A Robust and Anonymous Three-Factor Authentication Scheme Based ECC for Smart Home Environments

Abstract

With the rapid development of the Internet of Things (IoT) industry, the smart home is fully integrated with people’s shelter and transportation, which facilitates people’s daily life. A smart home without a security authentication mechanism will inevitably cause a series of security threats. This is essentially a problem of symmetry model worth solving. In fact, researchers have designed various authentication schemes to verify the identity of users and to ensure smart devices can be legally accessed through authorization in the smart home. In 2021, Yu proposed a three-factor anonymous authentication scheme for smart homes using lightweight symmetric encryption primitives and stated that their scheme is resistant to various known security attacks. However, after careful analysis, we found that Yu’s scheme needs further improvement in node capture attack and offline password guessing attack and that forward security cannot be guaranteed. Therefore, we first design a robust three-factor anonymous authentication scheme for smart homes based on asymmetric encryption Elliptic Curve Cryptography (ECC). Then, we perform formal and informal security analysis in which the formal analysis tools include Burrows-Abadi-Needham (BAN) logic and Scyther simulation tool to prove that the proposed scheme can achieve user anonymity, untraceability, and session key forward security. Meanwhile, mutual authentication is performed, and the scheme is resistant to all known attacks described in this article. Finally, a performance comparison is made in terms of efficiency, which shows that our scheme can have certain advantages with those newly designed schemes, achieve a delicate balance in performance and safety, and is more practical for the real smart home environment.

1. Introduction

With the rapid growth of 5G communication technology and the IoT ecosystem, the smart home and its device networks are gradually integrating with people’s lives. The smart home itself is a new concept [1]. Whether in academia or industry, the smart home has attracted the attention of many researchers.

A smart home can be an intelligent communication network composed of some commonly used smart devices, such as smart curtains, node sensors, smart TVs, and smart lights [2,3,4]. Smart devices in smart homes provide people with convenience in life through human–computer interaction. The home automation system reduces operating costs and improves user comfort. In smart home environments, users can utilize electronic portable devices to enjoy new smart functions. For example, before returning home, users can remotely turn on heating or cooling devices to control the indoor temperature to maintain a comfortable state. In addition, users can remotely monitor home electricity safety and power consumption during working hours. At the same time, users can use smart wearable devices to check the health and life status of the elderly at all times so as to accurately provide life support services for patients with chronic diseases, middle-aged and elderly people and the disabled [5]. Unfortunately, despite the various significant advantages of smart homes, it is vulnerable to various privacy and security issues due to the transmission interaction of information in wireless public network channels [6,7,8].

If the data collected in smart devices is leaked, malicious attackers can obtain various sensitive information and identity characteristics of legitimate users, including daily life habits and home movement trajectories, etc. [9]. Therefore, it is very necessary to ensure user safety and strengthen communication confidentiality for smart homes.

A typical smart home network [4] consists of user, gateway, smart device and registration authority (RA). Various types of smart devices are installed in the home environment, and their resources, such as computing power, communication power, and battery power, are limited in actual operation [5]. The RA is a trusted device that provides registration services for users and smart devices through a secure channel. Therefore, all data sent and received for registration cannot be tampered with by an attacker. The gateway node is a transit station for communication between users and smart devices, and it also connects smart devices to the world with the help of the Internet. While the information of these channels is public, it is essential to protect these sensitive real-time data from unauthorized access, an authentication mechanism [10,11] is needed to identify the user and establish the session key.

Designing a secure negotiation protocol is difficult because of the balance between security and efficiency. Due to some of the above problems and reasons, traditional cryptosystems cannot be used to provide lightweight authentication in smart home networks. ECC can be used as an efficient scheme for smart home because it requires less computing resources and has a smaller bit space compared to them [12].

At present and in the future, the most promising work is aimed to improve the existing schemes. Yu et al. [13] proposed a three-factor privacy anonymity scheme for smart home environments. They claim that their scheme is lightweight, privacy-anonymous, and resistant to attacks such as session key leakage. However, after a comprehensive analysis of Yu et al.’s scheme [13], we found security vulnerabilities in their schemes, including offline node capture attack, password guessing attack and session key leakage attack. Therefore, we propose a three-factor authentication scheme for smart homes based on ECC, hash, and XOR operation, which can overcome the above problems and can achieve multiple security properties. Actually, these attacks are extremely common and harmful in smart homes. For example, node capture attack is often used by malicious thieves as the first choice for obtaining confidential information in multi-node environments. Hence, our proposed scheme is a huge improvement over the scheme of Yu et al., and is more applicable to practical smart home environments. At the same time, our performance sacrifices are negligible in reasonable ranges.

1.1. Motivation and Contributions

A smart home environment that lacks an authentication mechanism will inevitably suffer from security threats from malicious attackers. However, the existing security authentication protocols based on identity privacy have more or less room for improvement as far as security properties and efficiency are concerned, which stimulates us to design an authentication scheme for the smart home. With superior security properties, the proposed scheme achieves a more balanced effect in terms of efficiency. Our contributions are summarized below:

• Three security threats discovered by Yu et al.’s scheme analysis: Through detailed security analysis, we demonstrate that Yu et al.’s [13] scheme cannot resist node capture attack and offline password guessing attack, and at the same time, cannot achieve forward security.
• A robust three-factor authentication scheme designed for a smart home: On the basis of Yu et al.’s scheme [13], we propose a three-factor authentication scheme based on ECC to provide security services for legitimate users in smart home, which can perform mutual authentication among the three entities, and at the same time generate a session key established by the user and the smart device. Additionally, our scheme enables changing user passwords and biometrics, as well as adding smart devices, anytime, anywhere;
• Security and efficiency: In terms of security properties, the proposed protocol is proven to resist node capture attack, offline password guessing attack and achieve forward security. Complete formal proofs and informal security analysis demonstrate that our scheme can not only generate secure session keys but also achieve more security features and resist various known security attacks. Then, we compare the performance of the proposed scheme with related authentication schemes published in recent years, and the results demonstrate that the scheme achieves a delicate balance between security and efficiency and is suitable for real-world environments. This also illustrates that our scheme is more suitable.

1.2. Organization

The article is organized as follows. Section 2 describes related works and Section 3 generalizes preliminary works. In Section 4 and Section 5, we briefly introduce Yu et al.’s scheme and analyze the flaws and vulnerabilities of his scheme. Our scheme is presented in Section 6. In Section 7 and Section 8, the security and performance analyses of the proposed scheme are carried out. Finally, Section 9 concludes the article and prospects for the future of related works.

2. Related Works

In recent years, researchers have proposed to ensure communication security in the smart home environment by constructing a safe and effective AKA scheme. In 2008, in order to realize the authorized access of home users to smart devices, Jeong et al. [14] proposed a lightweight AKA protocol suitable for the home network environment, which is based on two factors password and smart card. However, the scheme cannot protect the privacy of the user’s identity. At the same time, it only focuses on the mutual authentication between the user and the gateway, and lacks the mutual authentication process between the gateway and the smart device or between the user and the smart device. In addition, the scheme of Jeong et al. [14] is also vulnerable to attacks such as smart card loss attack, node capture attack, and privileged insider attack. In 2011, Vaidya et al. [15] proposed a password-based lightweight remote authentication scheme. The scheme adopts the hash-based one-time password operation to realize the authentication between the user and the server, and realizes the mutual authentication between the user and the gateway through the one-way hash chain technology. In the same year, Kim et al. [16] analyzed the scheme of Vaidya et al. [15] and proved that the protocol not only cannot resist offline password guessing attacks, but also cannot achieve forward security and user privacy security. In addition, the scheme of Vaidya et al. [15] also lacks mutual authentication between the gateway node and the smart device. Nevertheless, the scheme proposed by Kim et al. [16] also lacks the indispensable mutual authentication function between the three entities. In 2017, Kumar et al. [4] proposed an anonymous security framework suitable for smart home environments based on lightweight encryption primitives. The framework enables mutual authentication and key negotiation between the smart device and the gateway node, and ensures that devices are anonymous and unlinkable. In 2019, Poh et al. [17] proposed a privacy protection authentication scheme PrivHome for smart home secure communication and data storage. The scheme is constructed from two protocols: the first protocol is a lightweight authentication protocol that can provide mutual authentication for users and smart devices; the second protocol is a searchable encryption protocol for smart device authentication privacy-preserving encrypted queries. Unfortunately, the scheme of Poh et al. [17] is still not resistant to potential desynchronization attack.

