Analysis and Improvement of an Authentication Scheme for Fog Computing Services

: Fog computing utilizes devices in the edge network to transmit data with very low latency and supports high mobility. How‐ ever, fog computing inherits security and privacy problems from cloud computing. Therefore, various privacy schemes for fog computing have been proposed to prevent different types of attacks. Recently, Weng et al proposed a fog computing authentication scheme; after ana‐ lyzing, we found that Weng et al 􀆳 s scheme cannot resist user tracking attack and user impersonation attack. Then, we propose an improved scheme through adding a password, modifying the calculation method of E i , and adding timestamps. In addition, we also compare the im‐ proved scheme with existing authentication schemes in terms of security and computational efficiency. The results show that the improved scheme is more secure and has less computation.


Introduction
Cloud computing is a business computing model.It distributes computer tasks to resource pools made up of large numbers of computers, enabling various applications to obtain computing power, storage space, and information services as needed.However, compared with traditional decentralized computing, cloud computing centralizes computing resources, and risks are centralized together.Therefore, cloud computing cannot meet the needs of high mobility, location-aware, and lowlatency applications [1] .Fog computing was born to eliminate the limitations of cloud computing and is used to be a link between the Internet of Things devices and the cloud [1] .In fog computing, fog services are distributed at the margin of the network and close to terminal equipment geographically [2] , so some data can be processed and stored directly in the fog layer.As a result, fog computing can reduce the pressure on the cloud, improve transmission rates, and reduce latency.
Fog computing can effectively decentralize computational and analytical power and help reduce bandwidth usage.However, fog nodes are often deployed in remote and unprotected places [3] , and rely on insecure public channels for data transmission between users and fog servers, as well as fog servers and cloud servers.There-fore, secure identity authentication is critical in fog computing.
Many researchers have recently proposed identity authentication schemes in fog computing environments.Lampot first proposed a remote authentication scheme in an insecure environment in 1981 [4] .Then, many twofactor authentication schemes based on Hashes, smart cards, and temporary certificates were proposed [5][6][7][8][9][10] , but most of them have security issues.Then, lots of threefactor authentication schemes [1,[11][12][13][14][15] based on fog computing were proposed.In 2019, Ma et al [16] proposed an authenticated key agreement protocol without bilinear pairing and claimed that their scheme achieves mutual authentication, generates a securely agreed session key for secret communication, and supports privacy protection.In 2021, Chen et al [17] proposed an authenticated key exchange scheme for fog computing.However, after analysis, Rana et al [18] found that Chen et als scheme [17] does not provide user anonymity and is also not resistant to tamper-proof device stolen attack, user impersonation attack, fog node impersonation attack, insider attack, and known session key attack.In 2021, Weng et al [15] proposed a lightweight anonymous mutual authentication and secure communication scheme and claimed that their scheme only uses one-way Hash functions, and XOR operations and security can be ensured.
In this paper, we point out the shortcomings of Weng et als [15] scheme.Weng et als scheme cannot resist user traceability attack and user impersonation attack.Therefore, we propose an improved scheme through adding a password, modifying the calculation method of E i , and adding timestamps.We also compare security features and computation costs between the improved scheme and the other four schemes [3,[15][16][17] .
The rest of the paper is structured as follows: Section 1 briefly reviews Weng et al  s scheme.Section 2 analyses the shortcomings of Weng et al  s scheme.In Section 3, an improved scheme is presented.Section 4 provides a security analysis and comparison of the enhanced scheme.Section 5 concludes the paper.

Review of Weng et al􀆳s Scheme
In Weng et als scheme [15] , there are two mutual authentication and key agreement phases: one is the authentication and key agreement phase of edge user EU i and fog server FS j , and the other is the authentication and key agreement phase of edge device ED k and fog server FS j .Through analysis, we find that the two phases similarly implement mutual authentication and key agreement.So, in this section, we only review the authentication and key agreement phase of edge user EU i and fog server FS j .There are three participants in Weng et als scheme: cloud server, fog servers, and edge users.Fog servers and edge users all register to the cloud server, and then edge users and fog servers authenticate with each other and agree on the same session keys with the help of the cloud server.Weng et als scheme [15] consists of the following steps.The notations used in this article are listed in Table 1.

