Smart city energy efficient data privacy preservation protocol based on biometrics and fuzzy commitment scheme

A smart city refers to a geographical area where technologies such as energy production, logistics and information communication technology are amalgamated to enhance environmental quality, intelligent development, citizen well-being, participation and inclusion. As explained in^1,2, smart cities utilize data-driven technologies to boost sustainability, efficiency, quality of life of the citizens and streamline city services. In addition, the usage of smart city data and technologies facilitate efficient and optimized management of resources, urban services and assets, as well as aiding in making informed decisions^3,4. The advancements in big data, cloud computing, Flying Ad-Hoc Networks (FANET), Wireless Sensor Networks (WSNs), Artificial Intelligence (AI), 5th generation mobile network (5G) and Internet of Things (IoT) have led to considerable traction towards smart cities^5,6,7,8. These technologies enable smart cities to collect, analyze and share data from a myriad of sources such as social media, sensors, vehicles, electronic devices, machines and mobile devices. The capabilities of interconnecting a large pool of heterogeneous smart devices enable seamless connections to the smart city environment devoid of communication loss⁹. This helps improve smart city operations and services in terms of enhanced traffic flow, reduced crime rates, energy efficiency and improved citizen engagement.

According to¹⁰, the deployment of heterogeneous communication modes to interconnect smart devices enables the smart cities to have direct exploitation of resources, facilitating easy access to information. In addition, it offers pervasive computing, comprehensive perception, ubiquitous and reliable services. These services may include smart parking, environmental monitoring¹¹, smart traffic lights, rescue operations¹², smart transportation, remote health monitoring, surveillance, disaster management, search, and traffic monitoring, which can be accomplished by WSNs or Internet of Drones (IoD). As such, smart cities are characterized by high responsiveness, high connectivity, enhanced sustainability, improved quality of life, elevated intelligence, enhanced resource utilization and affordable cost of living¹³. The low cost, flexibility, ease of deployment wide and range of applications of the WSNs and IoD have all led to rise in smart city adoption¹⁴.

Although smart cities provide numerous services and merits, they are exposed to numerous security, performance and privacy challenges. For instance, a typical smart city is composed of numerous sensors and IoT devices that generate massive volumes of data. Some of these data items contain user-specific information such as habits, ___location and behavior. Since the collected data are exchanged over the public channels, they are susceptible to attacks^15,16,17. In addition, some sensors and drones are placed in unattended environment but accessible locations and hence can be physically captured by the attackers¹⁸. Thereafter, the data stored in their memories can be extracted. Using the obtained credential, attackers can impersonate as legitimate entities. In addition, the authenticity of users, Cyber-Physical System (CPS), and Customer Premises Equipment (CPE) such as sensors and actuators is a major concern in smart cities. The high number of interconnected heterogeneous devices increases the surface from which adversaries can launch attacks, which can compromise economic development, safety and well-being of the users¹⁹. It is also possible for the collected data to be misused by the end users, posing serious threat to the smart cities²⁰. Moreover, some of the devices in smart cities have vulnerabilities which can be exploited by the adversaries to steal data, gain unauthorized access and manipulate the systems.

Based on the above discussion, it is evident that security and privacy are key challenges that need to be solved in smart cities. There is therefore need for the development of robust security schemes that can protect privacy, authenticity and data integrity^{17,21,22,23,24}. As explained in²⁵, reliable data measurement is critical for most IoT applications. As such, there is need of ensuring that data is generated and transferred by only authorized users and devices. To this end, various authentication protocols have been developed for the smart cities. However, majority of them fail to offer user anonymity and are vulnerable to attacks such as Denial of Service (DoS)¹³. In addition, majority of these schemes deploy public key cryptography²⁶ which is inefficient for the power and energy-limited smart city sensors. As such, the design of secure and truly lightweight security solutions for smart cities is still a challenging activity.

• We leverage on biometrics, error correction codes and fuzzy commitment schemes to develop a secure and energy efficient authentication scheme for the smart cities.

• Unlike majority of the current schemes that deploy timestamps to prevent replay attacks, our protocol incorporates random nonces in all exchanged messages. This is demonstrated to address security issues such as de-synchronization attacks inherent in timestamp-based schemes.

• We execute extensive formal security analysis using the BAN logic to show that our scheme performs strong mutual authentication and key negotiation in an appropriate manner.

• Informal security analysis is carried out to demonstrate that the proposed protocol supports numerous functional and security features such as strong mutual authentication, anonymity and perfect key secrecy. In addition, this analysis shows that our scheme can withstand a myriad of smart city security threats such as session hijacking, privileged insider and side-channeling attacks.

• Elaborate comparative evaluations are carried out to show that the proposed protocol incurs the lowest computation overheads and hence is energy efficient.

The rest of this paper is structured as follows: “Related work” section discusses related works while “The proposed protocol” section presents the proposed protocol. On the other hand, “Security analysis” section discusses the security analysis of our scheme while “Performance evaluation” section describes its performance evaluation. Towards the end of this paper, “Conclusion and future work” section presents the conclusion and future research work.

Mathematical preliminaries

In this section, we provide some mathematical formulations for the key cryptographic building blocks of the proposed scheme. This include fuzzy commitment, one way hashing and error correcting codes.

One way hashing

Suppose that N is a set of all positive integers, P_k is a family of uniform probability distributions and ℒ is a polynomial such that ℒ (k) > k. Then, H represents a family of functions which are defined by H = P_k H_k, where H_k is a multi-set of functions from \({\sum }^{\mathcal{L}(k)}\) to \({\sum }^{k}\). Here, P_k (x) = \(1/{2}^{\mathcal{L}(k)}\) for all \({x\in \sum }^{\mathcal{L}(k)}\). H is referred to as a hash function, which compresses ℒ (k)-bit input into some k-bit output strings.

Definition 1

Let us consider two strings \({a,b\in \sum }^{\mathcal{L}(k)}\), where \(a\ne b\). We say that string a collides with string b under \(h\in {H}_{k}\), or (a, b) is a collision pair for h, provided that h (a) = h (b).

Definition 2

H is regarded as polynomial time computable on condition that there exists a polynomial (in k) time algorithm that derives all \(h\in H.\)

Definition 3

H is regarded as accessible provided that there exists a probabilistic time algorithm which takes input \(k\in {\varvec{N}}\) and outputs homogeneously at random a depiction of \(h\in {H}_{k}\).

Error correcting codes

In noisy transmission channels, error correcting code (ecc) is crucial for accurate reception of the transmitted data. Particularly, error correcting codes are critical in fuzzy commitment systems where they ensure that data is exchanged accurately over noisy transmission channels. Suppose that Ψ is a set of messages, where Ψ = {0,1}^φ. Then, an error correcting code is made up of a set of codephrases \(CP\subseteq \{\text{0,1}{\}}^{\rho }\). A typical ecc comprises of a translation function ω and decoding function f, where ω: Ψ → CP and f: {0,1}^ρ → CP \(\cup\) {γ}. Denoting the Hamming distance as ℌ, then the decoding function maps a ρ—bit string S to the closest codephrase in CP in terms of ℌ, otherwise it outputs γ. Prior to transmission, any message ψ \(\in \Psi\) is mapped to an element in CP. For improved redundancy, \(\rho >\varphi\). Suppose that θ is the correction threshold, and τ \(\in\){0,1}^ρ is the error term. Then, for codephrase cp \(\in\) CP and Hamming weight ||τ||≤ θ, we have f (cp ⊕ τ) = cp.

