sensors

Article
A Secure IoT-Based Authentication System in Cloud
Computing Environment
Hsiao-Ling Wu 1 , Chin-Chen Chang 1 , Yao-Zhu Zheng 2 , Long-Sheng Chen 3, *
and Chih-Cheng Chen 4,5
1 Department of Information Engineering and Computer Science, Feng Chia University,
Taichung 40724, Taiwan; [email protected] (H.-L.W.); [email protected] (C.-C.C.)
2 Department of Computer Science, National Tsing Hua University, Hsinchu 30013, Taiwan;
[email protected]
3 Department of Information Management, Chaoyang University of Technology, Taichung 41349, Taiwan
4 Information and Engineering College, Jimei University, Fujian 361021, China; [email protected]
5 Department of Industrial Engineering and Management, Chaoyang University of Technology,
Taichung 413310, Taiwan
* Correspondence: [email protected]




Received: 18 August 2020; Accepted: 27 September 2020; Published: 30 September 2020


Abstract: The Internet of Things (IoT) is currently the most popular field in communication and
information techniques. However, designing a secure and reliable authentication scheme for IoT-based
architectures is still a challenge. In 2019, Zhou et al. showed that schemes pro-posed by Amin et
al. and Maitra et al. are vulnerable to off-line guessing attacks, user tracking attacks, etc. On this
basis, a lightweight authentication scheme based on IoT is proposed, and an authentication scheme
based on IoT is proposed, which can resist various types of attacks and realize key security features
such as user audit, mutual authentication, and session security. However, we found weaknesses in
the scheme upon evaluation. Hence, we proposed an enhanced scheme based on their mechanism,
thus achieving the security requirements and resisting well-known attacks.

Keywords: Internet of things (IoT); lightweight authentication; user anonymity; cloud computing

1. Introduction
With the rapid development of computer science and network technology, the concept of the
Internet of Things (IoT) has become a hot topic for research. A scientist named Ashton introduced this
concept in 1991. In IoT, numerous sensors have the capability of collecting data and communicating
with each other or providing data for human beings through the Internet.
Therefore, technology can be widely used in the smart power grid, smart home, and other fields.
In a smart grid, sensors monitor electric energy consumption and time-of-use rates for power stations.
Then, the stations can optimize power supply. In the intelligent transportation system, sensors monitor
traffic to optimize navigation. In the smart home, users can control, monitor, and access items remotely.
Though IoT is close to our lives, it suffers from security challenges due to the wireless nature of the
communication channel [1].
In order to protect against those security challenges in IoT, authentication is indispensable.
Authentication guarantees that the messages received by the receiver are from a legal message sender.
It serves as the first line of defense against potential attackers. Authentication is considered the key
requirement for IoT [2]. The cryptography in authentication falls into two broad categories: symmetric
encryption and asymmetric encryption. Common asymmetric encryption includes elliptic-curve
cryptography (ECC) and RSA encryption.

Sensors 2020, 20, 5604; doi:10.3390/s20195604 www.mdpi.com/journal/sensors

Sensors 2020, 20, 5604 2 of 14

Asymmetric encryption uses pairs of keys, i.e., public key and private key. Although, asymmetric
encryption is generally considered to have higher security, it requires a higher computational cost. On
the other hand, common symmetric encryption, e.g., the advanced encryption standard (AES) and data
encryption standard (DES), use a shared key between two or more parties. Symmetric encryption has
the advantages of low computational cost and fast encryption speed. Some authentication schemes have
been recently presented by using asymmetric encryptions [3–10]. However, traditional asymmetric
encryptions do not suit IoT devices due to limited resources of most IoT devices, which gives rise to
lightweight authentication schemes [11–21].
To solve security disadvantages, many lightweight authentication schemes have been proposed.
In 1981, Lamport [22] first suggested lightweight authentication using a password. The scheme
also uses hash chains to go through unsafe communication channel for remote user authentication.
However, the scheme relies on a password table, which makes it very easy to steal personal data.
After that, many user authentications with a password and key negotiation techniques have been put
forward [23–30]. In 2007, Liao et al. [31] proposed an authentication scheme based on a hash function
for a multi-server environment. Further, Hsiang et al. [32] pointed out that Liao et al.’s scheme [31] is
subject to multiple security threats, e.g., insider attack, masquerade attack, and user/server forgery
attacks. Hsiang et al. [32] then proposed a new authentication scheme and claimed their scheme has
fewer computations and higher security. In 2011, Sood et al. [33] proposed an authentication scheme
using a dynamic identity for multi-server circumstances and criticized Hsiang et al.’s scheme [32] for
having a wrong password change phase and not resisting replay and impersonation attacks. In the same
year, Lee et al. [34] assessed Sood et al.’s programme [33] and concluded that it was not safe. In 2014,
Xue et al. [35] pointed out that Lee et al.’s scheme [34] failed under the circumstances of pseudonym
attack and offline password guessing attack. Later, Amin et al. [36] criticized the scheme in [35], saying
that it lacked identity hiding features and could not resist offline password guessing attack. Recently,
some authentication schemes are also used in vehicular ad-hoc networks (VANETs) [37–40] or smart
grid [41]. It shows the universality of authentication. In 2019, Zhou and other [42] proposed their
scheme based on a hash function and exclusive or operation of the two-factor authentication scheme,
claiming their authentication scheme has been proven safe and could resist various attacks.
We reviewed the scheme of Zhou et al. [42] and pointed out the weaknesses such as the inability
of replay attacks to achieve user anonymity and provide mutual authentication. We proposed an
improved scheme that has a better balance between efficiency and security. Therefore, the scheme is
more suitable for IoT based environment. The contribution of this paper is to enhance the resistance
to replay attack, thus improving user anonymity and providing mutual authentication based on
Zhou et al.’s scheme [42].
The rest of this article is arranged as follows: Section 2 provides an overview of Zhou et al. ‘s
scheme, focusing on its registration and certification phases. Then, the security analysis of the scheme
proposed by Zhou et al. [42] was conducted. Section 3 introduces the scheme we proposed. Safety
analysis and performance evaluation are described in Sections 4 and 5. Section 6 gives the conclusion.

2. Related Works
In Section 2.1., we will introduce the authentication scheme proposed by Zhou et al. [42].
In addition, we will present the security issues of Zhou et al.’s scheme in Section 2.2.

2.1. Review of Zhou et al.’s Scheme

Zhou et al.’s scheme is divided into three stages: registration, authentication, and password
modification. Here, we introduce the first two phases.