Description
The cloud server The j-th fog server i-th edge user and his/her smart device The identity of EU i , FS j , respectively i-th edge users password and biometric

Biometric secret key and Public reproduction parameter
The pseudonym of EU i and FS j , respectively The long-term secret keys chosen by CS The master secret key of CS 160-bit random secret number of EU i 128-bit random number of CS, FS j and EU i , respectively

System Initialization
The cloud server CS generates a master secret key MK, and two long-term secret keys K cf and K cu , and keeps them secret.CS chooses a one-way Hash function h(•).

Fog Server Registration Phase
Fog server FS j selects a unique identity ID j and sends identity ID j to CS via a secure channel.On receiving ID j , CS generates a pseudonym TID j , and computes Then CS sends {TID j , B j , h(MK||K cf )} to FS j and maintains {TID j , ID j , B j } in a protected verifier table of FS j .Finally, FS j stores TID j , B j , and h(MK||K cf ) in its memory.

Edge User Registration Phase
Edge user EU i selects a unique identity ID i and imprints his/her biometric BIO i into smart device MD i .MD i generates a 160-bit random secret number n u and computes A i =h(ID i ||BIO i ||n u ).Then MD i sends {A i , ID i } to CS through a secure channel.After receiving ID i and A i , CS generates a pseudonym TID i , and computes Then CS sends {TID i C i D i h(×)h(K cu )} to EU i via a secure channel and maintains {TID i B i } in a protected verifier table of EU i .Finally, EU i  s smart device stores {TID i C i D i h(×)h(K cu )n u } in its memory.

Authentication and Key Agreement Phase
In this phase, an edge user EU i wants to access a fog server FS j through a public channel, the cloud server CS can help EU i and FS j to authenticate each other and achieve a session key SK ij .The specific steps are as follows.
Step 1: EU i first inputs ID' i and BIO' i into his/her smart device.Then, MD i retrieves n u and h(K cu ) to compute and checks whether C' i = C i .If it is true, it means EU i is a legal user, then smart device MD i selects a 128-bit random number r u and computes Finally, MD i sends the message M u1 = {TID i E i F i } to FS j through a public channel.
Step 2: On receiving M u1 , FS j selects a 128-bit random number r f and retrieves TID j , B j , and h(MK||K cf ) to compute Finally, FS j sends messages M u1 and M u2 = {TID j , O j , P j } to CS through a public channel.
Step 3: On receiving M u1 and M u2 , CS inspects M u1 and searches the verifier table of EU i in its database to find entry that match TID i .If there is no matching entry, CS rejects the request and terminates the session.Otherwise, CS retrieves B i and Then CS checks whether F' i = F i .If it is not true, CS terminates the session.Otherwise, the legitimacy of EU i is authenticated by CS.
Step 4: CS further inspects M u2 and searches the verifier table of FS j in its database to find entry that match TID j .If there is no matching entry, CS rejects the request and terminates the session.Otherwise, CS retrieves B j and Then CS checks whether P' j = P j .
Step 5: After verifying the validity of EU i and FS j , CS refreshes pseudonyms for EU i and FS j by computing And CS replaces TID i with TID new i in the verifier table of EU i , replaces TID j with TID new j in the verifier table of FS j .CS further selects a 128-bit random number r c and computes Step 6: On receiving M u3 and M u4 , FS j computes TID new If T ' j = T j , EU i believes that CS and FS j are legal parties and stores the shared session key SK ij for future secure communication.

Attacks on Weng et al􀆳s Scheme
This section will show that Weng et als scheme [15] is vulnerable to user traceability and impersonation attacks.Further details are provided in the following subsections.

