Energy Efficient Dynamic Symmetric Key Based Protocol for Secure Traffic Exchanges in Smart Homes

Abstract

Highly sensitive information about people’s social life and daily activities flows in smart home networks. As such, if attackers can manage to capture or even eavesdrop on this information, the privacy of the users can be compromised. The consequences can be far-reaching, such as knowing the status of home occupancy that can then facilitate burglary. To address these challenges, approaches such as data aggregation and signcryption have been utilized. Elliptic curve cryptography, bilinear pairing, asymmetric key cryptosystem, blockchain, and exponential operations are among the most popular techniques deployed to design these security solutions. However, the computational, storage and communication complexities exhibited by the majority of these techniques are too high. This renders these techniques unsuitable for smart home components such as smart switches and sensors. Some of these schemes have centralized architectures, which present some single points of failure. In this paper, symmetric key authentication procedures are presented for smart home networks. The proposed protocol leverages on cryptographic primitives such as one-way hashing and bitwise exclusive-Or operations. The results indicate that this scheme incurs the lowest communication, storage, and computation costs compared to other related state-of-the-art techniques. Empirically, our protocol reduces the communication and computation complexities by 16.7% and 57.7%, respectively. In addition, it provides backward key secrecy, robust mutual authentication, anonymity, forward key secrecy, and unlinkability. Moreover, it can effectively prevent attacks such as impersonation, session hijacking, denial of service, packet replays, man-in-the-middle, and message eavesdropping.

1. Introduction

The Internet of Things (IoT) devices offer a myriad of services, such as smart lighting, remote surveillance, and door locking. A smart home is part of IoT application scenarios which comprises sensors, actuators, home appliances, and controllers that are accessed and controlled remotely. In smart homes, users may utilize various applications or voice commands to turn appliances on or off [1] or monitor temperature and humidity at home [2]. In so doing, smart homes potentially boost user comfort and quality of life. A typical smart home consists of Indoor Smart Devices (ISDs), users, Home Gateways (HGs), and Registration Authority (RA) which acts as a controller [2,3,4]. Here, the controllers scrutinize sensor data before transmitting messages to home appliances for some action. Since smart home devices such as sensors are bandwidth, computational power, and memory constrained, remote users access sensor data via the home gateway. In essence, the HG offers long and short-distance wireless connectivity between the ISDs and remote users. For remote monitoring and access to the ISDs, users deploy internet-enabled tablets and smartphones [5] while the ISDs communicate with each other via Radio Frequency (RF) channels [6]. Before the actual deployment of smart home networks, all ISDs, gateways, and users are registered at the RA.

The goals of smart homes include a reduction in operational costs, increased energy efficiency, convenience, and comfort [2,5] through home systems automation. As such, massive information flows over smart home networks, which raises performance, privacy, and security issues [1,7]. This is because message exchanges take place over insecure public channels [1,2,8,9] and over longer distances, which increases latencies [7]. In addition, most ISDs do not incorporate security and privacy in their designs [10] or have weak embedded security [11]. Therefore, it becomes easy for attackers to tamper, eavesdrop and have unauthorized access to the transmitted data. It is also possible for adversaries to insert bogus messages and insert or delete exchanged data. Consequently, the preservation of perfect privacy and security in smart-phone, stored data, networks, and ISDs is paramount [9]. Unfortunately, much attention has only been paid to boosting the smartness of the devices and user comfort while little work is devoted to security and privacy issues [2]. Numerous security issues have been identified in smart home networks. These issues include a lack of proper user privacy, identity authentication, and access control [8,12,13,14]. These vulnerabilities have made it possible for attackers to deploy these networks to launch attacks such as Distributed Denial of Services (DDoS) [15] and spreading malware [11]. In addition, packet interception, deletion, modification, and bogus data injections are common [2].

To address the above security, performance, and privacy challenges, authentication of the communicating entities must be executed. This ensures that only authorized parties are able to establish connections to the smart home network [16,17,18]. It also helps in establishing the integrity of applications and devices. In addition, there is a need to preserve the confidentiality and availability of the exchanged messages [1]. Moreover, secure remote access can prevent disclosure of access privileges and private information [17] or illegal control of ISDs and subsequent illegitimate surveillance [19]. Therefore, many security solutions have been presented in literature based on techniques such as usernames and passwords and asymmetric and symmetric key crypto-systems. However, usernames and passwords are not effective for highly mobile IoT devices [17]. Similarly, most asymmetric and symmetric key techniques have high computational overheads, which are not ideal for ISDs [1]. Since the majority of the sensors deployed in smart homes are limited in terms of computation power [16,20], the authentication protocols need to be lightweight [2,19]. There is also a requirement to negotiate the session key among the communicating entities utilized to encrypt the exchanged packets [6]. Unfortunately, the conventional authentication and key agreement protocols have high computational requirements such as power consumption, memory, and processing capacity. In addition, some of them have design flaws that result in leakages of sensitive data.

To address power constraints in smart home IoT devices, the Long-Range (LoRa) technology known as Low-Power Wide-Area Network (LPWAN) has been implemented. As one of the LPWAN technologies, the Long-Range Wide-Area Network (LoRaWAN) uses very little power for long-range communication and is, therefore, highly efficient [21]. In addition, LoRaWAN offers open standard specifications and hence is crucial for networking hybrid autonomous communication architectures [22]. Another important LPWAN technology is the Narrow Band IoT (NB-IoT) that is heavily deployed in 3GPP cellular systems. It has high throughput and low complexities and can therefore help extend the battery lifetime of IoT devices. In addition, it provides better performance in terms of enhanced channel quality [23], long-range, high capacity, and low power [24]. In general, LPWAN technologies have salient capabilities such as low-cost, long-range, low energy consumption, the transmission of low volumes of data, and support for a high number of devices. As such, these LPWAN technologies can play crucial roles in IoT applications such as smart homes.

Although LPWAN offers admirable features that render them applicable in smart home deployments, there are many security issues that need to be solved. For instance, LoRaWAN has numerous privacy and security vulnerabilities that can be utilized by adversaries to compromise the privacy of transmitted data, availability, and authentication [25]. For instance, its Activation by Personalization (ABP) activation mode uses static secret keys and addresses, which are stored in the end devices. Consequently, side-channeling through power analysis can retrieve these secrets and launch further attacks such as impersonation and spoofing. On its part, NB-IoT requires a large infrastructure and proprietary license [24]. Therefore, NB-IoT becomes costly to implement in realtime. In addition, lack of physical security, poor application, end-point security, and weak authorization and authentication are some challenges that are yet to be solved in NB-IoT [26].

It is evident that conventional IoT technologies, security protocols, and standards are unable to uphold privacy and security in smart homes [11]. Several hacks and software flaws have led to a lack of public confidence in smart home networks. As such, the design of efficient and secure message authentication protocols is still an open challenge.