Fuzzy commitment

Due to the noisy nature of biometric data, the input biometrics is not exactly similar to the biometric templates. Therefore, the biometric template can be deployed in fuzzy commitment schemes. Suppose that h: {0,1}^ρ → {0,1}^χ is a collision-resistant one-way hashing function. We also let w be the witness, λ = h(cp) and ε = w ⊕ cp. Then, the fuzzy commitment scheme F: ({0,1}^ρ, {0,1}^ρ) → ({0,1}^χ, {0,1}^ρ) commits codephrase cp \(\in\) CP using a ρ – bit witness w as F (cp, w) = (λ, ε). Provided that witness w^* is fairly close to w but not necessarily equivalent to w, then commitment F (cp, w) = (λ, ε) can be opened using w^*. Suppose that this commitment is sent from T towards R. Therefore, the opening of this commitment at R using w^* involves the derivation of cp^* = f (w^* ⊕ ε). Since ε = w ⊕ cp, then cp^* can also be expressed as cp^* = f (cp ⊕ (w^* ⊕ w)). Thereafter, R confirms whether λ ≟ h (cp^*). Provided that this condition holds, then the fuzzy commitment is effectively opened. Otherwise, witness w^* is flagged as invalid. We apply this fuzzy commitment concept in our biometric authentication procedures by treating the biometric template as witness w. As such, the user inputs biometric data (seen as witness w^*) which is deployed to open codephrase cp, provided that w^* is closer to w.

Attack model

In the proposed scheme, the adversary is assumed to have all the capabilities in the Canetti and Krawczyk (CK) threat model. Therefore, the communication process within the smart city is executed over the public internet and hence the attacker can have full control of this channel. In addition, the attacker can eavesdrop, alter, delete and insert bogus messages in the communication channel during message exchanges over the public smart city wireless channels. Moreover, all the sensitive data stored in the sensor nodes can be extracted upon physical capture of these nodes. It is also possible for all secret information, ephemeral secrets and session states to be compromised via session-hijacking attacks.

Many security techniques have been developed over the recent past to offer security protection in IoT and other devices interconnected in smart cities^{27,28,29,30,31}. However, these schemes have extensive communication and computation overheads³². Although the protocol in³³ is lightweight and hence can address this issue, it cannot withstand outsider attackers³⁴. Blockchain technology³⁵ can provide authentication and decentralized management of identity as well as authorization policies. Therefore, many blockchain-based security schemes have been presented in^{36,37,38,39,40,41,42,43}. However, these schemes incur high storage and computation overheads which are not suitable for the sensors⁴⁴. Therefore, a lightweight authentication scheme is developed in³. However, the communication costs analysis of this scheme is missing. In addition, it has not been evaluated against attacks such as side-channeling and de-synchronization.

Based on the Physically Unclonable Function (PUF), mutual authentication schemes are presented in^4,45,46. Although these protocols can withstand physical capture and side-channeling attacks, PUF-based schemes have stability challenges⁴⁷. On the other hand, biometric-based schemes have been introduced in^48,49,50,51. However, the three-factor authentication protocol in⁴⁸ cannot preserve perfect backward secrecy⁵². Therefore, an improved scheme is presented in⁵². Unfortunately, this protocol is susceptible to offline password guessing, forgery, session key disclosure and replay attacks⁴⁹. In addition, it cannot uphold perfect forward secrecy and data confidentiality. On the other hand, the protocol in⁵⁰ is vulnerable to impersonation and stolen verifier attacks⁵¹. In addition, it fails to preserve user untraceability. To prevent single-point of failure attacks, a scheme that is devoid of trusted issuer is developed in⁵³. However, comparative security and performance analyses of this scheme have not been carried out. Similarly, feasibility, scalability and comparative analyses against the state of the art techniques are missing in⁵⁴.

To mitigate service-oriented attacks in smart cities, a context-based trust model is presented in⁵⁵. However, processing huge volumes of contextual data results in high computation overhead⁵⁶. Similarly, the quantum-inspired technique presented in⁵⁷ incurs extensive computation overheads due to the required quantum computing⁵⁸. Although an energy-efficient framework for IoT developed in⁵⁹ can address this issue, its comparative performance and security analyses have not be carried out. The verification scheme in⁶⁰ is efficient and hence can address the performance issues in^55,57. However, it fails to provide robust identity check and user anonymity⁶¹. Similarly, the Elliptic Curve Cryptography (ECC) based protocol in⁶¹ cannot offer anonymity and untraceability. Therefore, an ECC based anonymous authentication protocol is introduced in¹³, while an identity based technique is presented in⁶² to offer strong unforgeability and anonymity. Although the scheme in¹³ is shown to resist DoS attacks, its numerous point multiplications can lead to high computation costs. Similarly, the fuzzy extractor based protocol in⁶³ incurs heavy computation overheads³². On the other hand, identity-based schemes have key escrow problems⁶⁴.

To protect smart cities against botnet attacks, an algorithm based on Long Short-Term Memory (LSTM) is developed in⁶⁵. However, its evaluation is carried out on a single dataset of botnet attacks and hence fails to reflect a variety of attack vectors in a typical smart city. In addition, its performance evaluation in terms of the required resources has not been presented. To ensure access control and high security level, Public Key Cryptography (PKC) based protocols have been developed in^66,67,68. However, these schemes are susceptible to physical capture attacks and hence their stored secret credentials can be retrieved⁴. Thereafter, the attackers are able to impersonate the entities whose credentials have been extracted. In addition, most of these PKC-based schemes incur extensive communication and computation overheads⁶⁹. Moreover, the homomorphic encryption based protocol in⁶⁶ is vulnerable to privileged insider and session key disclosure attacks⁴. On its part, the bilinear pairing based protocol in⁶⁷ fails to offer perfect forward secrecy and cannot withstand impersonation attacks⁶⁸. In addition, the deployed bilinear pairing operations incur extensive communication and computation overheads and hence cannot support real-time services provision in smart cities. Regarding the ECC-based developed in⁶⁸, it is susceptible to impersonation, replay and privileged insider attacks⁷⁰. In addition, it cannot offer strong mutual authentication among the communicating entities. Therefore, an improved security technique is presented in⁷⁰. However, this protocol is vulnerable to attacks such as server spoofing, session key disclosure and forgery⁴. Although the schemes in^71,72 can solve some of these challenges, they have not been evaluated against de-synchronization attacks. On their part, the three-factor security schemes in^{48,49,50,51,52} are susceptible to potential security attacks⁴. Although the protocol in⁷³ addresses some of the attacks such as ephemeral leakage, it cannot withstand identity guessing attacks^74,75,76.

Based on the discussion above, it is evident that many schemes have been developed for the smart city environment. However, the attainment of perfect smart city security at low computation and communication is still an open challenge. For instance, many security protocols have been shown to be vulnerable to numerous attacks while others cannot support anonymity, mutual authentication and untraceability. In addition, some of these schemes do not incorporate biometric and password change procedures. Moreover, some of these security techniques incur extensive computation and communication overheads while others deploy centralized architecture which can easily result in central failure, denial of services and privacy breaches³⁹. The proposed protocol is demonstrated to address some of these security, performance and privacy challenges. For instance, our scheme incurs the lowest computation overheads among its peers and hence addresses performance challenges in most of the above protocols. In addition, it provides support for anonymity, mutual authentication and untraceability which are features missing in most of the above schemes. Moreover, it mitigates attacks which are rarely considered in most of the existing protocols. Such attacks include de-synchronization, eavesdropping, session hijacking, forgery and side-channeling.

The elliptic curve cryptography offer offers strong security at relatively shorter key sizes compared to other public key cryptographies such as RSA. Therefore, we deploy elliptic curve cryptography in the proposed scheme. To address physical and side-channeling attacks, we leverage on biometric, error correction codes and fuzzy commitment schemes.

