Authentication Protocols for Internet of Things: A Comprehensive Survey

In this paper, we present a comprehensive survey of authentication protocols for Internet of Things (IoT). Specifically, we select and in-detail examine more than forty authentication protocols developed for or applied in the context of the IoT under four environments, including: (1) Machine to machine communications (M2M), (2) Internet of Vehicles (IoV), (3) Internet of Energy (IoE), and (4) Internet of Sensors (IoS). We start by reviewing all survey articles published in the recent years that focusing on different aspects of the IoT idea. Then, we review threat models, countermeasures, and formal security verification techniques used in authentication protocols for the IoT. In addition, we provide a taxonomy and comparison of authentication protocols for the IoT in form of tables in five terms, namely, network model, goals, main processes, computation complexity, and communication overhead. Based on the current survey, we identify open issues and suggest hints for future research.


Internet
Http://www. ... The vision of the IoT will advance based on many new features and coping with novel challenges, as shown in Fig. 2, including, cloud computing, M2M, IoS, IoE, IoV, social networks, software defined optical networks (SDONs), and fifth generation (5G) cellular networks. The IoT data which will be produced from billions of interactions between devices and people is not only going to be massive, but also complex and it will suffer from many security and privacy problems, especially regarding the authentication between devices. To resolve these security issues, researchers in the field of computer security have developed many authentication protocols for or applied in the context of the IoT. In a recent survey paper which was published in 2015 [13] authors reviewed the state of the art of RFID authentication schemes which used elliptic curve cryptography and were used in healthcare environments. The aim of our survey paper is to provide a comprehensive and systematic review of recent studies on published authentication protocols for the IoT in four environments, including, M2M, IoV, IoE, and IoS. More precisely, we select and in-detail examine more than forty authentication protocols. The original set of papers was formed from the searchers run on SCOPUS and Web of Science from the period between 2005 and 2016 (See Tab. 1 for a breakdown of publication dates). The main contributions of this paper are:

Machine
• We survey around seventy survey articles published in the recent years that deal with the IoT.
• We discuss the authentication protocols in M2M, IoV, IoE, and IoS that were evaluated under thirty-five attacks. Then, we focus on four attacks, which are mostly studied in earlier works, namely, man-in-the-middle attack, impersonation attack, forging attack, and replay attack.
• We present various countermeasures and formal security verification techniques used by authentication protocols for the IoT.
• We present a side-by-side comparison in a tabular form of the current state-of-the-art of authentication protocols (more than forty) proposed for the IoT from five different aspects, namely, network model, goals, main processes, computation complexity, and communication overhead.
• We discuss the open issues for M2M, IoV, IoE, and IoS.
The remainder of this paper is organized as follows. In section 2, we summarize the existing survey works on different aspects of the IoT idea. In section 3, we present an overview of threat models in the IoT. Then in section 4, we discuss the countermeasures and formal security verification techniques. In section 5, we present a side-by-side comparison in a tabular form for the current state-of-the-art of authentication protocols proposed for M2M, IoV, IoE, and IoS. Finally, we identify the future directions 6 and conclude the article 7.

