Enhanced Authentication Protocol for the Internet of Things Environment

*e Internet of *ings (IoT) is among the most promising technologies of the future, and its development has garnered attention worldwide. However, the rise of the IoT has been accompanied by a proportionate increase in security concerns regarding communication between IoT entities. Recently, Alzahrani et al. proposed an identity-based authentication and key agreement protocol for an IoT environment, wherein a physically unclonable function was employed. *ey claimed that their protocol can resist various types of attacks; however, after thorough analysis, we determined it to be ineffective against privileged internal attacks, physical IoTdevice capture attacks, stolen-verifier attacks, and known temporary information exposure attacks. To resolve these security weaknesses, we propose a new authentication and key agreement protocol. In addition, we demonstrate that the proposed protocol is provably secure in real-or-random (ROR) model and Burrows–Abadi–Needham (BAN) logic, resisting known attacks while incurring low communication and computation costs.


Introduction
e Internet of ings (IoT) [1][2][3] has become a popular topic since its conception at the end of the 20th century. e technology has developed from the simple application of a single sensor to a specific scene to the vast IoT that is currently a ubiquitous part of our lives [4]. e IoT has found application in many scenarios (shown in Figure 1), such as education [5], smart homes [6,7], healthcare [8,9], and VANETs [10,11]. In schools, teachers can use IoT devices to assist them with teaching to more actively engage students in the process of learning, and the IoT makes it easier for schools to troubleshoot students' problems more effectively. Ultimately, students' development would improve in all respects. e traffic police could use IoT devices such as intelligent cameras to detect vehicle movements, violations, vehicle-related crime, and security, which would enable them to manage the traffic more efficiently with safety in mind. In terms of medical treatment, doctors could use intelligent detection equipment to monitor patients' conditions in real time such that patients feel more at ease during treatment. erefore, IoT has become ubiquitous in our daily lives, with people becoming increasingly dependent on IoT devices. e IoT has made our lives more convenient. However, the IoT not only brings us convenience but also has significant hidden threats. For example, Amazon's Ring home surveillance camera has a security loophole, which has been hacked. A large number of videos and photos of users have been posted online by hackers. Another example is malware named Silex, which is able to attack thousands of IoTdevices, paralyzing these devices in a large area and causing considerable human, material, and financial losses. erefore, the security of IoT must be improved to prevent further danger to human life. Researchers have developed various solutions to solve the aforementioned security problems. e primary solution involves encrypting all messages/data transmitted through public channels. is would ensure that the data pertaining to each entity are not leaked during the communication phase. erefore, a secure and efficient authentication and key agreement (AKA) protocol is required.
In 2021, Alzahrani and Mahmood [12] demonstrated that Chikouche et al.'s AKA protocol [13] is insecure against device anonymity attacks and known temporary information exposure attacks and then designed a provable privacypreserving AKA protocol for IoT. eir protocol utilized a physical unclonable function (PUF) to encrypt transmitted data. e authors claimed that the use of PUF can ensure resistance to physical capture attacks on IoTdevices. Besides, the authors claimed that their protocol can resist various types of attacks and provide perfect forward security.
However, in this study, we further demonstrate that Alzahrani and Mahmood's AKA protocol [12] is still vulnerable to physical IoT device capture attacks, privileged insider attacks, known temporary information disclosure attacks, and stolen-verifier attacks. To address the security loopholes in Alzahrani and Mahmood's protocol [12], we further propose a new AKA protocol. In our design, we used an asymmetric encryption system to encrypt the identity of the device, considering that symmetric encryption is more efficient than asymmetric encryption. In addition, we added a login phase for IoT devices. It verifies the legality of an IoT device before it communicates with servers. e proposed protocol is then validated by a formal proof with the real-orrandom (ROR) model and Burrows-Abadi-Needham (BAN) logic. We also analyze that the proposed protocol provides robustness against various kinds of potential attacks. Finally, we present a performance analysis and compare it with other related protocols. Experimental results show that the proposed protocol has low computational and communication overhead. e remainder of this paper is organized as follows. Section 2 reviews related work. In Section 3, we briefly review the protocol of Alzahrani et al. [12]. Section 4 presents our demonstration that Alzahrani et al.'s protocol [12] is vulnerable to several attacks. e proposed protocol is described in Section 5. Sections 6 and 7 provide security and performance analyses and suitable comparisons. Finally, Section 8 concludes the paper.

