Dynamic Three-Factor Authentication Key Agreement Protocol for IoT Scenarios

doi:10.3969/j.issn.1671-1122.2025.09.009

Abstract

Abstract:

In recent years, the widespread adoption of Internet of Things (IoT) devices has significantly enhanced both the quality of life and work efficiency. However, the data sharing between IoT devices occurs over networks, making it susceptible to attacks and breaches. This paper aims to enhance the security of data exchange among IoT devices, focusing on Multi-Factor Authentication and Key Agreement (MFAKA) protocols. The research was centered on the security of data sharing between IoT devices, utilizing BioHash technology and Elliptic Curve Cryptography (ECC), and conducting theoretical analysis based on the Real-Or-Random (ROR) model in provable security. A novel dynamic three-factor authentication and key agreement protocol, named D3FAKAP, was proposed. This protocol integrated BioHash technology and ECC to achieve genuine three-factor authentication, This ensures user anonymity and unlinkability during the login process. Additionally, the proposed scheme is proven to be semantically secure under the Real-Or-Random model. Performance analysis indicates that the proposed scheme is well-suited for IoT environments in terms of security and resource efficiency.

Key words: IoT, multi-factor authentication, authentication key agreement protocol, provable security

CLC Number:

TP309

YANG Yukun, XIAO Weien, LIANG Boxuan, HUANG Xin. Dynamic Three-Factor Authentication Key Agreement Protocol for IoT Scenarios[J]. Netinfo Security, 2025, 25(9): 1407-1417.

Figures/Tables 9

References 27

[1]	XIE Qi, WONG D S, WANG Guilin, et al. Provably Secure Dynamic ID-Based Anonymous Two-Factor Authenticated Key Exchange Protocol with Extended Security Model[J]. IEEE Transactions on Information Forensics & Security, 2017, 12(6): 1382-1392.
[2]	GOPE P. PMAKE: Privacy-Aware Multi-Factor Authenticated Key Establishment Scheme for Advance Metering Infrastructure in Smart Grid[J]. Computer Communications, 2020, 152: 338-344.
[3]	ZHOU Lu, GE Chunpeng, SU Chunhua. A Privacy Preserving Two-Factor Authentication Protocol for the Bitcoin SPV Nodes[J]. Science China Information Sciences, 2020, 63(3): 34-48.
[4]	HAQ I U, WANG Jian. Secure Two-Factor Lightweight Authentication Protocol Using Self-Certified Public Key Cryptography for Multi-Server 5G Networks[EB/OL]. (2020-07-01)[2025-03-21]. https://www.sciencedirect.com/science/article/abs/pii/S108480452030134X.
[5]	BADAR H M S, QADRI S, SHAMSHAD S, et al. An Identity Based Authentication Protocol for Smart Grid Environment Using Physical Uncloneable Function[J]. IEEE Transactions on Smart Grid, 2021, 12(5): 4426-4434.
[6]	ZHANG Xin, HUANG Xin, YIN Haotian, et al. LLAKEP: A Low-Latency Authentication and Key Exchange Protocol for Energy Internet of Things in the Metaverse Era[EB/OL]. (2022-07-21)[2025-03-21]. https://www.mdpi.com/2227-7390/10/14/2545.
[7]	QI Mingping. An Improved Three-Factor Authentication and Key Agreement Protocol for Smart Grid[J]. Journal of Ambient Intelligence and Humanized Computing, 2023, 14(12): 16465-16476.
[8]	MEHTA P J, PARNE B L, PATEL S J. MAKA: Multi-Factor Authentication and Key Agreement Scheme for LoRa-Based Smart Grid Communication Services[J]. IETE Journal of Research, 2023, 70(5): 4989-5005.
[9]	SHUKLA S, PATEL S J. A Novel ECC-Based Provably Secure and Privacy-Preserving Multi-Factor Authentication Protocol for Cloud Computing[J]. Computing, 2022, 104(5): 1173-1202.
[10]	SHUKLA S, PATEL S J. A Design of Provably Secure Multi-Factor ECC-Based Authentication Protocol in Multi-Server Cloud Architecture[J]. Cluster Computing, 2024, 27(2): 1559-1580.
[11]	BRAEKEN A. Highly Efficient Bidirectional Multifactor Authentication and Key Agreement for Real-Time Access to Sensor Data[J]. IEEE Internet of Things Journal, 2023, 10(23): 21089-21099.
[12]	ZHANG Shiwen, YAN Ziwei, LIANG Wei, et al. BAKA: Biometric Authentication and Key Agreement Scheme Based on Fuzzy Extractor for Wireless Body Area Networks[J]. IEEE Internet of Things Journal, 2023, 11(3): 5118-5128.
[13]	MALL P, AMIN R, DAS A K, et al. PUF-Based Authentication and Key Agreement Protocols for IoT, WSNs, and Smart Grids: A Comprehensive Survey[J]. IEEE Internet of Things Journal, 2022, 9(11): 8205-8228.
[14]	DEVANAPALLI S, PHANEENDRA K. Security Analysis of Three-Factor Authentication Protocol Based on Extended Chaotic-Maps[C]// IEEE. 2022 OPJU International Technology Conference on Emerging Technologies for Sustainable Development (OTCON). New York: IEEE, 2023: 1-6.
[15]	QIU Shuming, WANG Ding, XU Guoai, et al. Practical and Provably Secure Three-Factor Authentication Protocol Based on Extended ChaoticMmaps for Mobile Lightweight Devices[J]. IEEE Transactions on Dependable and Secure Computing, 2020, 19(2): 1338-1351.
[16]	LEE J, YU S, KIM M, et al. On the Design of Secure and Efficient Three-Factor Authentication Protocol Using Honey List for Wireless Sensor Networks[J]. IEEE Access, 2020, 8: 107046-107062.
[17]	CHAKRABORTY N, LI Jiangqiang, LEUNG V C M, et al. Honeyword-Based Authentication Techniques for Protecting Passwords: A Survey[J]. ACM Computing Surveys, 2022, 55(8): 1-37.
[18]	HUANG Zonghao, BAUER L, REITER M K. The Impact of Exposed Passwords on Honeyword Efficacy[C]// USENIX. 33th USENIX Security Symposium. Berkeley:USENIX,2024: 559-576.
[19]	FAN C, LIN Yihui. Provably Secure Remote Truly Three-Factor Authentication Scheme with Privacy Protection on Biometrics[J]. IEEE Transactions on Information Forensics and Security, 2009, 4(4): 933-945.
[20]	ZHANG Liping, ZHANG Yixin, TANG Shanyu, et al. Privacy Protection for E-Health Systems by Means of Dynamic Authentication and Three-Factor Key Agreement[J]. IEEE Transactions on Industrial Electronics, 2017, 65(3): 2795-2805.
[21]	KOBLITZ N. Elliptic Curve Cryptosystems[J]. Mathematics of Computation, 1987, 48(177): 203-209.
[22]	MILLER V S. Use of Elliptic Curves in Cryptography[C]// Springer. Conference on the Theory and Application of Cryptographic Techniques. Heidelberg: Springer, 1985: 417-426.
[23]	JIN A T B, LING D N C, GOH A. Biohashing: Two Factor Authentication Featuring Fingerprint Data and Tokenised Random Number[J]. Pattern Recognition, 2004, 37(11): 2245-2255.
[24]	RATHA N, CONNELL J, BOLLE R M, et al. Cancelable Biometrics: A Case Study in Fingerprints[C]// IEEE.18th International Conference on Pattern Recognition (ICPR’06). New York: IEEE, 2006: 370-373.
[25]	LUMINI A, NANNI L. An Improved Biohashing for Human Authentication[J]. Pattern Recognition, 2007, 40(3): 1057-1065.
[26]	TEOH A B J, KUAN Y W, LEE S. Cancellable Biometrics and Annotations on Biohash[J]. Pattern Recognition, 2008, 41(6): 2034-2044.
[27]	HANKERSON D, MENEZES A. NIST Elliptic Curves[M]. Heidelberg: Springer, 2025.