Surveys articles for the IoT
There exist around seventy survey articles published in the recent years that deal with Internet of Things, focusing on different aspects of the IoT idea, e.g. networking, applications, standardization, social interactions, security and many more.
These survey articles are categorized in terms of field of research and year of publication as shown in tables 2 and 3. As it is seen from Tab. 3 the Internet of Things concepts attracts more and more attention as the years pass by and although a lot of different areas related to IoT are covered from previous review works, no survey article exists that thoroughly investigates authentication protocols that are especially developed for this new technology or better say this blend of technologies and systems. In this section we will briefly present all these survey articles grouped as shown in Tab. 2 and will discuss in more depth previous work that deal with security and privacy issues of the IoT.
The first survey article in the literature that was dealing with the IoT concept was published back in 2009 by Cooper et al. [82] and focused on the challenges for database management in the IoT. Seeing the IoT from that point of view they found that the technical priorities that needed to be addressed in order to support the interconnection of every device was proper indexing, archiving, development of smart agents the use of XML for achieving Interoperability and novel systems that will  [113,114,102,96,115,97,116,117,118,119,120,121,122,13,123,124,125,126,127,128] [ 129,130] [ 131,132,133,134] [ 6,101,102,107,135,5,97,136,137,138,139,140,141,142,143,144,145] [146] [147,148] [108] Year [82] 2009 [6,113,114] 2010 [94,95,86,101,88,96,135,112] 2011 [102,87,107,115,129,136,131] 2012 [103,5,97,104,116,105] 2013 [146,108,117,147,109,118,92,110,119,137,106,138,120,122,133,139] 2014 [140,13,141,123,90,124,125,148,130,98] 2015 [121, 142, 89, 126, 93, 143, 144, 145, 83, 111, 127, 91, 84, 99, 100, 85, 134, 128] 2016 be able to offer efficient and secure transaction management. In a later survey article that was published in 2010, Atzori et al. [6], discussed the vision of 'anytime, anywhere, any media, anything' communications that the IoT would bring in our everyday lives. Based on their research they had spotted two important technologies that needed to be applied in order to bring IoT into life, Internet Protocol version 6 (IPv6) and Web 2.0. The same year, the first survey article that dealt with security and privacy issues related to IoT was published [113]. In this article Weber et al., discussed the different measures that were needed in order to ensure the architecture's resilience to attacks, data authentication, access control and client privacy. The article dealt with security and privacy issues from the legislation perspective mostly due to the fact that the IoT was more an idea back in 2010 that a concrete system yet. Another article dealing with security and privacy was published in 2010 from Medaglia et al. [114]. The article tried to present a short term and a long term vision of the IoT along with the security issues and solutions that would be needed.
In 2011 there were published eight survey articles that focused on the IoT [94,95,86,101,88,96,135,112]. In [94] authors conducted a thorough analysis of the different publicly available testbeds. In [95] Mainetti et al., discussed about the necessary standards and solutions needed to guarantee the integration among several heterogeneous WSNs thus enabling smart objects to participate to the IoT. Bandyopadhyay et al. in [86], surveyed the state-of-the-art of the different approaches that middleware solutions used in order to support some of the functionalities necessary for operate in the IoT domain.
Similar to this work, authors in [88] surveyed the major challenges posed to service-oriented middleware towards sustaining a service-based Internet of Things. Bandyopadhyay et al. [101], published an interesting survey article about the current developments related to IoT and the open issues back in 2011. The article managed to spot most of the challenges that IoT had and still has to face nowadays, e.g. managing large amount of information and mining large volume of data, managing  [113] 0 X -Presented milestones of an adequate legal framework for IoT privacy. Medaglia and Serbanati (2010) [114] 0 X -Presented a Short-Term and Long-Term vision for IoT privacy. Roman et al. (2011) [96] X X -Analyzed some key management systems for sensor networks in the context of the IoT (public key cryptography and pre-shared keys). Miorandi et al. (2012) [102] 0 X -Presented some security challenges in IoT, including, Data confidentiality, Privacy, and Trust. Suo et al. (2012) [115] X X -Discussed the security requirements in each level for IoT (four key levels, i.e., recognition layer, network layer, support layer, and application layer) Aggarwal et al. (2013) [97] 0 X -Discussed the privacy in data collection, and during data transmission and sharing. Roman et al. (2013) [116] X X -Presented the security issues in distributed IoT systems. Yan et al. (2014) [117] X -Surveyed the privacy-preserving schemes IoT, including, database query, scientific computations, intrusion detection, and data mining. Ziegeldorf et al. [120] X -Surveyed the privacy threats and challenges in the IoT. Keoh  heterogeneity, ensuring security privacy and trust among others. Feasible solutions for the problem of establishing a session key between a client and a server in the context of the Internet of Things were surveyed in [96], where the authors considered the scenario where at least one peer were sensor nodes. They especially focused on different cryptography solutions and how these could be applied to server and client nodes. Ma et al. in [135] gave an overview of the objectives of the IoT and the challenges involved in IoT development while in [112] Zhang et al., covered the topic of how to build an appropriate search engine for IoT, a topic that was spotted from Cooper in [82] back in 2009 as a challenge to be addressed in the future.
During 2012 and 2013 the following fourteen survey articles were published [102,87,107,115,129,103,5,97,104,136,131,116,132,105]  for IoT similar to [86,88], presenting all the technical challenges of designing middleware systems for the IoT. Domingo et al. in [107] performed a more narrow but extensive survey of the IoT for people with disabilities. Authors spotted the relevant application scenarios and main benefits along with the key research challenges, like customization, self management and security and privacy issues. They argued that as brain-computer interfaces (BCIs) are becoming commercial, they will also be a part of the IoT world. Articles [115,116] focused on security and privacy issues as they were identified back in 2012 and 2013 respectively. Both articles agree that key management, legislation while authors in [116] take one step further and propose that grouping of the IoT devices and creating the so called intranet of things could help impose security mechanisms more effectively. Survey articles [129,97,136,131,132] researched the IoT system from different perspectives. In [129] authors discussed about RFID technology and its applications in the IoT and in [136] the role of fog computing in the IoT. Aggarwal et al. [97], conducted a thorough research about data analytics, data mining and data management in the IoT world. The article discusses all the issues related to data analytics and IoT, like real time and big data analytics challenges, effective crawling and searching in massive databases, privacy issues in data collections, data sharing and management and data security issues.
Finally articles [131] and [132] survey for the first time the social concept of the IoT, the so called Social Internet of Things, a concept that later will raise a lot of attraction and research works.
During 2014 and 2015 more than twenty five new survey articles about IoT were published [146,108,117,147,109,118,92,110,119,137,106,138,120,122,133,139,140,13,141,123,90,124,125,148,130,98]. Except from articles that discussed general issues regarding IoT [137,106,139,140], e.g. applications, challenges, trends and open issues, other papers focused on specific applications or research areas that are connected to the IoT idea. Authors in [146,109,119,141] surveyed context awareness from the IoT perspective covering several aspects, like context-aware computing [146], context-aware product development [109] and quality of context and privacy [119]. Authors in all three articles agree that IoT thus brings new opportunities by enabling enriched context-aware services, but it also raises new challenges that need to be addressed. Zanella et al. [92] focused specifically to an urban IoT system which is another term to describe the smart city environment. In contrast to the previous years during 2014 and 2015 a big proportion of the survey articles focus on security and privacy issues related to the IoT [117,118,120,122,13,123,124,125], revealing the significance that security was beginning to have for Cyber Physical systems. Cyber Physical systems need to rely on IoT enabled technologies which can be effectively and efficiently supported and assisted by Cloud Computing infrastructures and platforms. The integration of IoT and Cloud computing was thoroughly surveyed from Botta et al. [138] where also the possibility of exploiting fog computing capabilities for supporting the IoT concept was discussed. Data mining in the IoT context were surveyed by Tsai et al. [147] and Chen et al. [148]. Authors in [147] presented a good summary of the potentials of applying data mining technologies to the IoT could have to people, the system itself, and other interconnected systems. Authors in [148] took a step further and based on their survey and analysis proposed a big data mining system for IoT. Ortiz et al. [133], surveyed the Social Internet of Things and compared to the earlier survey articles [131,132] proposed a generic SIoT architecture which consists of actors, a central intelligent system, an interface and the internet. Two articles focused on IoT-based health care technologies [130,90], covering new platforms, applications and security and privacy issues that arise. Authors in [108] conducted an extensive literature review about the current status and future research opportunities regarding the use of IoT in industries, the so called Industrial Internet of Things (IIoT) while in [110] authors tried to identify the impact of the Internet of Things (IoT) on Enterprise Systems in modern manufacturing.
During 2016 over fifteen new survey articles that focused on the IoT concept were published [121,142,89,126,93,143,144,145,83,111,127,91,84,99,100,85,134,128]. Following the technology development three of the articles published this year focused on the integration of the cloud and the IoT, the applications, the requirements and the security issues that arise from it [142,126,145]. Security was also one aspect that was covered from a number of survey articles [126,127,128]. Authors in [127] covered several aspects of IoT security, e.g. general devices security, communication security, network security, and application while in [128] mechanisms that reassure secure routing were investigated. In contrast to previous years, surveys  [99], economic and pricing theory in IoT [85], social internet of vehicles [134] and data quality [83]. Other topics covered from the survey articles were middleware [89], context aware computing [144], applications of IoT in the healthcare industry [91], cognitive radio technology [100], data models [84], mobile crowd sensing strategies [143],the deployment of IoT in smart environments [93] and the main proposed architectures for IoT [111]. Xie et al. [121] surveys the security of the Web of Things (WoT) which is aimed to provide any electronic item (smart cards, sensors, etc.) with a URL.
Among the aforementioned surveys, the security and privacy issues that are related to the IoT was thoroughly covered and analyzed [113,114,102,96,115,97,116,117,118,119,120,121,122,13,123,124,125,126,127,128]. As it is shown in Tab. 4 data authentication and integrity was only covered partially from He et al. [130] while the rest of the articles did not cover this major security aspect. In this article we tend to survey authentication protocols for the IoT in four environments, We believe that this study will help researchers focus on the important aspects of authentication issues in the IoT area and will guide them towards their future research.

Threat models
In this section, we discuss the threat models in the IoT. The summary of thirty-five attacks in M2M, IoV, IoE, IoS and defense protocols are given in Tab. 5, Tab. 6, Tab. 7, and Tab. 8, respectively. We focus on five attacks, which are mostly used by authors that propose new authentications protocols for evaluating their methods, namely, man-in-the-middle attack, impersonation attack, forging attack, and replay attack. Generally, the classification of attacks [160,161,162,163] frequently mentioned in the literature is done using the following four types, as shown in Fig. 3: 1. Type A: Passive or active; 2. Type B: Internal or external; 3. Type C [164]: Key-based attacks, data-based attacks, impersonation-based attacks, and physical-based attacks; 4. Type D [165]: Identity-based attacks, location-based attacks, eavesdropping-based attacks, manipulation-based attack, and service-based attacks.