Motivation

Smart cities have streamlined services in urban centers, leading to the enhancement on the quality of life of the citizens. In a typical smart city, numerous smart devices are interconnected to facilitate activities such as surveillance, shipping, logistics, healthcare and warehousing. As such, high volumes of data are generated and exchanged among these smart devices. Since these message exchanges are carried out over the public internet, many security and privacy threats lurk in this environment. For instance, personal user information can be eavesdropped over the public channels while successful sensor and device capture can facilitate impersonation attacks. Therefore, past research works have presented numerous security techniques to alleviate these challenges. Unfortunately, majority of these schemes are based on computationally extensive cryptographic operations such as bilinear pairings. Consequently, these schemes are inefficient for the computation, bandwidth, storage and energy constrained sensor nodes. In addition, some of the presented security solutions still have security and privacy related issues^77,78 such as susceptibility to physical, impersonation, privileged insider and Man-in-the-Middle (MitM) attacks. Therefore, the design of provably secure and yet efficient⁷⁹ authentication protocols for smart cities is a nontrivial challenge.

Requirements

In smart city environment, security efficiency⁸⁰ is critical in ensuring that users can authenticate and access the required data in a timely manner. This is particularly important due to the bandwidth, energy, computation power and storage constraints of the interconnected sensor networks in light of this, the proposed protocol must fulfill the following security and performance requirements.

Mutual authentication All the entities involved in message exchanges within the smart city must verify each other at the onset of the communication process.

Key agreement Upon successful validation of each other, session keys should be setup among the communicating parties. This key is deployed to encipher all the exchanged data within the smart city.

Perfect key secrecy It should be computationally infeasible for the adversary to capture the current session keys and utilize them to derive keys for the previous and subsequent sessions.

Anonymity The adversaries with the capabilities of eavesdropping the communication channel should not be in a position to obtain the real identities of the communicating parties.

Untraceability An adversary should be unable to associate any communication sessions to a particular network entity.

Resilience against threats typical security threats such as de-synchronization, denial of service, physical, eavesdropping, session hijacking, privileged insider, KSSTI, replays, forgery, MitM, impersonation and side-channeling should be curbed in our scheme.

Resource efficiency Owing to the resource-constrained nature of the smart city sensors and devices, the proposed scheme should be computationally efficient.

In our scheme, each user deploys his/her mobile device (MD_i) to interact with the smart city sensor SN_j through some gateway node GW_k. In this environment, the GW_k bridges the connection between MD_i and SN_j as shown in Fig. 1.

Smart city network model.

Full size image

Table 1 presents all the notations deployed throughout this paper. The major phases executed in our scheme include the system setup, registration, login, authentication, key negotiation, and password change. The sub-sections below describe these phases in greater details.

System setup

This phase is carried out by the gateway node GW_k. The goal is to derive the long term keys that will be utilized in the latter phases of our scheme. The following 3 steps are executed during the system setup phase.

Step 1 The GW_k selects some elliptic curve E and additive group G over finite field F_p. Here, the generator is point P whose order is a large prime number q.

Step 2 GW_k generates nonce n \(\in {Z}_{q}^{*}\) and sets it as its secret key. Next, it derives its corresponding public key as P_k = nP.

Step 3 The GW_k selects M_k as its master key and privately keeps both n and M_k. Finally, it publishes parameter set {P, P_k, G, E (F_p)}.

Sensor node registration

Prior to actual deployment in their application domains, each sensor node SN_j must be registered at the gateway node GW_k. The aim is to assign these sensors some security values that are deployed during the login, authentication and key negotiation phase. The following 2 steps are executed in this phase.

Step 1 The GW_k chooses SNID_j as sensor node SN_j unique identity. This is followed by the derivation of private key K_GS = h (SNID_j||M_k). GW_k sends values SNID_j and K_GS to SN_j over secure channels as shown in Fig. 2.

System setup and registration.

Full size image

Step 2 Upon receiving parameters SNID_j and K_GS from the GW_k, the SN_j stores them in its memory. The sensor node is now ready to be deployed to the field.

User registration

All users within the smart city network must be registered at their respective gateway nodes. During this phase, the users are assigned security tokens that they will deploy to securely acquire data from the sensor devices deployed in a given ___domain. The following 4 steps are executed during this process.

Step 1 The user U_i through the MD_i generates unique identity UID_i and password PW_i. Next, nonce R_a is generated which is then used to derive value A₁ = h (PW_i||R_a).

Step 2 The U_i imprints biometric data β_i onto the MD_i. Finally, registration request Req = {UID_i, A₁, β_i} is constructed and forwarded to the GW_k over secure channels as shown in Fig. 2.

Step 3 Upon receiving registration request Req from U_i, the GW_k selects some random codephrase CP_i \(\in\) CP for this particular user U_i. Next, it derives tokens λ = h (CP_i), ε = CP_i ⊕ β_i, F (CP_i, β_i) = (λ, ε), A₂ = h (UID_i||A₁||CP_i) and A₃ = h (UID_i||M_k) ⊕ h (A₁||CP_i). Finally, it stores UID_i in its database before composing registration response Res = {f (.), λ, ε, A₂, A₃, P_k} that is sent to the U_i over secured channels.

Step 4 After getting registration response Res from the GW_k, the U_i through MD_i stores value set {f (.), λ, ε, A₂, A₃, P_k, R_a} in its memory.

Login, authentication and key negotiation

This phase is activated whenever the user U_i through the MD_i wants some access to the data help by the sensors. Here, the security tokens assigned during the registration phase are deployed to authenticate U_i to the gateway node GW_k. To accomplish this, the following 8 steps are executed.

Step 1 User U_i imprints his/her biometric data β_i^* onto the MD_i upon which value CP_i^* = f (ε⊕ β_i^*) is computed. Since ε = CP_i⊕β_i, CP_i^* can also be expressed as CP_i^* = f(CP_i⊕(β_i⊕β_i^*)). Thereafter, the MD_i checks whether h (CP_i^*) ≟ λ = h (CP_i). Basically, the user login session is terminated upon verification failure. Otherwise, U_i has passed the biometric validation and hence proceeds to input unique identity UID_i and password PW_i into the MD_i.

Step 2 The MD_i computes A₂^* = h (UID_i||h (PW_i||R_a)||CP_i^*) and confirms whether A₂^*≟ A₂. Since A₁ = h (PW_i||R_a), this verification should be successful otherwise the session is aborted. However, if this validation is successful, both user identity and password have been authenticated by the MD_i.

Step 3 The MD_i selects nonce R_m and R_n \(\in {Z}_{q}^{*}\) and computes values A₄ = A₃ ⊕ h (h PW_i||R_a)||CP_i^*), A₅ = R_n.P, B₁ = R_n.P_k = R_n.nP, B₂ = UID_i ⊕ B₁, B₃ = A₄ ⊕ R_m, B₄ = h (UID_i||R_m) ⊕ SNID_j and B₅ = h (A₄||SNID_j||B₁||R_m). At the end, the MD_i constructs login request message Log_Req = {A₅, B₂, B₃, B₄, B₅} that is transmitted to the GW_k over public channels as shown in Fig. 3.

Login, authentication and key negotiation.

