Formal Security Analysis and Improvement Based on LonTalk Authentication Protocol

Security analysis of security protocols can be used to ensure communication security in the network. The process of security protocol analysis using the formal analysis method is simple and standardized, which is a research hotspot in the field of information security. In this study, a formal analysis method based on colored Petri net theory and the Dolev-Yao attacker model is adopted to analyze the LonTalk authentication protocol, and three types of attackable vulnerabilities including replay, tamper, and spoofing are found in the LonTalk authentication protocol; thus, a secure LonTalk-SA authentication protocol is proposed. The LonTalk-SA authentication protocol adds a trusted third-party server, which authenticates the identity of the sender and receiver and generates session keys through XOR operations on random numbers. The formal analysis of the new scheme shows that the new scheme can effectively resist three types of attacks, provide bidirectional authentication of communication nodes, and ensure the confidentiality, integrity, and authentication of messages during transmission, thus improving the security of protocols.


Introduction
The building automation system is a key part of smart buildings [1,2], as it provides a high degree of automation and intelligent centralized management for all mechanical and electrical facilities and energy equipment in smart buildings. The combination of internet and traditional bus improves the efficiency of traditional bus; however, it also introduces the security problems existing on internet into building automation system [3][4][5]; for example, attackers can easily tamper with, replay, and eavesdrop on the data transmitted in an industrial control system, among other attacks.
With the development of technology, a growing number of articles point out that the LonTalk authentication protocol in building automation system has many vulnerabilities [6]. Literature [7][8][9][10][11][12] points out that the LonTalk authentication protocol has the following security vulnerabilities:
(1) This authentication protocol only supports verifying the identity of the sender and cannot check the identity of the receiver. Only the sender can initiate the challenge-answer request; the receiver cannot, so the protocol can only carry out one-way authentication.
(2) The key used for identity authentication between devices is only 48 bits, which cannot avoid brute-force cracking attacks.
(3) Only part of the data segment is used for hash calculation. Address information and other header information cannot be protected.
(4) The data transfer in clear text will lead to the leakage of information.
(5) The sender must always authenticate with the receiver, so the communication session cannot be established.
Literature [13,14] points out that the LonTalk protocol is vulnerable to denial-of-service (DoS) attacks, which lead to huge performance consumption of nodes. Literature [15] proposes to use SHA-1 and AES encryption to encrypt data to ensure confidentiality and integrity. It will provide a key distribution mechanism when using the advanced Needham-Schroeder protocol. The sender device does not authenticate the third-party server and cannot guarantee the authenticity of the feedback message. Literature [16,17] pointed out that the choice of the encryption algorithm is constrained by embedded architecture, and the public key encryption scheme is limited by chip processing capability in low-end embedded systems.
To sum up, the existing research work on LonTalk authentication protocol security mostly points out the lack of security of the protocol and puts forward some suggestions for protocol improvement, or focuses on the realization of its own security functions. At present, there is no research on formal analysis of LonTalk authentication protocol or introducing an attacker model to analyze the security of the protocol.
This study takes the LonTalk authentication protocol as the research object, takes the colored Petri net and Dolev-Yao attacker model as the basic theory, uses CPN Tools [18] to evaluate the security of the protocol, puts forward a new improved scheme, and verifies the security of the new scheme. The verification results show that the LonTalk-SA protocol has higher security.

LonTalk Authentication Protocol.
When the LonTalk authentication protocol is enabled, the 48-bit preshared key is used for identity authentication, and the sender and the receiver have the same key.
The LonTalk authentication protocol model is shown in Figure 1. AUTH represents the identity authentication bit, MSG represents the message content, and Random Number represents the random number calculated by the sender. Hash indicates the hash value calculated by the sender based on the message and random number. Reply indicates that the receiver sends a reply to the sender about the authentication result.
The authentication mode process is as follows:
(1) The sender sends a message to the receiver that contains an authentication bit. If the bit is 1, the message requires identity authentication.
(2) The receiver responds with a random number and saves the hash value that combines the random number with the original message through a hash function.
(3) After receiving the random number, the sender calculates the hash value using the same method as the receiver and then sends the hash value to the receiver.
(4) After receiving the hash value from the sender, the receiver compares the two hash values. If the hash values are the same, the receiver successfully authenticates the sender.
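The four steps above, as an added Python sketch that is not code from the paper or from any LonTalk implementation. HMAC-SHA256 truncated to 8 bytes stands in for the real LonTalk hash, and the `src`/`dst` header fields, the sample key and the frame contents are constructed; the last two cases show weakness (3) from the Introduction, where header fields outside the hash can change without the check failing.

```python
import hashlib
import hmac
import os

KEY_LEN = 6  # 48-bit preshared key, as stated on the page


def digest(pk, rn, frame, cover_header=False):
    """Keyed hash over the random number and the message.

    Assumption: HMAC-SHA256 truncated to 8 bytes stands in for the real
    LonTalk hash, which the page does not specify. With cover_header=True
    the (hypothetical) address fields are hashed as well.
    """
    data = rn + frame["msg"]
    if cover_header:
        data += frame["src"] + frame["dst"]
    return hmac.new(pk, data, hashlib.sha256).digest()[:8]


def run_exchange(sender_pk, receiver_pk, sent, delivered, cover_header=False):
    """Run steps (1)-(4); return True if the receiver accepts the sender.

    `sent` is the frame the sender built and `delivered` is the frame the
    receiver actually got, so the two can differ to model changes in transit.
    Nothing in these steps lets the sender check the receiver: the
    authentication is one-way.
    """
    # (1) Sender -> receiver: frame carrying the authentication bit.
    if delivered["auth"] != 1:
        return False  # authentication not requested, nothing is verified
    # (2) Receiver picks a random number and stores the expected hash.
    rn = os.urandom(8)
    expected = digest(receiver_pk, rn, delivered, cover_header)
    # (3) Sender hashes its own copy of the message with the same random number.
    response = digest(sender_pk, rn, sent, cover_header)
    # (4) Receiver compares the two values (constant-time comparison).
    return hmac.compare_digest(response, expected)


# Constructed sample data, not taken from a real device.
PK = bytes.fromhex("0123456789ab")
FRAME = {"auth": 1, "src": b"\x01", "dst": b"\x02", "msg": b"SET valve=open"}


def results():
    """Outcome of the exchange for an honest run and four altered runs."""
    other_dst = dict(FRAME, dst=b"\x09")
    other_msg = dict(FRAME, msg=b"SET valve=shut")
    return {
        "honest": run_exchange(PK, PK, FRAME, FRAME),
        "wrong_key": run_exchange(b"\x00" * KEY_LEN, PK, FRAME, FRAME),
        "msg_changed": run_exchange(PK, PK, FRAME, other_msg),
        # Header differs, but only the message is hashed: still accepted.
        "header_changed": run_exchange(PK, PK, FRAME, other_dst),
        # Same change with the header included in the hash: rejected.
        "header_changed_covered": run_exchange(
            PK, PK, FRAME, other_dst, cover_header=True
        ),
    }


if __name__ == "__main__":
    for name, accepted in results().items():
        print(f"{name:24s} accepted={accepted}")
```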

Colored Petri Net Theory and CPN Modeling Tool.
The CPN [19] is a graphical language that has strong advantages in modeling and verifying concurrent, distributed systems. CPN Tools supports hierarchical CPN models with and without time and uses good interpersonal interface technology to design the user graphical interface, which can not only edit, simulate, and analyze colored Petri nets but also support temporal CPN and hierarchical CPN. With the help of CPN Tools, users can easily model, simulate, and analyze parallel systems as well [20]. The CPN has certain advantages when compared with other popular automatic protocol security verification tools. The limited attack path set calculated by ProVerif [21] is far smaller than the attack path set extracted by the CPN-based methods. Scyther [22] tried to use the same method to provide state-space analysis. Although some attack paths could be found in this way, comprehensive security analysis still could not be achieved. Tamarin Prover [23] has high requirements for professional knowledge of modelers and is not so simple and intuitive compared with CPN. In addition, the highly free modeling process of CPN and the realization of different modeling and analysis methods for different protocols are important reasons for using CPN as the formal analysis of protocols.

Dolev-Yao Attacker Model.
Dolev and Yao proposed a mathematical model for verifying public key cryptographic protocols, namely, the Dolev-Yao attacker model [24], which formally defined the behavior of attackers. Based on the assumption that the cryptographic system is "perfect," discussing the security properties of the protocol itself can help researchers focus on the intrinsic security properties of the protocol instead of discussing the security of the cryptographic algorithm. The Dolev-Yao attacker model is introduced into the formal security analysis of the protocol; the attacker can eavesdrop on, intercept, replay, and tamper with the messages exchanged between real entities during the operation of the protocol, and can encrypt, decrypt, split, and combine the original messages and forge message content.
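An added example, not taken from the paper's CPN model: a small Dolev-Yao deduction engine in Python that applies the split/decrypt (decomposition) and combine/encrypt (synthesis) rules described above under the perfect-cryptography assumption. The term encoding and the simplified message shapes are assumptions; the atom names (AUTH, MSG, RN, PK, K_AS, X, N_A, ID_A, ID_B) follow the page.

```python
def pair(*parts):
    """Concatenation of several terms."""
    return ("pair",) + parts


def enc(key, body):
    """Symmetric encryption of body under key."""
    return ("enc", key, body)


def digest(body):
    """One-way hash of body (cannot be inverted by the attacker)."""
    return ("hash", body)


def can_build(term, known):
    """Synthesis: can the attacker construct `term` from what it knows?"""
    if term in known:
        return True  # includes replaying an observed term unchanged
    if isinstance(term, tuple) and term[0] in ("pair", "enc", "hash"):
        # A composite term needs every component (for enc: key and body).
        return all(can_build(part, known) for part in term[1:])
    return False


def analyze(observed):
    """Decomposition: close the knowledge set under splitting pairs and
    decrypting ciphertexts whose key the attacker can build."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            parts = ()
            if term[0] == "pair":
                parts = term[1:]
            elif term[0] == "enc" and can_build(term[1], known):
                parts = (term[2],)
            for part in parts:
                if part not in known:
                    known.add(part)
                    changed = True
    return known


def learned_atoms(observed):
    """Atomic values the attacker ends up knowing."""
    return {t for t in analyze(observed) if isinstance(t, str)}


# Constructed traces (simplified message shapes, see lead-in).
LONTALK_TRACE = [
    pair("AUTH", "MSG"),                 # request, sent in clear text
    "RN",                                # random number from the receiver
    digest(pair("PK", "RN", "MSG")),     # keyed hash from the sender
    "REPLY",                             # authentication result
]
# First LonTalk-SA message: ID_A in clear, the rest encrypted under K_AS.
SA_MSG1 = pair("ID_A", enc("K_AS", pair("X", "N_A", "ID_A", "ID_B")))


if __name__ == "__main__":
    print("LonTalk, learned:", sorted(learned_atoms(LONTALK_TRACE)))
    print("LonTalk-SA msg 1, learned:", sorted(learned_atoms([SA_MSG1])))
    print("... if K_AS leaks:", sorted(learned_atoms([SA_MSG1, "K_AS"])))
```

An observed ciphertext is itself part of the attacker's knowledge, so `can_build` reports it as replayable even though its content stays hidden; that is the gap the timestamp in LonTalk-SA is meant to close.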

LonTalk Color Set Definition of Authentication Protocol Messages.
The color set is established for the four messages exchanged between the receiver and the sender. First, AUTH, MSG, RN, REPLY, and PK are meta-information, and other information is constructed on the basis of meta-information. AUTH represents the identity authentication bit, MSG represents the original data information, RN represents the random number generated by the receiver, and PK represents the key of the device to calculate the hash value. RPDU indicates authentication request packets consisting of AUTH and MSG, which are sent from the sender to the receiver. CAPDU is a random number sent by the receiver to the sender. RAPDU represents the hash value calculated by combining PK and MS. The APDU type indicates whether the receiver sends a message to the sender for identity authentication. The specific color set definition is shown in Table 1.

Formal Modeling of LonTalk Authentication Protocol.
This study will use CPN Tools for formal modeling of the LonTalk authentication protocol. In the top-down sequence, the protocol top-level model is established first, and then, the protocol submodule is established. Ellipses represent places, rectangles represent transitions, and double-line transitions refer to substitution transitions, which include more detailed submodules below.
The top-level model of the LonTalk authentication protocol consists of 5 transitions and 10 places. The process of sending the first packet from the sender to the receiver is represented by the substitution transition Connection. The process in which the receiver receives the packet sent from the sender, replies to the sender, and calculates the hash value is represented by the substitution transition Production. The sender's process of receiving random numbers and calculating the hash is represented by the substitution transition Computation. Finally, the process in which the receiving end compares the two hash values and sends the authentication result back to the sender is represented by the substitution transition Comparation, as shown in Figure 2 for details.
Five detailed submodules are explained as follows. The transition Combination first combines the authentication bit ID and message content MSG into an RPDU message, which is sent to the transition Send_MSG1, and finally sent to the receiver via the place send_RPDU. The place rec_CAPDU receives the information from the receiver, and then combines RPDU and RN into content information through the transition Combination1, which is sent to the model for calculating hash values.
Figure 4 shows the internal model of substitution transition Production. First, the place rec_RPDU sends the received information to the transition Division, which splits the received messages. The transition Judge judges whether the received ID is correct. If the ID is incorrect, it sends the received information to the place Discard. If the ID is correct, it is sent to the transition COMB2. At this time, the random number generated by the place will be sent to the place send_CAPDU through the transition Combination2 and sent to the sender through the place send_CAPDU. The transition Combination2 also combines the message RPDU and the random number RN into a content. Content is encrypted with key PK through the transition Combination4 and sent to the transition Combination5 after encryption. The transition Combination5 computes the hash value and finally sends the hash value to the place Compute.
Figure 5 shows the internal model of substitution transition Computation. The place Content receives the message and sends it to the transition Combination7. The transition Combination7 sends messages to the place Content1 and the place Content2. First, the transition Combination6 will encrypt the value sent by the place Content with key PK and send it to the transition CC_RAPD.
The transition CC_RAPD calculates the hash value of the RAPD packet, sends the hash value to the place C_RAPDU, and finally, sends it to the receiver through the place send_RAPDU. The place rec_APDI sends the received messages to the transition Store, which stores the received messages to the place Reply.
Figure 6 shows the internal model of the substitution transition Comparation. The place rec_RAPDU represents receiving a hash value from the sender, and then, the transition Compare1 compares the received hash value with the hash value calculated by the receiver, and if the hash value is different, it is sent to the place Discard. If the hash values are the same, a success message will be sent to the sender via the place send_APDU, indicating that the identity authentication of the sender is successful.
Figure 7 shows the internal model of the substitution transition Net. The transition Transmit_RPDU indicates that the sender sends an identity message to the receiver. The transition Transmit_CAPDU indicates that the receiver sends a random number to the sender. The transition Transmit_RAPDU indicates that the sender sends the calculated hash value to the receiver. The transition Transmit_APDU indicates that the receiver sends the result of hash value comparison to the sender.

LonTalk Model Consistency Analysis.
The CPN model of the LonTalk authentication protocol is verified by using the state-space analysis tool. By analyzing the results of state space in Table 2, it can be found that the number of nodes and directed arcs in state space is the same as that of strongly connected nodes and strongly connected arcs, indicating that the original model established by us does not have the condition that leads to state cycles. All state nodes are reachable; the dead node count is 1, indicating that all requests are executed by the slave. There are two dead transitions, DiscardID and Error_REPLY. The transition DiscardID is used to indicate that the identity authorization bit cannot activate the authentication service. The transition Error_REPLY indicates that the hash value on the receiving end is incorrect. These two transitions are dead transitions, indicating that the model does not have the above two situations, consistent with expectations, indicating that the protocol can run normally.

Security and Communication Networks
intercepts the information during the first transmission of the protocol. The place Distri can store decomposed and undecomposed information, and the transition TC indicates that the attacker, after applying decomposition rules, forms atomic information that is saved to the place P3. The transition TH saves the undecipherable information in the place P4, and the transition TD means that the attacker synthesizes atomic messages, saves the synthesized messages in the place P5, and uses the concurrency control place SP to limit the synthesis rules of the transition TD. The transition TF synthesizes the attacker's message and sends it to the channel port place. The expression on the red marked arc in Figure 8 simulates a tamper attack on the transition place. TAttack is introduced into the expression, and attacks are launched through the place Hash_Attack. The pink part in Figure 8 simulates the spoofing attack, including all transitions in the network transmission process: Transmit RPDU, Transmit CAPDU, Transmit RAPDU, and Transmit APDU.

Analysis of LonTalk Authentication Protocol Security Attributes.
From the state-space report of the attacker model shown in Table 3, the number of state-space nodes, directed arcs, and strongly connected nodes and strongly connected arcs is the same, indicating that all state nodes in the attacker model of this protocol are reachable. When the attacker model was introduced, the number of nodes and arcs in its state space increased less than the original model, indicating that the state space was not too large or exploded after the attacker model was introduced.
By comparing the original model with the state space after adding the attack model, it is found that the number of dead nodes and dead transitions does not change. After capturing the first message sent by the sender, the attacker modifies the MSG in the message because the message is transmitted in plaintext. The modified message is sent to the receiver. After receiving the message, the receiver returns a random number to the sender, and the attacker eavesdrops on this random number. When the sender receives the random number, it is combined with the initial message to calculate the hash value and sends the calculated hash value to the receiver. The attacker intercepts the message and sends its calculated hash value to the receiver. After receiving the message, the receiver compares the hash values and finds that the result is the same. The identity authentication succeeds on the receiver, and the receiver sends the message.
After receiving the successful authentication message, the receiver confirms that it is successfully authenticated. The subsequent messages can be eavesdropped by the attacker.
Through the comparison of the state space, it can be found that the attacker can launch an effective attack on the LonTalk authentication protocol, which reflects the existence of replay, tampering, and spoofing vulnerabilities in the protocol, and the confidentiality, integrity, and validity of data in the process of message transmission cannot be guaranteed.

New LonTalk Authentication Protocol Scheme
authentication protocol is proposed in this study. Neuron chip is the core of the LonTalk authentication protocol [25]. Each Neuron chip contains three 8-bit embedded CPUs, onboard memory, and 11 general I/O pins. On the premise that the chip and memory performance are not high, a trusted third-party server is introduced for authentication. Before the device performs authentication, the server can send the master key, which is used for communication between the server and the device. Because hash functions and XOR operations do not require much computational performance [26], they are suitable for chips like Neuron that have limited storage, processing, and transmission capabilities. Using the hash function to calculate the hash value of messages can ensure the integrity of transmitted messages and reduce chip computing resource consumption. Through key negotiation between devices, two random numbers are used to calculate the session key.

LonTalk-SA Authentication Protocol Communication Process.
The message flow of the improved protocol is as follows, and the specific symbols are shown in Table 4:
(1) When sender A and receiver B perform identity authentication, sender A generates random numbers X and N_A. A encrypts the two random numbers, ID_A and ID_B, with the master key K_AS. ID_A is sent to the server S along with the encrypted packets.
(2) When the server receives the message from A, it uses the primary key K_AS to decrypt it. After decryption, the server uses K_BS to encrypt the two random numbers which were sent by A and adds the timestamp TS_1 and N_A to the encrypted packet which will be sent to B. Finally, the server sends an encrypted message to A.
(3) After receiving the message from the server, A decrypts it with the master key K_AS and finds no change in N_A. Then, A sends the packets that the server addressed to B, together with ID_A and ID_B, to B.
The specific process is shown in Figure 9.

LonTalk-SA Authentication Protocol Formal Analysis

LonTalk-SA Authentication Protocol HCPN Model.
The CPN modeling is carried out for the LonTalk-SA authentication protocol. The top-level CPN model of the LonTalk-SA authentication protocol is shown in Figure 10.
The top-level model simulates the entire session process of the protocol, including the protocol communicator, communication network, and packet transmission. The substitution transitions A and B represent two communication parties, the substitution transition Server represents the trusted third-party server, and the substitution transition Net represents the communication network.
The mid-level model of the LonTalk-SA authentication protocol consists of 8 substitution transitions and 19 places. The process by which A sends an authentication request to Server is represented by the substitution transition A_To_Server. The process by which the server responds to the request sent by A is represented by the substitution transition RequestA. The process of B sending an authentication request to the server is represented by the substitution transition B_To_Server, and the process of Server replying to the request sent by B is represented by the substitution transition RequestB. The process of A sending encrypted packets to B and obtaining random numbers is constituted by the substitution transition A_To_B. The process of B sending encrypted packets is represented by the substitution transition B_To_A. The process by which A calculates the session key and hash is represented by the substitution transition A_HashTo_B. The process by which B calculates   Figure 11.
Table 4 (partial):
K_AS: Secret key between sender and server
K_BS: Secret key between receiver and server
K: Session key between sender and receiver
TS_1, TS_2: The current timestamp
E(key, M): The message M is encrypted using the key
H(.): One-way hash function
||: Concatenation operation
Figure 12 details the internal model of the substitution transition A_To_Server. Sender A combines ID_A and ID_B with the transition Unite_ID and sends it to the place ID_AB. The transition Unite_Msg1Con combines ID_A and ID_B and the two random numbers generated by A and sends it to the transition Encry_Msg1Con. The transition Encry_Msg1Con encrypts the information using the master key between A and Server and sends it to the transition Unite_Msg1. The transition Unite_Msg1 finally combines A identity information with the message sent by the place S_MSG1 to the place Send_MSG1. When the place Send_MSG2 receives the message, it sends it to the transition Decry_Msg2 and decrypts it with the key K_AS.
The transition Decry_Msg2Con sends a random number in the received message to the place R_A'. The transition Send_B uses a guard function to decide whether to send messages from the place Msg2SendB to the place S_Enc. The pseudocode of the substitution transition A_To_Server is shown in Algorithms 1 and 2.
Figure 13 details the internal model of the substitution transition RequestA. The transition Decry_Msg1Send sends the decrypted results to the transition Divide_Msg1Con with the key K_AS. The transition Divide_Msg1Con splits the received message and sends the decomposed X and N_A to transition Unite_Msg2SendBCon. The transition Encry_Msg2SendBCon encrypts the message with the key K_BS and sends the encrypted message to the transition Unite_Msg2Con. Finally, the transition Encry_Msg2Con encrypts the received message with the key K_AS and sends it to the place Send_MSG2.
Figure 14 details the internal model of the substitution transition A_To_B. The place Send_MSG6' receives the message and sends it to the transition Divide_Msg6. The transition Divide_Msg6 splits the message into id and msg5senda, id is sent to the place ID_BA, and msg5senda is sent to the place MSg5senda. The transition Divide_ID2 saves id to the place ID_A and the place ID_B, respectively. After the transition Decry_Msg5SendACon receives the message from the place Msg5SendA, it decrypts the message using the key K_AS and sends the decrypted data to the     respectively. The transition Encry_Msg4Send encrypts the received message with the master key K_BS to the place Msg4Send.
The place Timestamp determines the stored timestamp and sends the result to the transition Unite_Msg4. The place Send_MSG5' sends the received message to the transition Decry_Msg5, the transition Decry_Msg5 decrypts the message with the key and sends the decrypted message to the transition Divide_Msg5Con, and the transition Divide_Msg5Con splits the received messages to the place R_B' and the place Msg5SendA. The place XOR_X and the place XOR_Y send the received information to the transition XOR, which calculates the session key. The transition Compare_RB compares the messages sent by the place R_B with those sent by the place R_B' and sends the comparison to transition Send_Msg5SendA. Place Msg5SendA sends the result to the transition Send_Msg5SendA, which ultimately sends the result to the place S_Enc'. The pseudocode of the substitution transition B_To_Server is shown in Algorithms 3 and 4.
Figure 16 details the internal model of the substitution transition RequestB. The place Send_MSG4' sends the message to the transition Divide_Msg4, and the transition Divide_Msg4 splits the message to the place ID_B and the place Msg4Send. The transition Unite_Msg5SendACon combines N_A, N_B, Y, and timestamp and sends them to the transition Encry_Msg5SendA, and the transition Encry_Msg5SendA encrypts received messages using the master key K_AS, sending the encrypted message to the transition Unite_Msg5Con. The transition Unite_Msg5Con combines the received message with N_B and sends it to the transition Encry_Msg5. Finally, the transition Encry_Msg5 encrypts the received message using the master key K_BS and sends the encrypted message to the place Send_MSG5. The pseudocode of the substitution transition RequestB is shown in Algorithm 5.
Algorithm excerpt: (1) id2, msg2sendb ← Split(msg3), where msg3 is sent from Server.
Figure 17 details the internal model of the substitution transition B_To_A.
The place S_Enc' receives the message and sends it to the transition Unite_Msg6, which sends id from the received message to the transition Unite_ID. The place Send_MSG6 sends the message to the receiver.
Figure 18   The transition Encry_Msg8 encrypts the received message using the session key K and sends the decrypted message to the place Send_MSG8. The place Send_MSG7' sends the received message to the transition Decry_Msg7, which decrypts the received message using the session key K and sends the decrypted message to the transition Send_Msg7Con. The transition Send_Msg7Con extracts the message hash from the received message and sends it to the place Hash'. The place Hash and the place Hash' send the two hashes to the transition Compare_Hash, which compares the two hashes. If the hash values are the same, the authentication succeeds and the message is saved to the store of the place. Otherwise, the message is saved to the place Discard.

Security Assessment of LonTalk-SA Authentication Protocol.
The Dolev-Yao attacker model is introduced to carry out man-in-the-middle attacks on the network level of the new scheme model, including tampering, spoofing, and replay attacks. The blue part simulates the replay attack, the red part simulates the tamper attack, and the purple part simulates the spoofing attack. The details are shown in Figure 20.

LonTalk-SA Authentication Protocol Security Evaluation.
The state-space report of the LonTalk-SA authentication protocol is compared with the state-space report of the LonTalk authentication protocol after adding the attack. The specific content is shown in Table 5. There are two dead transitions found in the state-space report of LonTalk-SA. These two dead transitions occur because no attacker was introduced in the protocol and no security attack occurred, so the authentication of the two nodes was successful. The attacker model is introduced into the LonTalk-SA authentication protocol, and the number of nodes and places is reduced. The tampering attack T_Att is introduced into the protocol. Due to the wrong judgment of the Hash value, the protocol authentication fails, and the 9 dead transitions are all due to differing Hash values, resulting in the failure of identity authentication. A replay attack R_Att is introduced into the protocol. The attacker resends the intercepted message to the receiver. After receiving the message, the receiver finds that the value of the timestamp in the message has exceeded the time range, so it is determined that a replay attack occurs, and 43 dead transitions occur. All are caused by wrong timestamp judgment. The spoofing attack S_Att is introduced into the protocol, the transition Send_MSG7' cannot be fired, and seven dead transitions are all caused by spoofing attacks. Since the transmission of the message is encrypted by the key, the attacker cannot decrypt the obtained information and cannot know the specific content in the message, so the attacker cannot launch tampering, replaying, and spoofing attacks on the LonTalk-SA authentication protocol.
The new protocol guarantees the security of the message transmission process.

Security Analysis of the New Scheme
(1) Antimalicious instruction: this kind of attack means that the attacker sends malicious packets to the node in order to destroy the system with malicious instructions. However, in the LonTalk-SA authentication protocol, the attacker cannot obtain the master key between the node and the server or the session key between nodes, so the packets sent by the attacker cannot be verified and the system cannot be damaged.
(2) Antieavesdropping attack: the attacker adopts the passive attack method to eavesdrop on the data transmitted in the network, analyze the data, and launch an attack on the node. Since all messages transmitted in the LonTalk-SA authentication protocol are encrypted with a key, the attacker cannot eavesdrop on the transmitted data.
(3) Antireplay attack: the attacker eavesdrops on the transmitted data and resends the intercepted data to the receiver in the next round of communication between nodes to deceive the receiver. The timestamp is added to the LonTalk-SA authentication protocol. If the timestamp in a packet exceeds the time range, the receiver directly discards the packet.
(4) Bidirectional authentication: in LonTalk-SA, the sender and receiver use the challenge-response mechanism to authenticate the identities of the communication parties.
(5) Perfect forward security: each communication party generates a random number for the calculation of the session key. Each authentication operation generates a new random number for the calculation of the session key, ensuring that historical communication messages will not be affected if the current session key is leaked.
Table 6 analyzes and compares the security of LonTalk-SA and LonTalk authentication protocols for security problems such as eavesdropping, replay, and bidirectional authentication. The data in the table fully show that LonTalk-SA provides better security.
Figure 19: Substitution transition B_HashTo_A internal model.
In view of the security vulnerabilities in the LonTalk authentication protocol, and according to the insufficient computing performance of Neuron chips mentioned in the relevant literature, a trusted third-party server is introduced into the new protocol, and the third-party server completes the identity authentication of the interactive nodes. Third-party servers can add timestamps to messages to prevent replay attacks by attackers. The traditional protocol security improvement scheme usually adopts the third-party server to generate the session key and then transmit it to the communication node. This method saves the performance of the node to a certain extent; however, when an attacker launches an attack on a third-party server, the session key may be leaked. Therefore, the LonTalk-SA authentication protocol adopts the key negotiation method. Each authentication node generates a random number and securely transmits the random number to the communicating party. The communicating parties perform the XOR operation on the two random numbers to calculate the session key. When the two communicating parties perform identity authentication again, a new session key can be calculated. The key agreement method also ensures the freshness of the session key.
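The key agreement and timestamp check described above, as an added Python sketch (not the paper's CPN model and not a LonTalk-SA implementation). Assumptions: HMAC-SHA256 keyed with K stands in for H(.), the encryption E(key, M) is left out, and the 5-second window, the 16-byte random numbers and the sample messages are constructed.

```python
import hashlib
import hmac
import os
import struct

WINDOW_MS = 5_000  # accepted timestamp age (assumption; the page gives no value)


def session_key(x: bytes, y: bytes) -> bytes:
    """K = X xor Y, computed independently by both nodes."""
    if len(x) != len(y):
        raise ValueError("random numbers must have equal length")
    return bytes(a ^ b for a, b in zip(x, y))


def _tag(k: bytes, msg: bytes, ts_ms: int) -> bytes:
    # Keyed hash over M || TS (HMAC stands in for the page's H(.)).
    return hmac.new(k, msg + struct.pack(">Q", ts_ms), hashlib.sha256).digest()


def protect(k: bytes, msg: bytes, ts_ms: int) -> dict:
    """Sender side: attach the timestamp and the keyed hash."""
    return {"msg": msg, "ts": ts_ms, "hash": _tag(k, msg, ts_ms)}


def check(k: bytes, packet: dict, now_ms: int, window_ms: int = WINDOW_MS) -> str:
    """Receiver side: returns 'ok', 'stale', 'not-yet-valid' or 'bad-hash'."""
    age = now_ms - packet["ts"]
    if age > window_ms:
        return "stale"            # outside the time range: treated as a replay
    if age < 0:
        return "not-yet-valid"    # receiver clock behind the sender clock
    expected = _tag(k, packet["msg"], packet["ts"])
    if not hmac.compare_digest(expected, packet["hash"]):
        return "bad-hash"         # message or timestamp changed in transit
    return "ok"


def scenario() -> dict:
    """One authentication round with constructed values."""
    x, y = os.urandom(16), os.urandom(16)      # X generated by A, Y by B
    k_a, k_b = session_key(x, y), session_key(y, x)
    t0 = 1_700_000_000_000                     # constructed send time in ms
    pkt = protect(k_a, b"SET valve=open", t0)
    tampered = dict(pkt, msg=b"SET valve=shut")
    return {
        "same_key": k_a == k_b,
        "fresh": check(k_b, pkt, t0 + 40),
        "replayed_later": check(k_b, pkt, t0 + 60_000),
        "tampered": check(k_b, tampered, t0 + 40),
        # Unsynchronized clocks make the receiver drop a legitimate packet.
        "receiver_clock_behind": check(k_b, pkt, t0 - 2_000),
        # A new round draws new random numbers, so the key changes.
        "new_round_new_key": session_key(os.urandom(16), os.urandom(16)) != k_a,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:22s} {value}")
```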

Summary and Outlook
The LonTalk protocol is a standard protocol widely used in smart buildings, and its inherent security needs to be further studied. This study takes the LonTalk authentication protocol as the object. First, aiming at the security problems existing in the LonTalk authentication protocol mentioned in the relevant literature, CPN Tools is used to model the protocol, and the Dolev-Yao attacker model is introduced to evaluate the security of the protocol. There are three types of attack vulnerabilities: tampering, replay, and spoofing. In view of the above security issues, and considering the low performance of Neuron chips in the LonTalk authentication protocol, in the new LonTalk-SA authentication protocol, a third-party server is introduced, and key negotiation is used to ensure the confidentiality, integrity, and authentication of the data in the transmission process. The formalized security analysis of the LonTalk-SA authentication protocol shows that the new scheme can effectively defend against the above three attack methods. Timestamps are added to the LonTalk-SA authentication protocol to prevent replay attacks. Therefore, the synchronization of device clocks must be ensured when using time stamps. In future work, we will consider whether the protocol meets the real-time requirements under the premise of ensuring security.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that they have no conflicts of interest.