Related Work
In 2015, Sun et al. [14] proposed an AKA protocol using hash functions. However, this protocol [14] did not provide secure identity verification. In 2018, Gope and Sikdar [15] proposed a lightweight privacy-preserving two-party AKA protocol, but this protocol is not vulnerable to desynchronization attacks and does not provide perfect forward security. Various AKA protocols that were designed to improve the level of security [16][17][18] are based on elliptic curve cryptography (ECC). Kalra and Sood [19] proposed an ECC-based AKA protocol for the IoT. ey claimed that this protocol provided perfect forward security. However, Chang et al. found that it was unable to provide basic authentication and session key agreement mechanisms. Consequently, in an attempt to address the security loopholes in the protocol of Kalra et al., Chang et al. improved the protocol such that it offered a higher level of security. In addition, Kumari et al. [20] found that Kalra et al.'s protocol is not resistant to device anonymity attacks, interest password-guessing attacks, and privileged insider attacks. Recently, Chikouche et al. [13] proposed another AKA protocol for IoT.

Review of Alzahrani et al.'s Protocol
In this section, we review the protocol proposed by Alzahrani and Mahmood [12] for the IoT environment. e protocol consists of two phases: a registration phase and a mutual authentication phase. e symbols used in the paper are listed in Table 1.

Registration Phase.
Assuming that an IoT device D i with the identity ID i desires to register on a server, the following steps are performed: (1) First, D i selects an identity ID i for itself; subsequently, it sends a registration request REG req to S, and outputs its identity ID i to S through a secure channel. us, S can identify whether the D i communicating with it during the authentication phase has been registered earlier.
(2) After S receives the registration request and the identity of D i , it first generates a valid period of time ETime and then calculates ereafter, S generates the PUF to request the information C i and TID i , and generates a series of S pseudo-identities SID i (i � 1, 2, 3, . . .). Subsequently, S sends the calculated CK, Q i , C i , and TID i to D i . (3) After D i receives the message CK, Q i , C i , TID i , it first uses the PUF to calculate the C i transmitted from S to obtain R i , and then stores its own identity ID i and pseudo-identities TID i , O i , and CK in its own memory, while transmitting R i to S. (4) Finally, S stores D i ′ s identities ID i , C i , R i , and RTime in its own memory. Consequently, the entire registration phase of D i is completed.

Mutual Authentication Phase
(1) D i must perform normal authentication and communication with S. First, S generates a random number N i and then calculates ereafter, D i transmits the calculated c, P 1 , and the pseudo-identity of D i to S through the public channel.
(2) After S receives the transmission information from D i , it first extracts the information ID i , C i , R i , ETime from its own memory and subsequently calculates the random number

en, it calculates
Subsequently, it is verified whether the received value of P 1 is equal to the value of h(O i ⊕ N i ⊕ CK). If equal, the authentication is successful, and subsequently, S generates its own random number N s and the pseudo- And finally, S generates the session key with D i .
en, the data stored in S is updated, and the pseudoidentity of D i is TID new i . Finally, S transmits P 2 , V to D i through the public channel.
ereafter, it is verified whether P 2 ′ is equal to the transmitted P 2 value; if equal, it implies that the S, that is, sending the information is legal. Subsequently, D i uses the physical IoTunclonable function to calculate the value of R i , and D i finally obtains the session key to communicate with S as follows:

Cryptanalysis of Alzahrani et al.'s Protocol
In this section, we first describe the attack model used in this study and then explain the vulnerability thereof against physical IoT device capture attacks, stolen verification attacks, privileged internal attacks, and known temporary information exposure attacks.  [21]. DY model is based on the hierarchical idea of security protocol. It first considers whether there are defects in the behavior logic of the security protocol itself, and then considers whether there are problems in the implementation method. e reason we select DY model is to offer the maximum capabilities to an adversary who is allowed to breach the security of the proposed protocol. In the DY model, the capabilities of an adversary A are as follows: (1) A can intercept, tamper with, and delete the information transmitted from D to S through the public channel (2) If D is captured by A, A can obtain the information stored in the memory of D and use the information to perform illegal operations (3) A can use power analysis to obtain the information stored in the smart card (4) A can extract the registration information of D stored in S as a privileged insider, that is, the information sent by D to S during the registration phase can be obtained by A (5) During the authentication phase of D and S, D and S generate temporary information to encrypt certain parameters, and A can obtain the random number generated by D or S