Different from the above schemes based on lightweight encryption primitives, researchers have also tried to build AKA schemes using asymmetric encryption algorithms. These schemes have better security performance and can be more suitable for adversary attack environments of smart home. In 2015, Santoso and Vun [18] proposed an AKA protocol suitable for smart home environment based on ECC technology. However, the scheme cannot realize the privacy protection of the user’s identity. Additionally, their scheme is vulnerable to smart card loss attack and privileged insider attack. In 2019, Yu and Li [19] proposed another user authentication scheme for smart home. Their scheme does not require users and devices to be in a secure environment during the registration process, but uses bilinear pairing operation, which is computationally expensive and not practical in smart home environments. In order to improve the efficiency of designing the authentication scheme, Shuai [20] proposed an ECC-based smart home identity authentication scheme in the same year. However, Xu et al. [21] pointed out [20] that there are security vulnerabilities such as offline password guessing attack and insider privilege attack. In 2021, Kaur and Kumar [22] proposed an enhanced scheme based on two-factor authentication to overcome the security problems of the scheme of Shuai et al. [20]. They claim their scheme is resistant to potential security attacks and also guarantees user anonymity, privacy, and mutual authentication. However, in the same year, Yu et al. [13] proved that the scheme proposed by Kaur and Kumar is prone to several weaknesses, including the exposure risk of session keys and the inability to resist impersonation attacks. Furthermore, Yu et al. [13] also claim that Kaur and Kumar’s scheme [22] cannot provide mutual authentication. Thus, in the paper, we will analyze the security issues of Yu et al.’s [13] protocol and explore the strengths, weaknesses, and efficiency performance of various schemes. At the same time, compared with these schemes [13,19,20,22,23,24], we will propose a robust smart home three-factor authentication scheme to ensure security while guaranteeing efficiency.

3. Preliminaries

This section mainly introduces the indispensable models and notions to enhance the readability.

3.1. System Model

The system model of smart home is shown in Figure 1. In a smart home environment with wireless sensors, the system model typically consists of four entities. The specific details are as follows:

• Registration Authority (RA): RA is an absolute trusted third entity that must be responsible for the participants in communications;
• Gateway: As an intermediary for users and device nodes to pass information, the gateway assumes the responsibility for communication security. Meanwhile, the gateway also provides users with many convenient interactive services;
• User: User can use the various functions of the smart home anywhere by registering with the RA as legitimate users;
• Smart Device: Smart devices, as the nerve endings of smart homes to collect information, can pass real-time dynamic information through the gateway to legitimate users, including various sensor nodes and smart home appliances.

3.2. Threat Model

The Dolev–Yao [25] threat model is the most widely accepted attacker model in security protocol analysis. According to the model, if any two parties communicate on an insecure channel, the endpoint entity is not regarded as a trusted entity, and its transmission information is not in a secure channel. Based on this threat model and improved attacker capabilities, the capabilities of adversary $\mathcal{A}$ are summarized as follows:

• $\mathcal{A}$ may be a legitimate but malicious actor [26];
• $\mathcal{A}$ may be a legitimate but malicious sensor node that can obtain all the information of a limited number of sensor nodes [27,28];
• $\mathcal{A}$ can easily intercept, modify, destroy and delete information transmitted over insecure public communication channels;
• $\mathcal{A}$ can obtain all secret values stored in the smart terminal through side-channel attacks [26];
• $\mathcal{A}$ can obtain the system long-term key when evaluating forward security [29];
• $\mathcal{A}$ can guess and steal passwords and identifying information over polynomial time.
• In the n-factor protocol, $\mathcal{A}$ can obtain any (n − 1) factor information [27];
• In particular, when forward security is not evaluated, the gateway and base station of the system are trusted, and the information such as long-term keys stored by the gateway is safe.

3.3. Notions

For ease of notation and understanding by researchers, some of the shorthand notations used in our scheme are described in

Table 1. Notions and descriptions.

Symbol	Description
$U_a$	User
$GWN$	Gateway Node
$S{D}_j$	Smart Device
$RA$	Registration Authority
$SI{D}_j,GI{D}_k$	Identity of $SI{D}_j$ and $GWN$
$T{s}_i$	Timestamp
$r$	Nonce
$I{D}_i,P{W}_i$	$U_a$’s identity and password
$K$	Master key of $GWN$
$K_{GU}$	Secret key between $U_a$ and $GWN$
$K_{GS}$	Secret key between $GWN$ and $S{D}_j$
$SK$	Session key
$\left|\right|,\oplus$	Join, XOR operations
$h\left(·\right)$	Hash Function

.

4. Review of Yu et al.’s Scheme

The Section shows review of Yu et al.’s scheme [13]. Their scheme consists of registration phase, login and mutual authentication phase, and password update phase.

4.1. Registration Phase

4.1.1. User Registration Phase

In the user registration phase, the user $U_a$ registers with $RA$.

• Step 1: In order to send a registration request, the user generates a random number $r_i$, selects the identity $I{D}_i,$ the password $P{W}_i$, computes $Gen\left(Bi{o}_i\right)=〈{\gamma }_i,{\beta }_i〉,RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right),RP{W}_i=h(P{W}_i||{\gamma }_i)$, and transmits $\left\{RI{D}_i,RP{W}_i,r_i\right\}$ to $RA$ via a secure channel;
• Step 2: $RA$ computes $K_{GU}=h\left(RI{D}_i\left|\left|K\right|\right|r_i\right)$, $C_1=K_{GU}\oplus h(RP{W}_i|\left|r_i\right)$, then $RA$ transmits the secret key $K_{GU}$ to the gateway $GWN$ via the secure channel. Upon receiving $K_{GU}$ from $RA$, $GWN$ computes $L_k=h(GI{D}_i||K)\oplus K_{GU}$, stores it in the gateway $GWN$, and transmits $C_1$ to the smart card which saves it;
• Step 3: $U_a$ computes $K_i=h\left(I{D}_i\left|\left|P{W}_i\right|\right|{\gamma }_i\right)$, $C_2=E_{Ki}\left(C_1\right)$, $C_3=r_i\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_4=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$. After that, $U_a$ deletes $C_1$ in the smart card, and stores $\left\{C_2,C_3,C_4\right\}$ secret parameter into the smart card.

4.1.2. Smart Device Registration Phase

• Step 1: In order to send a registration request, the user generates a random number $r_i$, selects the identity $I{D}_i,$ the password $P{W}_i$, computes $Gen\left(Bi{o}_i\right)=〈{\gamma }_i,{\beta }_i〉,RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right),RP{W}_i=h(P{W}_i||{\gamma }_i)$, and transmits $\left\{RI{D}_i,RP{W}_i,r_i\right\}$ to $RA$ via a secure channel;
• Step 2:$RA$ computes $K_{GU}=h\left(RI{D}_i\left|\left|K\right|\right|r_i\right)$, $C_1=K_{GU}\oplus h(RP{W}_i|\left|r_i\right)$, then $RA$ transmits the secret key $K_{GU}$ to the gateway $GWN$ via the secure channel. Upon receiving $K_{GU}$ from $RA$, $GWN$ computes $L_k=h(GI{D}_i||K)\oplus K_{GU}$, stores it in the gateway $GWN$, and transmits $C_1$ to the smart card which saves it;
• Step 3:$U_a$ computes $K_i=h\left(I{D}_i\left|\left|P{W}_i\right|\right|{\gamma }_i\right)$, $C_2=E_{Ki}\left(C_1\right)$, $C_3=r_i\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_4=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$. After that, $U_a$ deletes $C_1$ in the smart card, and stores $\left\{C_2,C_3,C_4\right\}$ secret parameter into the smart card.