1.1. Motivation

The intelligent sensors in smart home networks collect and transmit sensitive data that can expose the privacy of homeowners if captured by adversaries. As such, strong security solutions are needed to protect the various elements of these networks, such as the communication channels and the data residing in sensors. Therefore, many asymmetric and symmetric key-based protocols have been deployed to offer the required levels of security. However, most of these schemes are susceptible to many attacks. Some of these schemes also require the execution of computationally intensive cryptographic operations [4] that are not ideal for most smart home devices. Other researchers have also presented security protocols based on objects such as smart cards to secure smart home networks. However, these schemes are vulnerable to smart card theft or smart card loss attacks. It is also inconvenient for users to carry these cards around for multiple authentications. Although blockchain-based techniques can address these issues, privacy protection for the access policy remains an open challenge in these techniques. Moreover, the public key infrastructure-based schemes are unsuitable for deployment in smart home devices due to their computationally intensive cryptographic operations and storage requirements. There is, therefore, a need for a truly lightweight authentication scheme that can address some of these challenges.

1.2. Mechanisms and Objective Overview

The proposed protocol addresses security, performance, and privacy challenges in smart home networks. In so doing, smart homeowners can be assured that the exchanged packets cannot be compromised in transit. In so doing, security and privacy features such as confidentiality, integrity, availability, non-repudiation, and authentication are upheld. Since the majority of the sensors in the smart home network are resource-limited [11], only lightweight cryptographic operations are executed in our scheme. As such, the objective of the proposed protocol is to prolong the battery life of smart home sensors byreducing energy consumption.

1.3. Security Goals and Requirements

The numerous vulnerabilities, threats, and attacks in smart home networks might impede the adoption of smart home networks. Therefore, strong security techniques should be implemented to protect the transmitted as well the stored data in smart home devices. To achieve this, an ideal authentication protocol should strive to offer the following security and privacy features:

Backward key secrecy: Suppose that an adversary has some access to the current session key. This backward key secrecy ensures that an attacker is unable to derive the session key utilized for the previous communication session based on the current session key.

Forward key secrecy: It should be computationally infeasible for the adversary equipped with the current session key to compute the session key for any subsequent communication [8].

Mutual authentication: Before the communicating entities can initiate any message exchanges, they should verify the legitimacy of each other.

Anonymity: During the authentication, key agreement, and communication processes, an attacker should be incapable of discerning the real identities of the communicating parties.

Unlinkability: It should be cumbersome for the adversary to relate the captured messages to any of the past as well as future messages emanating from the same communicating entities.

Robustness against attacks: A truly secure protocol should protect against conventional smart home attacks. These include denial of service, impersonation, man-in-the-middle (MitM), session hijacking, packet replays, and eavesdropping attacks.

1.4. Research Contributions

It is critical that memory, energy, communication, and computation complexities be kept at a minimum in smart home sensors and switches. Smart home networks comprise devices that are resource-limited in terms of memory, energy, and computation power. Such devices include smart switches and sensors; hence, any ideal authentication and key agreement (AKA) protocol must be lightweight. In addition, the massive data items exchanged over smart home networks are private andmay potentially reveal people’s lifestyles if captured by adversaries. It is, therefore, important that data be protected while in transit between the remote users and the ISDs. In this regard, the following contributions are acclaimed in this paper:

• Lightweight cryptographic primitives are deployed in the proposed protocol so as to render it efficient for resource-limited indoor smart home sensors and switches.
• Session-specific parameters are incorporated in the developed protocol to offer dynamism to the session state parameters. This eventually works towards the elimination of packet replay attacks.
• Extensive formal verification of the proposed protocol is executed using the most common Burrows Abadi-Needham (BAN) logic, which shows the establishment of a message protection session key among the communicating parties.
• Informal security analysis is carried out, which demonstrates the resilience of the proposed protocol against packet replays, impersonation, eavesdropping, Denial of Service (DoS), session hijacking, and man-in-the-middle attacks.
• Comparative performance evaluation is executed, which shows that the proposed protocol offers enhanced security and privacy protection at lower energy, communication, and computation complexities.

The rest of this paper is structured as follows: Section 2 presents the related work, while the proposed scheme is discussed in Section 3. Similarly, Section 4 presents the security analysis of this protocol, while Section 5 discusses its performance evaluation. Finally, Section 6 concludes the paper and gives future research directions.

2. Related Work

Numerous security and privacy schemes have been developed to protect the packets exchanged over smart home networks. For instance, a 3-dimensional S-box scheduling algorithm is presented in [27]. Although this scheme is efficient, its formal and informal security analyses are not carried out. In contrast, public key cryptosystems (PKC) based key agreement protocols are presented in [28,29,30,31]. However, PKC-based techniques have high communication and computational overheads [32]; hence they are unsuitable for ISDs. Although the protocol in [31] is resilient against attacks, it can neither withstand known-key attacks nor offer confidentiality, freshness checks, and anonymity [16,33]. Additionally, it incurs extremely high execution time and communication costs [16]. Although the protocol in [34] is robust against cloning, impersonation, traceability, and physical attacks, it involves extensive hashing operations and message exchanges which are not ideal for resource-constrained ISDs. Conversely, the device security protocol in [35] cannot offer secure mutual authentication and is susceptible to impersonation, stolen smart devices, and session key disclosure attacks [1].

To address the resource-constrained nature of ISDs, lightweight authentication protocols have been presented in [36,37]. Although the security model in [38] potentially protects user privacy, it has high power consumption due to the requirement for the installation of rechargeable batteries. Although the user authentication scheme in [39] can alleviate this problem, it is susceptible to a privileged insider, gateway bypass, offline password guessing, and replay attacks [40]. Therefore, a user authentication protocol has been proposed in [40] to address these issues. On the other hand, the scheme based on identity, password, and digital signatures is developed in [41]. However, it is based on PKI, which requires entities to maintain a pair of private and public keys, which increases its computation and communication complexities [42]. The protocols in [43,44,45] are efficient and can solve the problems in [41].However, the scheme in [43] cannot withstand de-synchronization attacks. In addition, it utilizes verification tables during authentication, which are susceptible to stolen verifier attacks [40]. Similarly, the protocol in [45] has some security issues that limit its applicability [41]. On its part, the scheme in [44] incurs low latency, storage costs, and power consumption, but its security analysis is not carried out.To boost efficiency and reliability, a smart card-based algorithm is developed in [46]. Although this approach has low computation and communication overheads, it cannot resist gateway spoofing, session key disclosure, and impersonation attacks. In addition, it cannot provide anonymity and secure mutual authentication [41]. The two-factor scheme in [47] is anonymous and can address anonymity issues in [46]. Unfortunately, it is vulnerable to password guessing, stolen user device, and impersonation attacks. In addition, it cannot provide mutual authentication [40].