Physical
IoT Device Capture Attack. In our daily life and work, IoT devices are usually everywhere. People can easily obtain IoT devices. It means that an adversary A can also easily capture IoT devices. After this, A can capture the data in IoT devices through data analysis to attack [22]. In Alzahrani et al.'s protocol, during the registration and mutual authentication phases of D i and S, D i can easily be physically captured by a certain A. Subsequently, A is easily stored in the information in D i . ereafter, it performs certain calculations considering the information obtained from the memory of D i , and finally obtains the session key for the communication between D i and S. e specific steps of this attack are as follows: (1) After capturing D i , A obtains the information ID i , TID i , O i , CK stored in the memory and subsequently obtains the information c sent by D i to S through the public channel in the authentication phase. It then calculates (2) A obtains the value of V through the public channel. ereafter, Is calculated to obtain the random numbers N s and C i generated by S.
(3) With the value of C i obtained in the previous step, A uses the PUF to obtain the value of R i . (4) Finally, A obtains the session key Used for communication between S and D i according to the parameters N i , N s , C i , R i , ID i . erefore, A can successfully perform a physical IoT capture attack.

Privileged Insider Attack.
e whole process of the protocol includes various participants, and the staff are also part of the participants. However, it cannot ensure the credibility of the staff. In case the A sneaks into the staff, the secret data contacted by the staff will not be saved [23]. In Alzahrani et al.'s protocol, during the registration phase, D i sends a registration request and its own identity information to S through a secure channel.
In general, the registration information of D i is confidential and is not made available to others. However, should a certain A exist among the S administrators, the registration information would be readily accessible. Consequently, A could perform certain calculations based on the registration information and the information obtained through the public channel to finally obtain the session key between D i and S. e specific process is as follows: (1) As a privileged insider of S, A obtains the registration information ID i of D i . (2) ereafter, D i obtains the information C i and V transmitted by S and D i , respectively, through the common channel during the authentication phase. en, the parameters C i and ID i , which were obtained in this manner, are used to calculate N i . ereafter, is calculated using the calculated N i and V values to obtain the parameters N s and C i . (3) A PUF is used in the protocol and the method whereby this function is calculated is fixed. Provided that A obtains the value of C i , the value of R i can be obtained with the aforementioned method. (4) Consequently, according to the aforementioned parameters, A can easily obtain the session key between S and D i Equipped with this information, A can access the private content of the communication between S and D i based on the session key between the two parties. erefore, we can conclude that the protocol of Alzahrani and Mahmood [12] does not offer resistance against privileged insider attacks.

Known Temporary Information Disclosure Attack.
Temporary data will be generated during the operation of various devices, and these temporary data will be temporarily stored in the memory. A can easily obtain the temporarily stored data and further attack [24].
In general, when S and D i perform mutual authentication, D i transmits a certain amount of its own private information to S. en, D i is verified on the basis of this private information, which is stored in S and which cannot be accessed by other people. erefore, D i generates random numbers to encrypt the private information and then transmit the encrypted parameters to S. However, under certain circumstances, this temporary information may also be obtained by A, who could consequently use it to crack the session key based on the obtained temporary random number information. Here, we demonstrate that the protocol of Alzahrani et al. is not robust against temporary information disclosure attacks at all times. e attack could take place via the following steps.
(1) A obtains the random number N i generated by D i during the authentication phase with S through certain illegal channels and then obtains the parameter V transmitted by S to D i through the public channel.
Considering the obtained parameter information N i and V, A can easily obtain the random number N s generated by S and the parameter C i used by the PUF. us, R i can be calculated according to parameter C i .
(3) Regarding the session key SK for the communication between D i and S, according to certain parameters obtained by A earlier, information about the keys of both parties can be easily obtained. erefore, the protocol of Alzahrani et al. cannot resist known temporary information disclosure attacks.

Stolen-Verifier
Attack. e verifier stored in the server will also be leaked. When the server is unattended, the A can analyze and obtain the verifier stored in it, so as to further attack [25]. During the registration and authentication phases, S stores certain information in its own memory for subsequent calculations. A stolen verification attack implies that A accesses the information in the memory and then performs calculations to finally obtain the session key between the two parties.
e specific attack process is as follows: (1) In the registration phase, S stores the identity of D i , that is, ID i and C i used by the PUF, the result R i , and the validity period ETime in its own memory. However, A can gain access to the parameters in S ′ s memory through certain means. (2) Subsequently, A uses the acquired identity information ID i of D i to calculate the parameter N i , and the parameter V is used to derive the parameters N s and C i . (3) S and D i communicate using the session key SK. As A has obtained the parameters required to calculate the session key, it can thus access the session key of both parties. erefore, we can conclude that the protocol of Alzahrani et al. does not provide resistance against stolen verification attacks.

