Efficient IoT User Authentication Protocol with Semi-Trusted Servers

Internet of Things (IoT) user authentication protocols enable secure authentication and session key negotiation between users and IoT devices via an intermediate server, allowing users to access sensor data or control devices remotely. However, the existing IoT user authentication schemes often assu...

Bibliographic Details
Main Authors: Shunfang Hu, Yuanyuan Zhang, Yanru Guo, Wang Zhong, Yanru Chen, Liangyin Chen
Format: Article
Language: English
Published: MDPI AG 2025-03-01
Series: Sensors
Subjects: internet of things, user authentication, insider attacks, key privacy, semi-trusted servers
Online Access: https://www.mdpi.com/1424-8220/25/7/2013
collection DOAJ
description Internet of Things (IoT) user authentication protocols enable secure authentication and session key negotiation between users and IoT devices via an intermediate server, allowing users to access sensor data or control devices remotely. However, the existing IoT user authentication schemes often assume that the servers (registration center and intermediate servers) are fully trusted, overlooking the potential risk of insider attackers. Moreover, most of the existing schemes lack critical security properties, such as resistance to ephemeral secret leakage attacks and offline password guessing attacks, and they are unable to provide perfect forward security. Furthermore, with the rapid growth regarding IoT devices, the servers must manage a large number of users and device connections, making the performance of the authentication scheme heavily reliant on the server’s computational capacity, thereby impacting the system’s scalability and efficiency. The design of security protocols is based on the underlying security model, and the current IoT user authentication models fail to cover crucial threats like insider attacks and ephemeral secret leakage. To overcome these limitations, we propose a new security model, IoT-3eCK, which assumes semi-trusted servers and strengthens the adversary model to better meet the IoT authentication requirements. Based on this model, we design an efficient protocol that ensures user passwords, biometric data, and long-term keys are protected from insider users during registration, mitigating insider attacks. The protocol also integrates dynamic pseudo-identity anonymous authentication and ECC key exchange to satisfy the security properties. 
The performance analysis shows that, compared to the existing schemes, the new protocol reduces the communication costs by over 23% and the computational overhead by more than 22%, with a particularly significant reduction of over 95% in the computational overhead at the intermediate server. Furthermore, the security of the protocol is rigorously demonstrated using the random oracle model and verified with automated tools, further confirming its security and reliability.
format Article
id doaj-art-9137b3e3ce9e4b60b5a07ecb38beb2f5
institution OA Journals
issn 1424-8220
language English
publishDate 2025-03-01
publisher MDPI AG
record_format Article
series Sensors
doi 10.3390/s25072013
volume 25, issue 7, article 2013
author_affiliation College of Computer Science, Sichuan University, Chengdu 610065, China (all six authors)
topic internet of things
user authentication
insider attacks
key privacy
semi-trusted servers