Analysis and Improvement on an Authentication Protocol for IoT-Enabled Devices in Distributed Cloud Computing Environment

Recently, a number of authentication protocols integrated with the Internet of *ings (IoT) and cloud computing have been proposed for secure access control on large-scale IoT networks. In this paper, we carefully analyze Amin et al.’s authentication protocol for IoT-enabled devices in distributed cloud computing environment and find that Amin et al.’s protocol is vulnerable to several weaknesses. *e main shortcoming of Amin et al.’s protocol is in authentication phase; a malicious cloud server can counterfeit the cloud server chosen by a user, and the control server cannot find this counterfeit. To overcome the shortcomings of Amin et al.’s protocol, we propose an improved protocol. In the registration phase of the improved protocol, the pseudoidentity and real identity of a user or a cloud server are bundled up with the control server’s secret numbers. *is measure can effectively prevent impersonation attack. We also compare the improved protocol with several existing authentication protocols in security and computational efficiency.


Introduction
With the development of the Internet technology, people's life and production have been greatly improved by Internet of ings (IoT) [1]. But, IoT also faces problems of efficiency due to its sensors with low memory and low power. Using powerful cloud services [2] can improve the efficiency of IoT. Now, authentication protocols integrated with the IoT and cloud computing attract people's attention.
e first suggested authentication protocol was proposed by Lamport [3]. en, many password-based authentication protocols were proposed [4][5][6][7][8]. Recently, people discuss authentication protocols for multiserver in IoT and cloud environment [9][10][11][12][13][14][15][16]. Amin et al. [13] showed security vulnerabilities of two authentication protocols in multiserver cloud environment proposed by Xue et al. [11] and Chuang and Chen [12]. en, Amin et al. [13] proposed an authentication protocol for IoT-enabled devices in distributed cloud computing environment. ey claimed that the proposed protocol is protected against all possible security threats. However, in this paper, we find that Amin et al.'s protocol is vulnerable to several weaknesses. Firstly, during the registration phase of Amin et al.'s protocol, it is unreasonable for a user to register with a pseudoidentity. Secondly, the main shortcoming of Amin et al.'s protocol is that, in its authentication and key agreement phase, although the control server can identify a cloud server is legal, the control server cannot tell if this cloud server is the one chosen by a user. So, in Amin et al.'s protocol, a malicious server can counterfeit the server chosen by a user. On the basis of analyzing the shortcomings of Amin et al.'s protocol, we propose an improvement on Amin et al.'s protocol. In the registration phase of the improved protocol, the pseudoidentity and real identity of a user or a cloud server are bundled up with the control server's secret numbers. is measure can effectively prevent impersonation attacks. We also compare the improved protocol with two existing protocols [11,12] in security and computational efficiency. e rest of the paper is organized as follows. In Section 2, we briefly review Amin et al.'s protocol and analyze its weaknesses. e improved protocol is proposed in Section 3. Security cryptanalysis and comparisons are given in Section 4. Finally, the article is concluded in Section 5.

Amin et al.'s Protocol and Its Weaknesses
is section briefly reviews the Amin et al.'s protocol [13] and shows its weaknesses. In Amin et al.'s protocol, there are three types of entity such as user U i , service provider server S m , and control server (CS). e CS is a trusted third party responsible for registration and authentication of users and service providing servers. e S m provides set of services to U i . e notations used in this article are recorded in Table 1 During user registration, the user U i computes Finally, the CS prepares and delivers a smartcard for each U i after recording (C i , E i , h(·)) in the smartcard and transports it to U i through private communication. After getting it, U i records (DP, bb i ) in the smartcard, where DP � h(ID i ‖ P i ) ⊕ b 1 . Finally, the smartcard holds (C i , E i , DP, bb i , h(·)).

Login Phase.
For accessing server resources, a legal user U i first punches the smartcard into card reader and inputs ID * i and P * i to the terminal. en, the card reader . en, the card reader checks the condition e card reader produces a random number N i and computes where SID m is the cloud server's identity chosen by the user U i . en, the CR transmits the login messages (G i , F i , Z i , PID i , TS i ) to S m publicly.

