Certiﬁcate-Based Anonymous Device Access Control Scheme for IoT …iot.korea.ac.kr/file/ProfMinhojo/61. DownloadCompleted.pdf · 2019-08-21 · distributed pollution monitoring,

1

Certificate-Based Anonymous Device AccessControl Scheme for IoT Environment

Saurav Malani, Jangirala Srinivas, Member, IEEE, Ashok Kumar Das, Senior Member, IEEE,Kannan Srinathan, and Minho Jo, Senior Member, IEEE

Abstract—As the “Internet communications infrastructure”develops to encircle smart devices, it is very much essential fordesigning suitable methods for secure communications with thesesmart devices, in the future Internet of Things (IoT) applicationscontext. Due to wireless communication among the IoT smartdevices and the gateway node (GWN), several security threatsmay arise in the IoT environment, including replay, man-in-the-middle, impersonation, malicious devices deployment andphysical devices capture attacks. In this article, to mitigatesuch security threats we design a new certificate-based deviceaccess control scheme in IoT environment which is not onlysecure against mentioned attacks, but it also preserves anonymityproperty. A detailed security analysis using the widely-accepted“Real-Or-Random (ROR)” model-based formal security analysis,informal security analysis, and also formal security verificationbased on the broadly-accepted “Automated Validation of InternetSecurity Protocols and Applications (AVISPA)” tool has beenperformed on the proposed scheme to show that it is secureagainst various known attacks. In addition, a comprehensivecomparative analysis among the proposed scheme and otherrelevant schemes shows that a better trade-off among the security& functionality attributes, communication and computationalcosts is achieved for the proposed scheme as compared to otherschemes.

Index Terms—Internet of Things (IoT), device access control,key management, security, AVISPA.

I. INTRODUCTION

The Internet of Things (IoT) becomes possible due tonumerous physical objects that are being inter-connected atan unparalleled rate [1]. It is then considered as an inter-networking of several (physical and virtual) objects (things),and the network connectivity permits these objects to commu-nicate as well as exchange information, including “sensors,smart meters, smart phones, smart vehicles, radio-frequencyidentification (RFID) tags, personal digital assistants (PDAs),and other items (embedded with electronics, software andactuators)” [2]. Some examples of “physical objects” may beconsidered as “smartphone, sensor, camera, drone, vehicle,

This research was supported by the National Research Foundation of theKorean government (Grant#: NRF-2019R1I1A3A01057514). (CorrespondingAuthor: Minho Jo).

S. Malani, A. K. Das and K. Srinathan are with the Center for Security,Theory and Algorithmic Research, International Institute of Information Tech-nology, Hyderabad 500 032, India (e-mail: [email protected];[email protected], [email protected]; [email protected]).

J. Srinivas is with the Jindal Global Business School, O. P. Jindal GlobalUniversity, Haryana 131001, India (e-mail: [email protected], [email protected]).

M. Jo is with the Department of Computer Convergence Software, KoreaUniversity, Sejong Metropolitan 30019, South Korea

(e-mail: [email protected]).

and so on”, whereas “virtual objects” may be consideredas “agenda, electronic ticket, book, wallet, and so on”. Infuture, we expect that the majority of these IoT devices tobe smart so that the devices can automatically take the actionswithout much more human interventions. Since the “Internetcommunications infrastructure” is developed to encircle smartdevices, suitable methods are very much essential for securecommunications with these smart devices, in the future IoTapplications context, in areas as diverse as “health-care (e.g.,remote patient monitoring or monitoring of elderly people),smart grid, Internet of Vehicles (IoV), home automation (e.g.,security, heating and lightning control) and smart cities (e.g.,distributed pollution monitoring, smart lightning systems)” [3].

Internet of Vehicles (IoV) has emerged as a convergenceof IoT as well as mobile vehicles. Quan et al. [4] designeda “Software-defined Adaptive Transmission Control Protocol(SATCP)” for vehicular networks. Their scheme provideshow an “Software Defined Networking (SDN)” controller canselectively schedule various transmission control policies andalso arrange with control units at the base stations in order toadjust to differing vehicular requirements. Quan et al. [5] alsoexplored a new “Smart Identifier Networking (SINET)” pro-totype and designed a “SINET customized solution enablingcrowd collaborations for software defined vehicular networks(SINET-V)”. Through experiments, they demonstrated thatSINET-V has great prospective to assist powerful vehicu-lar networks. Cheng et al. [6] reviewed various “VehicularAdhoc Networks (VANETs)” technologies for efficient anddependable transmission of big data. They also discussedvarious mechanisms employing big data to study VANETscharacteristics and performance.

The growth of IoT will lead to creation of huge volume ofdata that will demand “massive computing resources, storagespace and communication bandwidth” [7]. According to theprediction made by Cisco, 50 billion IoT devices are expectedto be connected to the Internet by 2020 [8], and this numbermay hit to 500 billion by 2025 [9]. It is also predicted that“the data produced by human, machines and things wouldreach 500 zettabytes by 2019, but the IP traffic of global datacenters would only reach 10.4 zettabytes” [10]. Hence, basedon the observation in [11], “45% of IoT-created data would bestored, processed and analyzed upon close to, or at the edgeof network”.

The majority of the IoT devices by nature are resourceconstrained in the sense that they have limited computation andstorage capability. Furthermore, the majority of the devices arealso battery powered. This creates a challenging task to design

This is the author's version of an article that has been published in this journal. Changes were made to this version by the publisher prior to publication.The final version of record is available at http://dx.doi.org/10.1109/JIOT.2019.2931372

Copyright (c) 2019 IEEE. Personal use is permitted. For any other purposes, permission must be obtained from the IEEE by emailing [email protected].

MinhoJo

강조

2

security protocols that should be lightweight in computationand communication costs, while keeping high security andmaintaining the functionality attributes needed for designingthe protocols in IoT environment. Recently, Das et al. [12]discussed about a taxonomy of security protocols that isextremely needed to secure an IoT environment. They focusedon the following security mechanisms related to IoT environ-ment, such as “key management” [13], [14], [15]; “user/deviceauthentication” [16], [17]; “device access control” [18], [19],[20]; “user access control” [21], [22]; “privacy preservation”[23]; and “identity management” [24]. The detailed discussionof these security approaches is provided in [12].

In this article, we aim to address the device access controlissue, which is treated as one of the important research areasas highlighted in [12] due to the following consideration.A deployed IoT smart device may not always be legitimatebecause some illegal (malicious) IoT devices can be placedby an adversary in IoT environment. In this case, it turns outto be hard task in distinguishing illegal new smart devices fromthe legal smart devices in IoT environment. Hence, a “deviceaccess control mechanism” is very much required when newsmart devices are installed/deployed in IoT environment forpreventing illegal devices from entering the network [12].For this issue, we consider the device access control in IoTenvironment with the following two tasks [12]:• Device (node) authentication: This task needs that “a

newly deployed smart device must authenticate itself toits neighbor smart devices to prove that it is a legitimatesmart device for accessing the information from the othersmart devices”.

• Key management: This task needs that “a newly deployedsmart device needs to establish shared secret keys with itsexisting neighbor smart devices to assure secure commu-nication during the transmission of sensing information”.

Furthermore, it is also extremely needed, in the new smartdevice deployment phase, for the device access control in theIoT network because some IoT devices may be “physicallycaptured by an adversary due to hostile (unattended) environ-ment” in some IoT applications, such as “surveillance” and“healthcare”, or some IoT devices may drain out of power asthese devices may be battery powered.

A. System Models

The following models are considered in this article.1) Network Model: A generic IoT environment is con-

sidered in this article which is adopted from [25], [26].In Fig.1, the generic IoT environment contains three sub-systems: 1) front end, 2) communication infrastructure, and3) the gateway nodes (GWNs) as database repository thatare connected globally with the IoT enabled devices as theirconnectivity. In this architecture, various scenarios, such astransportation, community, smart home and smart healthcaresystems are shown. Each scenario has its own GWN andvarious IoT smart devices that connected to the GWN . Oncethe IoT devices are registered with the GWN , each smartdevice can communicate to other smart devices in real-timeby establishing the secret pairwise keys between them based

Fig. 1. A generic IoT environment [25], [26]

on the access control mechanism. Further, the participatingsmart devices prove their authenticity mutually, and once itis successful, two neighbor participating smart devices willestablish the secret keys for future communications.

2) Threat Model: We consider the following threat modelin analyzing the security of the proposed device access controlscheme in IoT environment. The “Dolev-Yao threat (DY)model” [27] in one of the broadly-accepted models that can beapplied in various networks, such as wireless sensor networks,general wire/wireless networks as well as IoT environment.The DY model assumes that the end-point communicatingparticipants (e.g., IoT smart devices in our proposed scheme)can not be taken as trusted nodes in the network, and com-munication among the devices are insecure as their commu-nication relies on wireless medium. Under the DY model,an adversary can also tamper the data being communicatedamong the participants including interception, modification,deletion and insertion of fake information in the communicatedmessages. Due to “hostile (unattended) environment” for someIoT applications, there is also a possibility of “physical smartdevices capture attack” by the adversary by extracting thecredentials stored in those captured devices by utilizing thepower analysis attacks [28], [29] to mount some other attacks,such as “impersonation and man-in-the-middle attacks” andalso for compromising secure communication among the non-compromised IoT devices in the network.