Man-in-the-middle attack
The Man-In-The-Middle (MITM) attack is one of the most well known attacks in the IoT. With MITM attack, an adversary can spoof the identities of two honest nodes (N1 and N2) involved in a network exchange and pass N1 for N2 and vice versa,   Brute-force attack X X X X X 0 X   [64,78,80,157] use the idea of mutual authentication. The two authentication protocols [41] and [40] use the idea of authentication acknowledge phase. With the protocol [151], all packets are fully encrypted with the receiver's public key, which can prevent the MITM attack. On the other hand, with the protocol [42], when the keys generated at the mobile router and the relay router for authentication are based on the concept of symmetric polynomials, an adversary can not identify a shared key between two legitimate users making it impossible for him to impersonate a mobile router or a relay router. In addition, both protocols [154] and [75] are based on a password and biometric update phase in order to prevent that an adversary can impersonate the passwords of a smart meter.

Impersonation and forging attack
Under the impersonation and forging attack in the IoS, an adversary can eavesdrop or intercept the login request message of previous sessions over the public/open channel during authentication protocol execution. After that, he can modify and re-transmit the message to the user in order to impersonate as a valid user, as defined by Amin et al. [73]. We note that this attack is analyzed more in authentication protocols that are produced for the IoS. Moreover, as presented in Tab. 10 there are sixteen authentication protocols for the IoT, which can detect the impersonation and forging attack. The protocol [43] uses two ideas, namely, 1) linear search algorithm and 2) binary search algorithm. The protocol [50] uses strong anonymous access authentication and user tracking on a disputed access request, to prevent the impersonation and forging attack. Besides, the idea of using a password for detecting the impersonation of the gateway node is presented by four authentication protocols [80,159,56], and [158]. In addition, the hash mechanism which is applied on the shared key between gateway wireless node and sensors can prevent the impersonation of a sensor.

Replay attack
The Replay attacks are MITM attacks, which consist of intercepting data packets and retransmitting them as is (without any decryption) to the destination server, as shown in Fig. 5 (intercepting D3 and retransmitting it). Under this attack, an adversary can obtain the same rights as the user. However, there are twenty-four authentication protocols for the IoT, which can detect and avoid the Replay attack, as presented in Tab. 11. These authentication protocols use three ideas, namely, Timestamp, Hash function, and Random numbers. The idea of random numbers is used by [41,56,40], and [42]. The idea of hash function is used by protocols [52] and [155], such as the IPSec protocol implements an anti-replay mechanism based on Message Authentication Code (MAC) [167]. In addition, the idea of Timestamp in the encrypted messages is used by [43,66,55,52,151,152,153,154,70,71,155,73,75,76,78,81,79,80,159].

Countermeasures and formal security verification techniques
In order to satisfy the authentication model for secure IoT, namely, mutual authentication, perfect forward secrecy, anonymity, and untraceability, the authentication protocols use both cryptosystems and non-cryptosystems countermeasures.
Tables 12, 13, 14, and 15 present the cryptosystems and countermeasures used in authentication protocols for M2M, IoV, IoE, and IoS, respectively. In this section, we will discuss the countermeasures and present the formal security verification techniques used in these authentication protocols for the IoT.

Countermeasures
Based on the cryptosystems, the existing authentication protocols for the IoT can mainly be classified into three categories: symmetric-cryptosystem based, asymmetric-cryptosystem-based, and hybrid protocols, as shown in Fig. 6. As presented in the following tables (12, 13, 14, and 15), most authentication protocols use a secure cryptographic hash function [168]. Secure cryptographic hash function [168] Original data acquisition