2.1.1. Registration Phase

There are two parts in this phase: user registration and cloud server registration.
Sensors 2020, 20, 5604 3 of 14

User Registration
First, user Ui selects four values (i.e., identity IDi , pseudo-identity PIDi , password PWi , and a
random number bi to calculate HPi = h(PWi ||bi ). The Ui then sends the IDi and PIDi to the control
server CS. When CS receives (IDi , PIDi ), CS will check whether or not IDi is in the database. If not,
CS uses secret key x to calculate C1 * = h(PIDi ||IDcs||x) and C2 * = h(IDi ||x); otherwise, CS will stop the
authentication. CS stores IDi in its database and sends (C1 * , C2 * , IDcs) to Ui . When Ui receives (C1 * ,
C2 * , IDcs), Ui calculates three values, C1 = C1 * ⊕HPi , C2 = C2 * ⊕h(IDi ||HPi ), and C3 = bi ⊕h(IDi ||PWi ), then
stores (C1 , C2 , C3 , PIDi , IDcs ) in a smart card.

Cloud Server Registration

Cloud server Sj sends (SIDj , PSIDj ) to CS, where SIDj is the identity of Sj and PSIDj is the
pseudo-identity of Sj . When CS receives (SIDj , PSIDj ), CS calculates B1 = h(PSIDj ||IDcs ||x) and
B2 = h(SIDj ||x). Finally, CS stores SIDj in a database and sends (B1 , B2 , IDcs ) to Sj , and Sj stores (B1 , B2 ,
SIDj , PSIDj , IDcs ) in a memory.

2.1.2. Authentication Phase

When user Ui wants to connect with a cloud server, the user will perform the following five steps
with the cloud server (Sj ) and the control server (CS).
Step 1: User inputs his IDi and PWi . A smart card will select a random number ru and new
pseudo-identity PIDi new ; then, it calculates bi = C3 ⊕h(IDi ||PWi ), HPi = h(PWi ||bi ), C1 * = C1 ⊕HPi ,
and C2 * = C2 ⊕h(IDi ||HPi ). The smart card then calculates D1 = C1 * ⊕ru , D2 = h(ru ||PIDi ||IDcs )⊕IDi ,
D3 = C2 * ⊕h(IDi ||HPi )⊕ PIDi new ⊕h(ru ||IDi ), and D4 = h(IDi ||PIDi ||PIDi new ||ru ||D3 ). Ui sends the message
M1 = {PIDi , D1 , D2 , D3 , D4 } to Sj .
Step 2: When Sj receives M1 , Sj selects a new pseudo-identity PSIDj new and a random
number rs to calculate D5 = B1 ⊕rs , D6 = h(rs ||PSIDj ||IDcs )⊕SIDj , D7 = B2 ⊕PSIDj new ⊕h(rs ||PSIDj ),
and D8 = h(SIDj ||PSIDj ||PSIDj new ||rs ||D7 ). Sj sends the message M2 = {M1 , PSIDj , D5 , D6 , D7 , D8 } to CS.
Step 3: When CS receives M2 , CS calculates ru = D1 ⊕h(PIDi ||IDcs ||x), IDi = D2 ⊕h(ru ||PIDi ||IDcs ),
and PIDinew = D3 ⊕h(IDi ||x)⊕h(ru ||IDi ). CS checks whether IDi in the database and D4 ? =
h(IDi ||PIDi ||PIDinew ||ru ||D3 ). If IDi is in the database and D4 = h(IDi ||PIDi ||PIDinew ||ru ||D3 ), it means that CS
confirms Ui is a legal user. Otherwise, the authentication process will be terminated. Then, CS calculates
rs = D5 ⊕h(PSIDj ||IDcs ||x), SIDj = D6 ⊕h(rs ||PSIDj ||IDcs ), and PSIDj = D7 ⊕h(SIDj ||x)⊕h(rs ||SIDj ). CS checks
whether SIDj is in database and D8 = h(SIDj ||PSIDj ||PSIDj new ||rs ||D7 ). If SIDj is in the database and D8 =
h(SIDj ||PSIDj ||PSIDj new ||rs ||D7 ), it means that CS confirms the Sj is legal. Then, CS selects a random
number rcs to calculate the session key SK = h(ru ⊕rs ⊕rcs ), D9 = h(PSIDj new ||IDcs ||x)⊕h(rs ||PSIDj new ), D10 =
h(PSIDj new ||rs ||PSIDj )⊕(ru ⊕rcs ), D11 = h(SKcs ||D9 ||D10 ||h(SIDj ||x)), D12 = h(PIDi new ||IDcs ||x)⊕h(ru ||PIDi new ),
D13 = h(PIDi new ||ru ||PIDi )⊕(rs ⊕rcs ), and D14 = h(SKcs ||D12 ||D13 ||h(IDi ||x)). CS sends the message M3 =
{D9 , D10 , D11 , D12 , D13 , D14 } to Sj .
Step 4: When Sj receives M3 , Sj calculates (ru ⊕rcs = D10 ⊕h(PSIDj new ||rs ||PSIDj ). Hence, Sj can
compute SK = h(ru ⊕rs ⊕rcs ). Then, Sj checks D11 ? = h(SKs ||D9 ||D10 ||B2 ) to confirm that CS is a legal
control server or not. If CS is a legal control server, Sj calculates B1 new = D9 ⊕h(rs ||PSIDj new ), updates B1
and PSIDj as B1 new and PSIDj new in memory. Sj sends message M4 = {D12 , D13 , D14 } to Ui .
When Ui receives M4 , Ui calculates (rs ⊕rcs ) = D13 ⊕h(PIDi new ||ru ||PIDi ) and SK = h(ru ⊕rs ⊕rcs ). Then,
Ui checks D14 ? = h(SKu ||D12 ||D13 ||C2 * ) to confirm that CS is a legal control server or not. Ui calculates
C1 new = D12 ⊕h(ru ||PIDi new )⊕HPi , updates C1 and PIDi in memory to C1 new and PIDi new .

2.2. Analysis of Zhou et al.’s Scheme

We found three weaknesses in Zhou et al.’s scheme at the certification stage. First, Zhou et al.’s
scheme cannot achieve mutual authentication. Second, Zhou et al.’s scheme cannot work against a
replay attack. Third, Zhou et al.’s scheme cannot guarantee anonymity in the authentication phase.
Sensors 2020, 20, 5604 4 of 14

2.2.1. Zhou et al.’s Scheme Cannot Achieve Mutual Authentication

Mutual authentication refers to the mutual verification between two entities. In Zhou et al.’s
scheme, CS verifies Ui by checking D4 ? = h(IDi ||PIDi ||PIDi new ||ru ||D3 ) in Step 3 of the authentication
phase. We know D3 = C2 * ⊕h(IDi ||HPi )⊕PIDi new ⊕h(ru ||IDi ) and C2 * = h(IDi ||x) from Step 1 of the
authentication phase and the user registration. When CS computes D3 ⊕h(IDi ||x)⊕h(ru ||IDi ), CS only
can obtain h(IDi ||HPi )⊕PIDi new , where the parameter HPi is only known by Ui . CS cannot successfully
calculate PIDi new from D3 ⊕h(IDi ||x)⊕h(ru ||IDi ), even if the message M1 = {PIDi , D1 , D2 , D3 , D4 } is sent
from a legal user Ui . Therefore, Zhou et al.’s scheme was unable to complete mutual authentication.

