Abstract

Real-time, highly efficient communication has become a vital property of IoT-enabled equipment as the application range of the Internet of Things has widened. At the same time, the centralized nature of cloud computing is gradually becoming unable to meet the demand for both low latency and high computing efficiency. To resolve these issues, new computing paradigms have been introduced, such as edge, dew, and fog computing. Recently, Saurabh et al. introduced a mutual authentication protocol for dew-assisted IoT devices, which was claimed to resist various attacks without requiring a trusted server. However, this paper shows that Saurabh et al.’s scheme lacks forward security and user anonymity. A new authenticated key agreement (AKA) protocol, named e-SMDAS, is then put forward and formally proven secure under the eCK security model. Further, analysis with BAN logic and the Scyther tool also confirms the security of e-SMDAS. Finally, a comparative analysis of security features and computation efficiency between e-SMDAS and several recent schemes is given at the end of this paper.

1. Introduction

Cloud computing, although developing rapidly, is gradually becoming unable to satisfy the growing needs of the Internet. Flavio et al. [1] introduced the idea of fog computing. However, with the rapid development of the Internet, fog computing alone could not satisfy the quality requirements of cloud-assisted services. Other computing paradigms were proposed to meet the growing demand for high-quality cloud services. Tian et al. [2] recently proposed a framework for blockchain-assisted edge services in the Industrial Internet of Things (IIoT). The paradigm of dew computing was put forward by Wang [3, 4] to make full use of on-premises devices and cloud services. Defined as an on-premises device software-hardware organization paradigm in the cloud computing environment, dew computing, in which dew servers are independent of cloud servers when offline and collaborate with cloud servers when online, provides high information processing capability and low-latency communication. The system architecture of cloud-fog-dew computing is shown in Figure 1.

To build a secure and flexible dew computing paradigm, many security features need to be considered. Besides basic mutual authentication and session key confirmation, protocols in this paradigm also require forward security, which ensures that the leakage of long-term secrets does not affect the session keys. Since communications between servers are closely related to users’ privacy, anonymity and untraceability are also vital.

To achieve secure communication in networks driven by fog computing, Hameed et al. [5] proposed a scheme that they claimed could achieve mutual authentication, low consumption, and high efficiency in the smart home case. In 2021, Liu et al. [6] proposed a distributed access control system based on the decentralized concept of fog computing and blockchain technology. A similar idea was explored by Shukla et al. [7], who adopted a signature-based encryption algorithm to maximize the strengths of fog computing and blockchain.

The application field of the Internet of Things (IoT) has extended largely in recent years. Aiming at protecting the secrecy, integrity, and anonymity of IoT-assisted end devices, Singh and Chaurasiya [8] discussed a possible mutual authentication scheme for the vulnerable fog nodes. A combination of elliptic curve Diffie–Hellman ephemeral key exchange algorithm and preshared key was analyzed by Amanlou et al. [9] to achieve credible communication between the fog gateways and devices located in IoT.

Our contributions in this paper mainly consist of the following four points.
(i) We analyze an authenticated key agreement (AKA) protocol designed for a dew-assisted system by Saurabh et al. [10], referred to as SMDAS protocol below, and point out that their scheme lacks forward security and user anonymity.
(ii) Upon the analysis, we design a new AKA protocol, called e-SMDAS protocol below, remedying SMDAS protocol to achieve the mutual authentication, session key establishment, forward security, user anonymity, and other security features.
(iii) The security of our protocol is formally proven under the eCK security model and also confirmed using the Scyther tool and BAN logic.
(iv) Finally, results of comparison between the enhanced protocol and several recent schemes demonstrate the advantages of our protocol in the aspects of security features and communication efficiency.

The arrangement of this paper is as follows. Related works are first introduced in Section 2. In Section 3, we present some preliminaries used in the analysis of the proposed protocol. After reviewing the process of SMDAS protocol in Section 4, we analyze the security flaws of SMDAS protocol in Section 5. Our newly proposed protocol is described explicitly in Section 6; its formal security proof and security analysis using Scyther tool and BAN logic are provided in Section 7. Comparisons between the proposed protocol and SMDAS protocol are demonstrated in Section 8. Finally, in Section 9, the conclusion is highlighted.

2. Related Works

Anonymity and privacy preservation are vital security features that are urgently required not only in the dew computing paradigm but also in many other applications. To summarize these applications, several related schemes [11–16] are listed in Table 1. They have received much attention because of the decentralized nature of the dew-assisted paradigm [17].

Recently, a lightweight anonymity client authentication scheme was proposed by Gaikwad et al. [18] adopting chaotic hash function. Moreover, Masud et al. [19] proposed a lightweight and physically secure mutual authentication and secret key establishment protocol preserving privacy for COVID-19 patients’ care in the Internet of Medical Things. Their protocol used physical unclonable functions to make the network devices distinguish the legitimacy of doctors before acquiring a session key. Xiong et al. [20] proposed a three-party data privacy-preserving mechanism with game theory and machine learning technology. Tian et al. [21] proposed a graph clustering method to protect data privacy sharing in the Social Internet of Things (SIoT).

Besides, forward security is one of the main concerns for AKA protocols. In 2015, Chaudhry et al. [22] proposed a remote user authentication scheme. Regrettably, Ravanbakhsh et al. [23] claimed that Chaudhry et al.’s scheme was unable to achieve perfect forward security and proposed an authenticated communication scheme for Voice over Internet Protocol (VoIP). Later, Nikooghadam and Amintoosi [24] proved that Ravanbakhsh et al.’s scheme did not provide perfect forward security and put forward a two-factor AKA scheme with perfect forward security.

Recently, Saurabh et al. [10] introduced a mutual AKA protocol for dew-assisted devices. They applied bilinear pairings to achieve mutual authentication and the establishment of secure session keys. A formal analysis was presented using AVISPA and the theory of security reduction. However, in this paper, we analyze the security of this protocol and show that it lacks forward security and user anonymity.

3. Preliminaries and Security Model

In this section, we concisely introduce the mathematical definitions and security model used next.

3.1. Mathematical Hard Problems

(i) Elliptic Curve Discrete Logarithm (ECDL) Problem: Given an elliptic curve , an additive cyclic group based on , a generator of , and an element from , it is hard to extract from and .
(ii) Elliptic Curve Computational Diffie–Hellman (ECCDH) Problem: Given an elliptic curve , an additive cyclic group based on , and a generator of , considering the elements and from , it is hard to compute .

3.2. Security Model

LaMacchia et al. [25] proposed the eCK security model in 2007. In this model, each entity owns two secrets, a long-term key and an ephemeral key . Assume two entities are and ; their long-term keys are , ; and their ephemeral keys are , , respectively. Besides, each session under the eCK security model has its own identity, denoted as if this session’s owner is entity . Then, the abilities of adversary, denoted as , can be defined through the queries below:
(i) Send(): Through this query, can send message to entity and get the corresponding message according to the protocol.
(ii) Reveal(): Through this query, can acquire the session key of if session has been completed. Otherwise, will get nothing.
(iii) Ephemeral(): Through this query, can obtain the ephemeral key of the session .
(iv) Longterm(): Through this query, can obtain the long-term key of entity .
(v) Test(): If launches this query, session will randomly choose from . If , will choose a random number from the set of keys and send it back to . If , will send the real session key back to .

To define a secure protocol in the eCK security model, a definition of freshness should be presented first since a secure game through Test() is querying toward a fresh session.

Definition 1. A session with identity in the eCK model at entity whose intended partner denoted as is fresh if the following items are satisfied:
(i) The session has not been asked for a Reveal query.
(ii) If a matching session exists with session identity , then
  (i) not both Ephemeral() and Longterm() queries have been asked for;
  (ii) not both Ephemeral() and Longterm() queries have been asked for.
(iii) If no partner exists, then
  (i) not both Ephemeral() and Longterm() queries have been asked for;
  (ii) Longterm() queries have not been asked for.

Based on this definition, we present the definition of a secure session in the eCK security model.

Definition 2. The advantage of the adversary in the secure game with AKA protocol is defined as .
If the matching session of computes the same session key and no efficient adversary has more than a negligible advantage in winning the secure game, then the protocol is secure under the eCK security model.
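Definition 1 can be read as a predicate over the adversary's query log. The following is an added example, not code from the paper: the `Session` fields and the assignment of query targets (session identities for Reveal and Ephemeral, entity names for Longterm) follow the original eCK definition of LaMacchia et al. and are assumptions here, since the page's symbols did not survive. The sample query sets are constructed and mirror the four key-exposure combinations the proof in Section 7.1 considers.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One logged query: (query name, target). The target is a session identity
# for Reveal/Ephemeral and an entity name for Longterm (assumed encoding).
Query = Tuple[str, Optional[str]]


@dataclass(frozen=True)
class Session:
    sid: str                        # identity of this session
    owner: str                      # entity running the session
    peer: str                       # intended partner
    matching: Optional[str] = None  # identity of the matching session, if any


def is_fresh(s: Session, asked: Set[Query]) -> bool:
    """Freshness of session s given every query the adversary has asked."""
    # Item (i): the session key itself was never revealed.
    if ("Reveal", s.sid) in asked:
        return False
    # The owner's ephemeral and long-term secrets are never both exposed.
    if ("Ephemeral", s.sid) in asked and ("Longterm", s.owner) in asked:
        return False
    if s.matching is not None:
        # The original eCK definition also excludes Reveal on the matching
        # session; item (i) on the page names only the session itself.
        if ("Reveal", s.matching) in asked:
            return False
        # Item (ii): same "not both" rule for the partner's two secrets.
        if ("Ephemeral", s.matching) in asked and ("Longterm", s.peer) in asked:
            return False
    else:
        # Item (iii): with no matching session the partner has no ephemeral
        # key in play, so its long-term key alone must stay unexposed.
        if ("Longterm", s.peer) in asked:
            return False
    return True


def experiment4_cases(s: Session) -> List[Set[Query]]:
    """Constructed query sets: one secret per party, in all four combinations."""
    return [
        {("Longterm", s.owner), ("Longterm", s.peer)},
        {("Longterm", s.owner), ("Ephemeral", s.matching)},
        {("Ephemeral", s.sid), ("Longterm", s.peer)},
        {("Ephemeral", s.sid), ("Ephemeral", s.matching)},
    ]


if __name__ == "__main__":
    test_session = Session(sid="sid_A", owner="A", peer="B", matching="sid_B")
    for case in experiment4_cases(test_session):
        print(sorted(case), "->", is_fresh(test_session, case))
```

Each of the four combinations leaves the test session fresh, which is why the proof has to handle all of them; exposing both secrets of one party does not.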

4. Review of SMDAS Protocol

In this section, we review the registration and session key distribution phases of SMDAS protocol [10]. There are three types of entities participating in SMDAS protocol, namely, a sensor node , a dew server , and a cloud server . Notations used in SMDAS protocol are listed in Table 2.

4.1. Registration Phase

Firstly, the cloud server initializes this system according to the following steps.
(i) selects an appropriate elliptic curve over a finite field and then selects , a subgroup of , whose order is . is a group generator of .
(ii) randomly chooses and calculates .
(iii) Finally, publishes the public parameters and keeps as its own secret key securely.

4.2. Dew Server Registration Phase

Assume that there are dew servers and each one is denoted as , . These servers select their own identities . When a dew server registers to the cloud server, it sends its identity to . After receiving ’s identity, will compute for , where .

4.3. Sensor Node Registration Phase

Every sensor node, denoted as , has its own identity and password . When the sensor node needs to register to , it firstly computes and sends message to . Upon receiving the registration request from , verifies to confirm is an unregistered node. Then, computes , , . After computing, stores and sends message to . When receives message from , it computes and stores .

4.4. Session Key Distribution Phase

After and register to , they can establish a session with and . The detailed steps are described below.
(i) randomly chooses and computes the corresponding public key and . Then, calculates the elements of message as follows: , , , , . sends , where is the current timestamp.
(ii) computes , , , and . According to these parameters, verifies whether equals . randomly selects and computes the public key . Then, calculates , , , . sends message , where is the current timestamp and stores the session key .
(iii) computes , , and . According to these parameters, verifies whether equals . If it succeeds, accepts as the session key.

5. Cryptanalysis of SMDAS Protocol

In this section, we present two security flaws of SMDAS protocol as the adversary can acquire private key of and through Extract() and Extract(), respectively, mentioned in [10].

5.1. Lack of Forward Security

In this subsection, we demonstrate that if the private key of sensor node is compromised, then the session key will be easily recovered by the adversary :
(i) In the session key distribution phase, eavesdrops on the message from dew server to sensor node, .
(ii) launches Extract query to the sensor node and acquires ’s private secret keys .
(iii) After obtaining the parameters above, can extract by and the session key according to the way generating .

Thus, in this way, adversary can recover the session key. It can be concluded that the steps described are in accordance with the definition of weak forward security.
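Why a leaked long-term key exposes a recorded session in one design and not in another can be shown on a small model. This is an added example, not the paper's code and not the SMDAS or e-SMDAS equations (which did not survive on this page): design A masks the server's fresh secret under the long-term key, design B derives the key from an ephemeral Diffie-Hellman exchange. The toy modulus, the function names and the timestamp value are assumptions.

```python
import hashlib
import hmac
import secrets

P = 2**255 - 19   # toy prime modulus (assumption, not a protocol parameter)
G = 2             # toy base


def H(*parts: bytes) -> bytes:
    """Length-prefixed SHA-256 over several fields."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def i2b(n: int) -> bytes:
    return n.to_bytes(32, "big")


def run_masked(lt_key: bytes):
    """Design A: fresh secret r is sent masked under the long-term key."""
    ts = b"T1"                                   # constructed timestamp
    r = secrets.token_bytes(32)
    transcript = {"c": xor(r, H(lt_key, ts)), "ts": ts}
    return transcript, H(r, ts)                  # (what the wire shows, session key)


def run_ephemeral_dh(lt_key: bytes):
    """Design B: long-term key only authenticates; key comes from g^(ab)."""
    a = secrets.randbelow(P - 2) + 1             # sensor's ephemeral secret
    b = secrets.randbelow(P - 2) + 1             # server's ephemeral secret
    ga, gb = pow(G, a, P), pow(G, b, P)
    tag = hmac.new(lt_key, i2b(ga) + i2b(gb), hashlib.sha256).digest()
    sk_sensor = H(i2b(pow(gb, a, P)))
    sk_server = H(i2b(pow(ga, b, P)))
    assert sk_sensor == sk_server                # both sides agree
    # a and b are discarded on return; only ga, gb, tag were ever sent.
    return {"ga": ga, "gb": gb, "tag": tag}, sk_sensor


def after_leak(transcript: dict, lt_key: bytes):
    """Recorded transcript plus a later-leaked long-term key (steps (i)-(iii))."""
    if "c" in transcript:
        r = xor(transcript["c"], H(lt_key, transcript["ts"]))
        return H(r, transcript["ts"])            # unmask r, re-derive the key
    # Design B: the leaked key can only re-check the authentication tag.
    expected = hmac.new(lt_key, i2b(transcript["ga"]) + i2b(transcript["gb"]),
                        hashlib.sha256).digest()
    assert hmac.compare_digest(expected, transcript["tag"])
    return None   # g^(ab) is not computable from ga and gb (CDH assumption)


def forward_secure(run) -> bool:
    """True if the past session key survives leakage of the long-term key."""
    lt_key = secrets.token_bytes(32)
    transcript, session_key = run(lt_key)
    return after_leak(transcript, lt_key) != session_key


if __name__ == "__main__":
    print("masked design forward secure:", forward_secure(run_masked))
    print("ephemeral DH forward secure: ", forward_secure(run_ephemeral_dh))
```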

5.2. Lack of User Anonymity

We point out an efficient method to prove that SMDAS protocol lacks user anonymity in this subsection by compromising the private key of dew server following the steps below.
(i) first eavesdrops the message .
(ii) Then, launches Extract() to get the private key of , .
(iii) In this way, can compute .
(iv) Finally, the adversary can derive the identity of as .

When the adversary implements the attack described above, can easily get the identity of the sensor node. This means SMDAS protocol can hardly protect the anonymity of users.

6. e-SMDAS Protocol

In this section, we propose a new anonymous and secure mutual AKA protocol remedying the flaws of SMDAS protocol, which we call e-SMDAS protocol.

There are three main phases in the proposed protocol, namely, initialization phase, registration phase, and secure session key establishment phase. Particularly, the registration phase can be divided into two parts, the sensor node registration phase and the dew server registration phase. In Table 3, the notations applied in the proposed protocol are presented.

6.1. Initialization Phase

The cloud server, also the registration server, acts as the trusted authority. It first selects a suitable cyclic group based on an elliptic curve . The order of the group is the prime and the generator of the group is . Then, the server randomly selects as its master key while it computes its public key accordingly and defines the three hash functions , , . Finally, the server publishes the public parameters to initialize the system and keeps secretly.

6.2. Registration Phase

Before sensor nodes and dew servers are put into usage, they must be registered in the cloud server first to acquire their long-term keys in the further communications. Both the sensor node registration phase and the dew server registration phase are described as follows.

6.2.1. Sensor Node Registration Phase

Before registers in the cloud server , should first choose its identity and password . Then, can begin the registration phase as it first sends the registration request to the cloud server .
(i) first chooses its identity and password . It randomly selects in and computes . Finally, sends message to .
(ii) After receiving from , first checks if this identity has ever been registered. If it has not, then the server computes . After finishing computation, sends message back to .
(iii) After getting from , stores as its long-term key securely and deletes timely.

6.2.2. Dew Server Registration Phase

Just as the sensor node registration phase, the dew server first registers in the cloud server . operates the following steps for registration:
(i) randomly selects in and computes . Then, it sends its identity and to in a secure channel.
(ii) After receiving the message from , first checks whether the has been registered. If it has not, generates the long-term key for the dew server. computes , and sends to .
(iii) On receiving the message from , stores securely and publishes .

6.3. Secure Session Establishment Phase

After registering in the cloud server, both the sensor node and the dew server get their long-term keys. Then, they can establish their session key through the following steps, also illustrated in Figure 2.
(i) randomly chooses and computes the corresponding public key . Then, computes , . sends message to as the request for service, where is the present timestamp.
(ii) On receiving message from , first checks the freshness of the timestamp . Then, it computes and . If it succeeds, can obtain , by utilizing which it can compute . randomly selects and computes , as well as the session key . Finally, computes , and sends message .
(iii) After receiving the message from , computes , and the session key . Finally, it verifies whether the equality is right.

Hence, both the sensor node and the dew server get the same session key:

In this way, if the dew server is the right potential partner, it can correctly calculate . and can obtain the same session key apparently according to the equality below:

7. Security Proof

This section proves the security of e-SMDAS protocol by three methods. Firstly, we prove the security of the proposed protocol under the eCK security model. Then, we present a further security attribute analysis using the Scyther tool. Finally, by using BAN logic, we deduce the final security goals.

7.1. Security Theorem

We have proven the correctness of the proposed protocol above; in this subsection, we will prove the security of e-SMDAS protocol.

Theorem 1. Let be a probabilistic polynomial time adversary against the proposed protocol with a time bound , making at most . Send queries , , random oracle queries. Then,where means the success probability of solving an instance of ECCDH problem by an algorithm .

Proof of Theorem 1. Next, we will prove the security of the proposed protocol through defining a sequence of hybrid experiments where correctly guesses the random bit in the Test query. Specifically, each experiment has a definition of to illustrate the advantage.
(i) Experiment 0: This experiment simulates the situation of the attacks against the real protocols in the random oracle model. According to the definition, there exists , which means the origin advantage of adversary.
(ii) Experiment 1: In this experiment, simulates the random oracles , , and by keeping hash lists , , as follows:
  (i) If there exists a record of message as in the list , it returns . Otherwise, it selects an element , adds the record to the list , and then returns .
  (ii) If there exists a record of message as in the list , it returns . Otherwise, it selects an element in the key set, adds the record to the list , and then returns .
  (iii) If there exists a record of message as in the list , it returns . Otherwise, it selects an element in the key set, adds the record to the list , and then returns .
  The Send, Reveal, Longterm, Ephemeral, and Test queries are also simulated as the real attack. Thus, this experiment is same as the real experiment, which means that the equation holds.
(iii) Experiment 2: In this experiment, we simulate all oracles the same as Experiment 1 except that a collision occurs in the output of the oracle or the session transcripts. According to the birthday paradox, the probability of collisions in the output of the oracle is at most , where is the maximum times of queries to . The same deduction can be applied to and . Therefore, the successful probability of Experiment 2 satisfies .
(iv) Experiment 3: In this experiment, the protocol will not halt except that successfully guesses or () without querying or . Therefore, there exists .
(v) Experiment 4: In this experiment, we only consider the situation where exactly chooses a random session as the test session. Besides, the computation of the test session key is modified to select a random key from the key set. Consequently, the difference between Experiment 3 and Experiment 4 is in the event when queries the tuple or to in the test session. To describe this difference, the following four cases may be considered:
  (i) Longterm() and Longterm() are queried, from which can obtain the long-term key of and , of . To calculate the session key, either or is required.
  (ii) Longterm() and Ephemeral() are queried, from which can obtain the long-term key of and of . To calculate the session key, is required.
  (iii) Ephemeral() and Longterm() are queried, from which can obtain the long-term key of and , of . To calculate the session key, is required.
  (iv) Ephemeral() and Ephemeral() are queried, from which can obtain the long-term key of and of . To calculate the session key, and are required.
  If any of these four cases happens, then referring to the method proposed in [26], we can construct an algorithm to solve an instance of ECCDH problem, and there exists
  Besides, in Experiment 4, to guess the bit in the Test query is random, and other sessions do not matter. Therefore, there exists .
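The hash-list simulation of Experiment 1 and the collision event of Experiment 2 can be reproduced directly. This is an added example, not code from the paper: `LazyOracle`, the 16-bit output length and the query counts are assumptions chosen so that collisions are observable, and the bound used is the standard birthday form q²/2^(l+1) for q queries to an oracle with l-bit output, since the page's own expression did not survive.

```python
import random
from typing import Dict, Optional


class LazyOracle:
    """Random oracle simulated by lazy sampling, as in Experiment 1."""

    def __init__(self, out_bits: int, rng: Optional[random.Random] = None):
        self.out_bits = out_bits
        # Simulation only: a seeded PRNG keeps the experiment repeatable.
        self.rng = rng or random.Random()
        self.table: Dict[bytes, int] = {}      # the hash list of (message, output)

    def query(self, message: bytes) -> int:
        # Recorded message: return the stored answer. Otherwise sample a
        # fresh uniform value, record it, and return it.
        if message not in self.table:
            self.table[message] = self.rng.getrandbits(self.out_bits)
        return self.table[message]

    def has_collision(self) -> bool:
        # Experiment 2's bad event: two distinct messages share an output.
        return len(set(self.table.values())) < len(self.table)


def birthday_bound(q: int, out_bits: int) -> float:
    """Standard upper bound on the collision probability after q queries."""
    return q * q / 2 ** (out_bits + 1)


def collision_rate(q: int, out_bits: int, trials: int, seed: int = 1) -> float:
    """Fraction of independent oracles that show a collision after q queries."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        oracle = LazyOracle(out_bits, rng)
        for i in range(q):
            oracle.query(i.to_bytes(4, "big"))  # q distinct constructed messages
        hits += oracle.has_collision()
    return hits / trials


if __name__ == "__main__":
    q, bits = 300, 16
    print("observed collision rate:", collision_rate(q, bits, trials=400))
    print("birthday bound:         ", birthday_bound(q, bits))
```

With a 160-bit output, as assumed in Section 8, the same bound is negligible for any feasible number of queries, which is what lets the proof discard the collision event.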

7.2. Scyther Security Analysis

Besides proving the security of the proposed model formally, we also use Scyther tool to show the proposed protocol is secure against various attacks. The setting used is presented in Figure 3 to achieve highly strong security, including perfect forward security, resistance to session key reveal attack, and resistance to ephemeral key leakage attack.

The result of analysis is demonstrated in Figure 4. According to Figure 4, we can clearly infer that under the setting predefined, the session key is secure against various attacks.

7.3. BAN Logic Formalized Security Proof

In this subsection, we provide another method to analyze the security of e-SMDAS protocol.

Next, we will prove that the proposed protocol can achieve the mutual authentication and two participants can obtain the same session key. We first present the security goals using BAN logic followed. We simplify the sensor node as , and the dew server as .(i).(ii).(iii).(iv).

Then, we formalize the original messages into the idealized ones as follows:(i).(ii).

Thirdly, we make the initial assumptions.(i).(ii).(iii).(iv).(v).(vi).

Finally, following the idealized messages, we utilize the predefined notations, rules, and assumptions to deduce the goals of the proposed protocol. The proof process is presented as follows:(i)From , we can derive the formula as follows:(1)(ii)According to and , we can deduce the formula as follows:(1)(2)(iii)According to , , and , we can deduce the formula as follows:(1)(iv)According to , , and , we can deduce the formula as follows:(1)(2)(3)(v)From , we can derive the formula below:(1)(vi)According to , and , we can deduce the formula , , and :(1).(2).(3).(vii)According to , , and , we can deduce the formula :(1)(viii)According to , , and , we can deduce the formula :(1)(2)(ix)Since , we can deduce the formula according to , , and , which is also :(1)(x)Since , we can deduce the formula according to , , and , which is also :(1).(xi)According to , , and , we deduce the formula , which is also :(1).(xii)Similarly, according to , , and , we deduce the formula , which is also :(1).

According to to , the secure goals to of e-SMDAS protocol are achieved. The sensor node and the dew server can achieve the mutual authentication and the same session key securely.

8. Performance Analysis

In this section, we present the performance analysis of e-SMDAS protocol, compared with several recent works, namely, SMDAS [10], He et al.’s scheme [27], and Ying et al.’s scheme [28], from the aspects of security features and computational efficiency.

Table 4 demonstrates the result of security feature comparison with several similar works. According to the work of [29, 30], the comparative result of security features is clear. It is shown in the table that the proposed protocol remedies the flaws of SMDAS protocol. As Table 4 shows, the e-SMDAS protocol can resist replay attack as well as user impersonation attack and satisfy the secure requirements for anonymity and forward security. Generally, our e-SMDAS protocol performs better than the previous one.

Before presenting the analysis, we first denote the notations used in the estimation of the computation efficiency. To be concise, the meanings of , , , , , , and are time of performing a point addition in elliptic curve group, time of performing an exponentiation operation in cyclic group, time of performing a hash function, time of performing a bilinear map, time of performing an exponentiation over bilinear pairing, time of performing a modular addition in cyclic group, and time of performing an encryption or decryption operation, respectively. Besides, the time of XOR can be negligible. In Table 5, we compare the computation efficiency of the related works with that of ours. For the sensor node in the proposed protocol, the computation cost is . On the other hand, dew server operates at the cost of .

To compare the efficiency of communication precisely, we simulate the schemes under the following assumptions. The output length of hash function is 160 bits while that of symmetric encryption tool is 1024 bits. The size of timestamp is 32 bits, while the output of elliptic curve is 160 bits. The comparative result is demonstrated in both Table 5 and Figure 5, in which e-SMDAS appears to be more efficient.

9. Conclusion

The dew-assisted IoT framework is an essential approach developing rapidly in the communication systems, which can provide high efficiency and low latency. In this paper, we first analyze SMDAS protocol showing that this protocol lacks forward security and user anonymity. Then, based on ECCDH problem, we propose an enhancement of the original one, called e-SMDAS protocol. We present the formal security proof of the proposed protocol. Moreover, the test of security by the usage of formalization tool Scyther and BAN logic shows that e-SMDAS can satisfy more security features than the former protocol. Furthermore, the performance analysis is presented at last showing that the enhancement does not affect the running time and computation efficiency.

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest regarding the publication of this paper.

Acknowledgments

This work was supported in part by the National Natural Science Foundation of China (Grant no. 61872449).