S6AE: Securing 6LoWPAN Using Authenticated Encryption Scheme

IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN) has an ample share in the Internet of Things. Sensor nodes in 6LoWPAN collect vital information from the environment and transmit it to a central server through the public Internet. Therefore, it is essential to secure communications and to allow only legitimate sensor nodes to access network resources. This paper presents a lightweight Authentication and Key Exchange (AKE) scheme for 6LoWPAN using an authenticated encryption algorithm and a hash function. Upon successful authentication, sensor nodes and the central server can establish the secret key for secure communications. The proposed scheme ensures header verification during the AKE process without using the IP security protocol and, thus, has low communication and computational overheads. The logical correctness of the proposed scheme is validated through Burrows–Abadi–Needham logic. Furthermore, automatic security analyses using AVISPA illustrate that the proposed scheme is resistant to various malicious attacks in 6LoWPANs.


Introduction
Low Power Wireless Personal Area Networks (LoWPANs) are an essential part of the Internet of Things (IoT) and are composed of resource-constrained devices compliant with the IEEE 802.15.4 standard. LoWPAN is a promising technology [1,2] with potential applications in smart grids, home automation, e-health-care, battlefield, and security surveillance. Such networks are constrained in storage capacity, transmission range, computational capabilities, power resources, and data rate. To provide Internet connectivity to LoWPAN devices, IPv6 is considered to be the most suitable solution [3,4]. However, IPv6 is a resource-intensive protocol originally designed for desktop and server environments and has a minimum MTU of 1280 bytes, whereas the maximum physical layer frame size for IEEE 802.15.4 is 127 bytes [5,6].
To make the IPv6 frame size tractable for the IEEE 802.15.4 physical layer, the Internet Engineering Task Force has standardized an IPv6 over LoWPAN (6LoWPAN) adaptation layer [7]. This layer provides

Contribution and Paper Organization
This paper proposes a lightweight AKE scheme, called Securing 6LoWPAN using Authenticated Encryption Scheme (S6AE), which provides mutual authentication between the server and sensor nodes and also ensures header verification during the authentication process without employing the IPSec protocol. S6AE employs the well-known ASCON algorithm for authenticated encryption in 6LoWPANs. To the best of our knowledge, ASCON has never been employed in the literature for securing 6LoWPANs. Additionally, S6AE employs the SHA-256 hash function and bit-wise XOR operations to achieve AKE in 6LoWPANs. SHA-256 is used to generate unique output strings from the S6AE secret parameters. To decrease the communication overhead by reducing the message size, the 256-bit SHA-256 output must be shortened to 64 bits with minimal computational cost and without compromising security. For this purpose, we use bit-wise XOR operations. The key contributions of this paper are listed below.

• The proposed scheme provides end-to-end security, mobility support, and header integrity.
• Informal security analysis and formal validations using Burrows-Abadi-Needham (BAN) logic and Automated Validation of Internet Security Protocols and Applications (AVISPA) illustrate that S6AE secures 6LoWPANs against various malicious attacks.
• Comparative analysis with eminent existing schemes demonstrates that S6AE is more efficient and provides better security features with less computational and communication overhead, memory utilization, and energy consumption.
The remainder of the paper is organized as follows. System models and preliminaries are discussed in Section 2. Section 3 details the proposed S6AE scheme, and Section 4 provides security analysis of S6AE scheme. Performance evaluation is presented in Section 5. Finally, the paper is concluded in Section 6.

System Models
This section presents the models and preliminaries used in the proposed scheme.

Network Model and Security Assumptions
This paper considers the network model shown in Figure 1 for the authentication process. The 6LoWPAN network model consists of sensor nodes (SNs), the domain router (6LDR), the access router (6LAR), and the central server (CS). SNs collect information from the surrounding environment and transfer the collected data to CS for further processing. Moreover, 6LDR provides Internet connectivity to the SNs in a domain. 6LAR provides inter-connectivity with CS in the IPv6 cloud. It is assumed that the communications among 6LAR, 6LDR, and CS are secure. Besides, it is assumed that CS is reachable by SNs, 6LDR, and 6LAR. 6LDR registers itself with CS through a secure channel. Additionally, SNs and 6LDR exchange their pseudo-identities (SIDs) through the neighbor discovery (ND) protocol. Furthermore, each 6LDR registers itself with 6LAR. All the devices in 6LoWPAN learn the global routing prefix of CS through 6LAR. Moreover, each SN generates an IPv6 address using the IEEE extended unique identifier mechanism or the personal area network identity [21].

Threat Model
The Dolev-Yao (DY) model [22] is the threat model used in S6AE. According to the DY model, an intruder can intercept and record the messages exchanged between two communicating entities in 6LoWPAN. Communications among the entities in 6LoWPAN are public in nature. If an adversary has knowledge of the private key, it can encrypt and decrypt messages and perform unlawful activities, such as modifying or forging the captured messages. The communicating entities, such as SNs and 6LDRs, are considered to be untrusted under the DY model. An adversary can capture an SN, owing to its hostile deployment environment, and can extract the sensitive information stored in its memory by employing a power analysis attack. However, CS is a central and vital component in the 6LoWPAN environment, and it cannot be compromised by an adversary.

Hash Function
A hash function takes a variable-size input string and returns a fixed-size output string. Each hash function must obey the following properties.

• The output of the hash function for two different inputs, n and m, can never be the same, i.e., H(n) ≠ H(m).
• It is not possible to compute the input, z, from the output of a hash function, H(z), i.e., z cannot be recovered as (H(z))^−1.

ASCON
ASCON is an authenticated encryption with associated data scheme [23] that works on the design principle of the duplex sponge architecture. Moreover, ASCON is a symmetric, inverse free, single pass, and online block cipher. Broadly speaking, there are two versions of ASCON: (i) ASCON-128, which takes a 64-bit data block and generates 64 bits of ciphertext along with a 128-bit authentication tag, and (ii) ASCON-128a, which takes a 128-bit data block and generates 128 bits of ciphertext along with a 128-bit authentication tag. The architecture of ASCON is given in Figure 2 and works in the following four stages [23].
Initialization: In this stage, ASCON computes the initial input to the ASCON state by combining the Initialization Vector (IV), nonce, and key. The size of the ASCON state is 320 bits.
Associated Data (AD) Processing: This stage processes AD, i.e., the data block that is transmitted in unencrypted form, while at the same time ensuring the integrity of that block.
Plaintext Processing: In this stage, ASCON takes plaintext as input and generates the ciphertext as output.
Finalization: In the final stage, ASCON generates the authentication tag, which ensures the integrity and authenticity of the ciphertext and AD.
Furthermore, the substitution and permutation network of ASCON comprises a 5-bit S-box, bit-wise XOR, and rotation operations. Thus, ASCON is suitable for resource-constrained devices, such as embedded systems and radio frequency identification tags, because of its lightweight property and minimal overheads [24][25][26]. For securing 6LoWPANs, the proposed S6AE scheme borrows the standard ASCON encryption design, which provides confidentiality and authenticity of data simultaneously. Additionally, S6AE employs the SHA-256 hash function and bit-wise XOR operations to achieve AKE in 6LoWPANs.

Figure 2. ASCON architecture: initialization phase, associated data processing phase, plaintext processing phase, and finalization.

The Proposed S6AE Scheme
S6AE verifies the legitimacy of SNs at the CS and validates the integrity and authenticity of messages exchanged between SNs and the CS in 6LoWPANs. In S6AE, after verifying the authenticity of SNs, CS and SNs establish secret keys using ASCON as the encryption scheme. SHA-256 is used to generate unique output strings from the S6AE secret parameters, and bit-wise XOR operations are used to reduce the computational and storage costs. S6AE consists of the registration phase, the AKE phase, and the handover phase. A static or mobile SN must execute the first two phases, whereas only a mobile SN needs to execute the handover phase. The notations used in this paper are listed in Table 1.

Table 1. Notations.
CS, SN: Central server and 6LoWPAN sensor node
SID sn , SID ldr : Pseudo-identities of sensor node and 6LDR, respectively
ID sn , SP 1 : Secret real-identities of 6LoWPAN sensor nodes and secret parameter used in the authentication process
E k {x}, D k {x}: Encryption and decryption of message "x" using the secret-key "k"

Sensor Registration Phase
This phase deals with the registration of SN before its deployment in 6LoWPAN. CS performs the following operations to register SNs. It
• calculates the master key K m by computing K m = H(ID cs r cs ), where ID cs is the real identity of CS and r cs is a random number. CS divides K m into four equal chunks of 64 bits, namely K 1 m , K 2 m , K 3 m , and K 4 m , and computes from them K cs , a temporary key for CS.
• assigns a unique ID sn of 64 bits for SN.
• picks a key K sn of 64 bits for SN and computes the pseudo-identity SID sn = ID sn ⊕ K sn ⊕ K cs .
• computes H r = H(K m K sn ID sn ) and derives the security parameter SP 1 from H 1 r , H 2 r , H 3 r , and H 4 r , the four equal 64-bit chunks of H r .
Finally, CS stores the SN-related secret information, i.e., {ID sn , SP 1 , K sn , K cs , MAC sn }, in its database and {ID sn , SP 1 , SID sn , K sn , MAC cs } in the memory of SN, making use of a secure channel. CS also stores SID sn in 6LDR's memory through a secure channel.

Sponge State Generation
The initialization phase of ASCON consists of 320 bits, known as the initialization state S k . In the proposed scheme, S k is derived as follows. SN
• generates a random number R 1 of 64 bits and a time stamp T sn of 32 bits,
• computes IV sn = R 1 SID sn , where IV sn is an initialization vector for SN,
• computes H s = H(ID sn SID sn SID ldr T sn ) and derives S k = IV sn H 24 s , where H 24 s is the first 24 bytes of H s .
The size of S k is 320 bits (H 24 s = 24 bytes + IV sn = 16 bytes), and it serves as the input to the encryption algorithm during the initialization phase.

Associative Data Generation
The proposed S6AE scheme generates AD from the compressed IPv6 and User Datagram Protocol (UDP) headers [8,21]. The header size is 10 bytes after compression. The following Immutable Fields (IF) are used to generate AD: dispatch, internet protocol header compression, context identifier, next header compression, destination interface identifier, UDP ports, UDP checksum, the global routing prefix of 6LoWPAN (G6), and the global routing prefix of CS (GC). CS stores the MAC of SN and SN stores the MAC of CS. The hop limit field is mutable and is therefore not incorporated in AD generation. The following operations are performed to generate AD.

• SN computes H ad = H(IF sn G6 GC MAC sn ). It then divides H ad into two equal parts, i.e., H 1 ad and H 2 ad , each of 128 bits.
• SN computes AD = H 1 ad ⊕ H 2 ad and divides AD into two equal parts, i.e., AD 1 and AD 2 , each of 64 bits.
• The encryption algorithm takes AD 1 and AD 2 as the inputs at the associative data processing phase to preserve their integrity.

Remark 1.
During the registration process of SN, CS stores the credential information in SN's memory. Based on this secret, S6AE computes S k , which is the initialization phase of the encryption algorithm as discussed in Section 3.2. The unencrypted information, such as IPv6/UDP information, is used for the associative data processing phase of the encryption algorithm, which is described in Section 3.3. The same process is repeated at the receiver side for decryption.

Authentication and Key Exchange
In this phase, SN achieves anonymous authentication and key agreement with CS via the intermediate nodes, 6LDR and 6LAR. After establishing a secret key, SN and CS can exchange data securely. S6AE exchanges four messages to accomplish the authentication process. The details of the messages exchanged in the proposed scheme are given below.

3.4.1. Step AKE-1
SN generates a random number R s1 of 64 bits and a timestamp T sn of 32 bits for computing X = ID sn ⊕ R s1 ⊕ SP 1 and Y = ID sn ⊕ R s1 , where the sizes of X and Y are 64 bits. The encryption algorithm takes S k as the shared secret input during the initialization phase, AD 1 and AD 2 (computed in Section 3.3) at the associative data processing phase, and X Y at the plaintext processing phase, and produces the ciphertext C 1 = E S k {AD 1 , AD 2 , X Y } and Tag sn , which is generated automatically by ASCON. C 1 ensures the confidentiality of the plaintext X Y . The generated Tag sn guarantees the authenticity and integrity of the ciphertext C 1 at the receiving end. Tag sn provides the same functionality as a Message Authentication Code (MAC). SN also computes Z = SID sn ⊕ SID ldr , where SID ldr is the temporary identity of 6LDR. After performing the above operations, SN constructs the message M1 : T sn Z C 1 Tag sn R 1 and forwards it to 6LDR to be processed further.

Remark 2.
There are various encryption algorithms, such as the Advanced Encryption Standard (AES), that provide confidentiality. However, AES does not provide authentication of data. To achieve the required authentication, another algorithm is required, such as a MAC algorithm. In contrast, any authenticated encryption scheme can be used to achieve both confidentiality and authenticity of the communicated message, because such schemes generate the ciphertext as well as an authentication tag. The authentication tag renders the same functionality as the MAC algorithm. This implies that an authenticated encryption scheme provides the same functionality as AES and a MAC combined. An AKE scheme based on AES requires another cryptographic algorithm to achieve the authenticity of messages.
The main idea here is to use ASCON to achieve the combined functionality of AES + MAC with a single algorithm (i.e., ASCON), which generates its own MAC to be validated at the destination. To check the integrity of transmitted messages, we do not employ any other MAC. In this way, we are able to reduce the computational cost, as shall be demonstrated in the performance evaluation section.

3.4.2. Step AKE-2
After receiving M1 from SN, 6LDR picks out Z from the received message and computes SID r = Z ⊕ SID sn . 6LDR compares SID r with the SID ldr stored in its memory. If SID r and SID ldr are the same, 6LDR appends its SID ldr to the received M1, generating the new message M2 : SID ldr M1, and forwards it to 6LAR. Otherwise, 6LDR aborts the AKE process and sends an error message back to SN.

3.4.3. Step AKE-3
6LAR receives the newly generated M2 from 6LDR and checks SID ldr against the current list of registered devices. If 6LAR does not find SID ldr in the list, it aborts the AKE process and adds the unverified SID ldr to the blacklist. On the contrary, upon successful verification of the SID ldr in M2, 6LAR picks a timestamp T lar and computes H lar = H(M2 SID lar T lar K lar ), where K lar is the pre-shared key between 6LAR and CS, and SID lar is the temporary identity of 6LAR. 6LAR then generates the message M3: SID lar T lar M2 H lar and forwards it to CS for further processing.

3.4.4. Step AKE-4
Upon receiving M3 from 6LAR, CS retrieves the secret information related to 6LAR, such as K lar , using SID lar . CS also checks the validity of T lar by verifying that M3 was received within the maximum transmission delay (T d ) limit, i.e., T d ≥ T r − T lar , where T r is the timestamp at which M3 was received. To verify the integrity of M3, CS computes H lar = H(M2 SID lar T lar K lar ). If the computed H lar and the received H lar are not identical, CS aborts the AKE process and adds 6LAR to the current list of fake devices. After checking the integrity of M3, CS retrieves M2 from M3 and checks whether the condition T d ≥ T r − T sn holds. If the condition does not hold, CS rejects M2. Moreover, CS also checks whether a valid SID ldr exists in the current list of 6LDR devices. On successful verification of SID ldr , CS picks Z from M2, derives SID sn by computing SID ldr ⊕ Z, and checks whether SID sn exists in its database. After the verification of SID sn , CS retrieves the information stored in its database, such as ID sn , K cs , K sn , and SP 1 .

3.4.5. Step AKE-5
CS generates IV cs by concatenating R 1 with SID sn , which are attached to the received M2. CS also computes H s = H(ID sn SID sn SID ldr T sn ) to derive S k . It is important to mention here that the 320 bits of S k are the concatenation of IV cs and H 24 s , i.e., S k = IV cs H 24 s , where H 24 s is the first 24 bytes of H s (which is 32 bytes). The size of S k is 40 bytes. Moreover, CS determines AD by using the received header information and the MAC sn stored in CS's database, computing AD x = H 1 ad ⊕ H 2 ad and dividing AD x into two parts, i.e., AD 1 and AD 2 . AD is the input to the encryption algorithm, and its purpose is to ensure the integrity of the header information. The detailed process of computing AD is given in Section 3.3. In addition, CS performs the decryption operation D S k {AD 1 , AD 2 , C 1 }, where S k is the input at the initialization phase, AD 1 and AD 2 are the inputs at the associative data processing phase, and C 1 is the input at the ciphertext processing phase, as shown in Figure 2. Moreover, the decryption algorithm generates Tag g before extracting the plaintext information. ASCON generates the authentication tag automatically after processing AD and the ciphertext. Then CS checks the condition Tag sn = Tag g , where Tag sn is received with M1. An inverse free authenticated encryption scheme generates the same authentication tag during the encryption and decryption processes if there is no modification in AD and the ciphertext. However, if there is any modification in the communicated message, the generated authentication tag will be different, which causes the failure of the authentication process in the proposed AKE. If the condition holds, the decryption process reveals the plaintext information; otherwise, CS aborts the AKE process. The revealed plaintext, after the decryption of C 1 , includes X and Y. CS picks the retrieved ID sn and performs the ID sn ⊕ Y operation to determine R s1 , and then computes SP 1 ′ = ID sn ⊕ R s1 ⊕ X.
Furthermore, in order to check the legitimacy of SN, CS checks the condition SP 1 ′ = SP 1 . If the condition holds, CS registers SN as a legitimate device; otherwise, CS aborts the AKE process.

3.4.6. Step AKE-6
After verifying the legitimacy of SN, CS picks a timestamp T s of 32 bits. CS picks three random numbers R s2 , R 2 , and R n , each of 64 bits. CS then computes H r = H(K cs R n ID sn ) and calculates a new security parameter SP n 1 by computing SP n R s2 ). Moreover, for secure handover from one domain to another, as shown in Figure 1, CS calculates a unique ticket T sn ic for SN by computing T sn ic = ID sn ⊕ R s2 ⊕ R s1 Y 1 ⊕ SP n 1 ). SN will make use of the generated T sn ic during the handover process. CS also picks the expiry time T exp (32 bits) of T sn ic . In addition, the encryption algorithm takes S k during the initialization phase, AD 1 and AD 2 during the associative data processing phase, and SP n 1 R s2 during the plaintext processing phase, in order to generate C 2 = E S k {AD 1 , AD 2 , SP n 1 R s2 } and Tag cs . Moreover, CS constructs the message M4: T cs T exp X 1 C 2 Tag cs R 2 and forwards it to 6LAR. 6LAR and 6LDR simply relay M4 to SN. Furthermore, CS stores the parameters {ID sn , SP 1 , SP n 1 , K cs , T sn ic , T exp } in its memory.

3.4.7. Step AKE-7
After receiving M4, SN checks the validity of the timestamp T s by checking the condition T d ≥ T r − T sn , where T d is the maximum allowed delay and T r is the time at which M4 is received. SN rejects M4 if T s exceeds the maximum allowed delay. SN picks R 2 , X 1 from the received M4 and calculates IV sn is the first 24 bytes of H s . Next, SN calculates AD by computing H ad = H(IF cs G6 GC MAC cs ) and AD x2 = H 1 ad ⊕ H 2 ad , and divides AD x2 into two parts, i.e., AD 1 and AD 2 . The decryption algorithm takes S k as the input during the initialization phase, AD 1 and AD 2 during the associative data processing phase, and C 2 during the ciphertext processing phase, and performs the decryption operation D S k {AD 1 , AD 2 , C 2 } to generate Tag sn . In the final step, SN checks the condition Tag cs = Tag sn . If the condition holds, the decryption algorithm reveals the plaintext information, i.e., SP n 1 R s2 . Additionally, SN computes the session key K se by computing , which will be used during the handover process. Finally, SN stores the parameters {ID sn , SP n 1 , SID sn , K sn , T sn ic , T exp } in its memory. The AKE phase of the proposed scheme is summarized in Figure 3.

Handover Phase
In the proposed scheme, a sensor node can move from network Domain-1 to another Domain-2, as shown in Figure 1. Hence, it is essential to verify the authenticity of a roaming SN with minimal overhead. Importantly, SN utilizes the ticket T sn ic , generated during the AKE phase, to accomplish fast authentication. More specifically, SN performs the following operations during the handover process. T h SID sn ) and checks the condition H h2 = H h . If the condition holds, 6LDR2 stores SID sn in its memory and forwards M h1 to CS. Contrarily, CS aborts the handover process and adds SID sn to the blacklist in its database. After receiving M h1 , CS computes H h3 = H(T sn ic T h SID sn ) and checks the condition H h3 = H h . If the condition holds, CS checks whether SID sn exists in its database and verifies the condition T sn ic = T sn ic . If the condition holds, CS continues the handover process; otherwise, CS marks ID sn as a compromised node and broadcasts ID sn in the network. CS also sends a message to 6LDR1 to delete SID sn from its memory. 6LDR1 sends an acknowledgment to CS. T sn ic is the ticket stored at SN and CS.


3.5.2. Step HP-2
CS picks two random numbers R n , R 1 , each of 64 bits, and timestamps T n exp and T h1 , each of 32 bits. It also computes S h k = (K es R h ⊕ ID sn ) and P = R n ⊕ SP n 1 , where the size of SP n 1 is 64 bits. CS calculates C h = E S h k (P T n exp T h1 ) and Tag cs using the encryption algorithm. Tag cs ensures the authenticity of the transmitted information. It also computes the new session key as K n se = H(ID sn R n K se ). CS constructs the message M h2 : SID sn C h Tag cs and forwards M h2 to 6LDR2. Upon receiving M h2 , 6LDR2 looks up SID sn in its memory. If SID sn exists in the memory of 6LDR2, 6LDR2 forwards M h2 to SN.

3.5.3. Step HP-3
After receiving the message M h1 from CS, SN performs the decryption. The decryption process reveals the plaintext, i.e., (P T n exp T h1 ), and also generates Tag sn . SN checks the condition T d ≥ T r − T h . If the condition holds, SN considers M h1 valid; otherwise it rejects M h1 . T n exp indicates the new expiry time of T sn ic . SN checks the condition Tag sn = Tag cs . If the condition holds, SN computes R n = SP n 1 ⊕ P and SP n 1 = P ⊕ R n . Authentication is successful if the stored SP n 1 and the computed SP n 1 are the same. SN generates a symmetric key between SN and CS by computing K n se = H(ID sn R n K se ). Finally, SN replaces the stored session key K se with the new session key K n se in its memory and updates the expiry time T n exp in the tuple {ID sn , SP n 1 , SID sn , K n se , T sn ic , T n exp }. Figure 4 shows the message exchange during the handover phase.

Security Analysis
This section analyzes the security properties of the proposed S6AE scheme in three parts. First, the characteristics and capabilities of the S6AE scheme against malicious attacks are described. Second, BAN logic is used to show the logical correctness of the S6AE scheme. Finally, the AVISPA tool is used to automatically verify the security properties of the proposed scheme.

Header Verification
Header Verification (HV) is an effective mechanism to mitigate the replay and Denial-of-Service (DoS) attacks. In the proposed scheme, to provide IPv6/UDP header verification, SN computes H ad = H(IF G6 GC MAC sn ), AD = H 1 ad ⊕ H 2 ad , where H 1 ad and H 2 ad are the two equal chunks each of 128 bits of H ad . SN divides AD into two equal parts, i.e., AD 1 and AD 2 each of 64 bits, which are the inputs at the associative data processing phase of the encryption algorithm. After receiving the message M1, CS computes AD 1 , AD 2 and the decryption algorithm takes AD 1 , AD 2 at the associative data processing phase. If there is no modification in the IPv6/UDP header, then the condition Tag sn = Tag g will hold. This condition will not hold if an adversary modifies the IPv6/UDP header during the AKE process. The same procedure holds for the message transmitted from CS to SN. In this way, the proposed scheme ensures IPv6/UDP header integrity (origin verification).

Remark 3.
In this paper, HV means verification of the IPv6 header at the receiving end. We achieve HV by generating AD through the hash function SHA-256, as discussed in Section 3.3. If A tries to modify the IPv6 header, the generated authentication tag will not match the authentication tag attached to the received message.

DoS Attack
In a DoS attack, an attacker performs malicious activities that prevent a legitimate user from accessing network resources [11]. A DoS attack can degrade the performance of the network. An IP spoofing attack is used to launch a DoS attack in the network by generating a large number of data packets with fake IP addresses. S6AE provides protection against the IP spoofing attack by ensuring the integrity of the IPv6 header. To perform a DoS attack, an adversary needs to calculate Then A checks the condition Tag A g = Tag sn . The condition Tag A g = Tag sn will not hold after capturing the IPv6/UDP header information, because A requires parameters such as ID sn , SP, and K sn , which are secret to SN and CS. Thus, S6AE protects against DoS attacks.

Replay Attack
A replay attack is a network attack in which the attacker wiretaps or captures validly transmitted data and retransmits the seized data in the network with harmful intent [27]. During the authentication process (Section 3.4), all the transmitted messages M1: T sn Z C 1 Tag sn R 1 , M2: SID ldr M1 , M3: ID lar T lar M2 H lar , and M4: T cs T exp X 1 C 2 Tag cs R 2 include timestamps and random numbers. The verification of the timestamps, such as T sn , T cs , and T lar , ensures the freshness of the received message. Usually, T d is very small. Therefore, within T d , the probability that adversary A replays M1, M2, M3, or M4 is negligible. A similar situation holds for the handover phase messages. S6AE also prevents the replay attack by ensuring the IPv6/UDP header integrity. Any modification in the IPv6/UDP header during the transmission of a message through the public Internet makes the decryption and authentication fail at the respective communicating entities, such as CS and SN. Hence, S6AE is secure against replay attacks.

Man-in-the-Middle (MITM) Attack
In an MITM attack, an intruder inserts itself into the communication between two network nodes while both nodes believe that they are communicating directly [28]. Suppose an adversary A captures all the transmitted messages M1, M2, M3, and M4 during the communication between SN and CS, and attempts to forge M1 into a valid message so that CS believes the forged message is from an authentic source. For this purpose, A needs to guess the real identity ID sn of SN, which is an infeasible task for A. Therefore, it is not possible for A to generate a bogus message M1. A similar condition holds for all other transmitted messages. This clearly indicates that S6AE is protected against the MITM attack.

Sensor Impersonation Attack
In an impersonation attack, the attacker impersonates an authentic SN to perform malicious activities in the network [11]. To execute this attack, an adversary A picks the current timestamp T sn , ID sn , and a random number R s1 , and then attempts to transmit the message M1 to CS on behalf of SN. However, to construct a legitimate M1, A must know the real identity ID sn of SN, R s1 , and SP 1 . Without knowing these parameters, it is hard for A to generate a valid S k = IV sn H 24 s and C 1 . For A, it is computationally hard to generate ID sn , SP 1 , and R s1 . Therefore, A cannot generate a legitimate M1 and, thus, the proposed scheme provides protection against the impersonation attack.

Server Impersonation Attack
In this attack, adversary A sends M4 to SN on behalf of CS. To compute a valid S k = H 24 s IV cs and C 2 , A must know the secret parameters ID sn , K cs , R n , and R s1 . However, it is computationally hard for A to generate these parameters, which are known only to CS. Therefore, S6AE can mitigate CS impersonation attacks.

Identity Privacy Preservation
Normally, SN utilizes the pseudo-identity SID sn during the transmission of the authentication messages, which is computed as SID sn = ID sn ⊕ K sn ⊕ K cs , where all the parameters are secret to CS and SN. Therefore, it is hard for A to generate SID sn without knowing these parameters. This demonstrates that the proposed scheme ensures the identity privacy of SN.

Unlinkability/Anonymity
S6AE renders the session unlinkable and anonymous during the AKE process. Each time a new session starts, SN picks a fresh random number R 1 and generates IV sn = R 1 SID sn . The newly generated IV sn is the input to the initialization phase of the encryption algorithm. The encryption algorithm therefore produces a different ciphertext each time, even with the same secret parameters SP 1 , R s1 , and ID sn . The ciphertext also includes another fresh random number, R s1 , which in turn enhances the randomness of the ciphertext. Therefore, it is hard for an adversary to correlate two sessions from the same node. S6AE is untraceable, and it is not possible for an attacker to link two different AKE processes. Since each AKE session utilizes a new SID sn , the AKE session is anonymous. Hence, S6AE ensures unlinkability and anonymity during the AKE process.

Sybil Attack
In a Sybil attack, the adversary generates multiple counterfeit identities of real nodes. S6AE can prevent the Sybil attack because each SN in the network authenticates itself with CS [11]. If CS discovers a duplicate ID sn of an SN in its database during the AKE process, CS considers that particular ID as a compromised node. CS adds these IDs to the blacklist and forwards the list to 6LDR1 and 6LDR2, which in turn broadcast these IDs in the network. Thus, S6AE protects against the Sybil attack.

Forward/Backward Secrecy
Forward/backward secrecy means that even if an adversary learns the current session key, it cannot compromise past or future session keys [11]. S6AE computes the session key as $K_{se} = H(ID_{sn} \| Y_1 \| SP_1^n \| R_{s1} \| R_{s2})$ for each AKE session. Every new AKE run incorporates fresh parameters $Y_1$, $SP_1^n$, $R_{s1}$, and $R_{s2}$, so the keys of different sessions are independent. If an adversary A breaches the current session key $K_{se}$, this gives A no information about the previous or the next session key. Therefore, it is hard for an adversary to construct past or future session keys.

Ephemeral Secret Leakage (ESL) Attack
Pre-computed ephemeral secrets (ES), which are stored in insecure memory, can be compromised by A. Using such compromised short-term ES together with long-term parameters, A can break session key security; attacks of this type are known as ESL attacks [29]. In S6AE, SN and CS establish the secret session key $K_{se}$ during the AKE process for subsequent secure communication. The established key $K_{se} = H(ID_{sn} \| Y_1 \| SP_1^n \| R_{s1} \| R_{s2})$ mixes ephemeral terms, such as $R_{s1}$ and $R_{s2}$, with long-term terms, such as $ID_{sn}$. If A compromises the ephemeral terms $R_{s1}$ and $R_{s2}$, A still needs the long-term secret $ID_{sn}$ to recover $K_{se}$. Breaking $K_{se}$ thus requires both the valid long-term and the valid ephemeral terms, which A cannot obtain. Therefore, the proposed S6AE is resilient to the ESL attack.

Crypt-Analysis Using BAN Logic
The BAN logic [30] is a logic of belief. It is a well-defined formal method for testing the logical correctness of a security protocol and for establishing the trust that the participants in the AKE process of S6AE can place in the agreement they reach. The BAN logic is employed here to validate the mutual authentication properties of the proposed S6AE scheme as a whole. The notations used in the BAN logic are listed in Table 2 and are used to describe the inference rules. The BAN logic inference rules are listed in Table 3 and are used to derive the goals of the proposed scheme.
Table 2. Notations used in the BAN logic (Notation / Description).

Table 3. BAN logic inference rules; a rule with premise S and conclusion H reads: if S is true then H is also true. The listed rules include the Message-Meaning-Rule.
Goals
To verify the AKE process of S6AE, it must achieve the following goals.

Protocol Idealized Form
The idealized form of the proposed scheme can be expressed as follows.

Formal Verification
In this phase of the BAN logic, the inference rules listed in Table 3 are used to determine whether S6AE achieves its security goals.
VF-1: From IF1, AS-7, AS-8, and by applying the Message-Meaning-Rule, it is possible to achieve
VF-2: From IF1, AS-2, and by applying the Freshness-Rule, we conclude
VF-3: Using VF-1, VF-2, and by applying the Nonce-Verification-Rule, it is possible to obtain
VF-4: From VF-3 and by applying the Belief-Rule, the goal G1 can be achieved as
VF-5: The goal G2 can be accomplished by utilizing VF-4, AS-13, and by employing the Jurisdiction-Rule from
VF-6: From IF2, AS-11, and by applying the Message-Meaning-Rule, it is possible to derive
VF-7: By using IF2, AS-1, and utilizing the Freshness-Rule, we get
VF-8: Using VF-6, VF-7, and by applying the Nonce-Verification-Rule, it is possible to obtain

Crypt-Analysis Using AVISPA
Crypt-analysis of S6AE is conducted with the AVISPA tool [31], which follows the Dolev–Yao (DY) attacker model and is widely used by the research community to examine the security of protocols. AVISPA comprises four back-ends, CL-AtSe, TA4SP, OFMC, and SATMC, defined in [32], which perform automatic analyses to detect vulnerabilities in a security scheme. It assumes perfect cryptography, meaning that the adversary cannot recover the plaintext from a ciphertext without possessing the secret key. Protocols are coded in the formal High-Level Protocol Specification Language (HLPSL), and a translator, HLPSL2IF, converts the HLPSL code into the Intermediate Form (IF) consumed by the back-ends. The XOR operation is not supported by the SATMC and TA4SP back-ends, so S6AE cannot be simulated with them. Figure 5 shows the Output Format (OF) generated by AVISPA's OFMC and CL-AtSe back-ends. The OF has several sections, including SUMMARY, DETAILS, PROTOCOL, GOAL, BACKEND, and STATISTICS, as shown in Figure 5. SUMMARY states whether the tested scheme is safe or unsafe. PROTOCOL gives the IF specification of the scheme.
GOAL reports the analysis of the goals specified in HLPSL. BACKEND names the back-end that performed the analysis. In the S6AE implementation, there are four basic roles, i.e., SN, CS, 6LDR, and 6LAR, and two compulsory roles, i.e., environment & goals and session, defined in HLPSL. Figure 5 shows that the proposed S6AE scheme is reported SAFE and protects against MITM and replay attacks. As with any bounded-session back-end, a SAFE verdict from OFMC and CL-AtSe means that no attack was found within the explored number of sessions under the perfect-cryptography assumption.

Performance Evaluation
This section presents the performance evaluation of S6AE in comparison with eminent 6LoWPAN security schemes, namely, SAKES [16] and EAKES6Lo [17].
The S6AE server side has been implemented in Python 2.7, and each SN is assigned a unique ID, SID, and SP by CS using a random number generator. Simulations are conducted on a computer with an Intel(R) Core(TM) i7-6700 CPU @ 3.40 GHz, 8 GB of RAM, and 64-bit Ubuntu. The configuration parameters are listed in Table 4.

Security Comparison
The security functionalities of the proposed scheme, compared with the existing schemes, are given in Table 5. EAKES6Lo and SAKES provide no header verification mechanism to mitigate malicious attacks such as DoS and replay attacks. EAKES6Lo does not offer identity privacy preservation of the sensor node. S6AE, by contrast, provides these properties and is therefore more reliable than the other 6LoWPAN security schemes, as can be seen in Table 5.

Computational Overhead
The proposed S6AE scheme protects against well-known and various covert attacks. However, during the AKE process, unforeseen attacks such as jamming may interfere with the execution of S6AE and delay its progress. To estimate the computational overhead, the total execution time delay $T_d$ of S6AE is computed from $T_t = \sum_{i=1}^{5000} T_{ex}^{i}$, the total time for 5000 runs, where $T_{ex}$ is the time required for one execution of S6AE, and from $N_{asp} = 5000 \times (1 - \text{attack success probability})$, i.e., the expected number of runs the attack does not disrupt. SAKES is a hybrid scheme that applies the Diffie-Hellman (DH) key exchange; the four DH groups offer different security levels, and to reach a 128-bit security level we use DH group 15 [33]. EAKES6Lo uses AES-CTR-128, SHA-256, and ECDSA-160 during the AKE process, whereas S6AE uses SHA-256 and ASCON. The average times consumed by S6AE, SAKES, and EAKES6Lo are 0.417 ms, 1.375 ms, and 0.868 ms, respectively, as shown in Figure 6; S6AE thus has the lowest overall computational time. Table 6 compares the computational overheads of SAKES, EAKES6Lo, and S6AE. For this comparison, the average time of SHA-256 is taken as $T_{sha} = 0.0311$ ms and that of AES-128 as $T_{aes} = 0.125$ ms; signature generation/verification takes $T_{sg} = 5.20$ ms, ECC public/private key generation takes $T_g = 5.50$ ms, ASCON takes $T_{ascon} = 0.065$ ms (at 10 MHz) [23,24], and a modular exponentiation (DH) takes $T_{exp} = 19.16$ ms. The computational costs of SAKES, EAKES6Lo, and S6AE are $3T_{exp} + 8T_{aes} + 4T_{sha} \approx 58.6044$ ms, $5T_{aes} + 4T_{sha} + 2T_{sv} + T_{sg} \approx 17.2494$ ms, and $4T_{ascon} + 13T_{sha} + 24T_{xor} \approx 0.6643$ ms, respectively, where the XOR cost $T_{xor}$ is negligible. Thus, SAKES and EAKES6Lo are computationally far more expensive than S6AE.

Communication Overhead and Energy Consumption
Optimizing energy consumption is critical for 6LoWPAN, and minimizing the transmitted message size reduces the energy consumption of sensor nodes. 6LAR, CS, and 6LDR are powerful devices with ample energy, so S6AE considers only the energy consumed by the wirelessly connected constrained devices; energy consumption outside the 6LoWPAN is not evaluated. To evaluate the transmission overhead of the proposed scheme, we assume the 10-byte overhead of the compressed IPv6/UDP header defined in [21]. Sending and receiving a single bit consumes 0.72 µJ and 0.81 µJ, respectively [34]. The transmission overhead of S6AE is given in Table 7 and its energy consumption in Table 8, in comparison with EAKES6Lo and SAKES; S6AE uses the fewest energy resources. The average energy cost of an AES encryption/decryption is 9 µJ, SHA-256 needs 5.9 µJ/byte, ECDSA-160 consumes 6.26 mJ per signature generation, and ASCON requires 0.0207 µJ [24]. The total energy overheads of EAKES6Lo, SAKES, and S6AE are 6.52 mJ, 2.51 mJ, and 1.48 mJ, respectively. If an adversary interrupts the execution of the protocol, energy consumption increases; Figure 7 shows the total energy utilization in the presence of jamming attacks.

Storage Overhead Comparison
In the proposed scheme, SN stores the tuple $\{ID_{sn}, SID_{sn}, SP_1^n, T_{ic}^{sn}, MAC_{cs}, T_{exp}\}$, which requires $(64 + 64 + 64 + 128 + 48 + 32) = 400$ bits. CS stores $\{SID_{sn}, ID_{sn}, SP_1, SP_1^n, T_{ic}^{sn}, MAC_{sn}, T_{exp}\}$ per node, which requires $(64 + 64 + 64 + 64 + 128 + 48 + 32) = 464$ bits. Table 9 compares the storage costs of SAKES, EAKES6Lo, and S6AE. The proposed scheme requires more storage at the server and less at SN than EAKES6Lo, and less storage at both SN and CS than SAKES.

Handover Phase Comparison
This section presents the computational and communication overheads during the handover phase. The computational overheads of EAKES6Lo and S6AE during handover are $6T_{aes} + T_{sg} + T_{sv} + 6T_{sha} \approx 11.9366$ ms and $2T_{ascon} + 4T_{sha} \approx 0.2544$ ms, respectively. Table 10 shows the communication and computational overheads during the handover phase. The results show that the proposed scheme is efficient compared with the existing schemes.

Discussion
6LoWPANs are at the core of the IoT. However, the original 6LoWPAN design offers no security services, including data confidentiality, integrity, and authentication. To address this, we have presented an AKE scheme, called S6AE, for 6LoWPANs. For this purpose, we employ ASCON, a lightweight general-purpose authenticated encryption algorithm, in conjunction with the SHA-256 hash function, to provide the required confidentiality, integrity, and authenticity in 6LoWPANs. To the best of our knowledge, ASCON has not previously been employed in the literature for securing 6LoWPANs.
In S6AE, after verifying the authenticity of SNs, CS and SNs establish secret keys using ASCON as the encryption scheme. ASCON is employed to achieve data confidentiality and authenticity simultaneously without a separate MAC. AES in a plain encryption mode provides confidentiality only; to authenticate the encrypted information, a MAC must be computed and verified in a separate step. The main idea in this paper is to obtain the combined functionality of AES + MAC from a single authenticated encryption algorithm, ASCON, which produces its own authentication tag over the ciphertext and any associated data. The integrity of transmitted messages is therefore checked without any additional MAC, which reduces the computational cost compared with the benchmarks.
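As an added worked example (not code from the paper or its authors), the following Go program models the pieces of the AKE run that the Unlinkability/Anonymity, Forward/Backward Secrecy and ESL subsections above argue about, together with the single-AEAD-call point made in the preceding paragraph: $SID_{sn} = ID_{sn} \oplus K_{sn} \oplus K_{cs}$, $IV_{sn} = R_1 \| SID_{sn}$, $K_{se} = H(ID_{sn} \| Y_1 \| SP_1^n \| R_{s1} \| R_{s2})$, and sealing of the message body with the cleartext 6LoWPAN header bound as associated data. Assumptions not taken from the paper: AES-128-GCM stands in for ASCON-128 (Go's standard library has no ASCON); the AEAD key is derived from $K_{sn} \| K_{cs}$; $R_1$ is 32 bits so that $IV_{sn}$ is a 96-bit GCM nonce; $Y_1$ is modelled as a fresh 64-bit value; the secrets, header and body are constructed sample values; and all function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample secrets (not values from the paper); ID_sn, K_sn, K_cs and SP_1^n are
// 64-bit values, matching the sizes in the storage overhead comparison.
var (
	idSN = []byte{0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08}
	kSN  = []byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18}
	kCS  = []byte{0x9f, 0x8e, 0x7d, 0x6c, 0x5b, 0x4a, 0x39, 0x28}
	sp1n = []byte{0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88}
)

// sessionResult is what one AKE run leaves on the wire (IV, ciphertext) and in the parties (K_se).
type sessionResult struct{ IV, Ciphertext, Kse []byte }

// pseudoID computes SID_sn = ID_sn XOR K_sn XOR K_cs; only SN and CS hold all three inputs.
func pseudoID(id, ksn, kcs []byte) []byte {
	out := make([]byte, len(id))
	for i := range out {
		out[i] = id[i] ^ ksn[i] ^ kcs[i]
	}
	return out
}

// freshRandom draws n random bytes for the per-session values R_1, R_s1, R_s2 and Y_1.
func freshRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// sessionKey derives K_se = SHA-256(ID_sn || Y_1 || SP_1^n || R_s1 || R_s2).
func sessionKey(id, y1, sp, rs1, rs2 []byte) []byte {
	h := sha256.New()
	for _, part := range [][]byte{id, y1, sp, rs1, rs2} {
		h.Write(part)
	}
	return h.Sum(nil)
}

// aead returns AES-128-GCM keyed from K_sn || K_cs. Both are assumptions of this example:
// AES-GCM stands in for ASCON-128, and the text does not fix how the message key is formed.
func aead() cipher.AEAD {
	key := sha256.Sum256(append(append([]byte{}, kSN...), kCS...))
	block, _ := aes.NewCipher(key[:16]) // 16-byte key: NewCipher cannot fail
	g, _ := cipher.NewGCM(block)        // AES block size matches GCM: cannot fail
	return g
}

// sealMessage encrypts body and authenticates body plus the cleartext header (the compressed
// IPv6/UDP header, passed as associated data) in one AEAD call, with no separate MAC.
func sealMessage(iv, header, body []byte) []byte {
	return aead().Seal(nil, iv, body, header)
}

// openMessage verifies the tag over header and ciphertext before decrypting; any change to
// either input fails, which is the header verification the scheme relies on.
func openMessage(iv, header, ct []byte) ([]byte, error) {
	return aead().Open(nil, iv, ct, header)
}

// runSession models one AKE run from SN's side. IV_sn = R_1 || SID_sn uses a 32-bit R_1 so the
// IV is GCM's 96-bit nonce (ASCON-128 takes 128 bits); a fresh 64-bit value stands in for Y_1.
func runSession(header, body []byte) sessionResult {
	iv := append(freshRandom(4), pseudoID(idSN, kSN, kCS)...)
	y1, rs1, rs2 := freshRandom(8), freshRandom(8), freshRandom(8)
	return sessionResult{IV: iv, Ciphertext: sealMessage(iv, header, body),
		Kse: sessionKey(idSN, y1, sp1n, rs1, rs2)}
}

// unlinkable reports whether two runs with identical secrets and identical plaintext still
// differ on the wire and in K_se, i.e. the unlinkability and forward-secrecy arguments.
func unlinkable(a, b sessionResult) bool {
	return !bytes.Equal(a.Ciphertext, b.Ciphertext) && !bytes.Equal(a.Kse, b.Kse)
}

// tamperedHeaderRejected flips one header bit and reports whether the receiver rejects the message.
func tamperedHeaderRejected(iv, header, ct []byte) bool {
	bad := append([]byte{}, header...)
	bad[0] ^= 0x01
	_, err := openMessage(iv, bad, ct)
	return err != nil
}

func main() {
	header, body := []byte("6lowpan-iphc-udp"), []byte("SP_1||R_s1||ID_sn") // constructed stand-ins
	a, b := runSession(header, body), runSession(header, body)
	fmt.Printf("SID_sn=%x\nciphertext a=%x\nciphertext b=%x\n", pseudoID(idSN, kSN, kCS), a.Ciphertext, b.Ciphertext)
	fmt.Println("unlinkable:", unlinkable(a, b), "tampered header rejected:", tamperedHeaderRejected(a.IV, header, a.Ciphertext))
}
```

Running it twice with identical secrets and payload yields different ciphertexts and a different $K_{se}$, and flipping a single header bit makes the open step fail; these are the observable forms of the unlinkability and header-verification claims. Swapping the body of aead() for an ASCON-128 implementation leaves the rest unchanged, since both expose the same key, nonce, associated-data and plaintext interface.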
We use SHA-256 to derive unique output strings from the S6AE secret parameters. To reduce the communication overhead by shrinking the message size, the 256-bit SHA-256 output is folded to 64 bits at minimal computational cost and without compromising performance; for this purpose, we use bit-wise XOR operations. Note that a 64-bit value, however it is derived, offers at most about $2^{64}$ preimage resistance and about $2^{32}$ collision resistance, so this folding trades hash strength for message size. Through BAN logic and AVISPA, we have validated that S6AE is logically complete and offers the required security services in 6LoWPANs. We have shown that S6AE reduces computational and communication overheads, energy consumption, and storage costs compared with the benchmarks.
The results demonstrate that the proposed scheme offers better features than the benchmarks, EAKES6Lo and SAKES. EAKES6Lo is a hybrid scheme that uses ECC and AES-CTR and is computationally more expensive than S6AE because ECC is resource intensive for constrained 6LoWPAN devices. Table 6 and Figure 6 show that S6AE requires fewer resources than EAKES6Lo, and Table 5 shows that EAKES6Lo provides neither identity privacy nor header verification. Moreover, SAKES is insecure against a compromised 6LAR gateway and does not ensure header integrity in 6LoWPANs, as shown in Table 5. SAKES employs the DH key exchange mechanism together with AES for encryption and decryption, which is computationally expensive compared with S6AE, as shown in Table 6 and Figure 6. Table 9 shows that S6AE requires less memory at the sensor node than SAKES and EAKES6Lo, and Table 7 indicates that S6AE has the lower communication cost. Furthermore, S6AE requires fewer energy resources than EAKES6Lo and SAKES because its lightweight authenticated encryption needs less energy and computation. In a nutshell, we have found that ASCON, in conjunction with SHA-256, is a promising way to secure communications in 6LoWPANs.

Conclusions
6LoWPAN is a promising technology with a vital share in the IoT and is deployed in a variety of applications. Originally, 6LoWPAN provides no security or privacy mechanism. To address this, this paper has presented an authentication and key exchange scheme. The proposed scheme establishes a session key after mutual authentication, which secures communication and prevents an attacker from accessing the transmitted information. It also provides header verification, i.e., origin verification of the message, without using the IPsec protocol. The BAN logic analysis indicates that S6AE is logically complete, and security verification with AVISPA shows that the proposed scheme is secure against various malicious attacks. Finally, the performance evaluation reveals that, compared with eminent schemes, S6AE has lower communication, computational, handover, energy, and storage overheads. As future work, S6AE can be extended to varying security levels using other secure cryptographic algorithms.