Full size image

Step 4 Upon receiving login request message Log_Req, the GW_k derives values B₁^* = n.A₅ = n. R_n.P, UID_i^* = B₂⊕B₁^*. This is followed by the confirmation of whether UID_i^* is in its database. Provided that UID_i^* cannot be found in its database, the MD_i login request is rejected. Otherwise, the GW_k calculates A₄^* = A₃⊕h (h PW_i||R_a)||CP_i^*), R_m^* = B₃⊕A₄^*, SNID_j^* = B₄⊕h (UID_i^*||R_m^*) and B₅^* = h (A₄^*||SNID_j^*||B₁^*||R_m^*).

Step 5 The GW_k checks if B₅^*≟ B₅ such that the session is terminated if this condition does not hold. Otherwise, it generates nonce R_g and derives values K_GS^* = h (SNID_j^*||M_k), C₁ = UID_i^* ⊕ K_GS^*, C₂ = R_g ⊕ h (UID_i^*||K_GS^*), C₃ = R_g ⊕ R_m^* and C₄ = h (UID_i^*||SNID_j^*||K_GS^*||R_m^*||R_g). At last, it composes authentication message Auth₁ = {C₁, C₂, C₃, C₄} which is sent to the sensor node SN_j over public channels.

Step 6 On receiving authentication message Auth₁, the SN_j derives UID_i^* = C₁ ⊕ K_GS^*, R_g^* = C₂ ⊕ h (UID_i^*||K_GS^*), R_m^* = R_g^* ⊕ C₃ and C₄^* = h (UID_i^*||SNID_j^*||K_GS||R_m^*||R_g^*). Next, it checks if C₄^*≟ C₄ such that the session is aborted upon verification failure. Otherwise, the SN_j generates nonce R_s before calculating parameter C₅ = R_s ⊕ K_GS, session key SK_S = h (UID_i^*||SNID_j^*||R_m^*||R_g^*||R_s) and value D₁ = h (K_GS||SK_S||R_s). Finally, SN_j constructs authentication response message Auth₂ = {C₅, D₁} which is sent over to GW_k.

Step 7 After getting authentication response message Auth₂, the GW_k derives value R_s^* = C₅ ⊕ K_GS^*, session key SK_G = h (UID_i^*||SNID_j^*||R_m^*||R_g||R_s^*) and parameter D₁^* = h (K_GS^*||SK_G||R_s^*). This is followed by the confirmation of whether D₁^*≟ D₁ such that the session is terminated upon verification failure. Otherwise, the GW_k derives parameters D₂ = A₄^* ⊕ R_g, D₃ = R_m^* ⊕ R_s^* and D₄ = h (UID_i^*||SK_G||R_g||R_s^*). At last, it composes authentication message Auth₃ = {D₂, D₃, D₄} that is forwarded to the MD_i.

Step 8 On receiving authentication message Auth₃, the MD_i calculates R_g^* = A₄ ⊕ D₂, R_s^* = R_m ⊕ D₃, session key SK_D = h (UID_i||SNID_j||R_m||R_g^*||R_s^*) and value D₄^* = h (UID_i||SK_D||R_g^*||R_s^*). It then verifies whether D₄^*≟ D₄ such that the session is aborted upon validation failure. Otherwise, user U_i, GW_k and SN_j have successfully authenticated each other and negotiated session keys. As such, the session key is set as SK_D = SK_G = SK_S and is shared among these three entities. Afterwards, U_i can securely access sensed data held at SN_j vial GW_k.

Password change

In this phase, the user executes password change upon its compromise. To reduce on communication overheads, this change is carried out without contacting the gateway node GW_k. the following…steps are executed during this phase.

Step 1 The user U_i imprints biometric data β_i^*onto the MD_i. Thereafter, the MD_i derives CP_i^* = f (ε ⊕ β_i^*) = f(CP_i ⊕ (β_i ⊕ β_i^*)).Next, the MD_i validates whether h (CP_i^*) ≟ λ = h (CP_i) such that the password change session is terminated upon verification failure. Otherwise, the user U_i has passed biometric authentication.

Step 2 User U_i inputs UID_i and PW_i into the MD_i after which it calculates A₂^* = h (UID_i||h (PW_i||R_a)||CP_i^*). This is followed by the confirmation of whether A₂^*≟ A₂ such that the session is aborted upon verification failure. Otherwise, user U_i is prompted to input new password PW_i^New.

Step 3 The MD_i computes A₂^New = h (UID_i||h (PW_i^New||R_a)||CP_i^*) and A₃^New = A₃ ⊕ h (h (PW_i||R_a)||CP_i^*) ⊕ h (h (PW_i^New||R_a)||CP_i^*). Finally, the MD_i updates value set {A₂, A₃} with their refreshed counterparts {A₂^New, A₃^New} in its memory.

In this section, we formally and informally analyze the security features provided by the proposed scheme. Whereas the formal security analysis is executed using Burrows–Abadi–Needham logic (BAN) logic, informal security analysis is carried out by formulating and proofing some propositions.

Formal security analysis

The aim of this sub-section is to verify that our scheme performs strong mutual authentication and key negotiation in an appropriate manner. The notations used throughout this proof are described below.

# (A): A is fresh.

\({\langle \text{A}\rangle }_{\text{B}}\) : A is enciphered using B.

S|≡Y: S believes Y.

(A, B): A or B is part of message (A, B).

S ◁ Y: S sees Y.

S|~ A: S once said A.

(A, B)_µ: A or B is hashed using µ.

S \(\Rightarrow\) A: S has jurisdiction over A.

\(\text{S}\stackrel{ \mu }{\leftrightarrow }\text{T}\) : S and T communicate using shared key µ.

In addition to the above BAN logic rules, the following BAN logic rules are used in our proof.

Belief Rule (BR): \(\frac{S|\equiv \left(A\right),S|\equiv \left(B\right)}{S|\equiv (A, B)}\)

Message Meaning Rule (MMR):\(\frac{{S| \equiv {\text{S}}\mathop \leftrightarrow \limits^{\mu } {\text{T}},{\text{S}} \triangleleft \langle {\text{A}}\rangle _{{\mu }} }}{{S| \equiv T|\sim A}}\)

Session Keys Rule (SKR):\(\frac{S|\equiv \#\left(A\right),S|\equiv T|\equiv A}{S|\equiv \text{S}\stackrel{ \mu }{\leftrightarrow }\text{T}}\)

Jurisdiction Rule (JR): \(\frac{S|\equiv T\Rightarrow A,S|\equiv T|\equiv A}{S|\equiv A}\)

Fresh Promotion Rule (FPR): \(\frac{S|\equiv \#(A)}{S|\equiv \#(A,B)}\)

Nonce Verification Rule (NVR): \(\frac{S|\equiv \#\left(A\right),S|\equiv T|\sim A}{S|\equiv T|\equiv A}\)

To be secure under the BAN logic, the proposed scheme must satisfy the following security goals.

Goal 1: SN_j \(|\equiv\) SN_j \(\stackrel{ {SK}_{S}}{\leftrightarrow }\) MD_i

Goal 2: SN_j \(|\equiv\) MD_i \(|\equiv\) SN_j \(\stackrel{ {SK}_{S}}{\leftrightarrow }\) MD_i

Goal 3: MD_i \(|\equiv\) SN_j \(\stackrel{ {SK}_{D}}{\leftrightarrow }\) MD_i

Goal 4: MD_i \(|\equiv\) SN_j \(|\equiv\) SN_j \(\stackrel{ {SK}_{D}}{\leftrightarrow }\) MD_i

Goal 5: GW_k \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) MD_i

Goal 6: GW_k \(|\equiv\) MD_i \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) MD_i

Goal 7: GW_k \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) SN_j

Goal 8: GW_k \(|\equiv\) SN_j \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) SN_j

In our scheme, 4 messages are exchanged during the login, authentication and key agreement phase. These messages include Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄}. For ease of analysis, we transform these messages into idealized format as follows.