4.2. Login and Mutual Authentication Phase

• Step 1: The user $U_a$ enters $I{D}_i$, $P{W}_i$ and fingerprints biometric information $Bi{o}_i$. Then the smart card computes ${\gamma }_i=Rep\left(Bi{o}_i,{\beta }_i\right)$, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$, $RP{W}_i=h(P{W}_i|\left|{\gamma }_i\right)$, $K_i=h\left(I{D}_i\left|\left|P{W}_i\right|\right|{\gamma }_i\right)$ and extracts $C_2$ from the memory, to compute $C_1=D_{Ki}\left(C_2\right)$, $K_{GU}=C_1\oplus h(RP{W}_i|\left|r_i\right)$, $r_i=C_3\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_4^{*}=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$, and check whether $C_4^{*}=C_4$. If the equation is valid, the smart card generates a random numbers $r_a$, $w\in Z_n^{*}$, the timestamp $T{s}_1$. $U_a$ selects the target smart device $S{D}_j$, and the smart card starts to compute $M_1=(SI{D}_j||r_a)\oplus K_{GU}\oplus T{s}_1$, $M_2=RI{D}_i\oplus h\left(K_{GU}\left|\left|r_a\right|\right|T{s}_1\right)$, $V_1=h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_1)$. Afterwards, the smart card sends $\left\{M_1,M_2,V_1,T{s}_1\right\}$ to $GWN$;
• Step 2: After receiving the message from $U_a$, $GWN$ extracts $L_k$ from the database, and first computes $K_{GU}=h(GI{D}_k||K)\oplus L_k$, $(SI{D}_j|\left|r_a\right)=M_1\oplus K_{GU}\oplus T{s}_1$, $RI{D}_i=M_2\oplus h\left(K_{GU}\left|\left|r_a\right|\right|T{s}_1\right)$, $V_1^{*}=h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_1)$, and verify if $V_1^{*}=V_1$. If it is equal, it means that the verification is completed, and then a random number $r_b$ and the timestamp $T{s}_2$ is generated by $GWN$. Furthermore, $GWN$ computes $K_{GS}=h\left(TI{D}_j\left|\left|K\right|\right|r_j\right)$, $M_3=(RI{D}_i\left|\left|GI{D}_k|\right|r_a\right||r_b)\oplus h\left(SI{D}_j\left|\left|K_{GS}\right|\right|T{s}_2\right)$, $V_2=h(RI{D}_i\left|\left|GI{D}_k\right|\right|K_{GS}|\left|r_a\right|\left|r_b\right|\left|T{s}_2\right)$, and transmits $\left\{M_3,V_2,T{s}_2\right\}$ to $S{D}_j$;
• Step 3: On receiving the message from the gateway $GWN$, $S{D}_j$ extracts $\{B_1,B_2\}$ from the memory, computes $r_j=B_1\oplus h\left(K_{SD}\left|\right|SI{D}_j\right)$, $K_{GS}=B_2\oplus h(K_{SD}||r_j)$, $(RI{D}_i\left|\left|GI{D}_k\left|\right|C_4\right|\right|r_a|\left|r_b\right)=M_3\oplus h\left(SI{D}_j\left|\left|K_{GS}\right|\right|T{s}_2\right)$, $V_2^{*}=h(RI{D}_i\left|\left|GI{D}_k\right|\right|K_{GS}|\left|r_a\right|\left|r_b\right|\left|T{s}_2\right)$, verify whether $V_2^{*}=V_2$ is established. If so, then certification passed. After that, $S{D}_j$ generates a random number $r_c$, the timestamp $T{s}_3$, and computes a session key $SK=h(r_a\left|\left|r_b\right|\right|r_c\left|\left|RI{D}_i\right|\right|GI{D}_k||SI{D}_j)$), $M_4=r_c\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $V_3=h\left(SI{D}_j\left|\left|r_c\left|\left|K_{GS}\right|\right|SK\right|\right|T{s}_3\right)$. Finally, $S{D}_j$ transmits $\left\{M_4,V_3,T{s}_3\right\}$ to $GWN$;
• Step 4: After receiving the message sent by the smart device $S{D}_j$, $GWN$ computes $r_c=M_4\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $SK=h(r_a\left|\left|r_b\right|\right|r_c\left|\left|RI{D}_i\right|\right|GI{D}_k||SI{D}_j)$, $V_3^{*}=h\left(SI{D}_j\left|\left|r_c\left|\left|K_{GS}\right|\right|SK\right|\right|T{s}_3\right)$), and verify if $V_3^{*}$=$V_3$. If the equation holds, the authentication is completed. Then $GWN$ generates the timestamp $T{s}_4$ and computes $M_5=\left(GI{D}_k\left|\left|r_b\right|\right|r_c\right)\oplus h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_4)$, $V_4=h\left(RI{D}_i\left|\left|GI{D}_k\right|\right|r_a\left|\left|r_b\right|\left|SK\right|\right|T{s}_4\right)$. Lastly, $GWN$ transmits the message $\left\{M_5,V_4,T{s}_4\right\}$ to $U_a$;
• Step 5: On receiving the message from $GWN$, $U_a$ first computes $\left(GI{D}_k\left|\left|r_b\right|\right|r_c\right)=M_5 \oplus h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_4)$, $SK=h(r_a\left|\left|r_b\right|\right|r_c\left|\left|RI{D}_i\right|\right|GI{D}_k||SI{D}_j)$, $V_4^{*}=h\left(RI{D}_i\left|\left|GI{D}_k\right|\right|r_a\left|\left|r_b\right|\left|SK\right|\right|T{s}_4\right)$, and then verify if $V_4^{*}=V_4$. If the equation holds, $U_a$ accept this response. At this point, the mutual authentication between the user and the smart device entity is completed, and the three entities of communication have generated the session key.

4.3. Password Update Phase

• Step 1:$U_a$ firstly enters the identity $I{D}_i$, the password $P{W}_i$, and fingerprints the biometric information $Bi{o}_i$;
• Step 2: The smart card begins to compute ${\gamma }_i=Rep\left(Bi{o}_i,{\beta }_i\right)$, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$, $RP{W}_i=h(P{W}_i|\left|{\gamma }_i\right)$, $K_i=h\left(I{D}_i\left|\left|P{W}_i\right|\right|{\gamma }_i\right)$, $C_1=D_{Ki}\left(C_2\right)$, $K_{GU}=C_1\oplus h(RP{W}_i|\left|r_i\right)$, $r_i=C_3\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_4^{*}=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$, and verify if $C_4^{*}=C_4$. If the equation does not hold, the smart card rejects the session request. Otherwise, $U_a$ is allowed to enter a new password and biometric feature;
• Step 3:$U_a$ enters a new password $P{W}_i^{new}$ and a new biometric feature $Bi{o}_i^{new}$ into the smart card. Then, the smart card computes $Gen\left(Bi{o}_i^{new}\right)=〈{\gamma }_i^{new},{\beta }_i^{new}〉$, $RI{D}_i^{new}=h(I{D}_i|\left|{\gamma }_i^{new}\right)$, $RP{W}_i^{new}=h(P{W}_i^{new}||{\gamma }_i^{new})$, $K_i^{new}=h\left(I{D}_i\left|\left|P{W}_i^{new}\right|\right|{\gamma }_i^{new}\right)$, $C_2^{new}=E_{K_i^{new}}\left(C_1\right)$, $C_3^{new}=r_i\oplus h(RI{D}_i^{new}|\left|RP{W}_i^{new}\right)$, $C_4^{new}=h(RI{D}_i^{new}|\left|RP{W}_i^{new}\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$. Finally, the smart card stores $\left\{C_2^{new},C_3^{new},C_4^{new}\right\}$ into the memory instead of $\left\{C_2,C_3,C_4\right\}$.

5. Cryptanalysis of Yu et al.’s Scheme

In this section, we perform cryptanalysis on Yu et al.’s scheme [13]. Yu claims that their scheme is resistant to various security attacks and implements multiple security properties, and also provides secure session keys. Unfortunately, we prove that their scheme is not resistant to potential security attacks, such as node capture attacks, offline password guessing attacks, and cannot achieve forward security.

5.1. Node Capture Attack

Node capture attack is an attacker who physically captures a sensor node and steals stored information to obtain a secret value calculated by the system. The attack is common and easy to implement in smart home multi-sensor node environments. Wang [30] listed various types of node capture attacks in detail and comprehensively of which the node capture attack in this paper is Type-I. In addition, Type-I has the following target and capability.

• $\mathcal{A}$ attack target: get the session key $SK$;
• $\mathcal{A}$’s unique capability: $\mathcal{A}$ can capture the node, get the long-term private key $K_{SD}$, and steal its stored information $\left\{B_1,B_2,SI{D}_j\right\}$.

Step 1: 

Compute $b_j=B_1\oplus h\left(K_{SD}\left|\right|SI{D}_j\right)$, $X_{GS}=B_2\oplus h(K_{SD}||b_j)$;

Step 2: 

Compute $(RI{D}_i\left|\left|GI{D}_i\right|\right|r_U|\left|r_{GW}\right)=M_3\oplus h\left(SI{D}_j\left|\left|X_{GS}\right|\right|T_2\right)$;

Step 3: 

Compute $r_{SD}=M_4\oplus h(X_{GS}\left|\left|RI{D}_i\right|\right|GI{D}_i||T_3)$;

Step 4: 

Compute $SK=h(r_U\left|\left|r_{GW}\right|\right|r_{SD}\left|\left|RI{D}_i\right|\right|GI{D}_i||SI{D}_j)$.

Through the above steps, attacker $\mathcal{A}$ successfully obtains the session key, and the forwarding security cannot be guaranteed.

5.2. Offline Password Guessing Attack

In authentication phase, offline password guessing attack requires an attacker to steal the secret value stored offline as well as the authentication parameters. Authentication parameters can be used to verify that the user’s password is correct until the password is obtained. Yu et al.’s scheme [13] is not resistant to offline password guessing attack, and we have two attack methods to steal user’s password. Next, we will introduce the steps of two attack in detail.

5.2.1. Offline Password Guessing Attack in Smart Cards

Attacker $\mathcal{A}$ can obtain the biometric $Bio$ through a malicious scanner, and acquire the information $\left\{A_2,A_3,A_4,h\left(.\right),{\beta }_i,Gen\left(.\right)\right\}$ in the smart card through the side channel. $\mathcal{A}$ can perform password guessing attacks through the following steps.