Time-domain transformation
Correlation coefficient-based matching algorithm (C-MA) Deviation ratio-based matching algorithm (D-MA) Aggregate message authentication codes (AMACs) [169] Certificateless aggregate signature [170] Elliptic Curve Diffie-Hellman (ECDH) [171] ID-based signature scheme [172] Advanced encryption standard (AES) [173] Hybrid Linear Combination Encryption [174]  Secure cryptographic hash function [168] Proxy Mobile IP (PMIP) [175] Symmetric Polynomials [176] Search Algorithms [177] Group Signature [178] [179] Merkle Hash Tree (MHT) [180] TESLA Scheme [181,182,183] ECDSA Signature [184] Multiplicative secret sharing technique [185] Identity-based Public Key Cryptosystem [186] Identity-based aggregate signature [187] Digital signatures [188] Anonymous attribute-based group setup scheme [189] Keyed-hashing for message authentication (HMAC) [190]  Secure cryptographic hash function [168] HORS scheme [191] Heavy signing light verification (HSLV) [191] Light signing heavy verification (LSHV) [191] Merkle Hash tree technique [192] Short signatures (BLS) [193] Batch verification [194] Signature aggregation [195] Identity-based Public Key Cryptosystem [186] Public-key encryption, such as RSA [196] HMAC, such as SHA-1 [197] and MD5 [198] Diffie-Hellman key establishment protocol [199] EIBC mechanism [200] ID-based cryptography (IBC) [201] Digital signatures [188] Homomorphic Encryption [202] Bloom Filter [203] Commitment scheme Symmetric encryption/decryption algorithm [199] As presented in Tab. 12, the protocol [149] uses three cryptosystems, namely, original data acquisition, spatial-domain transformation, and time-domain transformation. The protocol [65] use two matching algorithms, namely, correlation coefficientbased matching algorithm (C-MA) and deviation ratio-based matching algorithm (D-MA). The aggregate message authentication codes (AMACs) [169] is used by both schemes [64] and [40]. The AMAC tool is a tuple of the following probabilistic polynomial-time algorithms: Authentication algorithm, Aggregation algorithm, and Verification algorithm. The Authentication algorithm outputs a tag tag, where the aggregate of tags can be simply computing the XOR of all the tag values; i.e., tag = tag 1 tag 2 · · · tag l , where 1, . . . , l are identifiers. The protocol [49] uses certificateless aggregate signature [170], which enables an algorithm to aggregate n signatures of n distinct messages from n users into a single short signature. In addition, the certificateless aggregate signature scheme is secure against existential forgery in the chosen aggregate model. For an aggregating set of n users {U 1 , . . . , U n } with identities {ID 1 , . . . , ID n } and the corresponding public keys {upk 1 , . . . , upk n }, and message-signature pairs (m 1 , σ 1 = (U 1 , V 1 )) , . . . , (m n , σ n = (U n , V n )) from {U 1 , . . . , U n } respectively, the aggregate signature generator computes V = n i=1 V i and outputs σ n = (U 1 , . . . , U n , V ) as an aggregate signature. The protocol [41] use Elliptic Curve Diffie-Hellman (ECDH) [171], which is an anonymous key agreement protocol. The protocol [37] uses ID-based signature scheme [172] that consists of four algorithms, Setup, Extract, Sign, and Verify. With Setup algorithm, the trust authority chooses efficiently computable monomorphisms. The trust authority performs the Extract algorithm when a signer requests the secret key corresponding to their identity. The Sign algorithm produce a signature from the user with identity ID on the message m. Therefore, the protocol [56] uses advanced encryption standard (AES) [173], which is a symmetric encryption standard intended to replace the Data Encryption Standard (DES) [204] that has become too weak in view of current attacks. The protocol [50] uses the Linear Combination Encryption (LCE) [174], which is an extension of ElGamal encryption [205] that is secure in groups where the Decision Diffie-Hellman (DDH) problem is easy but the Computational Diffie-Hellman (CDH) problem is hard. With the LCE scheme [174], a user's public and secret keys are As presented in Tab. 13, the protocol [42] uses both countermeasures, namely, Proxy Mobile IP (PMIP) [175] and Symmetric Polynomials [176]. The PMIP is a localized network-based IP mobility protocol (RFC 5213 [206]) that defines two entities: the Mobile Access Gateway (MAG) and the Local Mobility Anchor (LMA). The symmetric polynomial is defined as any polynomial of two or more variables that achieves the interchangeability property, i.e., f (x, y) = f (y, x). For example, given two users identities 1 and 2, and the symmetric polynomial f (x, y) = x 2 y 2 + xy + 10, the resultant evaluation functions are f (1, y) = y 2 + y + 10 and f (2, y) = 4y 2 + 2y + 10, respectively. Then, if user 1 evaluates its function f (1, y) for user 2, it obtains f (1, 2) = 16. In the same way, f (2, y) for user 1, user 2 obtains f (1, 2) = 16. As result, both users share a secret key, 16, without transmitting any additional messages to each other. Contrary to this idea of symmetric polynomials, the protocol [43] uses the idea of search algorithms [177], which include non-optimized search algorithms such as linear search algorithm, and optimized search algorithms such as binary search algorithm, and lookup hash tables. In another work [178] Chaum and van Heyst introduce the idea of group signatures in order to providing anonymity for signers. The protocol [66] uses this idea based on the Strong Diffie-Hellman assumption and the Decision Linear assumption. The protocol [67] uses three countermeasures, namely, 1) Merkle Hash Tree (MHT) [180], 2) TESLA scheme [181,182,183], and 3) Elliptic Curve Digital Signature Algorithm (ECDSA) [184]. The MHT is a binary tree structure where each leaf is assigned a hash value and an inner node is assigned the hash value of its children. To achieve source authentication, the TESLA scheme uses one-way hash chains with the delayed disclosure of keys based on symmetric cryptography. The protocol [68] uses multiplicative secret Secure cryptographic hash function [168] v Elliptic Curve Diffie-Hellman (ECDH) [171] Key agreement Biohashing [211] Access polynomial [212] Elliptic curve cryptography [213]  sharing technique [185] where the user can generate one-time pseudonym private key pairs and leakage-resilient locally. Similar to the protocol [66], the protocol [69] uses the idea of digital signatures [188]. The protocol [51] uses keyed-hashing for message authentication (HMAC) [190] to instantiate the pseudorandom function in the prototype implementation of electric vehicle ecosystem. The protocol [55] uses two similar ideas, namely, identity-based public key cryptosystem [186] and identity-based aggregate signature [187]. For providing a flexible attribute management, the protocol [57] uses an anonymous attribute-based group setup scheme [189] that incorporates the policy-based data access control in the ciphertext.
As presented in Tab. 14, the protocol [31] uses two types of verification, namely, Heavy signing light verification (HSLV) and Light signing heavy verification (LSHV), which is based on the HORS scheme [191]. The HSLV uses the following three algorithms: Key Generation, Signing, and Verification. The Key Generation algorithm outputs the public key . . , v t ) and the secret key SK = (k, s 1 , s 2 , . . . , s t ) where the trusted authority generates t random l-bit strings s 1 , s 2 , . . . , s t . The signature is (c, ( s i1 , s i2 , . . . , s k )) generated by the Signing algorithm. To verify a signature (c , ( s i1 , s i2 , . . . , s k )) over message m, the user check if he output integers i1 > i2 > ik and f (s j ) = v ij hold. On the other hand, with LSHV, the signature verification process verifies the k elements of a signature by applying the one-way function for a distinct number of times over each element. Similar to the protocol [67], the protocol [52] uses the same idea of Merkle Hash tree technique [192]. In order to increase the level of security, the protocol [150] uses three cryptosystems, namely, short signatures (BLS) [193], batch verification [194], signature aggregation [195]. The BLS is introduced by Boneh-Lynn-Shacham [193], which is based on Gap Diffie-Hellman groups. Specifically, the BLS scheme uses the following three algorithms: 1) Key generation algorithm to output the public key v ∈ G 2 and the private key x , where x ← Z p and v ← g 2 x ; 2) Signing algorithm to generate a signature σ ∈ G 1 , where σ ← h x and h ← H(M ) ∈ G 1 ; and 3) Verification algorithm to verify that (g 2 , v, h, σ) is a valid co-Diffie-Hellman tuple. The author of short signatures (BLS) [193], i.e., Dan Boneh, proposes the idea of signature aggregation [195], where an aggregate signature is valid only if it is an aggregation of signatures on distinct messages. Similar to the protocol [42], the protocol [151] uses the same cryptosystem, i.e., Identity-based Public Key Cryptosystem [186]. Therefore, both protocols [152] and [58] use the two same cryptosystems, namely, 1) the public-key encryption, such as RSA [196], and 2) HMAC, such as SHA-1 [197] and MD5 [198]. The protocol [153] uses the Diffie-Hellman key establishment protocol [199] in order to provide forward secrecy in Transport Layer Security's ephemeral modes. The protocol [154] uses the EIBC mechanism [200], which is based on the original model developed by D. Boneh and M. Franklin.
As presented in Tab.15, the protocol [71] uses two countermeasures, namely, Chebyshev Chaotic Maps [207] and Semigroup Property of Chebyshev Polynomials [208]. The Chebyshev Polynomial of degree p is defined by Mason and Handscomb [208] as T p (x) = cos(p X acrcos x) where the domain is the interval x ∈ [−1, 1] with two properties [215]. However, three protocols, i.e., [72], [73], and [74] use the ID-based cryptography (IBC) [201]. On the other hand, the protocol [155] uses the Advanced Encryption Standard (AES) [209] such as the protocol [56]. The smart card-based authentication protocols is a very promising and practical solution to remote authentication [216], as presented in Tab. 16. There are five [75,76,77,78,81] smart cardbased authentication protocols where each protocol integrates a method with the smart card. For example, the protocol [75] uses the fuzzy extractor technique [210], which a fuzzy extractor is a pair of randomized procedures, "generate" (Gen) and "reproduce" (Rep), and is efficient if Gen and Rep run in expected polynomial time. For more details about the fuzzy extractor technique, we refer the reader to the paper [210]. In addition, the elliptic curve cryptography [213] is used by both protocols [80] and [157].