User Traceability Attack
Weng et als scheme [15] cannot resist user traceability attack.The following steps show the process of user traceability attack.
Step 1: In the first authentication, if a user EU i sends a message M U1 ={TID i  E i  F i } trying to contact a fog server FS j , one attacker may intercept the message M U1 , and then he/she saves {E i , TID i }.At the end of this authentication, the cloud server CS and the user will update the pseudonym by (1).Lastly, the first authentication ends.
But through ( 1) and ( 2), the attacker can know Step 2: In the second authentication, assume that three users EU A , EU B , EU C , and the same user EU i all send messages trying to contact a fog server FS g .EU A sends message }, the attacker intercepts four messages M U1a , M U1b , M U1c , M U1i and uses the previous intercepted E i and TID i to calculate The attacker also saves the intercepted messages M U1a , M U1b , M U1c and M U1i .At the end of the second authentication, the new pseudonym of user EU i has been updated to TID new2 i .
Step 3: In the third authentication, assume that three users EU J , EU K , EU L and the same user EU i send messages trying to contact a fog server FS l .The four users send messages After calculating ( 4) and ( 5), the attacker will find that Thus, user traceability attack can be successful.

User Impersonation Attack
Weng et als scheme [15] cannot resist user impersonation attack and the attack can be simulated as follows.
Step 1: According to the Section 2.1, the attacker can obtain the value of A i ÅD i of edge user EU i .Based on user traceability attack, the attacker intercepts the message } sent by EU i to the fog server.According to (6), the attacker can calculate the random number r' u chosen by edge user EU i this time; then, the attacker can calculate the new pseudonym updated by the user and cloud server CS at the end of this authentication by (7).
Step 2: Assume that the attacker is a legitimately registered user, then, based on the analysis in Step 1, the attacker can know A i ÅD i TID new4 i h(K cu ).In the login and authentication phase, the attacker selects a fog server FS j that he/she wants to contact and picks a random number r A , calculates Then, the attacker sends the message Step 4: Upon receiving the message M * u1 , FS j chooses a random number r f1 , and calculates O j1 = B j År f1 , P j1 = h(h(MK||K cf )||TID new j ||r f1 ).
FS j sends the message M * U1 M * U2 ={TID new j O j1 P j1 } to the cloud server CS, where TID new j is the fog server FS j s pseudonym.
Step 5: On receiving messages M * U1 M * U2 CS first checks the validity of pseudonyms; it is evident that TID new4 i ,TID new j is valid, and then CS computes This verification can pass, and the attacker can successfully impersonate user EU i .Then, cloud server CS chooses a random number r c1 , and computes Then, the cloud server CS sends M U3 ={Q j1 , R j1 }, M U4 ={S j1 ,T j1 } to the fog server FS j .
Step 6: After receiving M U3 and M U4 from CS, the fog server FS j computes TID new2 Eventually, the attacker and the fog server FS j agree on a session key SK ij with the help of the cloud server CS.

The Improved Scheme
To overcome the shortcomings of Weng et al  s scheme [15] , we propose an improved scheme in this section.In the registration phase, we add a password to make the improved scheme more complete, and we also avoid sending h(k cu ) and h(MK||K cf ) directly, this can prevent attackers from performing impersonation attack.In the login and authentication phase, to ensure that the improved scheme is resistant to user traceability attack, we also modify the calculation of E i and add timestamps.The following is a detailed description of the improved scheme.

Deployment Phase
The cloud server CS generates a master secret key MK and two long-term secret keys K cf and K cu and keeps them secret.CS chooses a one-way Hash function h(•).

Fog Server Registration Phase
Fog server FS j selects a unique identity ID j and registers itself with CS by sending identity ID j to CS via a secure channel.On receiving ID j , CS generates a pseudonym TID j and a random secret number n f and computes B j = h(ID j ||K cf ) and h(MK||K cf ||n f ).CS publicizes fog server FS j  s identity ID j .Then CS sends {TID j , B j , h (MK||K cf ||n f )} to FS j and maintains {TID j , ID j , B j , n f } in a protected verifier table.Finally, FS j stores TID j , B j , and h (MK||K cf ||n f ) in its memory.The fog server registration phase is illustrated in Fig. 1.

