| With the rapid increase in the number and scale of devices in the Internet of Things, communication security between device entities has become an important topic. Mutual authentication protocols are one of the crucial information security mechanisms in the communication process of the Internet of Things. According to the number of entities involved, communication scenarios in the Internet of Things can be divided into the basic two-party communication scenario and the more complex three-party communication scenario. As devices in the Internet of Things have low computational capacity and limited communication resources, it is particularly important to design efficient secure authentication protocols. A Three-Factor Authentication (3FA) protocol verifies the legitimacy of users by combining three different factors: the "knowledge factor", the "possession factor" and the "intrinsic factor". Compared with traditional One-Factor Authentication (1FA) and Two-Factor Authentication (2FA) protocols, Three-Factor Authentication protocols generally have higher security and have become a research hotspot in recent years. However, there is still a conflict between security and efficiency. Some authentication protocols use time-consuming cryptographic primitives for security, which are not lightweight enough for the Internet of Things, and some lightweight protocols are efficient enough but are not designed with certain security attributes, such as perfect forward security and resistance to specific attacks. In view of these problems, the paper takes two-party and three-party communication in the Internet of Things as the background and the Three-Factor Authentication protocol as the technical means to carry out the following research work: (1) To address the insufficient security of authentication protocols in the two-party communication scenario of the Internet of Things, a security analysis of an RSA-based authorized access authentication scheme is carried out. The results 
show that the scheme has some security defects, such as vulnerability to key compromise impersonation attacks and denial of service attacks, and the inability to guarantee perfect forward security. To solve these problems, the paper proposes a new anonymous Three-Factor Authentication protocol based on elliptic curve cryptography. The protocol adopts elliptic curve cryptography and symmetric key cryptography to improve the original scheme and ensure secure communication between the two entities in case of long-term key leakage. In the paper, BAN logic and AVISPA are used to formally prove the security of the protocol, and the security attributes of the protocol are compared with those of similar protocols. The results show that the protocol supports various security requirements such as perfect forward security, and that its security is significantly improved. A performance comparison with protocols of the same type shows that our protocol requires fewer computational and communication resources, which ensures its running efficiency. (2) To address the resource waste of Three-Factor Authentication protocols in the three-party communication scenario of the Internet of Things, the paper proposes a lightweight and secure Three-Factor Authentication protocol using a one-way hash function. The protocol adequately considers various security factors and has an adaptive privacy-preserving property, which allows users to freely choose the degree of privacy they need. The paper carries out a detailed informal security analysis, a formal security proof under the random oracle model, and protocol security testing using AVISPA. It is proved that the protocol has high security, can resist various known attacks, and has security advantages in its adaptive privacy-preserving property and attack resistance. In terms of performance, the paper compares our protocol with similar protocols and finds that our protocol has the lowest computational cost and relatively low 
communication cost, so it is suitable for the resource-constrained Internet of Things environment. |