A Secure and Anonymous User Authentication Scheme for IoT-Enabled Smart Home Environments Using PUF

With the continuous development of Internet of Things (IoT) technology, research on smart home environments is being conducted by many researchers. In smart home environments, home users can remotely access and control a variety of home devices such as smart curtains, lights, and speakers placed throughout the house. Despite providing convenient services, including home monitoring, temperature management, and daily work assistance, smart homes can be vulnerable to malicious attacks because all messages are transmitted over insecure channels. Moreover, home devices can be a target for device capture attacks since they are placed in physically accessible locations. Therefore, a secure authentication and key agreement scheme is required to prevent such security problems. In 2021, Zou et al. proposed a two-factor-based authentication and key agreement scheme using elliptic curve cryptography (ECC) in smart home environments. They claimed that their scheme provides user anonymity and forward secrecy. However, we prove that their scheme suffers from forgery, ephemeral secret leakage, and session key disclosure attacks. To overcome the security vulnerabilities of Zou et al.'s scheme and provide home users with secure communication in smart home environments, we propose a secure user authentication scheme using physical unclonable functions (PUF). We utilize Real-or-Random (ROR) model and Burrows-Abadi-Needham (BAN) logic to verify the session key security and mutual authentication of the proposed scheme, respectively. Furthermore, we use the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to simulate the resistance of our scheme to security attacks. After that, we analyze and compare the communication costs, computational consumption, and security functionalities along with related schemes.