Even though the anonymous security technique developed in [11] provides user anonymity and secure mutual authentication, it is susceptible to attacks such as impersonation, MitM, and session key disclosure [2]. On the other hand, the protocol in [48] assumes that the short-range channel between the ISDs and HGs is secure and that these devices are trustworthy. However, these assumptions are not viable as the open wireless channel is susceptible to a myriad of attacks, and the devices are not tamper-proof and may have inbuilt backdoors [6]. To offer protection against malicious activities in distributed smart environments, a scheme based on implicit certificates is developed in [16]. However, certificate revocation and storage require large memory and elongated execution time [49]. Alternatively, a privacy-preserving scheme is introduced in [50,51]. However, a single trusted third party is responsible for access control and authorization, which presents a single point of failure. In addition, these protocols have scalability issues [19,52]. Biometric-based protocols have been introduced to overcome the shortcomings inherent in static credentials-based authentication schemes [53,54]. Although these schemes have faster response times, many smart devices still lack inbuilt biometric authentication capabilities. In addition, they are not privacy–preserving [55] and present challenges in revoking compromised biometric information. Moreover, many users regard biometric authentication as intrusive and a violation of their privacy. To offer secure communication, a robust protocol is developed in [56]. Unfortunately, this protocol is vulnerable to stolen user devices and privileged insider attacks. The scheme in [57] can solve this problem by upholding confidentiality and user and device authenticity. In addition, it prevents server spoofing, user impersonation, man-in-the-middle, replays, and offline password-guessing attacks. Unfortunately, it is vulnerable to de-synchronization attacks.

Based on digital certificates, a security protection scheme is introduced in [58]. In this approach, subsequent session keys are derived using some master keys and hence cannot assure forward key secrecy upon disclosure of these keys. In addition, a malfunctioning key derivation function (KDF) may lead to connection termination. On the other hand, the security technique in [59] is noted to be vulnerable to de-synchronization attacks [60]. To curb this challenge, a novel security preservation scheme is presented in [60]. Although the approach employed by the authors in [14] can uphold data confidentiality, it is unable to sustain authentication parameters privacy [61]. This problem is solved by the blockchain-based protocols in [62,63]. However, the deployed blockchain technology incurs heavy computation and storage overheads [64].

On its part, the temporal identity-based solution presented in [65] is vulnerable to attacks such as known-key and DoS. This is because it uses static parameters during the session key generation process. Due to computationally intensive cryptographic operations and heavy signaling during the authentication procedures, this approach incurs high communication and computation costs. A scheme based on fuzzy extraction is introduced in [66]. However, vulnerability to traceability attacks and inability to provide identity protection, as well as session key agreement, are its major challenges [67]. Conversely, the scheme in [8] dynamically renews the session key to thwart replay attacks. However, this approach has high computation costs due to a myriad of cryptographic operations involved.

Table 1. Pros and cons of current schemes.

Scheme	Pros	Cons
[8]	Thwarts replay attacks	High computation costs
[11]	Provides user anonymity and secure mutual authentication	Susceptible to impersonation, MitM, and session key disclosure attacks
[14]	Upholds data confidentiality	Cannot provide authentication parameters privacy
[16]	Protects against malicious activities in distributed smart environments	Elongated execution time
[27]	Efficient	Its formal and informal security analyses are not carried out
[34]	Robust against cloning, impersonation, traceability, and physical attacks	High communication costs
[38]	Protects user privacy	High power consumption
[43]	Efficient	Cannot withstand de-synchronization attacks
[46]	Boosts efficiency and reliability	Cannot resist gateway spoofing, session key disclosure, and impersonation attacks.
[47]	Offers anonymity	Vulnerable to password guessing, stolen user device and impersonation attacks
[50,51]	Privacy-preserving	Single point of failure & scalability issues
[53,54]	Faster response time	Not privacy-preserving
[57]	Upholds confidentiality, user, and device authenticity	Vulnerable to de-synchronization attacks
[62,63]	Privacy-preserving	Heavy computation and storage overheads

presents a summary of the cons and pros of some of these schemes.

In summary, the current authentication and key agreement protocols cannot offer complete security and privacy protection at low energy, execution time, and communication overheads. For instance, the asymmetric key protocols in [31,33] have higher costs compared with their symmetric counterparts in [14,59,60]. However, the communication and computation complexities of these symmetric protocols are still unsuitable for smart home devices such as sensors and smart switches. Although LoRaWAN and NB-IoT technologies can address the inefficiency issues in current schemes, these technologies have numerous security challenges. For instance, LoRaWAN is susceptible to attacks such as bit-flipping and replay. As explained in [25], LoRaWAN authentication procedures are vulnerable to network flooding, man-in-the-middle, eavesdropping, sinkhole, jamming, replay, and spoofing. On the other hand, the schemes in [8,11,14,16] have been shown to have numerous security and performance issues. High communication and computation costs are the performance limitations of the majority of these schemes. On the other hand, lack of forward key secrecy and anonymity, coupled with susceptibility to impersonation, MitM, and DoS, are serious security and privacy issues in these protocols. In contrast, our protocol deploys transient parameters such as nonces, timing information, and secret values during the derivation of the session key to preserve forward key secrecy. In addition, shared secret keys are deployed to encrypt user and device identities to uphold their anonymity. This enciphering and re-computation of user identity using random nonces and exclusive OR operation with mobile device identity renders it hard for an attacker to eavesdrop on these identities for any possible impersonation attempt. To curb MitM attacks, the contents of the authentication verification beacons are concatenated before being hashed. This makes it computationally infeasible for the attacker to reverse the one-way hash to obtain these parameters for launching MitM attacks. Regarding the DoS attack, our scheme derives the verification token and sends it to the trusted authority. Here, this token is re-computed and compared with its received equivalent. If these parameters are not equivalent, the communication process is immediately terminated.

3. The Proposed Scheme

The proposed network model is made up of the Smart Home Devices (SHDs), the Smart Home Owner (SHO), Mobile Device (MD), the Trusted Authority (TA), and the wireless network. Here, wireless connectivity can be the internet which facilitates SHO and SHDs interactions. The SHOs utilize software controls in their MDs to access SHDs services. On the other hand, the TA acts as the Home Gateway (HG), as shown in Figure 1.

The remote user commands are transmitted to the HG before being forwarded to the SHDs. In this arrangement, the HG manages all SHDs and is assumed to be a trusted entity with slightly higher memory, energy, and computation capabilities compared with SHDs. The communication link between the remote user and the HGs are assumed to be insecure. The MDs can be smartphones, laptops, or tablets.

Table 2. Notations and their descriptions.

Notation	Description
TA	Trusted authority
SHD	Smart home device
IDU	User identity
IDM	Mobile device identity
IDTA	TA’s identity
h(.)	Hashing operation
TM	Timer
ψ	MD & TA shared secret key
ɸ	SHD & TA shared secret key
ℕi	Random nonce
IDS	SHD identity
T1…T7	Timestamps
TTh	Threshold timestamp
Eψ	Encryption using ψ
⊕	XOR operation
||	Concatenation operation

presents the notations deployed here and their descriptions.