Proposed Protocol
is section proposes a new AKA protocol for the IoT environment. e protocol contains three phases, the predeployment phase, the IoT device registration phase, and the login and authentication phase. e proposed protocol considers two roles, IoT devices, and a server. In the predeployment phase, an IoT device and the server negotiate a shared key for later use. e IoT device registration phase enables IoT devices to register to the server. Devices and the server further authenticate each other and generate a session key.

Predeployment Phase.
Before D i and S are authenticated, a shared key K is first assigned to D i and S, such that D i can encrypt its own identity in the later registration phase. e shared key between the two is only known to D i and S and is inaccessible to other devices and personnel. Figure 2 illustrates the IoT device registration phase. e detailed steps are as follows:

IoT Device Registration Phase.
(1) First, D i selects an identity ID i and password PW i and then uses a symmetric encryption algorithm to encrypt the identity ID i of D to obtain the pseudoidentity of the IoT device.
ereafter, the IoT device transmits the registration request R q and pseudo-identity RID i to S through a secure channel.
(2) After S receives the registration information, it first generates a validity period ETime and subsequently decrypts the pseudo-identity to obtain the device identity.
Furthermore, S encrypts the identity of D i and the private key of S to obtain Consequently, S generates C i for D i and also generates a series of pseudo-identities SID i (i � 1, 2, 3 . . .) for its use. Finally, S sends the Security and Communication Networks calculated A, SID i , B, and C i to D i through a secure channel.
(3) D i encrypts the received C i using a PUF to obtain Subsequently, it encrypts its own identity and password to obtain V, which was used by D i during the login phase. Finally, the parameters ID i , SID i , A, B, V are stored in its own memory, and R i is sent to S. (4) S stores RID i , C i , R i , ETime in its own memory. Figure 3 shows the login phase of D i and the authentication phase with S. e specific details of the process are as follows.

Login and Authentication Phase.
(1) D i enters its own ID i and password PW i and generates a temporary random number N i . en, D i uses a symmetric encryption algorithm to encrypt its own identity to obtain a pseudo-identity as follows: e verification V 1 is passed, and D i stores it in its own memory to check whether it is equal to V, which already resides in the memory, to prove the legality of D i . If the values are equal, the login is successful and then the following is calculated.
Finally, D i sends c, SID i , U, T 1 to S through the public channel. (2) After receiving the information, S first verifies the freshness of the timestamp T 1 , and if T 2 −T 1 ≤ T ′ , then the authentication phase continues. e RID i is determined through SID i , and S uses a symmetric decryption algorithm to decrypt the RID i stored in the memory to obtain the real identity of D i as follows: Following which certain additional parameters are calculated as follows: Subsequently, it is verified whether U ′ is equal to the transmitted U; if equal, it implies that a legitimate D i is communicating with it. en, S generates a random number N s and calculates the following: Finally, the session key to communicate with D i is generated as whereupon S sends G, W, T 2 to D i through the public channel. (3) D i first checks the freshness of the timestamp T 2 generated by S and then obtains N s and C i through the parameters G and N i as D i compares the calculated W ′ with the received W and proves that if they are equal, S is legitimate. Finally, D i calculates the session key For the communication between S and D i according to R i , calculated by the PUF.
e aforementioned steps represent the entire process according to which D i registers with S and performs the key exchange.

Security Analysis
In this section, we present the analyses we conducted to prove that the proposed protocol is sufficiently secure.