Recently, the widely-accepted “Canetti and Krawczyk’s ad-versary model (CK-adversary model)” [30] becomes the “cur-rent de facto standard model in modeling authenticated key-exchange protocols”. According to the CK-adversary model,“the adversary can not only deliver the messages (as in the DYmodel), but also can compromise the secret credentials, secretkeys and session states where these are stored in insecurememory”. Therefore, it becomes an essential requirementthat “the leakage of some forms of secret credentials, suchas session ephemeral secrets or secret key, should have theminimum possible consequence on the secrecy of other secretcredentials of the communicating participants” [31]. Finally, itis also a typical assumption that the GWN is trusted node and



3

it will not be compromised by the adversary [32], [33]. Hence,the GWN can be put under a physical locking system inthe IoT environment based on applications (e.g., smart home,healthcare and industrial IoT).

B. Research Contributions

In this article, the following contributions are made:

• To provide the real-time data access among the IoT smartdevices, a new Device Access Control Scheme in IoT(DACS-IoT) is presented. Since the lightweight opera-tions, such as “one-way cryptographic hash function” and“elliptic curve cryptography (ECC)” are applied, DACS-IoT is a lightweight security protocol.

• In the “device authentication” task of DACS-IoT, anytwo neighbor smart devices, say SDi and SDj will beable to do node authentication in order to prove thatSDi has right to access SDj and vice-versa. For thispurpose, both the devices SDi and SDj utilize their pre-loaded certificates created by their respective GWN andother secret credentials provided by the GWN beforethey are installed/deployed in the IoT environment. In the“key management” task of DACS-IoT, only after mutualauthentication performed in the “device authentication”task both SDi and SDj will establish a secret key SKij

for future communications securely.• The broadly-accepted “Real-Or-Random (ROR model)

based formal security analysis” [34] shows that DACS-IoT achieves the “secret key security (SK-security)”.Moreover, DACS-IoT is shown to be resilient againstother potential attacks with the help of “informal (non-mathematical) security analysis”. In addition, in DACS-IoT the anonymity property is preserved.

• To strengthen the security of DACS-IoT, we have furthertested it using “formal security verification using thewidely-accepted AVISPA tool” [35].

• Finally, we have evaluated the proposed DACS-IoT fora comprehensive comparative study on “communicationand computation costs, and also security and functionalityfeatures”, and this study reveals that DACS-IoT maintainsa better trade-off among the performance parameters,“communication and computation costs, and also securityand functionality features” as compared to those for otherrelated schemes in the IoT environment.

C. Paper Outline

The related work is briefly elaborated in Section II. Thedetailed phase-wise discussions on the proposed DACS-IoTare provided in Section III. A rigorous security analysisusing both formal & informal is shown in Section IV, whilethe “simulation-based formal security verification using theAVISPA tool” is provided in Section V. In the next section(Section VI), a comprehensive comparative analysis amongthe proposed DACS-IoT and other related schemes is carriedout. Finally, Section VII draws some important concludingremarks about the work.

II. RELATED WORK

Granjal et al. [3] presented a survey work that provides athorough analysis on various security protocols and methodsavailable to protect communications in the IoT environment.They also pointed out several future research directions andchallenges that need to be addressed in the IoT environment.

Islam et al. [36] provided a survey on various “IoT-basedhealth care technologies” and then reviewed various “state-of-the-art network architectures and platforms, applications,and industrial trends in IoT-based healthcare solutions”. Fur-thermore, they analyzed the “IoT security & privacy features,including several security requirements, threat models, andattack taxonomies from the health care perspective”.

Mosenia et al. [37] argued that the security attacks andthreats are not “well-recognized” in the IoT environment. Theypresented a survey that addresses several “security attacks orconcerns and countermeasures in a level-by-level fashion”.Yang et al. [38] also presented a survey work that exploresvarious security & privacy aspects in IoT domain in fourdifferent aspects. In the first aspect, they discussed variousrelevant drawbacks (limitations) of IoT smart devices andtheir respective solutions. In the second aspect, they presentedseveral classifications of existing IoT related attacks. In thethird aspect, they scrutinized various authentication as wellas access control mechanisms in the IoT environment. In thefourth aspect, they also analyzed various security approachesand issues related to several layers, such as “perception layer,network layer, transport layer, and application layer”.

Ni et al. [7] presented another interesting survey work inwhich they analyzed the “architecture and features of fog com-puting” and also studied “critical roles of fog nodes, includingreal-time services, transient storage, data dissemination anddecentralized computation”. In addition, they discussed vari-ous security & privacy threats that are for the IoT applications,and also the security & privacy aspects that are essential infog computing environment.

Zhou et al. [39] proposed a “certificate-based access controlscheme” that applies ECC along with the “bootstrappingtime” designed for “wireless sensor networks (WSNs)”. Later,another access control mechanism was proposed by Huang[40], which is based on the existing Schnorr signature [41] andthe expiration time of sensing devices. However, Chatterjee etal. [42] pointed out that Huang’s scheme was vulnerable to“man-in-the-middle attack”. To resolve this limitation, theyalso designed an efficient and more secure access controlmechanism that relies on “one-way cryptographic hash func-tion” as well as ECC.

Huang and Liu [43] designed a “certificateless access con-trol method” that has “hash-chain based” and “hash-chainless”mechanisms. Kim and Lee [44] cryptanalyzed Huang’s scheme[45], and showed that the scheme was vulnerable to “replayattack” and that does not support any method to regenerate thefinished hash chain. In addition, they designed an “enhancedaccess control scheme” that supports a “hash chain renewalphase”. However, Zeng et al. [46] also showed that Kim andLee’s scheme [44] contains two issues: 1) a new deployed



4

sensing device can masquerade itself and 2) a legal sensingdevice can also perform a “masquerading attack”.

Li et al. [18] proposed an access control scheme for WSNsin the IoT context by applying their proposed “heterogeneoussigncryption scheme (CI-HSC) that allows a sender in thecertificateless cryptography (CLC) environment to transmit amessage to a receiver in the identity-based cryptography (IBC)environment”. Their approach is also based on the “identity-based access control (IBAC)” model. Since their mechanismis based on IBC and bilinear pairing operations, it is costly interms of computation costs.

Braeken et al. [19] designed “efficient and distributedauthentication protocol (eDAAAS)” for accessing the end-nodes in IoT environment that is for “smart homes”. eDAAASrequires very low computation cost as it relies on lightweightcryptographic primitives, such as “symmetric cryptosystem”and “one-way cryptographic hash function”.

Recently, Luo et al. [20] also designed “efficient accesscontrol protocol for WSNs in the cross-domain context ofthe IoT that allows an Internet user in a CLC environment tocommunicate with an IoT smart device in an IBC environmentwith different system parameters”. Since this scheme is basedon IBC and bilinear pairing operations, it is also costly interms of computation costs. In addition, all the schemes [18],[19], [20] demand for involvement of the GWN in their accesscontrol mechanism between two IoT smart devices.

Most of the existing device access control schemes proposedin the literature for both IoT and related environment, such asin WSNs, are either insecure against various known attacksor they are inefficient in communication as well computation.In this paper, we design a novel secure anonymous deviceaccess control scheme for IoT environment using certificatesand signatures in order to eradicate the security pitfalls inthe existing device access mechanisms. The proposed schemealso supports addition of new IoT device deployment afterthe initial deployment in an IoT environment. The formalsecurity using ROR-based model and formal security verifica-tion using AVISPA-simulation based software tool can assurethat the proposed scheme be secure against various knownattacks. In addition, the informal security analysis has beencarried out to strengthen the security of the proposed scheme.Moreover, the proposed scheme provides better security andfunctionality attributes (see Section VI-A) including “deviceanonymity” property (see Section IV-B7) and resistance to“Ephemeral Secret Leakage (ESL)” attack (see Section IV-B6)that is treated as one of the very important security attributesin device access control mechanisms as compared to otherexisting device access control mechanisms in IoT and relateddomains.

In the next section, we discuss various phases related to theproposed device access control scheme.

III. THE PROPOSED SCHEME

In this section, we design a novel device access controlscheme for IoT deployment, called DACS-IoT, which islightweight in nature as it relies on “one-way cryptographichash function” and ECC. DACS-IoT contains various phases,

namely 1) setup, 2) device enrollment, 3) device accesscontrol, and 4) dynamic device addition. The details of thesephases are described in the following subsections. The no-tations along with their significance tabulated in Table I areutilized in describing and analyzing DACS-IoT. In addition,in order to assure resilience against replay attack, the currenttimestamps have been utilized in DACS-IoT. The clocks ofall the involved communicating entities are then assumed tobe synchronized. It is a typical assumption applied in theliterature, such as the schemes presented in [32], [33], [47],[48], [49].

TABLE INOTATIONS AND THEIR SIGNIFICANCE

Symbol SignificanceSDi, IDdevi ith IoT sensing device and its identity, respectivelyGWN , IDgwn Gateway node and and its identity, respectivelyEp(a, b) Non-singular elliptic curve: y2 = x3 + ax + b

(mod p)G A base point in Ep(a, b)x.P “ECC scalar (point) multiplication” of the point P ∈

Ep(a, b), x.P = P+P+· · ·+P (x times), x ∈ Z∗p

P + Q “ECC point addition”, P,Q ∈ Ep(a, b)(pgwn, Pgwn) Private and public keys pair of the GWN , respec-

tively, Pgwn = pgwn.G(kdevi , Kdevi ) Private and public keys pair of SDi, respectively,

Kdevi = kdevi .Gcertdevi Certificate of SDi generated by the GWNsigndevi Signature of SDi signed by its private key kdeviTSi Current timestamp of SDi

∆T “Maximum allowable transmission delay associatedwith a message”

SDi → SDj : M Device SDi sends message M to its neighbor deviceSDj

h(·) “Collision-resistant one-way cryptographic hashfunction”

⊕, ‖ “Bitwise XOR” & “string concatenation” operations,respectively

A Passive/active adversary

A. Setup Phase

The setup phase is executed by the “gateway node (GWN)”in order to select the system parameters with the followingsteps. It is worth noting that the GWN can be considered asa “Public Key Infrastructure (PKI)” in the proposed scheme(DACS-IoT).S1. The GWN fixes a “collision-resistant one-way crypto-

graphic hash function” h(·) defined by h: {0, 1}∗ →{0, 1}l, which takes an arbitrary length input string andproduces a fixed-length (l bits) hash output, called themessage digest or hash value. h(·) can be considered asSecure Hash Standard (SHA-1) algorithm or it can beSHA-2 for more security achievement [50].