Before the onset of the packet exchanges between the SHDs and SHOs, the MDs and SHDs must be registered at the TA, as outlined in Section 3.1 below. Thereafter, Authentication and Key Agreement (AKA) procedures are executed, as evidenced in Section 3.1. The block diagram in Figure 2 gives a summary of these steps.

As shown in Figure 2, the chronology of events includes registration, authentication, and data exchange between the smart home device and the smart home owner’s mobile device. During registration, the trusted authority generates and distributes the security parameters to the smart home device and the mobile device. To accomplish this, secure communication channels are utilized. During the authentication process, these security parameters are deployed to derive some security tokens used to validate the authenticity of the communicating parties. After successful authentication procedures, the smart home and mobile device can trust one another and commence data exchange.

3.1. SHDs and MDs Registration Phase

The registration phase consists of four major steps, as discussed below.

• Step 1: The TA instantiates timer T_M and derives the shared secret key ψ deployed between the MD and TA before generating user identity ID_U and MD identity ID_M. This is followed by the derivation of ⅆ = E_ψ (ID_U) and ⅇ =E_ψ (ID_M), which are actually ID_U and ID_M encrypted using ψ. Next, the SHO composes registration request SOReg_Req that is then sent to TA with security parameters ⅆ and ⅇ.
• Step 2: Upon receipt of Reg_Req, TA increments T_M and computes ephemeral S = E_ψ (T_M^*). Next, TA generates nonce ℕ₁ before deriving its current session secret value ℙ_TA = h (ID_U||ID_M||ℕ₁) that essentially binds ID_U and ID_M. This is followed by the derivation of ID_U’s current session secret value ℚ_U = E_ψ (ID_U, ID_M, ℙ_TA, S) and security parameter T_P = (ψ||ℕ₁). The TA terminates SHO registration by sending registration response SOReg_Res with T_P and ℚ_U to the SHO, which are then buffered into MD’s repository (Rep). Meanwhile, TA also buffers all the computed and generated security tokens in its Rep.
• Step 3: For the SHD to register to the TA, it generates the random number ℕ₂ and its session identity ID_S before calculating security token U = E_ψ (ID_S||ℕ₂). Next, the SHD sends its registration request SHReg_Req together with U to the trusted authority.
• Step 4: Upon receipt of this token, the TA generates random nonce ℕ₃ and its identity ID_TA, then derives SHD’s current session secret value H_S = h (ID_S||ℕ₃) together with its secret session tokens ℤ_S = E_ɸ (ID_S, H_S, ℕ₃) and V = E_ɸ (ID_TA||ℕ₃). Afterward, TA sends the registration response SHReg_Res together with security parameter ℤ_S and ID_TA to the SHD for storage. Figure 3 presents the message flow during the registration process.

As depicted in Figure 3, 4 messages are exchanged among the SHO, TA, and SHD during the registration phase. Note that ID_U and ID_M are encrypted using ψ to yield security tokens ⅆ and ⅇ, respectively, before being coupled to the communication channel. Similarly, parameters ID_U, ID_M, ℙ_TA, and S are encrypted using ψ before their transmission over the open wireless communication links. On the other hand, ψ is masked in nonce ℕ₁ to yield security parameter T_P. In addition, to securely transmit ID_S to the TA, the SHD masks it in nonce ℕ₂ before encrypting it using ψ. Finally, security parameters ID_TA, ID_S, and H_S are masked in nonce ℕ₃, then encrypted using Φ before being sent to the SHD.

3.2. Mutual Authentication

Whenever the SHO wishes to access the SHDs services, the following nine steps are invoked, as discussed below.

• Step 1: The MD generates nonce ℕ₄ before computing security parameter ℝ_U = ℕ₄⊕ID_M and MD’s authentication verification beacon P_U = h (ℚ_U||ℝ_U||ψ||T₁||ℕ₄||T_M). Next, the computed parameters, together with timestamp T₁ and buffered token ℚ_U, are transmitted to the TA together with the MD authentication request, MAuth_Req, as evidenced in Figure 4.
• Step 2: On getting these parameters, the TA determines timestamp T₂ and computes ∆T = T₂−T₁ before validating it against some set threshold T_Th. This step is critical for the prevention of packet replay attacks. If an attacker launches this attack against the proposed protocol using the captured security parameters, the freshness checks of timestamps together with threshold T_Th will render this attack futile.
• Step 3: The TA re-computes nonce ℕ₄ = ℝ_U⊕ ID_M before ℚ_U= D_ψ (ID_U, ID_M, ℙ_TA, S) is decrypted using ψ to yield its constituents that are then validated against their buffered equivalents in Rep. Here, provided that ID_M is not in Rep, the request is flagged as an impersonation attempt.

Next, TA checks whether T_M is within its Rep, and if this is the case, it proceeds to retrieve nonce ℕ₄ = ℝ_U⊕ ID_M before validating the received P_U against its buffered value.

• Step 4: To usher in SHD authentication with TA, the verification of P_U must be successful.When this happens, SHD’s authentication verification beacon P_S = h (ℤ_S||T₃||ID_TA) is derived and transmitted to the SHD with TA’s authentication request, TAuth_Req.
• Step 5: Upon receipt of this beacon, SHD determine the current timestamp T₄ before calculating ∆T = T₄−T₃, which is then validated. Provided that this validation is successful, P^*_S= h (ℤ_S||T₃||ID_TA) is re-computed, after which it is validated against its received counterpart P_S. Here, successful verification leads to the computation of another authentication verification beacon P_T= h (ℤ_S||T₅||ID_TA) sent to TA together with timestamp T₅ and TA’s authentication response TAuth_Res.
• Step 6: After getting these parameters, P^*_T = h (ℤ_S||T₅||ID_TA) is re-calculated before its validation against its received counterpart P_T. If this verification succeeds, SHD and TA mutual authentication is successful, and they can now trust each other. Next, the deployed parameter T_M is refreshed as T_M^New and buffered to preserve perfect forward key secrecy.
• Step 7: To accomplish TA and MD mutual authentication, TA generates nonce ℕ₅ before refreshing previous parameters with their new values ℙ_TA^New = h (ID_U||ID_M||ℕ₅) and ℚ_U^New = E_ψ (ID_U, ID_M, ℙ_TA^New, T_M^New). At the same time, P_TA = h (ℚ_U^New||ID_M||ℕ₄||T₆||ψ) is re-calculated, and additional security token B = ℚ_U^New⊕ ID_M is derived. This step is very crucial for the preservation of backward and forward key secrecy. Here, an attacker that has captured ℙ_TA and ℚ_U deployed in the current authentication session may attempt to reuse them to determine the previous as well as the subsequent session secret keys {ℙ_TA^Prev, ℚ_U^Prev} and {ℙ_TA^Next, ℚ_U^Next} respectively. However, updating these session secret keys incorporates random nonce ℕ₅, rendering them session-specific. Lastly, MD’s authentication response MAuth_Res, security parameters B and P_TA, together with timestamp T₆, are sent to the MD. Meanwhile, the TA updates its Rep with these new security parameters ℙ_TA^New, ℚ_U^New, ℕ₅, and T_M^New.
• Step 8: Upon receipt of these parameters, the MD re-derive ℕ₄ = ℝ_U⊕ ID_M before decrypting ℚ_U = D_ψ (ID_U, ID_M, ℙ_TA,T_M) to obtain its constituents which are then verified against their buffered counterparts in Rep. Provided that this verification is successful, the MD determines T₇ that is employed to derive ∆T = T₇−T₆ that is then validated against replay attacks. Next, ℚ_U^New = B⊕ID_M is re-computed for subsequent authentication.
• Step 9: The P_TA received from TA is verified such that if this process is successful, the MD and TA have mutually authenticated each other and can trust each other. However, if all the retrieved parameters are in Rep except MD’s ID_M, the implication is that the SHO may be utilizing an MD that is yet to be registered at the TA, and hence its registration is prompted.

