A lightweight three factor authentication framework for IoT based critical applications

Publisher

ELSEVIER
DOI: 10.1016/j.jksuci.2021.07.023

Keywords

Internet of things; Session key; Three-factor authentication; Constrained application protocol; Mutual authentication; Message queue telemetry transport; Scyther

IoT is a vast heterogeneous network that provides digital services for smart city applications. Ensuring communication security is crucial when accessing these services remotely. Both entity and message authentication are important for this purpose. While mutual authentication between subscribers and gateway nodes has received attention, there is still a need to improve mutual authentication between gateway nodes and IoT sensor nodes.
IoT is emerging as a massive web of heterogeneous networks estimated to interconnect over 41 billion devices by 2025, generating around 79 zettabytes of data. The heterogeneous network will bring in a plethora of digital services leveraging cloud and communication technologies to drive smart city applications. As users access these services remotely in a ubiquitous environment over public channels, it becomes imperative to secure their communication. Both entity and message authentication emerge as critical security primitives to thwart unauthorized access and prevent the falsification of messages. While researchers have given due attention to achieving mutual authentication between the subscriber (remote user) and the gateway node (broker), mutual authentication between the gateway node and an IoT sensor node still leaves much to be desired. Neglecting it risks a rogue or shadow IoT device joining an IoT-based network without authorization. Some of the widely used IoT-specific application layer protocols, like the constrained application protocol (CoAP) and the message queue telemetry transport (MQTT) protocol, are not inherently equipped with adequate security safeguards. They therefore rely on underlying transport layer security protocols, which are highly computationally intensive. To address this issue, this paper proposes a three-factor authentication framework suitable for IoT-driven critical applications, based upon identity, password and a digital signature scheme. The framework employs a publish-subscribe pattern leveraging elliptic curve cryptography (ECC) and computationally low-cost hash chains. The formal and informal security analysis shows that the framework is resistant to different types of cryptographic attacks. Furthermore, the automated validation performed with the Scyther tool verifies that no cryptographic attacks are found on any of the claims stated in the proposed framework. Finally, a comparison of the framework's security features and its computational and communication overheads is carried out with other existing protocols.

(c) 2021 The Authors. Published by Elsevier B.V. on behalf of King Saud University. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).