Step 1: 

Guess ($I{D}_i,P{W}_i)$ from the user space $D_{id}$ and the password space $D_{pw}$;

Step 2: 

Compute $Rep\left(Bio,{\beta }_i\right)={\gamma }_i$, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$, $RP{W}_i=h(P{W}_i||{\gamma }_i)$;

Step 3: 

Extract $A_3$ from the memory of smart card, calculate $a_i=A_3\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $A_4^{*}=h\left(RI{D}_i\left|\left|RP{W}_i\right|\right|a_i\right)$;

Step 4: 

Verify if $A_4^{*}=A_4$, and if it is established, the guess is successful. If it fails, repeat Steps 1–4 until it succeeds.

5.2.2. Offline Password Guessing Attacks on Open Channels

Once attacker $\mathcal{A}$ obtains $\left\{A_2,A_3,A_4,h\left(.\right),{\beta }_i,Gen\left(.\right)\right\}$ and eavesdrops on the public channel information transmitted by the user to the gateway, which includes the authentication factor, the password of users can be obtained by the following steps.

Step 1: 

Guess ($I{D}_i,P{W}_i)$ from the user space $D_{id}$ and the password space $D_{pw}$;

Step 2: 

Compute $Rep\left(Bio,{\beta }_i\right)={\gamma }_i$, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$, $RP{W}_i=h(P{W}_i||{\gamma }_i)$;

Step 3: 

Compute $a_i=A_3\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $K_i=h\left(I{D}_i\left|\left|P{W}_i\right|\right|{\gamma }_i\right)$, $A_1=D_{K_i}\left(A_2\right)$, $X_{GU}=A_1\oplus h(RP{W}_i|\left|a_i\right)$, $(SI{D}_j|\left|r_U\right)=M_1\oplus X_{GU}\oplus T_1$. At this time, $M_{UG}^{*}=h(RI{D}_i\left|\left|X_{GU}\right|\right|r_U||T_1)$ can be computed as the verification factor, or $M_2^{*}=RI{D}_i\oplus \left(X_{GU}\left|\left|r_U\right|\right|T_1\right)$ can be computed as the factor in the same way;

Step 4: 

Verify whether $M_{UG}^{*}=M_{UG}$ is established, and the establishment guess is successful. In addition, verify whether $M_2^{*}=M_2$ holds, which can be performed password guessing. If it fails, repeat Steps 1–4 until it succeeds.

5.3. No Forward Security

Implementing forward security means that past sessions including past session keys are still secure, even if the long-term session keys and the system long-term keys are exposed. However, the following steps can be used to attack the system of Yu et al. [13], and forward security will not be guaranteed due to the exposure of session keys.

• $\mathcal{A}$ attack target: get the session key $SK$;
• $\mathcal{A}$’s unique capability: obtain the long-term master key $K_G$ of GWN, and its stored information $\left\{b_j,PI{D}_j \right\}$.

Step 1: 

Compute $X_{GS}=h\left(PI{D}_j\left|\left|K_G\right|\right|b_j\right)$;

Step 2: 

Compute $(RI{D}_i\left|\left|GI{D}_i\right|\right|r_U|\left|r_{GW}\right)=M_3\oplus h\left(SI{D}_j\left|\left|X_{GS}\right|\right|T_2\right)$;

Step 3: 

Compute $r_{SD}=M_4\oplus h(X_{GS}\left|\left|RI{D}_i\right|\right|GI{D}_i||T_3)$;

Step 4: 

Compute $SK=h(r_U\left|\left|r_{GW}\right|\right|r_{SD}\left|\left|RI{D}_i\right|\right|GI{D}_i||SI{D}_j)$.

The attacker $\mathcal{A}$ successfully obtains the session key, and forward security cannot be guaranteed.

6. The Proposed Scheme

In this section, we design a robust three-factor authentication scheme for smart home. On the basis of Yu et al.’s scheme [13], we propose an authentication and key agreement scheme based on ECC to overcome the weakness of Yu et al.’s scheme, which provides various security features for legitimate users in smart home. Our proposed scheme includes the following four phases: initialization phase, registration phase, login and authentication phase, and password update phase.

6.1. System Initialization

The $RA$ system administrator firstly selects the elliptic curve $E$ over a prime finite field $F_q$, and a base point $Q$ based on $E$. Furthermore, $RA$ selects a system private key $y\in F_q$, calculates the system public key $P=y·Q$, and generates an identity $GI{D}_k$ for $GWN$. Then, $RA$ generates a master key $K$ to $GWN$, and stores it in $GWN$ together with the system private key $y$. Finally, $RA$ generates an identity $SI{D}_j$ for $SI{D}_j$ and generate long-term key $K_{SD}$ gives $S{D}_j$.

6.2. Registration Phase

6.2.1. User Registration Phase

• Step 1: In order to send a registration request, the user generates a random number $r_i$, selects an identity $I{D}_i,$ a password $P{W}_i$, enter the biometric information $Bi{o}_i$, computes $Gen\left(Bi{o}_i\right)=〈{\gamma }_i,{\beta }_i〉,RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right),RP{W}_i=h(P{W}_i||{\gamma }_i)$, and transmits $\left\{RI{D}_i,RP{W}_i,r_i\right\}$ to $RA$ via a secure channel;
• Step 2: $RA$ computes $K_{GU}=h\left(RI{D}_i\left|\left|K\right|\right|r_i\right)$, $C_1=K_{GU}\oplus h(RP{W}_i|\left|r_i\right)$, then $RA$ transmits the secret key $K_{GU}$ to the gateway $GWN$ via the secure channel. Upon receiving $K_{GU}$ from $RA$, $GWN$ computes $L_k=h(GI{D}_i||K)\oplus K_{GU}$, stores it in the gateway $GWN$, and transmits $C_1$ to the smart card which saves it;
• Step 3: $U_a$ computes $C_2=r_i\oplus h(RI{D}_i|\left|RP{W}_i\right),C_3=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$. After that, $U_a$ stores $\left\{C_1,C_2,C_3\right\}$ secret parameter into the smart card.

6.2.2. Smart Device Registration Phase

• Step 1: The smart device $S{D}_j$ generates a random number $r_j$, computes $TI{D}_j=h(SI{D}_j||r_j)$, and then transmits $\left\{r_j,TI{D}_j\right\}$ to $RA$ via a secure channel;
• Step 2: Upon receiving the message from $S{D}_j$, $RA$ computes $K_{GS}=h\left(TI{D}_j\left|\left|K\right|\right|r_j\right)$, stores $\left\{r_j,TI{D}_j\right\}$ in the secure database of $GWN$, and transmits $K_{GS}$ to $S{D}_j$ via the secure channel;
• Step 3:$S{D}_j$ computes $B_1=r_j\oplus h\left(K_{SD}\left|\right|SI{D}_j\right)$,$B_2=K_{GS}\oplus h(K_{SD}||r_j)$. Finally, $S{D}_j$ stores $\left\{B_1,B_2\right\}$ in the memory.

6.3. Login and Mutual Authentication Phase

As shown in Figure 2, the procedure of login and mutual authentication is described as follows:

• Step 1: The user $U_a$ enters $I{D}_i$, $P{W}_i$ and fingerprints the biometric information $Bi{o}_i$. Then, the smart card computes ${\gamma }_i=Rep\left(Bi{o}_i,{\beta }_i\right)$,$RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$,$RP{W}_i=h(P{W}_i|\left|{\gamma }_i\right)$, $K_{GU}=C_1\oplus h(RP{W}_i|\left|r_i\right)$, $r_i=C_2\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_3^{*}=h(RI{D}_i|\left|RP{W}_i\right||r_i)$ mod $v$, where $v\in \left[2^4,2^8\right]$, and check whether $C_3^{*}=C_3$. If the equation is valid, the smart card generates a random number $r_a$, $w\in Z_n^{*}$, the timestamp $T{s}_1$. $U_a$ selects the target smart device $S{D}_j$, and the smart card starts to compute $M_1=(SI{D}_j||r_a)\oplus K_{GU}\oplus T{s}_1$, $C_4=w·Q$, $C_5=w·P$, $V_1=h\left(RI{D}_i\left|\left|K_{GU}\right|\right|r_a\left|\left|C_5\right|\right|T{s}_1\right)$, $S_1=RI{D}_i\oplus C_5$. Afterward, the smart card sends $\left\{C_4,M_1,V_1,S_1,T{s}_1\right\}$ to $GWN$;
• Step 2: After receiving the message from $U_a$, $GWN$ extracts $L_k$ from the database, and first computes $RI{D}_i=S_1\oplus C_5$, $K_{GU}=h(GI{D}_k||K)\oplus L_k$, $(SI{D}_j|\left|r_a\right)=M_1\oplus K_{GU}\oplus T{s}_1$, $V_1^{*}=h\left(RI{D}_i\left|\left|K_{GU}\right|\right|r_a\left|\left|C_5\right|\right|T{s}_1\right)$, and verify if $V_1^{*}=V_1$. If it is equal, it means that the verification is completed, and then a random number $r_b$ and the timestamp $T{s}_2$ is generated by $GWN$. What’s more, $GWN$ computes $K_{GS}=h\left(TI{D}_j\left|\left|K\right|\right|r_j\right)$, $M_2=(RI{D}_i\left|\left|GI{D}_k\left|\right|C_4\right|\right|r_a|\left|r_b\right)\oplus h\left(SI{D}_j\left|\left|K_{GS}\right|\right|T{s}_2\right)$, $V_2=h(RI{D}_i\left|\left|GI{D}_k\right|\right|K_{GS}|\left|r_a\right|\left|r_b\right|\left|T{s}_2\right)$, and transmits $\left\{M_2,V_2,T{s}_2\right\}$ to $S{D}_j$;
• Step 3: On receiving the message from the gateway $GWN$, $S{D}_j$ extracts $\{B_1,B_2\}$ from the memory, computes $r_j=B_1\oplus h\left(K_{SD}\left|\right|SI{D}_j\right)$, $K_{GS}=B_2\oplus h(K_{SD}||r_j)$, $(RI{D}_i\left|\left|GI{D}_k\left|\right|C_4\right|\right|r_a|\left|r_b\right)=M_2\oplus h\left(SI{D}_j\left|\left|K_{GS}\right|\right|T{s}_2\right)$, $V_2^{*}=h(RI{D}_i\left|\left|GI{D}_k\right|\right|K_{GS}|\left|r_a\right|\left|r_b\right|\left|T{s}_2\right)$, verify whether $V_2^{*}=V_2$ is established. If so, then certification passed. After that, $S{D}_j$ generates a random number $r_c$, the timestamp $T{s}_3$, and computes $C_6=r_c·Q$, $C_7=r_c\cdot C_4=w·C_6$, a session key $SK=h(RI{D}_i\left|\left|GI{D}_k\right|\right|SI{D}_j\left|\left|C_4\right|\right|C_6||C_7)$, $M_3=C_6\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $V_3=h\left(SI{D}_j\left|\left|GI{D}_k\right|\right|C_6\left|\left|K_{GS}\right|\right|T{s}_3\right)$. Finally, $S{D}_j$ transmits $\left\{M_3,V_3,T{s}_3\right\}$ to $GWN$;
• Step 4: After receiving the message sent by the smart device $S{D}_j$, $GWN$ computes $C_6=M_3\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $V_3^{*}=h\left(SI{D}_j\left|\left|GI{D}_k\right|\right|C_6\left|\left|K_{GS}\right|\right|T{s}_3\right)$, and verify if $V_3^{*}$=$V_3$. If the equation holds, the authentication is completed. Then $GWN$ generates the timestamp $T{s}_4$ and computes $M_4=(GI{D}_k\left|\left|r_a\right|\right|r_b||C_6)\oplus h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_4)$, $V_4=h(RI{D}_i\left|\left|GI{D}_k\right|\right|r_a\left|\left|r_b\right|\right|C_6||T{s}_4)$. Lastly, $GWN$ transmits the message $\left\{M_4,V_4,T{s}_4\right\}$ to $U_a$;
• Step 5: On receiving the message from $GWN$, $U_a$ first computes $(GI{D}_k\left|\left|r_a\right|\right|r_b||C_6)=M_4\oplus h(RI{D}_i\left|\left|K_{GU}\right|\right|r_a||T{s}_4)$, $C_7=w·C_6$, $V_4^{*}=h(RI{D}_i\left|\left|GI{D}_k\right|\right|r_a\left|\left|r_b\right|\right|C_6||T{s}_4)$, and then verify if $V_4^{*}=V_4$. If the equation holds, $U_a$ accept this response and compute $SK=h(RI{D}_i\left|\left|GI{D}_k\right|\right|SI{D}_j\left|\left|C_4\right|\right|C_6||C_7)$. At this point, the mutual authentication between the user and the smart device entity is completed, and the two entities of communication have generated the session key.

6.4. Password Update Phase

• Step 1:$U_a$ firstly enters the identity $I{D}_i$, the password $P{W}_i$, and fingerprints the biometric information $Bi{o}_i$;
• Step 2: The smart card begins to compute ${\gamma }_i=Rep\left(Bi{o}_i,{\beta }_i\right)$, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$, $RP{W}_i=h(P{W}_i|\left|{\gamma }_i\right)$, $K_{GU}=C_1\oplus h(RP{W}_i|\left|r_i\right)$, $r_i=C_2\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_3^{*}=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$, and verify if $C_3^{*}=C_3$. If the equation does not hold, the smart card rejects the session request. Otherwise, $U_a$ is allowed to enter a new password and biometric feature;
• Step 3:$U_a$ enters a new password $P{W}_i^{new}$ and a new biometric feature $Bi{o}_i^{new}$ into the smart card. Then, the smart card computes $Gen\left(Bi{o}_i^{new}\right)=〈{\gamma }_i^{new},{\beta }_i^{new}〉$, $RI{D}_i^{new}=h(I{D}_i|\left|{\gamma }_i^{new}\right)$, $RP{W}_i^{new}=h(P{W}_i^{new}||{\gamma }_i^{new})$, $C_1^{new}=K_{GU}\oplus h(P{W}_i^{new}|\left|r_i\right)$, $C_2^{new}=r_i\oplus h(RI{D}_i^{new}|\left|RP{W}_i^{new}\right)$, $C_3^{new}=h(RI{D}_i^{new}|\left|RP{W}_i^{new}\right|\left|r_i\right)$ mod $v$, where $v\in \left[2^4,2^8\right]$. Finally, the smart card stores $\left\{C_1^{new},C_2^{new},C_3^{new}\right\}$ into the memory instead of $\left\{C_1,C_2,C_3\right\}$.

7. Security Analyses of the Proposed Scheme

In this section, we first show that the proposed scheme is resistant to various known attacks and provides the desired security properties through heuristic analysis [31]. Then, we formalize the proposed scheme by using BAN logic [32,33] to prove that the proposed scheme successfully achieves mutual authentication, including establishing a secure session key between users and smart devices. Furthermore, we demonstrate that the proposed scheme provides mutual authentication and resists man-in-the-middle attacks and replay attacks confidentiality using an automatic cryptographic scheme verifier tool Scyther [34,35].

7.1. Informal Security Analysis

7.1.1. Mutual Authentication

The user $U_a$ and the smart device $S{D}_j$ achieve mutual authentication with the help of the intermediate $GWN$. Particularly, $U_a$ and $GWN$ realize mutual authentication by verifying whether $V_1^{*}=V_1$ and $V_4^{*}=V_4$ are established. Similarly, $GWN$ and $S{D}_j$ achieve mutual authentication by verifying whether $V_2^{*}=V_2$ and $V_4^{*}=V_4$ are established, respectively. Therefore, the proposed protocol is able to successfully achieve three-party mutual authentication.

7.1.2. Session Key Agreement

$SK=h(RI{D}_i\left|\left|GI{D}_k\right|\right|SI{D}_j\left|\left|C_4\right|\right|C_6||C_7)$ is negotiated between $U_a$ and smart device $S{D}_j$ in which the attacker $\mathcal{A}$ cannot calculate the parameters $\left\{C_6,C_7\right\}$ through public information, which is based on the hardness of the discrete logarithm problem on the ECC. Hence, $SK$ cannot be obtained by the attacker $\mathcal{A}$. At the same time, $GWN$ does not generate $SK$, and does not associate $SK$ with the generation of the authentication factor, which increases the robustness of the system.

7.1.3. User Anonymity

In fact, $\mathcal{A}$ cannot get the identity $I{D}_i$ directly from the transmitted message, since $I{D}_i$ is not directly included in any public channel message. Meanwhile, $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$ is calculated during the registration and login phases, which need to use biometric information. Furthermore, in public channels, $RI{D}_i$ is also communicated under the protection of $ECC$, and will be $S_1=RI{D}_i\oplus C_5$ protection. Without knowing the system key $y$, $\mathcal{A}$ cannot obtain the user’s $RI{D}_i$ from the communication message, based on the hardness of the discrete logarithm problem on the $ECC$ of the public key technology, which further enhances user anonymity.

7.1.4. Untraceability

When an attacker $\mathcal{A}$ can distinguish between multiple users, then the user can be considered to be trackable. Obviously, in each session, the random number $w$ is randomly generated, and the message $S_1$ sent by the current session is also different from the $S_1$ of others. By computing $RI{D}_i=h(I{D}_i|\left|{\gamma }_i\right)$ and the encryption protection of parameter $C_5$, the scheme can achieve the untraceability of user behavior.