As shown in Figure 3, 4 messages are exchanged during the AKA phase. All the parameters in message {P_U,ℚ_U, ℝ_U,T₁} are sufficiently protected before their transmission over the communication links. For instance, P_U is in the hashed format while ℚ_U is in encrypted form using ψ. On the other hand, ℝ_U is exposed to XOR operation with nonce ℕ₄ and hence is fairly random. Similarly, message {P_S, T₃} is protected since P_S is in hashed form and timestamp T₃ is randomly selected. The same applies to message {P_T, T₅} sent to TA from SHD. Finally, in message {B, P_TA,T₆} sent from the TA to MD is protected through hashing (P_TA) and XOR operation (B), while timestamp T₆ is randomly chosen.

4. Security Analysis

To show that the proposed protocol offers strong privacy and security protection, formal verification and informal security analyses are carried out.

4.1. Formal Security Analysis

In this section, the widely deployed Burrows–Abadi–Needham (BAN) logic is utilized to demonstrate that the beacons exchanged are protected against any form of eavesdropping. Therefore, the communicating entities can trust each other as they communicate over insecure channels.

Table 3. BAN logic notations.

SNo.	Symbol	Description
BLN1	SK	One-time session key
BLN2	D|$\equiv$E	D believes statement E
BLN3	D| ~E	D once said statement E
BLN4	D$⨞\mathrm{E}$	D sees statement E
BLN5	#E	Statement E is fresh
BLN6	<E>F	Statement E is combined with secret statement F
BLN7	{E}G	Statement E is protected by secret key G
BLN8	$\mathrm{D}\stackrel{\mathrm{G}}{\leftrightarrow }\mathrm{H}$	D and H share secret key G
BLN9	$\mathrm{D}\Rightarrow \mathrm{E}$	D has jurisdiction over E

presents the BAN logic notations (BLNs) deployed in this formal verification process.

For easy of analysis, all the messages exchanged during the AKA procedures are transformed into some idealized format (IME) as shown in

Table 4. Idealized message exchanges.

IME1	SHO→TA: PU, ℚU: < IDU, IDM, ℕ1> ψ, ℝU<ℕ4> IDM, T1
IME2	TA→SHD: PS,T3
IME3	SHD→TA: PT,T5
IME4	TA→SHD: B:<ℚUNew> IDM, ℙTA,T6

.

Thereafter, the initial assumptions (ITA) in

Table 5. Initial state assumptions.

SNo.	Initial Assumption
ITA1	SHO|$\equiv$#(ℕ4)
ITA2	TA|$\equiv$#(ℚU)
ITA3	SHD|$\equiv$#(PT)
ITA4	TA|$\equiv$SHD$\Rightarrow$(PS)
ITA5	TA|$\equiv$SHO$\Rightarrow$ℚU
ITA6	SHD|$\equiv$TA$\Rightarrow$PT
ITA7	SHO|$\equiv$TA$\Rightarrow$ℚU

were made to facilitate easier analysis using BAN logic.

To provide enhanced protection, the security goals (SGs) in

Table 6. Security goals.

SNo.	Security Goal
SG1	$\mathrm{TA}|\equiv \mathrm{SHO}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$TA
SG2	$\mathrm{TA}\left|\equiv \mathrm{SHO}\right|\equiv \mathrm{SHO}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$TA
SG3	$\mathrm{SHD}|\equiv \mathrm{TA}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$SHD
SG 4	$\mathrm{SHD}\left|\equiv \mathrm{TA}\right|\equiv \mathrm{TA}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$SHD
SG5	$\mathrm{TA}|\equiv \mathrm{SHD}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$TA
SG6	$\mathrm{TA}\left|\equiv \mathrm{SHD}\right|\equiv \mathrm{SHD}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$TA
SG7	$\mathrm{SHO}|\equiv \mathrm{TA}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$SHO
SG8	$\mathrm{SHO}\left|\equiv \mathrm{TA}\right|\equiv \mathrm{TA}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$SHO

are formulated.Therefore, the formal verification procedures simply serve to demonstrate how these goals are attained in the proposed protocol.

Based on the above-idealized message exchanges (IME) and ITA, the BAN logic rules (BLR) in

Table 7. BAN logic rules.

Rule	Description
$\frac{D\left|\equiv H\Rightarrow E,D\right|\equiv H|\equiv E}{D|\equiv E}$	Jurisdiction rule (JR)
$\frac{D|\equiv \#\left(E\right)}{D|\equiv \#\left(E,F\right)}$	Fresh-promotion rule(FPR)
$\frac{D|\equiv \mathrm{D}\stackrel{G}{\leftrightarrow }\mathrm{H},\mathrm{D}⨞{\left\{\mathrm{E}\right\}}_G}{D\left|\equiv H\right|~E}$	Message-meaning rule (MMR)
$\frac{D|\equiv \#\left(E\right),D\left|\equiv H\right|~E}{D\left|\equiv H\right|\equiv E}$	Nonce verification rule (NVR)

were utilized to attain the security goals in Table 6 above.