Authentication and Key Agreement Phase.
is phase is necessary for performing mutual authentication as well as key agreement among U i , S m , and CS. e detail explanation of this phase is as follows: Step 1: the S m first checks the condition whether TS m − TS i < ΔT holds or not on receiving the login message, where TS m and ΔT are the cloud server's current timestamp and expected valid time interval for transmission delay, respectively. If the condition is not true, the S m terminates the connection; otherwise, the S m produces a random number N m and computes Step 2: on getting messages from S m , CS first checks the time interval, i.e., TS CS − TS m < ΔT, where TS CS and ΔT are the CS's current timestamp and expected valid time interval for transmission delay, respectively. If the verification holds, CS computes After that, the CS checks the condition G * i � G i . If G * i � G i , the CS thinks that the U i is legal; otherwise, the procedures are terminated. After that, the CS computes BS the CS thinks that S m is legal; otherwise, the procedure is terminated. After that, the CS chooses a random number N CS and computes where SK CS is the secret session key. Finally, the CS sends (P CS ,R CS ,Q CS , V CS ) to S m for achieving mutual authentication of the protocol through public communication.
Step 3: on getting reply messages from CS, S m computes CS � V CS , the session is terminated; otherwise, messages (P CS , Q CS ) are sent to the U i publicly.
Step 4: on obtaining messages from S m , the U i calculates  [13] has some security drawbacks.

Weaknesses in User Registration
Phase. During registration in CS, the user U i sends (A i , PID i ) to the CS. But, PID i is just a pseudoidentity. It is unreasonable for a user to register with a pseudoidentity.

Weaknesses in Authentication and Key Agreement
Phase. In authentication and key agreement phase, when the CS receives messages (J i , K i , PSID m , G i , F i , Z i , PID i , TS i , TS m ) from the cloud server S m , although CS can know the identity SID m of the server chosen by the user from following calculation, and verifying G * i � G i . CS also can know the server with pseudoidentity PSID m , and the secret value BS m is a legal server by following calculation: and verifying K * i � K i . But, the CS cannot tell if the server with pseudoidentity PSID m and the secret value BS m is the one the user chose with real identity SID m .
Due to the above weaknesses, a malicious server can counterfeit the server chosen by the user, and the CS cannot see through him.

Puzzling Question of the User.
Due to the weaknesses in Section 2.2.2, the user cannot be convinced that the session key SK i is shared with his chosen server.

The Improved Protocol
To overcome the shortcomings of Amin et al.'s protocol, in this section, an improved protocol is proposed. Also, for the sake of brevity, only the registration, login, and authentication key agreement phases are described.

Registration Phase. Suppose the control server CS is a trusted third party responsible for registration and authentication of users and cloud servers. CS chooses two random secret numbers x and y.
In registration phase, any cloud server and user can register with CS. When one cloud server S m wants register with CS, it chooses its identity SID m and a random number d. en, it sends (SID m , d) to the control server CS. After CS receives (SID m , d), CS computes and sends BS m to the cloud server S m through the secure channel. Once S m receives BS m , S m stores secret parameters (BS m , d).
When one user U i registers with CS, U i chooses his identity ID i and password P i . en, U i calculates Here, B i is his biometric. Finally, U i submits (ID i , A i ) to the CS through the secure channel. On receiving the message, CS chooses a random number b i and computes and issues a smart card containing the information (C i , Ω i , Δ i , E i , h(·)) to the user U i .

Login Phase.
After punching his smart card, a user U i provides ID * i , P * i , and B * i to the card reader. e card reader computes en, the card reader checks whether C * i � C i or not.

Mathematical Problems in Engineering 3
where SID m is the identity of the cloud server S m chosen by the user U i . en, the card reader sends the login messages to the cloud server S m publicly. TS i is the U i 's current timestamp.

