SKIA-SH: A Symmetric Key-Based Improved Lightweight Authentication Scheme for Smart Homes

Being one of the finest applications of the IoT, smart homes (SHs), with the aim of improving quality of life, are taking over traditional lifestyles. The entities within an SH communicate with each other and with the environment, including the users, to make daily life seamlessly enjoyable and easy. However, owing to the public communication infrastructure, the advantages of the SH are subject to security and privacy issues. Recently, Yu et al. presented a privacy and security solution for the SH environment. The scheme of Yu et al. is based on lightweight symmetric key functions. Although the scheme of Yu et al. exhibits the lightweight property, it is proven in this paper that their scheme cannot provide mutual authentication due to a crucial design fault. An improved scheme using symmetric key functions for SH (SKIA-SH) is proposed in this paper. The security of the proposed scheme is established through formal BAN logic, followed by a brief discussion of the security attributes provided by the proposed SKIA-SH. The comparisons show that the proposed SKIA-SH provides the required security at the cost of a slight increase in computation and communication costs. The simulation results show that SKIA-SH completes an authentication round by exchanging 216 bytes in just 5.34 ms.


Introduction
The smart home (SH) is an emerging concept, and with the aid of 6G/IoT smart infrastructure, the SH concept is gradually overtaking traditional living styles. An SH is a communication setup among daily-use devices like lightbulbs, televisions, door locks, monitoring cameras, washing machines, and so on. The smart devices (SDs) within an SH interact with each other and with the users to provide seamless services and to make daily life easier and more enjoyable. The services include automatic door locking and unlocking, switching lights and air conditioners on and off, suspicious-activity alarms, etc. In addition, the SH concept can be very useful for patients and elderly people through activity and health-related monitoring and support. The SDs in an SH communicate over the insecure wireless channel and the public Internet. Due to communication over insecure channels, the advantages of the SH are subject to several privacy and security issues [1,2]. Such security and privacy issues can enable an entity with malicious intentions, also called an attacker, to expose user-related sensitive data including daily routines, habits, and so on, and this information can be used with wicked intentions. In addition, the SDs are lightweight devices, and deploying a public key infrastructure (PKI) is not a viable solution for SH environments, as PKI imposes high computation and communication costs on low-powered SDs [3][4][5].
secure smart home (SH) environments [9,10]. In 2021, Ali et al. explained the pitfalls of the clogging attack and designed an elliptic curve-based authentication scheme to resist it. Physical capture is also among the crucial classes of attacks [11]: physical capture of a smart device can lead to exposure of the private information of the device, and it can also lead to exposure of related and communicating devices present in the smart IoT environment. Irshad et al. [12] also proved that the authentication scheme of Tsai and Lo [13] lacks the required security against server forgery and impersonation attacks. Moreover, Maitra et al. [14] proposed an improvement over Lee et al.'s ElGamal-based authentication method [15]. In 2020, Ali Khan et al. [16] and Wei et al. [17] proposed two separate methods to secure smart grid and USB mass storage communication, respectively. However, these schemes were proved insecure and impractical in [18,19]. Using elliptic curve cryptography (ECC), Vaidya et al. [9] presented their authentication scheme for SH. Despite their claim of security and the lightweight property, the scheme presented in [9] is prone to several attacks including user forgery, privileged insider (PI), and password guessing (PG) attacks. Santoso and Vun [10] also proposed an authentication scheme for smart devices in SH environments. Yu et al. [20], in their recent study, claimed that the scheme presented in [10] has weaknesses against PI and stolen verifier (SV) attacks. Wazid et al. [21] also proposed an authentication scheme, and in 2019, Lyu et al. [22] claimed that Wazid et al.'s scheme is prone to desynchronization and related attacks. Another authentication scheme was also proposed by Lyu et al. [22]. After that, in the same year, Shuai et al. [23] presented another authentication scheme. The scheme of Shuai et al. was also structured upon ECC, and despite the claims presented in [23], in 2021, Kaur and Kumar [24] demonstrated the insecurity of the scheme of Shuai et al. against PI, replay, session key exposure, and related attacks. Kaur and Kumar [24] also presented an improved authentication scheme using ECC and claimed that their ECC-based scheme not only extends security but is also lightweight. However, in 2021, Yu et al. [20] proved that the scheme presented by Kaur and Kumar is prone to several weaknesses, including exposure of the session key and insecurity against impersonation attack. Moreover, Yu et al. also claimed that the scheme of Kaur and Kumar cannot provide mutual authentication.

Motivations and Contributions.
Very recently, in 2020, Yu et al. [20] presented their authentication scheme for the smart home. The scheme of Yu et al. was built on lightweight symmetric key operations (SKOs). They claimed that, due to avoidance of PKI and usage of only SKOs, their scheme is not only lightweight but also provides privacy and security to the SH devices. In this study, we show that, in contrast to the claims of Yu et al., their scheme cannot provide authentication among SH devices due to a crucial design flaw. Hence, their scheme is not practical, and to fill the gap, we propose a symmetric key-based improved lightweight authentication scheme for smart homes (SKIA-SH).

System Architecture.
A standard smart home (SH), as adopted from Yu et al.'s scheme [20], is depicted in Figure 1. The authentication entities in an SH network consist of user(s) with mobile device(s), the gateway, and the smart devices (SDs). The users can control the SDs remotely, and before deployment, the registration authority registers users and SDs and deploys secret and public parameters in the memory of users and SDs. The user monitors the working of the SDs, and the SDs communicate with the user(s) through the facilitation of gateways. The entities (smart devices) of an SH network are equipped with Wi-Fi and connect with each other and with the gateway through the public wireless channel. Moreover, the user connects with the smart devices through the gateway, and the channel used between a user and a gateway is the public Internet, which allows the communication to be administered remotely and globally. The communication of the entities of an SH through public wireless and Internet channels calls for a secure channel established through authentication and key establishment between the user(s) and the gateway. The authentication and key exchange protect the information exchanged over the public wireless channel.

Adversarial Model.
In a smart home (SH) communication architecture, one or more users communicate with smart devices (SDs) through the facilitation of the gateway and over the public wireless channel. Therefore, an SH is an attractive environment for malicious adversaries to launch several attacks, including impersonation and forgery. As per the common adversary model DY [25], an adversary has the capability to listen to the channel and can read, modify, and jam a message exchanged between the entities of the SH [26,27]. Moreover, the adversary can generate and send a fake message to any entity. The current de facto adversary model, CK [28], is adopted in this paper and in several other proposals [29,30]. The CK adversary model considers a stronger attacker: in addition to the adversarial capabilities of the DY model, the attacker can compromise either the long-term or the short-term secrets, but not both at the same time [31,32]. The CK model suggests constructing the session keys using both the long- and short-term secrets, and the session keys should be independent of each other.

Revisiting Yu et al.'s Scheme
In the following subsections, we revisit the scheme of Yu et al. [20], which provides authentication among the IoT-based smart devices and the user with the help of the gateway. The scheme is based on lightweight symmetric key operations. Before moving to the description of Yu et al.'s scheme, Table 1 is provided to explain the notations used throughout the whole paper.

Initialization.
During manufacturing, the TP generates a private key $K_{GR}$ and stores it in the memory of $GK_r$. Moreover, all the IoT-based smart devices $\{SD_q : q = 1, 2, \ldots, n\}$ are assigned unique identities $\{ID_{sq} : q = 1, 2, \ldots, n\}$. The TP also generates and stores the secret keys. The TP computes $X_{pr} = h(RID_{up} \| K_{GR} \| \alpha_{up})$ and $A_1 = X_{pr} \oplus h(\alpha_{up} \| RPW_{up})$ and sends $X_{pr}$ to $GK_r$. $GK_r$ now computes $L_{up} = h(GID_{gr} \| K_{GR}) \oplus X_{pr}$. $GK_r$ stores $L_{up}$ in its own memory, and the TP sends …; then $A_2$, $A_3$ and $A_4 = h(RID_{up} \| RPW_{up} \| \alpha_{up})$ are computed, $A_1$ is deleted, and $A_2, A_3, A_4$ are stored in the memory of $SD_q$.

Smart Device Registration.
An $SD_q$ generates $\alpha_{sq}$, computes $PID_{sq} = h(SD_q \| \alpha_{sq})$, and sends the pair $\{PID_{sq}, \alpha_{sq}\}$ to the TP. The TP now computes $X_{qr} = h(PID_{sq} \| K_{GR} \| \alpha_{sq})$, stores $\{PID_{sq}, \alpha_{sq}\}$ in $GK_r$'s database, and sends $X_{qr}$ to $SD_q$. $SD_q$ now computes $B_1 = h(SID_{sq} \| K_{SQ}) \oplus \alpha_{sq}$ and $B_2 = h(K_{SQ} \| \alpha_{sq}) \oplus X_{qr}$ and stores $B_1, B_2$ in its own memory.

Authentication.
As summarized in Figure 2, the user $U_p$ initiates the authentication phase by entering the pair of his own identity and password $\{ID_{up}, PW_{up}\}$. The user terminal device computes $\gamma_{up} = Rep(Bio_{up}, \beta_{up})$, $RID_{up} = h(ID_{up} \| \gamma_{up})$, $RPW_{up} = h(PW_{up} \| \gamma_{up})$, and $K_{UP} = h(ID_{up} \| PW_{up} \| \gamma_{up})$. Now $U_p$ extracts $A_2$, decrypts it using $K_{UP}$, and gets $A_1 = D_{K_{UP}}(A_2)$. $U_p$ further computes $\alpha_{up} = A_3 \oplus h(RID_{up} \| RPW_{up})$ and $X_{pr} = A_1 \oplus h(\alpha_{up} \| RPW_{up})$. Now, $U_p$ checks the equality $A_4 \stackrel{?}{=} h(RID_{up} \| RPW_{up} \| \alpha_{up})$, and if it holds, $U_p$ selects/generates $T_1$, $r_{up}$ and proceeds with the authentication phase through execution of the following steps:

AY 1: $U_p \rightarrow GK_r$: $U_p$ computes $M_1 = (SID_{sq} \| r_{up}) \oplus X_{pr} \oplus T_1$, $M_2 = RID_{up} \oplus h(X_{pr} \| r_{up} \| T_1)$, and $M_{pr} = h(RID_{up} \| X_{pr} \| r_{up} \| T_1)$ and sends the request message $R_1 = \{M_1, M_2, M_{pr}, T_1\}$ to $GK_r$.

AY 2: $GK_r \rightarrow SD_q$: On receiving $R_1$, $GK_r$ checks $|T_c - T_1| \le \Delta T$, where $T_c$ is the current timestamp recorded at $GK_r$ and $\Delta T$ is the allowable time delay. On successful validation of the timestamp, $GK_r$ extracts $L_{up}$ and computes $X_{pr} = h(GID_{gr} \| K_{GR}) \oplus L_{up}$, $(SID_{sq} \| r_{up}) = M_1 \oplus X_{pr} \oplus T_1$, and $RID_{up} = M_2 \oplus h(X_{pr} \| r_{up} \| T_1)$. Now, $GK_r$ checks the validity of $M_{pr} \stackrel{?}{=} h(RID_{up} \| X_{pr} \| r_{up} \| T_1)$, and if it holds, $GK_r$ selects/generates $T_2$, $r_{gr}$ and computes $M_3$ and $M_{qr} = h(RID_{up} \| GID_{gr} \| X_{qr} \| r_{up} \| r_{gr} \| T_2)$. $GK_r$ completes this step by sending $R_2 = \{M_3, M_{qr}, T_2\}$ to $SD_q$.

AY 3: $SD_q \rightarrow GK_r$: On receiving $R_2 = \{M_3, M_{qr}, T_2\}$, $SD_q$ checks $|T_c - T_2| \le \Delta T$, and on successful validation of the timestamp, $SD_q$ extracts $B_1, B_2$ from its memory and computes $\alpha_{sq} = B_1 \oplus h(SID_{sq} \| K_{SQ})$ and $X_{qr} = B_2 \oplus h(K_{SQ} \| \alpha_{sq})$; the remaining computations of this step, including $M_4$ and $M_{rq}$, are summarized in Figure 2.

AY 4: $GK_r \rightarrow U_p$: On receiving $SD_q$'s reply, $GK_r$ checks the timestamp $T_3$, and on successful validation, $GK_r$ computes $r_{sq} = M_4 \oplus h(X_{qr} \| RID_{sq} \| GID_{gr} \| T_3)$ and $SK = h(r_{up} \| r_{gr} \| r_{sq} \| RID_{up} \| GID_{gr} \| SID_{sq})$. Now, $GK_r$ checks the validity of $M_{rq} \stackrel{?}{=} h(SID_{sq} \| r_{sq} \| X_{qr} \| SK \| T_3)$. On successful validation, $GK_r$ generates $T_4$ and computes $M_5 = (GID_{gr} \| r_{gr} \| r_{sq}) \oplus h(RID_{up} \| X_{pr} \| r_{up} \| T_4)$ and $M_{rp} = h(RID_{up} \| GID_{gr} \| r_{up} \| r_{gr} \| SK \| T_4)$. Now, $GK_r$ sends $R_4 = \{M_5, M_{rp}, T_4\}$ to $U_p$.

AY 5: On receiving $R_4$, $U_p$ checks the timestamp $T_4$, and on successful validation, computes $(GID_{gr} \| r_{gr} \| r_{sq}) = M_5 \oplus h(RID_{up} \| X_{pr} \| r_{up} \| T_4)$ and the session key $SK = h(r_{up} \| r_{gr} \| r_{sq} \| RID_{up} \| GID_{gr} \| SID_{sq})$. $U_p$ checks the validity of $M_{rp} \stackrel{?}{=} h(RID_{up} \| GID_{gr} \| r_{up} \| r_{gr} \| SK \| T_4)$. On successful validation, $U_p$ considers $SD_q$ and $GK_r$ authenticated and keeps $SK$ as the session key for future secure communication.

Weaknesses of Yu et al.'s Scheme
In this section, it is shown that the scheme of Yu et al. [20] cannot provide mutual authentication among the smart devices (SDs) of a smart home (SH):

(1) $U_p$ first completes a login by entering his password, identity, and biometrics, and the user device computes and sends the request message
$R_1 = \{M_1, M_2, M_{pr}, T_1\}$. (1)

(2) On successful validation of $T_1$, $GK_r$ extracts $L_{up}$ from its database and computes
$X_{pr} = h(GID_{gr} \| K_{GR}) \oplus L_{up}$. (2)

(3) $GK_r$ computes the shared key $X_{pr}$ through equation (2), and for this, $GK_r$ needs to extract $L_{up}$ from the database stored in the memory of $GK_r$. The database has entries of the form $\{ID_{up}, L_{up} : p = 1, 2, \ldots, m\}$ if there are $m$ users. To extract $L_{up}$ from the database, $GK_r$ first needs to recognize the specific user $U_p$ with identity $ID_{up}$. However, $GK_r$ does not recognize $U_p$ because it does not receive the identity or any other user-related information in the request message $R_1$. Therefore, $GK_r$ cannot extract $L_{up}$ and equation (2)

SKIA-SH: Proposed Scheme
In this section, we present the improved scheme over Yu et al.'s scheme. For designing the improved scheme, we take the initialization phase of Yu et al. as it was designed by Yu et al. Furthermore, the smart device registration phase is also taken as it is. The proposed scheme amends some steps in the user registration and authentication phases to provide a scalable and correct mechanism for the provision of a secure channel between a user and a smart device. The proposed symmetric key-based improved authentication scheme for smart homes (SKIA-SH) is described below.

SKIA-SH: User Registration.
To initiate a registration request, the user $U_p$ generates $\alpha_{up}$, selects $ID_{up}$ and $PW_{up}$, computes $Gen(Bio_{up}) = (\gamma_{up}, \beta_{up})$, $RID_{up} = h(ID_{up} \| \gamma_{up})$, and $RPW_{up} = h(PW_{up} \| \gamma_{up})$, and sends $\{RID_{up}, RPW_{up}, \alpha_{up}\}$ to the TP through a private channel. The TP computes $X_{pr} = h(RID_{up} \| K_{GR} \| \alpha_{up})$ and $A_1 = X_{pr} \oplus h(\alpha_{up} \| RPW_{up})$ and sends $X_{pr}$ to $GK_r$. $GK_r$ now computes $L_{up} = h(GID_{gr} \| K_{GR}) \oplus X_{pr}$ and $PID_{up} = h(ID_{up} \| \alpha_{up} \| X_{pr})$. $GK_r$ stores $L_{up}$ and $PID_{up}$ in its own memory, and the TP sends …

SKIA-SH: Authentication.
The user $U_p$ initiates the authentication phase as shown in Figure 3. $GK_r$ extracts the $L_{up}$ corresponding to the received $PID_{up}$, where $PID_{up}$ is the old identity. $GK_r$ keeps the identity pair $\{PID_{up}, PID^{new}_{up}\}$ until it receives the next authentication, to avoid any identity de-synchronization, and on the next successful login, both identities are updated. Finally, $GK_r$ sends $R_4 = \{M_5, M_{rp}, T_4\}$ to $U_p$.

AP 5: On receiving $R_4 = \{M_5, M_{rp}, T_4\}$, $U_p$ checks $|T_c - T_4| \le \Delta T$, and on successful validation of the timestamp, $U_p$ computes $(GID_{gr} \| r_{gr} \| r_{sq}) = M_5 \oplus h(RID_{up} \| X_{pr} \| r_{up} \| T_4)$ and the session key $SK = h(r_{up} \| r_{gr} \| r_{sq} \| RID_{up} \| GID_{gr} \| SID_{sq})$. $U_p$ checks the validity of $M_{rp} \stackrel{?}{=} h(RID_{up} \| GID_{gr} \| r_{up} \| r_{gr} \| SK \| T_4)$. On successful validation, $U_p$ computes $PID^{new}_{up} = h(ID_{up} \| r_{gr} \| X_{pr})$, updates $PID_{up}$ with $PID^{new}_{up}$, considers $SD_q$ and $GK_r$ authenticated, and keeps $SK$ as the session key for future secure communication.
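The following added example (not code from the paper or its authors) models the gateway side of the design fault from the Weaknesses section and the SKIA-SH repair described above: with two registered users, Yu et al.'s gateway has nothing in $R_1$ to select $L_{up}$ with, whereas a gateway that receives $PID_{up}$ alongside $R_1$ (an assumed message layout) can index $L_{up}$, verify $M_{pr}$, and retain the old/new pseudonym pair. It assumes SHA-1 as $h$, a 4-byte $SID_{sq}$ and 16-byte $r_{up}$ so that XOR operands line up with the 20-byte $X_{pr}$, and that the gateway stores $ID_{up}$ beside $L_{up}$ to derive $PID^{new}_{up}$.

```python
import hashlib
import os
import struct
import time

# Assumptions (not from the paper): SHA-1 as h(); 4-byte SID_sq + 16-byte r_up = 20 bytes,
# matching the 20-byte X_pr in the XOR masks; T_1 zero-padded to 20 bytes; the gateway
# stores ID_up next to L_up so it can compute PID_new = h(ID_up||r_gr||X_pr).

def h(*parts: bytes) -> bytes:
    """h(a||b||...) with SHA-1 (the paper's hash, 20-byte digest)."""
    return hashlib.sha1(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "XOR operands must line up"
    return bytes(x ^ y for x, y in zip(a, b))

def ts20(t: int) -> bytes:
    """Timestamp encoded as 20 bytes so it can be XORed with a digest-sized value."""
    return struct.pack(">Q", t).rjust(20, b"\0")

class Gateway:
    def __init__(self, gid: bytes, k_gr: bytes):
        self.gid, self.k_gr = gid, k_gr
        self.by_pid = {}     # SKIA-SH: PID_up -> (ID_up, L_up); old and new PID both kept
        self.verifiers = []  # Yu et al.: L_up values that R_1 gives no way to index

def x_pr_of(gw: Gateway, l_up: bytes) -> bytes:
    return xor(h(gw.gid, gw.k_gr), l_up)                # X_pr = h(GID_gr||K_GR) xor L_up

def register(gw: Gateway, id_up: bytes, pw_up: bytes, gamma_up: bytes) -> dict:
    """TP and GK_r side of user registration; returns what the user device keeps."""
    alpha_up = os.urandom(20)
    rid_up, rpw_up = h(id_up, gamma_up), h(pw_up, gamma_up)
    x_pr = h(rid_up, gw.k_gr, alpha_up)                 # X_pr = h(RID_up||K_GR||alpha_up)
    l_up = xor(h(gw.gid, gw.k_gr), x_pr)                # L_up = h(GID_gr||K_GR) xor X_pr
    pid_up = h(id_up, alpha_up, x_pr)                   # SKIA-SH: PID_up = h(ID_up||alpha_up||X_pr)
    gw.verifiers.append(l_up)
    gw.by_pid[pid_up] = (id_up, l_up)
    return {"id": id_up, "rid": rid_up, "x_pr": x_pr, "pid": pid_up}

def build_r1(user: dict, sid_sq: bytes, t1: int, r_up: bytes) -> tuple:
    """User side of the first step: M_1, M_2, M_pr as the paper defines them."""
    x = user["x_pr"]
    m1 = xor(xor(sid_sq + r_up, x), ts20(t1))           # M_1 = (SID_sq||r_up) xor X_pr xor T_1
    m2 = xor(user["rid"], h(x, r_up, ts20(t1)))         # M_2 = RID_up xor h(X_pr||r_up||T_1)
    m_pr = h(user["rid"], x, r_up, ts20(t1))            # M_pr = h(RID_up||X_pr||r_up||T_1)
    return (m1, m2, m_pr, t1)

def verify_r1(gw: Gateway, l_up: bytes, r1: tuple, skew: int = 5):
    """Gateway step once L_up is known: returns RID_up on success, None otherwise."""
    m1, m2, m_pr, t1 = r1
    if abs(int(time.time()) - t1) > skew:               # |T_c - T_1| <= Delta T
        return None
    x = x_pr_of(gw, l_up)
    r_up = xor(xor(m1, x), ts20(t1))[4:]                # (SID_sq||r_up) = M_1 xor X_pr xor T_1
    rid = xor(m2, h(x, r_up, ts20(t1)))                 # RID_up = M_2 xor h(X_pr||r_up||T_1)
    return rid if m_pr == h(rid, x, r_up, ts20(t1)) else None

def yu_gateway(gw: Gateway, r1: tuple):
    """Yu et al.: R_1 carries no identity, so with more than one user L_up cannot be chosen."""
    return verify_r1(gw, gw.verifiers[0], r1) if len(gw.verifiers) == 1 else None

def skia_gateway(gw: Gateway, pid_up: bytes, r1: tuple, r_gr: bytes):
    """SKIA-SH: PID_up (assumed sent with R_1) indexes L_up; old/new PID pair retained."""
    if pid_up not in gw.by_pid:
        return None
    id_up, l_up = gw.by_pid[pid_up]
    rid = verify_r1(gw, l_up, r1)
    if rid is None:
        return None
    new_pid = h(id_up, r_gr, x_pr_of(gw, l_up))         # PID_new = h(ID_up||r_gr||X_pr)
    gw.by_pid[new_pid] = (id_up, l_up)                  # keep both until the next login
    return rid

def demo() -> dict:
    """Constructed scenario: two users registered, then Alice sends R_1."""
    gw = Gateway(b"GW01", os.urandom(20))
    alice = register(gw, b"alice", b"pw-a", os.urandom(20))
    register(gw, b"bob", b"pw-b", os.urandom(20))
    r1 = build_r1(alice, b"SD01", int(time.time()), os.urandom(16))
    yu = yu_gateway(gw, r1)
    skia = skia_gateway(gw, alice["pid"], r1, os.urandom(20))
    return {"yu_ok": yu == alice["rid"], "skia_ok": skia == alice["rid"],
            "pids_kept": len(gw.by_pid)}
```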

Formal Security Analysis through BAN
We present the formal security analysis of the proposed scheme by employing the Burrows-Abadi-Needham (BAN) logic [33]. In this BAN logic analysis, we discuss the security evaluation with an emphasis on mutual authenticity among legal participants, protection of the session key, and key distribution among the participants.
(ii) $S \triangleleft X$: $S$ sees $X$. (iii) $S \mid\sim X$: $S$ once said $X$ and believes that $X$ is true. (iv) $S \mid\Rightarrow X$: $S$ has jurisdiction over $X$. (v) $\#(X)$: $X$ is fresh and not replayed. (vi) $(X, X')$: $X$ and $X'$ are parts of a hash digest message. (vii) $\langle X, X' \rangle_k$: $X$ and $X'$ are exchanged using the mutually agreed key $k$. (viii) $S \xleftrightarrow{K} S'$: the communication between $S$ and $S'$ is secured using $K$ as the key.

Some rules used in the analysis are listed below: $R_1$: message meaning rule; $R_2$: nonce verification rule; Rule 3: jurisdiction rule; Rule 4: freshness conjunction rule; Rule 5: belief rule; Rule 6: session key rule. The idealized form of the communication messages is given below. To prove the model, we construct the following premises.

Next, we use the designed idealizations in the following formulations. Considering $R_1$ and $R_2$ of the idealized formalization: (i) $R_1$: $U_p \rightarrow GK_r$: $\{M_1, M_2, M_{pr}, T_1\}$: $\{\langle SID_{sq}, r_{up}, T_1 \rangle_{X_{pr}}, \langle RID_{up} \rangle_{h(X_{pr}, r_{up}, T_1)}, (RID_{up}, r_{up}, T_1)_{X_{pr}}, T_1\}$.

Through $F_{17}$, we apply the session key rule. By applying $F_{18}$, $\kappa_2$, $\kappa_{14}$, we use the session key rule. This BAN logic analysis proves sufficiently that our contributed model achieves the targeted goals by attaining mutual authenticity among the legal entities of the system.

Informal Security Analysis.
An informal discussion of the security features of the proposed scheme is provided in the following.

Mutual Authentication.
In the proposed scheme, all participating entities, namely $U_p$, $GK_r$, and $SD_q$, mutually authenticate one another. $GK_r$ authenticates $U_p$ after extracting $L_{up}$, computing $X_{pr}$, and verifying the $M_{pr}$ factor with a fresh timestamp $T_1$. Similarly, $GK_r$ authenticates $SD_q$ after computing and evaluating the correctness of the $M_{rq}$ parameter. No malicious entity can compute the $r_{sq}$ factor without applying the shared secret $X_{qr}$. Likewise, $U_p$ authenticates $GK_r$ and $SD_q$ by verifying the $M_{rp}$ factor. $U_p$ knows that no adversary can calculate the constituent factors, including $SK$, $GID_{gr}$, $r_{gr}$, and $r_{sq}$, needed to compute $M_{rp}$ without using the shared secret $X_{pr}$. Finally, $SD_q$ endorses both $U_p$ and $GK_r$ after verification of the $M_{qr}$ parameter. $SD_q$ verifies the validity of the $RID_{up}$, $GID_{gr}$, $r_{up}$, and $r_{gr}$ factors through the shared secret $X_{qr}$.

Anonymity and Untraceability.
The proposed scheme preserves anonymity because $U_p$ does not send its real identity $ID_{up}$ in plaintext over the insecure channel. To achieve this property, it computes $RID_{up}$ by hashing the real identity $ID_{up}$ together with the high-entropy random value $\gamma_{up}$. Moreover, this hidden identity is submitted to $GK_r$ under the cover of the shared secret $X_{pr}$. An adversary may eavesdrop on the $M_2$ message from the open channel; however, it can extract neither $RID_{up}$ nor the hidden identity $ID_{up}$ from $M_2$. Similarly, our scheme is untraceable, since no adversary can distinguish or trace the similarity among messages of different sessions of the same user. Thus, our scheme supports anonymity and untraceability for the user $U_p$.

Impersonation Attacks.
Our scheme is resistant to both $U_p$ and $GK_r$ impersonation attacks. The adversary may attempt to impersonate $U_p$, and for this it can replay $R_1 = \{M_1, M_2, M_{pr}, T_1\}$ or modify $R_1$ and send it to $GK_r$; the latter detects the impersonation attempt if the $M_{pr}$ check is not satisfied. Similarly, if an adversary attempts a $GK_r$ impersonation attack towards $U_p$ by manipulating the $R_4$ message, $U_p$ detects any forgery on the part of the adversary by constructing the session key $SK$ and verifying the $M_{rp}$ equation. Hence, the proposed scheme resists any possibility of impersonation attack.

Replay Attack.
The attacker may eavesdrop on the contents exchanged on the public channel and replay the eavesdropped contents. The proposed scheme resists replay attacks because it employs the timestamps $T_1$–$T_4$ to ensure the freshness of each constructed and submitted message $R_1$–$R_4$, respectively. An adversary cannot compute fresh messages $R_1$–$R_4$ without access to the shared secrets $X_{pr}$ and $X_{qr}$, which are possessed only by the legitimate entities of the system.

Stolen Verifier Attack.
The proposed scheme is immune to the stolen verifier attack. In our scheme, even if the adversary learns the users' verifiers such as $L_{up}$, the adversary still needs the private key $K_{GR}$ to compute $X_{pr}$ and recover further information. It is too hard for a polynomial-time adversary to guess the private secret key $K_{GR}$ of $GK_r$. Thus, our scheme is resistant to the stolen verifier attack.

Man in the Middle Attack.
In our scheme, if an attacker attempts to act as a malicious intermediary among the $U_p$, $GK_r$, and $SD_q$ entities by manipulating the messages $R_1$–$R_4$, it will be detected in the verification procedures of $M_{pr}$, $M_{qr}$, $M_{rp}$, and $M_{rq}$ at the respective entities. It is evident from the subsection on resistance to impersonation attacks that if an attacker attempts to replay or modify the parameters of intermediate messages, it will not succeed. Hence, our scheme resists the man-in-the-middle attack.

Perfect Forward Secrecy.
The proposed scheme supports perfect forward secrecy because even if the private secret key $K_{GR}$ of $GK_r$ is revealed to the adversary, the latter will not be able to compute $X_{pr}$ without accessing the parameter $L_{up}$, which is stored in the repository of $GK_r$. Thus, the adversary cannot compute current, previous, or future session keys in case the long-term private secret of $GK_r$ is exposed.

$SD_q$ Physical Capture.
In the proposed scheme, if the device $SD_q$ is physically captured by the adversary and the latter extracts $B_1$ and $B_2$ from the memory of the device, it will not be able to recover the shared secret $X_{qr}$ because it lacks access to the private key of $SD_q$. Moreover, even if the adversary is able to access $SD_q$'s private key, it will only be able to compute the session key of that particular device, while the rest of the smart devices in the system remain protected and the attacker will not be able to compute their session keys.

Comparisons
In the following subsections, we provide the comparisons of the proposed SKIA-SH and relevant schemes of Wazid et al. [21], Shuai et al. [23], Kaur and Kumar [24], and Yu et al. [20].

Security Features.
The security attribute provision of the proposed SKIA-SH and the related schemes [20,21,23,24] is shown in Table 2. Referring to Table 2, except for the proposed SKIA-SH scheme, all the related schemes presented in [20,21,23,24] entail one or more weaknesses: the scheme of Yu et al. [20] has a faulty design and cannot provide mutual authentication between a user and smart devices (SDs), as proved in Section 3 of this paper. The scheme of Kaur and Kumar [24] has weaknesses against the session key disclosure attack and cannot provide mutual authentication between a user and SDs. The scheme of Shuai et al. [23] cannot resist offline password guessing, insider, replay, and session key disclosure attacks, whereas the scheme of Wazid et al. [21] cannot provide forward secrecy and cannot resist replay and de-synchronization attacks. Only the proposed SKIA-SH provides the requisite security attributes and is well suited for smart home (SH) environments.

Computation Cost.
In this section, using a real-time experiment, we provide a comparative computation cost of our SKIA-SH and some of the recent schemes [20,21,23,24]. We conducted the experiment using three devices with the following underlying hardware and software: ① a Xiaomi Redmi Note 8 equipped with 4 GB RAM, an octa-core 2.01 GHz μprocessor, and Android 9 with MIUI V.11.0.7; this smartphone simulates the user/mobile device. ② For $GK_r$, we adopted an HP EliteBook 8460P equipped with 4 GB RAM and a 2.7 GHz Intel μprocessor, running Ubuntu 16 LTS. ③ The smart device $SD_q$ is simulated through a Pi B+ with a Cortex-A53 ARMv8 64-bit SoC, 1 GB LPDDR2 SDRAM, and a 1.4 GHz μprocessor. Among other operations, the biohashing/fuzzy extraction $T_{fb}$ is approximated by an elliptic-curve point multiplication $T_{em}$. The notations and …

Communication Cost.
This section shows the comparisons of our SKIA-SH and the schemes of [20,21,23,24]. For the communication cost (CC) comparisons, we adopted SHA-1 with a 20-byte output size. The identities and timestamps are 8 bytes and 4 bytes, respectively. The random numbers are 20 bytes long, and the adopted encryption/decryption algorithm, AES-128, takes a 16-byte input and produces a 16-byte output. The size of a coordinate of an elliptic curve point (ECP) is 20 bytes, and the total length of an ECP is 20 + 20 = 40 bytes. The SKIA-SH (proposed scheme) completes an authentication round by exchanging four (4) messages. The computation and communication cost comparisons are also depicted in Table 4.

Conclusion
In this article, we highlighted the need for secure communication between the smart devices and users through the facilitation of the gateway in the smart home (SH) settings of the IoT. We then reviewed a very recent authentication scheme of Yu et al. We proved that their symmetric key-based efficient and secure authentication scheme entails a critical design flaw, and owing to this design flaw, the scheme of Yu et al. cannot complete a cycle of the authentication process. An improved scheme, free of design flaws and based only on symmetric key functions, for SH (SKIA-SH) is proposed to mitigate the security and efficiency issues of SH environments. The security of SKIA-SH is substantiated through BAN logic. Moreover, we provided a brief discussion of the security attributes provided by the proposed SKIA-SH. To measure the performance, we set up a real-time experiment, and the results show that SKIA-SH is more secure while incurring only slightly higher computation and communication costs when compared with the original scheme of Yu et al. SKIA-SH accomplishes the authentication between a user and a smart device, involving the gateway, in 5.34 ms and by exchanging 216 bytes. As future work, we intend to extend the proposed method to work in a building area network to provide central and apartment-based services.

Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.