符号	描述
$E/{{F}_{p}}$	定义在有限素数域${{F}_{p}}$上的椭圆曲线$E$，其中${{F}_{p}}$包含所有模一个素数$p$的整数集合的元素
$p$	${{F}_{p}}$中的基点
$I{{D}_{U}},P{{W}_{U}}$	用户的身份标识和密码
$SC$	拥有一定存储和计算能力的智能卡
$B$	用户输入的生物特征
$Tp$	用户注册时录入的生物特征模板
$H\left( \cdot \right)$	无碰撞哈希函数
${{h}_{bio}}\left( \cdot \right)$	生物哈希函数
$\oplus $	异或操作
$\parallel $	连接操作
$sk$	会话密钥

攻击/安全特性	文献[1]	文献[3]	文献[12]	D3FAKAP
认证因子数量	2	2	3	3
用户匿名性	√	√	√	√
不可链接性	×	×	×	√
密码更新	无关	无关	√	√
生物特征更新	无关	无关	√	√
会话密钥验证	√	√	√	√
重放攻击	×	√	√	√
智能卡偷窃攻击	×	√	√	√
离线密码猜测攻击	√	√	√	√
形式化的安全证明	√	√	√	√
真正三因素认证	×	×	×	√

开销方案	U端开销	S端开销	通信开销/bit
文献[1]	$3M+A+6H$	$3M+A+2SED+5H$	2112
文献[3]	$3M+6H$	$3M+6H$	2210
文献[12]	$3M+F+3SED+3H$	$3M+3SED+4H$	2752
D3FAKAP	$2M+11H$	$4M+7H$	2172