Edge User Registration Phase
Edge user EU i selects a unique identity ID i , PW i , and imprints his/her biometric BIO i into a smart device.EU i s smart device MD i generates a random secret number n u and computes Gen( Then MD i sends {A i , ID i , PPW i } to CS through a secure channel.After receiving ID i , A i and PPW i , CS generates a psedonym TID i and computes Then CS sends {TID i C i D i h(×)h(K cu ||PPW i )} to EU i via a secure channel and maintains {TID i B i H i } in a protected verifier table.Finally, MD i computes Then, MD i stores {TID' i C i D i h(×)Kn u Rep(×)τ i } in its memory.Edge user registration phase is explained in Fig. 2.

Authentication and Key Agreement Phase
In this phase, if an edge user EU i wants to access a fog server FS j through a public channel, EU i and FS j au- thenticate each other with the help of the cloud server CS and establish a session key SK ij .The detailed steps are as follows and the detailed process is explicated in Fig. 3.
Step 1: EU i first inputs ID' i PW' i and imprints BIO' i into his/her smart device MD i .Then, MD i computes checks whether C' i = C i .If it does not hold, the smart device MD i rejects the request and terminates the session.Otherwise, it means that this user is a legitimate smart device holder.Then, user EU i selects a fog server FS j that he/she wants to contact, selects a random number r u , and generates a current timestamp Finally, MD i sends the request message M u1 = {TID i M i V i T 1 } to FS j through a public channel.
Step 2: On receiving M u1 , FS j first checks the freshness of the message.Then, FS j selects a random number r f and a current timestamp T 2 , and retrieves TID j , B j , and Finally, FS j sends messages M u1 and M u2 ={TID j , M j , V j , T 2 } to CS through a public channel.
Step 3: On receiving M u1 and M u2 , CS first checks the freshness of the messages.If true, CS retrieves B i , H i and B j , ID j , n f according to TID i and TID j , respectively.

Then CS computes PPW'
If it is not true, CS terminates the session.Otherwise, the legitimacy of EU i is authenticated by CS.CS further computes Step 4: After verifying the validity of EU i and FS j , CS refreshes new pseudonyms for EU i and FS j by computing and replaces TID i with TID new i in the verifier table of EU i , replaces TID j with TID new j in the verifier table of FS j .CS further selects a random number r c and a current timestamp T 3 to compute Step 5: On receiving M u3 and M u4 , FS j computes If K ' i = K i , EU i believes that CS and FS j are legal parties and stores the shared session key SK ij for future secure communication.Then, EU i computes and replaces TID′ i with TID′ i new in smart devices memory.

Security Analysis
This section analyzes security of the improved scheme.We demonstrate the improved schemes security features and resilience against various attacks.

User anonymity
The improved scheme has strong anonymity.During the authentication and key agreement phase, the edge users identity is never shared openly or sent over the public channel; instead, the edge user sends his/her pseudonym TID i .Even if an attacker intercepts the edge user  s pseudonym TID i , he/she cannot know the user  s identity ID i .

Password guessing attack
Assuming that an attacker gets all information {TID' i C i D i h(×)Kn u Rep(×)τ i } stored in the mobile device, the attacker performs password guessing attack based on PPW i = h(n u ||PW i ).However, the attacker must know the values of PPW i and n u .Although the attacker knows the value of n u , he/she cannot know the value of PPW i .So, the attacker cannot guess the password.

Replay attack
An attacker may resend previous messages to cloud server for replay attack.However, this will not succeed because the improved scheme contains timestamp verifications, and the timestamps in past messages are not within an acceptable range.Resending past messages will cause the session to terminate.Even if an attacker can modify the timestamp T 1 , the attacker does not know D i , A i , and h(K cu ||PPW i ), then the corresponding values M i and V i cannot be modified based on the new timestamp.Finally, the value of V i sent by the attacker differs from V ' i calculated by the cloud server CS by (8), and verification V ' i = ?V i cannot pass.Therefore, the improved scheme can resist replay attack.