Based on IME₁, the seeing rule (SR) in BLN₄ is deployed to yield BAN Logic 1 (BLP₁):

• BLP₁: TA$⨞$P_U, ℚ_U: < ID_U, ID_M, ℕ₁>ψ, ℝ_U<ℕ₄> ID_M, T₁

Hinged on ITA1, MMR and is applied to BLP₁ to yield BLP₂:

• BLP₂: TA$\left|\equiv \mathrm{SHO}\right|~$ℕ₄

The application of FPR in BLP₂ results in BLP₃:

• BLP₃: TA$\left|\equiv \mathrm{SHO}\right|\equiv$ℕ₄

Based on BLP₃, JR is applied to obtain BLP₄:

• BLP₄: TA$|\equiv$ℕ₄

From ITA₂ and ITA₅, JR is applied on BLP₄ yields BLP₅:

• BLP₅: TA$|\equiv \mathrm{SHO}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }\mathrm{TA}$

On the other hand, using NVR on BLP₅, BLP₆ is obtained:

• BLP₆:$\mathrm{TA}\left|\equiv \mathrm{SHO}\right|\equiv \mathrm{SHO}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$TA

Based on IME₂ and ITA₄, SR is applied to yield BLP₇:

• BLP₇: SHD$⨞$P_S,T₃

The application of MMR on BLP₇ results inBLP₈:

• BLP₈: SHD$\left|\equiv \mathrm{TA}\right|~$ℚ_U

Based on BLP₈, the FPR is deployed to yield BLP₉:

• BLP₉: SHD$\left|\equiv \mathrm{TA}\right|\equiv$ℚ_U

Next, using JR on BLP₉ results in BLP₁₀:

• BLP₁₀: SHD$|\equiv$ℚ_U

Applying JR on BLP₁₀, BLP₁₁ is obtained:

• BLP₁₁:$\mathrm{SHD}|\equiv \mathrm{TA}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$SHD

However, the application NVR on BLP₁₁ results in BLP₁₂:

• BLP₁₂:$\mathrm{SHD}\left|\equiv \mathrm{TA}\right|\equiv \mathrm{TA}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$SHD

Conversely, based on IME₃, SR is deployed to yield BLP₁₃:

• BLP₁₃: TA$⨞$P_T,T₅

Afterwards based on ITA₃, MMR is deployed in BLP₁₃ to obtain BLP₁₄:

• BLP₁₄: TA$\left|\equiv \mathrm{SHD}\right|~$P_T

According to BLP₁₄ and ITA₆, FPR is applied to produce BLP₁₅:

• BLP₁₅: TA$\left|\equiv \mathrm{SHD}\right|\equiv$P_T

Using JR on BLP₁₅, BLP₁₆ is obtained:

• BLP₁₆: TA$|\equiv$P_T

On the other hand, applying JR on BLP₁₆ yields BLP₁₇:

• BLP₁₇:$\mathrm{TA}|\equiv \mathrm{SHD}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$TA

The application of NVR on BLP₁₇ yields BLP₁₈:

• BLP₁₈:$\mathrm{TA}\left|\equiv \mathrm{SHD}\right|\equiv \mathrm{SHD}\stackrel{\mathbb{Z}\mathrm{S}}{\leftrightarrow }$TA

Based on IME₄, the SR is applied to obtain BLP₁₉:

• BLP₁₉: SHO$⨞B$:<ℚ_U^New> ID_M, ℙ_TA,T₆

Using MMR on BLP₁₉ results in BLP₂₀:

• BLP₂₀: SHO$\left|\equiv \mathrm{TA}\right|~$ℚ_U

According to BLP₂₀, FPR is applied to get BLP₂₁:

• BLP₂₁: SHO$\left|\equiv \mathrm{TA}\right|\equiv$ℚ_U

However, the deployment of JR on BLP₂₁ yields BLP₂₂:

• BLP₂₂: SHO$|\equiv$ℚ_U

Based on BLP₂₂ and ITA₇, JR is applied to obtain BLP₂₃:

• BLP₂₃:$\mathrm{SHO}|\equiv \mathrm{TA}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$SHO

On the other hand, the application of NVR on BLP₂₃ yields BLP₂₄:

• BLP₂₄:$\mathrm{SHO}\left|\equiv \mathrm{TA}\right|\equiv \mathrm{TA}\stackrel{{\mathbb{Q}}_{\mathrm{U}}}{\leftrightarrow }$SHO

It has been shown through BLP₁ to BLP₂₄ that SHO, TA, and SHD execute mutual authentication amongst themselves and negotiate the common session key. This is the key utilized to encipher all the messages exchanged among the communicating entities.

Table 8. Attainment of security goals.

SL	BLP
SG1	BLP5
SG2	BLP6
SG3	BLP11
SG 4	BLP12
SG5	BLP17
SG6	BLP18
SG7	BLP23
SG8	BLP24

presents the BLP and security goals achieved.

As shown in Table 8, the BAN logic that was carried out has demonstrated the capability of the proposed protocol to achieve all the eight security goals formulated above.

4.2. Informal Security Analysis

This sub-section presents the evaluation of the security posture of this protocol against the most common attack vectors in smart home networks. This is achieved through the formulation and proof of the following lemmas.

Lemma 1: 

Backward and forward key secrecy are preserved.

Proof: 

The aim of upholding forward key secrecy is to prevent an attacker from using the current session key to accurately derive the session for the subsequent communication session. In our scheme, TA’s current session secret value ℙ_TA and ID_U’s current session secret value ℚ_U are refreshed after every successful authentication. The computation of these session secrets incorporates random nonces and some timing information T_M that is updated after every successful authentication. Consequently, constructing any valid ℙ_TA and ℚ_U parameters is computationally infeasible. □

Lemma 2: 

Strong mutual Authentication is executed.

Proof: 

In our protocol, TA validates the authenticity of smart home users by computing security tokens ℚ_U and P_U such that the authentication process is terminated if these parameters are illegitimate. In addition, all smart home users authenticate TA through ℙ_TA and ℚ_U^New. In this process, only TA and MD have knowledge of security parameter ψ. To render this authentication dynamic, nonce ℕ₁, ℕ₄, and auto-incremented parameter T_M are deployed and refreshed after each successful authentication.□

Lemma 3: 

Packet replays attacks are prevented.

Proof: 

The success of this attack requires that security parameters ℚ_U and P_U must be captured by an attacker. However, this is impossible since ℚ_U is enciphered using secret key ψ. After every successful authentication, parameters ℚ_U and ℙ_TA are substituted by their refreshed counterparts ℚ_U^New and ℙ_TA^New, respectively. In addition, freshness checks using timestamps and random nonce renders packet replay attacks infeasible. □

Lemma 4: 

The proposed scheme provides device anonymity.

Proof: 

To successfully register the user, identity ID_U and mobile device identity ID_M are enciphered using shared secret parameter ψ. This happens by forwarding these two values to the trusted authority. Similarly, the SHD’s identity ID_S is encrypted using ɸ before its transmission over the communication channel. On the other hand, during the authentication phase, beacons such as {P_U,ℚ_U, ℝ_U,T₁} and {P_S, T₃} are exchanged. Suppose that an attacker eavesdrops on the first message. However, since user identity ℝ_U is masked in other parameters, including the timestamp, it is impossible for an attacker to determine with high precision the smart home user’s identity. In addition, ID_U’s current session secret value ℚ_U is encrypted using shared secret key ψ. Consequently; an attacker is incapable of accurately discerning the true identity of the smart home users and their mobile devices.□

Lemma 5: 

This protocol prevents impersonation attacks.

