.'s Scheme
This section briefly reviews Lee et al.'s scheme [10], which consists of five phases: (1) registration of user; (2) registration of IoT node; (3) login and authentication phase; (4) password change phase; (5) revocation phase. Since the shortcomings of Lee et al.'s scheme [10] lie mainly in the first three phases, for the sake of brevity this section reviews only the registration of user, the registration of IoT node, and the login and authentication phase. Table 1 lists the notations used in Lee et al.'s scheme [10] and their descriptions.

Registration of IoT Node
The registration process of IoT node is as follows.

Login and Authentication Phase
In this stage, MNi and Nj agree on a session key with the help of GW. The specific steps are as follows.

Analysis of Lee et al.'s Scheme
This section provides a security analysis of Lee et al.'s [10] scheme and identifies the following drawbacks of their scheme.

Drawbacks
Lee et al.'s scheme [10] has some drawbacks in the registration of user, registration of IoT node and login and authentication phase.

Drawbacks of the User Registration Phase
1) In the user registration phase of Lee et al.'s scheme [10], GW selects a secret value K_GU for MNi. However, GW does not store K_GU in its own database, so GW cannot retrieve K_GU during the login and authentication phase and therefore cannot authenticate MNi by equation (1).
2) During the login and authentication phase, the identity information transmitted by MNi over the public channel is a pseudo-identity, and GW authenticates MNi by equation (1) without using the stored values {RIDi, MIDi}. Therefore, the second drawback is that the user information stored by GW in the registration phase is never actually used.
On the one hand, storing {RIDi, MIDi} takes up GW's storage space. If too much user information is stored, or stored for too long, it puts pressure on the storage resources of GW. On the other hand, there is a risk of information leakage: an attacker who compromises GW can obtain this user information, which leads to further security problems.

Drawbacks of the IoT Node Registration Phase
In the registration phase of the IoT node, GW calculates a secret value xj for Nj. During the login and authentication phase, GW checks whether Nj is a registered IoT node according to equation (2), where xj is the key value used to authenticate Nj. However, since K_GN is a key shared between GW and Nj, and Nj knows its own identity IDj, Nj can compute xj directly by itself. This means that Nj can "register" itself for the subsequent login and authentication phase without ever registering with GW, so the registration phase does not actually bind Nj to GW.

Drawbacks of the Login and Authentication Phase
There are numerous nodes in IoT and each IoT node has a unique identity to identify itself and authenticate with other entities. During the login and authentication phase of Lee et al.'s scheme [10], as shown in equation (3), each value contained in the message 1

Man-in-the-Middle (MITM) Attack
and finds that the equation holds, then GW has authenticated the user impersonated by Nj. Both GW and Nk then proceed normally with the rest of the login and authentication phase. 5) Eventually, Nk and the attacker Nj agree on a session key, i.e., the attacker Nj has successfully impersonated the user.

Proposed Scheme
In order to overcome the shortcomings of Lee et al.'s scheme [10], an improved scheme is proposed in this section. Firstly, in the user registration phase, the improved scheme protects the key values stored in the mobile device against the stolen mobile device attack. Secondly, in the IoT node registration phase, the improved scheme transmits the registration information over a secure channel and simplifies the registration process. Thirdly, in the login and authentication phase, every message transmitted over the public channel carries a timestamp to resist replay attacks. In addition, the updated user pseudo-identity PIDi new is never transmitted to the user over the public channel, which ensures the untraceability of the scheme.
For the sake of brevity, this section describes only the registration for user, the registration for IoT node, and the login and key agreement phase. The specific steps are as follows.

Registration for User
When a new user wants to access an IoT service and contact one of the IoT nodes, he/she must first register with GW. GW stores the user's registration information in order to verify his/her identity during the login phase. As shown in Figure 1, this phase is divided into three steps.
1) MNi enters his/her identity IDi, password PWi and biometric BIOi. The mobile device selects a random number

Registration for IoT Node
As shown in Figure 2, the registration for IoT node is divided into three steps as follows.

Login and Key Agreement Phase
As shown in Figure 3, MNi and Nj authenticate with each other with the help of GW and establish a session key. The detailed steps are as follows.
GW verifies whether the equation

Security Analysis
This section provides a security analysis of the improved scheme. As described below, the improved scheme satisfies user anonymity and untraceability, and is also resistant to known attacks.

User Anonymity
In the improved scheme, user MNi's real identity IDi is neither stored in the mobile device nor transmitted over the public channel; instead, a pseudo-identity PIDi is transmitted. PIDi is generated by GW for each user during the user registration phase. Even if an attacker intercepts PIDi, he/she cannot recover the user's real identity from it. In summary, the improved scheme satisfies user anonymity.

User Untraceability
An attacker can intercept the message M1. However, as shown in equation (14), the values contained in M1 are each blinded with the random numbers nm and ri, and these random numbers vary from session to session. That is, no value in M1 stays constant for a given user across sessions, so the attacker cannot link two login sessions to the same user.
Meanwhile, as shown in equation (15), GW updates and stores PIDi after each session. Moreover, the updated pseudo-identity PIDi new is not transmitted over the public channel: MNi computes PIDi new by itself for use in the next session. Consequently, the attacker cannot learn the relationship between PIDi and PIDi new by intercepting messages. Therefore, the improved scheme provides untraceability.

Resistance to Man-in-the-middle (MITM) Attack
If an attacker attempts to manipulate a message transmitted over the public channel, the modification is detected by the mutual authentication performed by each of the entities involved. GW authenticates Nj and MNi through V1 and V2 in equation (16), respectively. Nj authenticates GW by verifying V3 in equation (16), and MNi confirms that it has reached the same session key as Nj by validating V4 in equation (16). Since every message is checked by its receiver in this way, the attacker's manipulation will not succeed, and the improved scheme resists the MITM attack.

Resistance to Impersonation Attack
In the improved scheme, MNi transmits its identity information over the public channel as a pseudo-identity PIDi, which is updated at the end of each session. Therefore, an attacker cannot use an outdated pseudo-identity to impersonate a legitimate user. Even if the attacker happens to guess the current pseudo-identity of MNi, he/she still cannot send a valid message to GW to prove that identity, because the attacker does not possess the required secret value. Therefore, the improved scheme resists the user impersonation attack.

Resistance to Replay Attack
During the login and authentication phase of the improved scheme, each entity obtains the current timestamp Tx and binds it into every value it transmits over the public channel, which ensures the freshness of the message. When an entity receives a message, it first verifies the validity of Tx and only then proceeds with the subsequent operations. Therefore, an attacker who intercepts messages on the public channel cannot replay them later to obtain a valid session key or to have a replayed message accepted. In summary, the improved scheme resists the replay attack.
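The three properties argued above (a pseudo-identity that rotates without ever being sent, receiver-side MAC checks that catch a manipulated message, and a timestamp bound inside the authenticated message) can be exercised on a small model of the MNi-to-GW leg. The block below is an added example written for this page, not the paper's scheme or Lee et al.'s code: equations (14)-(16) are not reproduced, and the message layout M1 = (PIDi, nm, T1, V1), the shared key K_MG, the window DELTA_T and the update rule PIDi_new = H(K_MG || PIDi || nm || ng) are all assumptions made for the illustration.

```python
"""Model of a login message M1 from MNi to GW with timestamp freshness,
MAC verification and local pseudo-identity rotation.

Added example, not the scheme from the paper.  Assumptions:
  - MNi and GW share a long-term key K_MG established at registration;
  - M1 = (PIDi, nm, T1, V1) with V1 = MAC(K_MG, PIDi || nm || T1);
  - GW answers with a fresh nonce ng (in the clear) and both sides then
    compute PIDi_new = H(K_MG || PIDi || nm || ng) without sending it.
"""
import hashlib
import hmac
import os

DELTA_T = 5  # accepted clock skew in seconds (assumed policy, not from the paper)


def _enc(*parts):
    # Length-prefix every field so concatenation is unambiguous (a||bc != ab||c).
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def mac(key, *parts):
    return hmac.new(key, _enc(*parts), hashlib.sha256).digest()


def h(*parts):
    return hashlib.sha256(_enc(*parts)).digest()


def build_m1(k_mg, pid, now, nm=None):
    """MNi side: M1 = (PIDi, nm, T1, V1).  T1 is inside the MAC, so an
    attacker who refreshes T1 on a captured copy invalidates V1."""
    nm = nm if nm is not None else os.urandom(16)
    t1 = now.to_bytes(8, "big")
    return {"pid": pid, "nm": nm, "t1": t1, "v1": mac(k_mg, pid, nm, t1)}


def next_pid(k_mg, pid, nm, ng):
    """PIDi_new, computed independently by MNi and GW; an observer who sees
    PIDi, nm and ng cannot compute it without K_MG."""
    return h(k_mg, pid, nm, ng)


class Gateway:
    def __init__(self):
        self.users = {}  # current PIDi -> K_MG

    def register(self, pid, k_mg):
        self.users[pid] = k_mg

    def verify_m1(self, m1, now, ng=None):
        """Return (accepted, reason, ng).  Order: freshness, lookup, MAC."""
        t1 = int.from_bytes(m1["t1"], "big")
        if abs(now - t1) > DELTA_T:
            return False, "stale timestamp", None
        k_mg = self.users.get(m1["pid"])
        if k_mg is None:
            return False, "unknown pseudo-identity", None
        expected = mac(k_mg, m1["pid"], m1["nm"], m1["t1"])
        if not hmac.compare_digest(expected, m1["v1"]):
            return False, "bad MAC", None
        ng = ng if ng is not None else os.urandom(16)
        # Rotate locally: store PIDi_new, drop the old one, never transmit it.
        self.users[next_pid(k_mg, m1["pid"], m1["nm"], ng)] = k_mg
        del self.users[m1["pid"]]
        return True, "ok", ng


def run_scenarios(now=1_700_000_000):
    """Constructed walk-through; returns GW's decision for each case."""
    k_mg = os.urandom(32)  # long-term key from user registration (assumed)
    pid = os.urandom(16)   # initial pseudo-identity issued by GW (assumed)
    gw = Gateway()
    gw.register(pid, k_mg)
    m1 = build_m1(k_mg, pid, now)
    out = {}
    # 1. captured M1 delivered after the window: timestamp check fails
    out["late"] = gw.verify_m1(m1, now + DELTA_T + 1)[1]
    # 2. attacker refreshes T1 on the captured copy: MAC no longer verifies
    forged = dict(m1, t1=(now + DELTA_T + 1).to_bytes(8, "big"))
    out["refreshed_t1"] = gw.verify_m1(forged, now + DELTA_T + 1)[1]
    # 3. genuine delivery inside the window: accepted, GW rotates PIDi
    _, reason, ng = gw.verify_m1(m1, now + 1)
    out["fresh"] = reason
    # MNi recomputes PIDi_new from ng; GW must hold the same entry
    out["in_sync"] = gw.users.get(next_pid(k_mg, pid, m1["nm"], ng)) == k_mg
    # 4. replay of the accepted M1: the old PIDi is gone, so it is rejected
    out["replay"] = gw.verify_m1(m1, now + 2)[1]
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Two points a deployment has to settle that the model leaves visible: the timestamp check only works if MNi and GW clocks agree to within DELTA_T, and if GW's reply carrying ng is lost, GW has already rotated to PIDi_new while MNi still holds PIDi, so the next login fails; a common remedy (my note, not from the paper) is for GW to keep the previous pseudo-identity alongside the current one until the user has logged in once under the new one.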

Performance Analysis
This section compares the improved scheme with Lee et al.'s scheme [10] and other schemes of the same type in terms of computational cost and security.

Implementation Setup
This section uses the experimental timings reported by Xie et al. [11]. For convenience, only four main cryptographic operations are considered: (1) one-way hash function; (2) elliptic curve point operation; (3) symmetric encryption/decryption; (4) fuzzy extraction function. Their estimated execution times are shown in Table 2.

Computation Comparisons
The comparison of the improved scheme with schemes of the same type in terms of computational cost is shown in Table 3. Although the running time of the improved scheme is slightly longer than that of Lee et al.'s scheme [10], the improved scheme fixes the defects of Lee et al.'s scheme [10] and significantly improves security. Fig. 4 shows more intuitively that the difference in computational cost between the improved scheme and Lee et al.'s scheme [10] is small. Meanwhile, the computational cost of the improved scheme is significantly lower than that of the schemes of Rafique et al. [12], Sahoo et al. [13], Chaudhry et al. [14], and Srinivas et al. [15].

Comparison of Safety Features and Functions
In this section, the improved scheme is compared with Lee et al.'s scheme [10] and similar schemes from recent years in terms of security. As shown in Table 4, the existing schemes fail to resist some attacks and their security needs to be enhanced. Compared with these schemes, the improved scheme has clear security advantages and is suitable for resource-constrained IoT devices. Legend for Table 4: R1: user anonymity; R2: user untraceability; R3: mutual authentication; R4: resistance to replay attack; R5: resistance to MITM attack; R6: resistance to DoS attack; R7: forward security; R8: resistance to impersonation attack; R9: resistance to stolen smart card attack; R10: resistance to known session key attack; R11: resistance to offline password guessing attack; √: the scheme provides the corresponding attribute; ×: the scheme does not provide the corresponding attribute.

Conclusion
This paper first reviews the three-factor anonymous authentication scheme for the IoT environment proposed by Lee et al. and points out that their scheme not only has shortcomings in the user registration phase, the IoT node registration phase, and the login and authentication phase, but also fails to resist the man-in-the-middle attack and the impersonation attack. To overcome these shortcomings, this paper proposes an improved scheme that addresses the security vulnerabilities of Lee et al.'s scheme. The security analysis shows that the improved scheme resists the known attacks considered and meets the stated security requirements. In addition, this paper compares the security and computational cost of the proposed scheme with similar schemes from recent years. The results show that the improved scheme achieves the expected efficiency and is suitable for the IoT environment.