2.2.2. Zhou et al.’s Scheme Cannot Guarantee Anonymity in Authentication Phase

A solution that provides anonymity must ensure that no one except the server knows the user’s
personal information. We assume that the attacker UA is a legitimate user. Hence, UA will obtain
(C∗1 = h(PIDA ||IDcs ||x), C∗2 = h(IDA ||x), IDcs ) from CS in the user registration phase. Once UA intercepts
the message M1 = {PIDi , D1 , D2 , D3 , D4 } from Ui and uses PIDi as new pseudo-identity to restart an
authentication session, UA can obtain the IDi of the user Ui . Details of the process are as follows.
Step 1: First, UA chooses a random number rA to calculate D1 = C1 * ⊕rA , D2 = h(rA ||PIDA ||IDcs )⊕IDA ,
D3 = C2 * ⊕h(IDA ||HPA )⊕PIDi ⊕h(rA ||IDA ), and D4 = h(IDA ||PIDA ||PIDi ||ru || D3 ). UA sends the message
M1 = {PIDA , D1 , D2 , D3 , D4 } to Sj .
Step 2: When UA receives M4 = { D12 , D13 , D14 }, UA can compute IDi = D2 ⊕h(D1 ⊕
D12 ⊕h(rA ||PIDi ) ||PIDi ||IDcs ), where D1 = h(PIDi ||IDcs ||x)⊕ru , D2 = h(ru ||PIDi ||IDcs )⊕IDi , and
D12 = h(PIDi ||IDcs ||x)⊕h(rA ||PIDi ).
Therefore, Zhou et al.’s scheme cannot guarantee anonymity in the authentication phase.

3. Proposed Scheme
After we reviewed the shortcomings of Zhou et al.’s scheme, an improved scheme is put forward.
The improvements include registration, authentication, and password modification.

3.1. Notations
The following is the introduction to the notations that will be used in our scheme.
Ui is the ith user.
IDi is the ith user’s identity.
PWi is the ith user’s password.
ni is a random number.
CS is the control server.
PIDi is the ith user’s pseudo-identity.
IDcs is the control server’s identity.
SIDj is the jth server’s identity.
PSIDj is the jth server’s pseudo-identity.
x is the secret key of CS.
h () is a one-way hash function.
ru , rs, rcs are the random numbers selected by Ui , Sj , and CS.
SKu , SKs, SKcs are the session keys for Ui , Sj , and CS.
M1 , M2 , M3 , M4 are the messages in the authentication.

3.2. Registration Phase

This phase is divided into two parts: user registration and cloud server registration. When a user
or a cloud server wants to join this system, he/she must run this phase first. After the user and the cloud
server successfully finish this phase, they can connect with each other to start the authentication phase.
 3.2. Registration Phase
This phase is divided into two parts: user registration and cloud server registration. When a user
or a cloud server wants to join this system, he/she must run this phase first. After the user and the
cloud server successfully finish this phase, they can connect with each other to start the authentication
Sensors 2020, 20, 5604 5 of 14
phase.

3.2.1.User
3.2.1. UserRegistration
Registration
UserUUi iselects
User selects their own own id idID IDi,i ,password
passwordPW PW i, random
i , random number
number ni. He/she
ni . He/she sends IDi toID
sends CSi to byCS the
secure
by channel.
the secure When When
channel. CS receives IDi, CSID
CS receives checks
i , CS it
checksfor its
it validity.
for its If it
validity.is invalid,
If it is CS
invalid,will stop
CS this
will
phase;
stop thisotherwise,
phase; otherwise, CS selectsCS a pseudo-identity
selects a pseudo-identity PIDi for UPID i and usesUthe
i for i and secret
useskey thexsecret
to compute key x A toi =
h(PIDi||ID
compute Ai cs=||x)
h(PID and i ||ID = ||x)
Bi cs h(ID i||x).
and = h(ID
Bi CS i ||x).IDCS
stores i instores
its databaseIDi in its and sends (A
database andi, Bisends
, PIDi, (A IDi ,cs)Bto Ui by
i , PID i,
the
ID cs ) secure
to U i by channel.
the secure Once
channel.U i obtains
Once U these
i obtains parameters,
these U
parameters, i calculates
U i C
calculates
1 = AC i ⊕h(ID
1 = A i ||n
⊕h(ID
i i), ||n
i i =
C 2),
CB ⊕h(PW
2 i= Bi ⊕h(PWi||nii||n
), C Cn3 i⊕h(ID
i ),3 = = ni ⊕h(IDi||PW i ||PW
i), and
i ), and 4 = h(ID
C4 =Ch(ID i||PW i ||PW
i||n i ||n
i) and
i ) and then
then stores
stores (C(C1, C1 ,2,CC23,, C
C34, CPID i, IDics
4 , PID ,)
incsa) in
ID smart
a smartcard.card.
The The flowchart
flowchart for user
for user registration
registration is shown is shown in Figure 1. 1.
in Figure

Figure1.1.The
Figure Theflowchart
flowchartofofthe
theuser
userregistration
registrationphase.
phase.

3.2.2.
3.2.2.Cloud CloudServer
ServerRegistration
Registration
AAcloud serverSjSsends
cloudserver its identity SIDj jand
j sends its identity SID pseudo-identityPSID
andaapseudo-identity toCS
PSIDj jto CSby
byaasecure
securechannel.
channel.
Then, CS uses the secret key x to compute A = h(PSID ||ID ||x)
Then, CS uses the secret key x to compute Aj j = h(PSIDjj||IDcscs||x) and jBj = h(SIDjj||x), storesSID
and B = h(SID ||x), stores j in
SID its
j in its
database,
database,and andsends
sends(A(Aj , jB
, jB, jID
, ID ) )totoSSj jby
cscs byaasecure
securechannel. WhenSSj jreceives
channel.When receivesthese parameters,SjSstores
theseparameters, j stores
(A(Aj , jB
, j
B , SID j , SPID j , IDcs ) in its memory. The flowchart of the cloud server registration
j, SIDj, SPIDj, IDcs) in its memory. The flowchart of the cloud server registration phase is shown
phase is shown
Sensors 2020, 20, x FOR PEER REVIEW 6 of 16
ininFigure
Figure2.2.

Figure 2. The flowchart of the cloud server registration phase.

3.3. Authentication Phase

Figure 2. The flowchart of the cloud server registration phase.
When the user Ui needs to retrieve services from the cloud server Sj , this authentication must
start to make sure of the legitimacy of both the user and the cloud server. After the authentication
phase is completed, the user will negotiate a session key SK. By this session key, Ui can connect with Sj
securely. The processes of the authentication phase are shown as follows and Figure 3.
3.2. Authentication Phase
When the user Ui needs to retrieve services from the cloud server Sj, this authentication must
start to make sure of the legitimacy of both the user and the cloud server. After the authentication
phase is completed, the user will negotiate a session key SK. By this session key, Ui can connect with
Sensors 2020, 20, 5604 6 of 14
Sj securely. The processes of the authentication phase are shown as follows and Figure 3.

Figure 3. The processes of the authentication phase.