S2. Next, the GWN picks a “non-singular elliptic curveEp(a, b) of the form y2 = x3 + ax + b (mod p)having a large prime p and two constants a, b ∈ Zp

= {0, 1, . . . , p−1} such that the necessary and sufficientcondition 4a3 + 27b2 6= 0 (mod p) is satisfied”.

S3. The GWN then picks a base point G on Ep(a, b) whoseorder is as large as p, say n such that n.G = G+ G+· · · + G (n times) = O, where O is called the point atinfinity or zero point.



5

S4. Finally, the GWN generates a public-private key pair(Pgwn, pgwn) by selecting a private key pgwn randomly &then calculating its correspondingly public key as Pgwn =pgwn.G.

At the end of this phase, the GWN publishes the publicparameters {h(·), Ep(a, b), G, Pgwn} and keeps its private keypgwn as secret.

B. Device Enrollment Phase

In this phase, all the IoT sensing devices need to beregistered in offline mode by the GWN before these areinstalled in the IoT environment. The following steps areessential to serve this purpose:E1. For each IoT sensing device SDi, the GWN fixes a

unique ID IDdevi & generates a random private keykdevi ∈ Z∗p to calculate the corresponding public keyKdevi = kdevi .G, where Z∗p = {a | 0 < a < p,gcd(a, p) = 1} = {1, 2, . . . , p− 1}.

E2. The GWN then creates a certificate certdevi for ev-ery sensing device SDi as certdevi = pgwn.h(IDgwn

||Kdevi)+ kdevi (mod p) using its own private key pgwn.

It is worth noting that since the certificate certdevicontains pgwn, it is only created by the GWN .

E3. Finally, the GWN pre-loads the materials {IDdevi ,IDgwn, kdevi , Kdevi , h(·), Ep(a, b), G, certdevi , Pgwn}in the memory of each SDi.

The summary of this phase is illustrated in Fig. 2.

IoT sensing device (SDi)

{IDdevi , IDgwn, kdevi, Kdevi

, h(·),Ep(a, b), G, certdevi , Pgwn}

Fig. 2. Credentials stored in SDi during device enrollment phase

C. Device Access Control Phase

For secure communication between two neighbor IoT sens-ing devices SDi and SDj , node authentication needs to besuccessful before establishment of the secret pairwise keybetween them. This is achieved by executing the followingsteps:A1. SDi → SDj : msg1 = {certdevi , sigdevi , TSi, Ri,

Kdevi}A1.1. SDi first generates the current timestamp TSi and a

random secret ri ∈ Z∗p to calculate the correspondingpublic Ri = h(ri|| IDdevi || kdevi

|| TSi).G using itsown stored private key kdevi and identity IDdevi

.A1.2. SDi calculates the signature sigdevi on ri and IDdevi

as sigdevi = h(ri|| IDdevi || kdevi || TSi)+ kdevi .h(certdevi || Ri|| Kdevi

|| IDgwn ||TSi) (mod p).A1.3. SDi then dispatches the message authentication re-

quest message msg1 = {certdevi, sigdevi , TSi, Ri,

Kdevi} to its neighbor SDj over open channel.A2. SDj → SDi: msg2 = {certdevj , sigdevj , TSj , Rj ,

Kdevj , SKVij}After receiving the msg1 from SDi, SDj performs thefollowing sequence of verification steps:

A2.1. SDj firstly checks if the verification condition |TSi−TScurrent| < ∆T holds or not, where TScurrent isthe time when the message was received by SDj and∆T is the “maximum allowable transmission delay”.If this verification does not hold, SDj discards themessage and discontinues the phase promptly. Oncethis condition is satisfied, the certificate certdevi verifi-cation is done by checking the condition: certdevi .G =h(IDgwn|| Kdevi

)Pgwn+ Kdevi. Note that

certdevi .G = h(IDgwn||Kdevi)(pgwn.G) + kdevi.G

= h(IDgwn||Kdevi).Pgwn +Kdevi .

After the successful certificate verification, the sig-nature verification is done by SDj to check if thecondition sigdevi

.G = Ri+ h(certdevi || Ri|| Kdevi ||IDgwn|| TSi).Kdevi holds true. If the condition fails,the phase is discontinued promptly. It is also worthnoting that sigdevi .G = h(ri ||IDdevi ||kdevi ||TSi).G+(kdevi .G) h(certdevi ||Ri ||Kdevi ||IDgwn ||TSi) =Ri+ h(certdevi ||Ri ||Kdevi

||IDgwn ||TSi).Kdevi.

If the signature validation fails, the phase is alsodiscontinued promptly.

A2.2. SDj now generates a random secret rj ∈ Z∗p and thecurrent timestamp TSj , and calculates Rj = h(rj ||IDdevj

|| kdevj || TSj).G. After that SDj calculatesthe signature sigdevj

= h(rj ||IDdevj||kdevj ||TSj)

+kdevj.h(certdevj ||Rj ||Kdevj ||IDgwn ||TSj)

(mod p). Using the generated rj , certdevj and TSj ,SDj calculates the secret key shared with SDi asSKij = h(h(rj ||IDdevj

||kdevj||TSj).Ri ||certdevi

||certdevj ||IDgwn) and its verifier as SKVij =h(SKij ||TSj). Next, SDj dispatches the authentica-tion reply message msg2 = {certdevj , sigdevj , TSj ,Rj , Kdevj , SKVij} to SDi over an open channel.

A3. After receiving the msg2 from SDj , SDi performs thefollowing sequence of verification stages to check theauthenticity of the message msg2 as well as SDj .

A3.1. SDi verifies the validity of |TSj −TScurrent| < ∆T ,where TScurrent represents the time when the messagewas received. Once this condition is fulfilled, the cer-tificate certdevj verification is the next step by SDi bychecking the condition certdevj .G = Pgwn.h(IDgwn

||Kdevj ) +Kdevj . After this certificate verification, thesignature verification takes place using the conditionsigdevj .G = Rj+ h(certdevj ||Rj ||Kdevj ||IDgwn

||TSj).Kdevj. If the condition fails, SDi discontinues

this phase promptly. Note that sigdevj .G = h(rj||IDdevj ||kdevj

||TSj).G +(kdevj .G) h(certdevj||Rj

||Kdevj ||IDgwn ||TSj) = Rj+ h(certdevj||Rj

||Kdevj ||IDgwn ||TSj).Kdevj . Otherwise, the nextstep is executed by SDi.

A3.2. SDi calculates the secret key shared with SDj asSK ′ij = h(h(ri ||IDdevi

||kdevi||TSi).Rj ||certdevi

||certdevj ||IDgwn) and the secret key verifier asSKV ′ij = h(SK ′ij ||TSj), and checks if the computedsecret key verifier SKV ′ij matches with the receivedverifier SKVij . If the condition fails, SDj is not



6

authenticated by SDi. Otherwise, SDi treats SK ′ij(= SKij) as the valid secret key shared with SDj .In a similar way, SDj also keeps the secret key SKij

shared with SDi. It is worth noticing that

SK ′ij = h(h(ri||IDdevi ||kdevi ||TSi).Rj

||certdevi ||certdevj ||IDgwn)

= h((h(ri||IDdevi ||kdevi ||TSi).

h(rj ||IDdevj ||kdevj ||TSj).G)


= h(h(rj ||IDdevj ||kdevj ||TSj).Ri


= SKij .

The summary of the device access control phase of DACS-IoTis illustrated in Fig. 3.

Sensing Device (SDi) Sensing Device (SDj)

Generate current timestamp TSi.Randomly pick random secret ri.ComputeRi = h(ri|| IDdevi || kdevi

|| TSi).G,sigdevi = h(ri|| IDdevi || kdevi || TSi) Check if |TSi − TScurrent| ≤ ∆T ?+kdevi .h(certdevi || Ri|| Kdevi || If so, check if certdevi .G =IDgwn|| TSi) (mod p). h(IDgwn|| Kdevi).Pgwn+ Kdevi andmsg1 = {certdevi , sigdevi , sigdevi

.G = Ri+ h(certdevi ||TSi, Ri,Kdevi}−−−−−−−−−−−→

Ri|| Kdevi || IDgwn|| TSi).Kdevi?

(via open channel) If these hold, pick random secret rj ,and current timestamp TSj .Compute Rj = h(rj || IDdevj

||kdevj || TSj).G,signature sigdevj = h(rj ||IDdevj

Check if |TSj − TScurrent| ≤ ∆T ? ||kdevj ||TSj) +kdevj .h(certdevj ||Rj

If so, verify if ||Kdevj ||IDgwn ||TSj) (mod p),certdevj

.G = Pgwn.h(IDgwn secret key SKij = h(h(rj ||IDdevj

||Kdevj ) +Kdevj & ||kdevj||TSj).Ri ||certdevi

sigdevj .G = Rj+ h(certdevj ||certdevj||IDgwn) and its verifier

||Rj ||Kdevj||IDgwn ||TSj).Kdevj

. SKVij = h(SKij ||TSj).If all conditions are satisfied, msg2 = {certdevj , sigdevj , TSj ,compute SK ′ij = h(h(ri ||IDdevi Rj ,Kdevj , SKVij}←−−−−−−−−−−−−−||kdevi ||TSi).Rj ||certdevi (via open channel)||certdevj ||IDgwn) & verifierSKV ′ij = h(SK ′ij ||TSj).Check if SKV ′ij = SKVij?If so, SDj is authenticated.