BAN Logic Analysis.
Burrows-Abadi-Needham logic has been used in several studies to prove whether a protocol can be executed securely. is section uses BAN logic to prove the security and reliability of our proposed protocol.
is proof verifies that our protocol can successfully establish and share a session key between the server and IoT device. D represents an IoT device in the following proof, and S represents the server. e specific proof rules and process are as follows:    Security and Communication Networks 7

Detailed
Steps. By considering the message M1 and using the seeing rule, we get S1: Using S1, we get the following: Under the assumption of A2, using S2, R1 can be used to obtain: With conclusion R2, using A4 and S3, the following can be obtained: Using A6, R3, and conclusion S4, the following can be obtained: S5: S| ≡ (ID i ) According to conclusion S1, the following can be obtained: Using A2, R1, and conclusion S6, the following can be obtained: Using A4, R2, and conclusion S7, the following can be obtained: Using A6, R2, and conclusion S3, the following can be obtained: , using A5, S5 and S9, we obtain : S10: S| ≡ D↔ SK S (G2) Using A4 and R4, we can obtain: S11: In addition, considering the message M2, we obtain: S12: D⊲ 〈N s , C i 〉 K s , T 2 Using S12, we get the following: S13: D⊲ 〈N s , C i 〉 K s By using A1, S13, and R1, we obtain: S14: D| ≡ S| ∼ (N s , C i ) With conclusion S14, using A3 and applying R2, we obtain: S15: D| ≡ S| ≡ (N s , C i ) Applying A8, S15 and R3 we obtain: S16: , using A7 and S16, we obtain: S17: D| ≡ D↔ SK S (G1) With conclusion S17, using A3 and R4, we can obtain: S18: U| ≡ S| ≡ U↔ SK S (G3)

ROR Security Analysis.
e real-or-random (ROR) [26] model is a function that randomly maps all possible inputs and outputs. ROR model is a popular security proof method, which can be used for evaluating the security of protocols. [27]. To prove that our proposed protocol offers the necessary security, we use the ROR model [26] to analyze the protocol. eorem: assuming that A desires to obtain the session key SK � h(ID i ‖ N i ‖ N s ‖ C i ‖ R i ) in the authentication phase of S and D i , the advantage A has to successfully obtain the session key within the polynomial time t, Here, b represents the password length of D i during the login phase, E ′ and x ′ represent two constants, q h represents the number of hash functions in the protocol, |H| represents the range of Hash functions, and q s represents the number of Send functions.

Security Proof
Proof: in the proof process, we defined four games GM i (i � 0, 1, 2, 3) to prove the security of the protocol, of which SUCC(GM i )(i � 0, 1, 2, 3) represents the probability of winning the game. e specific description of the process is as follows. GM 0 : in the initial game, A must compete with legal D and S. At the beginning of the game, A does not perform any query operations; therefore, GM 1 : in the second game, A executes the Execute query operation to obtain the messages c, U, T 1 and G, W, T 2 transmitted by S and D through the public channel, and A needs to perform Reveal and Test operations to verify whether the session key contains long-term keys and randomness, which can be easily determined.
erefore, messages transmitted via the public channel must be monitored continuously to ensure that A cannot obtain this information. us, we can conclude Pr[Succ GM 2 : in this game, we simulate an attack. During the attack, A continues to submit Sen d queries. In addition, A also obtains the information exchanged between S and D i during the authentication phase. However, to obtain the session key of both parties, A must know the identity of D i and the random number of S. However, it is impossible for A to obtain the identity of D i because A only has access to the identity after symmetric encryption. Moreover, because of the existence of PUFs, obtaining C i and R i is also a challenging proposition. erefore, we can prove that GM 2 and GM 1 are different, and furthermore, we can also derive the following relationship based on the birthday paradox principle: GM 3 : in the last game, A uses Send and Corrupt to query the information ID i , A, B, V stored in the memory of D i . A attempts to obtain the random numbers N s and N i used in the session key, but to obtain N i , it must obtain the key K that encrypts the identity of D i . After A performs these operations, we obtain the following relationship: It is well known that when we toss a coin with a uniform texture, the probability of getting a heads or tails is (1/2); thus, the probability of A guessing the correct session key is Pr Succ Based on the aforementioned drawn conclusions, we can derive the relationship: Subsequently, we can obtain (31)

Security Analysis.
In this section, we evaluate the proposed protocol to prove its ability to withstand a privileged insider attack, known temporary information disclosure attack, stolen verification attack, physical IoT device capture attack, and a perfect forward security and IoTdevice simulation attack.

Ability to Withstand Privileged Insider Attack.
If A was to succeed in obtaining the registration information RID i that was sent by D i to S during the registration phase, the value of N i could be calculated based on the pseudo-identity of D i , while the parameter c could be intercepted on the public channel. Furthermore, the parameters N s and C i can be derived from N i and V; however, the real identity of D i is only available after being encrypted by a symmetric encryption algorithm, which A is unable to decrypt. erefore, even if A was to obtain the registration information sent by D i to S during the registration phase, it would not succeed in obtaining the session key for communication between D i and S. erefore, the proposed protocol offers protection against privileged insider attacks.