User untraceability
In the mutual authentication and key agreement phase, the users identity is hidden by sending the pseudonym TID i , and the user  s pseudonym TID i is updated every time by (9).Due to the inclusion of random number r u in (9), the user  s pseudonym will be different each time.Therefore, the attacker does not know what the user  s next pseudonym TID new i will be.
When the attacker intercepts EU i s request message M u1 ={TID i , M i , V i , T 1 }, and stores {TID i , M i } as described in Section 2.1.
In the second authentication, even if the attacker intercepts EU i s message In the third authentication, assuming that the attacker intercepts EU i  s request message Because h(D i ÅA i ÅT 1 ) and h(D i ÅA i ÅT ' 1 ) contain timestamps T 1 T ' 1  which makes the value of h(D i ÅA i Å T 1 ) is not equal to the value of h(D i ÅA i ÅT ' 1 ).Therefore, even if the attacker intercepts messages from the same user EU i , the result of M i ÅTID new i ÅTID i will be different every time, and the user traceability attack cannot be performed.

User impersonation attack
If an attacker intercepts by edge user EU i on the public channel and assumes that the attacker obtains the users data stored in the mobile device  s memory {TID' i C i D i h(×)Kn u Rep(×)τ i }, if an attacker wants to impersonate the user to spoof the cloud server successfully, he/she must construct new M i and V i based on ( 10) and ( 11), so that the verification of the V i can pass.Still, the attacker cannot construct a correct M i and V i , because the attacker cannot obtain the values of D i , A i , and h(K cu ||PPW i ).Therefore, the attacker cannot impersonate an edge user.

Session key agreement
The improved scheme can achieve secure session key agreement.Edge user, fog server, and the cloud server CS can compute a shared session key SK ij = h(r u År f År c ).And the attacker cannot compute the correct session key because the random numbers r u , r f and r c chosen by the three entities are protected by ( 12), ( 13), ( 14), (15); the attacker does not know the value of the random number r u , r f and r c in the session key, so security of the session key in the improved scheme is guaranteed.
M j = r f Åh(B j ||T 2 ) (13) 4.1.7Mutual authentication In the improved scheme, edge users, fog servers, and the cloud server can authenticate each others identity.For example, the cloud server can authenticate the edge users identity through the verification of V i in (16), because the calculation of V i includes h(K cu ||PPW i ), only edge user EU i and the cloud server CS know the value of h(K cu ||PPW i ).Cloud server CS authenticates the fog server  s identity via V j in (17), because only fog server FS j and CS know the value of h(MK||K cf ||n f ).Therefore, the attacker cannot impersonate the edge user or fog server.

Scheme
Ma et al [16] Jia et al [3] Chen et al [17] Weng et al [15] Our scheme Because of the use of fuzzy extractor, the improved scheme requires more computation than Weng et al  s scheme [15] .However, the improved scheme can resist various known attacks and is more secure.It is worthwhile to add some necessary computations to ensure communication security.

Conclusion
In this paper, we find that Weng et als authentication scheme is not resistant to user traceability attack and user impersonation attack.We propose an improved scheme to overcome the weaknesses of Weng et al  s scheme.We compare the improved scheme with several existing authentication schemes in terms of security features and calculation costs.The improved scheme not only completely overcomes the drawbacks of Weng et als scheme but also meets the lightweight feature.Therefore, the improved scheme is suitable for use in fog computing.

Fig. 2
Fig. 2 Edge user registration where A i and D i are constant, then the attacker can determine the messages M U1 , M U1i and M new U1i are from the same user EU i .When a user EU k contacts a fog server FS n with the new pseudonym TID new3 k next time, the attacker can judge whether EU k is EU i by calculating TID new2