Both SDi and SDj maintain secret key SKij (= SK ′ij).

Fig. 3. Summary of device access control phase between SDi and SDj

D. Dynamic Device Addition Phase

To install a new IoT sensing device, say SDnew in the exist-ing network, the GWN requires the following pre-deploymentsteps in the offline mode:D1. The GWN needs to fix a unique ID, say IDnew &

generate a random private key knew ∈ Z∗p in order tocalculate the corresponding public key Knew = knew.G.

D2. The GWN creates a certificate certnew for new deviceSDnew as certnew = pgwn.h(IDgwn ||Knew)+ knew(mod p) using its own private key pgwn.

D3. The GWN then pre-loads the materials {IDnew, IDgwn,knew, Knew, h(·), Ep(a, b), G, certnew, Pgwn} in thememory of SDnew.

Once the pre-deployment steps are performed successfully,the new sensing device SDnew can be deployed in theexisting network and it starts secure communication with itsneighboring sensing devices using the device access controlphase stated in Section III-C.

IV. SECURITY ANALYSIS

To analyze the security of the proposed DACS-IoT, wedefine the “one-way cryptographic hash function” and “ellip-tic curve decisional Diffie-Hellman problem (ECDDHP)” asfollows.

Definition 1 (Collision-resistant cryptographic one-way hashfunction). A “collision-resistant cryptographic one-way hashfunction” h: {0, 1}∗ → {0, 1}l is treated as a “deterministicfunction that on a variable length input string produces a fixedlength output string of l bits, say”. Let AdvHASH

(A) (rt) denotethe “advantage of an adversary A in finding a hash colli-sion” in h(· · · ). Then, AdvHASH

(A) (rt) = Pr[(i1, i2) ∈R A:i1 6= i2, h(i1) = h(i2)], where Pr[E] is the “probability of arandom event E”, and the input pair (i1, i2) ∈R A means thatthe input strings i1 and i2 will be randomly picked by A. Wesay “an (ζ, rt)-adversary A attacking the collision resistanceof h(·)” means that A’s runtime is at the most rt and thatAdvHASH

(A) (rt) ≤ ζ.

Definition 2 (Elliptic curve decisional Diffie-Hellman problem(ECDDHP)). Let Ep(a, b) be an elliptic curve over a primep: y2 = x3 + ax + b (mod p) and P ∈ Ep(a, b) be a point.The ECDDHP is that given a quadruple (P, x.P, y.P, z.P ),determine if z = xy or a uniform random value, where x, y,z ∈ Z∗p and Z∗p = {1, 2, . . . , p− 1}.

The ECDDHP turns out to be “computationally infeasible”if p is chosen large. For intractability of ECDDHP, p shouldbe selected as at least 160-bit prime.

A. Formal Security Analysis using ROR Model

The “broadly-accepted Real-Or-Random (ROR) model”[34] has been applied in order to prove the semantic securityof the proposed scheme (DACS-IoT). Using the ROR model,we prove the ‘secret key security (SK-security)” of DACS-IoTin this section.

Under the ROR model, an adversaryA is connected with thesth instance of an executing participant, say Ps. In DACS-IoT,the IoT smart device SDi or SDj can be considered as Ps.Suppose Ps

SDiand Pt

SDjwill denote the sth and tth instances

of SDi and SDj , respectively. Various queries simulating areal attack, such as Execute, Reveal and Test are tabulatedin Table II. In addition, we assume that a “collision-resistantcryptographic one-way hash function h(·) can be modeled asa random oracle, say Hash”, which is accessible by all thecommunicating participants including A.

In Theorem 1, we now prove that DACS-IoT achieves theSK-security.

Theorem 1. Let an adversary A run in “polynomial time t”against the proposed scheme (DACS-IoT). If qhash, |Hash|and AdvECDDHP

A (t) be “number of hash queries, range



7

TABLE IIVARIOUS QUERIES AND THEIR SIGNIFICANCE

Query SignificanceExecute(Ps

SDi,Pt

SDj) Using this query, A can intercept the mes-

sages exchanged between SDi and SDj

Reveal(Ps) This query execution allows to reveal thecurrent secret key SKij between Ps andits partner to the adversary A

Test(Ps) A pleas Ps for the secret key SKij andPs responses with a probabilistic outcomeof a flipped unbiased coin, say c

space of one-way hash function h(·) and A’s advantage inbreaking ECDDHP”, respectively, A’s “advantage in break-ing DACS-IoT’s semantic security in order to derive thesecret key SKij between any two neighbor IoT smart devicesSDi and SDj during the access control and key agreementphase” can be estimated as AdvDACS−IoT

A (t) ≤ q2hash

|Hash| +

2AdvECDDHPA (t).

Proof. The following three games, say Gj , j ∈ [0, 2] areconsidered in proving this theorem, where Succ

Gj

A denotes“an event wherein A can guess the random bit c in the Gj

correctly”. We also denote “advantage of A in winning thegame Gj as AdvDACS−IoT

A,Gj= Pr[Succ

Gj

A ]”. The proof ofthis theorem is similar to that presented in other schemes [32],[33]. The detailed descriptions of these games Gj , j ∈ [0, 2]are given below.

Game G0: In fact, this game is the “actual attack executedby A against the proposed DACS-IoT in the ROR sense” forthe game G0. Since the bit c is selected randomly before thegame G0 starts, it follows from the semantic security that

AdvDACS−IoTA (t) = |2.AdvDACS−IoT

A,G0− 1| (1)

Game G1: This game modeled as “an eavesdropping at-tack”, where A can eavesdrop all the communicated messagesmsg1 = {certdevi , sigdevi , TSi, Ri, Kdevi} and msg2 ={certdevj , sigdevj , TSj , Rj , Kdevj , SKVij} during the accesscontrol & key agreement phase (Section III-C) with the helpof the Execute query mentioned in Table II. At the endof the game, A can execute the Reveal and Test queriesto verify “if the calculated secret key SKij between SDi

and SDj is actual or a random key”. SKij among SDi

and SDj is calculated as SKij = h(h(rj ||IDdevj ||kdevj||TSj).Ri ||certdevi ||certdevj ||IDgwn) = h(h(ri ||IDdevi

||kdevi||TSi).Rj ||certdevi ||certdevj ||IDgwn) = SK ′ij . The

security of the secret key SKij is dependent on the temporal(short term) secrets (ri & rj) and long term secrets (IDdevi

,IDdevj , IDgwn, kdevi & kdevj ) which are unknown to A.Thus, only the eavesdropping of the messages msg1 and msg2will not at all increase A’s winning probability in the gameG1. As the games G0 and G1 are indistinguishable, we havethe following result:

AdvDACS−IoTA,G1

= AdvDACS−IoTA,G0

(2)

Game G2: The simulation of the Hash query is added inthis game G2. This game is modeled as “an active attack”.In the message msg1, the credentials ri, IDdevi

, IDgwn and

kdevi are protected by the “collision-resistant cryptographicone-way hash function h(·) (see Definition 1)”. Also, in themessage msg2, the credentials rj , IDdevj

, IDgwn and kdevjare safeguarded by h(·). Again, from the intercepted Ri =h(ri|| IDdevi

|| kdevi|| TSi).G and Rj = h(rj || IDdevj ||

kdevj || TSj).G, it is a “computationally infeasible task”for A to calculate h(rj ||IDdevj ||kdevj ||TSj).Ri or h(ri||IDdevi ||kdevi ||TSi).Rj , and hence, the secret key SKij

(= SK ′ij) due to intractability of ECDDHP (see Definition 2).Furthermore, deriving ri, IDdevi , IDgwn, kdevi

, rj , IDdevj

and kdevjfrom the intercepted messages msg1 and msg2 is

also a “computationally infeasible problem” due to “collision-resistant property of h(·)”. Since all the random numbers, cur-rent timestamps, identities and secret credentials are utilizedin the messages msg1 and msg2, we have no collision if theHash query is executed by A. As both the games G1 and G2

are “indistinguishable” except the inclusion of the simulationof the Hash query in the game G2, the birthday paradox andthe intractability of ECDDHP will deduce the following result:

|AdvDACS−IoTA,G1

−AdvDACS−IoTA,G2

| ≤ q2hash2|Hash|

(3)

+AdvECDDHPA (t)

All the queries have been simulated by A and only guessingthe bit c is left to win the game once the Reveal query alongwith Test query are executed. Therefore, we have

AdvDACS−IoTA,G2

=1

2(4)

Eqs. (1)–(4) give the following result:

1

2.AdvDACS−IoT

A (t) = |AdvDACS−IoTA,G0

− 1

2|

= |AdvDACS−IoTA,G1

−AdvDACS−IoTA,G2

|

≤ q2hash2|Hash|

+AdvECDDHPA (t) (5)

Finally, simplifying Eq. (5) by multiplying both sides by afactor of 2, we arrive into the required result:AdvDACS−IoT

A (t) ≤ q2hash

|Hash| + 2AdvECDDHPA (t).

B. Informal Security Analysis and Other Discussions

We also show that DACS-IoT can resist the followingimportant attacks and supports other functionality features(anonymity property) through the non-mathematical (informal)security investigation.

