Special Issue: Advances in Machine Learning for Cybersecurity
Review Article | Open Access
A Systematic Literature Review of Authentication in Internet of Things for Heterogeneous Devices
The Internet of Things (IoT) has become one of the most significant technologies in recent years because of its diverse application domains. The variety of applications results in the diffusion of a large amount of users’ private information, which poses a paramount security concern. User authentication is a significant factor in the IoT environment as it allows the user to communicate with the device securely. Integration of authentication technologies with IoT ensures secure data retrieval and robust access control. This paper provides a comprehensive systematic literature review of the authentication mechanisms for IoT security proposed in the literature. By comparing the existing authentication mechanisms developed for the IoT in terms of security via a multicriteria classification, the open issues that require further research are identified.
The Internet of Things (IoT) is a new paradigm where everyday objects are interconnected and communicate with each other over the Internet. IoT facilitates a direct integration of physical objects with the cyber world through smart sensors, RFID tags, smartphones, and wearable devices. IoT networks offer various application domains encompassing environmental monitoring, healthcare, smart cities, military affairs, and intelligent transportation systems [3, 4]. IoT applications will improve rapidly. Cisco Systems predicts that by 2020 there will be over 50 billion connected things on the Internet, consisting of sensors, actuators, GPS devices, mobile devices, and all other smart things. The security and privacy of these devices are the most notable challenges in IoT. These devices have limited computing platforms, and their communications are often wireless, which makes the system prone to various attacks. Furthermore, the number of devices exposed to the public network is increasing gradually, and the devices interact directly with the physical world to gather data. All of this makes them a suitable target for malicious users. Hence, it is essential to assure devices’ authenticity, so that the legitimate device is known to be operating in its expected state and is not affected by malware. As IoT devices are built on various technologies such as power management and sensors, their security requirements vary from one application to another. Several security requirements that need to be considered in designing an authentication protocol in the IoT perimeter are delineated in Figure 1.
IoT development is based on wireless networks that collect information for authorised users. In a wireless network, the platform sends instructions to the terminal nodes, and the terminal nodes collect information and transmit it to the platform. Mutual authentication is required in this communication process to ensure the security of the network. It prevents adversaries from using the network for malicious tasks. Moreover, other nodes should authenticate the terminal nodes to prevent an attacker from adding invalid terminal nodes to the sensor network. Mutual authentication has an outstanding role in IoT security. In an unprotected IoT perimeter, a remote user can connect to other nodes by gaining access to IoT services via smart device applications. Once connected, specific information can be extracted from specific nodes. Hence, remote user authentication is vital, as inserting resourceful gateway nodes in IoT networks facilitates data delivery and takes on most of the processing. In IoT networks, nodes are resource-constrained in terms of processing power, battery backup, memory, speed, and so on.
Authentication factors are ownership, knowledge, and biometrics: ownership factors such as smart cards and smartphones; knowledge factors such as passwords; inherence factors such as fingerprints. A potential authentication scheme can be achieved by integrating a second factor based on biometrics. Biometrics has multiple advantages: it is difficult to copy, impossible to lose or forget, difficult to counterfeit, and so on. Biometrics is universal, distinctive, persistent, collectable, and unique.
Only authenticated and authorised users should be able to use the system, to hinder security risks. There are various authentication schemes in wireless mobile communication and wireless sensor networks. For instance, in wireless sensor networks, they are based on elliptic curve cryptography, self-certified keys cryptosystems, and hash functions. A lightweight security solution, key agreement, mutual authentication, and multifactor authentication are significant requirements for developing a feasible authentication scheme.
This paper is organized as follows. The applied research methodology is presented in Section 2. Section 3 elaborates the systematic literature review results. The comparisons of authentication schemes for the IoT are discussed in Section 4. Finally, Section 5 concludes the paper.
2. Research Method
A systematic literature review (SLR) is employed to review the existing documents about authentication mechanisms in IoT and to discuss the results of the review, so that further research can be conducted if required. Kitchenham and Charters defined an SLR as a means of identifying, evaluating, and interpreting all available research relevant to a particular research question, topic area, or phenomenon of interest. da Silva et al. stated that incorporating current work in a manner that is fair and seen to be fair is known as a systematic review.
2.1. Research Questions
The research questions addressed by this research are as follows:
RQ1. What are the security threats in the IoT perimeter?
RQ2. What are the IoT authentication schemes security issues/challenges?
RQ3. What kind of authentication scheme (techniques) has been developed or applied for IoT-based architectures?
RQ4. What kind of security evaluation is used for IoT authentication?
2.2. Search Process
The search process is as follows. The primary search process consists of searching for the research keywords (authentication, CPS, IoT, and lightweight) through search engines such as ACM Digital Library, IEEE Xplore, and ScienceDirect. The secondary search process comprises manually searching publications in the relevant area of research.
2.3. Inclusion and Exclusion Criteria
Papers that describe research on authentication schemes for IoT are included in our review. The papers were examined with respect to their years, metrics, techniques, evaluation criteria, and results. Inclusion was based on the similarity of the research to the topic of IoT authentication schemes. Papers that did not describe security experimental results were excluded from the review.
3. Results of the Systematic Literature Review
In this section, the results of our SLR are formulated. The results focus on answering the questions taken as the bottom line of our systematic literature review. Each subsection provides information to answer these questions with regard to the objective of the studies. Different tables are shown to represent the results of this review. Authentication schemes in IoT are investigated, showing the distribution of studies per year and publication source.
3.1. RQ1: What Are the Security Threats in the IoT Perimeter?
The presence of IoT devices in unprotected perimeters escalates the necessity of considering all possible security threats that can compromise the devices. Security threats in the IoT networks are described in Figure 2.
3.2. RQ2: What Are the IoT Authentication Schemes Security Issues/Challenges?
3.3. RQ3: What Kind of Authentication Scheme (Techniques) Has Been Developed or Applied for IoT-Based Architectures?
3.3.1. Cloud-Based IoT Authentication
The cloud can be a proper platform for storing and processing IoT device data. The integration of cloud computing and IoT affects our daily tasks considerably. A cloud-driven IoT has more advantages than a generic IoT architecture: real-time queries can be processed at lower cost and with reduced processing overhead. In this network architecture, a remote object/user should verify itself within the IoT and cloud architecture. Hence, an authentication scheme is required. Table 2 summarizes the relevant authentication schemes based on the IoT-cloud architecture.
A cloud-based platform can be employed as a big data warehouse for IoT data. In IoT-based critical applications, only authorised users can access the IoT sensor data or query the data stored on cloud servers to discover the hidden patterns of some phenomena. Wazid et al. discussed the authentication schemes for a cloud-driven IoT-based big data environment and provided a comparative study of numerous existing authentication schemes, which are shown in Table 3.
3.3.2. Lightweight Authentication
A lightweight and secure authentication scheme is required because of the abovementioned weaknesses in the IoT-cloud architecture schemes. Feng et al. presented a lightweight mechanism for Attestation and Authentication of Things (AAoT), which provides software integrity, mutual authentication, and tamper-proof features for smart embedded devices. This scheme relies on physical unclonable functions (PUFs). Both strong PUFs and weak PUFs are used by the protocol. PUF-based random memory filling is employed to relieve the memory resources. The scheme delineates efficient implementations and optimizations for each of the building blocks of AAoT and provides mutual authentication.
(1) Attestation. The identity authenticity and software integrity of connected smart embedded devices need to be guaranteed to hinder malicious nodes. The identity authenticity ensures that the device is a legitimate one, and the software integrity ensures the device status and expected behaviors. The identity and integrity of devices can be verified by a protocol known as attestation. Two types of attestation for low-resource devices are software-based attestation [46–49] and attestation based on a minimal embedded security architecture [50–52]. These methods are ineffective if IoT devices are impersonated. They are based on the traditional secure storage technology that is costly, rigid, and unsafe [53, 54]. Software-based attestation methods are as follows:
(a) Time-Based Attestation. It is the most common method, with examples such as SWATT, Pioneer, and SCUBA. It computes a checksum over the program memory such that any memory alteration shows up as a time delay.
(b) Attestation Based on Memory Filling. Attackers may exploit the spare memory space. Researchers proposed filling the empty memory with noncompressible pseudorandom noise [56–58]. Memory printing and quine can also be used to fill the RAM space.
Time-based attestation and attestation based on memory filling are vulnerable to offline static analysis, reverse engineering, and manipulation due to the fixed function.
(c) Attestation Based on Random Construction of Attestation Function. Shaneck et al. proposed that the verifier generate a random attestation function and send it to the prover on each protocol run. Park and Shin proposed a novel randomized hash function tailored to low-cost CPUs, which was infeasible due to the network bandwidth consumption and complexity. Software-based attestation is not robust against the following attacks: memory copy attack, proxy attack Pioneer, an attack via the address translation mechanisms, the code compression attack, and an attack exploiting high execution-time variance. Hence, the security of software-based attestation is contested.
(d) Embedded Security Architecture and Attestation. Recent research is based on a hardware-software codesign such as SMART or TrustLite. The goal is to make a dynamic trust anchor in a constrained embedded device. The established trust anchor can be further used to design a scalable collective attestation that fulfills security requirements. Previous attestation methods were focused on software attacks.
(2) Authentication. The traditional authentication method employs cryptographic logic with a secret key, which lacks secure hardware features and has a high cost. PUFs implement secure lightweight device authentication by exploiting the unavoidable manufacturing variations of an integrated circuit to generate a unique device fingerprint. PUF-based authentication strengthens authentication protocols owing to the properties of singularity, reproducibility, and unclonability. There are two types of PUFs: weak and strong PUFs. Kong et al. presented PUFatt, a novel PUF design (called ALU PUF) based on the delay difference between two different arithmetic and logic units, by employing the approach proposed by Schulz et al.
Table 4 describes the relevant developed attestation schemes as well as their drawbacks.
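The memory-filling idea from the attestation list above, as an added example (not code from the paper or from any cited scheme): a verifier challenges a simulated device with a fresh nonce and compares a keyed digest over the whole memory. Memory size, firmware bytes, seed, and all function names are constructed, and HMAC-SHA-256 stands in for the checksum functions of the cited schemes; the run shows that a zero-filled free region lets overwritten bytes go unnoticed while a noise-filled one does not.

```python
import hashlib
import hmac
import os

MEM_SIZE = 4096  # constructed: size of the simulated program memory in bytes


def noise(seed: bytes, length: int) -> bytes:
    """Pseudorandom filler that the verifier can regenerate from the seed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def build_image(firmware: bytes, filler: bytes) -> bytes:
    """Memory layout: firmware at offset 0, every remaining byte is filler."""
    if len(firmware) + len(filler) != MEM_SIZE:
        raise ValueError("firmware plus filler must cover the whole memory")
    return firmware + filler


def checksum(memory: bytes, nonce: bytes) -> bytes:
    """Attestation response: digest of the whole memory keyed by the nonce."""
    return hmac.new(nonce, memory, hashlib.sha256).digest()


class Verifier:
    """Holds the expected memory image and issues single-use challenges."""

    def __init__(self, expected_image: bytes):
        self.expected = expected_image
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = os.urandom(16)
        return self.pending

    def check(self, response: bytes) -> bool:
        if self.pending is None:                    # no outstanding challenge
            return False
        nonce, self.pending = self.pending, None    # a nonce is valid once
        return hmac.compare_digest(response, checksum(self.expected, nonce))


def hiding_prover(memory: bytes, nonce: bytes, start: int, length: int) -> bytes:
    """Models a tampered device that answers as if [start, start+length) still
    held zeros. Zeros need no storage to reproduce; the overwritten noise would
    need `length` spare bytes, which a fully filled memory does not have."""
    pretended = memory[:start] + bytes(length) + memory[start + length:]
    return checksum(pretended, nonce)


def run_scenarios() -> dict:
    firmware = b"\x01\x02\x03\x04" * 256            # constructed 1 KiB firmware
    free = MEM_SIZE - len(firmware)
    foreign = b"\xEE" * 256                          # constructed foreign bytes
    start = len(firmware) + 128                      # lands in the free region
    results = {}
    fillers = {"zero": bytes(free), "noise": noise(b"constructed-seed", free)}
    for name, filler in fillers.items():
        image = build_image(firmware, filler)
        tampered = image[:start] + foreign + image[start + len(foreign):]
        verifier = Verifier(image)
        results[name + "_clean"] = verifier.check(
            checksum(image, verifier.challenge()))
        results[name + "_tampered"] = verifier.check(
            hiding_prover(tampered, verifier.challenge(), start, len(foreign)))
    # Replay: a response recorded for one nonce is useless for the next one.
    old = checksum(image, verifier.challenge())
    verifier.check(old)
    verifier.challenge()
    results["replay"] = verifier.check(old)
    results["unsolicited"] = verifier.check(old)     # no challenge outstanding
    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:15s} accepted={accepted}")
```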
3.3.3. Decentralized Blockchain-Based Authentication
Making an efficient centralized authentication system for IoT is not feasible because of the size of the IoT and its other features. Hammi et al. presented a decentralized authentication mechanism called bubbles of trust. They create bubbles in which things can identify and trust each other, using the Ethereum blockchain, which implements smart contracts. The Master (a device of the bubble) sends a transaction including the Master’s identifier and the group identifier. The uniqueness of both is checked by the blockchain. The bubble is created if the transaction is valid. In turn, the Followers (each object that is part of the system) send transactions to the relevant bubbles. Every Follower has a ticket that consists of a groupID, an objectID, a pubAddr, and a Signature structure (using the elliptic curve digital signature algorithm (ECDSA)). The uniqueness of the Follower’s identifier and the validity of the Follower’s ticket are verified by the smart contract. After an initial successful transaction, the Follower needs no later authentication.
Various research studies have addressed the integration of blockchains and IoT, while few have addressed the application of blockchains to meeting IoT security requirements. Table 5 outlines the studies, which are mostly based on security mechanisms such as Bitcoin or Ethereum. Although these mechanisms ensure anonymity completely, there is no assurance of identification, which is a fundamental requirement. Private blockchains should be used to ensure identification. These mechanisms have limitations such as the difficulty of inserting a new service or device. No implementations or simulations were provided by these studies.
3.3.4. Biometrics-Based Remote User Authentication Schemes (Multifactor Authentication)
Dhillon and Kalra proposed a lightweight biometric multifactor remote user authentication and key agreement scheme for IoT security. The protocol first uses a gateway node for user registration. Thereafter, the user connects to the desired sensor node through his smart device. The phases of the proposed multifactor biometric user authentication are as follows:
(1) User Registration Phase. It consists of two phases after IoT deployment: the registration between the user and the gateway node, and the registration between the gateway node and the sensor node. Registration with the gateway node is required for access to IoT. The user executes the authentication phase to generate a shared session key. The second registration is required to add nodes dynamically to the network.
(2) Login Phase. To initiate the authentication phase, the user should log in to the IoT services. Registration and authentication are based on the user biometrics and password.
(3) Authentication Phase. The user and the node generate an encrypted secret session key that can be used one time. There is mutual authentication between a remote user and the IoT node.
(4) Password-Change Phase. The user needs to update his/her password periodically for security reasons.
Table 6 indicates various biometrics-based remote user authentication schemes proposed by researchers. They mostly employ cryptographic key establishment between the user and the gateway node.
3.4. RQ4: What Kind of Security Evaluation is Used for IoT Authentication?
The security of an authentication scheme needs to be evaluated via various security analysis metrics to ensure that it is not vulnerable to attacks. Formal security analysis should be performed to verify the scheme’s security.
3.4.1. Proverif
Proverif is a formal verification tool that checks the security properties of cryptographic protocols. Proverif supports cryptographic operations including symmetric encryption/decryption, hash functions, and bit-commitment. Generally, researchers employ it to evaluate reachability and to prove session key secrecy and authentication.
In 2019, Zhou et al. used Proverif to test their scheme’s security and robustness against common attacks. They employed the two most prevalent cryptographic techniques for secure communications, the AES and SHA-2 (256 bits) algorithms. The Arduino Uno platform was used with an implementation of SHA-3 (512 bits). The results show that their scheme is practical to implement for IoT devices. Table 7 compares this scheme with two other relevant ones. In terms of security and efficiency, this scheme shows superior results to the other two schemes.
Hammi et al. applied Ethereum as the blockchain and developed a smart contract to ensure the scheme’s functionality. They encode and decode Ethereum data for the interactions between end nodes and the blockchain using a C++ interface. Table 8 compares this scheme with other authentication schemes based on the association phase. The evaluation was based on execution time, energy consumption, and financial cost. For constrained devices, a smaller number of messages means lower system consumption. If the implementation is on the same hardware, energy and computation consumption will be alleviated. Additionally, message authentication is realised by ECDSA. The time required for message authentication depends on the employed blockchain and, compared to other schemes, is in the order of some milliseconds. This scheme provides robust identification, authentication, data integrity, and availability. The evaluation results show that this scheme ensures the security requirements as well as resiliency toward attacks. This scheme cannot be employed in actual applications, and it incurs costs due to the cryptocurrency used by the blockchain system.
3.4.2. Burrows–Abadi–Needham (BAN) Logic
A set of rules that can be used to analyze authentication protocols is known as BAN logic. Through BAN logic, the communicating parties can specify the trustworthiness of the exchanged messages and mutually authenticate each other in the IoT perimeter.
3.4.3. Real-or-Random (ROR Model)
The ROR model can be used to authenticate key exchange protocols.
3.4.4. Automated Validation of Internet Security Protocols and Applications (AVISPA)
AVISPA is a software tool that attests the resilience of an authentication scheme against replay and man-in-the-middle attacks. It analyzes large-scale Internet security protocols and applications. The High-Level Protocol Specification Language (HLPSL) is employed to code the protocols.
The authentication scheme proposed by Dhillon and Kalra shows robustness against numerous attacks, which are depicted in Table 9. This scheme provides mutual authentication and a secure key and ensures password protection. The security analysis of the scheme is performed through formal verification using the AVISPA tool, which ensures its security if it is compromised.
3.4.5. Cryptographic Protocol Shapes Analyzer (CPSA)
CPSA is an analysis tool based on authentication tests that enumerates the essentially different executions of a cryptographic protocol. It is based on a Dolev-Yao model, considering an intruder with unlimited access, and it can specify authentication as well as secrecy properties.
Feng et al. analyzed the security of the AAoT protocol using the CPSA tool. The experimental results show mutual authentication as well as the secrecy of CRPs and PUFRoT within the authorization protocol. In AAoT, the possibility of memory copy attack is substantial as a valid checksum cannot be counterfeited. AAoT is robust against cloning or impersonation because of the unclonability and unpredictability of the PUF. A cloned or impersonated prover requires access to the PUF CRPs or keys from the legitimate prover device to defraud the verifier.
Table 10 compares the AAoT scheme with the two most similar approaches [67, 68]. AAoT concentrates on static attestation. Additional techniques such as control flow attestation are required for runtime protection. AAoT is applicable to low-resource devices. To secure the IoT and CPS, the integration of attestation and authentication can be practical. AAoT ensures either integrity or authenticity and removes the gap from the protocol theory to tangible realization. AAoT covers the problems in PUFatt.
The security issues and challenges of IoT-based perimeters that authentication techniques must address are discussed. Furthermore, various existing authentication mechanisms for IoT are reviewed and compared. For instance, one lightweight authentication scheme uses one-way hash functions, perceptual hash functions, and XOR operations, which are inexpensive. Hence, this scheme is appropriate for resource-constrained IoT devices. Although this scheme shows robustness against various security attacks through the AVISPA tool, it needs to be set up on a testbed to determine its memory requirements and its applicability to real IoT devices.
To secure IoT and CPS, the integration of attestation and authentication is significant and effective. Most of the existing schemes provide only one of them. A lightweight attestation and authentication scheme for low-resource things in IoT and CPS, called AAoT, has been proposed. This scheme presents a feasible and secure hardware-software codesign employing the limited resources present in smart embedded devices. AAoT achieves integrity and authenticity by memory-based attestation and PUF-based authentication. A lightweight IoT-based authentication scheme for cloud computing circumstances shows robustness against different types of attacks and provides mutual authentication. The performance evaluation of this scheme shows that it is highly suitable for real IoT-cloud circumstances. A decentralized blockchain-based authentication system for IoT called bubbles of trust has also been presented. Devices can communicate securely in the created virtual zones. Despite satisfying security requirements due to using a public blockchain and resilience toward attacks, it has three significant issues: inadaptability to real-time applications, the need for an initial phase, and cryptocurrency rate changes.
Our findings demonstrate that various types of solutions have been proposed to provide secure authentication for IoT. Even though the existing authentication schemes are applicable in the IoT perimeter, there is still a gap, which necessitates additional effort in designing and developing a more secure authentication mechanism to hinder security breaches. The information collected in this SLR will assist future researchers by providing different directions to cover the gap and design a secure authentication scheme for IoT.
A massive heterogeneous network of IoT devices generates a huge amount of data that must be reachable and retrievable only by authorised users. Attack surfaces increase swiftly with the connection of billions of IoT devices. Authentication that provides secure access to the devices, services, and communication exchanges is a challenging task. Researchers have proposed various authentication schemes, which may differ from each other and be applicable across different domains. This paper reviewed different ways to perform authentication in IoT perimeters to identify the challenges and opportunities. The representative security requirements, security issues, and challenges of authentication schemes for IoT have been discussed. Various authentication schemes such as cloud-based IoT, lightweight, decentralized blockchain-based, and biometrics-based remote user authentication (multifactor) were analyzed. Furthermore, the formal verification analysis provided by the different verification tools, comprising Proverif, BAN logic, the ROR model, AVISPA, and CPSA, for evaluating the security of the authentication schemes is described. Although these authentication schemes for IoT have resulted in more secure designs, they still have limitations, which require massive improvement to ensure deeper privacy and security. It is important that an authentication scheme be able to provide high security for IoT. Hence, a more in-depth investigation is needed in this direction, as achieving a robust authentication scheme is still an open issue.
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
- G. Zhao, J. Wang, J. Luo, X. Long, and X. Si, “Applicability of elliptic curve cryptography on internet of things,” Energy Procedia, vol. 11, pp. 128–133, 2011.
- Z. Dawy, W. Saad, A. Ghosh, J. G. Andrews, and E. Yaacoub, “Towards massive machine type cellular communications,” IEEE Wireless Communications Magazine, vol. 24, no. 1, pp. 120–128, 2017.
- X. Zeng, S. K. Garg, P. Strazdins, P. P. Jayaraman, D. Georgakopoulos, and R. Ranjan, “IOTSim: a simulator for analysing IoT applications,” Journal of Systems Architecture, vol. 72, pp. 93–107, 2017.
- C. M. Sosa-Reyna, E. Tello-Leal, and D. Lara-Alabazares, “Methodology for the model-driven development of service oriented IoT applications,” Journal of Systems Architecture, vol. 90, pp. 15–22, 2018.
- D. Evans, “The internet of things, how the next evolution of the internet is changing everything,” in Whitepaper, Cisco Internet Business Solutions Group (IBSG), vol. 1, pp. 1–12, 2011, http://www.cisco.com/c/dam/enus/about/ac79/docs/innov/IoTIBSG0411FINAL.pdf.
- K. Zhao and L. Ge, “A survey on the internet of things security,” in Proceedings of the 2013 Ninth International Conference on Computational Intelligence and Security, pp. 663–667, Leshan, China, December 2013.
- G. Zhao, X. Si, J. Wang, X. Long, and T. Hu, “A novel mutual authentication scheme for internet of things,” in Proceedings of 2011 International Conference on Modelling, Identification and Control, Shanghai, China, June 2011.
- M. Henze, L. Hermerschmidt, D. Kerpen, R. Häußling, B. Rumpe, and K. Wehrle, “A comprehensive approach to privacy in the cloud-based internet of things,” Future Generation Computer Systems, vol. 56, pp. 701–718, 2016.
- Y. Choi, J. Nam, D. Lee, J. Kim, J. Jung, and D. Won, “Security enhanced anonymous multiserver authenticated key agreement scheme using smart cards and biometrics,” The Scientific World Journal, vol. 2014, Article ID 281305, 15 pages, 2014.
- C.-H. Lin and Y.-Y. Lai, “A Flexible biometrics remote user authentication scheme,” Computer Standards & Interfaces, vol. 27, no. 1, pp. 19–23, 2004.
- W.-C. Kuo, H.-J. Wei, Y.-H. Chen, and J.-C. Cheng, “An enhanced secure anonymous authentication scheme based on smart cards and biometrics for multi-server environments,” in Proceedings of the 10th Asia Joint Conference on Information Security, Kaohsiung, Taiwan, May 2015.
- Z. Benenson, N. Gedicke, and O. Raivio, “Realizing robust user authentication in sensor networks,” in Real-World Wireless Sensor Networks (REALWSN), 2005.
- C. Jiang, B. Li, and H. Xu, “An efficient scheme for user authentication in wireless sensor networks,” in Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW’07), pp. 438–442, Niagara Falls, Canada, May 2007.
- X. H. Le, M. Khalid, R. Sankar, and S. Lee, “An efficient mutual authentication and access control scheme for wireless sensor networks in healthcare,” Journal of Networks, vol. 6, no. 3, pp. 355–364, 2011.
- T.-H. Chen and W.-K. Shih, “A robust mutual authentication protocol for wireless sensor networks,” ETRI Journal, vol. 32, no. 5, pp. 704–712, 2010.
- B. Kitchenham and S. Charters, “Guidelines for performing systematic literature reviews in software engineering,” Keele University, Keele, UK, 2007, EBSE 2007-001.
- F. Q. B. da Silva, M. Suassuna, R. F. Lopes et al., “Replication of empirical studies in software engineering: preliminary findings from a systematic mapping study,” in Proceedings of the 2011 Second International Workshop on Replication in Empirical Software Engineering Research, Banff, Canada, September 2011.
- G. S. Aujla, R. Chaudhary, N. Kumar, A. K. Das, and J. J. P. C. Rodrigues, “SecSVA: secure storage, verification, and auditing of big data in the cloud environment,” IEEE Communications Magazine, vol. 56, no. 1, pp. 78–85, 2018.
- A. K. Das, S. Zeadally, and D. He, “Taxonomy and analysis of security protocols for internet of things,” Future Generation Computer Systems, vol. 89, pp. 110–125, 2018.
- Y. Yang, H. Peng, L. Li, and X. Niu, “General theory of security and a study case in internet of things,” IEEE Internet of Things Journal, vol. 4, no. 2, pp. 592–600, 2017.
- J. Singh, T. Pasquier, J. Bacon, H. Ko, and D. Eyers, “Twenty security considerations for cloud-supported internet of things,” IEEE Internet of Things Journal, vol. 3, no. 3, pp. 269–284, 2016.
- S. M. R. Islam, D. Kwak, M. H. Kabir, M. Hossain, and K.-S. Kwak, “The internet of things for health care: a comprehensive survey,” IEEE Access, vol. 3, pp. 678–708, 2015.
- Y.-P. Liao and S.-S. Wang, “A secure dynamic id based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 1, pp. 24–29, 2009.
- H.-C. Hsiang and W.-K. Shih, “Improvement of the secure dynamic id based remote user authentication scheme for multi-server environment,” Computer Standards & Interfaces, vol. 31, no. 6, pp. 1118–1123, 2009.
- S. K. Sood, A. K. Sarje, and K. Singh, “A secure dynamic identity based authentication protocol for multi-server architecture,” Journal of Network and Computer Applications, vol. 34, no. 2, pp. 609–618, 2011.
- C.-C. Lee, T.-H. Lin, and R.-X. Chang, “A secure dynamic id based remote user authentication scheme for multi-server environment using smart cards,” Expert Systems with Applications, vol. 38, no. 11, pp. 13863–13870, 2011.
- X. Li, Y. Xiong, J. Ma, and W. Wang, “An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards,” Journal of Network and Computer Applications, vol. 35, no. 2, pp. 763–769, 2012.
- J.-S. Leu and W.-B. Hsieh, “Efficient and secure dynamic id-based remote user authentication scheme for distributed systems using smart cards,” IET Information Security, vol. 8, no. 2, pp. 104–113, 2014.
- K. Xue, P. Hong, and C. Ma, “A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture,” Journal of Computer and System Sciences, vol. 80, no. 1, pp. 195–206, 2014.
- S. Shunmuganathan, R. D. Saravanan, and Y. Palanichamy, “Secure and efficient smart-card-based remote user authentication scheme for multiserver environment,” Canadian Journal of Electrical and Computer Engineering, vol. 38, no. 1, pp. 20–30, 2015.
- H. Zhu, “Flexible and password-authenticated key agreement scheme based on chaotic maps for multiple servers to server architecture,” Wireless Personal Communications, vol. 82, no. 3, pp. 1697–1718, 2015.
- X. Li, J. Niu, S. Kumari, J. Liao, and W. Liang, “An enhancement of a smart card authentication scheme for multi-server architecture,” Wireless Personal Communications, vol. 80, no. 1, pp. 175–192, 2015.
- A. Irshad, H. F. Ahmad, B. A. Alzahrani, M. Sher, and S. A. Chaudhry, “An efficient and anonymous chaotic map based authenticated key agreement for multi-server architecture,” KSII Transactions on Internet and Information Systems, vol. 10, no. 12, pp. 5572–5595, 2016.
- T. Maitra, S. K. H. Islam, R. Amin, D. Giri, M. K. Khan, and N. Kumar, “An enhanced multiserver authentication protocol using password and smart-card: cryptanalysis and design,” Security and Communication Networks, vol. 9, no. 17, pp. 4615–4638, 2016.
- R. Amin, N. Kumar, G. P. Biswas, R. Iqbal, and V. Chang, “A light weight authentication protocol for IoT-enabled devices in distributed cloud computing environment,” Future Generation Computer Systems, vol. 78, pp. 1005–1019, 2018.
- L. Zhou, X. Li, K.-H. Yeh, C. Su, and W. Chiu, “Lightweight IoT-based authentication scheme in cloud computing circumstance,” Future Generation Computer Systems, vol. 91, pp. 244–251, 2019.
- M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “Secure remote user authenticated key establishment protocol for smart home environment,” IEEE Transactions on Dependable and Secure Computing, 2017.
- H.-L. Yeh, T.-H. Chen, P.-C. Liu, T.-H. Kim, and H.-W. Wei, “A secured authentication protocol for wireless sensor networks using elliptic curves cryptography,” Sensors, vol. 11, no. 5, pp. 4767–4779, 2011.
- M. Turkanović, B. Brumen, and M. Hölbl, “A novel user authentication and key agreement scheme for heterogeneous ad hoc wireless sensor networks, based on the internet of things notion,” Ad Hoc Networks, vol. 20, pp. 96–112, 2014.
- W.-B. Hsieh and J.-S. Leu, “A robust user authentication scheme using dynamic identity in wireless sensor networks,” Wireless Personal Communications, vol. 77, no. 2, pp. 979–989, 2014.
- M. S. Farash, M. Turkanović, S. Kumari, and M. Hölbl, “An efficient user authentication and key agreement for heterogeneous wireless sensor network tailored for the internet of things environment,” Ad Hoc Networks, vol. 36, pp. 152–176, 2016.
- S. Challa, M. Wazid, A. K. Das et al., “Secure signature-based authenticated key establishment scheme for future IoT applications,” IEEE Access, vol. 5, pp. 3028–3043, 2017.
- X. Li, J. Niu, M. Z. A. Bhuiyan, F. Wu, M. Karuppiah, and S. Kumari, “A robust ECC-based provable secure authentication protocol with privacy preserving for industrial internet of things,” IEEE Transactions on Industrial Informatics, vol. 14, no. 8, pp. 3599–3609, 2018.
- W. Feng, Y. Qin, S. Zhao, and D. Feng, “AAoT: lightweight attestation and authentication of low-resource things in IoT and CPS,” Computer Networks, vol. 134, pp. 167–182, 2018.
- T. Abera, N. Asokan, L. Davi et al., “Invited—things, trouble, trust: on building trust in IoT systems,” in Proceedings of the 53rd Annual Design Automation Conference (DAC’16), pp. 1–6, Austin, TX, USA, June 2016.
- A. Seshadri, A. Perrig, L. van Doorn, and P. Khosla, “SWATT: software-based attestation for embedded devices,” in Proceedings of the IEEE Symposium on Security and Privacy, pp. 272–282, Berkeley, CA, USA, May 2004.
- A. Seshadri, M. Luk, A. Perrig, L. van Doorn, and P. K. Khosla, “SCUBA: secure code update by attestation in sensor networks,” in Proceedings of the 5th ACM workshop on Wireless Security, pp. 85–94, New York, NY, USA, September 2006.
- F. Armknecht, A. R. Sadeghi, S. Schulz, and C. Wachsmann, “A security framework for the analysis and design of software attestation,” in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 1–12, Berlin, Germany, November 2013.
- J. Horsch, S. Wessel, F. Stumpf, and C. Eckert, “SobTrA: a software-based trust anchor for ARM cortex application processors,” in Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, pp. 273–280, San Antonio, TX, USA, March 2014.
- K. El Defrawy, A. Francillon, D. Perito, and G. Tsudik, “SMART: secure and minimal architecture for (establishing a dynamic) root of trust,” in Proceedings of the 19th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, February 2012.
- P. Koeberl, S. Schulz, A.-R. Sadeghi, and V. Varadharajan, “TrustLite: a security architecture for tiny embedded devices,” in Proceedings of the Ninth European Conference on Computer Systems (EuroSys ’14), pp. 1–14, Amsterdam, Netherlands, April 2014.
- F. Brasser, B. El Mahjoub, A.-R. Sadeghi, C. Wachsmann, and P. Koeberl, “TyTAN: tiny trust anchor for tiny devices,” in Proceedings of the 52nd ACM/EDAC/IEEE Design Automation Conference (DAC ’15), pp. 1–6, San Francisco, CA, USA, June 2015.
- R. Maes, “PUF-based entity identification and authentication,” in Physically Unclonable Functions, pp. 117–141, Springer, Berlin, Heidelberg, 2013.
- S. Zhao, Q. Zhang, G. Hu, Y. Qin, and D. Feng, “Providing root of trust for ARM TrustZone using on-chip SRAM,” in Proceedings of the 4th International Workshop on Trustworthy Embedded Devices (TrustED ’14), pp. 25–36, Scottsdale, Arizona, USA, November 2014.
- A. Seshadri, M. Luk, E. Shi, A. Perrig, L. van Doorn, and P. Khosla, “Pioneer: verifying code integrity and enforcing untampered code execution on legacy systems,” in Proceedings of the Twentieth ACM Symposium on Operating Systems Principles (SOSP ’05), pp. 1–16, Brighton, UK, October 2005.
- T. AbuHmed, N. Nyamaa, and D. Nyang, “Software-based remote code attestation in wireless sensor network,” in Proceedings of the GLOBECOM 2009—2009 IEEE Global Telecommunications Conference, pp. 1–8, Honolulu, HI, USA, November 2009.
- Y. Yang, X. Wang, S. Zhu, and G. Cao, “Distributed software-based attestation for node compromise detection in sensor networks,” in Proceedings of the 26th IEEE International Symposium on Reliable Distributed Systems (SRDS) 2007, pp. 219–230, Beijing, China, October 2007.
- D. Perito and G. Tsudik, “Secure code update for embedded devices via proofs of secure erasure,” in Proceedings of the European Symposium on Research in Computer Security (ESORICS) 2010, pp. 643–662, Athens, Greece, September 2010.
- M. Jakobsson and K.-A. Johansson, “Practical and secure software-based attestation,” in Proceedings of the 2011 Workshop on Lightweight Security & Privacy: Devices, Protocols, and Applications, pp. 1–9, Istanbul, Turkey, March 2011.
- V. Gratzer and D. Naccache, “Alien vs. quine, the vanishing circuit and other tales from the industry’s crypt,” in Proceedings of the 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT’06), pp. 48–58, St. Petersburg, Russia, May 2006.
- M. Shaneck, K. Mahadevan, V. Kher, and Y. Kim, “Remote software-based attestation for wireless sensors,” in Proceedings of the Second European Conference on Security and Privacy in Ad-Hoc and Sensor Networks, 2005 (ESAS’05), pp. 27–41, Visegrad, Hungary, July 2005.
- T. Park and K. G. Shin, “Soft tamper-proofing via program integrity verification in wireless sensor networks,” IEEE Transactions on Mobile Computing, vol. 4, no. 3, pp. 297–309, 2005.
- G. Wurster, P. C. van Oorschot, and A. Somayaji, “A generic attack on checksumming-based software tamper resistance,” in Proceedings of the 2005 IEEE Symposium on Security and Privacy (S&P’05), pp. 127–138, Oakland, CA, USA, May 2005.
- C. Castelluccia, A. Francillon, D. Perito, and C. Soriente, “On the difficulty of software-based attestation of embedded devices,” in Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS ’09), pp. 400–409, Chicago, IL, USA, November 2009.
- Y. Li, Y. Cheng, V. Gligor, and A. Perrig, “Establishing software-only root of trust on embedded systems: facts and fiction,” in Security Protocols XXIII, pp. 50–68, Springer, Berlin, Germany, 2015.
- U. Ruhrmair and D. E. Holcomb, “PUFs at a glance,” in Proceedings of the Conference on Design, Automation & Test in Europe (DATE ’14), Dresden, Germany, March 2014.
- J. Kong, F. Koushanfar, P. K. Pendyala, A.-R. Sadeghi, and C. Wachsmann, “PUFatt: embedded platform attestation based on novel processor-based PUFs,” in Proceedings of the 51st ACM/EDAC/IEEE Design Automation Conference (DAC), San Francisco, CA, USA, June 2014.
- S. Schulz, A.-R. Sadeghi, and C. Wachsmann, “Short paper: lightweight remote attestation using physical functions,” in Proceedings of the Fourth ACM Conference on Wireless Network Security (WISEC ’11), pp. 109–114, Hamburg, Germany, June 2011.
- M. T. Hammi, B. Hammi, P. Bellot, and A. Serhrouchni, “Bubbles of trust: a decentralized blockchain-based authentication system for IoT,” Computers & Security, vol. 78, pp. 126–142, 2018.
- K. Christidis and M. Devetsikiotis, “Blockchains and smart contracts for the internet of things,” IEEE Access, vol. 4, pp. 2292–2303, 2016.
- H. Malviya, “How blockchain will defend IoT,” 2016, http://www.slideshare.net/HiteshMalviya/how-blockchain-will-defend-iot.
- A. Bahga and V. K. Madisetti, “Blockchain platform for industrial internet of things,” Journal of Software Engineering and Applications, vol. 9, no. 10, 2016.
- T. Hardjono and N. Smith, “Cloud-based commissioning of constrained devices using permissioned blockchains,” in Proceedings of the 2nd ACM International Workshop on IoT Privacy, Trust, and Security (IoTPTS ’16), pp. 29–36, Xi’an, China, May 2016.
- S. Huh, S. Cho, and S. Kim, “Managing IoT devices using blockchain platform,” in Proceedings of the 19th International Conference on Advanced Communication Technology (ICACT), Bongpyeong, Republic of Korea, February 2017.
- M. Ruta, F. Scioscia, S. Ieva, G. Capurso, A. Pinto, and E. Di Sciascio, “A blockchain infrastructure for the semantic web of things,” in Proceedings of the SEBD 2018: 26th Italian Symposium on Advanced Database Systems, Castellaneta Marina, Italy, June 2018.
- A. Dorri, S. S. Kanhere, R. Jurdak, and P. Gauravaram, “Blockchain for IoT security and privacy: the case study of a smart home,” in Proceedings of the 2017 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops), Kona, HI, USA, March 2017.
- A. Ouaddah, A. A. Elkalam, and A. A. Ouahman, “Towards a novel privacy-preserving access control model based on blockchain technology in IoT,” in Proceedings of the Europe and MENA Cooperation Advances in Information and Communication Technologies, pp. 523–533, Niagara Falls, Canada, October 2017.
- Q. Xu, K. M. M. Aung, Y. Zhu, and K. L. Yong, “A blockchain-based storage system for data analytics in the internet of things,” in New Advances in the Internet of Things, Springer, Berlin, Germany, 2018.
- P. K. Dhillon and S. Kalra, “A lightweight biometrics-based remote user authentication scheme for IoT services,” Journal of Information Security and Applications, vol. 34, pp. 255–270, 2017.
- M. K. Khan and J. Zhang, “Improving the security of ‘a flexible biometrics remote user authentication scheme’,” Computer Standards & Interfaces, vol. 29, no. 1, pp. 82–85, 2007.
- G. de Meulenaer, F. Gosset, F.-X. Standaert, and O. Pereira, “On the energy cost of communication and cryptography in wireless sensor networks,” in Proceedings of the 2008 IEEE International Conference on Wireless and Mobile Computing, Networking and Communications, Avignon, France, October 2008.
- C.-T. Li and M.-S. Hwang, “An efficient biometrics-based remote user authentication scheme using smart cards,” Journal of Network and Computer Applications, vol. 33, no. 1, pp. 1–5, 2010.
- D. He, Y. Gao, S. Chan, C. Chen, and J. Bu, “An enhanced two-factor user authentication scheme in wireless sensor networks,” Ad Hoc & Sensor Wireless Networks, vol. 10, no. 4, pp. 361–371, 2010.
- L. Yao, B. Liu, G. Wu, K. Yao, and J. Wang, “A biometric key establishment protocol for body area networks,” International Journal of Distributed Sensor Networks, vol. 7, no. 1, Article ID 282986, 2011.
- X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, “A generic framework for three-factor authentication: preserving security and privacy in distributed systems,” IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 8, pp. 1390–1397, 2011.
- Y. An, “Security analysis and enhancements of an effective biometric-based remote user authentication scheme using smart cards,” Journal of Biomedicine and Biotechnology, vol. 2012, Article ID 519723, 6 pages, 2012.
- T. Kothmayr, C. Schmitt, W. Hu, M. Brunig, and G. Carle, “A DTLS based end-to-end security architecture for the internet of things with two-way authentication,” in Proceedings of the 37th Annual IEEE Conference on Local Computer Networks—Workshops, pp. 956–963, Clearwater, FL, USA, October 2012.
- J. Liu, Y. Xiao, and C. L. P. Chen, “Authentication and access control in the internet of things,” in Proceedings of the 32nd International Conference on Distributed Computing Systems Workshops, Macau, China, June 2012.
- C.-T. Li, C.-Y. Weng, and C.-C. Lee, “An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks,” Sensors, vol. 13, no. 8, pp. 9589–9603, 2013.
- Y.-P. Liao and C.-M. Hsiao, “A secure ECC-based RFID authentication scheme integrated with ID-verifier transfer protocol,” Ad Hoc Networks, vol. 18, pp. 133–146, 2014.
- K. Xue, C. Ma, P. Hong, and R. Ding, “A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks,” Journal of Network and Computer Applications, vol. 36, no. 1, pp. 316–323, 2013.
- B. Ndibanje, H.-J. Lee, and S.-G. Lee, “Security analysis and improvements of authentication and access control in the internet of things,” Sensors, vol. 14, no. 8, pp. 14786–14805, 2014.
- Y. B. Saied, A. Olivereau, D. Zeghlache, and M. Laurent, “Lightweight collaborative key establishment scheme for the internet of things,” Computer Networks, vol. 64, pp. 273–295, 2014.
- L. Chen, F. Wei, and C. Ma, “A secure user authentication scheme against smart-card loss attack for wireless sensor networks using symmetric key techniques,” International Journal of Distributed Sensor Networks, vol. 11, no. 4, pp. 63–73, 2015.
- A. K. Das and A. Goswami, “A robust anonymous biometric-based remote user authentication scheme using smartcards,” Journal of King Saud University-Computer and Information Sciences, vol. 27, no. 2, pp. 193–210, 2015.
- M. Abadi, B. Blanchet, and H. Comon-Lundh, “Models and proofs of protocol security: a progress report,” in Proceedings of the International Conference on Computer Aided Verification, pp. 35–49, Grenoble, France, June 2009.
- M. A. Jan, P. Nanda, X. He, Z. Tan, and R. P. Liu, “A robust authentication scheme for observing resources in the internet of things environment,” in Proceedings of the 13th International Conference on Trust, Security and Privacy in Computing and Communications, Beijing, China, September 2014.
- K. Hartke and H. Tschofenig, “A DTLS 1.2 profile for the internet of things, draft-ietf-dice-profile-00,” 2014, https://tools.ietf.org/id/draft-ietf-dice-profile-00.html.
- AVISPA, “The security protocol animator for AVISPA,” 2017, http://www.avispa-project.org/.
- S. F. Doghmi, J. D. Guttman, and F. J. Thayer, “Searching for shapes in cryptographic protocols,” in Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp. 523–537, Springer, Berlin, Germany, October 2007.
Copyright © 2019 Sanaz Kavianpour et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.