MD_i → GW_k: Log_Req = {A₅, B₂, B₃, B₄, B₅}

Idealized format: {R_n.P, \({\langle {UID}_{i}\rangle }_{{R}_{n}.{P}_{k}},{{\langle {R}_{m}\rangle }_{h({UID}_{i}||{M}_{k})},\langle {SNID}_{j}\rangle }_{h({UID}_{i}|\left|{R}_{\text{m}}\right)},({SNID}_{j}||{R}_{\text{m}}{)}_{{R}_{n}.{P}_{k}}{,}_{h({UID}_{i}||{M}_{k})}\)}

GW_k → SN_j: Auth₁ = {C₁, C₂, C₃, C₄}

Idealized format: {\({\langle {UID}_{i}^{*}\rangle }_{{KG}_{S}}, {\langle {R}_{g}\rangle }_{h({UID}_{i}^{*}|\left|{KG}_{S}\right)},{\langle {R}_{m}\rangle }_{{R}_{g}}, ({UID}_{i}||{SNID}_{j}{)}_{({R}_{m},{ R}_{g},{ KG}_{S})}\)}

SN_j → GW_k: Auth₂ = {C₅, D₁}

Idealized format: {\({\langle {R}_{s}\rangle }_{{KG}_{S}}\), (\({R}_{s}{)}_{({SK}_{S},{ KG}_{S})}\)

GW_k → MD_i: Auth₃ = {D₂, D₃, D₄}

Idealized format: {\({\langle {R}_{g}\rangle }_{h({UID}_{i}|\left|{KG}_{S}\right)}\),\({\langle {R}_{s}^{*}\rangle }_{{R}_{m}^{*}}\), (\({UID}_{i}^{*}{)}_{({R}_{g},{ R}_{s}^{*}, { SK}_{G})}\)}

The following initial state assumptions (SA) are also made.

SA₁: U_i \(|\equiv\)# R_m

SA₂: GW_k \(|\equiv\)# R_g

SA₃: SN_j \(|\equiv\)# R_s

SA₄: MD_i \(|\equiv\) MD_i \(\stackrel{ {nR}_{n}.P}{\leftrightarrow }\) GW_k

SA₅: MD_i \(|\equiv\) MD_i \(\stackrel{ {SK}_{S }}{\leftrightarrow }\) SN_j

SA₆: GW_k \(|\equiv\) GW_k \(\stackrel{ {R}_{n}.nP}{\leftrightarrow }\) MD_i

SA₇: GW_k \(|\equiv\) GW_k \(\stackrel{ {KG}_{S}}{\leftrightarrow }\) SN_j

SA₈: SN_j \(|\equiv\) SN_j \(\stackrel{ {SK}_{S }}{\leftrightarrow }\) MD_i

SA₉: SN_j \(|\equiv\) SN_j \(\stackrel{ {KG}_{S}}{\leftrightarrow }\) GW_k

SA₁₀: MD_i \(|\equiv\) SN_j \(\Rightarrow\) R_s, SK_S

SA₁₁: MD_i \(|\equiv\) GW_k \(\Rightarrow\) R_g, SK_G

SA₁₂: GW_k \(|\equiv\) MD_i \(\Rightarrow\) R_m, SK_D,nR_nP

SA₁₃: GW_k \(|\equiv\) SN_j \(\Rightarrow\) R_s ⊕ KG_S

SA₁₄: SN_j \(|\equiv\) GW_k \(\Rightarrow\) R_g ⊕ h(UID_i||KG_S)

SA₁₅: SN_j \(|\equiv\) MD_i \(\Rightarrow\) R_m, SK_D

Based on the above BAN logic rules, idealized format of the exchanged messages and the initial state assumptions, we proof that the proposed scheme attains all the above security goals through the following BAN logic proof (BLP).

Using the idealized form of Log_Req and BR, we obtain BLP₁,

BLP₁: GW_k ◁ {R_n.P, \({\langle {UID}_{i}\rangle }_{{R}_{n}.{P}_{k}},{{\langle {R}_{m}\rangle }_{h({UID}_{i}||{M}_{k})},\langle {SNID}_{j}\rangle }_{h({UID}_{i}|\left|{R}_{\text{m}}\right)},({SNID}_{j}||{R}_{\text{m}}{)}_{{R}_{n}.{P}_{k}}{,}_{h({UID}_{i}||{M}_{k})}\)}

Based on SA₆, BLP₁ and MMR, we obtain BLP₂ as follows,

BLP₂: GW_k \(|\equiv\) MD_i ~ {R_n.P, \({\langle {UID}_{i}\rangle }_{{R}_{n}.{P}_{k}},{{\langle {R}_{m}\rangle }_{h({UID}_{i}||{M}_{k})},\langle {SNID}_{j}\rangle }_{h({UID}_{i}|\left|{R}_{\text{m}}\right)},({SNID}_{j}||{R}_{\text{m}}{)}_{{R}_{n}.{P}_{k}}{,}_{h({UID}_{i}||{M}_{k})}\)}

Using FPR and NVR on both BLP₂ and SA₁ yields BLP₃ as shown below.

BLP₃: GW_k \(|\equiv\) MD_i \(|\equiv\) {R_n.P, \({\langle {UID}_{i}\rangle }_{{R}_{n}.{P}_{k}},{{\langle {R}_{m}\rangle }_{h({UID}_{i}||{M}_{k})},\langle {SNID}_{j}\rangle }_{h({UID}_{i}|\left|{R}_{\text{m}}\right)},({SNID}_{j}||{R}_{\text{m}}{)}_{{R}_{n}.{P}_{k}}{,}_{h({UID}_{i}||{M}_{k})}\)}

On the other hand, using JR on BLP₃, SA₆ and SA₁₂ yields BLP₄.

BLP₄: GW_k \(|\equiv\) {R_n.P, \({\langle {UID}_{i}\rangle }_{{R}_{n}.{P}_{k}},{{\langle {R}_{m}\rangle }_{h({UID}_{i}||{M}_{k})},\langle {SNID}_{j}\rangle }_{h({UID}_{i}|\left|{R}_{\text{m}}\right)},({SNID}_{j}||{R}_{\text{m}}{)}_{{R}_{n}.{P}_{k}}{,}_{h({UID}_{i}||{M}_{k})}\)}

Based on BLP₄, the SKR is applied to obtain BLP₅.

BLP₅: GW_k \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) MD_i, hence security Goal 5 is attained.

On the other hand, NVR is applied to both BLP₅ and SA₁₂ to yield BLP₆.

BLP₆: GW_k \(|\equiv\) MD_i \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) MD_i, achieving security Goal 6.

Considering idealized formats of both Auth₁ and Auth₃, the application of BR yields BLP₇ and BLP₈.

BLP₇: SN_j \(\triangleleft\){\({\langle {UID}_{i}^{*}\rangle }_{{KG}_{S}}, {\langle {R}_{g}\rangle }_{h({UID}_{i}^{*}|\left|{KG}_{S}\right)},{\langle {R}_{m}\rangle }_{{R}_{g}}, ({UID}_{i}||{SNID}_{j}{)}_{({R}_{m},{ R}_{g},{ KG}_{S})}\)}

BLP₈: MD_i \(\triangleleft\){\({\langle {R}_{g}\rangle }_{h({UID}_{i}|\left|{KG}_{S}\right)}\),\({\langle {R}_{s}^{*}\rangle }_{{R}_{m}^{*}}\), (\({UID}_{i}^{*}{)}_{({R}_{g},{ R}_{s}^{*}, { SK}_{G})}\)}

Using the MMR on both BLP₇ and SA₉ results in BLP₉.