Proof: 

For an adversary to effectively impersonate the remote smart home owner, user identity ID_U and mobile device identity ID_M must be captured. However, these parameters are enciphered in ⅆ=E_ψ (ID_U) and ⅇ =E_ψ (ID_M) using shared secret keys ψ before being sent over the channel to the TA during the registration phase. During the initial phases of the AKA procedures, ℝ_U is computed using nonce ℕ₄ through exclusive OR operation with ID_M. As such, these two identities cannot directly eavesdrop from the communication channel and impersonation of the SHO and MD flops. □

Lemma 6: 

This protocol is robust against eavesdropping attacks.

Proof: 

In this scheme, the current secret value ℚ_U = E_ψ (ID_U, ID_M, ℙ_TA, S)is enciphered using shared secret ψ. It is then utilized during the authentication phase to accompany the MD’s authentication request MAuth_Req. Additionally, all the packets and parameters exchanged during AKA procedures are transient. Consequently, they cannot yield meaningful information that may facilitate the computation of next-session authentication parameters.□

Lemma 7: 

Man-in-the-middle attacks are thwarted.

Proof: 

The assumption made in this attack is that an adversary has captured current session secret value ℚ_U = E_ψ(ID_U, ID_M, ℙ_TA, S) and MD’s authentication verification beacon P_U = h(ℚ_U||ℝ_U||ψ||T₁||ℕ₄||T_M). The aim is then to modify the contents of these parameters before forwarding them to the unsuspecting trusted authority TA. However, all the contents of ℚ_U are enciphered using secret key ψ. Since this key cannot be obtained by the adversary, this attack flops. Additionally, security parameters in P_U are concatenated before being hashed. As such, a MitM attack using P_U is infeasible due to the difficulty of reversing the one-way hash function. □

Lemma 8: 

Denial of service and session hijacking attacks are prevented.

Proof: 

The goal of the attacker is to knock off the smart home device SHD by hijacking its session during the AKA procedures. To achieve this, the attacker derives a fake verification beacon P_T^F = h(ℤ_S^F||T₅^F||ID_TA^F), which is then sent to the TA. On getting this security parameter, the TA has to re-compute it through P^*_T = h (ℤ_S||T₅||ID_TA), as shown in Figure 3. Afterward, it is compared with the value received from the SHD in Tauth_Res. Here, if P^*_T ≠ P_T, the session is aborted and hence session hijacking using bogus P_T^F leads to session termination for this particular attacker and not for the legitimate SHD. □

5. Performance Evaluation

In this section, resilience against attacks, energy consumption, communication, and computation overheads are utilized to assess the proposed protocol. This choice is informed by the fact that these parameters are some of the most common metrics for evaluating authentication and key agreement schemes.

5.1. Computation Overheads

During the AKA procedures, one-way hashing and symmetric encryption are the only operations executed. For symmetric encryption, Advanced Encryption Standard (AES) is utilized. However, for one-way hashing operations, a secure hash algorithm (SHA-1) is used. To make a comparative evaluation with other related schemes straightforward, the values in [40] are used. As pointed out in [40], the execution time for symmetric encryption or decryption (T_ED) = 0.0215 ms, ECC multiplication (T_EM) = 0.4276 ms, message authentication code (T_MA) = 0.0215 ms, one way-hashing (T_H) = 0.052 ms andfuzzy extraction (T_FE) = 0.0215 ms as shown in

Table 9. Cryptographic execution time.

Cryptographic Operation	Execution Time (ms)
Symmetric encryption or decryption (TED)	0.0215
ECC point multiplication (TEM)	0.4276
Message authentication code (TMA)	0.0215
One way-hashing (TH)	0.052
Fuzzy extraction (TFE)	0.0215

.

As per Figure 4, the MD executes 1T_H and 1T_ED operations, while the TA executes 4T_H and 2T_ED operations. On the other hand, the SHD executes 2T_H operations. As such, the total computation cost is 7T_H + 3T_ED, which takes 0.4285 ms, as evidenced in

Table 10. Computation costs.

Scheme	Cryptographic Operations	Total Computation Time (ms)
Shuai et al. [39]	16TH + 3TEM	2.1148
Kaur et al. [40]	16TH + 3TEM	2.1148
Wazid et al. [43]	29TH + 4TED + TFE	1.6155
Wu et al. [47]	17TH + 6TED	1.0130
Sureshkumar et al. [56]	17TH + 16TEM	7.7256
Proposed	7TH + 3TED	0.4285

.

As shown in Table 9, the scheme in [56] requires 17 one-way hashing operations and 16 ECC point multiplication operations and hence incurs the highest computation overheads, as shown in Figure 5. The schemes in [39,40] have the second highest computation costs of 2.1148, followed by the protocols in [43,47] with 1.6155 ms and 1.0130 ms, respectively.

Conversely, the proposed protocol requires only seven one-way hashing operations and has the lowest computation overheads. It is, therefore, the most efficient in terms of computation complexities during the authentication and key negotiation phase.

5.2. Communication Overheads

Based on Figure 3, the following messages are exchanged during the AKA phase: {P_U, ℚ_U, ℝ_U,T₁}, {P_S, T₃}, {P_T, T₅} and {B, P_TA,T₆}. Using the values in [40], all user and device identities =128 bits, pseudo-random numbers = 128 bits, symmetric key output = 256 bits, hashing output = 160 bits, certificates =128 bits, nonce = 160 bits, signatures = 160 bits, and timestamp = 32 bits. Therefore, Here, P_U = P_S = P_T = P_TA = 160 bits, ℚ_U = 256 bits, ℝ_U = 160 bits, T₁ = T₃ =T₅ = T₆ = 32 bits, while B = 256 bits. As such, the cumulative communication complexity of the proposed protocol is 1440 bits.

Table 11. Communication costs.

Scheme	Total Costs (Bits)
Shuai et al. [39]	1728
Kaur et al. [40]	1856
Wazid et al. [43]	2268
Wu et al. [47]	2048
Sureshkumar et al. [56]	3296
Proposed	1440

compares this value with other state-of-the-art schemes.

Based on the graphs in Figure 6, the protocol in [56] has the highest communication costs of 3296 bits. This is followed by the schemes in [39,40,43,47] with 2268 bits, 2048 bits, 1856 bits, and 1728 bits, respectively.

On the other hand, the proposed protocol incurs the lowest communication overheads of only 1440 bits during the mutual authentication and key negotiation phase. Therefore, it makes the most effective usage of the available bandwidth.

5.3. Storage Overheads

In the proposed protocol, the SHD stores {ℤ_S, ID_TA} in its memory. Using the values in [40], ℤ_S = 256 bits and ID_TA = 128 bits. Therefore, the cumulative storage overhead in the proposed protocol is 384 bits.

Table 12. Storage overheads.

Scheme	Total Costs (Bits)
Shuai et al. [39]	512
Kaur et al. [40]	384
Wazid et al. [43]	640
Wu et al. [47]	576
Sureshkumar et al. [56]	960
Proposed	384

presents the storage overheads of the other related schemes.