1) Device Impersonation Attack: In this attack, an adver-sary, say A will try to impersonate a smart (sensing) deviceSDj on behalf of another device SDi so that SDj will beforced to believed that the valid message(s) came from thevalid SDi only. To perform such a task, A may generate acurrent timestamp, say TSa and random number ra, and mayattempt to construct a legitimate message msg1a = {certdevi

,sigdevi , TSa, Ra, Kdevi} on behalf of SDi. However, it isworth noticing that computing Ra = h(ra|| IDdevi || kdevi ||TSa).G and sigdevi = h(ra|| IDdevi || kdevi || TSa)+ kdevi .h(certdevi

|| Ra|| Kdevi|| IDgwn ||TSa) (mod p) need the

secret credentials IDdevi , kdevi and IDgwn. Therefore, it is a



8

“computationally feasible task” for A to create valid messagemsg1a on behalf of SDi. The similar situation happenswhen A also attempts to create a valid message msg2 onbehalf of SDj . Thus, in both cases A will not succeed toimpersonate either SDi or SDj . This clearly indicates that“device impersonation attack” is protected in DACS-IoT.

2) Replay Attack: In replay attack, an adversary A eaves-drops the communicated message among two entities and thenfraudulently re-sends or replays it to gain secret credentials.Suppose A intercepts all the communicated messages msg1 ={certdevi , sigdevi , TSi, Ri, Kdevi} and msg2 = {certdevj ,sigdevj , TSj , Rj , Kdevj , SKVij} during the access control &key agreement phase (Section III-C). SDj checks the validityof received timestamp TSi in msg1 by the condition |TSi −TScurrent| < ∆T . Since ∆T is typically short, the adversaryA will not succeed in replaying the same old message msg1.Similarly, the validation condition |TSj − TScurrent| < ∆Tat SDi discards the old replayed message msg2 by A. Thus,the replay attack protection is assured in DACS-IoT.

3) Man-in-the-Middle Attack: In this attack, the adversaryA will intercepts the communicating messages and then tryto modify the messages in such a way that the modifiedmessages will be treated as valid ones by the recipient. Sup-pose A intercepts the messages msg1 = {certdevi , sigdevi ,TSi, Ri, Kdevi} and msg2 = {certdevj , sigdevj , TSj , Rj ,Kdevj , SKVij} during the access control & key agreementphase (Section III-C). To convert it into another valid mes-sage, say msg2a = {certdevj

, sigdevj , TSa, Ra, Kdevj ,SKVij}, A can create current timestamp Ta and randomnumber ra, and try to compute Ra = h(ra|| IDdevj || kdevj ||TSa).G, the signature sigdevj = h(ra ||IDdevj ||kdevj ||TSa)+kdevj .h(certdevj ||Ra ||Kdevj ||IDgwn ||TSa) (mod p),the secret key SKij = h(h(ra ||IDdevj

||kdevj ||TSa).Ri

||certdevi ||certdevj ||IDgwn) and its verifier as SKVij =h(SKij ||TSa). However, these tasks are “computationallyinfeasible” by A because secret credentials IDdevj , kdevj andIDgwn are unknown to A. A similar scenario arises whenA will also try to modify the message msg1. This resultsinto conclusion that “man-in-the-middle attack” is protectedin DACS-IoT.

4) Malicious Device Deployment Attack: In this attack,suppose the adversary A will try to deploy a fake (malicious)IoT smart device, say SDf into the existing network. Toachieve this task, A may attempt to pick an identity IDf

and a random private key kdevf∈ Zp∗ for calculating the

corresponding public key Kdevf = kdevf .G using the publicsystem parameters {h(·), Ep(a, b), G, Pgwn}. However, gener-ation of a valid certificate on behalf of the trusted GWN of theform certdevf

= pgwn.h(IDgwn ||Kdevf)+ kdevf

(mod p)will be “computationally infeasible task” as the private keypgwn of the GWN is only known to the GWN . This will thenrestrict to deploy a malicious device in the existing network,and hence, DACS-IoT is resilient against “malicious devicedeployment attack”.

5) Resilience against Device Physical Capture Attack:Suppose n smart devices can be physically captured bythe adversary A because the smart devices are deployed in“unattended/hostile environment” in some IoT applications,

such as healthcare and military. Once a smart device, saySDi is captured, A can easily extract all the information{IDdevi , IDgwn, kdevi , Kdevi

, h(·), Ep(a, b), G, certdevi ,Pgwn} from its memory by the power analysis attacks [28],[29] as discussed in the attack model (Section I-A2). However,the credentials {IDdevi

, kdevi, Kdevi

, certdevi} loaded in thememory of other devices SDj are completely distinct and alsounique as compared to those for the compromised credentialsof captured device SDi. The compromised credentials willnot then help in computing the secret keys SKjk between anytwo non-compromised smart devices SDj and SDk in theIoT environment. Hence, compromise of n smart devices donot lead to compromise the secure communications among thenon-compromised devices in the network by A. This propertyis known as “unconditional security against device physicalcapture attack”. Thus, the “device physical capture attack” isprotected in DACS-IoT.

6) Ephemeral Secret Leakage (ESL) Attack: In our DACS-IoT scheme, the secret key established between two neighborsmart devices SDi and SDj during the access control &key agreement phase (Section III-C) is SKij = h(h(rj||IDdevj ||kdevj ||TSj).Ri ||certdevi ||certdevj ||IDgwn)= h(h(ri ||IDdevi ||kdevi ||TSi).Rj ||certdevi ||certdevj

||IDgwn) = SK ′ij . This secret key SKij is now dependent onboth the “ephemeral (session-temporary or short term) secretcredentials” ri and rj , and the long-term (permanent) secretcredentials kdevi , kdevj , IDdevi , IDdevj and IDgwn. We nowconsider the following two cases:• Case 1. Even if the ephemeral secrets ri and rj are

known through compromise of session states accordingto the CK-adversary model discussed in the attack model(Section I-A2) to the adversary A, it becomes “compu-tationally difficult task” for A to calculate the secret keySKij without having the “long-term secrets kdevi

, kdevj,

IDdevi , IDdevjand IDgwn”.

• Case 2. Even if the long term secrets kdevi , kdevj,

IDdevi , IDdevjand IDgwn are somehow leaked to A,

it also becomes “computationally difficult task” for A tocalculate the secret key SKij without having the “short-term secrets ri and rj”.

From the above two cases, it is a clear evident that the SKij

is only compromised when A compromises both short & longterm secrets. In DACS-IoT, the established secret keys betweenany two smart devices are unique and distinct, and hence,a secret key leakage to A in a particular session does notlead to derivation of other secret keys in other sessions asboth short & long term secrets are applied in construction ofsecret keys. Furthermore, due to intractability of ECDDHP(see Definition 2), it is “computationally infeasible task forA to derive h(rj ||IDdevj ||kdevj ||TSj).Ri or h(ri ||IDdevi

||kdevi||TSi).Rj from the intercepted Ri = h(ri|| IDdevi ||

kdevi|| TSi).G and Rj = h(rj || IDdevj

|| kdevj|| TSj).G. As

a result, “session-temporary information attack” is protectedin DACS-IoT, and DACS-IoT also preserves “perfect forwardsecrecy”. Thus, DACS-IoT is secure against “ESL attack”.

7) Anonymity: In an “anonymous communication”, theusers are permitted to transmit the messages to each otherwithout disclosing their identity. Assume that there are three



9

parties, namely A and B as the senders and R as the receiver.We say a protocol permitting A and B to transmit messagesto R is “anonymous” if the following properties are met [51]:1) “If A and B are honest then their anonymity is preserved”and 2) “If an adversary corrupts only one sender then it cannotviolate the privacy or the correct delivery of the message sentby the other sender, nor it can correlate its own message withthe other message”.

The exchanged messages msg1 = {certdevi , sigdevi , TSi,Ri, Kdevi} and msg2 = {certdevj

, sigdevj, TSj , Rj , Kdevj

,SKVij} during the access control & key agreement phase(Section III-C) do not contain any identities IDdevi andIDdevj of the smart devices SDi and SDj , respectively.Here, the used signatures are sigdevi

= h(ri|| IDdevi ||kdevi

|| TSi)+ kdevi . h(certdevi || Ri|| Kdevi || IDgwn ||TSi)(mod p) and sigdevj = h(rj ||IDdevj ||kdevj ||TSj)+kdevj .h(certdevj ||Rj ||Kdevj ||IDgwn ||TSj) (mod p).The certificate certdevi and identity IDdevi

are attached withsigndevi , and the certificate certdevj and identity IDdevj

arealso attached with sigdevj . Thus, de-anonymization attacksare prevented in DACS-IoT. Furthermore, during the entirecommunication the identities of both SDi and SDj are kepthidden from the adversary A, and also the messages arenot correlated by A. As a result, DACS-IoT achieves theanonymity property.

