Secure and lightweight authentication schemes for Internet of Things (IoT)




Alshahrani, Mohammed M.

Journal Title

Journal ISSN

Volume Title



IoT platforms face huge challenges in deploying robust authentication mechanisms due to the fact that edge devices and resource-constrained devices may not have enough compute and storage capabilities to deploy and run existing mechanisms, which involve in general complex computations. Moreover, establishing end-to-end device authentication in the Internet of Things (IoT) networks is challenging because of the heterogeneous nature of IoT devices. One of the well-known challenges confronting the IoT infrastructure is related to authentication. Many IoT devices rely on weak authentication schemes, which has led in the last few years to several successful and widely publicized hacking incidents. According to the ISO/IEC 27002 standard, authentication is the process of determining whether something is, in fact, what it is declared to be. Authentication is considered the main gate to protect IoT networks from various security threats; determining who the entity is (authentication) is of high importance to establish a secure session between IoT devices. This dissertation identifies gaps in the literature and presents new authentication schemes and security mechanisms to improve IoT security and privacy against common attacks such as replay and impersonation. This research enhances IoT security and privacy by introducing a new lightweight mutual authentication and key exchange protocol for IoT based on dynamic identity and cumulative chained-hash. Nodes can anonymously and mutually authenticate and establish a session with the controller node using dynamic identities and temporary symmetric keys in an unlinkable and untraceable manner. Moreover, the enforcement of security policies between nodes is guaranteed by setting up virtual domain segregation and restricting node capabilities of sending and receiving data to or from other nodes. The Cumulative chained-hash technique is introduced as a way to ensure the identity of the sender (through challenge-response). Additionally, we introduce a new anonymous device- to-device mutual authentication and key exchange protocol based on the ZigBee technique. The proposed protocol relies on symmetric encryption and counter and enables IoT devices to authenticate in the network and agree on a shared secret session key when communicating with each other via a trusted intermediary (home controller). To achieve forward secrecy, the session keys are changed frequently after every communication session. The proposed scheme achieves secure, anonymous authentication with the unlinkability and untraceability of IoT device transactions. The security of the protocols is evaluated and simulated using three different methods: informal analysis, formal analysis using the Burrows–Abadi–Needham logic (BAN), and model-checking using the automated validation of Internet security protocols and applica- tions (AVISPA) toolkit. The overhead and efficiency of the proposed schemes are analyzed and compared with other related schemes. The results showed that our protocols are in general more efficient.



Internet of Things (IoT), Smart home, Authentication, Access Control