Two-Layered Multi-Factor Authentication Using Decentralized Blockchain in an IoT Environment
Figure 1. Flow chart for the proposed work.
Figure 2. The designed 2L-MFA system.
Figure 3. Matrix-based password panel: (a) intersection point ‘I’; (b) intersection point ‘o’; (c) intersection point ‘T’.
Figure 4. Workflow of proposed 2L-MFA.
Figure 5. Pipeline structure of the proposed 2L-MFA.
Figure 6. Comparison of registration time, authentication time, and login time.
Figure 7. Comparison of authentication success rate.
Abstract
1. Introduction
- The 2L-MFA scheme, built on blockchain technology, protects IoT devices and cloud-stored data. Beyond authentication, IoT data are secured using a lightweight elliptic curve Diffie–Hellman key exchange. Data management begins with the registration of IoT devices and users in the cloud. Logging onto the cloud authenticates users, and only approved IoT devices may upload data to the cloud. The first tier authenticates an IoT device by its identification, secret key, location, and SRAM PUF. The blockchain verifies the entities in the system, using the lightweight Proof of Authentication (PoAh) consensus.
- Second-tier IoT user authentication consists of four single-factor sublevels. Level 1 verifies identity and password via matrix-based password enrolment. Level 2 uses signatures, whereas levels 3 and 4 use biometrics. At level 3, XOR operations derive a binary key from iris biometric data. Level 4 authenticates the finger vein together with the biometric binary key; finger vein matching is based on pixel differences.
- IoT user authentication is checked using fuzzy logic. If a user is judged suspicious, that user’s next authentication is strengthened at level 2 with a challenge–response step. The proposed 2L-MFA in the cloud with blockchain is assessed for registration time, login time, authentication time, and success rate.
2. Related Works
3. Problem Statement
- Authentication challenge: A specific issue with key updates arises when physical unclonable functions (PUFs) are used in security systems. PUF-derived keys are difficult to update compared to traditional cryptographic keys. This intrinsic rigidity is a serious security risk, especially when key exposure to potential threats is considered.
- Insecure aggregation process: The aggregation process’s security and robustness are critical. Aggregation using trustworthy execution environments based on SGX is a step in the right direction. Nonetheless, ensuring the aggregation process’s total security and privacy continues to be a difficult and varied task.
- Insecure aggregating process: The security and resilience of the aggregating process are crucial. A positive step is an aggregation using reliable SGX-based execution environments. However, guaranteeing complete security and privacy of the aggregation process remains a challenging and multifaceted undertaking.
- Offers robust security: Employs multiple authentication factors beyond passwords, significantly reducing the risk of unauthorized access.
- Preserves user privacy: Minimises data collection and processing, protects user anonymity, and adheres to strict privacy regulations.
- Accommodates resource constraints: Considers many IoT devices’ limited processing power and storage capabilities.
- Ensures usability and seamless user experience: Offers convenient and user-friendly authentication methods that do not significantly impede legitimate access.
4. Proposed System
4.1. 2L-MFA System Model
4.2. First Layer Authentication
4.2.1. Phase 1: IoT Device Registration
- The IoT device registers with and the device type t, and computes the secret key . The determined and are sent to the cloud via a secure channel.
- Once the cloud receives , it requests the location information of . denotes a random number. Then, computes its own location and sends it back as .
- Upon receiving the location information, the cloud manages .
- Then, the PUF key is generated from a pair of public and private keys, and . These keys are asymmetric and in this work, is stored in the ledger required for authentication. The SRAM-PUF constructs a data structure as . In this structure, is the encrypted biometric of the device, stands for attributes, and is the hash of the public key.
- Then, is signed with and gives . Thereby, this signed data structure is submitted.
4.2.2. Phase 2: IoT Device Authentication
- The IoT device collects information and sends it to the cloud for storage. Initially, the device generates an authentication request with the timestamp .
- Upon receiving the authentication request , the blockchain begins to authenticate by verifying the time interval . Here, and are the current and estimated timestamps for a particular transmission, respectively. If the timestamp condition fails, the authentication request is dropped; otherwise, it proceeds. Next, the validity of is checked, determined, and sent to .
- After receiving , checks the timestamp condition . If this condition is satisfied, the process proceeds. Device checks the received and computes , then sends .
- The blockchain, upon receiving , first verifies the timestamp and then extracts it for authenticating the location information. If the location information is valid, a message for is sent, including .
- Upon receiving the valid authenticated factors of the secret key and location, the final authentication of the IoT device with PUF is performed. The device reconstructs the noisy PUF along with fresh device keys. The corresponding encrypted is then extracted from the ledger. After computation, sends via a secure channel.
- Upon receiving the last security factor from the device, authentication is performed by validating with respect to the blockchain ledger. If the security factor matches, the device is authenticated and allowed to store data in the cloud; otherwise, access is denied.
4.2.3. Phase 3: Data Storage
Algorithm 1: Elliptic Curve Diffie–Hellman
1. Begin
2. Initialize authenticated IoT devices
3. computes and determines
4. sends to CS
5. CS computes and determines
6. CS sends to
7. If ( ) is valid { Storage access granted; goto step 9 } else { Re-establish key exchange } end if
8. Encrypt the data and transmit via secure channel
9. End
4.3. Second Layer Authentication
4.3.1. Phase 1: IoT User Registration
- Let be the user whose identity and password are chosen by oneself as and , respectively. These are the two basic constraints that are initiated for registration. computes and sends it to the cloud via a secure channel.
- Upon receiving , the cloud server (CS) creates a block and then collects other factors from .
- Then, submits by computing from ECDSA, from iris, and from finger vein. computes and sends it to CS.
- After receiving all four factors from , they are uploaded into the blockchain, and further, the IoT user transactions are recorded and authenticated by the blockchain.
- Lastly, a successfully registered message is delivered to the IoT user, and further authentication is performed in the next phase.
4.3.2. Phase 2: IoT User Authentication
Level 1
Level 2
- Step 1:
- Let be the private key of user , be the ECC base point, and be the order of the corresponding selected base point. Considering these three security constraints, generates a signature.
- Step 2:
- Select a random integer in that range, then determine . is defined as an integer, and if the estimate , the process restarts with the selection of a different random number.
- Step 3:
- Compute and then calculate , and then transform this into an integer .
- Step 4:
- Determine . In the case where the computed signature is 00, then go to step 1. The generated signature is sent to the blockchain for authentication.
- Step 5:
- If the signature from user and the previously registered signature is validated and is original, the user authentication is taken to the next level, or else it is dropped.
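The ECDSA steps of Level 2 and the ECDH exchange of Algorithm 1 rest on the same elliptic-curve point arithmetic, so one added example covers both. This is illustrative code written for this page, not the authors' implementation; it assumes NIST P-192 as the curve (to match the 192-bit ECDSA length in the specification table) and SHA-256 as the hash in Step 3, neither of which the page names.

```python
import hashlib
import secrets

# NIST P-192 (secp192r1) parameters from SEC 2; assumed to match the paper's 192-bit ECDSA. N = order of G.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF
A, B = -3, 0x64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)

def on_curve(pt):
    """y^2 = x^3 + a*x + b (mod p); None represents the point at infinity."""
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - A * pt[0] - B) % P == 0

def point_add(p1, p2):
    """Affine group law, covering identity, inverse and doubling cases."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    acc = None                                        # k * pt by double-and-add (not constant-time)
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def hash_to_int(msg):
    """Step 3: hash the challenge and take its leftmost bitlen(n) bits as an integer."""
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return e >> (256 - N.bit_length())

def sign(d, msg):
    """Steps 1-4: private key d, base point G and order N give (r, s); retry on a zero."""
    e = hash_to_int(msg)
    while True:
        k = 1 + secrets.randbelow(N - 1)          # Step 2: random k in [1, n-1]
        r = scalar_mult(k, G)[0] % N              # x-coordinate of k*G reduced mod n
        s = pow(k, -1, N) * (e + d * r) % N       # Step 4: s = k^-1 (e + d*r) mod n
        if r and s:
            return (r, s)

def verify(Q, msg, sig):
    """Step 5: blockchain-side check of (r, s) against the registered public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    R = point_add(scalar_mult(hash_to_int(msg) * w % N, G), scalar_mult(r * w % N, Q))
    return R is not None and R[0] % N == r

def ecdh_shared_key(own_priv, peer_pub):
    """Algorithm 1: each side multiplies the other's public point by its own secret;
    the common x-coordinate is hashed into the key for the encrypted data channel."""
    return hashlib.sha256(scalar_mult(own_priv, peer_pub)[0].to_bytes(24, "big")).digest()
```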
Level 3
- Step 1:
- Assume the iris data is formed as a binary value. Let the binary matrix be
- Step 2:
- Let the selected pair of rows and columns be and . The corresponding binary values in and are combined with the AND operator; similarly, and are processed in the same way. The processing is expressed as
- Step 3:
- After the individual binary values from and have been estimated, they are combined using the XOR operator to determine the binary key . Lastly, at this level, is computed as follows:
- Step 4:
- The estimated 8-bit key is hashed and sent to the blockchain for authentication. If the is valid, the IoT user proceeds to the final level of authentication.
- Step 5:
- At this level, the computation is simple using bitwise operators, yet it is hard for an intermediate party to determine the key. If the key is leaked, a new binary key can be generated with permitted access from the cloud, and the changed key is then updated in the blockchain.
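The Level 3 row/column AND and XOR steps, as an added illustration rather than the authors' code. The exact combination formula is absent from this page, so the reading below (AND of the two selected rows, AND of the two selected columns, then XOR of the two 8-bit results) is an assumption, and the 8x8 matrix is constructed test data, not real iris bits.

```python
import hashlib

# Constructed 8x8 binary matrix standing in for the iris-derived bits (not real biometric data).
IRIS_MATRIX = [
    [1, 0, 1, 1, 0, 0, 1, 0],
    [1, 1, 0, 1, 0, 1, 1, 0],
    [0, 1, 1, 0, 1, 0, 1, 1],
    [1, 0, 0, 1, 1, 1, 0, 0],
    [0, 0, 1, 1, 0, 1, 0, 1],
    [1, 1, 1, 0, 1, 0, 0, 1],
    [0, 1, 0, 1, 1, 1, 1, 0],
    [1, 0, 1, 0, 0, 1, 1, 1],
]

def derive_binary_key(matrix, rows, cols):
    """Step 2: AND the two selected rows, AND the two selected columns (assumed reading);
    Step 3: XOR the two 8-bit results into the binary key. Returns an int in 0..255."""
    r1, r2 = rows
    c1, c2 = cols
    row_and = [a & b for a, b in zip(matrix[r1], matrix[r2])]
    col_and = [row[c1] & row[c2] for row in matrix]
    key_bits = [a ^ b for a, b in zip(row_and, col_and)]
    return int("".join(str(bit) for bit in key_bits), 2)

def key_commitment(key):
    """Step 4: only a hash of the 8-bit key is sent to the blockchain for comparison."""
    return hashlib.sha256(bytes([key])).hexdigest()

def rekey(matrix, new_rows, new_cols):
    """Step 5: if the key leaks, a different row/column selection yields a fresh key and
    a fresh commitment to update in the ledger (with the cloud's permission)."""
    key = derive_binary_key(matrix, new_rows, new_cols)
    return key, key_commitment(key)
```

An 8-bit key has only 256 possible values, so the hash commitment cannot stand on its own; in the scheme it is one of four factors checked in sequence.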
Level 4
4.3.3. Phase 3: Access Cloud Data
Algorithm 2: Pseudo Code: 2L-MFA
1. Start L1 Authentication                  // Begin Level 1 authentication
2. Initialize d_n                           // IoT devices to be authenticated
3. Rq(d_n) → Blockchain
   If (T_i − T_j < ∆T)                      // Timestamp verification
   {
      If (ID_n = Valid)                     // Authenticating first factor ID
      { Check next factor                   // Verify second factor
      else Drop request }                   // Invalid factor
   else Drop request
   } end if
4. If (T_b − T_j < ∆T)                      // Timestamp verification
   {
      If (S_1 = True)                       // Authenticating second factor secret key
      { Check next factor                   // Verify third factor
      else Drop request }                   // Failed authentication
   else Drop request
   } end if
5. If (L_n(x,y) = True)                     // Authenticating third factor location
   { Check next factor
   else Drop request } end if
6. If (E_{K_F}(B) = True)                   // Authenticating fourth factor PUF
   { Store Encrypted Data                   // lightweight ECC Diffie–Hellman
   else Drop request } end if
7. Stop L1 Authentication                   // Finish level 1 IoT device authentication
8. Start L2 Authentication                  // Begin level 2 authentication
9. Initialize U_N                           // IoT users to be authenticated
10. If (ID_N, PW_N = valid)                 // Authenticating first factor ID, password
    { go to next factor                     // Verify the second factor
    else drop request } end if
11. If ((k, s) = valid)                     // Authenticating second factor signature and CR
    { go to next factor                     // Verify the third factor
    else drop request } end if
12. If (b_KY = True)                        // Authenticating third factor binary key from iris
    { go to next factor                     // Verify fourth factor
    else drop request } end if
13. If (FV = valid)                         // Authenticating fourth factor finger vein
    { Access granted
    else Access denied } end if
14. Stop L2 Authentication                  // Finish level 2 IoT user authentication
5. Result and Discussion
5.1. Performance Analysis and Comparison
5.1.1. Time
5.1.2. Authentication Success Rate
5.1.3. Security Constraints Analysis
5.2. Security Analysis
5.2.1. Forwarding Security
5.2.2. Resistance to Man-in-Middle Attack and Impersonation Attack
5.2.3. Integrity
5.2.4. Confidentiality
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Symbol | Description
---|---
 | IoT device
 | IoT user
 | Device identity
 | User identity
 | Device secret key
 | Location of IoT device
 | PUF key
 | SRAM-PUF-based public key
 | SRAM-PUF-based private key
 | Signature
 | Block identity
 | Block timestamp
Specification | Value |
---|---|
Number of IoT device samples | 100–200 |
Number of IoT users | 10–100 |
User password length | 4–10 characters (letters/digits) |
ECDSA length | 192 bits |
ECC key size | 256 bits |
© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Bamashmos, S.; Chilamkurti, N.; Shahraki, A.S. Two-Layered Multi-Factor Authentication Using Decentralized Blockchain in an IoT Environment. Sensors 2024, 24, 3575. https://doi.org/10.3390/s24113575