BLP₉: SN_j \(|\equiv\) GW_k ~ {\({\langle {UID}_{i}^{*}\rangle }_{{KG}_{S}}, {\langle {R}_{g}\rangle }_{h({UID}_{i}^{*}|\left|{KG}_{S}\right)},{\langle {R}_{m}\rangle }_{{R}_{g}}, ({UID}_{i}||{SNID}_{j}{)}_{({R}_{m},{ R}_{g},{ KG}_{S})}\)}

However, the application of MMR on both BLP₈ and SA₄ yields BLP₁₀.

BLP₁₀: MD_i \(|\equiv\) GW_k ~ {\({\langle {R}_{g}\rangle }_{h({UID}_{i}|\left|{KG}_{S}\right)}\),\({\langle {R}_{s}^{*}\rangle }_{{R}_{m}^{*}}\), (\({UID}_{i}^{*}{)}_{({R}_{g},{ R}_{s}^{*}, { SK}_{G})}\)}

Based on BLP₉, SA₂, SA₁₄, FPR and the NVR, we obtain BLP₁₁.

BLP₁₁: SN_j \(|\equiv\) GW_k \(|\equiv\) {\({\langle {UID}_{i}^{*}\rangle }_{{KG}_{S}}, {\langle {R}_{g}\rangle }_{h({UID}_{i}^{*}|\left|{KG}_{S}\right)},{\langle {R}_{m}\rangle }_{{R}_{g}}, ({UID}_{i}||{SNID}_{j}{)}_{({R}_{m},{ R}_{g},{ KG}_{S})}\)}

Using the FPR and NVR on BLP₁₀, SA₂ and SA₁₁, we get BLP₁₂.

BLP₁₂: MD_i \(|\equiv\) GW_k \(|\equiv\) {\({\langle {R}_{g}\rangle }_{h({UID}_{i}|\left|{KG}_{S}\right)}\),\({\langle {R}_{s}^{*}\rangle }_{{R}_{m}^{*}}\), (\({UID}_{i}^{*}{)}_{({R}_{g},{ R}_{s}^{*}, { SK}_{G})}\)}

On the other hand, the application of JR on BLP₁₂ and SA₁₁ yields BLP₁₃.

BLP₁₃: MD_i \(|\equiv\) {\({\langle {R}_{g}\rangle }_{h({UID}_{i}|\left|{KG}_{S}\right)}\),\({\langle {R}_{s}^{*}\rangle }_{{R}_{m}^{*}}\), (\({UID}_{i}^{*}{)}_{({R}_{g},{ R}_{s}^{*}, { SK}_{G})}\)}

According to BLP₁₃, the SKR is applied to get BLP₁₄.

BLP₁₄: SN_j \(|\equiv\) SN_j \(\stackrel{ {SK}_{S}}{\leftrightarrow }\) MD_i and hence security Goal 1 is achieving.

Based on BLP₁₄ and SA₁₄, the SKR is applied to obtain BLP₁₅.

BLP₁₅: SN_j \(|\equiv\) MD_i \(|\equiv\) SN_j \(\stackrel{ {SK}_{S}}{\leftrightarrow }\) MD_i, achieve Goal 2.

On the other hand, using SKR on BLP₁₄ yields BLP₁₆.

BLP₁₆: MD_i \(|\equiv\) SN_j \(\stackrel{ {SK}_{D}}{\leftrightarrow }\) MD_i and hence Goal 3 is realized.

The application of SKR on BLP₁₄, SA₅ and SA₁₁ results in BLP₁₇.

BLP₁₇: MD_i \(|\equiv\) SN_j \(|\equiv\) SN_j \(\stackrel{ {SK}_{D}}{\leftrightarrow }\) MD_i, attaining security Goal 4.

Using idealized form of message Auth₂, the BR is applied to get BLP₁₈.

BLP₁₈: GW_k \(\triangleleft\){\({\langle {R}_{s}\rangle }_{{KG}_{S}}\), (\({R}_{s}{)}_{({SK}_{S},{ KG}_{S})}\)}

However, the usage of MMR on both BLP₁₈ and SA₇ results in BLP₁₉.

BLP₁₉: GW_k \(|\equiv\) SN_j ~ {\({\langle {R}_{s}\rangle }_{{KG}_{S}}\), (\({R}_{s}{)}_{({SK}_{S},{ KG}_{S})}\)}

Based on BLP₁₉ and SA₃, NVR and FPR are applied to obtain BLP₂₀.

BLP₂₀: GW_k \(|\equiv\) SN_j \(|\equiv\) {\({\langle {R}_{s}\rangle }_{{KG}_{S}}\), (\({R}_{s}{)}_{({SK}_{S},{ KG}_{S})}\)}

On the other hand, using JR on BLP₂₀, SA₇ and SA₁₃ yields BLP₂₁.

BLP₂₁: GW_k \(|\equiv\) {\({\langle {R}_{s}\rangle }_{{KG}_{S}}\), (\({R}_{s}{)}_{({SK}_{S},{ KG}_{S})}\)}

However, using the SKR on both BLP₂₁ and SA₈ yields BLP₂₂.

BLP₂₂: GW_k \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) SN_j, realizing security Goal 7.

Based on BLP₂₂, SA₁₃ and SA₁₅, the SKR is applied to obtain BLP₂₃.

BLP₂₃: GW_k \(|\equiv\) SN_j \(|\equiv\) GW_k \(\stackrel{ {SK}_{G}}{\leftrightarrow }\) SN_j and hence Goal 8 is attained.

The attainment of all the 8 formulated security goals demonstrates that the proposed scheme achieves strong mutual authentication among the SN_j, MD_i and GW_k. In addition, it confirms that after successful mutual authentication, session key SK_D = SK_G = SK_S is established among these three entities.

Informal security analysis

In this sub-section, we state and proof various propositions to show that our scheme supports numerous security features and is robust against many typical smart city attacks. Based on the attack model in “Attack model” section, an adversary is capable of launching attacks such as de-synchronization, denial of service, eavesdropping, session hijacking, KSSTI, replays, forgery, MitM, privileged insider,physical, side-channeling and impersonation. In this sub-section, we demonstrate that our protocol mitigates all these attacks.

Proposition 1

Eavesdropping attacks are prevented.

Proof

Suppose that an adversary Å is interested in intercepting the exchanged messages after which parameters such as SNID_j and UID_i are retrieved. In our scheme, messages Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄} are exchanged over public channels. Here, A₅ = R_n.P, B₂ = UID_i ⊕ B₁, B₃ = A₄ ⊕ R_m, B₄ = h (UID_i||R_m) ⊕ SNID_j, B₅ = h (A₄||SNID_j||B₁||R_m), C₁ = UID_i^* ⊕ K_GS^*, C₂ = R_g ⊕ h (UID_i^*||K_GS^*), C₃ = R_g ⊕ R_m^*, C₄ = h (UID_i^*||SNID_j^*||K_GS^*||R_m^*||R_g), C₅ = R_s ⊕ K_GS, D₁ = h (K_GS||SK_S||R_s), D₂ = A₄^* ⊕ R_g, D₃ = R_m^* ⊕ R_s^* and D₄ = h (UID_i^*||SK_G||R_g||R_s^*). Clearly, none of these messages contain SNID_j and UID_i in plaintext. Therefore, eavesdropping attacks against our scheme fail.

Proposition 2

Our scheme thwarts session hijacking and denial of service attacks.