7.1.5. Offline Password Guessing Attack

Regarding offline password guessing attack, $\mathcal{A}$ can obtain the parameters in the smart card, construct the authentication factor with the guessed password and identity, and verify the guessed password by comparing the constructed authentication factor with the value of the real one. On one hand, the password is protected by $C_3^{*}=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$ mod $v$, $v\in \left[2^4,2^8\right]$ through the “fuzzy-verifier” technique. Meanwhile, since the “honey-list” records the number of authentication failures, $\mathcal{A}$ has a limited number of online attempts. Even if under the premise of biometric leakage, $\mathcal{A}$ cannot successfully guess the password. On the other hand, for the authentication factor transmitted in the open channel, in order to perform the offline password guessing attack, $\mathcal{A}$ needs to construct and compute $V_1=h\left(RI{D}_i\left|\left|K_{GU}\right|\right|r_a\left|\left|C_5\right|\right|T{s}_1\right)$. However, only the gateway and users who have the secret private key $y$ can calculate the parameter $C_5$, which is based on the hardness of $ECC$. All in all, the proposed scheme can resist offline password guessing attacks not only against smart card but also against open channels.

7.1.6. Smart Card Loss Attack

In the smart card loss attack, $\mathcal{A}$ can obtain the information stored in the smart device through side-channel attack. In the proposed scheme, the smart card stores $\left\{C_1,C_2,C_3\right\}$, where $C_1=K_{GU}\oplus h(RP{W}_i|\left|r_i\right)$, $C_2=r_i\oplus h(RI{D}_i|\left|RP{W}_i\right)$, $C_3=h(RI{D}_i|\left|RP{W}_i\right|\left|r_i\right)$. After stealing $\left\{C_1,C_2,C_3\right\}$, it is impossible for $\mathcal{A}$ to forge the identity without knowing the random number $r_i$ generated by $U_a$ and the gateway key $K$, thus impersonating the user. At the same time, in the sending request $V_1=h\left(RI{D}_i\left|\left|K_{GU}\right|\right|r_a\left|\left|C_5\right|\right|T{s}_1\right)$, $C_5$ cannot be computed by $\mathcal{A}$ based on the hardness of ECDLP, and thus $\mathcal{A}$ is unable to construct the request. Therefore, the proposed scheme is resistant to smart card loss attack and has a higher robustness.

7.1.7. Node Capture Attack

The attacker $\mathcal{A}$ can steal the stored information by capturing the node. The sensor node of the smart device sends $\left\{M_3,V_3,T{s}_3\right\}$ to $GWN$, where $M_3=C_6\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $V_3=h\left(SI{D}_j\left|\left|GI{D}_k\right|\right|C_6\left|\left|K_{GS}\right|\right|T{s}_3\right)$. Since, the parameter $C_6$ is calculated from the random number $r_c$ generated by the node, $\mathcal{A}$ cannot calculate $\left\{M_3,V_3\right\}$. Moreover, when the attacker steals the session key, the generation of $SK=h(RI{D}_i\left|\left|GI{D}_k\right|\right|SI{D}_j\left|\left|C_4\right|\right|C_6||C_7)$ needs to compute the parameters $C_6$ and $C_7$, where $C_7=w·C_6$. However, $\mathcal{A}$ cannot calculate $C_7$ based on the hardness of ECDLP, and only the user and the smart device can compute the session key $SK$. Therefore, the proposed scheme is resistant to node capture attack.

7.1.8. Replay Attack

Replay attack is one of the most common attack means. In the proposed scheme, timestamp and random number mechanisms are used to resist replay attack. The messages passed between the communicating entities contain timestamps $\left\{T{s}_1,T{s}_2,T{s}_3, T{s}_4\right\}$ and random numbers $\left\{r_a,r_b\right\}$. The freshness of these parameters is verified in the authentication factor, and even if the attacker $\mathcal{A}$ replays the communication message, the authentication of entities cannot be realized. Therefore, replay attack is impossible in our scheme.

7.1.9. Forward Security

When implementing forward security, it is necessary to consider whether the attacker can guarantee the security of the session key under the condition that the attacker can obtain the long-term key of the system. In fact, in the proposed protocol $SK=h(RI{D}_i\left|\left|GI{D}_k\right|\right|SI{D}_j\left|\left|C_4\right|\right|C_6||C_7)$, $\mathcal{A}$ steals the long-term secret $K$ of $GWN$, and further computes $K_{GS}$, $K_{GU}$ and $C_6$. However, the parameter $C_7$ is still unable to be obtained based on the hardness of ECDLP, only the two entities of the user and the smart device can calculate the session key $SK$. Thus, our scheme achieves forward security.

7.1.10. Desynchronization Attack

After the session key is established, $U_a$, $GWN$ and $S{D}_j$ do not need to update any parameters, and the three entities do not store the same secret value. Therefore, the proposed scheme is resistant to desynchronization attack.

7.1.11. Smart Device Impersonation Attack

In the designed scheme, $S{D}_j$ sends a message $\left\{M_3,V_3,T{s}_3\right\}$ to $GWN$, where $M_3=C_6\oplus h\left(K_{GS}\left|\left|RI{D}_i\right|\left|GI{D}_k\right|\right|T{s}_3\right)$, $V_3=h\left(SI{D}_j\left|\left|GI{D}_k\right|\right|C_6\left|\left|K_{GS}\right|\right|T{s}_3\right)$. To calculate these values, $\mathcal{A}$ needs to calculate $K_{GS}$ and $C_6$, but $\mathcal{A}$ cannot construct $M_3$ and $V_3$ without knowing the gateway key $K$ and random number $r_c$. Furthermore, in the process of forging the session key $SK$, $\mathcal{A}$ cannot compute $C_7$ based on the hardness of ECDLP. Therefore, no attacker can impersonate himself as a legitimate smart device, and our scheme has a strong resistant-smart device impersonation attack ability.

7.1.12. Privileged Insider Attack

During the registration phase of the protocol, $U_a$ sends a registration request message to $RA$. $\mathcal{A}$ cannot obtain the identity and password of $U_a$ from the sent message, because the identity and password values are protected by the biometric information parameter ${\gamma }_i$ and calculated by a one-way hash function. Therefore, the scheme is resistant to privileged insider attack.

7.1.13. Man-in-the-Middle Attack

Obviously, each message sending and receiving realizes mutual authentication, including under the protection of the secret values $K_{GU}$ and $K_{GS}$. More importantly, the message consists of the three important parameters $\left\{C_5,C_6,C_7\right\}$. Since, the calculation of parameters can only be done by both communicating parties, no one can construct a legitimate message without knowing the secret value and important parameters. Therefore, the proposed scheme is resistant to man-in-the-middle attack.

7.2. BAN Logic

BAN logic is a very well-known formal proof to verify the mutual authentication properties of a scheme and the security of the session key. As a result, we demonstrate that the mutual authentication of the proposed scheme can be realized.

7.2.1. Rules

The basic notions and implications are shown in

Table 2. Notions of BAN Logic.

Notions	Implications
$P|\equiv X$	$P$ believes $X$
$P⊲X$	$P$ receives $X$
$P|~X$	$P$ once said $X$
$P|\Rightarrow X$	$P$ has jurisdiction over $X$
$P\stackrel{K}{\leftrightarrow }Q$	$K$ is a shared key between $P$ and $Q$
$\#\left(X\right)$	$X$ is fresh
${\left\{X\right\}}_K$	$X$ is encrypted with the key $K$
${(X)}_h$	hash of $X$
$\left(X, Y\right)$	$X$ and $Y$ is one part of message $\left(X, Y\right)$
$<X{>}_Y$	$X$ combines with $Y$, $Y$ is secret value

.

The basic rules of BAN logic are as follows

• Message-meaning rule:

$$\frac{P|\equiv \left(P\stackrel{K}{\leftrightarrow }Q\right),P⊲{\left\{X\right\}}_K}{P|\equiv (Q|~X)}$$

2.

Nonce-verification rule:

$$\frac{P\left|\equiv \#\left(X\right),P\right|\equiv (Q|~X)}{P|\equiv (Q|\equiv X)}$$

3.

Jurisdiction rule:

$$\frac{P|\equiv (Q|\Rightarrow X),P|\equiv (Q|\equiv X)}{P|\equiv X}$$

4.

Message-freshness rule:

$$\frac{P|\equiv \#\left(X\right)}{P|\equiv \#\left(X,Y\right)}$$

5.

Belief rule:

$$\frac{P\left|\equiv X,P\right|\equiv Y}{P|\equiv \left(X,Y\right)}$$

6.