Formal security verification techniques
In order to prove the performance of an authentication protocol in terms of security, researchers use formal security verification techniques. As presented in Fig. 7, there are five formal security verification techniques, namely, BAN-logic, analysis by process (Spi calculus), Game Theory, Automated reasoning (ProVerif), and Automated Validation (AVISPA). In addition, Tab. 17 presents the formal security verification techniques used in authentication protocols for the IoT.
The Burrows-Abadi-Needham Logic (BAN-logic) [221] is used by nine authentication protocols [71,72,73,77,78,81,79,80,158]. A typical BAN logic sequence includes three steps, 1) Verification of message origin; 2) Verification of message freshness; and 3) Verification of the origin's trustworthiness. Therefore, the protocol [71] uses the BAN-logic to prove that the proposed protocol can establish a session key between user and sensor node. Both protocols [72] and [80] use the BAN-logic in order to prove that the protocol has achieved mutual authentication and session key agreement securely. The protocol [81] uses the BAN-logic to prove that the protocol can resist numerous security attacks, which include the attacks, found in the Amin and Biswas's scheme [73]. There are seven authentication protocols [154,73,75,78,81,158,223] that use the Automated Validation of Internet Security Protocols and Application (AVISPA) security analyzer [220]. The AVISPA tool provides a modular and expressive formal language for specifying security protocols and properties. The protocol [223] uses -The security of the protocol is analyzed using the ProVerif tool [217] -Proof the mutual authentication between mobile equipment and its serving network.  -Burrows-Abadi-Needham Logic (BAN-logic) [221].
-Prove that the scheme allows a user to establish a session key with a sensor node of his choice near the end of the authentication process. -Burrows-Abadi-Needham Logic (BAN-logic) [221].
-The scheme can resist numerous security attacks, which include the attacks, found in the Amin and Biswas's scheme [73]. -Automated Validation of Internet Security Protocols and Application (AVISPA) security analyzer [220].
-The scheme is free from man-in-the-middle and replay attacks.
the AVISPA tool in order to prove that the proposed protocol is free from man-in-the-middle and replay attacks. The protocol [78] uses the AVISPA tool to prove that the protocol allows a user to establish a session key with a sensor node of his choice near the end of the authentication process. In addition, there are four authentication protocols [41,40,70,157] that use the ProVerif tool [217], which is an automatic cryptographic protocol verifier, in the formal model, called Dolev-Yao model [222]. The protocol [41] uses the ProVerif tool in order to proof the mutual authentication between the mobile equipment and its serving network. The protocol [40] uses the ProVerif tool to prove that the proposed protocol can implement mutual authentication and key agreement between multiple devices and the core network simultaneously. The protocol [157] uses the ProVerif tool prove that the proposed protocol can pass the verifications according to the Dolev-Yao model [222]. Finally, the protocol [76] uses a sequence of games under the decisional Diffie-Hellman (ECDDH) problem in order to proof that the protocol provides secure and perfect forward secrecy authentication. For more details about the game-theoretic approaches, we refer the reader to the survey [224].      + Active attack detection (e.g., audio replay attack).
-Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Storage costs is not considered. -Resistance to attacks is not studied.
-Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Storage costs is not considered.  -Storage costs is not considered.
-Resistance to attacks is not studied.
-No threat model presented. -Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Storage costs is not considered.
-Lack non-repudiation compared to the PBA scheme in [67]. + Efficient in terms of communication overhead and computation cost compared to two strong anonymous schemes [20] and [29]. + Considers the data integrity and ensure user privacy. + Resistance to attacks, namely, Denial of Service (DoS) attack and impersonation attack.
-Some privacy models are not analyzed such as location privacy.
-Lack non-repudiation compared to the PBA scheme in [67]. -Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Storage costs is not considered.
-Lack non-repudiation compared to the PBA scheme in [67]. -Privacy-preserving is not discussed.
-The reports' confidentiality and integrity are not considered compared to the scheme [52]. -The routing attacks are not considered such as wormhole attack.
-Storage costs is not considered. -Storage costs is not considered.
-Lack non-repudiation compared to the PBA scheme in [67]. -Location privacy is not considered.

Authentication protocols for M2M
The surveyed papers of authentication protocols for Machine to machine communications (M2M) as shown in Tab. 20 are published between 2012 and 2016. In order to speed up the process of authentication and avoid authentication signaling overload, Lai et al. [64] focused on the problem of group authentication and key agreement for resource-constrained M2M devices in 3GPP networks. Specifically, the authors proposed a novel group-based lightweight authentication scheme for resource constrained M2M, called GLARM. The network model used in [64] is based on 3GPP standard with three domains, including, access networks, evolved packet core, and non-3GPP domain, e.g., Internet. To guarantee the entity mutual authentication and secure key agreement, the GLARM scheme uses two main phases, namely, 1) Initialization phase and 2) Group authentication and key agreement phase. In addition, the GLARM scheme can not only ensure QoS for machine-type communications devices, but the computation complexity is much less than schemes [35], [49] and [41]. In order to distinguish between different physical devices running the same software and detecting mimic attacks, Chen et al. [65] proposed an authentication protocol for the IoT, named S2M. The S2M protocol uses tree main phases, namely, 1) audio-handshake phase, 2) mixed-signal generation phase, and 3) feature extraction and storage phase. S2M can achieve variable distance authentication and active attack detection using acoustic hardware (Speaker/Microphone) fingerprints. In addition, S2M is efficient in terms of lower error rates compared with DISWN [230], LDTLS [231], PLTEA [232], and SeArray [233], but the performance of the methods in terms of privacy preservation is not analyzed, especially in comparison to the GLARM scheme [64].
To authenticate a group of devices at the same time, Lai et al. [49] proposed a scheme named, SEGR. Based on roaming phase, SEGR can achieving mutual authentication and key agreement between all Machine-type Communication (MTC) devices when a group of MTC devices roams between 3GPP and WiMAX networks. SEGR is efficient in terms of the communication overhead computation complexity compared to the scheme in [37] and the scheme without aggregation, but again a comparison with other methods such as the GLARM scheme [64] regarding privacy preservation is missing. We also note that resistance to attacks of the SEGR method is not studied in the article as well [49]. To guarantee privacy-preservation and key forward/backward secrecy, Lai et al. [41] proposed an efficient group authentication and key agreement protocol, called SE-AKA, which is based on authentication and key agreement (AKA) protocol. The overhead of authentication message delivery of SE-AKA is lower than other existing AKA protocols, but the computational overhead is larger than that of other traditional protocols such as the work [234]. In addition, SE-AKA has smaller storage costs than others AKA protocols. Similar to the SE-AKA protocol, Lai et al. in [40] proposed a lightweight group authentication protocol for M2M, called LGTH, which is efficient in terms of the signaling and computation overhead compared to the schemes [35] and [225].
Similar to the SE-AKA & LGTH protocols, Fu et al. [37] proposed a group-based handover authentication scheme for mobile WiMAX networks. Based on the handover authentication phase, the work [37] is efficient in terms of the computational and communication overhead compared to three schemes [235], [236], and [234], but the resistance to attacks is not studied and no threat model is presented.
In order to achieve a mutual authentication process in machine-to-machine home network service, Sun et al. [56] proposed an M2M application model for remote access to the intelligence home network service using the existing Time Division-Synchronous Code Division Multiple Access (TD-SCDMA) system. The protocol [56] is efficient in terms of the amount of calculations needed and communication volume compared to the protocol in [237], but the article lacks a comparison of performance in terms of non-repudiation against other schemes such as the PBA [67]. To achieve the authentication of mobile subscribers in the roaming service, Lai et al. [50] proposed a conditional privacy-preserving authentication with access linkability, called CPAL. The CPAL can 1) provide a strong anonymous access authentication, 2) guarantee user tracking on a disputed access request, and 3) achieve anonymous user linking and efficient user revocation for dynamic membership. The CPAL is efficient in terms of communication overhead and computation cost compared to two strong anonymous schemes [20] and [29], but privacy aspects are not analyzed such as location privacy. Without adding any extra hardware devices, Zhu et al. [149] proposed a dual-factor authentication scheme, called Duth, designed for Android smartphone devices. Based on two main processes, namely, 1) feature-set extraction and storing for registration, 2) dual-factor authentication, the Duth scheme can satisfy the user-friendly requirements, along with a reasonable false rejection rate, providing on the same time an authentication process for Android smartphone devices. + Achieving less location update cost compared with the scheme [240]. + The handover delay lower than the one in the scheme [240]. + Resistance to replay attack, man-in-the-middle attack, and denial of service (DoS) attack.
-Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Lack non-repudiation compared to the PBA scheme in [67]. + Resistance to forging attack, replay attack, and colluding attack.
-Storage costs is not considered.
-No comparison with other schemes.
-Lack non-repudiation compared to the PBA scheme in [67]. -No comparison with other schemes.
-The communication overhead is not studied.
-Lack non-repudiation compared to the PBA scheme in [67]. + Efficient in terms of overall delay compared to the TESLA scheme in [181] [182] [183] and the VAST scheme in [180].
-Privacy-preserving is not analyzed compared to the GLARM scheme  + Efficient in terms of average energy consumption and Handshake duration compared to the LEACH-C scheme in [242] and the SecLEACH scheme [243].
-Privacy-preserving is not analyzed compared to the GLARM scheme [64].
-Lack non-repudiation compared to the PBA scheme in [67].
-The average message delay and the verification delay are not evaluated. -The end-to-end delay and throughput are not evaluated compared to the scheme [79].
-Collusion resistance is not considered compared to the scheme [156].