Step
Step 1: 1: When
Whenuser userUU i attempts
i attempts to to connect
connect to cloud
to cloud server server Sj , he/she
Sj, he/she inserts inserts the smart
the smart card intocarda
into a reader machine and keys
reader machine and keys in IDi and i PWi. Then, in ID and PW i . Then, the smart card selects
the smart card selects a random number ru and a random number ru
and calculates n
calculates ni = C3⊕h(IDi = C ⊕h(ID ||PW
3 i||PWii). Then, i ). Then, the smart card
the smart card checks h(IDi||PWi||n checks h(ID ||PW ||n )?
i i)? i= Ci4 to verify= C to verify
4 the identity the
identity and password. If the verification passed,
and password. If the verification passed, the smart card will calculate Ai = C1⊕h(ID the smart card will calculate A i = C1 ⊕h(ID ||n ),
i||ni), i Bi i =
B = C
Ci2⊕h(PW2 ⊕h(PW ||n
i||nii), D
),
i 1=AD = A ⊕r , D
1 i⊕rui , Du2 = h(r =
2 u||PIDh(r ||PID
u i||ID ||ID
i cs)⊕IDcs )⊕ID i
i, and
, and D = h(ID
D3 =3 h(IDi||PID i ||PID ||r ). Finally, the
i uu). Finally, the smart
i||r
smart
card sends M 1 = {PID i , D 1
card sends M1 = {PIDi, D1, D2, D3} to Sj., D 2 , D 3 } to Sj .
0 and a random number r to
Step
Step 2: When SSjj receives
2: When receives M M11,, S Sjj selects
selects aa new pseudo-identity PSID j and
new pseudo-identity a random number rss to
calculate
calculate D D = A ⊕r
4 4 = j Aj⊕r , D = h(r ||PSID
s s,5 D5 =s h(rs||PSID j ||ID )⊕SID , D
cs j||IDcsj)⊕SID 6 = B ⊕ PSID
j , j D6 = B
0 ⊕h(r
j j⊕ s
||PSID ),
⊕h(r
j and D7 = h(SID
s||PSID j), andj ||PSID
D7 j =||
PSID j ||rs ||D6 ). Then, Sj sends message M2 = {M1 , PSIDj , D4 , D5 , D6 , D7 } to CS.
0
h(SIDj||PSIDj|| ||rs||D6). Then, Sj sends message M2 = {M1, PSIDj, D4, D5, D6, D7} to CS.
Step 3: Once CS receives M2 , CS uses the secret key x to compute ru = D1 ⊕h(PIDi ||IDcs ||x)
and IDi = D2 ⊕h(ru ||PIDi ||IDcs ) and then checks whether IDi is valid and D3 ? = h(IDi ||PIDi ||ru ) or
not. If the IDi is in its database and D3 = h(IDi ||PIDi ||ru ), it means that Ui is legal. For the cloud
server Sj , CS uses the sccret key x to compute rs = D4 ⊕h(PSIDj ||IDcs ||x), SIDj = D5 ⊕h(rs ||PSIDj ||IDcs ),
PSID0j =D6 ⊕h(SIDj ||x)⊕h(rs ||SIDj ), and then checks whether SIDj is in the database and D7 =
 Sensors 2020, 20, 5604 7 of 14

h(SIDj ||PSIDj || PSID0j ||rs ||D6 ). If both conditions hold, it means that Sj is legal. The processes
of authentication phase will be stopped when any verification is wrong; otherwise, CS selects a
random number rcs to compute the session key SKcs = h(ru ⊕rs ⊕rcs ) for this round. Subsequently,
for Sj , CS computes D8 = h( PSID0j ||IDcs ||x)⊕h(rs ||PSID0j ), D9 = h( PSID0j ||rs ||PSIDj )⊕(ru ⊕rcs ), and
D10 = h(SKcs ||D8 ||D9 ||h(SIDj ||x)). For Ui , CS selects a new pseudo-identity PID0i to compute D11 =
PID0i ⊕h(IDi ||x)⊕h(ru ||IDi ), D12 = h(PID0i ||IDcs ||x)⊕h(ru ||PID0i ), D13 = h(PID0i ||ru ||PIDi )⊕(rs ⊕rcs ), and D14
= h(SKcs ||D12 ||D13 ||h(IDi ||x)). Finally, CS sends the message M3 = {D8 , D9 , D10 , D11 , D12 , D13 , D14 } to Sj .
Step 4: While Sj receives M3 , Sj uses PSID0j and rs to extract (ru ⊕rcs ) from D9 , i.e., ru ⊕rcs =
D9 ⊕h(PSID0j ||rs ||PSIDj ). Then, Sj checks D10 ? = h(SKs ||D8 ||D9 ||Bj ), where SKs = h(ru ⊕rs ⊕rcs ). If this
equation holds, it means that CS is legal; otherwise, this authentication process will be terminated.
Sj continues to calculate A0j = D8 ⊕h(rs || PSID0j ) and updates Aj and PSIDj as A0j and PSID0j in the
memory. At the end of this step, Sj sends the message M4 = {D11 , D12 , D13 , D14 } to Ui .
Step 4: Once the smart card receives M4 , the smart card uses Bi , ru , and IDi to extract PID0i
and (rs ⊕rcs ) from D11 and D13 , respectively, i.e., PID0i = Bi ⊕D11 ⊕h(ru ||IDi ) and (rs ⊕rcs ) = D13 ⊕h(
PID0i ||ru ||PIDi ). The smart card will check whether or not D14 ? = h(SKu ||D12 ||D13 ||Bi ), where SKu =
h(ru ⊕rs ⊕rcs ). If this equation holds, it means that CS is legal; otherwise, this authentication process
will be terminated. The smart card uses the new pseudo-identity PID0i to calculate C01 = D12 ⊕h(ru ||
PID0i )⊕h(IDi ||ni ) and updates C1 and PIDi as C01 and PID0i . Finally, the smart card sends h(SKu ) to Sj .
Step 5: When Sj receives h(SKu ), Sj will check h(SKu )? = h(SKs ). If h(SKu ) = h(SKs ), this means that
they already correctly negotiate the session key.

3.4. Password Change Phase

If the user Ui needs to change the password, you may need to start the password change phase.
First, we assume that the smart card of Ui contains ( C01 , C2 , C3 , C4 , PID0i , IDcs ). The Ui inserts the
smart card into the card reader for key verification in identity IDi and the original password PWi .
The smart card will calculate ni = C3 ⊕h(IDi ||PWi ) and check h(IDi ||PWi ||ni )? = C4 . If the equation holds,
Ui can input the new password PWi0 . The smart card calculates C02 = C2 ⊕h(PWi ||ni )⊕h( PWi0 ||ni ), C03 =
C3 ⊕h(IDi ||PWi )⊕h(IDi || PWi0 ), and C04 = C4 ⊕h(IDi ||PWi ||ni )⊕h(IDi || PWi0 ||ni ) and replaces (C2 , C3 , C4 )
with (C02 , C03 , C04 ). Finally, there are (C01 , C02 , C03 , C04 , PID0i , IDcs ) in the smart card, and Ui can use the
new password
Sensors PWi0PEER
2020, 20, x FOR to perform
REVIEWthe authentication phase in the next round. The flowchart of password 9 of 16
modification phase is shown in Figure 4.