Authentication Key Agreement Phase.
is phase includes four steps. It is also illustrated in Figure 1.
Step 1: once S m receives the login message, S m checks the condition whether TS m − TS i < ΔT holds or not. If the condition is true, S m chooses a random number N m and computes en, the S m submits ( Here, TS m and ΔT are the cloud server's current timestamp and expected time interval for transmission delay, respectively.
Step 2: on receiving the messages from S m , CS first checks whether TS CS − TS m < ΔT holds or not, where TS CS and ΔT are the similar meanings mentioned before. If the verification holds, CS calculates en, the CS checks whether G * i � G i holds or not. If G * i � G i , the CS believes the U i with real identity ID i is legal. en, the CS computes en, the CS checks the condition K * i � K i . If K * i � K i , the CS believes S m with real SID m is legal and chosen by the user U i . en, the CS produces a random number N CS and computes (10) en, the CS sends (P CS , R CS , Q CS , V CS ) to the S m publicly.
Step 3: on receiving the reply messages from CS, S m computes en, the S m checks the condition V * CS � V CS . If V * CS � V CS , S m sends messages (P CS , Q CS ) to the U i publicly.
Step 4: on receiving messages from S m , the U i calculates Next, the U i checks whether Q * CS � Q CS . If Q * CS � Q CS , U i believes the authenticity of S m and CS and shares a session key SK i (� SK m ) with the cloud server S m .

Security Analysis.
is section shows that the improved protocol is well protected against relevant security threats. Firstly, like Amin et al.'s protocol [13], the improved protocol is user anonymous and protected against password guessing attack, replay attack, insider attack, and session key discloser attack. For the shortcomings of Amin et al.'s protocol, the following analysis is focused on the improved protocol against impersonation attack.
In cloud server registration phase of the improved protocol, the cloud server S m with identity SID m and pseudoidentity PSID m has secret value computed by the control server CS. So, in the authentication phase, if one cloud server S * m not chosen by the user U i counterfeits S m , S * m intercepts the login messages where to the CS publicly. But, CS obtains the identity SID m of the cloud server S m chosen by the user U i from Z i and computes Obviously, due to BS * m ≠ BS * m , then K * i ≠ K i . So, S * m cannot pass the CS's verification.
erefore, the improved protocol is protected against cloud server impersonation attack.
In Amin et al.'s protocol, CS does not know the real identities of the user. But, in improved protocol, we use O i to show the real identities of the user. Also, is used in the improved protocol, and the user cannot pass CS's verification if he uses false identity.
In summary, the improved protocol completely overcomes the shortcomings of Amin et al.'s protocol. In the improved protocol, neither the user nor the cloud server can launch impersonation attacks. In the improved protocol, the user and the cloud server can use the shared session key between them with trust.

Comparisons.
In this section, the comparison of the improved protocol with other protocols [11,13] is shown. e comparison results of the security features and computation costs are shown, respectively, in Tables 2 and 3.
From Table 2, the improved protocol is superior to the protocols [11,13] in terms of security. Furthermore, in Table 3, the comparison of computation costs is shown between the improved protocol and the relatively good protocol [11]. From Table 3, the total computation cost of the protocol [11] is 37H + 32X, but the total computational cost of the improved scheme is 30H + 30X. e computation cost of the improved protocol is significantly less than the protocol [11].

Conclusion
In this paper, we find that Amin et al.'s authentication protocol is vulnerable to several weaknesses. To overcome the shortcomings of Amin et al.'s protocol, we propose an improved protocol. We also compare the improved protocol with several existing authentication protocols in security and computational efficiency. e improved protocol not only  [11] Yes No Yes Yes Yes Yes Yes Amin et al. [13] Yes Yes Yes Yes Yes No No Improved protocol Yes Yes Yes Yes Yes Yes Yes F1: user anonymity; F2: resist password guessing attack; F3: resist replay attack; F4: resist insider attack; F5: resist session key discloser attack; F6: resist impersonation attack; F7: CS knows the real identities of users and cloud servers.  [11] 7H + 2X 5H + 5X 25H + 25X 37H + 32X Improved protocol 7H + 3X 5H + 6X 18H + 21X 30H + 30X completely overcomes the shortcomings of Amin et al.'s protocol but also has less computation cost.

Data Availability
e data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
e authors declare that there are no conflicts of interest regarding the publication of this paper.