Authentication protocols for IoV
The surveyed papers of authentication protocols for Internet of Vehicles (IoV) as shown in Tab. 21 are published between 2013 and 2016. Cspedes et al. in [42] considered the security association between asymmetric links during Vehicle to Vehicle (V2V) communications. More precisely, the authors proposed a multi-hop authenticated proxy mobile IP scheme, called MA-PMIP. Based on authentication phase and mobile router revocation, MA-PMIP can achieve less location update cost compared with the scheme [240] and the handover delay lower than the scheme [240]. In addition, MA-PMIP can achieve mutual authentication against authentication attacks but the privacy preserving is not analyzed compared to the GLARM scheme [64]. In order to expedite message authentication in VANET, Wasef et al. [43] proposed an expedite message authentication protocol, named EMAP. Based on the revocation checking process, EMAP can overcome the problem of the long delay incurred in checking the revocation status of a certificate using a certificate revocation list. EMAP is efficient in terms of computational complexity of revocation status checking and the authentication delay is constant and independent of the number of revoked certificates. Therefore, the question we ask here is: can these protocols work well in the decentralized group model? The authentication scheme proposed recently by Shao et al. in [66] can answer this question where he can achieve two requirements for threshold authentication, namely, distinguishability and efficient traceability. The protocol in [66] is proven that is secured by three theorems, namely, 1) The proposed group signature scheme satisfies unforgeability, 2) The proposed group signature scheme satisfies anonymity, and 3) The proposed theorem satisfies the traceability.
To achieve the non-repudiation in IoV, Lyu et al. in [67] proposed a lightweight authentication scheme called PBA. Based on the idea of merkle hash tree construction and self-generated MAC storage, the PBA scheme can resist packet losses and maintain high packet processing rate with low storage overhead. The PBA is efficient in terms of overall delay compared to the TESLA scheme in [181], [182], and [183] and the VAST scheme in [180]. Zhang et al. in [55] considers a VANET with four main entities, i.e., key generator center (KGC), traffic management authority (TMA), RSUs and vehicles. Based on identity-based aggregate signatures, the protocol in [55] can guarantee some properties such as message authentication, non-repudiation, message confidentiality, privacy, and traceability. Similar to the scheme [55], Zhang et al. [68] proposed an efficient distributed aggregate privacy preserving authentication protocol, called DAPPA, which is based on a new security tool called multiple-TA OTIBAS (MTA-OTIBAS). The DAPPA protocol can guarantee the conditional unlinkability, ideal tamper-proof device (TPD) freeness, key escrow freeness. In addition, the DAPPA protocol is efficient than the ECDSA protocol in [184] and more efficient than the IBA scheme in [55] on average, but lack non-repudiation compared to the PBA scheme in [67]. Based on monolithically certified public key and attributes, Dolev et al. [69] proposed an idea to ensuring the countermeasures against the Man-in-the-Middle attack under the vehicle authentication. The work in [69] is efficient in terms of iteration cost compared to other existing Authenticated Key Exchange (AKE) protocols such as ISO-KE [241] and SIGMA [228]. To defend against coordinated cyber-physical attacks, Chan et al. [51] proposed a two-factor cyber-physical device authentication protocol, which can be applied in the IoV. Especially in the IoT, the vehicles may join or leave the platoon at any time in the platoon-based vehicular cyber-physical system. To guarantee anonymity of platoon members, Lai et al. [57] proposed a secure group setup and anonymous authentication scheme, named SGSA, for platoon-based vehicular cyber-physical systems. Based on the anonymous authentication with traceability phase, the SGSA scheme can provide strong anonymous access authentication.

Authentication protocols for IoE
The surveyed papers of authentication protocols for Internet of Energy (IoE) as shown in Tab. 22 are published between 2011 and 2016. We noted here that we have reviewed some authentication protocols proposed for secure smart grid communications in our survey in [164], namely, the schemes in [254], [255], [256], [33], [257], [258], [259], [260], [261]. In this subsection, we will review only the works that are not reviewed in the survey [164].
To provide multicast authentication in smart grid, Li et al. [31] proposed the scheme Tunable Signing and Verification (TSV). Specifically, TSV combines Heavy Signing Light Verification (HSLV) and Light Signing Heavy Verification (LSHV) to achieve a flexible tradeoff between the two. TSV can reduce the storage cost, but the privacy-preserving is not discussed and the reports' confidentiality and integrity are not considered compared to the scheme [52]. The smart meters is planning to reduce the time intervals to 1 min or even less. For this, Li et al. [52] developed a merkle-tree-based authentication scheme to minimize computation overhead on the smart meters. The work [52] is efficient in terms of computation complexity of the HAN user and the neighborhood gateway compared to the Rivest-Shamir-Adleman (RSA)-based authentication scheme [262]. Therefore, Li et al. [150] fixed the single-point failure in smart grid by proposing the idea of deploys a fault tolerance architecture to execute the authentication approach without any additional configuration or setup. Based on both main processes, namely, 1) Batch verification and trinary diagnose TreeBatch, and 2) Signature amortization for Package Blocks, the work [150] can legalize the data aggregation with tremendously less signing and verification operations.
Nicanfar et al. [151] addressed the key management for unicast and multicast communications in the smart grid. The work [173] proposed a scheme for the mutual authentication between the smart grid utility network and Home Area Network smart meters, called SGAS-I, which he can increases performance of the key management and does not cause any security drawback.
Based on the multicast key support phase, SGAS-I can provide simplicity and low overhead, but the reports' confidentiality and integrity are considered compared to the scheme [52]. To guarantee the message authentication with identity privacy and traceability, Chim et al. [152] proposed a scheme, called PASS, for the hierarchical structure of a smart grid. The PASS scheme focus only on the substation-to-consumer subsystem where the real identity of any smart appliance can only be known by the control center using the concept of pseudo identity. Similar to the PASS scheme, Fouda et al. [153] proposed a scheme that can only providing an authenticated and encrypted channel for the late successive transmission but can also establish a semantic-secure shared key in the mutual authentication environment. The work in [153] is efficient in terms of communication overhead and message decryption/verification delay compared to ECDSA-256, but the identity privacy and traceability are not considered compared to the scheme [152].
In order to provide the mutual authentication between smart meters and the security and authentication server in the smart grid using passwords, Nicanfar et al. [154] proposed a mutual authentication scheme and a key management protocol, called SGMA and SGKM, respectively. The SGMA scheme concentrates on data communications over the advanced metering infrastructure (AMI) outside of the HAN domain, which each node has a unique ID and each smart meter has a unique serial number SN embedded by the manufacturer and an initial secret password. On the other hand, the SGKM protocol concentrates on node-to-node secure communications, which the nodes have the appropriate private-public keys to be used for unicast. Based on the multicast key mechanism, the SGMA scheme can prevent various attacks while reducing the management overhead, but lack non-repudiation compared to the PBA scheme in [67]. Shim et al. [58] consider a smart grid network based on hierarchical architecture, i.e., HANs, BANs, NANs. The work [58] proposed privacy-preserving recording and gateway-assisted authentication of power usage information. The message filtering at gateway smart meters can helpful in reducing the impact of attacking traffic. Similar to the scheme [58], Mahmood et al. [70] proposed a lightweight message authentication scheme. Based on two main processes, namely, 1) Authentication and 2) Message transmission, the scheme [70] can detect and omit some attacks, namely, replay, false message injection, message analysis and modification attacks. In addition, the scheme [70] is efficient in terms of communication cost and computation cost compared to the schemes [33] and [38], but the location privacy is not considered.