Figure 4. The flowchart of the password change phase.

Figure 4. The flowchart of the password change phase.

4. Security Analysis
In this section, we will analyze nine fundamental security requirements in which an
authentication scheme should be achieved.
Sensors 2020, 20, 5604 8 of 14

4. Security Analysis
In this section, we will analyze nine fundamental security requirements in which an authentication
scheme should be achieved.

4.1. Mutual Authentication

As we discussed in Section 2.2.1., mutual authentication means that the identities of the two
entities should be recognized before they connect. In our scheme, CS can be mutually authenticated
with Ui and Sj , respectively.

4.1.1. CS Verifies the Identity of Ui through Checking D3? = h(IDikPIDikru)

In the user registration phase, CS computes Ai = h(PIDi ||IDcs ||x) and Bi = h(IDi ||x) for Ui , and two
parameters are only known by CS and Ui . When Ui uses Ai to hide the random number ru in the
authentication phase, i.e., D1 = Ai ⊕ru , CS can use h(PIDi ||IDcs ||x) to extract ru . Finally, CS can verify the
identity of Ui by equation D3 = h(IDi kPIDi kru ).

4.1.2. CS Verifies the Identity of Sj through Checking D7? = h(SIDjkPSIDjkPSIDj’krskD6)

In the cloud server registration phase, CS computes Aj = h(PSIDj ||IDcs ||x) and Bj = h(SIDj ||x) for Sj ,
and two parameters are only known by CS and Sj . When Sj uses Aj to hide the random number rs
in the authentication phase, i.e., D4 = Aj ⊕rs , CS can use h(PSIDj ||IDcs ||x) to extract rs . Finally, CS can
verify the identity of Sj by equation D7 = h(SIDj kPSIDj kPSIDj ’ krs kD6 ).

4.1.3. Sj Verifies the Identity of CS through Checking D10? = h(SKskD8kD9kBj)

Because Bj is only shared between Sj and CS, they only have the capability of computing
h(SKs kD8 kD9 kBj ). Therefore, Sj can verify the identity of CS by equation D10 = h(SKs kD8 kD9 kBj ).

4.1.4. Ui Verifies the Identity of CS through Checking D14? = h(SKukD12kD13kBi)

Because Bi only shares between Ui and CS, they only have the capability of computing
h(SKu kD12 kD13 kBi ). Therefore, Ui can verify the identity of CS by equation D14 = h(SKu kD12 kD13 kBi ).

4.2. Session Key for All Entities

In the authentication phase, Ui , Sj , and CS generate ru , rs , and rcs , respectively. In addition, Ui ,
Sj , and CS obtain (rs ⊕rcs ), (ru ⊕rcs ), and (ru , rs ) from D13 , D9 , and (D1 , D4 ), respectively. Therefore,
all entities can compute one same session key SK = SKcs = SKs = SKu = (ru ⊕rs ⊕rcs ) in one session.

4.3. User Anonymity

The attacker’s use of user anonymity means that the user Ui cannot be identified through the
messages in the communication session [43]. In our authentication phase, Ui ’s identity IDi is protected
by a hash function D2 = h(ru ||PIDi ||IDcs )⊕IDi . Therefore, if an attacker wants to obtain Ui ’s identity,
he/she must compute h(ru ||PIDi ||IDcs ). However, he/she cannot acquire the ru because he/she does
not have the secret key x of CS to derive ru from D1 = Ai ⊕ru , where Ai = h(PSIDj ||IDcs ||x). Even if
the attacker is a legal user, he/she still cannot obtain h(ru ||PIDi ||IDcs ) by adopting the strategy shown
in Section 2.2.2. Therefore, the attacker cannot identify Ui ’s identity; furthermore, it shows that our
proposed scheme has user anonymity.

4.4. Resistance to Off-Line Guessing Attack

Off-line guesswork attacks happen when an attacker obtains all the information stolen from the
user, pass through insecure channels, and store in smart CARDS. The attacker can use the information
held to guess the user’s identity and password.
Sensors 2020, 20, 5604 9 of 14

We assume that an attacker gets (C1 , C2 , C3 , C4 , PIDi , IDcs ) that is stored in the user Ui ’s smart card
and all messages (M1 , M2 , M3 , M4 ) that pass by a nonsecure channel in the last session. Then, the attacker
wants to guess a pair (IDi , PWi ) from information. He/she can use the equation D2 = h(ru ||PIDi ||IDcs )⊕IDi
to confirm her/his guess IDi . According to the above hypothesis, the attacker has PIDi and D2 from M2 ;
IDcs is from the smart card. Therefore, he/she needs to get ru . Then, ru can be derived by rearranging
D1 = Ai ⊕ru to ru = Ai ⊕D1 . However, the attacker cannot compute Ai = h(PSIDj ||IDcs ||x) without the
secret key x of CS. Therefore, he/she cannot successfully guess IDi . In addition, PWi only appears on
C2 = h(IDi ||x)⊕h(PWi ||ni ), C3 = ni ⊕h(IDi ||PWi ), and C4 = h(IDi ||PWi ||ni ). If the attacker wants to guess
it, he/she needs to obtain IDi , x or ni first. However, the attacker cannot extract those values from
intercepted messages. Therefore, he/she cannot successfully guess PWi . The results show that the
scheme can resist offline guessing attack.

4.5. Resistance to Insider Attack

An insider attack means that an attacker is an inside member of the company of CS. He has the
right to access the data stored in the CS’s database, e.g., the registered users’ identities and passwords.
Then, he/she can use the information to simulate a legitimate user or cloud server. In our proposed
scheme, only IDi and SIDj are stored in CS for registration. There is no any other information for
authentication stored in CS, i.e., Ai , Bi , Aj , Bj . Therefore, even if the inside attacker accesses the database
of CS, he/she only can obtain the identity IDi of Ui and SIDj of Sj ; besides, the inside attacker still
cannot impersonate the user Ui or the cloud server Sj . Thus, the scheme is able to resist internal attack.

4.6. Resistance to Stolen Smart Card Attack

Stolen card attack points to an attacker who steals the user’s smart card and extracts data stored in
a smart card. Then, he/she uses these data to impersonate the user whose smart card was stolen. Here,
we assume that an attacker already extracts the data (C1 , C2 , C3 , C4 , PIDi , IDcs ) from user Ui ’s smart
card. In our proposed scheme, if the attacker wants to impersonate user Ui , he/she needs to perform
the authentication phase. According to the description of Step 1 in Section 3.2., the attacker needs to
key in the correct IDi and PWi for checking the equation h(IDi ||PWi ||ni )? = C4 . However, he/she does
not have IDi and PWi . Therefore, when the attacker initiates an authentication run, he/she cannot
pass the check h(IDi ||PWi ||ni )? = C4 in this step, then his/her authentication process will be terminated.
The results show that the scheme can resist the attack of stolen smart cards.