Session key rule:

$$\frac{P|\equiv \#\left(X\right),P\left|\equiv Q\right|\equiv X}{P|\equiv P\stackrel{K}{\leftrightarrow }Q}$$

7.2.2. Goals

The proposed scheme needs to achieve the following goals:

• $G_1$: $U_a\left|\equiv S{D}_j\right|\equiv \left(U_a\stackrel{SK}{\leftrightarrow }S{D}_j\right)$
• $G_2:U_a|\equiv \left(U_a\stackrel{SK}{\leftrightarrow }S{D}_j\right)$
• $G_3:S{D}_j\left|\equiv U_a\right|\equiv \left(U_a\stackrel{SK}{\leftrightarrow }S{D}_j\right)$
• $G_4:S{D}_j|\equiv \left(U_a\stackrel{SK}{\leftrightarrow }S{D}_j\right)$

7.2.3. Idealized Forms

First of all, the messages communicated in the proposed scheme can be transformed into idealized forms as follows:

$$Msg1:\left\{C_4,M_1,V_1,S_1,T{s}_1\right\}:$$

$$<SI{D}_j,RI{D}_i,r_a,T{s}_1, w·Q{>}_{U_a\stackrel{K_{GU}}{\leftrightarrow }GWN}$$

$$Msg2:\left\{M_2,V_2,T{s}_2\right\}:$$

$$<RI{D}_i,GI{D}_k,r_a,r_b,w·Q,T{s}_2{>}_{GWN\stackrel{K_{GS}}{\leftrightarrow }S{D}_j}$$

$$Msg3:\left\{M_3,V_3,T{s}_3\right\}:$$

$$<SI{D}_j,GI{D}_k,r_c·Q,T{s}_3{>}_{S{D}_j\stackrel{K_{GS}}{\leftrightarrow }GWN}$$

$$Msg4:\left\{M_4,V_4,T{s}_4\right\}:$$

$$<RI{D}_i,GI{D}_k,r_a,r_b,r_c·Q,T{s}_4>{ }_{GWN\stackrel{K_{GU}}{\leftrightarrow }{U}_a}$$

7.2.4. Assumptions

Then, some initial assumptions are given below:

$N1$: $GWN|\equiv \#r_a$

$N2$: $S{D}_j|\equiv \#r_b$

$N3$: $GWN|\equiv \#T{s}_3$

$N4$: $U_a|\equiv U_a\stackrel{K_{GU}}{\leftrightarrow }GWN$

$N5$: $GWN|\equiv GWN\stackrel{K_{GU}}{\leftrightarrow }{U}_a$

$N6$: $GWN|\equiv GWN\stackrel{K_{GS}}{\leftrightarrow }S{D}_j$

$N7$: $S{D}_j|\equiv S{D}_j\stackrel{K_{GS}}{\leftrightarrow }GWN$

$N8$: $U_a\left|\equiv S{D}_j\right|\Rightarrow \left\{SI{D}_j,T{s}_3,SK,r_c·Q\right\}$

$N9$: $U_a\left|\equiv GWN\right|\Rightarrow \left\{GI{D}_k,r_b,T{s}_2,wy.Q\right\}$

$N10$: $GWN\left|\equiv U_a\right|\Rightarrow \left\{RI{D}_i,r_a,T{s}_1,yw.Q\right\}$

$N11$: $GWN\left|\equiv S{D}_j\right|\Rightarrow \left\{T{s}_3,SI{D}_j,r_c·Q\right\}$

$N12$: $S{D}_j\left|\equiv U_a\right|\Rightarrow \left\{RI{D}_i,r_a,SK,w{r}_c·Q\right\}$

$N13$: $S{D}_j\left|\equiv GWN\right|\Rightarrow \left\{GI{D}_k,r_b,T{s}_2\right\}$

7.2.5. Proof

Next, based on the BAN logic rules and assumptions, the main proofs are given below:

According to the $Msg1$, we get $B1$: $GWN⊲<SI{D}_j,RI{D}_i,r_a,T{s}_1,w·Q{>}_{U_a\stackrel{K_{GU}}{\leftrightarrow }GWN}$

From $N5$, $B1$ and Message-meaning rule, we obtain $B2$:

$$GWN\left|\equiv U_a\right|~\left(SI{D}_j,RI{D}_i,r_a,T{s}_1,w·Q\right)$$

From $N1$ and Message-freshness rule, we get $B3$:

$$GWN|\equiv \#\left(SI{D}_j,RI{D}_i,r_a,T{s}_1, w·Q\right)$$

From $B2$, $B3$ and Nonce-verification rule, we have $B4$:

$$GWN\left|\equiv U_a\right|\equiv \left(SI{D}_j,RI{D}_i,r_a,T{s}_1, w·Q\right)$$

According to the $Msg2$, we get $B5$:

$$S{D}_j⊲<RI{D}_i,GI{D}_k,r_a,r_b,w·Q,T{s}_2{>}_{GWN\stackrel{K_{GS}}{\leftrightarrow }S{D}_j}$$

From $N7$, $B5$ and Message-meaning rule, we obtain $B6$:

$$S{D}_j\left|\equiv GWN\right|~\left(RI{D}_i,GI{D}_k,r_a,r_b,w·Q,T{s}_2\right)$$

From $N2$ and Message-freshness rule, we get $B7$:

$$S{D}_j|\equiv \#\left(RI{D}_i,GI{D}_k,r_a,r_b,w·Q,T{s}_2\right)$$

From $B6$, $B7$ and Nonce-verification rule, we have $B8$:

$$S{D}_j\left|\equiv GWN\right|\equiv \left(RI{D}_i,GI{D}_k,r_a,r_b,w·Q,T{s}_2\right)$$

According to the $Msg3$, we get $B9$:

$$GWN⊲<SI{D}_j,GI{D}_k,r_c·Q,T{s}_3{>}_{S{D}_j\stackrel{K_{GS}}{\leftrightarrow }GWN}$$

From $N6$, $B9$ and Message-meaning rule, we obtain $B10$:

$$GWN\left|\equiv S{D}_j\right|~\left(SI{D}_j,GI{D}_k,r_c·Q,T{s}_3\right)$$

From $N3$ and Message-freshness rule, we get $B11$:

$$GWN|\equiv \#\left(SI{D}_j,GI{D}_k,r_c·Q,T{s}_3\right)$$

From $B10$, $B11$ and Nonce-verification rule, we have $B12$:

$$GWN\left|\equiv S{D}_j\right|\equiv \left(SI{D}_j,GI{D}_k,r_c·Q,T{s}_3\right)$$

According to the $Msg4$, we get $B13$:

$$U_a⊲<RI{D}_i,GI{D}_k,r_a,r_b,r_c·Q,T{s}_4>{ }_{GWN\stackrel{K_{GU}}{\leftrightarrow }{U}_a}$$

From $N4$, $B13$ and Message-meaning rule, we obtain $B14$:

$$U_a\left|\equiv GWN\right|~\left(RI{D}_i,GI{D}_k,r_a,r_b,r_c·Q,T{s}_4\right)$$

From $N1$, $N2$, $N3$ and Message-freshness rule, we get $B15$:

$$U_a|\equiv \#\left(RI{D}_i,GI{D}_k,r_a,r_b,r_c·Q,T{s}_4\right)$$

From $B14$, $B15$ and Nonce-verification rule, we have $B16$:

$$U_a\left|\equiv GWN\right|\equiv \left(RI{D}_i, GI{D}_k,r_a,r_b, r_c·Q, T{s}_4\right)$$

From $B4$, $B8$, we get $B17$:

$$S{D}_j\left|\equiv U_a\right|\equiv \left(RI{D}_i,r_a,w·Q\right)$$

From $B7$, $B17$ and Session key rule, we have $B18$:

$$S{D}_j\left|\equiv U_a\right|\equiv U_a\stackrel{SK}{\leftrightarrow }S{D}_j\left(Goal3\right)$$

From $N12$, $B18$ and Jurisdiction rule, we get $B19$:

$$S{D}_j|\equiv U_a\stackrel{SK}{\leftrightarrow }S{D}_j\left(Goal4\right)$$

From $B12$, $B16$, we get $B20$:

$$U_a\left|\equiv S{D}_j\right|\equiv \left(SI{D}_j,GI{D}_k,r_c·Q\right)$$

From $B15$, $B120$ and Session key rule, we have $B21$:

$$U_a\left|\equiv S{D}_j\right|\equiv U_a\stackrel{SK}{\leftrightarrow }S{D}_j\left(Goal1\right)$$

From $N8$, $B21$ and Jurisdiction rule, we get $B22$:

$$U_a|\equiv U_a\stackrel{SK}{\leftrightarrow }S{D}_j\left(\mathit{Goal}2\right)$$

All in all, the above BAN logic analysis proves that $U_a$, $GWN$ and $S{D}_j$ can perform mutual authentication successfully. In particular, with the assistance of $GWN$, the secure session key $SK$ is established between $U_a$ and $S{D}_j$.