Authentication protocols for IoS
The surveyed papers of authentication protocols for Internet of Sensors (IoS) as shown in Tab. 23 are published in 2016.
We noted here that we have reviewed some authentication protocols proposed for ad hoc social network (an application of WSN) in our survey in [165], namely, the protocols in [263], [264], [265], [266], [267], and [268]. In this subsection, we will review only the works that are not reviewed in the survey [165] and the articles published in 2016 related to authentication protocols for IoS. For more details about the articles published before 2016, we refer the reader to six surveys published in 2013, 2014, and 2015, namely, [269], [270], [271], [272], [273], [274].
Kumari et al. [71] reviewed and examined both schemes proposed by Li et al.'s in [45] and He et al.'s in [60] for its suitability to WSNs. Based on the results of this analysis, the authors proposed a chaotic maps based user friendly authentication scheme for WSN with forward secrecy and wrong identifier detection mechanism at the time of login. The idea is to establish a session key between user and sensor node (SN) using extended chaotic maps. The scheme of Kumari et al. [71] is efficient in unauthorized login detection with wrong identity and password, but the data integrity is not considered. Similar to the [71], Chung et al. [72] reviewed and examined the scheme [63]. Based the security weaknesses of the scheme [63], the work [72] proposed an enhanced lightweight anonymous authentication scheme for a scalable localization roaming service in WSN. Using three phases, namely, 1) Registration phase, 2) Login and authentication phase, and 3) Password change phase, the work [72] can provide both anonymity, hop-by-hop authentication, and untraceability, but location privacy is not considered.
Jan et al. [155] proposed an extremely lightweight payload-based mutual authentication, called PAWN, for the clusterbased hierarchical WSN. The PAWN scheme is based on two main phases, namely, 1) Token-based cluster head election and 2) Payload-based mutual authentication. With the phase 1, the higher-energy nodes perform various administrative tasks such as route discovery, route maintenance, and neighborhood discovery. The authentication procedure is accomplished using the cooperative neighbor × neighbor (CNN) [275], i.e., session initiation, server challenge, client response and challenge, server response. The PAWN scheme is efficient in terms of average energy consumption and Handshake duration compared to the LEACH-C scheme in [242] and the SecLEACH scheme [243], but the privacy-preservation is not analyzed compared against other methods, such as the GLARM scheme [64]. Based on the security weaknesses of the scheme [54], Amin et al. [73] proposed a secure lightweight scheme for user authentication and key agreement in multi-gateway based WSN. The scheme [73] is efficient in terms of computational cost, storage and communication cost compared to the schemes [54], [44] [39], [48], and [34]. In addition, the scheme [73] can provide very less energy consumption of the sensor nodes and user anonymity.
For the security of real-time data access in WSNs, Gope et al. [74] proposed an authentication protocol to ensuring the user anonymity, perfect forward secrecy, and resiliency of stolen smart card attacks. The protocol [74] is efficient in terms of computational and communication cost compared to the schemes [34], [44], [244], [214] and [75]. Based on the security weaknesses of the scheme [214], Das [75] proposed a secure and robust temporal credential-based three-factor user authentication scheme. The scheme [75] use a biometric, password and smart card of a legal user. The simulation results of the scheme [75] demonstrate that it is efficient in terms of computational and communication overhead compared to the schemes [44], [245], and [246]. Based on the weaknesses in Turkanovic et al.'s protocol [54], Chang et al. [76] proposed a flexible authentication protocol using the smart card for WSNs, which operates in two modes, namely, 1) provides a lightweight authentication scheme, and 2) an advanced protocol based on ECC, which provides perfect forward secrecy. Both this two modes are efficient in terms of computation cost in the authentication phases compared to the schemes [54], [45], [247], and [53].
Trying to deal with the weaknesses of the scheme presented in [60], Jiang et al. [77] proposed an untraceable two-factor authentication scheme based on elliptic curve cryptography. The scheme [77] is efficient in terms of computational cost compared to previous schemes [60], [34], [247], [53] , and [248], but the performance of the system under common attacks such as the wormhole attack and the blackhole attack is not presented. Based on the weaknesses in the scheme [54], Farash et al. [78] proposed an efficient user authentication and key agreement scheme for heterogeneous wireless sensor network tailored for the Internet of Things environment. The scheme [78] is efficient in terms of communication, computation and storage cost compared to the scheme [54], but again the performance of the system under the wormhole attack or the blackhole attack is not presented. Based on the weaknesses in the Amin and Biswas's scheme [73], Srinivas et al. [81] proposed a user authentication scheme for multi-gateway WSNs. The scheme [81] is efficient in terms of communication overhead during the login and authentication phase compared to the schemes [73], [24], [22] [34], [39], [48], [44], [249], [54], but the performance of the system in terms of privacy-preservation is not analyzed compared to previous methods, such as the GLARM scheme [64].
Similar to both schemes [77] and [81], Kumari et al. [79] pointed out that the scheme of Farash et al. [78] is insecure against some attacks. Especially, the work presented in [79] is efficient not only in terms of end-to-end delay (EED) (in seconds) and throughput (in bps), but also in terms of computation cost in either login and authentication phases compared to both schemes Turkanovic et al. [54] and Farash et al. [78].
Sun et al. [156] considered the multicast communications in WSNs, including, sink and many groups, where each group may have a powerful node and many low ordinary nodes. The powerful node acts as the group manager (GM), and is responsible for network security management, such as key issues, updating, revocation, intrusion detection, etc. Then, the authors reviewed and examined the scheme [212] in order to propose a scheme that considers the forward security, backward security, and collusion resistance. Based on the idea of access polynomial, the Sun et al. scheme [156] is efficient in terms of storage, computation, and communication overhead compared to the schemes [250], [251], [252] , and [253], but not only the end-to-end delay and throughput are not evaluated compared to the scheme [79], also the replay attack is not considered.
Jiang et al. proposed a scheme [80] that can achieve mutual authentication among the communicating agents with user anonymity and untraceability. In addition, the Jiang et al. scheme [80] is efficient in terms of computational cost compared to the schemes in [34], [247], [53], [248], but the collusion resistance is not considered compared to the scheme in [156].
Based on the weaknesses in the scheme [276], Wu et al. [157] proposed an improved three-factor authentication scheme for WSNs, which can be resistant to the de-synchronization attack. Das et al. [158] reviewed the recently proposed Chang-Le's two protocols [277] and then showed that their protocols are insecure against some known attacks. Liu and Chung [159] proposed a secure user authentication scheme for wireless healthcare sensor networks, which is efficient in terms of computation cost of compared to both schemes in [278] and [279]. Gope et al. [280] proposed a special idea for resilience of DoS attacks in designing anonymous user authentication protocol. Combining three techniques, namely, smart card, password, and personal biometrics, Das et al. [223] proposed a three-factor user authentication and key agreement scheme based on multi-gateway WSN architecture. The scheme [223] is efficient in terms of computational, communication, and energy costs compared to the schemes [73], [48], [44], [54]. Benzaid et al. [281] proposed an accelerated verification of digital signatures generated by BNN-IBS [282], which is an idea inspired by the acceleration technique of Fan and Gong [283].