Proof

The aim of adversary Å in this attack is to gain access to the MD_i belonging to user U_i, effectively disconnecting him/her from accessing sensory data. To prevent this, our scheme incorporates invalid password, identity and biometric checks. For biometric authentication, the the MD_i checks whether h (CP_i^*) ≟ λ = h (CP_i). On the other hand, user password and identity are verified by the MD_i through the confirmation of whether A₂^*≟ A₂. In both cases, the session is terminated upon validation failure. Therefore, unauthorized logins that can facilitate session hijacking and denial of service attacks are thwarted.

Proposition 3

Message replay and de-synchronization attacks are prevented.

Proof

During the login, authentication and session key negotiation phases, random nonces are incorporated in all the exchanged messages. These random nonces include R_m, R_n, R_g and R_s included in parameters A₅ = R_n.P, B₁ = R_n.P_k = R_n.nP, B₃ = A₄ ⊕ R_m, B₄ = h (UID_i||R_m) ⊕ SNID_j, B₅ = h (A₄||SNID_j||B₁||R_m), C₂ = R_g ⊕ h (UID_i^*||K_GS^*), C₃ = R_g ⊕ R_m^*, C₄ = h (UID_i^*||SNID_j^*||K_GS^*||R_m^*||R_g), C₅ = R_s ⊕ K_GS, D₁ = h (K_GS||SK_S||R_s), D₂ = A₄^* ⊕ R_g, D₃ = R_m^* ⊕ R_s^* and D₄ = h (UID_i^*||SK_G||R_g||R_s^*). Therefore, the freshness of messages Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄} is upheld, thwarting any replay attacks. This is in contrast to most schemes that employ timestamps to prevent replay attacks. In these schemes, these timestamps render them vulnerable to de-synchronization attacks.

Proposition 4

Our scheme is robust against privileged insider and impersonation attacks.

Proof

The aim of this attack is to allow users with elevated privileges such as system administrators to access users’ registration information. Thereafter, the obtained information is utilized to impersonate the legitimate users. During the user registration phase, registration request Req = {UID_i, A₁, β_i} is constructed by U_i and forwarded to the GW_k over secure channels. Here, UID_i is the user’s unique identity, β_i is the user’s biometric data and A₁ = h (PW_i||R_a). Evidently, privileged users cannot retrieve user’s password PW_i from A₁ due to its encapsulation in random nonce R_a and eventual one-way hashing, which is computationally infeasible to reverse.

Proposition 5

Untraceability and anonymity are preserved.

Proof

Suppose that adversary Å is interested in tracking particular users and sensors within the network. To realize this, all the messages exchanged over the public channels are intercepted. These messages include Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄}. Thereafter, attempts are made to obtain SNID_j and UID_i. However, according to Proposition 1, this attempt will fail. Although parameters C₂ = R_g ⊕ h (UID_i^*||K_GS^*), C₄ = h (UID_i^*||SNID_j^*||K_GS^*||R_m^*||R_g), and D₄ = h (UID_i^*||SK_G||R_g||R_s^*) contain these unique identities, they are scrambled in other security tokens and hashed. This makes it cumbersome for adversary Å to retrieve them. To prevent traceability attacks, the MD_i generates random nonces R_a, R_m and R_n that are incorporated in values A₅ = R_n.P, B₁ = R_n.P_k, B₃ = A₄ ⊕ R_m, B₄ = h (UID_i||R_m) ⊕ SNID_j and B₅ = h (A₄||SNID_j||B₁||R_m). Similarly, the SN_j generates nonce R_s that is incorporated in parameters C₅ = R_s ⊕ K_GS, session key SK_S = h (UID_i^*||SNID_j^*||R_m^*||R_g^*||R_s) and value D₁ = h (K_GS||SK_S||R_s). Therefore, user’s login request message Log_Req and SN_j’s authentication message Auth₂ are session-specific. As such, it is difficult for the adversary to associate these two messages to particular users and sensors.

Proposition 6

Our scheme is resilient against side-channeling and physical attacks.

Proof

The goal of the attacker is to steal user’s MD_i and use power analysis techniques to retrieve the stored secrets. In our scheme, the MD_i stores value set {f (.), λ, ε, A₂, A₃, P_k, R_a} in its memory. Here, λ = h (CP_i), ε = CP_i ⊕ β_i, A₁ = h (PW_i||R_a), A₂ = h (UID_i||A₁||CP_i), A₃ = h (UID_i||M_k) ⊕ h (A₁||CP_i), CP_i is the code-phrase chosen by the GW_k, R_a is the random nonce generated by the MD_i while P_k = nP is the public key computed at the GW_k. Next, an attempt is made to retrieve user’s unique identity UID_i and password PW_i. This requires access to security tokens such as CP_i and master key M_k for GW_k. In addition, adversary Å needs to reverse the one-way hashing function to obtain these parameters from A₁and A₂. Since this presents a computationally infeasible activity, this attack flops.

Proposition 7

Known Session-Specific Temporary Information (KSSTI) attacks are prevented.

Proof

In our scheme, all the three entities derive the session key used to encipher the sensory data. Whereas the SN_j derives the session key as SK_S = h (UID_i^*||SNID_j^*||R_m^*||R_g^*||R_s), the GW_k derives it as SK_G = h (UID_i^*||SNID_j^*||R_m^*||R_g||R_s^*). Similarly, the MD_i computes the session key as SK_D = h (UID_i||SNID_j||R_m||R_g^*||R_s^*). Based on Propositions 1 and 5, adversary cannot obtain identities UID_i and SNID_j from the exchanged messages. In addition, Proposition 6 has detailed the difficulty of obtaining UID_i from MD_i’s memory. Therefore, even if temporary information such as random nonces R_m, R_g and R_s are compromised by Å, these session keys cannot be computed.

Proposition 8

Strong mutual authentication is executed among all network entities.

Proof

In our scheme, the MD_i validates user biometric data by checking whether h (CP_i^*) ≟ λ = h (CP_i). In addition, it verifies user unique identity UID_i and password PW_i by confirming if A₂^*≟ A₂. On its part, the the GW_k authenticates MD_i by checking whether B₅^*≟ B₅, while the SN_j validates GW_k through the confirmation of whether D₁^*≟ D₁. Finally, the the MD_i authenticates the SN_j by establishing whether D₄^*≟ D₄. In all these authentication scenarios, the session is aborted upon validation failure.

Proposition 9

Session keys are negotiated among all network entities.

Proof

To protect the exchanged sensor data, the MD_i, GW_k and SN_j setup session keys amongst themselves. Upon receiving authentication message Auth₁ = {C₁, C₂, C₃, C₄}, the SN_j computes values UID_i^* = C₁ ⊕ K_GS^*, R_g^* = C₂ ⊕ h (UID_i^*||K_GS^*), R_m^* = R_g^* ⊕ C₃, C₄^* = h (UID_i^*||SNID_j^*||K_GS||R_m^*||R_g^*), C₅ = R_s ⊕ K_GS and session key SK_S = h (UID_i^*||SNID_j^*||R_m^*||R_g^*||R_s). Similarly, on getting authentication response message Auth₂ = {C₅, D₁}, the GW_k derives value R_s^* = C₅ ⊕ K_GS^* and session key SK_G = h (UID_i^*||SNID_j^*||R_m^*||R_g||R_s^*). On its part, the MD_i receives authentication message Auth₃ = {D₂, D₃, D₄} after which it derives values R_g^* = A₄ ⊕ D₂, R_s^* = R_m ⊕ D₃ and session key SK_D = h (UID_i||SNID_j||R_m||R_g^*||R_s^*). These session keys are used by these entities to encipher the sensor data exchanged between the MD_i and SN_j via the GW_k.