Ability to Withstand Known Temporary Information
Disclosure Attack. We assume that A obtains the temporary information N i generated by D i during the login authentication phase. Consequently, A can also easily obtain the pseudo-identity of D i , that is RID i , based on the information on the public channel. However, the session key of D i and S is based on the real identity of D i and is composed of ID i , such that A cannot obtain the key K, which would be necessary to decrypt the real identity. erefore, despite A having obtained N i , it would not be able to access the value of the session key. In addition, we assume that A obtains the temporary information N s generated by S in the authentication phase, which is used by D i to verify the legality of S by encrypting A. As A does not know the values of the parameters A and B, obtaining temporary information from S would not allow A to crack the session key. In summary, our proposed protocol can effectively resist known temporary information exposure attacks.

Ability to Withstand Stolen Verification Attack.
We assume that A obtains certain parameters [RID i , C i , R i , ETime] stored in the memory of S, which A can use to calculate the value of R i . e session key of D i and S is set by D i . e real identity ID i is composed of random numbers N i , N s , C i , and R i generated by D i and S, during the authentication phase and thus cannot be obtained. erefore, even if the information in the S memory was to be obtained, it would not be possible to successfully launch the attack. us, our proposed protocol provides resistance against stolen verification attacks.

Physical IoT Device Capture Attack.
Assuming that D i is physically captured by A, the latter can obtain the information ID i , B, A, V stored in the memory of D i , according to the power analysis. However, A cannot obtain the information generated by D i and S during the login authentication phase. Furthermore, the random numbers N i and N s , and the keyvalue pairs C i and R i used by the PUF are also not available.
erefore, A cannot carry out the attack despite capturing D i and obtaining the information in the memory.
us, our protocol can resist physical IoT device capture attacks.

Perfect Forward Security.
Consider that A obtains the shared key K of D i and S in the predeployment phase; however, the key K is only used to encrypt the identity ID i of D i . Although the value of the shared key K is known, the identity of D i , that is ID i , cannot be obtained by A. erefore, A cannot crack the session key SK of D i and S, and thus the K obtained in this manner is of no value. In summary, the proposed protocol has perfect forward security.
6.3.6. IoT Device Simulation Attack. Assume that A captures an IoT device and attempts to tamper with certain information in the memory, thereby establishing a session key with S. First, A must log in after obtaining D i . However, during the login phase, the login password of D i must be known, which is not stored in the memory of D i . erefore, A cannot log in successfully and thus cannot simulate the operation of networked devices. erefore, our proposed protocol can effectively resist IoT device simulation attacks.

Security and Performance Comparisons
In this section, we present a comparison of the proposed protocol with existing protocols [12,13,20,[28][29][30] in related fields. We compared the performance of the protocol considering its running time and communication cost. In addition, protocols were compared in terms of security. Comprehensive performance and security analyses prove that the proposed protocol has significant advantages in both respects. e specific evaluation and comparison process is as follows.
We drew on the experimental environment of a published protocol [12]. As physical IoTdevices and servers are involved in the protocol, artificial devices can be used to implement the encryption operation of the IoT devices in the authentication phase. Moreover, a desktop system can be used to implement the encryption operation on the server. In the case of the specific implementation process, only the running time of the hash function is considered in the protocol authentication phase, whereas the connection operation and the XOR operation are ignored for the moment. According to the previous experimental results [12], the single hash operation time for using artificial equipment for the realization of D i is 1.063 ms, whereas that for realizing the encryption operation on S is 0.0027 ms. Furthermore, the communication cost was determined by only considering the cost incurred during the login authentication phase. We specify the identity of D i , XOR operation, timestamp, symmetric encryption, symmetric decryption, connection operation, and memory occupied using the hash function in the transmission process as 160, 160, 160, 128, 128, 160, 160, and 256 bits, respectively. T h represents the time consumed by a single hash operation, and T p represents the time consumed by a single dot multiplication operation.