M2M Open Issues
M2M communications can facilitate many applications, like e-health, smart grids, industrial automation and enviromental monitoring but on the same time face various security threats and trust issues. Especially in e-health authentication of the devices must be robust to attacks that could threaten the correct exhancge of information and the consequently the life of the patient. In order to safely share and manage access to information in the healthcare system, it is essential to be able to authenticate users, including organizations and people. In Australia authentication is achieved through the use of digital certificates that conform to the Australian Government endorsed Public Key Infrastructure (PKI) standard, through the National Authentication Service for Health (NASH) but thorough research of the resistance to attacks of this and other similar systems is needed in order to reassure its robustness. Scalability and Heterogeneity is a rather general problem when dealing with M2M communication of devices that come from different vendors and using different operating systems. Solutions that focus only to Android devices [149] cannot guarantee end to end security of the system.

IoV Open Issues
Although a number of authentication protocols have been proposed recently which are capable of guaranteeing authentication for a network of vehicles, there are still open issues that need to be addressed by the research community.

Autonomous driving
Until now anonymity of platoon members has been addressed in [57], which is capable of providing strong anonymous access authentication to the members of the platoon. Taking on step further and dealing with full automated vehicles that will be able to create platoons on the fly, with no central entity or trust authority in reach, novel authentication methods that vehicles can run by themselves must be developed. This could be done using several techniques. One method would be to use digital signatures, where each vehicle holds its own signing key and can verify its identity by signing challenges, combined with a defense mechanism that can face MITM attacks. Other method could be the use of the trust levels of every vehicle using methods similar to [284].

Heterogeneous vehicular networking
The design, development and deployment of vehicular networks is boosted by recent advances in wireless vehicular communication techniques, such as dedicated short-range communications (DSRC), Long-Term Evolution (LTE), IEEE 802.11p and Worldwide Interoperability for Microwave Access (WiMax). Novel protocols that can be deployed on all these communication channels and can guarantee authentication under attacks that can be initiated from each one of these networks is an area of future research. Safeguarding one communication channel without dealing with the threats that all these networks face, will leave the IoV vulnerable to several kinds of attacks against authentication.

Social Internet of Vehicles
Social Internet of Vehicles (SIoV) describes both the social interactions among vehicles [285] and among drivers [286].
Ensuring authentication in the communication among vehicles cannot guarantee full protection of identities of entities if the social notion of communication is neglected [134]. Future authentiation-enhancing technologies for SIoVs should be based on proven authentication-enhancing technologies for social networks and vehicular networks.

IoE Open Issues
Based on the definition of the Internet of Energy as an integrated dynamic network infrastructure based on standard and interoperable communication protocols that interconnect the energy network with the Internet allowing units of energy to be dispatched when and where it is needed, it is easily understood that authentication in the IoE environment is not an easy problem to solve. IoE combines M2M, V2G, IIoT (industrial Internet of things), Smart home automation, cloud services and IoS. It would be better to define IoE as an application of the IoT on the Energy domain. Authentication on the IoE domain cannot be reassured without dealing with each of the aforementioned sub domains. Security [287] and hardware [288] authentication techniques along with solutions dealing with middleware security [289] must be combined.

IoS Open Issues
The major problems that the IoS networks have to face are energy efficiency and security assurance of the sensors.
Intrusion Detection Systems (IDSs) and energy efficient mechanisms are not thoroughly investigated and resolved in the surveyed authentication protocols for the IoS. Raza et al. [290] proposed an idea based on real-time intrusion detection for the IoT, called SVELTE. Mechanisms that can extend the SVELTE scheme for the IoS in order to be energy effiecient would be a possible research direction. Hence, future works addressing both security, mainly IDSs, and energy will have an important contribution for the authentication protocols. In addition, we believe further research is needed to develop a new framework for combining intrusion detection systems and authentication protocols for detecting and avoiding attacks in IoS.

Pattern recognition and biometrics for the IoT
Hybrid authentication protocols are based on two methods for identifying an individual, including, knowledge-based (e.g., the passwords) and token-based (e.g., the badges). Each method has its weakness, i.e., 1) the password can be forgotten or guessed by an adversary, and 2) the badge can be lost or stolen. Nevertheless, the safest way is the use of biometric characteristics because two people cannot possess exactly the same biometric characteristic. Hence, future works addressing pattern recognition authentication techniques along with biometrics will have an important contribution in improving authentication in the IoT. Recently new promising efforts that apply biometrics on IoT have been proposed [291,292,293] and the term of Internet of biometric things (IoBT) has been introduced [294]. Biometric technology on the other hand rises privacy and ethical issues that need to be taken in mind when designing new authentication protocols, especially for applications that deal with critical data [295]

Conclusion
This paper contains a structured comprehensive overview of authentication protocols for the IoT in four environments, including, (1) Machine to machine communications (M2M), (2) Internet of Vehicles (IoV), (3) Internet of Energy (IoE), and (4) Internet of Sensors (IoS). We presented the survey articles published in the recent years for the IoT. We reviewed the major threats, countermeasures, and formal security verification techniques used by authentication protocols. We presented a side-by-side comparison in a tabular form for the current state-of-the-art of authentication protocols proposed for M2M, IoV, IoE, and IoS.
After conducting a comprehensive survey of authentication protocols, we see that the reliability of an authentication protocol depends not only on the effectiveness of the cryptography method used against attacks but also on the computation complexity and communication overhead. Therefore, in order to guarantee authentication between the machines for the IoT, we invite well-positioned researchers and practitioners to propose authentication frameworks that covers not only one but three layers, namely, the application layer, the network layer, and the sensing layer. In this paper, we also see a need for a comprehensive survey for privacy-preserving schemes for the IoT under four environments, including, M2M, IoV, IoE, and IoS.
Authentication protocols for the IoT may be improved in terms of (1) addressing both the authentication and privacy problem, (2) developing efficient IDSs, (3) improving the computation complexity of the proposed methods, (4) improving the communication overhead of the methods, (5) developing of formal security verification techniques, (6) accounting of the process of detecting and avoiding attacks, and (7) capturing of experts opinion in the field of computer security.