Proposition 10

Our scheme is robust against MitM and forgery attacks.

Proof

The aim of adversary Å is to gather information belonging to the network entities and attempt to forge the exchanged messages Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄}. Here, A₁ = h (PW_i||R_a), A₃ = h (UID_i||M_k) ⊕ h (A₁||CP_i), A₄ = A₃ ⊕ h (h(PW_i||R_a)||CP_i^*), A₅ = R_n.P, B₁ = R_n.P_k = R_n.nP, B₂ = UID_i ⊕ B₁, B₃ = A₄ ⊕ R_m, B₄ = h (UID_i||R_m) ⊕ SNID_j, B₅ = h (A₄||SNID_j||B₁||R_m), C₁ = UID_i^* ⊕ K_GS^*, C₂ = R_g ⊕ h (UID_i^*||K_GS^*), C₃ = R_g ⊕ R_m^*, C₄ = h (UID_i^*||SNID_j^*||K_GS^*||R_m^*||R_g), C₅ = R_s ⊕ K_GS, D₁ = h (K_GS||SK_S||R_s), D₂ = A₄^* ⊕ R_g, D₃ = R_m^* ⊕ R_s^* and D₄ = h (UID_i^*||SK_G||R_g||R_s^*). To forge these messages, Å needs access to GW_k’s master key P_k, UID_i, SNID_j, PW_i, CP_i^*, M_k, SK_S, SK_G, K_GS as well as random nonces R_a, R_g, R_m , R_n and R_s. Proposition 1 , Proposition 5 and Proposition 6 have demonstrated the difficulty that Å faces in obtaining UID_i and SNID_j. On the other hand, Propositions 4 and 6 have shown the challenges Å faces in retrieving PW_i. Similarly, Proposition 7 has demonstrated the diffulty of adversarial derivation of session keys SK_S, SK_G and SK_D. Since M_k is only known to GW_k and K_GS is only known by GW_k and SN_j, Å cannot access these values. Similarly, random nonces are independently derived at the MD_i, GW_k and SN_j, hence not available to Å. As such, forgery attacks against our scheme flops.

Proposition 11

Backward and forward key secrecy is upheld.

Proof

In our scheme, the SN_j computes session key as SK_S = h (UID_i^*||SNID_j^*||R_m^*||R_g^*||R_s) while the GW_k derives the session key as SK_G = h (UID_i^*||SNID_j^*||R_m^*||R_g||R_s^*). Similarly, the MD_i calculates the session key as SK_D = h (UID_i||SNID_j||R_m||R_g^*||R_s^*). The incorporation of random nonces R_m, R_g^* R_s^* renders the derived session keys one-time such that they are only valid for a particular session. Therefore, although adversary Å compromises the current session keys, it is not possible to use the captured parameters to derive session keys for the previous and subsequent communication session.

In this section, we present the comparative evaluations of our scheme in terms of computation costs, communication costs, functional and security features. The specific details are elaborated in the sub-sections below.

Computation costs

The proposed scheme is implemented in a laptop with the specifications in Table 2. Using the specifications in Table 2, the execution time times for the the elliptic curve point multiplication (T_EM) ≈ 21.74 ms, one-way hashing (T_H) ≈ 0.63 ms and elliptic curve point addition (T_EA) ≈ 6.75 ms.

During the login, authentication and key negotiation phase, the MD_i executes 2 ECC point multiplications and 8 one-way hashing operations. On the other hand, the GW_k carries out a single ECC point multiplication and 9 one-way hashing operations. On its part, the SN_j executes only 4 one-way hashing operations. Therefore, the total computation cost of our scheme is 21T_H + 3 T_EM. Table 3 presents the computation costs comparative evaluation of our scheme against other related schemes.

As shown in Fig. 4, the scheme developed in⁷¹ incurs the highest computation costs of 251.33 ms. This is attributed to the numerous elliptic curve point multiplications which are computationally intensive. This is followed by the protocols in^{31,61,68,72,73} which incur computation overheads of 248.99 ms, 215.46 ms, 145.56 ms, 133.59 ms and 98.93 ms respectively.

Computation costs comparisons.

Full size image

On the other hand, the proposed scheme incurs the lowest computation costs of only 78.45 ms. Based on the scheme in⁶⁸, our protocol reduced the computation costs by 20.7%. Since the sensors in smart cities are limited in terms of the computation power, our scheme is the most ideal for deployment in this environment.

Communication costs

In the course of the login, authentication and session key setup phase, 4 messages are exchanged among the MD_i, GW_k and SN_j. These messages include Log_Req = {A₅, B₂, B₃, B₄, B₅}, Auth₁ = {C₁, C₂, C₃, C₄}, Auth₂ = {C₅, D₁} and Auth₃ = {D₂, D₃, D₄}. Here, ECC point multiplication = 160 bits, identities = 32 bits, one way hashing = 160 bits and random nonces = 128 bits. Using these values, Log_Req = 160 + 160 + 160 + 160 + 160 = 800 bits, Auth₁ = 160 + 160 + 128 + 160 = 608 bits, Auth₂ = 160 + 160 = 320 bits and Auth₃ = 160 + 128 + 160 = 448 bits. As such, the total communication overhead is 2176 bits. Table 4 provides comparative evaluation of the communication costs of our scheme against other related protocols.

As shown in Fig. 5, the protocol in⁶⁸ has the highest communication costs of 2336 bits. This is followed by the proposed scheme which inclurs a communication overhead of 2176 bits. This is attributed to the strong mutual authentication that must be executed among the MD_i, GW_k and SN_j.

Communication costs comparisons.

Full size image

Although the protocols in^{31,61,71,72,73} incur relatively lower communication costs, they are insecure since they cannot offer functional and security features supported by our scheme, as evidenced in Table 5.

Functional and security features

In this sub-section, we discusses the comparative evaluation of our scheme in terms of offered functional and security features. Table 5 presents the security features supported by our scheme as well as the attacks that this scheme is resilient against. The security features and resilience of its peers are also detailed.

As shown in Table 5, the protocol in⁶⁸ supports only 7 functionalities and hence is the most insecure. This is followed by the scheme in³¹ which supports 8 security features. On the other hand, the protocols in^71,72,73 support 10 functionalities each. However, the protocol developed in⁶¹ supports 12 functionalities while the proposed scheme offers support for all the 20 security features and functionalities. Although our scheme incurs slightly higher communication overheads, it supports the highets number of security and privacy functionalites. In addition, it incurs the lowest computation costs. As such, it offers a good trade-off between privacy, security and performance.

Some of the anticipated limitations that are likely to crop up during the practical implementation of our scheme is its slightly high communication costs and the need for biometric reader at the user mobile device MD_i. Specifically, the accurate recovery of biometric tokens via fuzzy extraction is not a trivial exercise.

The security, privacy and performance issues in smart cities have attracted a lot of attention from the industry and academia. Therefore, past research works have developed a myriad of security solutions for this environment. In majority of these approaches, public key cryptography, blockchain and bilinear pairing operations are utilized. As such, the resulting authentication process is computationally extensive and hence long latencies can be experienced. In addition, they place high communication, energy and storage overheads on the resource-limited smart city sensor devices. Motivated by this, we have presented a biometric-based scheme that has been demonstrated to incur the least computation overheads. Its formal security analysis has shown that it performs strong mutual authentication and key negotiation in an appropriate manner. In addition, informal security analysis has shown that it is secure under all the threat assumptions in the Canetti and Krawczyk attack model. Future research work will involve further reductions in the communication overheads which are observed to be slightly higher compared with some of its peers.