As shown in Figure 7, the protocol in [56] requires the largest storage space of 960 bits. This is followed by the schemes in [39,43,47] with 640 bits, 576 bits, and 512 bits, respectively.

On the other hand, the scheme in [40] and the proposed protocol require the smallest storage space of only 384 bits. As such, they are the most ideal for deployment in memory-constrained smart home devices.

5.4. Attacks Resilience

In this sub-section, security comparative evaluation is accomplished to show the robustness of the proposed protocol against conventional smart home attacks. As shown in

Table 13. Security features comparisons.

	[39]	[40]	[47]	[56]	Proposed
Security feature
Backward key secrecy	-	-	-	-	√
Forward key secrecy	√	√	√	√	√
Mutual Authentication	√	√	×	√	√
Secret key agreement	√	√	√	√	√
Device anonymity	√	√	√	√	√
Protection against:
Packet replays	×	√	×	√	√
Impersonation	√	√	×	√	√
Eavesdropping	-		-	-	√
Man-in-the-middle	-		-	-	√
Denial of service	√	√	√	√	√
Session hijacking	√	√	√	√	√

Legend, √ Effective, × Ineffective, - Not considered.

, the scheme in [47] offers only three security features and is robust against two attacks only. On the other hand, the protocol in [39] provides only four security features and resilience to only three attack vectors.

This is followed by the schemes in [40,56], which offer four security features and resilience against four attacks. On the other hand, the proposed protocol provides five security features and is robust against six attack vectors. It is, therefore, the most secure among other related schemes.

5.5. Experimentations

In this sub-section, the simulation results of the proposed protocol are presented. Owing to the wide acceptance of the network simulation (NS) tool, its latest version, NS3 (3.32), has been deployed. The host machine is an HP Elitebook Core i7 with 8GB of RAM running on Ubuntu 20.04 LTS. Within the coordinate system, the TA is placed at the origin, while the remote users assume a random mobility model. The communication is over IEEE 802.11, operating at a frequency of 2.4 GHz, while the maximum range for the remote users is a square of 180 m, whose center is the TA. The speed of the remote users varies from 0 m/s to 5 m/s. On the other hand, the SHDs are randomly placed at locations between 25 m and 120 m away from the TA. The number of remote users is varied from 5 to 30, while the number of SHDs ranges from 5 to 25. The simulation is then executed for 10 min as the end-to-end latency and throughput are measured. The obtained end-to-end latency results are shown in Figure 8.

Based on the graphs in Figure 8, the value of end-to-end latency increases with the number of SHDs. It is also evident that as the number of users increases, so does the end-to-end latency. This is explained by the processing delays at the TA as the number of authentication requests surges. The graphs are not entirely linear due to other transmission impairments, such as network congestion and packet losses that may trigger re-transmissions. Figure 9 shows the values for the measured throughput as the number of users and SHDs increments.

It is evident from Figure 9 that throughput increases with both the number of users and the number of SHDs. This is attributed to the many bits sent and received across the network when users and devices increase. However, network congestions and packet drops within the network imply that the graphs are not always linear.

6. Discussion

Smart home IoT devices are exposed to numerous attacks due to their vulnerable environment, low computation power, the tendency of users to utilize default device credentials, and insecure networks. Therefore, many security schemes have been developed to secure the smart home network environment. However, most of these schemes still have numerous flaws that render them vulnerable to attacks. Performance degradation occasioned by highly extensive cryptographic operations is another major issue in smart home networks. To this end, highly efficient technologies such as NB-IoT and LoRaWAN have been developed. However, many vulnerabilities exist in these LPWAN technologies that can be exploited to bring the entire network down. For instance, LoRaWAN uses three keys, AppKey, NwkSKey, and AppSKey, that are exposed to risks during message transmissions, key management procedures, key generation phase at the onset of communication sessions, and in storage at the end devices. If these keys are compromised through side-channeling, then other keys derived using them as the basis can be compromised as well. For instance, the compromise of NwkSKey can expose the entire LoRaWAN to attacks. This is because the adversaries are now able to decrypt the exchanged messages. In addition, the LoRaWAN gateway periodically transmits beacons to the network server, and therefore these beacons can be intercepted to launch numerous attacks.

Another serious issue in smart homes is that much attention has been paid to mutually authenticating the remote user to the gateway node, while the mutual authentication between this gateway node and the IoT sensors is largely ignored. In addition, some application layer protocols in IoT, such as the Message Queue Telemetry Transport (MQTT) and Constrained Application Protocol (COAP), do not have adequate security protection. As such, they have to depend on the underlying transport layer security protocols. Unfortunately, these protocols exhibit high computation overheads. To this end, a highly efficient protocol has been developed in this paper, which has been demonstrated to offer sufficient privacy and security protection at the lowest computation, storage, and communication costs. Considering the lowest overheads attained in other related schemes,

Table 14. Percentage improvements.

Metric	Achieved by	Best Performance	Proposed Protocol Score	Improvement
Computation Costs	Wu et al. [47]	1.0130 ms	0.4285 ms	57.7%
Communication Costs	Shuai et al. [39]	1728	1440	16.7%
Storage overheads	Kaur et al. [40]	384	384	0%

presents the percentage improvements achieved by the proposed protocol.

As shown in Table 14, the proposed protocol reduced the computation and communication costs by 57.7% and 16.7%, respectively. Considering the security comparative evaluation in Table 14 above, then it is clear that the proposed protocol records the best performance and also offers salient security features. It is also demonstrated to resist the highest number of attacks. It is, therefore, the most suitable for deployment in the smart home network, where devices are not only resource-limited but also exposed to numerous attacks.

7. Conclusions

Over the recent past, there have been numerous security protocols developed to address security and privacy threats in smart homes. Unfortunately, the majority of these security solutions have performance challenges or still have some security and privacy weaknesses. In this paper, a symmetric key-based authentication protocol is presented. The formal security analysis of the proposed protocol has been accomplished using BAN logic. Based on this formal analysis, it has been demonstrated that the communicating parties negotiate shared session keys for traffic protection over the public internet. In addition, the protocol has been informally analyzed to demonstrate its resilience against common smart home attacks such as packet replays, impersonation, eavesdropping, man-in-the-middle, denial of service, and session hijacking. It has also been demonstrated to provide backward key secrecy, mutual authentication, secret key agreement, device anonymity, and forward key secrecy. Moreover, its performance evaluation has shown that it reduces communication and computation complexities by 16.7% and 57.7%, respectively. Future work lies in the exploration of other cryptographic primitives that can further reduce the reported computation overheads. There is also a need for other innovative ways of assuring the same level of security and privacy using very few message exchanges to reduce communication and storage overheads. The current work was limited to performance evaluation using computation, storage, and communication overheads. There is, therefore, a need to evaluate this protocol using other metrics that were not within the scope of the current work.