Security
Comparisons. Security analysis: although the time and communication performance of the proposed protocol was not analyzed, we performed a security analysis of the protocol. We compared the proposed protocol with related protocols and proved that our protocol offers the required security by evaluating whether the protocols can resist certain attacks during the login authentication phase. e main attacks included in the comparison were: A1-privileged insider attack, A2-IoT device capture attack, A3-stolen verification attack, A4-IoT device simulation attack, A5-perfect forward security, and A6-desynchronization attack. e results in Table 2 confirm that our protocol can resist various attacks and has significant advantages over other protocols in terms of security. In the table, "Yes" implies that the protocol can resist the attack, whereas "No" indicates that it cannot.

Performance Comparisons.
Time consumption cost analysis: time consumption cost represents the time consumed by the encryption operations used in the authentication phase of D i and S. We compared the proposed protocol with existing protocols [12,13,20,[28][29][30] in related fields. In the login and authentication phase of the proposed protocol, D i uses four hash functions; thus, the time consumed by the IoT device is 4 × 1.063 � 4.252 ms, while S uses five hash functions, resulting in a time consumption of 5 × 0.0027 � 0.0135 ms by S on the desktop system. us, the total time consumed by our proposed protocol is 4.252 + 0.0135 � 4.2655 ms. Furthermore, the time consumed by each entity of other related protocols and the total time consumed are shown in Figure 4. In addition, Table 3 shows the time consumed by each protocol more intuitively.  [20] Yes Yes Yes Yes Yes No Chikouche et al. [13] Yes Yes Yes Yes Yes No Chaudhry et al. [28] Yes Yes Yes Yes Yes No Melki et al. [29] Yes Yes Yes Yes No No Panda et al. [30] Yes Yes Yes Yes Yes No Ours Yes Yes Yes Yes Yes Yes 10 Security and Communication Networks   [20] 3 T h + 6 T p ≈ 9.861 ms 4 T h + 6 T p ≈ 0.0354 ms 9.8964 ms Chikouche et al. [13] 5 T h + 5 T p ≈ 10.874 ms 4 T h + 5 T p ≈ 0.0313 ms 10.9053 ms Chaudhry et al. [28] 7 T h + 2 T p + 2 T b ≈ 12.107 ms 6 T h + 2 T p + 2 T b ≈ 0.0298 ms 12.1368 ms Melki et al. [29] 5 T h ≈ 5.314 ms 5 T h ≈ 0.0135 ms 5.3275 ms Panda and Chattopadhyay [30] 4 T h + 5 T p ≈ 9.812 ms 5 T h + 5 T p ≈ 0.034 ms 9.8460 ms Communication cost analysis: communication cost refers to the information transmitted between D i and S during the login authentication phase. First, D i transmits the information c, V, T 1 to S, and S sends the information G, W, T 2 to D after authenticating it as legitimate D. As c � RID i ⊕ N i and u � h(B ⊕ N i ⊕ A ⊕ T 1 ), the communication cost consumed by D in the authentication phase is 160 + 256 + 160 � 576 bits. In addition, G � N i ⊕ (N s ⊕ C i ) and W � h(B‖ A‖ N i ‖ N s ), and thus the communication cost consumed by S in the authentication phase is 160 + 256 � 416 bits. Considering these results, we can conclude that the overall communication cost incurred by the proposed protocol during the login authentication phase is 992 bits. Figure 5 shows the communication costs incurred by various entities of other related protocols [12,13,20,[28][29][30]. Furthermore, Table 4 presents a more intuitive comparison of the communication costs incurred by our proposed protocol and other protocols.
Based on the aforementioned analysis of the protocol, it is evident that the proposed protocol is superior to other related protocols in terms of time and security performance.

Conclusion
e development of IoT has increasingly focused attention on security issues related to IoT communication. Alzahrani et al. proposed an identity-based authentication and key exchange protocol to address the key exchange network problem experienced by IoT devices and servers. However, we identified many security vulnerabilities in their protocol, and the IoT device login phase was absent. erefore, we designed a two-factor encryption protocol using the symmetric key method based on an identity password. Using the ROR model, we proved that our proposed protocol could resist various attacks. In addition, we observed that our protocol is significantly advantageous in terms of time and communication cost through comparison with other related protocols.
erefore, future developments in the IoT industry are anticipated to benefit from our protocol, which is expected to provide more efficient security for smart devices. Owing to the possibility of improving the communication efficiency of this protocol, we will enhance this protocol in future work to help provide more efficient communication efficiency.

Data Availability
No data were used to support this study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.