A secure, lightweight, and anonymous user authentication protocol for IoT environments

The Internet of Things (IoT) is being applied to various environments such as telecare systems, smart homes, and intelligent transportation systems. The information generated from IoT devices is stored at remote servers, and external users authenticate to the server for requesting access to the stored data. In IoT environments, the authentication process is required to be conducted efficiently, and should be secure against various attacks and ensure user anonymity and untraceability to ensure sustainability of the network. However, many existing protocols proposed in IoT environments do not meet these requirements. Recently, Rajaram et al. proposed a paring-based user authentication scheme. We found that the Rajaram et al. scheme is vulnerable to various attacks such as offline password guessing, impersonation, privileged insider, and known session-specific temporary information attacks. Additionally, as their scheme uses bilinear pairing, it requires high computation and communication costs. In this study, we propose a novel authentication scheme that resolves these security problems. The proposed scheme uses only hash and exclusive-or operations to be applicable in IoT environments. We analyze the proposed protocol using informal analysis and formal analysis methods such as the BAN logic, real-or-random (ROR) model, and the AVISPA simulation, and we show that the proposed protocol has better security and performance compared with existing authentication protocols. Consequently, the proposed protocol is sustainable and suitable for real IoT environments.