A Practical Group Authentication Scheme for Smart Devices in IoT

Internet of things (IoT) is used to provide real-time data collection and analysis of the target area by the cooperation of low-cost devices. Authentication of multiple devices has become a research hot-spot because of the requirements of real applications. Sensitivity and privacy of data have caused widespread concerns because low-cost devices are neither tamper-proof nor capable of performing public key cryptography efficiently. However, many researchers only focus on the authentication between two devices in the network. They ignore the authentication among group devices attached to one network. In this paper, we propose a practical group authentication scheme for smart devices in IoT. Note that one device group to be authenticated consists of a group of smart devices. The personal digital assistant (PDA) as the group leader controls authentication operations in its group. From the security analysis, our scheme can resist various attacks. In addition, the performance analysis shows that our scheme has lower computational cost than the existing scheme.


Introduction
Internet of things (IoT) is the reasonable association of physical devices, vehicles, buildings, and other things which are equipped with electronics, software, sensors, actuators and so on. IoT enables these intelligent objects to collect and exchange data [3] [2] [11] for different usages. Nowadays, IoT can be widely used in all walks of life. It can collect the distributed information and connect everything in the world, so applications of IoT mainly include the following areas: health-care, transport, logistics, smart home, and so on. Note that IoT has very broad application prospects and markets in these areas. In IoT, each user can use electronic tags to connect real devices to the network. In the network, users can find one thing's specific location, running state and other parameters of interest. The cloud servers are usually used in IoT as service providers [14] to provide storage and computation services. Internet users on the network can use IoT for personnel management, centralized control, remote control and other similar control systems. At the same time, other major breakthroughs to smart cities can be achieved based on analysing the collected data [13]. With the development of Internet technology, IoT can be widely used in smart home, so as to provide people with a higher quality of life. However, security issues cannot be ignored, such as the theft of sensitive data leading to personal privacy leaks, illegal invasion of smart home, etc. In addition, devices used in IoT are usually lightweight and have restrictions on resources such as storage, computation and so on. So, applying non-lightweight public-key cryptography (PKC) to these devices is challenging. What's more, owing to the limit on the storage, the size of key should not be large. Compared with traditional systems, IoT is an easy target for attackers because communications are done in wireless environment. In this paper, we pay attention to data security and users' privacy protection by applying identity-based authentication protocol into IoT.

Related work
In the last decades, many security authentication schemes have been proposed for network security [31]. We mainly introduce device authentication schemes in networks here.
In [4], Gupta et al. proposed an authentication protocol using elliptic curve cryptography, which can intercept malicious nodes outside the sensor network. However, the protocol uses computationally intensive operations that require huge memory, which may be impractical for resource constrained sensor networks. In [20], Zhang et al. proposed a hierarchical authentication and key management framework for hierarchical wireless networks. However, this solution is implemented between the leader nodes, and there is no authentication method for the common devices in the network. Later, the KDC based authentication scheme was proposed [19], which employs a trusted third party to assist the authentication operations. In [19], two devices agree on a pair of keys and store the keys in their database. Note that devices can authenticate themselves so as to generate a session key for data transmission. The drawback of this scheme is the dependence on the trusted third party and the lack of scalability.
The limitation on devices presents big challenges to design secure authentication schemes. Note that ECC [10] achieves high level security with small key size [9] compared with RSA. Using small key size in authentication scheme can achieve higher computation efficiency and save bandwidth, memory and energy. It is obvious that ECC is more suitable for resource limited devices in IoT [7].

Main Contributions
A user can hold many intelligent devices with the control of a PDA. By collecting and analysing the information from smart devices, the user sends control message to a specified device by PDA to complete the corresponding operation [21].
In this paper, we design a group devices authentication scheme for IoT. The main contributions of this paper are listed as follows:
• We propose an identity-based group devices authentication scheme. Devices deployed in the same intelligent system form a group. The identity of each device is used into the authentication operation to guarantee the network security before data collection and data analysis stage.
• We design a group conference key agreement scheme. Through the scheme, a conference key can be generated without consuming large amount of devices' energy resource. The generated key can be used to guarantee the security during the following data collection operations in IoT.
The rest of the paper is sketched as follows. In Section 2, we discuss some preliminaries. In Section 3, we propose a group authentication scheme to authenticate all devices with a PDA in the network. In Section 4, we provide rigorous security analysis. Then we provide the performance analysis in Section 5. Finally, we conclude this paper in Section 6.

Preliminaries
In this section, some necessary preliminaries are introduced, including elliptic curve cryptography, Weil pairing and secret sharing scheme.

Elliptic Curve Cryptography
In the ECC cryptography system [6], the elliptic curve equation is defined as $E_p(a, b): y^2 = x^3 + ax + b \pmod{p}$ over $F_p$, where $b \in F_p$, $p > 3$ and $4a^3 + 27b^2 \pmod{p}$ is not equal to 0. In general, the security of ECC depends on the following difficult problems [22][23][24][25][26].
• Definition 1 For two different points $P$ and $Q$ over $E_p(a, b)$, the elliptic curve discrete logarithm problem (ECDLP) [5] is to find an integer $s \in F_p$ such that $Q = sP$.
• Definition 2 Given three points $P$, $sP$ and $tP$ over $E_p(a, b)$ for $s, t \in F_p$, the CDH problem [16] is to find the point $(st)P$ over $E_p(a, b)$ without knowing $s$ and $t$ [1].
• Definition 3 $G$ is a generator of $G_1$ and $G_2$ is the subgroup of $F_{p^2}$ containing all elements of order $q$. A modified Weil pairing is a map $e: G_1 \times G_1 \to G_2$. The properties of the map have been shown in [15].

Secret sharing
The secret sharing (SS) scheme was proposed by Shamir in 1979 [12] which has been considered as one important tool in information security.
In this paper, we use the SS scheme to accomplish group device authentication. In this subsection, we give an overall review of SS scheme. Note that n users, a server and two algorithms are included. In the generation algorithm, server S selects a random polynomial function $f(x) = a_0 + a_1 x + a_2 x^2 + \dots + a_{t-1} x^{t-1}$ and sets $s = f(0)$. Then, users send their public messages $x_i$ to S. After getting users' public messages, S computes $f(x_i)$ and returns it to users via a secure channel. In the reconstruction algorithm, each user broadcasts $f(x_i)$ to other users in the system. Each user attempts to recover $s$ by Lagrange interpolating formula. If the recovered value is equal to $s$, participating devices are certified; otherwise, authentication failed. Security requirements of the SS scheme are as follows:
• Anyone can reconstruct $s$ with $t$ or more than $t$ shares.
• No one can get anything about $s$ with fewer than $t$ shares.

Group Devices Authentication Scheme
In this section, group devices authentication scheme in IoT is introduced in detail, which is available for multiple lightweight smart devices [30]. Note that smart devices in one group are controlled by a PDA. In our assumption, smart devices in a smart home system have no need to transfer data packages to the credible service provider (CSP). The PDA plays the role of collecting data from devices and uploading to the CSP. Similar to heterogeneous wireless sensor networks (HWSNs), the data upload operation is completed by cluster head nodes [17]. Smart devices communicate with the CSP according to their identities and communicate with the PDA according to their public keys. The CSP gathers secret information from devices and generates the proof by secret sharing scheme. The notations used in our scheme are described in Table 1.
The secret of the CSP
$GSK_{CSP}$, $GSK_{PDA}$: The generated conference key between the CSP and the PDA
It is assumed that a large set of group needs to be authenticated where smart devices are assigned in network areas. Moreover, the CSP and the PDA can generate session keys with the help of authorized devices for data uploading.

Scheme Design
Note that there are $n$ smart devices in our scheme. $SD$ denotes the set of smart devices. Device $SD_i \in SD$, $i = 1, 2, \dots, n$. $SD_i$ is registered at the CSP and is controlled by the PDA to form a group. The polynomial function generated by the CSP is a random $(n-1)$th degree function. When the input of $f(x)$ is 0, the output is $a_{CSP}$, which is the secret shared by the CSP. Each smart device obtains a part of $a_{CSP}$ by sending tokens to the CSP. Note that the authentication operation is executed by the PDA after collecting each device's $f_{SD_i}$.
Here, the group devices authentication scheme can be divided into the initialization phase, device login phase, group authentication phase and key agreement phase. There are three parts involved in our scheme including the CSP, the PDA and devices. In the initialization phase, each part of the system generates necessary information which will be used in the device login phase, group authentication phase and key agreement phase. Then, smart devices will get the shared secret from the CSP in the device login phase. Next, the PDA calculates $a'_{CSP}$ from received tokens and compares it with $a_{CSP}$ which is obtained from the CSP. If two values are equal, the authentication phase is successful. Otherwise, the PDA will run adversary detection operation. At last, the PDA and the CSP generate a session key for data uploading with the help of smart devices.
Initial Phase: The initial phase is done by the CSP, the PDA and $SD$ as follows. $SD_i$ selects a random number $x_i$ in a finite field $GF(p)$. Then, $SD_i$ sends $\{ID_{SD_i}, x_i\}$ to the CSP. The CSP selects an elliptic curve $E_p$ over $Z_p$, $p$ being a large prime. Then, the CSP selects a base point $P$ of order $d$ over $E_p$ such that $d * P = O$. The CSP also chooses its private key $r_{CSP}$ and computes the corresponding public key $P_{CSP} = r_{CSP} * P$. Note that the CSP selects an $(n-1)$-degree polynomial function: (mod) p. A collision-resistant one-way cryptographic hash function $h()$ is selected by the CSP too. The PDA generates the private key $r_{PDA}$ and computes the public key as $P_{PDA} = r_{PDA} * P$. An encryption function $Encry()$ and a decryption function $Decry()$ are selected by the CSP. At the end of this phase, the CSP broadcasts $\{p, GF(p), E_p, Z_p, P, P_{CSP}, h(), Encry(), Decry()\}$ to each participant in the system.
Device Login Phase: In this phase, smart devices register after exchanging messages with the CSP. The PDA needs to collect information from all devices to authenticate devices. Here, $n$ devices are registered at the CSP and are assigned into one group by the PDA. If one device does not provide the right part of the shared secret, the authentication scheme cannot pass. As a consequence, the PDA and CSP cannot get the same session key and the adversary detection operation will be performed by the PDA. The device login phase is introduced as follows:
• $SD_i$ randomly selects two numbers $r_{SD_i}$ and $x_i$ for itself. Then $SD_i$ encrypts $x_i$ to obtain $x_{SD_i} = Encry(x_i, P_{CSP})$. Note that $SD_i$'s public key is calculated by $P_{SD_i} = r_{SD_i} P$. Then $SD_i$ delivers $(ID_{SD_i}, x_{SD_i})$ to the CSP via a public channel and broadcasts $P_{SD_i}$ to other devices.

Figure 1. Group authentication phase of the authentication scheme
• The CSP generates a random number $r_i$ for $SD_i$ and stores $(ID_{SD_i}, r_i)$ locally. Then, the CSP calculates $x_i$ by the private key $r_{CSP}$ according to $x_i = Decry(x_{SD_i}, r_{CSP})$. After getting $x_i$, the CSP takes $x_i$ as the input of $f(x)$ and gets $f(x_i)$. To avoid exposing the shared secret, the CSP encrypts $f(x_i)$ by $f_{SD_i} = Encry(f(x_i), P_{SD_i})$. In addition, the secret is $a_{CSP} = f(0) = a_0$. Finally, the CSP sends $(f_{SD_i}, h(r_i, ID_{SD_i}))$ to $SD_i$ and delivers $h(a_{CSP})$ to the PDA for authentication. After this step, each device obtains the shared secret and necessary information for the following steps.
• $SD_i$ computes $R_{SD_i} = h(r_i, ID_{SD_i}) * P$ and acquires $f(x_i)$ from $f_{SD_i}$ by its own private key $r_{SD_i}$. $SD_i$ stores $\{ID_{SD_i}, f(x_i)\}$ in its own database for special circumstances. Then, $SD_i$ calculates $SS_{SD_i} = Encry(f(x_i), P_{PDA})$ and sends $(SS_{SD_i}, R_{SD_i})$ to PDA via a public channel.

Group Authentication Phase:
The main task of this phase is completed by the CSP and the PDA with unconstrained resource. This phase plays the most important role in the whole scheme. The PDA gathers shared secrets from devices and authenticates devices by comparing with $h(a_{CSP})$. Instead of using devices' real IDs, we use the temporary identity $TempID_{SD_i} = h(r_i, ID_{SD_i})$ which is the hash value of a random number $r_i$ and the $ID_{SD_i}$. The $TempID_{SD_i}$ of device $SD_i$ is obtained from the CSP at the login phase and transferred to the PDA by $SD_i$ at the beginning of the group authentication phase, which provides strong resistance to the tracing problem on smart devices. In addition, the random number $r_i$ is selected by the CSP and will be upgraded at the next round. In this phase, when devices make no response, the PDA will wait until the timer expires. If the PDA does not receive enough shared secret parts from devices, the PDA will send some empty packets to the CSP to get enough parts of shared secret, which makes the authentication scheme more efficient. Note that the number of empty devices is less than $n - 1$. The main steps of the group authentication phase are shown as follows:
• After receiving $(SS_{SD_i}, R_{SD_i})$ from each device, the PDA computes group devices key by aggregating $R_{SD_i}$ ($GP_{PDA} = \sum_{i=1}^{n} R_{SD_i} = \sum_{i=1}^{n} h(r_i, ID_{SD_i}) * P$).
• Then, the PDA resolves $f(x_i)$ from $SS_{SD_i}$. After getting enough parts of shared secrets, the PDA uses Lagrange interpolation method to calculate $a_0'$.
• At last, the PDA compares $h(a_0')$ with $h(a_{CSP})$. If $h(a_0')$ and $h(a_{CSP})$ are equal, all devices pass the authentication scheme. In addition, the group session key between the CSP and the PDA will be computed if the authentication scheme succeeds.
The above three steps will be stopped if the authentication phase fails, and the PDA starts the fault detection. The fault detection process is omitted from our scheme; it can be done by referring to [18]. When all devices pass the authentication phase, the state of this system can be confirmed. We can guarantee the normal operation of the scheme by adding empty devices. In this way, some devices are not totally credible, but the network can still work well. In addition, the PDA will obtain identities of untrustworthy devices through the authentication information received from the CSP, which is very convenient for the operation of network maintenance without checking all devices in IoT.
by itself. The PDA aggregates all devices' information to compute $GP_{PDA}$ which has been introduced in step 1 of the group authentication phase.
The group session key is used to guarantee secure data uploading for the CSP and the PDA.The CSP computes and the PDA calculates .
It is obvious that $GSK_{CSP}$ and $GSK_{PDA}$ are equal if the shared secret is equal in each side.
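The secret-sharing review in the preliminaries and the login and group authentication phases above, modelled as an added Python example (not code from the paper): the CSP hands out $f(x_i)$, and the PDA interpolates $a_0'$ and checks $h(a_0') = h(a_{CSP})$. Assumptions: SHA-256 stands in for $h()$, $p = 2^{127} - 1$ is a constructed modulus, the Encry/Decry layers and elliptic-curve keys are left out, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # constructed prime modulus for GF(p); the paper does not fix p


def h(value):
    """Stand-in for the paper's h(): SHA-256 over a fixed-width encoding."""
    return hashlib.sha256(value.to_bytes(16, "big")).digest()


def csp_setup(n):
    """CSP: random polynomial of degree exactly n-1; coeffs[0] is a_CSP."""
    low = [secrets.randbelow(P) for _ in range(n - 1)]
    return low + [secrets.randbelow(P - 1) + 1]  # non-zero leading coefficient


def csp_login(coeffs, xs):
    """CSP: return {x_i: f(x_i)}; reject x_i = 0 (f(0) is the secret) and repeats."""
    reduced = [x % P for x in xs]
    if 0 in reduced or len(set(reduced)) != len(reduced):
        raise ValueError("x_i must be non-zero and pairwise distinct mod p")
    shares = {}
    for x in reduced:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod p
            acc = (acc * x + c) % P
        shares[x] = acc
    return shares


def pda_reconstruct(shares):
    """PDA: Lagrange interpolation at x = 0 over GF(p), giving a_0'."""
    a0 = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        a0 = (a0 + yi * num * pow(den, -1, P)) % P
    return a0


def pda_authenticate(shares, h_a_csp):
    """PDA: the group passes only if h(a_0') equals h(a_CSP) from the CSP."""
    return hmac.compare_digest(h(pda_reconstruct(shares)), h_a_csp)


def demo(n=5):
    coeffs = csp_setup(n)
    h_a_csp = h(coeffs[0])                       # delivered to the PDA
    shares = csp_login(coeffs, range(1, n + 1))  # constructed tokens x_i
    tampered = dict(shares)
    tampered[1] = (tampered[1] + 1) % P          # one device sends a wrong part
    missing = {x: y for x, y in shares.items() if x != n}  # only n-1 parts
    return {
        "all_valid": pda_authenticate(shares, h_a_csp),
        "one_tampered": pda_authenticate(tampered, h_a_csp),
        "one_missing": pda_authenticate(missing, h_a_csp),
    }


if __name__ == "__main__":
    print(demo())
```

Because the polynomial has degree $n-1$, the check only passes when all $n$ parts are present and correct; a single wrong or absent part changes $a_0'$.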

Security Analysis
In this section, some security properties of our scheme are analysed. Our scheme can resist various attacks, such as replay attack, eavesdropping attack, physical attack, man-in-the-middle attack, and so on. Moreover, the scheme can also be used to track devices. The PDA controls and monitors the entire network changes in the authentication process.
• Replay Attack. In our scheme, replay attack is prevented by the selected pseudo-random numbers $r_{SD_i}$ and $x_i$. In the device login phase, $r_{SD_i}$ and $x_i$ are all selected by the smart device itself. The information communicated between the PDA and the device is protected by the random numbers. In the next authentication round, the device will change the value of $r_{SD_i}$ and $x_i$, so replay attack is prevented [27].
• Eavesdropping. The identity of the smart device and the secrets are encrypted during communication. Public key encryption is used to protect the communication between the device and CSP. So, the proposed scheme can resist eavesdropping.
• Physical Attack. The smart device may be stolen by the adversary and all stored information can be exposed to the adversary. In this case, the PDA can still accomplish the authentication without the stolen device, since the SS scheme can guarantee the authentication with disabled devices in the group. The adversary cannot interrupt the authentication operation unless it corrupts all the devices. This is difficult and worthless. Note that the PDA is assumed to be well protected. Physical attacks to the PDA are not taken into consideration in our scheme [28].
• Man-In-The-Middle Attack. Even if the communicated message sent by the device is blocked, the adversary cannot get $x_i$ and private key together owing to the public key encryption technology. The PDA will ask for message from other devices after a period of time, and the authentication process can be operated without the blocked message. Hence, this attack is prevented by our design [29].
• De-Synchronization Attack. Devices' real IDs are hidden, and random numbers are used to substitute real IDs in our scheme. The stored real ID in the device needs no update. If the information between the CSP and devices is not synchronized, the authentication operation will not succeed. Hence, smart devices in IoT are prevented from de-synchronization attack according to our design.

Performance Analysis
In this section, the performance of the proposed scheme is analysed and simulated compared with b-SPECS scheme [8].Simulation result shows that our scheme is more lightweight and practical.
According to the design of the group devices authentication scheme, each device receives messages from the CSP and sends messages to the PDA. After receiving these messages, the devices perform necessary operations including addition, pairing computation, point multiplication and so on. For the convenience of evaluating the total computational cost, we let $T_H$, $T_{AO}$, $T_{PC}$, $T_{PM}$ be the time cost of implementing a hash function, an addition operation, a modified Weil pairing and an elliptic curve point multiplication. As described in Section 3, the total computational cost in our group authentication scheme is $2T_H + 2T_{PC} + T_{PM} + 3T_{AO}$. The comparison between our scheme and b-SPECS scheme is shown in Table 2. The performance of our scheme is simulated by using C programming language with the Pairing-Based Cryptography (PBC) library on Ubuntu OS with Intel Core Xeon E5-2650M processors running at 2.60 GHz and 8 G memory, Ubuntu 14.04 X64. From the simulation result, the time required to perform a hash function, a pairing computation, a point multiplication,
The CSP and the PDA are the trusted third parties which do not consume resources from the smart devices. Therefore, the computational cost consumed by the CSP and the PDA is not taken into consideration. Figure 2 shows that the computational cost increases as the number of devices increases. It is obvious that the computational cost in our scheme is lower than that in b-SPECS in different number of devices. Deploying multiple devices in one group can not only increase the authentication success rate, but also increase the chance for accurate positioning, which satisfies the real application requirements.

Conclusion
In this paper, an identity-based group devices authentication scheme is proposed. The authentication scheme is based on the SS scheme, which can efficiently assist the PDA to authenticate the group devices. In addition, an efficient conference key agreement scheme is designed to guarantee the security of data uploading between the PDA and the CSP. The security and performance analysis show the better performance of our scheme compared with the existing scheme.
Figure 1 gives the brief description of this phase.
Key Agreement Phase: In the key agreement phase, the generated random number of $r_i$ as well as sequence numbers of all devices in are covered into the group session key. The CSP computes $\sum_{i=1}^{n} h(r_i, ID_{SD_i}) * P$

Figure 2. Computational cost in different number of users

Table 1. Notation used in the group devices authentication scheme