% OFMC

% Version of 2006/02/13

SUMMARY

SAFE

DETAILS

BOUNDED_NUMBER_OF_SESSIONS

PROTOCOL

C:\progra~1\SPAN\testsuite

\results\device_accesscontrol.if

GOAL

as_specified

BACKEND

OFMC

COMMENTS

STATISTICS

parseTime: 0.00s

searchTime: 0.04s

visitedNodes: 8 nodes

depth: 3 plies

SUMMARY

SAFE

DETAILS

BOUNDED_NUMBER_OF_SESSIONS

TYPED_MODEL

PROTOCOL

C:\progra~1\SPAN\testsuite

\results\device_accesscontrol.if

GOAL

As Specified

BACKEND

CL−AtSe

STATISTICS

Analysed : 4 states

Reachable : 0 states

Translation: 0.11 seconds

Computation: 0.00 seconds

Fig. 4. Analysis of simulation results under OFMC & CL-AtSe backends

V. FORMAL SECURITY VERIFICATION USING AVISPA:SIMULATION STUDY

AVISPA stands for “Automated Validation of Internet Se-curity Protocols and Applications” tool which is consideredas a popular “push-button tool for the automated validationof Internet security-sensitive protocols and applications and itprovides a modular and expressive formal language for spec-ifying protocols and their security properties, and integratesdifferent back-ends that implement a variety of state-of-the-art automatic analysis techniques [35]”.

In AVISPA, there are four backends, namely 1) “On-the-fly Model-Checker (OFMC) that does several symbolictechniques to explore the state space in a demand-driven way”,2) “CL-AtSe (Constraint-Logic-based Attack Searcher) thatprovides a translation from any security protocol specificationwritten as transition relation in intermediate format into a

set of constraints which are effectively used to find whetherthere are attacks on protocols”, 3) “SAT-based Model-Checker(SATMC) that builds a propositional formula which is thenfed to a state-of-the-art SAT solver and any model found istranslated back into an attack”, and 4) “TA4SP (Tree Automatabased on Automatic Approximations for the Analysis ofSecurity Protocols) that approximates the intruder knowledgeby using regular tree languages”.

A tested security protocol needs to be implemented usingthe “High-Level Protocol Specification Language (HLPSL)[52]”. The HLPSL code is first transferred into the “Intermedi-ate Format (IF)” using the HLPSL2IF translator which is thenfed as an input to one of the four backends. The IF then outputsthe “Output Format (OF)”. The OF has the following importantcharacteristics: “when the analysis of a security protocol hasbeen successful (by finding an attack or not), the OF describesprecisely what is the result, and under what conditions it hasbeen obtained [8]”. The OF contains several sections that aredescribed in [35].

In our HLPSL implementation of DACS-IoT, there are threebasic roles for the GWN , and two smart devices SDi andSDj . Apart from these basic roles, we have also implementedthe composition roles (session and goal & environment) arethe mandatory roles where various scenarios involving basicroles are included.

Finally, we have applied the broadly accepted “SPAN (Se-curity Protocol ANimator for AVISPA)” tool [53] to performthe formal security verification part through simulation studyon our proposed DACS-IoT scheme. The simulation resultsunder the broadly-used OFMC as well as CL-AtSe backendsillustrated in Fig. 4 assure that DACS-IoT is secure againstboth replay & man-in-the-middle attacks.

VI. COMPARATIVE STUDY

In this section, we analyze the performance of our proposedDACS-IoT with the relevant recent schemes, such as theschemes proposed by Luo et al. [20], Li et al. [18], Zhouet al. [39], Huang [45], and Kim and Lee [44].

A. Security and Functionality Attributes Comparison

In Table III we tabulate the comparative study on “function-ality & security attributes” for the proposed DACS-IoT andother schemes [18], [20], [39], [44], [45]. It is worth notingthat both the schemes of Luo et al. [20] and Li et al. [18]do not fulfill FSA3, SFA8, SFA10–SFA12, while Zhou etal.’s scheme [39] fails to support FSA8, FSA9, FSA11 andFSA12, Huang’s scheme [45] does not fulfill FSA1, FSA6,FSA8, FSA9, FSA11 and FSA12, and Kim-Lee’s scheme[44] does not support FSA5, FSA6, FSA8, FSA9, FSA11

and FSA12. However, DACS-IoT fulfills all the mentionedattributes FSA1–FSA11 in Table III.

B. Communication Costs Comparison

For communication costs comparison among the proposedDACS-IoT and other schemes, we assume that an identity is160 bits, a random number is 160 bits, hash output (if SHA-1



10

TABLE IIICOMPARISON OF FUNCTIONALITY & SECURITY ATTRIBUTES

Attribute Luo et al. [20] Li et al. [18] Zhou et al. [39] Huang [45] Kim-Lee [44] DACS-IoTFSA1 X X X × X XFSA2 X X X X X XFSA3 × × X X X XSFA4 X X X X X XSFA5 X X X X × XSFA6 X X X × × XSFA7 X X X X X XSFA8 × × × × × XSFA9 X X × × × XSFA10 × × X X X XFSA11 × × × × × XFSA12 × × × × × X

FSA1: replay attack; FSA2: man-in-the-middle attack; FSA3: mutual authentication; FSA4: key agreement; FSA5: device impersonation attack; FSA6:malicious device deployment attack; FSA7: resilience against device physical capture attack; SFA8: formal security verification using AVISPA tool; FSA9:formal security analysis; FSA10: whether works without involving gateway node during the authentication (access control) phase; FSA11: anonymitypreservation; FSA11: ESL attack under the CK-adversary model.X: “a scheme is secure or it supports a functionality feature”; ×: “a scheme is insecure or it does not support a functionality feature”.

hashing algorithm [50] is applied) is 160 bits and timestamp is32 bits. Furthermore, it is also assumed that an elliptic curvepoint P = (Px, Py), with Px and Py denoting the x and y co-ordinates, respectively, takes (160 +160) = 320 bits assumingthat “160-bit ECC security remains same as that for an 1024-bit RSA public key cryptosystem [54]”. In addition, we assumethat a message size is 1024 bits in [18], [20].

In the proposed DACS-IoT, two exchanged messagesmsg1 = {certdevi

, sigdevi , TSi, Ri, Kdevi} and msg2 ={certdevj , sigdevj , TSj , Rj , Kdevj , SKVij} between two IoTsmart devices SDi and SDj need the communication costs as|MSG1| = (160 + 160 + 32 + 320 + 320) = 992 bits and|MSG2| = (160 + 160 + 32 + 320 + 320 + 160) = 1152bits, respectively. As a result, the total communication cost re-quired for DACS-IoT becomes

∑2i=1 |MSGi| = (992+1152)

= 2144 bits.Table IV tabulates the “comparison of communication

costs” for the proposed DACS-IoT and other schemes. Thetotal communication costs needed for the schemes of Luo et al.[20], Li et al. [18], Zhou et al. [39], Huang [45], and Kim andLee [44] are 3040 bits, 3488 bits, 4608 bits, 1920 bits and 1920bits, respectively. DACS-IoT demands less communicationcost as compared to other schemes, such as the schemes ofLuo et al. [20], Li et al. [18] and Zhou et al. [39]. Thoughthe schemes [44], [45] demand less communication costs ascompared to DACS-IoT, they fail to preserve or support several“security and functionality attributes” as mentioned in TableIII while those are compared with DACS-IoT including theSK-security under the CK-adversary model and anonymityproperty.

TABLE IVCOMPARISON OF COMMUNICATION COSTS

Protocol No. of messages Total cost (in bits)DACS-IoT 2 2144Luo et al. [20] 2 3040Li et al. [18] 2 3488Zhou et al. [39] 5 4608Huang [45] 4 1920Kim-Lee [44] 4 1920

C. Computation Costs Comparison

To evaluate the “computation costs comparison amongthe proposed DACS-IoT and other schemes”, the followingsymbols are used: Th to denote the “time needed to executea one-way cryptographic hash function”, Tecm to denotethe “time needed to execute an elliptic curve point (scalar)multiplication”, Teca to denote the “time needed to executean elliptic curve point addition”, Tece to denote the “timeneeded to execute an ECC encryption”, Tecd to denote the“time needed to execute an ECC decryption”, and Tme todenote “time needed to execute a modular exponentiationoperation in Z∗p”. Note that Tece = 2Tecm + Teca and Tecd =2Tecm + Teca. During the device access control phase ofthe proposed DACS-IoT, the device SDi needs 6Tecm + 7Th+2Teca computation cost, whereas its neighbor device SDj

also requires 6Tecm + 8Th +2Teca computation cost. Thus,the average computation cost needed for an IoT smart devicefor node authentication and also establishment of secret keywith one of its neighbor devices is 6Tecm + 7.5Th + 2Teca.

TABLE VCOMPARISON OF COMPUTATION COSTS

Protocol Smart (sensing) Total cost Total rough costdevice cost (in milliseconds)

DACS-IoT 6Tecm + 7Th/8Th 6Tecm + 7Th/8Th 81.012+2Teca +2Teca

Luo et al. [20] Tbp + Th 3Tecm + 4Tbp+ 173.6214Th + Teca + Tme

Li et al. [18] Tbp + Th 3Tecm + 5Tbp+ 204.0542Th + 2Teca

Zhou et al. [39] 3Tecm + Th 3Tecm + Th 94.053+2Tece/Tecd +2Tece/Tecd

Huang [45] 2Tecm + 4Th 2Tecm + 4Th 27.034

Kim-Lee [44] 2Tecm + 9Th 2Tecm + 9Th 27.314

In order to have “rough estimation of computation time (inmilliseconds)”, we utilize the experimental results based theuser’s device in [55] as Tecm ≈ 13.405 ms, Teca ≈ 0.081 ms,Th ≈ 0.056 ms, Tbp ≈ 32.713 ms, and Tme ≈ 2.249 ms. In



11

the proposed DACS-IoT, a smart device’s average computationtime becomes 6Tecm + 7.5Th + 2Teca ≈ 81.012 ms.

Table V shows the “comparative study on computationcosts and also rough estimated time in milliseconds” for theproposed DACS-IoT and other schemes. DACS-IoT needsless computation cost as compared with other schemes [18],[20], [39]. On the other hand, though the schemes [44], [45]require less computation cost as compared to DACS-IoT, theseschemes fail to preserve or support several “security andfunctionality attributes” as mentioned in Table III while thoseare compared with DACS-IoT including the SK-security underthe CK-adversary model and anonymity property.