4.7. Resistance to De-Synchronization Attack

An anti-synchronization attack means that an attacker interrupts and modifies the response
message from the control server during the authentication phase, so that the authentication data
between the client and the database of the control server are not synchronized [44]. Then, even if he/she
is a legitimate user passing through the controlled server, all future authentication processes will fail.
In our proposed scheme, only users’ identities are stored in the control server’s database.
In addition, those identities will not be changed in any phases, i.e., the authentication and password
change phases. For the user, data changes occurred in the authentication stage and the last step of
the password change phase. However, password change only needs to be involved on the user side;
thus, the attacker cannot interfere. In the last step of the authentication phase, the data in the user’s
smart card will be updated (C1 , PIDi ) to (C01 , PID0i ) when authentication processes are successfully
finished. If the update was interrupted, the user can still use the old data (C1 , PIDi ) to run a successful
authentication process. It can be concluded that the scheme can resist synchronous attack.
Sensors 2020, 20, 5604 10 of 14

4.8. Resistance to Forgery Attack

Counterfeit attack points to the attacker in the session is sent to the user, the cloud server and
control server message, then the receiver will believe these messages are sent from a legal user, a cloud
server, or the control server.
In our scenario, if an attacker wants to forge a user Ui, he/she would need to forge a message
M1 to pass the equation D3? = h(IDikPIDikru). However, the attacker cannot forge D1 = Ai ⊕ru
because Ai = h(PIDi ||IDcs ||x) contains the secret key x of a control server. If the attacker wants to
forge a cloud server, he/she needs to fabricate two messages, M2 and M4 . To pass the equation
D7 ? = h(SIDj kPSIDj kPSIDj ’ krs kD6 ) and D14 ? = h(SKu kD12 kD13 kBi ); however, he/she cannot forge
D4 = Aj ⊕rs , D6 = Bj ⊕ PSID0j ⊕h(rs ||PSIDj ) and D14 = h(SKcs ||D12 ||D13 ||h(IDi ||x)) because Aj and Bj both
contain the secret key x of control server. If the attacker wants to forge the control server, he/she needs
to make up a message M3 to pass the equation D10 ? = h(SKs kD8 kD9 kBj ). However, he/she cannot
forge D8 = h( PSID0j ||IDcs ||x)⊕h(rs || PSID0j ) and D10 = h(SKcs ||D8 ||D9 ||h(SIDj ||x)) because those messages
contain the secret key x of the control server. As a result, we provide a solution to staying away from
forgery attacks.

4.9. Resistance to User Tracking Attack

In terms of user tracking attacks, when an attacker eavesdrops on the delivered messages in
different sessions, and then the attacker can confirm that two messages are from a fixed user according
to a stable pseudo-identity being used. In our proposed scenario, the user Ui’s pseudo-identity would
change in different sessions. Therefore, the attacker cannot ensure that any two messages are from the
same user. The results show that the scheme can resist the user tracking attack.

5. Performance Evaluation
In this section, we will present the schemes of Maitra et al. [45], Amin et al. [36], Zhou et al. [42],
and the performance evaluation of our schemes. Four authentication schemes only use a one-way
hash operation, exclusive or operation, and concatenate operation. By comparing the execution time of
an exclusive or operation to that of a one-way hash function or a symmetric algorithm, we ignored
the execution time of an exclusive or operation., We chose SHA-2(256 bits) and AES as one-way hash
functions and symmetric encryption/decryption algorithms, two of which are the most commonly
used encryption methods in secure communications.
Tables 1–3 show a comparison of the security properties, computation cost, and communication
cost among four respective authentication schemes. In Table 1, “O” means that the scheme can achieve
a security requirement or resist the attack; “X” means that the scheme cannot achieve a security
requirement or resist the attack. In Table 2, “Th ” is one computation time of one-way hash function
operation, and “Ts ” is one computation time of symmetric encryption/decryption. The “Th ” and “Ts ” s’
values are 0.00517 ms and 0.02148 ms, respectively according to Zhou et al. [42].

Table 1. Comparison of Security Properties among Four Authentication Schemes.

Property R1 R2 R3 R4 R5 R6 R7 R8 R9
Amin et al.’s scheme [36] O O O X O O O O X
Maitra et al.’s scheme [45] O X O X O O O O X
Zhou et al.’s [42] X O X O O O O O O
Ours O O O O O O O O O
R1: Mutual authentication. R2: Session key for all entities. R3: User anonymity. R4: Resistance to off-line
guessing attack. R5: Resistance to insider attack. R6: Resistance to stolen smart card attack. R7: Resistance to
de-synchronization attack. R8: Resistance to forgery attack. R9: Resistance to user tracking attack.
Sensors 2020, 20, 5604 11 of 14

Table 2. Calculation cost comparison of four certification schemes.

Registration Authentication Password Change Total Operations of Login

Entities Login Phase
Phase Phase Phase and Authentication
Ui 2 Th 6 Th 3 Th 7 Th
Amin et al.’s
23 Th
scheme [36] Sj 0 Th 0 Th 4 Th 0 Th
CS 4 Th 0 Th 10 Th 0 Th
Ui 3 Th 6 Th 4 Th 9 Th
Maitra et al.’s
19 Th + 6 Ts
scheme [45] Sj 0 Th 0 Th + 1 Ts 4 Th + 2 Ts 0 Th
CS 3 Th + 1 Ts 0 Th 5 Th + 3 Ts 2 Th + 2 Ts
Ui 3 Th 0 Th 10 Th 11 Th
Zhou et al.’s
36 Th
[42] Sj 0 Th 0 Th 7 Th 0 Th
CS 4 Th 0 Th 19 Th 8 Th
Ui 4 Th 0 Th 12 Th 6 Th
Ours 39 Th
Sj 0 Th 0 Th 8 Th 0 Th
CS 4 Th 0 Th 19 Th 0 Th

Table 3. Communication cost comparison of four authentication schemes.

Schemes Communication Cost of L and A

Amin et al.’s scheme [36] 4736 bits
Maitra et al.’s scheme [45] 3072 bits
Zhou et al.’s [42] 5760 bits
Ours 6016 bits
Sensors 2020, 20, x FOR PEER REVIEW 13 of 16

Table 2 shows that our proposed scheme is in the middle regarding calculating costs. However,
CS 4 Th 0 Th 19 Th 0 Th
it is important to consider the trade-off between security and efficiency when we were designing a
secure communication scheme. As can be seen from Table 1, the scheme proposed by us has better
Table 3. Communication
security than other schemes. We also assessedcost comparison of four authentication
the communication costs schemes.
of our scheme and other
schemes, as shown in Table 3. Schemes The communication costs are the bits of
Communication Cost of L and Aparameters which passed
during authentication. The Amin Figure
et al.’s5scheme
shows [36]
the bar chart of the
4736comparison
bits of total calculation cost.
Our scheme gets more cost than
Maitra et Zhou et al.’s[45]
al.’s scheme [42] because we3072addbits
an additional step at the last of the
authentication phase to achieve Zhou mutual authentication. We only
et al.’s [42] 5760calculate
bits the communication cost in
the login and authentication phases Ours 6016 bitsof times in the registration phase
due to the use of fewer number
and password change phase. Therefore, in terms of security and efficiency, we can argue that our
Note that the outputs of the one-way hash function and the AES algorithm are 256 bits, and
proposed scheme is more suitable for the Internet of Things environment than other related schemes.
identities, pseudo-identities, and random numbers are 128 bits.