7.3. Scyther Simulation

In this section, the proposed scheme will be formally analyzed by the Scyther tool, in the environment (CPU: 2.7 GHz Intel Core i5; RAM: 8 GB 1867 MHz DDR3). Scyther is an automated security scheme verification tool [34] that can be used to capture potential attacks and security threats. In previous related work, it has been used by many researchers to evaluate various security schemes. In this paper, we employ Scyther Tool to evaluate the properties of the proposed scheme, mainly focusing on confidentiality, resistance to replay attack, and resistance to a man-in-the-middle attack. Scyther provides a graphical user interface, which includes the Scyther command line tool and Python scripting interface, and the description of the scheme is written in Security Protocol Description Language(SPDL). Security properties are schemaless as declarative events. The adversary model used by Scyther is predefined and based on the Dolev–Yao model. The simulation results use Scyther to ensure that the private information used by the proposed scheme is safe from attackers during scheme execution. Compared to other emulators, such as AVISPA, ProVerif, etc., Scyther emulation tools are now very popular for authentication-based schemes. If it is analyzed that the scheme is secure, it means that the scheme is protected from man-in-the-middle attack and replay attack, achieving important security properties, such as confidentiality.

To analyze the proposed scheme, we model our scheme in SPDL, and various claims are made on the scheme. The specific claims and codes are found in Appendix A. Figure 3 accurately illustrates the results obtained in Scyther’s simulation of the login and authentication scheme, which clearly shows that the proposed scheme is secure.

We repeated the Scyther verification thirty times with the same experimental results, using a combination of manually defined claims and Scyther’s automatically generated claims. The results of the analysis for the proposed scheme are as follow:

8. Performance and Security Analysis

In this section, we show the results of the comparison results of the proposed protocol with similar protocols [13,19,20,22,23,24], including computational costs, communication costs, security features [36], and storage costs.

8.1. Computation Costs Comparison

Completely, for computation cost analysis in these schemes, we denote $T_p$, $T_{ED}$, $T_e$ and $T_h$ as the time needed for computing “bilinear pairing”, “encryption and decryption”, “ECC multiplication”, and “hashing” operations, respectively. According to the experimental data of [37], the running time for bilinear pairing is $T_p$ ≈ 32.713 ms (milliseconds), for an ECC multiplication is $T_e$ ≈ 13.405 ms, for hash function computation is Th ≈ 0.056 ms, and for encryption and decryption is $T_{ED}$ ≈ 1.657 ms. In

Table 3. Computation Costs Comparison.

Scheme	Naoui [23]	Shuai [20]	Yu & Li [19]	Kumar [22]	Nasib [24]	Yu [13]	Ours
$U_a$	$12T_h$$+2T_e$$+3T_{ED}$	$6T_h$$+2T_e$	$7T_h$$+14T_e$	$6T_h$$+2T_e$	$7T_h$$+2T_e$	$12T_h+T_{ED}$	$9T_h$$+3T_e$
$GWN$	$13T_h$$+2T_e$$+4T_{ED}$	$7T_h$$+T_e$	$12T_h$$+19T_e$$+4T_p$	$8T_h+T_e$	$5T_h+T_e$	$11T_h$	$9T_h+T_e$
$S{D}_j$	$T_e$$+T_{ED}$	$3T_h$	$7T_h$$+14T_m$	$3T_h$	$6T_h$	$7T_h$	$7T_h$$+2T_e$
Total costs	81.681	27.604	762.343	41.167	41.223	3.337	68.425

, we show the compared results of computation cost analysis. We can see that the computation costs of the proposed scheme is slightly greater than that of Yu et al. [13]. However, as the informal analysis and Table 3 show, our proposed scheme has more security features and is able to overcome the weaknesses of Yu et al.’ scheme [13]. Therefore, these sacrifices of computational overhead are acceptable, and our proposed scheme achieves a high-level balance in terms of security and efficiency, which is more suitable for the practical application environments of smart home.

8.2. Communication Costs

For the communication cost comparison, it is assumed that the ECC point is 320 bits, the hash digest is 160 bits, the encryption and decryption are 256 bits, the timestamp is 32 bits, and the nonce or identity are 128 bits long. In

Table 4. Communication Costs Comparison.

Scheme	Total Costs (Byte)	Number Messages
Naoui [23]	(228 + 136 + 96) = 460	3
Shuai [20]	(192 + 80 + 80 + 80) = 432	4
Yu & Li [19]	(84 + 124 + 164 + 164) × 2 = 1072	8
Kumar [22]	(200 + 88 + 88 + 88) = 464	4
Nasib [24]	(352 + 184 + 112 + 184) = 832	4
Yu [13]	(144 + 80 + 80 + 80) = 384	4
Ours	(192 + 80 + 80 + 112) = 464	4

, We show the comparison results of the communication cost in bytes between the proposed scheme and previous schemes. It can be concluded that the proposed scheme provides better communication costs compared to related schemes.

8.3. Security Comparisons

This section evaluates the security properties of the proposed scheme compared to previous schemes [13,19,20,22,23,24].

Table 5. Security Features.

Feature	Naoui [23]	Shuai [20]	Yu & Li [19]	Kumar [22]	Nasib [24]	Yu [13]	Ours
S1	✓	✓	✓	✓	✓	✓	✓
S2	✓	✓	✓	✓	✓	✓	✓
S3	✓	✗	✓	✗	✗	✓	✓
S4	✓	✓	✓	✓	✓	✗	✓
S5	✗	✗	✓	✓	✗	✗	✓
S6	✗	✓	✓	✓	✗	✗	✓
S7	✗	✗	✓	✗	✗	✗	✓
S8	✓	✓	✓	✓	✓	✓	✓
S9	✗	✗	✓	✗	✗	✗	✓
S10	✓	✓	✗	✓	✓	✓	✓
S11	✗	✗	✓	✗	✗	✗	✓
S12	✓	✓	✓	✓	✗	✓	✓
S13	✓	✓	✓	✓	✓	✓	✓
S14	✗	✗	✓	✗	✓	✓	✓
S15	✗	✓	✗	✓	✗	✓	✓

S1: mutual authentication; S2: session key agreement; S3: user anonymity; S4: untraceability; S5: anti-offline password guessing attack; S6: anti-smart card loss attack; S7: anti-node capture attack; S8: anti-reply attack; S9: forward security; S10: anti-desynchronization attack; S11: anti-smart device impersonation attack; S12: anti-privileged insider attack; S13: anti-man-in-the-middle attack; S14: three-factor security; S15: no password verification table.

shows that previous schemes suffer from various security attacks, such as smart card loss attack, insider privilege attack, and offline password guessing attack, etc., and fail to provide user anonymity, forward security, and mutual authentication. In contrast, the proposed scheme resists various security attacks. In particular, forward secrecy, user anonymity, etc. are also provided in Table 5. Therefore, it can be concluded that our proposed scheme provides more security properties than previous schemes [13,19,20,22,23,24].

8.4. Storage Costs

Comparing storage costs is based on the size of the data storage in the smart card.

Table 6. Storage Costs Comparison.

Scheme	Total Costs (Bit)
Naoui [23]	320
Shuai [20]	512
Yu & Li [19]	480
Kumar [22]	384
Nasib [24]	640
Yu [13]	480
Ours	480

shows how many bits are stored in the smart card for each scheme, where the length of the secret parameters is described in Section 8.2. Obviously, we can see the advantages of the proposed scheme in storage costs, and our scheme overhead is in a reasonable range, which can be well adapted to the practical remote control system.

9. Conclusions

The security issue of smart homes has been a serious challenge to the growing demand. In related research, a large number of authentication schemes have been designed to adapt to the unique communication environment of smart homes. However, previous schemes do not make a good job of guaranteeing the privacy of transmitted information and the anonymity of users. Fortunately, in this paper, we first prove that Yu et al.’s [13] scheme is insecure to offline password guessing attack, node capture attack, and cannot achieve forward secrecy. Hence, in order to overcome these security threats, we propose a robust three-factor anonymous authentication scheme. Next, we demonstrate that the scheme is resistant to various known attacks through formal and informal proofs. Moreover, we compared the scheme with the recently related schemes in terms of computation consumption time and communication overhead, and demonstrated the efficiency and superior performance of the proposed scheme, which can adapt to the actual environment of a smart home. After comparing the security properties of these protocols, it can be proved that our scheme can better ensure the applicability of smart home systems. Looking to the future, the schemes designed for the future smart home will continue to focus on security, privacy and anonymity, which is also in line with people’s pursuit of a safe life. It should be pointed out that the existing scheme models have high requirements for trusted third parties. However, in practice, we need to think further about how to reduce the pre-safety conditions of the system and still achieve the same safety effect.