VII. CONCLUDING REMARKS

In this article, we presented a novel lightweight deviceaccess control mechanism in IoT environment to preventmalicious smart devices, which can be directly deployed inthe network or they can be old devices manipulated by anadversary, from participating in IoT environment. The pro-posed scheme (DACS-IoT) utilizes certificates that are loadedinto the smart devices prior to their deployment in the IoTenvironment. The certificates for smart devices are solelycreated by the trusted GWN ’s private key only. DACS-IoTis secure against various attacks, such as “replay, man-in-the-middle, device impersonation, malicious device deployment,device physical capture and ESL attacks” that are shownthrough formal security using ROR model, informal and for-mal security verification tool, known as AVISPA. In addition,the SK-security and anonymity property are only maintainedin DACS-IoT, whereas other considered existing approachesdo not fulfill these requirements (see Table III). Moreover, acomprehensive comparative study among DACS-IoT and otherexisting schemes reveals that a better trade-off among security& functionality attributes, communication and computationcosts is achieved in DACS-IoT as compared to those factors inother schemes (see Tables III–V). Hence, DACS-IoT is veryadoptable for the resource-constrained IoT smart devices thatare limited in power, bandwidth and computational capacities.Finally, we plan to implement DACS-IoT in a real-worldenvironment using testbed experiments, which remains one ofour future research agendas.

ACKNOWLEDGMENTS

The authors would like to thank the anonymous reviewersand the Associate Editor for their valuable feedback on thepaper which helped us to improve its quality as well aspresentation.

REFERENCES

[1] A. Al-Fuqaha, M. Guizani, M. Mohammadi, M. Aledhari, andM. Ayyash, “Internet of Things: A Survey on Enabling Technologies,Protocols, and Applications,” IEEE Communications Surveys Tutorials,vol. 17, no. 4, pp. 2347–2376, 2015.

[2] J. Gubbi, R. Buyya, S. Marusic, and M. Palaniswami, “Internet of Things(IoT): A vision, architectural elements, and future directions,” FutureGeneration Computer Systems, vol. 29, no. 7, pp. 1645–1660, 2013.

[3] J. Granjal, E. Monteiro, and J. S. Silva, “Security for the Internet ofThings: A Survey of Existing Protocols and Open Research Issues,”IEEE Communications Surveys Tutorials, vol. 17, no. 3, pp. 1294–1312,2015.

[4] W. Quan, N. Cheng, M. Qin, H. Zhang, H. A. Chan, andX. Shen, “Adaptive Transmission Control for Software Defined Vehic-ular Networks,” IEEE Wireless Communications Letters, 2018, DOI:10.1109/LWC.2018.2879514.

[5] W. Quan, Y. Liu, H. Zhang, and S. Yu, “Enhancing Crowd Collabora-tions for Software Defined Vehicular Networks,” IEEE CommunicationsMagazine, vol. 55, no. 8, pp. 80–86, 2017.

[6] N. Cheng, F. Lyu, J. Chen, W. Xu, H. Zhou, S. Zhang, and X. S. Shen,“Big Data Driven Vehicular Networks,” IEEE Network, vol. 32, no. 6,2018.

[7] J. Ni, K. Zhang, X. Lin, and X. S. Shen, “Securing Fog Computingfor Internet of Things Applications: Challenges and Solutions,” IEEECommunications Surveys Tutorials, vol. 20, no. 1, pp. 601–628, 2018.

[8] D. Evans, “The Internet of Things: How the next evolution of the Internetis changing everything,” 2011, Cisco, San Jose, CA, USA, White Paper.

[9] J. Camhi, “Former Cisco CEO John Chambers Predicts 500 BillionConnected Devices by 2025,” 2015, Bus. Insider, New York, NY, USA.

[10] “Cisco Global Cloud Index: Forecast and Methodology,” 2014,20142019, Cisco, San Jose, CA, USA, White Paper.

[11] C. MacGillivray et al., “IDC FutureScape: Worldwide Internet ofThings 2017 Predictions,” 2016, Document US40755816, IDC Fu-tureScape,Framingham, MA, USA.

[12] A. K. Das, S. Zeadally, and D. He, “Taxonomy and analysis of securityprotocols for Internet of Things,” Future Generation Comp. Syst.,vol. 89, pp. 110–125, 2018.

[13] L. Eschenauer and V. D. Gligor, “A Key Management Scheme forDistributed Sensor Networks,” in 9th ACM Conference on Computerand Communication Security (CCS’02), Washington, DC, USA, 2002,pp. 41–47.

[14] A. K. Das, “A random key establishment scheme for multi-phasedeployment in large-scale distributed sensor networks,” InternationalJournal of Information Security, vol. 11, no. 3, pp. 189–211, 2012.

[15] I. C. Tsai, C. M. Yu, H. Yokota, and S. Y. Kuo, “Key Management inInternet of Things via Kronecker Product,” in 22nd Pacific Rim Interna-tional Symposium on Dependable Computing (PRDC’17), Christchurch,New Zealand, 2017, pp. 118–124.

[16] S. Challa, M. Wazid, A. K. Das, N. Kumar, A. G. Reddy, E. J. Yoon, andK. Y. Yoo, “Secure Signature-Based Authenticated Key EstablishmentScheme for Future IoT Applications,” IEEE Access, vol. 5, pp. 3028–3043, 2017.

[17] P. Porambage, A. Braeken, C. Schmitt, A. Gurtov, M. Ylianttila, andB. Stiller, “Group Key Establishment for Enabling Secure MulticastCommunication in Wireless Sensor Networks Deployed for IoT Ap-plications,” IEEE Access, vol. 3, pp. 1503–1511, 2015.

[18] F. Li, Y. Han, and C. Jin, “Practical access control for sensor networksin the context of the Internet of Things,” Computer Communications,vol. 89-90, pp. 154–164, 2016.

[19] A. Braeken, P. Porambage, M. Stojmenovic, and L. Lambrinos,“eDAAAS: Efficient distributed anonymous authentication and accessin smart homes,” International Journal of Distributed Sensor Networks,vol. 12, no. 12, pp. 1–11, 2016.

[20] M. Luo, Y. Luo, Y. Wan, and Z. Wang, “Secure and efficient accesscontrol scheme for wireless sensor networks in the cross-domain contextof the IoT,” Security and Communication Networks, vol. 2018, pp.1–10, 2018. [Online]. Available: https://doi.org/10.1155/2018/6140978

[21] X. H. Le, S. Lee, I. Butun, M. Khalid, R. Sankar, M. Kim, M. Han,Y.-K. Lee, and H. Lee, “An Energy-Efficient Access Control Schemefor Wireless Sensor Networks based on Elliptic Curve Cryptography,”Journal of Communications and Networks, vol. 11, no. 6, pp. 599–606,2009.

[22] D. He, J. Bu, S. Zhu, S. Chan, and C. Chen, “Distributed Access Controlwith Privacy Support in Wireless Sensor Networks,” IEEE Transactionson Wirless Communications, vol. 10, no. 10, pp. 3473–3481, 2011.

[23] T. Song, R. Li, B. Mei, J. Yu, X. Xing, and X. Cheng, “A PrivacyPreserving Communication Protocol for IoT Applications in SmartHomes,” IEEE Internet of Things Journal, vol. 4, no. 6, 2017.

[24] J. B. Bernabe, J. L. Hernandez-Ramos, and A. F. S. Gomez, “HolisticPrivacy-Preserving Identity Management System for the Internet ofThings,” Mobile Information Systems, vol. 2017, pp. 1–20, 2017, ArticleID 6384186, DOI: 10.1155/2017/6384186.

[25] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, “Designof Secure User Authenticated Key Management Protocol for Generic IoTNetworks,” IEEE Internet of Things Journal, vol. 5, no. 1, pp. 269–282,Feb 2018.

[26] M. Wazid, A. K. Das, R. Hussain, G. Succi, and J. J. Rodrigues,“Authentication in cloud-driven IoT-based big data environment:



https://doi.org/10.1155/2018/6140978

12

Survey and outlook,” Journal of Systems Architecture, 2018. [Online].Available: https://doi.org/10.1016/j.sysarc.2018.12.005

[27] D. Dolev and A. C. Yao, “On the security of public key protocols,”IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208,1983.

[28] P. Kocher, J. Jaffe, and B. Jun, “Differential Power Analysis,” inProceedings of 19th Annual International Cryptology Conference(CRYPTO’99), LNCS, vol. 1666, Santa Barbara, California, USA, 1999,pp. 388–397.

[29] T. S. Messerges, E. A. Dabbish, and R. H. Sloan, “Examining smart-cardsecurity under the threat of power analysis attacks,” IEEE Transactionson Computers, vol. 51, no. 5, pp. 541–552, 2002.

[30] R. Canetti and H. Krawczyk, “Universally Composable Notions of KeyExchange and Secure Channels,” in International Conference on theTheory and Applications of Cryptographic Techniques– Advances inCryptology (EUROCRYPT’02), Amsterdam, The Netherlands, 2002, pp.337–351.

[31] J. Srinivas, A. K. Das, N. Kumar, and J. P. C. Rodrigues, “CloudCentric Authentication for Wearable Healthcare Monitoring System,”IEEE Transactions on Dependable and Secure Computing, 2018, doi:10.1109/TDSC.2018.2828306.