Figure 5. Comparison of total calculation cost (ms).

Figure 5. Comparison of total calculation cost (ms).
6. Conclusions
In this paper, we demonstrated that Zhou et al.’s scheme is not fully secure. Mutual
authentication and anonymity cannot be guaranteed in the authentication phase. Then, we designed
Sensors 2020, 20, 5604 12 of 14

Note that the outputs of the one-way hash function and the AES algorithm are 256 bits,
and identities, pseudo-identities, and random numbers are 128 bits.

6. Conclusions
In this paper, we demonstrated that Zhou et al.’s scheme is not fully secure. Mutual authentication
and anonymity cannot be guaranteed in the authentication phase. Then, we designed a new certification
scheme to compensate for Zhou et al.’s scheme. The proposed scheme can resist common attacks
and provide important features such as user anonymity and mutual authentication. We also added a
new parameter in the first step of the authentication phase; moreover, it can detect whether or not
the input identity and password are right at an early stage. Improved IoT-based authentication for
cloud computing is also proposed, and the performance evaluation results show that the scheme has
acceptable computation and good security. Therefore, we believe that this authentication scheme is
applicable to real-world IoT devices.
In the future, we will investigate how to apply our IoT-based authentication mechanism in
different computing environments, such as mobile environment and grid computing environment, etc.
Furthermore, we are investigating how to make our system lightweight so that it can be widely used in
the mobile computing world.

Author Contributions: Conceptualization, H.-L.W.; Data curation, H.-L.W.; Formal analysis, H.-L.W.; Funding
acquisition, C.-C.C. (Chin-Chen Chang); Investigation, C.-C.C. (Chin-Chen Chang) and L.-S.C.; Methodology,
C.-C.C. (Chin-Chen Chang); Project administration, L.-S.C.; Resources, Y.-Z.Z. and L.-S.C.; Software, Y.-Z.Z.;
Validation, Y.-Z.Z. and C.-C.C. (Chih-Cheng Chen); Visualization, C.-C.C. (Chih-Cheng Chen); Writing—review &
editing, C.-C.C. (Chih-Cheng Chen). All authors have read and agreed to the published version of the manuscript.
Funding: This research received no external funding.
Conflicts of Interest: The authors declare no conflict of interest.

References
1. Jing, Q.; Vasilakos, A.V.; Wan, J. Security of the Internet of Things: Perspectives and challenges. Wirel. Netw.
2014, 20, 2481–2507. [CrossRef]
2. Atzori, L.; Iera, A.; Morabito, G. The Internet of Things: A survey. Comput. Netw. 2010, 54, 2787–2805. [CrossRef]
3. Qi, M.; Chen, J.; Chen, Y. A secure authentication with key agreement scheme using ECC for satellite
communication systems. Int. J. Satell. Commun. Netw. 2019, 37, 234–244. [CrossRef]
4. Kothmayr, T.; Schmitt, C.; Hu, W.; Brünig, M.; Carle, G. DTLS based security and two-way authentication for
the Internet of Things. Ad Hoc Netw. 2013, 11, 2710–2723. [CrossRef]
5. Pranata, I.; Athauda, R.; Skinner, G. Securing and governing access in ad-hoc networks of Internet of Things.
In Proceedings of the IASTED International Conference on Engineering and Applied Science, Colombo,
Sri Lanka, 27–29 December 2012; pp. 27–29.
6. Durairaj, M.; Muthuramalingam, K. A new authentication scheme with elliptical curve cryptography for
Internet of Things (IoT) environments. Int. J. Eng. Technol. 2018, 7, 119. [CrossRef]
7. Hong, N. A security framework for the Internet of Things based on public key infrastructure. Adv. Mater. Res.
2013, 671–674, 3223–3226. [CrossRef]
8. Hao, P.; Wang, X.; Shen, W. A collaborative PHY-aided technique for end-to-end IoT device authentication.
IEEE Access 2018, 6, 42279–42293. [CrossRef]
9. Mahmood, K.; Chaudhry, S.A.; Naqvi, H.; Shon, T.; Ahmad, H.F. A lightweight message authentication
scheme for smart grid communications in power sector. Comput. Electr. Eng. 2016, 52, 114–124. [CrossRef]
10. Challa, S.; Das, A.K.; Odelu, V.; Kumar, N.; Kumari, S.; Khan, M.K.; Vasilakos, A.V. An efficient ECC-based
provably secure three-factor user authentication and key agreement protocol for wireless healthcare sensor
networks. Comput. Electr. Eng. 2018, 69, 534–554. [CrossRef]
11. Chung, Y.; Choi, S.; Lee, Y.; Park, N.; Won, D. An enhanced lightweight anonymous authentication scheme
for a scalable localization roaming service in wireless sensor networks. Sensors 2016, 16, 1653. [CrossRef]
Sensors 2020, 20, 5604 13 of 14

12. Turkanović, M.; Brumen, B.; Hölbl, M. A novel user authentication and key agreement scheme for
heterogeneous ad hoc wireless sensor networks, based on the Internet of Things notion. Ad Hoc Netw. 2014,
20, 96–112. [CrossRef]
13. Jan, M.A.; Khan, F.; Alam, M.; Usman, M. A payload-based mutual authentication scheme for Internet of
Things. Future Gener. Comput. Syst. 2019, 92, 1028–1039. [CrossRef]
14. Sun, X.; Men, S.; Zhao, C.; Zhou, Z. A security authentication scheme in machine-to-machine home network
service. Secur. Commun. Netw. 2015, 8, 2678–2686. [CrossRef]
15. Lyu, C.; Gu, D.; Zeng, Y.; Mohapatra, P. PBA: Prediction-based authentication for vehicle-to-vehicle
communications. IEEE Trans. Dependable Secur. Comput. 2016, 13, 71–83. [CrossRef]
16. Gope, P.; Lee, J.; Quek, T.Q.S. Lightweight and practical anonymous authentication protocol for RFID systems
using physically unclonable functions. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2831–2843. [CrossRef]
17. Xu, H.; Ding, J.; Li, P.; Zhu, F.; Wang, R. A lightweight RFID mutual authentication protocol based on physical
unclonable function. Sensors 2018, 18, 760. [CrossRef]
18. Wazid, M.; Das, A.K.; K, V.B.; Vasilakos, A.V. LAM-CIoT: Lightweight authentication mechanism in
cloud-based IoT environment. J. Netw. Comput. Appl. 2020, 150, 102496. [CrossRef]
19. Wazid, M.; Das, A.K.; Kumar, N.; Vasilakos, A.V. Design of secure key management and user authentication
scheme for fog computing services. Future Gener. Comput. Syst. 2019, 91, 475–492. [CrossRef]
20. Jangirala, S.; Das, A.K.; Vasilakos, A.V. Designing secure lightweight blockchain-enabled RFID-based
authentication protocol for supply chains in 5G mobile edge computing environment. IEEE Trans. Ind. Inform.
2020, 16, 7081–7093. [CrossRef]
21. Wazid, M.; Das, A.K.; Kumar, N.; Vasilakos, A.V.; Rodrigues, J.J.P.C. Design and Analysis of Secure
Lightweight Remote User Authentication and Key Agreement Scheme in Internet of Drones Deployment.
IEEE Internet Things J. 2019, 6, 3572–3584. [CrossRef]
22. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772. [CrossRef]
23. Katz, J.; MacKenzie, P.; Taban, G.; Gligor, V. Two-server password-only authenticated key exchange.
J. Comput. Syst. Sci. 2012, 78, 651–669. [CrossRef]
24. Xiang, T.; Wong, K.; Liao, X. Cryptanalysis of a password authentication scheme over insecure networks.
J. Comput. Syst. Sci. 2008, 74, 657–661. [CrossRef]
25. Sun, H.-M.; Yeh, H.-T. Password-based authentication and key distribution protocols with perfect forward
secrecy. J. Comput. Syst. Sci. 2006, 72, 1002–1011. [CrossRef]
26. Chien, H.-Y.; Jan, J.-K.; Tseng, Y.-M. An efficient and practical solution to remote authentication: Smart card.
Comput. Secur. 2002, 21, 372–375. [CrossRef]
27. Xu, J.; Zhu, W.-T.; Feng, D.-G. An improved smart card based password authentication scheme with provable
security. Comput. Stand. Interfaces 2009, 31, 723–728. [CrossRef]
28. Kumar, M.; Gupta, K.; Kumari, S. An improved efficient remote password authentication scheme with smart
card over insecure networks. Int. J. Netw. Secur. 2011, 13, 167–177.
29. Challa, S.; Das, A.K.; Gope, P.; Kumar, N.; Wu, F.; Vasilakos, A.V. Design and analysis of authenticated
key agreement scheme in cloud-assisted cyber–physical systems. Future Gener. Comput. Syst. 2020, 108,
1267–1286. [CrossRef]
30. Lin, C.; He, D.; Huang, X.; Choo, K.-K.R.; Vasilakos, A.V.; BSeIn: A blockchain-based secure mutual
authentication with fine-grained access control system for industry 4.0. J. Netw. Comput. Appl. 2018, 116,
42–52. [CrossRef]
31. Liao, Y.-P.; Wang, S.-S. A secure dynamic ID based remote user authentication scheme for multi-server
environment. Comput. Stand. Interfaces 2009, 31, 24–29. [CrossRef]
32. Hsiang, H.-C.; Shih, W.-K. Improvement of the secure dynamic ID based remote user authentication scheme
for multi-server environment. Comput. Stand. Interfaces 2009, 31, 1118–1123. [CrossRef]
33. Sood, S.K.; Sarje, A.K.; Singh, K. A secure dynamic identity based authentication protocol for multi-server
architecture. J. Netw. Comput. Appl. 2011, 34, 609–618. [CrossRef]
34. Lee, C.-C.; Lin, T.-H.; Chang, R.-X. A secure dynamic ID based remote user authentication scheme for
multi-server environment using smart cards. Expert Syst. Appl. 2011, 38, 13863–13870. [CrossRef]
35. Xue, K.; Hong, P.; Ma, C. A lightweight dynamic pseudonym identity based authentication and key agreement
protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. 2014, 80, 195–206.
[CrossRef]
Sensors 2020, 20, 5604 14 of 14

36. Amin, R.; Kumar, N.; Biswas, G.P.; Iqbal, R.; Chang, V. A light weight authentication protocol for IoT-enabled
devices in distributed cloud computing environment. Future Gener. Comput. Syst. 2018, 78, 1005–1019. [CrossRef]
37. He, D.; Zeadally, S.; Xu, B.; Huang, X. An Efficient Identity-Based Conditional Privacy-Preserving Authentication
Scheme for Vehicular Ad Hoc Networks. IEEE Trans. Inf. Forensics Secur. 2015, 10, 2681–2691. [CrossRef]
38. Zhang, J.; Cui, J.; Zhong, H.; Chen, Z.; Liu, L. PA-CRT: Chinese Remainder Theorem Based Conditional
Privacy-preserving Authentication Scheme in Vehicular Ad-hoc Networks. IEEE Trans. Dependable Secur. Comput.
2019, 1. [CrossRef]
39. Cui, J.; Zhang, J.; Zhong, H.; Xu, Y. SPACF: A Secure Privacy-Preserving Authentication Scheme for VANET
with Cuckoo Filter. IEEE Trans. Veh. Technol. 2017, 66, 10283–10295. [CrossRef]
40. Azees, M.; Vijayakumar, P.; Deboarh, K.J. EAAP: Efficient Anonymous Authentication with Conditional
Privacy-Preserving Scheme for Vehicular Ad Hoc Networks. IEEE Trans. Intell. Transp. Syst. 2017, 18, 2467–2476.
[CrossRef]
41. Kong, W.; Shen, J.; Vijayakumar, P.; Cho, Y.; Chang, V. A practical group blind signature scheme for privacy
protection in smart grid. J. Parallel Distrib. Comput. 2020, 136, 29–39. [CrossRef]
42. Zhou, L.; Li, X.; Yeh, K.-H.; Su, C.; Chiu, W. Lightweight IoT-based authentication scheme in cloud computing
circumstance. Future Gener. Comput. Syst. 2019, 91, 244–251. [CrossRef]
43. Li, C.-T.; Weng, C.-Y.; Lee, C.-C.; Wang, C.-C. Secure user authentication and user anonymity scheme based
on quadratic residues for the integrated EPRIS. Procedia Comput. Sci. 2015, 52, 21–28. [CrossRef]
44. Yeh, K.-H.; Lo, N.-W.; Kuo, R.-Z.; Su, C.; Chen, H.-Y. Formal analysis on RFID authentication protocols
against de-synchronization attack. J. Internet Technol. 2017, 18, 765–773.
45. Maitra, T.; Islam, S.H.; Amin, R.; Giri, D.; Khan, M.; Kumar, K.N. An enhanced multi-server authentication
protocol using password and smart-card: Cryptanalysis and design. Secur. Commun. Netw. 2016, 9,
4615–4638. [CrossRef]

© 2020 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access
article distributed under the terms and conditions of the Creative Commons Attribution
(CC BY) license (http://creativecommons.org/licenses/by/4.0/).