[32] A. K. Das, M. Wazid, N. Kumar, A. V. Vasilakos, and J. J. P. C.Rodrigues, “Biometrics-Based Privacy-Preserving User AuthenticationScheme for Cloud-Based Industrial Internet of Things Deployment,”IEEE Internet of Things Journal, vol. 5, no. 6, pp. 4900–4913, 2018.

[33] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, “Designof secure user authenticated key management protocol for generic IoTnetworks,” IEEE Internet of Things Journal, vol. 5, no. 1, pp. 269–282,2018.

[34] M. Abdalla, P. Fouque, and D. Pointcheval, “Password-based authenti-cated key exchange in the three-party setting,” in Public Key Cryptog-raphy (PKC’05), Lecture Notes in Computer Science, vol. 3386. LesDiablerets, Switzerland: Springer, Berlin, Heidelberg, 2005, pp. 65–84.

[35] AVISPA, “Automated Validation of Internet Security Protocols andApplications,” 2019, accessed on March 2019. [Online]. Available:http://www.avispa-project.org/

[36] S. M. R. Islam, D. Kwak, M. H. Kabir, M. Hossain, and K. Kwak,“The Internet of Things for Health Care: A Comprehensive Survey,”IEEE Access, vol. 3, pp. 678–708, 2015.

[37] A. Mosenia and N. K. Jha, “A Comprehensive Study of Security ofInternet-of-Things,” IEEE Transactions on Emerging Topics in Comput-ing, vol. 5, no. 4, pp. 586–602, 2017.

[38] Y. Yang, L. Wu, G. Yin, L. Li, and H. Zhao, “A Survey on Security andPrivacy Issues in Internet-of-Things,” IEEE Internet of Things Journal,vol. 4, no. 5, pp. 1250–1258, 2017.

[39] Y. Zhou, Y. Zhang, and Y. Fang, “Access control in wireless sensornetworks,” Ad Hoc Networks, vol. 5, pp. 3–13, 2007.

[40] H. F. Huang, “A New Design of Access Control in Wireless SensorNetworks,” International Journal of Distributed Sensor Networks, vol.2011, 2011, article ID 412146, 7 pages, DOI: 10.1155/2011/412146.

[41] C. P. Schnorr, “Efficient signature generation by smart cards,” Journalof Cryptology, vol. 4, no. 3, pp. 161–174, 1991.

[42] S. Chatterjee, A. K. Das, and J. K. Sing, “An Enhanced Access ControlScheme in Wireless Sensor Networks,” Ad Hoc & Sensor WirelessNetworks, vol. 21, no. 1-2, pp. 121–149, 2014.

[43] H. F. Huang and K. C. Liu, “A New Dynamic Access Control in WirelessSensor Networks,” in IEEE Asia-Pacific Services Computing Conference(APSCC’08), Yilan, Taiwan, 2008, pp. 901–906.

[44] H. S. Kim and S. W. Lee, “Enhanced novel access control protocol overwireless sensor networks,” IEEE Transactions on Consumer Electronics,vol. 55, no. 2, pp. 492–498, 2009.

[45] H. F. Huang, “A novel access control protocol for secure sensornetworks,” Computer Standards & Interfaces, vol. 31, pp. 272–276,2009.

[46] P. Zeng, K.-K. Choo, and D.-Z. Sun, “On the Security of an EnhancedNovel Access Control Protocol for Wireless Sensor Networks,” IEEETransactions on Consumer Electronics, vol. 56, no. 2, pp. 566–569,2010.

[47] M. Wazid, A. K. Das, V. Odelu, N. Kumar, and W. Susilo, “SecureRemote User Authenticated Key Establishment Protocol for SmartHome Environment,” IEEE Transactions on Dependable and SecureComputing, 2018, DOI: 10.1109/TDSC.2017.2764083.

[48] C.-C. Chang and H.-D. Le, “A provably secure, efficient, and flexibleauthentication scheme for ad hoc wireless sensor networks,” IEEETransactions on Wireless Communications, vol. 15, no. 1, pp. 357–366,2016.

[49] M. Wazid, A. K. Das, N. Kumar, A. V. Vasilakos, and J. J.P. C. Rodrigues, “Design and Analysis of Secure Lightweight Re-mote User Authentication and Key Agreement Scheme in Internet ofDrones Deployment,” IEEE Internet of Things Journal, 2018, DOI:10.1109/JIOT.2018.2888821.

[50] “Secure Hash Standard,” FIPS PUB 180-1, National Institute ofStandards and Technology (NIST), U.S. Department of Commerce,April 1995. Accessed on January 2019. [Online]. Available: http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

[51] Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai, “Cryptographyfrom Anonymity,” in 47th Annual IEEE Symposium on Foundations ofComputer Science (FOCS’06), Berkeley, CA, USA, 2006, pp. 239–248.

[52] D. von Oheimb, “The high-level protocol specification language hlpsldeveloped in the eu project avispa,” in Proceedings of 3rd APPSEMII (Applied Semantics II) Workshop (APPSEM’05), Frauenchiemsee,Germany, 2005, pp. 1–17.

[53] AVISPA, “SPAN, the Security Protocol ANimator for AVISPA,”2019, accessed on March 2019. [Online]. Available: http://www.avispa-project.org/

[54] E. Barker, “Recommendation for Key Management,” Special Publication800-57 Part 1 Rev. 4, NIST, 01/2016. Accessed on May 2018.

[55] L. Wu, J. Wang, K. K. R. Choo, and D. He, “Secure Key Agreementand Key Protection for Mobile Device User Authentication,” IEEETransactions on Information Forensics and Security, vol. 14, no. 2, pp.319–330, 2019.

Saurav Malani is currently an MS (dual) degreestudent in computer science and engineering at theCenter for Security, Theory and Algorithmic Re-search, International Institute of Information Tech-nology (IIIT), Hyderabad, India. His research inter-ests are cryptography and network security includingInternet of Things security.

Jangirala Srinivas completed his Bachelor of Sci-ence in 2003 from Kakatiya University, India, theMaster of Science degree from Kakatiya Universityin 2008, the Master of Technology degree fromIIT Kharagpur in 2011, and then his PhD degreefrom the Department of Mathematics, IIT Kharagpurin 2017. He is currently working as an assistantprofessor with the Jindal Global Business School,O. P. Jindal Global University, Haryana, India. Priorto that he worked as a research assistant with theCenter for Security, Theory and Algorithmic Re-

search, IIIT Hyderabad, India. His research interests include authenticationprotocols, information security, digital rights management, cloud computingand management of information technology. He has authored 16 papers ininternational journals and conferences in his research areas.

Ashok Kumar Das (M’17–SM’18) received thePh.D. degree in computer science and engineering,the M.Tech. degree in computer science and dataprocessing, and the M.Sc. degree in mathematicsfrom IIT Kharagpur, India. He is currently an Asso-ciate Professor with the Center for Security, Theoryand Algorithmic Research, IIIT Hyderabad, India.His current research interests include cryptographyand network security. He has authored over 195papers in international journals and conferences inthe above areas, including more than 170 reputed

journal papers. Some of his research findings are published in top citedjournals, such as the IEEE Transactions on Information Forensics and Security,IEEE Transactions on Dependable and Secure Computing, IEEE Transactionson Smart Grid, IEEE Internet of Things Journal, IEEE Transactions onIndustrial Informatics, IEEE Transactions on Vehicular Technology, IEEETransactions on Consumer Electronics, IEEE Journal of Biomedical andHealth Informatics, IEEE Consumer Electronics Magazine, IEEE Access andIEEE Communications Magazine. He was a recipient of the Institute SilverMedal from IIT Kharagpur.



https://doi.org/10.1016/j.sysarc.2018.12.005

http://www.avispa-project.org/

http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf

http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf



13

Kannan Srinathan is currently an assistant pro-fessor at the Center for Security, Theory and Al-gorithmic Research, IIIT Hyderabad, India. He didhis Ph.D. and M.S. from Indian Institute of Tech-nology, Madras, India. His research interests arecryptography, quantum algorithms and all aspects oftheoretical computer science. He has authored over120 papers in international journals and conferencesin the above areas.

Minho Jo (M’07, SM’16) is now a Professor inthe Department of Computer Convergence Software,Korea University, Sejong Metropolitan City, S. Ko-rea. He received his BA in the Dept. of IndustrialEngineering, Chosun Univ., S. Korea in 1984, andhis Ph.D. in the Dept. of Industrial and SystemsEngineering, Lehigh University, USA, in 1994, re-spectively. Prof. Jo is the recipient of the IET BestPaper Premium Award 2018. He was awarded withHeadong Outstanding Scholar Prize 2011. He is oneof founders of Samsung Electronics LCD Division.

He is the Founder and Editor-in-Chief of the KSII Transactions on Internetand Information Systems (SCI and SCOPUS indexed). He is currently anEditor of IEEE Wireless Communications, Associate Editor of IEEE Internetof Things Journal, an Associate Editor of IEEE Access, an Associate Editor ofSecurity and Communication Networks, and an Associate Editor of WirelessCommunications and Mobile Computing, respectively. He is now the VicePresident of the Institute of Electronics and Information Engineers (IEIE),and was Vice President of the Korea Information Processing Society (KIPS).Areas of his current interests include IoT, AI and big data, blockchain,LTE-Unlicensed, network security, machine learning in IoT, HetNets in 5G,cloud/edge computing, wireless energy harvesting, and optimization andprobability in networks.



Documents

Certiﬁcate-Based Anonymous Device Access Control Scheme for IoT …iot.korea.ac.kr/file/ProfMinhojo/61. DownloadCompleted.pdf · 2019-08-21 · distributed pollution monitoring,