Aggregated-Proof Based Hierarchical Authentication Scheme For The Internet of Things

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 26, NO. 3, MARCH 2015

Huansheng Ning, Senior Member, IEEE, Hong Liu, Student Member, IEEE, and
Laurence T. Yang, Member, IEEE

Abstract—The Internet of Things (IoT) is becoming an attractive system paradigm to realize interconnections through the physical,
cyber, and social spaces. During the interactions among the ubiquitous things, security issues become noteworthy, and it is
significant to establish enhanced solutions for security protection. In this work, we focus on an existing U2IoT architecture (i.e., unit
IoT and ubiquitous IoT), to design an aggregated-proof based hierarchical authentication scheme (APHA) for the layered networks.
Concretely, 1) the aggregated-proofs are established for multiple targets to achieve backward and forward anonymous data
transmission; 2) the directed path descriptors, homomorphism functions, and Chebyshev chaotic maps are jointly applied for mutual
authentication; 3) different access authorities are assigned to achieve hierarchical access control. Meanwhile, the BAN logic formal
analysis is performed to prove that the proposed APHA has no obvious security defects, and it is potentially available for the U2IoT
architecture and other IoT applications.

Index Terms—Internet of Things (IoT), authentication protocol, security, U2IoT architecture

• H. Ning is with the School of Computer and Communication Engineering, University of Science and Technology Beijing, Beijing, China, and also with the School of Electronic and Information Engineering, Beihang University, Beijing, China. E-mail: ninghuansheng@ustb.edu.cn.
• H. Liu is with the School of Electronic and Information Engineering, Beihang University, Beijing, China. E-mail: liuhongler@ee.buaa.edu.cn.
• L.T. Yang is with the School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan, HuBei, China, and also with the Department of Computer Science, St. Francis Xavier University, Antigonish, Canada. E-mail: ltyang@stfx.ca.

Manuscript received 30 Oct. 2013; revised 17 Jan. 2014; accepted 28 Feb. 2014. Date of publication 13 Mar. 2014; date of current version 6 Feb. 2015.
Recommended for acceptance by G. Wang.
For information on obtaining reprints of this article, please send e-mail to: reprints@ieee.org, and reference the Digital Object Identifier below.
Digital Object Identifier no. 10.1109/TPDS.2014.2311791
1045-9219 © 2014 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

1 INTRODUCTION

The Internet of Things (IoT) is emerging as an attractive system paradigm to integrate physical perceptions, cyber interactions, and social correlations, in which the physical objects, cyber entities, and social attributes are required to achieve interconnections with the embedded intelligence [1]. During the interconnections, the IoT is suffering from severe security challenges, and there are potential vulnerabilities due to the complicated networks referring to heterogeneous targets, sensors, and backend management systems [2]. It becomes noteworthy to address the security issues for the ubiquitous things in the IoT.

Recent studies have been worked on the general IoT, including system models, service platforms, infrastructure architectures, and standardization. Particularly, a human-society inspired U2IoT architecture (i.e., unit IoT and ubiquitous IoT) is proposed to achieve the physical-cyber-social convergence (as shown in Fig. 1) [3]. In the U2IoT architecture, mankind neural system and social organization framework are introduced to establish the single-application and multi-application IoT frameworks. Multiple unit IoTs compose a local IoT within a region, or an industrial IoT for an industry. The local IoTs and industrial IoTs are covered within a national IoT, and jointly form the ubiquitous IoT.

Towards the IoT security, related works mainly refer to the security architectures and recommended countermeasures [4], [5], [6], [7], [8], secure communication and networking mechanisms [9], [10], [11], [12], [13], cryptography algorithms [14], [15], [16], [17], [18], [19], and application security solutions [20], [21], [22]. Current researches mainly refer to three aspects: system security, network security, and application security.

• System security mainly considers a whole IoT system to identify the unique security and privacy challenges, to design systemic security frameworks, and to provide security measures and guidelines.
• Network security mainly focuses on wireless communication networks (e.g., wireless sensor networks (WSN), radio frequency identification (RFID), and the Internet) to design key distribution algorithms, authentication protocols, advanced signature algorithms, access control mechanisms, and secure routing protocols. Particularly, authentication protocols are popular to address security and privacy issues in the IoT, and should be designed considering the things' heterogeneity and hierarchy.
• Application security serves for IoT applications (e.g., multimedia, smart home, and smart grid), and resolves practical problems with particular scenario requirements.

However, the existing security solutions mainly provide security approaches for a general IoT, and there is little authentication scheme particularly designed for the U2IoT architecture. It becomes necessary to establish an authentication scheme to realize its security protection. In this work, the main purpose is to provide bottom-up
safeguard for the U2IoT architecture to realize secure interactions.

Fig. 1. The U2IoT architecture.

Towards the U2IoT architecture, a reasonable authentication scheme should satisfy the following requirements.

1) Data CIA (i.e., confidentiality, integrity, and availability): The exchanged messages between any two legal entities should be protected against illegal access and modification. The communication channels should be reliable for the legal entities.
2) Hierarchical access control: Diverse access authorities are assigned to different entities to provide hierarchical interactions. An unauthorised entity cannot access data exceeding its permission.
3) Forward security: Attackers cannot correlate any two communication sessions, and also cannot derive the previous interrogations according to the ongoing session.
4) Mutual authentication: The untrusted entities should pass each other's verification so that only the legal entity can access the networks for data acquisition.
5) Privacy preservation: The sensors cannot correlate or disclose an individual target's private information (e.g., location).

Considering above security requirements, we design an aggregated-proof based hierarchical authentication scheme (APHA) for the unit IoT and ubiquitous IoT respectively, and the main contributions are as follows:

1) Aggregated-proofs are established by wrapping multiple targets' messages for anonymous data transmission, which realizes that individual information cannot be revealed during both backward and forward communication channels,
2) Directed path descriptors are defined based on homomorphism functions to establish correlation during the cross-layer interactions. Chebyshev chaotic maps are applied to describe the mapping relationships between the shared secrets and the path descriptors for mutual authentication,
3) Diverse access authorities on the group identifiers and pseudonyms are assigned to different entities for achieving the hierarchical access control through the layered networks.

The remainder of the paper is organized as follows. Section 2 reviews the related work in the IoT security. Section 3 presents the layered system model, and introduces the proposed authentication scheme. Section 4 introduces the BAN logic based formal analysis. Finally, Section 5 draws a conclusion.

2 RELATED WORK
2.1 System Security
Roman et al. [4] pointed out that the traditional security mechanisms may not be competent for the heterogeneous networks, therefore improved mechanisms should be designed according to the IoT infrastructures. Particularly, the authors introduced cryptology based guidance to address the security challenges, referring to the identity management, trust governance frameworks, fault tolerance, cryptography protocol, identity ownership, and privacy preservation.

Lampropoulos and Denazis [5] focused on the identity management in future Internet to analyze the identification and authentication issues in the user-centric, federations, and other orthogonal systems. Furthermore, a distributed dynamic identity mapping, association N' discovery system (DIMANDS) was established to achieve cross-federation service delivery, and to authenticate an unknown entity in a foreign network and online service payment. The proposed DIMANDS can achieve trusted and secure associations in heterogeneous contexts.

Heer et al. [6] considered IP-based IoT, discussed the applicability and limitations of current Internet protocols, and presented a thing lifecycle based security architecture for the IP networks. Thereinto, security architecture, node security model, and security bootstrapping are considered in the security solution. Moreover, the authors pointed that the security protocols should fully consider the resource-constrained heterogeneous communication environments. Meca et al. [7] proposed a security architecture based on the host identity protocol (HIP) and multimedia Internet keying protocols to enhance secure network association and key management.

Ning et al. [8] addressed the cyber-entity security to present the recommended security approaches according to a cyber-entity's activity cycle, and further established a secure interaction solution for three scenarios (i.e., secure data access interaction, privacy-preserving data sharing interaction, and secure access authority transfer interaction).

2.2 Network Security
Hancke et al. [9] identified the security challenges for the user-oriented RFID systems in the IoT, and the major challenges (e.g., privacy, ownership, data integrity, application integrity, and security standardization) should be enhanced to achieve universal security. Yan and Wen [10] applied a mobile RFID security protocol to guarantee the mobile RFID networks, and a trust third party (TTP) based key management protocol is introduced to construct a secure session key. Toumi et al. [11] focused on the integration of RFID tags into IP networks, and proposed a HIP address translation scheme. The scheme provides address translation services between the tag identifiers and IP addresses, which presents a prototype of the cross-layer IoT networks. Chang and Chen [12] reviewed the trust-based mechanisms (e.g., cryptographic, and authentication) in WSNs. Raza et al. [13] presented Lithe, which is an integration of datagram transport layer security (DTLS) and constrained application protocol (CoAP) to protect the transmission of sensitive information in the IoT.
Yao et al. [14] revised Nyberg's fast one-way accumulator to design a message authentication code (MAC) based multicast authentication mechanism for small-scale IoT applications. Roman et al. [15] considered WSNs to provide key management mechanisms to allow that two remote devices can negotiate certain security certificates (e.g., shared keys, Blom key pairs, and polynomial shares). The authors analyzed the applicability of existing mechanisms, including public key infrastructure (PKI) and pre-shared keys for sensor nodes in IoT contexts. Ren and Ma [16] proposed an attribute-based access control model according to bilinear mappings. The scheme realizes anonymous access, and minimizes the number of the exchanged messages in the open channels. Chen et al. [17] proposed a fuzzy reputation based trust management model (TRM-IoT) to enforce the entities' cooperation and interconnection. Wang et al. [18] proposed an anonymous authentication protocol, and applied the pseudonym and threshold secret sharing mechanism to achieve the tradeoff between anonymity and certification. Zhao et al. [19] proposed a mutual authentication scheme, which is designed based on the feature extraction, secure hash algorithm (SHA), and elliptic curve cryptography (ECC). Thereinto, asymmetric authentication scheme is established without compromising computation cost and communication overhead.

2.3 Application Security
Zhou and Chao [20] established a media-aware traffic security architecture for the IoT, and the architecture is based on the current traffic classification to enable the heterogeneous multimedia services becoming available in real-time mode. Concretely, key management, batch rekeying, authentication, watermarking, and distributed secret sharing are introduced into the security architecture.

Li et al. [21] established a smart community model for IoT applications, and a cyber-physical system with the networked smart homes was introduced with security considerations. Filtering false network traffic and avoiding unreliable home gateways are suggested for safeguard. Meanwhile, the security challenges are discussed, including the cooperative authentication, unreliable node detection, target tracking, and intrusion detection.

Sridhar et al. [22] analyzed cyber infrastructure security in the smart grid. A layered security scheme was established to evaluate security risks for the power applications. The authors highlighted power generation, transmission, distribution control and security, and introduced encryption, authentication, and access control to achieve secure communications. Furthermore, digital forensics, security incident and event management are applied for management, and cyber-security evaluation and intrusion tolerance are also considered.

3 THE AUTHENTICATION SCHEME: APHA
3.1 System Initialization
In the U2IoT architecture, the unit IoT refers to a basic network unit for a single application, and the ubiquitous IoT includes multiple applications within the centralized national management [3]. Here, we consider an industry-oriented scenario, in which multiple industrial IoTs manage the corresponding unit IoTs in diverse industries (e.g., smart grid). Meanwhile, the industrial IoTs are under the jurisdiction of a national IoT to realize interconnections. In the system model, there are heterogeneous sensors ($S$) and targets ($T$), which are various according to different scenarios. Multiple unit data centers ($DC$) are under a particular industrial IoT's jurisdiction, and industrial data centers ($iDC$) have relatively independent authorities on a certain $DC$. Meanwhile, the trusted national data center ($nDC$) is introduced to manage multiple $iDC$s.

Here, we consider $\{T_j, S_b, DC_a\}$ ($j = \{1, \ldots, J\}$) in the unit IoT, and $\{DC_a, iDC, nDC\}$ in the ubiquitous IoT. Each entity stores its assigned group identifiers and pseudonyms, as shown in Table 1. Meanwhile, the directed path descriptors are introduced as authentication operators, and owned by the subscript labeled entity to point to the superscript labeled entity. It means that $p_y^x$ is owned by $E_y$, and represents the path descriptor pointing from $E_y$ to $E_x$. The detailed notations are introduced in Table 2.

TABLE 1. The Shared Secrets Distribution

TABLE 2. Notations

The APHA is designed based on two main cryptographic primitives: a homomorphism function $\mathcal{F}(\cdot)$, and Chebyshev polynomials $\mathcal{T}_l(\cdot)$.

• Towards the homomorphism function.
According to Fermat's Little theorem: If $q$ is a prime number, and $x$ is not a multiple of $q$, thus $x^{q-1} \equiv 1 \bmod q$.
A homomorphism encryption algorithm can be designed as follows [23].

1) Choose two large prime numbers $p$ and $q$, and let $n = pq$, in which $n$ is a public number, and $p$ and $q$ are private numbers.
2) A real number $x$ is in a plaintext with the effective decimal digits $d$ for $g_1(x) = 10^d x$. Here, $|g_1(x)| \le (p-1)/2$, and $g_2(g_1(x)) \in Z_p$. Define a homomorphism function $\mathcal{F}$: $\mathcal{F}(x) = g_2(g_1(x))^{k(p-1)+1} \bmod n = C$.
3) The inverse operation $\mathcal{F}^{-1}(\cdot)$ satisfies that: $\mathcal{F}^{-1}(\mathcal{F}(x)) = g_2^{-1}(c \bmod p)/10^d = x$.

For $\{x, y\} \in R$ and $\{g_1(x), g_1(y)\} \le (p-1)/4$, $\mathcal{F}(x+y) = \mathcal{F}(x) + \mathcal{F}(y)$ holds. Similarly, for $\{x, y\} \in R$ and $\{g_1(x), g_1(y)\} \le \sqrt{(p-1)/2}$, $\mathcal{F}(xy) = \mathcal{F}(x)\mathcal{F}(y)$ holds.

The homomorphism function $\mathcal{F}(\cdot)$ is applied to describe the relationships of the directed path descriptors. For instance, the pairwise path descriptors $\{p_j^b, p_b^j\}$ are respectively owned by $\{T_j, S_b\}$, and satisfy the following relationships, in which the secrets $C_j^b$ and $C_b^j$ are owned by $\{T_j, S_b\}$ for $C_j^b = C_b^j \in R$. Here, $T_j$ can obtain a mirroring path descriptor $|p_{aj}^{jb}|$, which equals $p_{aj}^{jb} \oplus PID_{T_j}$.

$$\mathcal{F}(p_j^b p_b^j) = \mathcal{F}(p_j^b)\,\mathcal{F}(p_b^j) = C_j^b = C_b^j,$$
$$\mathcal{F}(p_a^j + p_j^b) = \mathcal{F}(p_a^j) + \mathcal{F}(p_j^b) = \mathcal{F}(|p_{aj}^{jb}|).$$

• Towards the Chebyshev polynomials.
The Chebyshev chaotic maps can be applied for authentication [24], [25]. Assume that $\mathcal{T}_l(m)$ is a Chebyshev polynomial in $l$ of degree $m$, and $\mathcal{T}_l(m): [-1, 1] \to [-1, 1]$ is defined as $\mathcal{T}_l(m) = \cos(l \arccos(m))$. The recurrence relationships of Chebyshev polynomials are as follows:

$$\mathcal{T}_0(m) = 1, \quad \mathcal{T}_1(m) = m, \quad \mathcal{T}_l(m) = \cos(l \arccos(m)), \ (l \ge 2).$$

Let the degrees $\{l_1, l_2\}$ be positive integer numbers. The Chebyshev polynomials $\mathcal{T}_{l_1}(m)$ and $\mathcal{T}_{l_2}(m)$ ($m \in [-1, 1]$) satisfy the semigroup and chaotic properties:

$$\mathcal{T}_l(m) \equiv \big(2m\,\mathcal{T}_{l-1}(m) - \mathcal{T}_{l-2}(m)\big) \pmod q, \ (l \ge 2);$$
$$\mathcal{T}_{l_1}(\mathcal{T}_{l_2}(m)) \equiv \mathcal{T}_{l_1 l_2}(m) \equiv \mathcal{T}_{l_2}(\mathcal{T}_{l_1}(m)) \pmod q.$$

Accordingly, a set of Chebyshev polynomials are assigned to represent the relationships of the group identifiers/pseudonyms and directed path descriptors:

$$\begin{aligned}
\text{For } \mathcal{T}_{l_{T_j}}(\cdot)&: \; gid_{S_b} \equiv \mathcal{T}_{l_{T_j}}(\mathcal{F}(p_j^b)) \pmod q; \\
\text{For } \mathcal{T}_{l_{S_b}}(\cdot)&: \; gid_{T_j} \equiv \mathcal{T}_{l_{S_b}}(\mathcal{F}(p_b^j)) \pmod q; \\
\text{For } \mathcal{T}_{l_{DC_a}}(\cdot)&: \; PID_{T_j} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^j)) \pmod q; \\
&\phantom{:} \; PID_{S_b} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^b)) \pmod q; \\
&\phantom{:} \; gid_{iDC} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^i)) \pmod q; \\
\text{For } \mathcal{T}_{l_{iDC}}(\cdot)&: \; PID_{DC_a} \equiv \mathcal{T}_{l_{iDC}}(\mathcal{F}(p_i^a)) \pmod q; \\
\text{For } \mathcal{T}_{l_{nDC}}(\cdot)&: \; gid_{DC_a} \equiv \mathcal{T}_{l_{nDC}}(\mathcal{F}(p_n^a)) \pmod q; \\
&\phantom{:} \; PID_{iDC} \equiv \mathcal{T}_{l_{nDC}}(\mathcal{F}(p_n^i)) \pmod q.
\end{aligned}$$

Besides, the group identifiers $\{gid_{iDC}, gid_{DC_a}\}$ can be respectively extended into $\{gid_{iDC}^n\}$ (i.e., $\{gid_{iDC}^1, \ldots, gid_{iDC}^{N_1}\}$) and $\{gid_{DC_a}^n\}$ (i.e., $\{gid_{DC_a}^1, \ldots, gid_{DC_a}^{N_2}\}$) for $\{N_1, N_2\} \in N$ and $\{gid_{iDC}^n, gid_{DC_a}^n\} \in Z_{q^2}$. There are the following relationships for $x \in \{iDC, DC_a\}$ and $y \in \{h_{DC_a}, \varphi_{nDC}\}$:

$$PID_x \equiv \prod_{n=1}^{N_2} (y)^{gid_x^n} \pmod{q^2}.$$

In the trust model, $nDC$ is an only entity trusted by all the other entities (i.e., $T_j$, $S_b$, $DC_a$, $iDC$). In the unit IoT, $DC_a$ is trusted by $\{T_j, S_b\}$, and is under $iDC$'s default jurisdiction. In the ubiquitous IoT, $iDC$ and $nDC$ have relatively independent jurisdictions on $DC_a$.

3.2 The Authentication Protocol in the Unit IoT
Fig. 2 shows an interaction among $\{DC_a, S_b, T_j\}$, in which $T_j$ represents multiple targets $\{T_1, \ldots, T_J\}$.

Fig. 2. The authentication protocol in the unit IoT.

3.2.1 Challenge-Response between $S_b$ and $T_j$, and $S_b$'s Verification on $T_j$
$S_b$ generates a random number $r_{S_b}$, extracts its temp identity flag $F_{S_b}$, and transmits $r_{S_b} \| F_{S_b}$ to $T_j$ as a challenge to initiate a new session. Upon receiving the messages, $T_j$ first ascertains $S_b$'s identity by searching the matched identity flag $F_{S_b}$, generates a random number $r_{T_j}$, and extracts a set of values $\{F_{T_j}, gid_{T_j}, PID_{T_j}, C_j^a, C_j^b, p_j^a, p_j^b\}$, in which $\{C_j^a, C_j^b\}$ are shared secrets, and $\{p_j^a, p_j^b\}$ are directed path descriptors. Thereafter, $T_j$ computes a positive integer $x = [r_{S_b}] \pmod e$ for $e \in N$ as the maximum degree of a
Chebyshev polynomial $\mathcal{T}_x(\cdot)$. $T_j$ updates $\{p_j^a, p_j^b, gid_{T_j}, PID_{T_j}\}$ into $\{p_j^{\prime a}, p_j^{\prime b}, gid'_{T_j}, PID'_{T_j}\}$:

$$\begin{aligned}
p_j^{\prime a} &= \mathcal{T}_x\big(C_j^a / \mathcal{F}(p_j^a)\big) \pmod q; \\
p_j^{\prime b} &= \mathcal{T}_x\big(C_j^b / \mathcal{F}(p_j^b)\big) \pmod q; \\
gid'_{T_j} &= \mathcal{T}_x(gid_{T_j}) \pmod q; \\
PID'_{T_j} &= \mathcal{T}_x(PID_{T_j}) \pmod q.
\end{aligned}$$

$T_j$ computes $M_{T_j}$ and $V_{T_j}$, in which $M_{T_j}$ is an authentication operator, and $V_{T_j}$ is further used to establish the backward aggregated-proof $AP_b$:

$$M_{T_j} = H\big(r_{S_b} \| gid'_{T_j}\big), \qquad V_{T_j} = H\big(r_{T_j} \| PID'_{T_j}\big).$$

$T_j$ transmits $r_{T_j} \| F_{T_j} \| p_j^{\prime a} \| p_j^{\prime b} \| M_{T_j} \| V_{T_j}$ to $S_b$. Thereafter, $S_b$ first ascertains $T_j$'s identity by $F_{T_j}$, and locally re-computes $gid_{T_j}^{\prime\ell}$. Theoretically, $gid_{T_j}^{\prime\ell}$ equals $gid'_{T_j}$ according to $gid_{T_j} \equiv \mathcal{T}_{l_{S_b}}(\mathcal{F}(p_b^j)) \pmod q$:

$$gid_{T_j}^{\prime\ell} = \mathcal{T}_{l_{S_b}}\big(p_j^{\prime b}\big) \pmod q.$$

$S_b$ checks $T_j$ by re-computing $M_{T_j}^{\ell} = H(r_{S_b} \| gid_{T_j}^{\prime\ell})$. If $M_{T_j}^{\ell} = M_{T_j}$ holds, $S_b$ will regard $T_j$ as a legal target; otherwise, the APHA will terminate.

3.2.2 Backward Aggregated-Proof Challenge and $DC_a$'s Verification on $\{T_j, S_b\}$
$S_b$ extracts $\{gid_{T_j}, PID_{S_b}, C_b^a, p_b^a\}$, and computes a random integer $y = [r_{T_j}] \pmod e$ to denote the degree of the Chebyshev polynomial $\mathcal{T}_y(\cdot)$. Afterwards, $S_b$ obtains the updated values $\{p_b^{\prime a}, PID'_{S_b}\}$, and computes an authentication operator $M_{S_b}$:

$$\begin{aligned}
p_b^{\prime a} &= \mathcal{T}_y\big(C_b^a / \mathcal{F}(p_b^a)\big) \pmod q; \\
PID'_{S_b} &= \mathcal{T}_y(PID_{S_b}) \pmod q; \\
M_{S_b} &= H\big(r_{T_j} \| PID'_{S_b}\big).
\end{aligned}$$

$S_b$ aggregates $\{T_1, \ldots, T_J\}$'s messages $\{gid_{T_j} \| V_{T_j}\}$ to establish a backward aggregated-proof $AP_b$ for anonymous data transmission. Here, "$\mathrm{J}$" is defined as the multi-element cascade operation:

$$AP_b = H\big(r_{S_b} \| PID'_{S_b}\big) \oplus \mathrm{J}_{j=1}^{J}\big(gid_{T_j} \| V_{T_j}\big).$$

$S_b$ further transmits $r_{S_b} \| r_{T_j} \| F_{S_b} \| F_{T_j} \| p_j^{\prime a} \| p_b^{\prime a} \| M_{S_b} \| AP_b$ to $DC_a$. Upon receiving the messages, $DC_a$ ascertains $\{S_b, T_j\}$ according to the identity flags $\{F_{S_b}, F_{T_j}\}$, and locally re-computes $\{PID_{T_j}^{\prime\ell}, PID_{S_b}^{\prime\ell}\}$:

$$PID_{T_j}^{\prime\ell} = \mathcal{T}_{l_{DC_a}}\big(p_j^{\prime a}\big) \pmod q, \qquad PID_{S_b}^{\prime\ell} = \mathcal{T}_{l_{DC_a}}\big(p_b^{\prime a}\big) \pmod q.$$

Thereafter, $DC_a$ verifies $S_b$ by re-computing $M_{S_b}^{\ell} = H(r_{T_j} \| PID_{S_b}^{\prime\ell})$. Here, $PID_{T_j} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^j)) \pmod q$, and $PID_{S_b} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^b)) \pmod q$ are applied for verification. If $M_{S_b}^{\ell} = M_{S_b}$ holds, $DC_a$ will regard $S_b$ as a legal sensor; otherwise, the APHA will terminate.

$DC_a$ derives $gid_{T_j} \| V_{T_j}$ by an inverse operation $\mathrm{J}^{-1}(\cdot)$, and checks $T_j$ by re-computing $V_{T_j}^{\ell} = H(r_{T_j} \| PID_{S_b}^{\prime\ell})$. If $V_{T_j}^{\ell} = V_{T_j}$ holds, $DC_a$ will regard $T_j$ as a legal target; otherwise, the APHA will terminate:

$$gid_{T_j} \| V_{T_j} = \mathrm{J}_j^{-1}\Big(AP_b \oplus H\big(r_{S_b} \| PID_{S_b}^{\prime\ell}\big)\Big).$$

3.2.3 Forwards Aggregated-Proof Response and $T_j$'s Verification on $S_b$
$DC_a$ continues to extract $\{gid_{S_b}, PID_{S_b}, PID_{T_j}, p_{aj}^{jb}\}$ to compute $V_{DC_a}^{j}$ by the HMAC function:

$$V_{DC_a}^{j} = H_{p_{aj}^{jb}}\big((r_{T_j} \| r_{S_b}) \oplus gid_{S_b}\big).$$

$DC_a$ establishes a forward aggregated-proof $AP_f$ by wrapping $PID_{T_j} \| V_{DC_a}^{j}$, and transmits $AP_f$ to $S_b$:

$$AP_f = \mathrm{J}_{j=1}^{J}\big(PID_{T_j} \| V_{DC_a}^{j}\big) \oplus H(PID_{S_b}).$$

$S_b$ extracts $\{gid_{S_b}, C_b^j, p_b^j\}$ to obtain the updated values $\{p_b^{\prime j}, gid'_{S_b}\}$, computes $V_{S_b}$, and further transmits $p_b^{\prime j} \| V_{S_b}$ to $T_j$ for authentication:

$$\begin{aligned}
p_b^{\prime j} &= \mathcal{T}_y\big(C_b^j / \mathcal{F}(p_b^j)\big) \bmod q; \\
gid'_{S_b} &= \mathcal{T}_y(gid_{S_b}) \bmod q; \\
V_{S_b} &= AP_f \oplus H(PID_{S_b}) \oplus H\big(r_{T_j} \| gid'_{S_b}\big).
\end{aligned}$$

$T_j$ computes $|p_{aj}^{jb}|$ and $gid_{S_b}^{\prime\ell}$ to derive $PID_{T_j} \| V_{DC_a}^{j}$. Here, $|p_{aj}^{jb}|$ is a mirroring directed path descriptor from $DC_a$ to $S_b$ via $T_j$:

$$\begin{aligned}
|p_{aj}^{jb}| &= \mathcal{F}^{-1}\big(C_j^a / \mathcal{F}(p_j^a) + \mathcal{F}(p_j^b)\big); \\
gid_{S_b}^{\prime\ell} &= \mathcal{T}_{l_{T_j}}\big(p_b^{\prime j}\big) \bmod q; \\
PID_{T_j} \| V_{DC_a}^{j} &= \mathrm{J}_j^{-1}\Big(V_{S_b} \oplus H\big(r_{T_j} \| gid_{S_b}^{\prime\ell}\big)\Big).
\end{aligned}$$

Afterwards, $T_j$ extracts $gid_{S_b}$ to check the validity of $S_b$ by re-computing $V_{DC_a}^{j\ell} = H_{|p_{aj}^{jb}| \oplus PID_{T_j}}\big((r_{T_j} \| r_{S_b}) \oplus gid_{S_b}\big)$. If $V_{DC_a}^{j\ell} = V_{DC_a}^{j}$ holds, $T_j$ will regard $S_b$ as a legal sensor; otherwise, the APHA will terminate.

Till now, $S_b$ and $T_j$ have established the mutual authentication, and $DC_a$ has authenticated $\{T_j, S_b\}$ as legal entities. The backward and forward aggregated-proofs are respectively established to wrap multiple targets $\{T_1, \ldots, T_J\}$'s identity related information.

3.3 The Authentication Protocol in the Ubiquitous IoT
Fig. 3 shows an interaction among $\{DC_a, iDC, nDC\}$, in which $DC_a$ is under $iDC$'s jurisdiction, and $\{DC_a, iDC\}$ are within $nDC$'s management range.
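An added Python example, not code from the paper, that runs the homomorphism function of Section 3.1 and the $S_b$-side check of Section 3.2.1 end to end; Section 3.3 applies the same update-then-recompute pattern between data centers. Assumptions: toy primes, integer plaintexts ($d = 0$), hypothetical values for $k$, $e$ and the descriptors, SHA-256 over fixed-width fields for $H$, division by $\mathcal{F}(\cdot)$ read as a modular inverse mod $n$, and only the $p_j^{\prime b}$ and $M_{T_j}$ fields of $T_j$'s reply modeled.

```python
import hashlib
import hmac
import secrets

# Constructed demo parameters (assumptions, far too small for real use).
P, Q = 1_000_003, 998_244_353      # private primes p, q; n = p*q is public
N = P * Q
K = 5                              # hypothetical multiplier k in k(p-1)+1
E = 65_537                         # hypothetical bound e on the degree x

def F(x):
    """F(x) = g2(g1(x))^(k(p-1)+1) mod n, with d = 0 so g1(x) = x and
    g2 reducing a signed integer into Z_p."""
    return pow(x % P, K * (P - 1) + 1, N)

def F_inv(c):
    """c mod p recovers g2(g1(x)) by Fermat; map back to a signed integer."""
    m = c % P
    return m - P if m > (P - 1) // 2 else m

def chebyshev(l, m, q):
    """T_l(m) mod q by degree doubling: T_2n = 2*T_n^2 - 1 and
    T_(2n+1) = 2*T_n*T_(n+1) - m, both consequences of the recurrence."""
    a, b = 1, m % q                # (T_0, T_1)
    for bit in bin(l)[2:]:
        if bit == "1":
            a, b = (2 * a * b - m) % q, (2 * b * b - 1) % q
        else:
            a, b = (2 * a * a - 1) % q, (2 * a * b - m) % q
    return a

def H(r, value):
    """H(r || value) over fixed-width big-endian fields (assumed encoding)."""
    return hashlib.sha256(r.to_bytes(16, "big") + value.to_bytes(16, "big")).digest()

# Pre-shared state (constructed): pairwise descriptors and the shared secret.
P_BJ, P_JB = 271, 314              # p^b_j held by T_j, p^j_b held by S_b
C_BJ = F(P_BJ * P_JB)              # C = F(p^b_j p^j_b) = F(p^b_j) F(p^j_b)
L_SB = 1_009                       # S_b's secret degree l_Sb
GID_TJ = chebyshev(L_SB, F(P_JB), Q)   # gid_Tj = T_{l_Sb}(F(p^j_b)) mod q

def sensor_challenge():
    """S_b picks r_Sb. Degrees 0 and 1 are skipped because T_0 = 1 and
    T_1(m) = m would make the updated values constant or unchanged."""
    while True:
        r = secrets.randbits(128)
        if r % E >= 2:
            return r

def target_response(r_sb):
    """T_j: x = r_Sb mod e, p'^b_j = T_x(C/F(p^b_j)), M_Tj = H(r_Sb || gid'_Tj)."""
    x = r_sb % E
    f_jb = C_BJ * pow(F(P_BJ), -1, N) % N      # equals F(p^j_b)
    p_upd = chebyshev(x, f_jb, Q)
    gid_upd = chebyshev(x, GID_TJ, Q)
    return p_upd, H(r_sb, gid_upd)

def sensor_verify(r_sb, p_upd, m_tj):
    """S_b: recompute gid' as T_{l_Sb}(p'^b_j) mod q and compare the hashes."""
    gid_l = chebyshev(L_SB, p_upd, Q)
    return hmac.compare_digest(H(r_sb, gid_l), m_tj)

if __name__ == "__main__":
    r = sensor_challenge()
    p_upd, m = target_response(r)
    print("T_j accepted:", sensor_verify(r, p_upd, m))
    print("tampered p' accepted:", sensor_verify(r, (p_upd + 1) % Q, m))
    print("1000*1000 decodes to:", F_inv(F(1000) * F(1000) % N))
```

The last line prints a wrong product because both operands exceed the $\sqrt{(p-1)/2}$ bound, so descriptor magnitudes have to be constrained when the secrets are provisioned.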
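Fig. 3. The authentication protocol in the ubiquitous IoT.

3.3.1 Challenge-Response between $DC_a$ and $iDC$
$DC_a$ generates a random number $r_{DC_a}$, extracts its identity flag $F_{DC_a}$, and transmits $r_{DC_a} \| F_{DC_a}$ to query $iDC$. Upon receiving the messages, $iDC$ ascertains $DC_a$'s identity by searching the matched $F_{DC_a}$. Thereafter, $iDC$ generates a random number $r_{iDC}$, and extracts $\{F_{iDC}, gid_{iDC}, C_i^a, p_i^a\}$. $iDC$ further computes an integer $u = [r_{DC_a}] \pmod e$, and updates $\{p_i^a, gid_{iDC}\}$ into $\{p_i^{\prime a}, gid'_{iDC}\}$:

$$p_i^{\prime a} = \mathcal{T}_u\big(C_i^a / \mathcal{F}(p_i^a)\big) \pmod q, \qquad gid'_{iDC} = \mathcal{T}_u(gid_{iDC}) \pmod q.$$

$iDC$ extracts the values $\{gid_{iDC}^n\} = \{gid_{iDC}^1, \ldots, gid_{iDC}^{N_1}\}$, the pseudonyms $\{PID_{DC_a}, PID_{iDC}\}$, and an authentication key $k_a$ to compute $\{M_{iDC}, V_{iDC}\}$. Afterwards, $iDC$ transmits $r_{iDC} \| F_{iDC} \| p_i^{\prime a} \| M_{iDC} \| V_{iDC}$ to $DC_a$ for authentication:

$$\begin{aligned}
M_{iDC} &= \mathcal{E}_{k_a}\big(r_{DC_a} \oplus PID_{iDC}\big); \\
V_{iDC} &= \Big(PID_{DC_a}\, gid'_{iDC} + \sum_{n=1}^{N_1} gid_{iDC}^{n}\, r_{DC_a}\Big) \bmod q^2.
\end{aligned}$$

3.3.2 $DC_a$'s Verification on $iDC$
$DC_a$ extracts $\{h_{DC_a}, k_a\}$, locally re-computes $gid_{iDC}^{\prime\ell}$, and derives $PID_{iDC}^{\ell}$ by decryption operation:

$$gid_{iDC}^{\prime\ell} = \mathcal{T}_{l_{DC_a}}\big(p_i^{\prime a}\big) \pmod q, \qquad PID_{iDC}^{\ell} = \mathcal{E}_{k_a}^{-1}(M_{iDC}) \oplus r_{DC_a}.$$

$iDC$ checks $DC_a$ by the following equation according to $gid_{iDC} \equiv \mathcal{T}_{l_{DC_a}}(\mathcal{F}(p_a^i)) \pmod q$ and $PID_{iDC} \equiv \prod_{n=1}^{N_1} (h_{DC_a})^{gid_{iDC}^n} \pmod{q^2}$. If it holds, $DC_a$ will regard $iDC$ as a legal industrial data center; otherwise, the APHA will terminate:

$$(h_{DC_a})^{V_{iDC}} \stackrel{?}{=} (h_{DC_a})^{PID_{DC_a}\, gid_{iDC}^{\prime\ell}} \big(PID_{iDC}^{\ell}\big)^{r_{iDC}} \pmod{q^2}.$$

3.3.3 $iDC$'s Verification on $DC_a$
$DC_a$ extracts $\{gid_{DC_a}, PID_{DC_a}, C_a^i, C_a^n, p_a^i, p_a^n\}$, and computes an integer $v = [r_{iDC}] \pmod e$. Thereafter, $DC_a$ obtains the updated values $\{p_a^{\prime i}, p_a^{\prime n}, PID'_{DC_a}, gid'_{DC_a}\}$ for further authentication:

$$\begin{aligned}
p_a^{\prime i} &= \mathcal{T}_v\big(C_a^i / \mathcal{F}(p_a^i)\big) \pmod q; \\
p_a^{\prime n} &= \mathcal{T}_v\big(C_a^n / \mathcal{F}(p_a^n)\big) \pmod q; \\
PID'_{DC_a} &= \mathcal{T}_v(PID_{DC_a}) \pmod q; \\
gid'_{DC_a} &= \mathcal{T}_v(gid_{DC_a}) \pmod q.
\end{aligned}$$

$DC_a$ extracts $gid_{iDC}$ and $\{gid_{DC_a}^n\}$ to compute $\{M_{DC_a}, V_{DC_a}\}$, and transmits $p_a^{\prime i} \| p_a^{\prime n} \| M_{DC_a} \| V_{DC_a}$ to $iDC$:

$$\begin{aligned}
M_{DC_a} &= H\big(r_{iDC} \| PID'_{DC_a}\big); \\
V_{DC_a} &= gid_{iDC}\, gid'_{DC_a} + \sum_{n=1}^{N_2} gid_{DC_a}^{n}\, r_{DC_a} \pmod{q^2}.
\end{aligned}$$

$iDC$ locally re-computes $PID_{DC_a}^{\prime\ell} = \mathcal{T}_{l_{iDC}}(p_a^{\prime i})$ and $M_{DC_a}^{\ell} = H(r_{iDC} \| PID_{DC_a}^{\prime\ell})$. According to $PID_{DC_a} \equiv \mathcal{T}_{l_{iDC}}(\mathcal{F}(p_i^a)) \pmod q$, $iDC$ verifies $DC_a$ by comparing whether $M_{DC_a}^{\ell}$ equals $M_{DC_a}$. If it holds, $iDC$ will regard $DC_a$ as a legal unit data center; otherwise, the APHA will terminate.

3.3.4 $nDC$'s Verification on $iDC$ and $DC_a$
$iDC$ extracts $\{C_i^n, p_i^n, k_n\}$ to update $\{p_i^n, PID_{iDC}\}$ into $\{p_i^{\prime n}, PID'_{iDC}\}$, and computes $U_{iDC}$. Thereafter, $iDC$ transmits $r_{DC_a} \| r_{iDC} \| F_{DC_a} \| F_{iDC} \| p_a^{\prime n} \| p_i^{\prime n} \| U_{iDC}$ to $nDC$ for authentication:

$$\begin{aligned}
p_i^{\prime n} &= \mathcal{T}_u\big(C_i^n / \mathcal{F}(p_i^n)\big) \pmod q; \\
PID'_{iDC} &= \mathcal{T}_u(PID_{iDC}) \pmod q; \\
U_{iDC} &= \mathcal{E}_{k_n}\big(r_{iDC} \oplus V_{DC_a}\big) \oplus H\big(r_{DC_a} \| PID'_{iDC}\big).
\end{aligned}$$

$nDC$ ascertains $\{iDC, DC_a\}$'s identities according to $\{F_{iDC}, F_{DC_a}\}$, and extracts $\{\varphi_{nDC}, gid_{iDC}, PID_{DC_a}, C_n^i, p_n^i, k_n\}$ to re-compute $\{PID_{iDC}^{\prime\ell}, gid_{DC_a}^{\prime\ell}, V_{DC_a}^{\ell}\}$:

$$\begin{aligned}
PID_{iDC}^{\prime\ell} &= \mathcal{T}_{l_{nDC}}\big(p_i^{\prime n}\big) \pmod q; \\
gid_{DC_a}^{\prime\ell} &= \mathcal{T}_{l_{nDC}}\big(p_a^{\prime n}\big) \pmod q; \\
V_{DC_a}^{\ell} &= \mathcal{E}_{k_n}^{-1}\Big(U_{iDC} \oplus H\big(r_{DC_a} \| PID_{iDC}^{\prime\ell}\big)\Big) \oplus r_{iDC}.
\end{aligned}$$

$nDC$ checks the validity of $iDC$ and $DC_a$ by verifying the following equation according to $PID_{iDC} \equiv \mathcal{T}_{l_{nDC}}(\mathcal{F}(p_n^i))$, $gid_{DC_a} \equiv \mathcal{T}_{l_{nDC}}(\mathcal{F}(p_n^a)) \pmod q$, and $PID_{DC_a} \equiv \prod_{n=1}^{N_2} (\varphi_{nDC})^{gid_{DC_a}^n} \pmod{q^2}$: If it holds, $nDC$ will regard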
$iDC$ and $DC_a$ as legal entities; otherwise, the APHA will terminate:

$$(\varphi_{nDC})^{V_{DC_a}^{\ell}} \stackrel{?}{=} (\varphi_{nDC})^{gid_{iDC}\, gid_{DC_a}^{\prime\ell}} \big(PID_{DC_a}\big)^{r_{DC_a}} \pmod{q^2}.$$

Till now, $DC_a$ and $iDC$ have established mutual authentication, and $nDC$ has authenticated $\{DC_a, iDC\}$ as legal entities. Thereinto, $iDC$ and $nDC$ have different access authorities on $DC_a$'s group identifier and pseudonym to achieve hierarchical access control.

3.4 Security Properties
3.4.1 Data Confidentiality and Data Integrity
Data confidentiality is mainly achieved by the Chebyshev chaotic maps, in which the polynomials $\{\mathcal{T}_{l_{T_j}}, \mathcal{T}_{l_{S_b}}, \mathcal{T}_{l_{DC_a}}, \mathcal{T}_{l_{iDC}}, \mathcal{T}_{l_{nDC}}\}$ are defined to represent the relationships of the group identifiers, pseudonyms and directed path descriptors. During the maps, the directed path descriptors are wrapped by the homomorphism function $\mathcal{F}(\cdot)$. Besides, the pseudo-random numbers (i.e., $r_{T_j}$, $r_{S_b}$, $r_{DC_a}$, $r_{iDC}$) are applied to obtain the degree of the Chebyshev polynomials $\{\mathcal{T}_x, \mathcal{T}_y, \mathcal{T}_u, \mathcal{T}_v\}$ for enhancing session randomization.

Data integrity is realized by the one-way hash and HMAC functions. In the unit IoT, $\{M_{T_j}, M_{S_b}, V_{T_j}, V_{DC_a}^{j}\}$ are transmitted in the terms of $H(\cdot)$ and $H_{p_{aj}^{jb}}(\cdot)$ for identify declaration and verification. In the ubiquitous IoT, $\{M_{DC_a}, U_{iDC}\}$ are respectively challenged to wrap $PID'_{DC_a}$ and $PID'_{iDC}$ into hash functions for verifying $DC_a$ and $iDC$. Note that the one-way values apply pseudo-random numbers, which can ensure that attackers cannot derive the private values for data corruption.

3.4.2 Hierarchical Access Control
Two-layered interactions of $\{T_j, S_b, DC_a\}$ and $\{DC_a, iDC, nDC\}$ are performed in relatively independent modes, during which $DC_a$ acts as a media to connect the unit IoT and ubiquitous IoT. According to the practical application requirements, $\{T_j, S_b, DC_a, iDC, nDC\}$ are assigned the different access authorities in the U2IoT.

• For $T_j$. $T_j$ owns $S_b$'s group identifier $gid_{S_b}$ to ascertain the general group attribute, and ensure that only an in-group sensor can access $T_j$'s data.
• For $S_b$. $S_b$ can only determine $T_j$'s group identifier $gid_{T_j}$ by the challenged pseudo-random identity flag $F_{T_j}$ without obtaining the pseudonym $PID_{T_j}$ to restrain $S_b$'s access authority on $T_j$.
• For $DC_a$. In the unit IoT, $DC_a$ owns reinforced access authorities on $\{T_j, S_b\}$, and can ascertain $\{T_j, S_b\}$'s detailed group identifiers $\{gid_{T_j}, gid_{S_b}\}$ based on the flags. Additionally, $DC_a$ can further determine $\{T_j, S_b\}$'s pseudonyms $\{PID_{T_j}, PID_{S_b}\}$ for further management. In the ubiquitous IoT, $DC_a$ owns $iDC$'s group identifier $gid_{iDC}$ to ensure that only the industrial data center with the appointed group identifier can access $DC_a$'s data.
• For $iDC$. $iDC$ owns $DC_a$'s pseudonym $PID_{DC_a}$ to realize that $iDC$ can ascertain $DC_a$'s detailed identity in an industry application.
• For $nDC$. $nDC$ owns access authorities on both unit IoT and industrial IoT. $DC_a$'s pseudonym $PID_{DC_a}$ and $iDC$'s group identifier $gid_{iDC}$ are available to realize the centralized management.

3.4.3 Forward Unlinkability
The pseudo-random numbers are generated as session-sensitive operators to provide session freshness and randomization. Additionally, the identity related values (e.g., identify flags, group identifier, and pseudonym) are dynamically updated during each session. Such variables are applied to obtain the authentication operators (e.g., $V_{T_j}$, $M_{S_b}$, $M_{DC_a}$, and $V_{iDC}$), the aggregated-proofs, and other intermediate variables (e.g., $V_{S_b}$). The transmitted messages are mainly computed based on the random numbers $\{r_{T_j}, r_{S_b}, r_{DC_a}, r_{iDC}\}$, which make that the exchanged messages can be regarded as dynamically variables with perfect forward unlinkability, and an attacker cannot correlate the ongoing session with former sessions in the open channels.

3.4.4 Mutual Authentication
In the unit IoT, the mutual authentication is established between $T_j$ and $S_b$, and authentication operators are applied to check the identity correctness and consistency. The Chebyshev chaotic maps $gid_{T_j} \equiv \mathcal{T}_{l_{S_b}}(\mathcal{F}(p_b^j)) \pmod q$ and $gid_{S_b} \equiv \mathcal{T}_{l_{T_j}}(\mathcal{F}(p_j^b)) \pmod q$ are used for authentication; The pairwise directed path descriptors $\{p_b^j, p_j^b\}$ can be derived by $\mathcal{F}(p_j^b p_b^j) = \mathcal{F}(p_j^b)\mathcal{F}(p_b^j) = C_b^j = C_j^b$; The mirroring directed path descriptor $|p_{aj}^{jb}|$ is obtained by $\mathcal{F}(|p_{aj}^{jb}|) = \mathcal{F}(p_j^b + p_a^j) = \mathcal{F}(p_j^b) + \mathcal{F}(p_a^j)$.

In the ubiquitous IoT, hybrid authentications are established among $\{DC_a, iDC, nDC\}$. The Chebyshev chaotic maps $\{\mathcal{T}_{l_{DC_a}}, \mathcal{T}_{l_{iDC}}, \mathcal{T}_{l_{nDC}}\}$ are introduced for authentication. Besides, the group identifiers $\{gid_{iDC}, gid_{DC_a}\}$ can be extended into $\{gid_{iDC}^1, \ldots, gid_{iDC}^{N_1}\}$ and $\{gid_{DC_a}^1, \ldots, gid_{DC_a}^{N_2}\}$, which satisfy the pre-shared relationships with the corresponding pseudonyms $\{PID_{iDC}, PID_{DC_a}\}$.

3.4.5 Privacy Preservation
The backward aggregated-proof $AP_b$ is established by $S_b$ to wrap multiple targets $\{T_1, \ldots, T_J\}$'s identity related values, and the cascaded value $\mathrm{J}_{j=1}^{J}(gid_{T_j} \| V_{T_j})$ is further XORed by the hash value $H(r_{S_b} \| PID'_{S_b})$ for anonymous data transmission. Here, $AP_b$ covers the wrapped values $\mathcal{T}_x(PID_{T_j})$ and $\mathcal{T}_y(PID_{S_b})$. Here, the multi-element cascade operators $\mathrm{J}_{j=1}^{J}(\cdot)$ and its inverse operation $\mathrm{J}_j^{-1}$ are defined for aggregation and derivation. The forward aggregated-proof $AP_f$ is established by $DC_a$ to respond $\{T_1, \ldots, T_J\}$. Note that $AP_f$ includes the cascaded value $(PID_{T_1} \| V_{DC_a}^{1}) \|, \ldots, \| (PID_{T_J} \| V_{DC_a}^{J})$, and $\{T_j\}$ can respectively derive $\{PID_{T_j} \| V_{DC_a}^{j}\}$ to authenticate $S_b$.

The aggregated-proofs have two main functions: one is to pack multiple targets' challenges into a group, and the other
is to pack $DC_a$'s responses into a group. Such aggregated data transmission realizes that $\{T_j\}$'s individual identity related information cannot be revealed, and attackers cannot derive individual sensitive information according to the intercepted messages. It turns out that only the legal unit data center can derive each target's identity information by $AP_b$, and only the legal target can derive its authorized fields by $AP_f$.

4 FORMAL ANALYSIS WITH THE BAN LOGIC
In this section, Burrows-Abadi-Needham (i.e., BAN) logic [26] is applied to analyze the design correctness for security proof, and it is a rigorous evaluation method to detect subtle defects for authentication scheme. The formal analysis focuses on belief and freshness, involving the following steps: message formalization, initial assumptions declaration, anticipant goals declaration, and logic verification. Table 3 shows formal notations in the BAN logic.

TABLE 3
The Formal Notations

4.1 Message Formalization
Message formalization is to specify the exchanged messages. In the unit IoT, the formalized messages among $\{DC_a, S_b, T_j\}$ are obtained as follows:

M1.1: $T_j \triangleleft r_{S_b}$, $T_j \triangleleft F_{S_b}$;
M1.2: $S_b \triangleleft r_{T_j}$, $S_b \triangleleft F_{T_j}$,
 $S_b \triangleleft \langle r_{S_b}, p_{aj} \rangle_{C_{aj}}$, $S_b \triangleleft \langle r_{S_b}, p_{bj} \rangle_{C_{bj}}$,
 $S_b \triangleleft M_{T_j}$, $S_b \triangleleft V_{T_j}$;
M1.3: $DC_a \triangleleft r_{S_b}$, $DC_a \triangleleft r_{T_j}$,
 $DC_a \triangleleft F_{S_b}$, $DC_a \triangleleft F_{T_j}$,
 $DC_a \triangleleft \langle r_{S_b}, p_{aj} \rangle_{C_{aj}}$, $DC_a \triangleleft \langle r_{T_j}, p_{ab} \rangle_{C_{ab}}$,
 $DC_a \triangleleft M_{S_b}$, $DC_a \triangleleft AP_b$;
M1.4: $S_b \triangleleft AP_f$;
M1.5: $T_j \triangleleft \langle r_{T_j}, p_{jb} \rangle_{C_{jb}}$, $T_j \triangleleft V_{S_b}$.

In the ubiquitous IoT, the formalized messages among $\{DC_a, iDC, nDC\}$ are obtained as follows:

M2.1: $iDC \triangleleft r_{DC_a}$, $iDC \triangleleft F_{DC_a}$;
M2.2: $DC_a \triangleleft r_{iDC}$, $DC_a \triangleleft F_{iDC}$, $DC_a \triangleleft \langle r_{DC_a}, p_{ai} \rangle_{C_{ai}}$,
 $DC_a \triangleleft \{r_{DC_a}, PID_{iDC}\}_{k_a}$, $DC_a \triangleleft V_{iDC}$;
M2.3: $iDC \triangleleft \langle r_{iDC}, p_{ia} \rangle_{C_{ia}}$, $iDC \triangleleft \langle r_{iDC}, p_{na} \rangle_{C_{na}}$,
 $iDC \triangleleft M_{DC_a}$, $iDC \triangleleft V_{DC_a}$;
M2.4: $nDC \triangleleft r_{DC_a}$, $nDC \triangleleft r_{iDC}$,
 $nDC \triangleleft F_{DC_a}$, $nDC \triangleleft F_{iDC}$,
 $iDC \triangleleft \langle r_{iDC}, p_{na} \rangle_{C_{na}}$, $iDC \triangleleft \langle r_{DC_a}, p_{ni} \rangle_{C_{ni}}$,
 $nDC \triangleleft U_{iDC}$.

4.2 Initial Assumptions
In the APHA, an entity believes that: 1) the shared secrets and keys are obtained by the assigned entities, 2) the pseudo random numbers, identity flags, pseudonyms, and directed path descriptors are fresh, and 3) the trusted entity has jurisdiction on the entitled values. The initiative assumptions, including initial possessions and entity abilities are obtained as follows:

• For $T_j$:
P1.1: $T_j \mid\equiv S_b \overset{F_{T_j}, F_{S_b}, gid_{T_j}, gid_{S_b}, C_{jb}}{\rightleftharpoons} T_j$,
 $T_j \mid\equiv DC_a \overset{F_{T_j}, gid_{T_j}, PID_{T_j}, C_{ja}}{\rightleftharpoons} T_j$;
P1.2: $T_j \mid\equiv \#(r_{T_j}, F_{T_j}, PID_{T_j}, p_{aj}, p_{bj})$;
P1.3: $T_j \mid\equiv DC_a \mid\Rightarrow (F_{T_j}, gid_{T_j}, PID_{T_j}, p^{jb}_{aj})$.

• For $S_b$:
P2.1: $S_b \mid\equiv T_j \overset{F_{T_j}, F_{S_b}, gid_{T_j}, gid_{S_b}, C_{bj}}{\rightleftharpoons} S_b$,
 $S_b \mid\equiv DC_a \overset{F_{S_b}, gid_{S_b}, PID_{S_b}, C_{ba}}{\rightleftharpoons} S_b$;
P2.2: $S_b \mid\equiv \#(r_{S_b}, F_{S_b}, PID_{S_b}, p_{ab})$;
P2.3: $S_b \mid\equiv DC_a \mid\Rightarrow (F_{S_b}, gid_{S_b}, PID_{S_b})$.

• For $DC_a$:
P3.1: $DC_a \mid\equiv T_j \overset{F_{T_j}, gid_{T_j}, PID_{T_j}, C_{aj}}{\rightleftharpoons} DC_a$,
 $DC_a \mid\equiv S_b \overset{F_{S_b}, gid_{S_b}, PID_{S_b}, C_{ab}}{\rightleftharpoons} DC_a$,
 $DC_a \mid\equiv iDC \overset{F_{DC_a}, F_{iDC}, gid_{iDC}, PID_{DC_a}, C_{ai}}{\rightleftharpoons} DC_a$,
 $DC_a \mid\equiv nDC \overset{F_{DC_a}, PID_{DC_a}}{\rightleftharpoons} DC_a$;
P3.2: $DC_a \mid\equiv iDC \overset{k_a}{\leftrightarrow} DC_a$;
P3.3: $DC_a \mid\equiv \#(r_{DC_a}, F_{DC_a}, gid_{DC_a}, PID_{DC_a})$,
 $DC_a \mid\equiv \#(p^{jb}_{aj}, p_{ia}, p_{na})$;
P3.4: $DC_a \mid\equiv nDC \mid\Rightarrow (F_{DC_a}, PID_{DC_a})$.

• For $iDC$:
P4.1: $iDC \mid\equiv DC_a \overset{F_{DC_a}, F_{iDC}, gid_{iDC}, PID_{DC_a}, C_{ia}}{\rightleftharpoons} iDC$,
 $iDC \mid\equiv nDC \overset{F_{iDC}, gid_{iDC}, C_{in}}{\rightleftharpoons} iDC$;
P4.2: $iDC \mid\equiv DC_a \overset{k_a}{\leftrightarrow} iDC$,
 $iDC \mid\equiv nDC \overset{k_n}{\leftrightarrow} iDC$;
P4.3: $iDC \mid\equiv \#(r_{iDC}, F_{iDC}, gid_{iDC}, PID_{iDC}, p_{ai}, p_{ni})$;
P4.4: $iDC \mid\equiv (nDC \mid\Rightarrow (F_{iDC}, gid_{iDC}))$.

• For $nDC$:
P5.1: $nDC \mid\equiv DC_a \overset{F_{DC_a}, PID_{DC_a}}{\rightleftharpoons} nDC$,
 $nDC \mid\equiv iDC \overset{F_{iDC}, gid_{iDC}, C_{ni}}{\rightleftharpoons} nDC$;
P5.2: $nDC \mid\equiv iDC \overset{k_n}{\leftrightarrow} nDC$;
P5.3: $nDC \mid\equiv \#(p_{in})$;

4.3 Anticipant Goals
The security goals refer to belief and freshness, in which the exchanged messages are transmitted from authenticated entities, and the messages were never used in former sessions. In the APHA, the anticipant goals are obtained as follows:

• In the unit IoT:
G1.1: $T_j \mid\equiv S_b \mid\sim p_{jb}$,
G1.2: $T_j \mid\equiv \# V_{S_b}$,
G1.3: $S_b \mid\equiv T_j \mid\sim p_{bj}$,
G1.4: $S_b \mid\equiv \#(p'_{aj}, p'_{bj}, M_{T_j}, AP_f)$,
G1.5: $S_b \mid\equiv DC_a \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} T_j$,
G1.6: $DC_a \mid\equiv T_j \mid\sim p_{aj}$,
G1.7: $DC_a \mid\equiv S_b \mid\sim p_{ab}$.

• In the ubiquitous IoT:
G2.1: $DC_a \mid\equiv iDC \mid\sim (p_{ai}, PID_{iDC})$,
G2.2: $DC_a \mid\equiv \#(p'_{ai}, M_{iDC})$,
G2.3: $iDC \mid\equiv DC_a \mid\sim p_{ia}$,
G2.4: $iDC \mid\equiv \#(p'_{ia}, p'_{na}, M_{DC_a})$,
G2.5: $iDC \mid\equiv nDC \overset{PID_{DC_a}}{\rightleftharpoons} DC_a$,
G2.6: $nDC \mid\equiv DC_a \mid\sim p_{na}$,
G2.7: $nDC \mid\equiv iDC \mid\sim (p_{ni}, V_{DC_a})$.

4.4 Logic Verification
Logic verification is performed according to the formalized messages, initial assumptions, and the related rules of the BAN logic.

Theorem 1.1. $T_j$ believes that $S_b$ conveyed $p_{jb}$.

Proof: According to P1.1: $T_j \mid\equiv S_b \overset{C_{jb}}{\rightleftharpoons} T_j$, it turns out that $T_j$ believes that $C_{jb}$ is a shared secret with $S_b$.

According to M1.5: $T_j \triangleleft \langle r_{T_j}, p_{jb} \rangle_{C_{jb}}$, it turns out that $T_j$ receives $\langle r_{T_j}, p_{jb} \rangle_{C_{jb}}$. Due to $C_{bj} = C_{jb}$, we obtain that $T_j \triangleleft \langle r_{T_j}, p_{jb} \rangle_{C_{bj}}$. Applying the message-meaning rule (RM3):

$$\frac{P \mid\equiv Q \overset{Y}{\rightleftharpoons} P,\quad P \triangleleft \langle X \rangle_Y}{P \mid\equiv Q \mid\sim X},$$

we obtain that,

$$T_j \mid\equiv S_b \mid\sim (r_{T_j}, p_{jb}).$$

If $T_j$ believes that $C_{jb}$ is a shared secret with $S_b$, and $T_j$ receives $\langle r_{T_j}, p_{jb} \rangle_{C_{jb}}$; $T_j$ will believe that $S_b$ once conveyed the message $(r_{T_j}, p_{jb})$. Thereafter, applying the belief rule (RB4): $\frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X}$, we obtain that,

$$T_j \mid\equiv S_b \mid\sim p_{jb}.$$

If $T_j$ believes that $S_b$ conveyed the message $(r_{T_j}, p_{jb})$; $T_j$ will believe that $S_b$ conveyed the sub-message $p_{jb}$. Note that the postulate is sound because the rules for $\triangleleft$ guarantee that $p_{jb}$ was not just uttered by $T_j$. Till now, G1.1 has been proven, and G1.3, G1.6, G1.7, G2.3, and G2.6 can be achieved via the similar procedures. □

Theorem 1.2. $DC_a$ believes that $iDC$ conveyed $p_{ai}$ and $PID_{iDC}$.

Proof. Similarly, according to $DC_a \mid\equiv iDC \overset{C_{ai}}{\rightleftharpoons} DC_a$, $DC_a \triangleleft \langle r_{DC_a}, p_{ai} \rangle_{C_{ai}}$, RM3, and RB4, we obtain that $DC_a \mid\equiv iDC \mid\sim p_{ai}$.

According to P3.2: $DC_a \mid\equiv iDC \overset{k_a}{\leftrightarrow} DC_a$, it turns out that $DC_a$ believes that $k_a$ is a good key shared by $iDC$ and $DC_a$.

According to M2.2: $DC_a \triangleleft \{r_{DC_a}, PID_{iDC}\}_{k_a}$, it turns out that $DC_a$ receives $\{r_{DC_a}, PID_{iDC}\}_{k_a}$, in which a secret key $k_a$ is applied for establishing the ciphertext. Applying the message-meaning rule (RM1): $\frac{P \mid\equiv Q \overset{K}{\leftrightarrow} P,\ P \triangleleft \{X\}_K}{P \mid\equiv Q \mid\sim X}$, we obtain that,

$$DC_a \mid\equiv iDC \mid\sim (r_{DC_a}, PID_{iDC}).$$

If $DC_a$ believes that $k_a$ is a shared key with $iDC$, and $DC_a$ receives the wrapped message $\{r_{DC_a}, PID_{iDC}\}_{k_a}$; $DC_a$ will believe that $S_b$ conveyed $(r_{DC_a}, PID_{iDC})$. Applying the belief rule (RB4): $\frac{P \mid\equiv Q \mid\sim (X, Y)}{P \mid\equiv Q \mid\sim X}$, we obtain that,

$$DC_a \mid\equiv iDC \mid\sim PID_{iDC}.$$

If $DC_a$ believes that $S_b$ once conveyed the message $(r_{DC_a}, PID_{iDC})$; $DC_a$ will believe that $S_b$ conveyed the sub-message $PID_{iDC}$. Till now, G2.1 has been proven, and G2.7 can be achieved via the similar procedures. □

Theorem 2. $T_j$ believes that $V_{S_b}$ is fresh.

Proof. According to P1.2: $T_j \mid\equiv \#(r_{T_j}, PID_{T_j})$, it turns out that $T_j$ believes that $\{r_{T_j}, PID_{T_j}\}$ are fresh.

According to M1.5: $T_j \triangleleft V_{S_b}$, in which $V_{S_b}$ contains the elements $\{p^{jb}_{aj}, r_{T_j}, r_{S_b}, gid_{S_b}, PID_{T_j}, PID_{S_b}\}$, and it is randomized by $\{r_{T_j}, PID_{T_j}\}$. Applying the freshness rule (RF1): $\frac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$, we obtain that,

$$T_j \mid\equiv \# V_{S_b}.$$

If $T_j$ believes that $\{r_{T_j}, PID_{T_j}\}$ are fresh, $T_j$ will also believe that $V_{S_b}$ is fresh. Till now, G1.2 has been proven, and G1.4, G2.2, and G2.4 can be achieved via the similar procedures. □

Theorem 3. $S_b$ believes that $gid_{T_j}$ and $PID_{T_j}$ are secrets shared by $\{DC_a, T_j\}$.

Proof. According to the secure communication channel between $S_b$ and $DC_a$, we obtain that,

$$S_b \mid\equiv DC_a \mid\Rightarrow (DC_a \mid\equiv\ ),$$
$$S_b \mid\equiv DC_a \mid\equiv (DC_a \mid\equiv\ ).$$

According to P3.1: $DC_a \mid\equiv T_j \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} DC_a$, it turns out that $DC_a$ believes that $\{gid_{T_j}, PID_{T_j}\}$ are shared by $\{DC_a, T_j\}$. Applying the secret sharing rule (RK3):

$$\frac{P \mid\equiv R \overset{X}{\rightleftharpoons} R'}{P \mid\equiv R' \overset{X}{\rightleftharpoons} R}.$$

We obtain that $DC_a \mid\equiv DC_a \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} T_j$. According to $S_b \mid\equiv DC_a \mid\Rightarrow (DC_a \mid\equiv\ )$ and $S_b \mid\equiv DC_a \mid\equiv (DC_a \mid\equiv\ )$, we obtain that,
$$S_b \mid\equiv DC_a \mid\Rightarrow \left(DC_a \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} T_j\right),$$
$$S_b \mid\equiv DC_a \mid\equiv \left(DC_a \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} T_j\right).$$

Thereafter, applying the jurisdiction rule (RJ1): $\frac{P \mid\equiv Q \mid\Rightarrow X,\ P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$, we obtain that,

$$S_b \mid\equiv DC_a \overset{gid_{T_j}, PID_{T_j}}{\rightleftharpoons} T_j.$$

If $S_b$ believes that $DC_a$ is trusted, $S_b$ believes that $DC_a$ believes that the secrets $\{gid_{T_j}, PID_{T_j}\}$ are shared by $\{DC_a, T_j\}$, and $S_b$ believes that $DC_a$ has jurisdiction over $DC_a \overset{F_{MC_{aj}}}{\rightleftharpoons} T_j$; $S_b$ will trust $DC_a$ on the truth of $DC_a \overset{F_{MC_{aj}}}{\rightleftharpoons} T_j$. Till now, G1.5 has been proven, and G2.5 can be achieved via the similar procedures.

Thus, the BAN logic based security proof is demonstrated for formal analysis. In APHA, $\{T_j, S_b\}$ and $\{DC_a, iDC\}$ can respectively establish beliefs via the mutual authentication, and the APHA is proved to be correct and ensures nonexistence of obvious design defects. □

5 CONCLUSION
In this paper, we have proposed an aggregated-proof based hierarchical authentication scheme for the U2IoT architecture. In the APHA, two sub-protocols are respectively designed for the unit IoT and ubiquitous IoT to provide bottom-up security protection. The proposed scheme realizes data confidentiality and data integrity by the directed path descriptor and homomorphism based Chebyshev chaotic maps, establishes trust relationships via the lightweight mechanisms, and applies dynamically hashed values to achieve session freshness. It indicates that the APHA is suitable for the U2IoT architecture.

ACKNOWLEDGMENTS
This work was funded by DNSLAB, China Internet Network Information Center, Beijing 100190, China.

REFERENCES
[1] B. Guo, D. Zhang, Z. Yu, Y. Liang, Z. Wang, and X. Zhou, “From the internet of things to embedded intelligence,” World Wide Web J., vol. 16, no. 4, pp. 399–420, 2013.
[2] R. H. Weber, “Internet of things—New security and privacy challenges,” Comput. Law Security Rev., vol. 26, no. 1, pp. 23–30, 2010.
[3] H. Ning and Z. Wang, “Future internet of things architecture: Like mankind neural system or social organization framework?” IEEE Commun. Lett., vol. 15, no. 4, pp. 461–463, Apr. 2011.
[4] R. Roman, P. Najera, and J. Lopez, “Securing the internet of things,” Comput., vol. 44, no. 9, pp. 51–58, 2011.
[5] K. Lampropoulos and S. Denazis, “Identity management directions in future internet,” IEEE Commun. Mag., vol. 49, no. 12, pp. 74–83, Dec. 2011.
[6] T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar, and K. Wehrle, “Security challenges in the IP-based internet of things,” Wireless Pers. Commun., vol. 61, no. 3, pp. 527–542, 2011.
[7] F. V. Meca, J. H. Ziegeldorf, P. M. Sanchez, O. G. Morchon, S. S. Kumar, and S. L. Keoh, “HIP security architecture for the IP-based internet of things,” in Proc. 27th Int. Conf. Adv. Inform. Netw. Appl. Workshops, 2013, pp. 1331–1336.
[8] H. Ning, H. Liu, and L. T. Yang, “Cyberentity security in the internet of things,” Comput., vol. 46, no. 4, pp. 46–53, 2013.
[9] G. P. Hancke, K. Markantonakis, and K. E. Mayes, “Security challenges for user-oriented RFID applications within the “internet of things”,” J. Internet Technol., vol. 11, no. 3, pp. 307–313, 2010.
[10] T. Yan and Q. Wen, “Building the internet of things using a mobile RFID security protocol based on information technology,” Adv. Intell. Soft Comput., vol. 104, pp. 143–149, 2011.
[11] K. Toumi, M. Ayari, L. A. Saidane, M. Bouet, and G. Pujolle, “HAT: HIP address translation protocol for hybrid RFID/IP internet of things communication,” in Proc. Int. Conf. Commun. Wireless Environ. Ubiquitous Syst.: New Challenges, 2010, pp. 1–7.
[12] K. Chang and J. Chen, “A survey of trust management in WSNs, internet of things and future internet,” KSII Trans. Internet Inform. Syst., vol. 6, no. 1, pp. 5–23, 2012.
[13] S. Raza, H. Shafagh, K. Hewage, R. Hummen, and T. Voigt, “Lithe: Lightweight secure CoAP for the internet of things,” IEEE Sens. J., vol. 13, no. 10, pp. 3711–3720, Oct. 2013.
[14] X. Yao, X. Han, X. Du, and X. Zhou, “A lightweight multicast authentication mechanism for small scale IoT applications,” IEEE Sens. J., vol. 13, no. 10, pp. 3693–3701, Oct. 2013.
[15] R. Roman, C. Alcaraz, J. Lopez, and N. Sklavos, “Key management systems for sensor networks in the context of the internet of things,” Comput. Elect. Eng., vol. 37, no. 2, pp. 147–159, 2011.
[16] F. Ren and J. Ma, “Attribute-based access control mechanism for perceptive layer of the internet of things,” Int. J. Digital Content Technol. Appl., vol. 5, no. 10, pp. 396–403, 2011.
[17] D. Chen, G. Chang, D. Sun, J. Li, J. Jia, and X. Wang, “TRM-IoT: A trust management model based on fuzzy reputation for internet of things,” Comput. Sci. Inform. Syst., vol. 8, no. 4, pp. 1207–1228, 2011.
[18] X. Wang, X. Sun, H. Yang, and S. A. Shah, “An anonymity and authentication mechanism for internet of things,” J. Convergence Inform. Technol., vol. 6, no. 3, pp. 98–105, 2011.
[19] G. Zhao, X. Si, J. Wang, X. Long, and T. Hu, “A novel mutual authentication scheme for internet of things,” in Proc. Int. Conf. Model., Identification Control, 2011, pp. 563–566.
[20] L. Zhou and H. C. Chao, “Multimedia traffic security architecture for the internet of things,” IEEE Netw., vol. 25, no. 3, pp. 35–40, May/Jun. 2011.
[21] X. Li, R. Lu, X. Liang, X. Shen, J. Chen, and X. Lin, “Smart community: An internet of things application,” IEEE Commun. Mag., vol. 49, no. 11, pp. 68–75, Nov. 2011.
[22] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-physical system security for the electric power grid,” Proc. IEEE, vol. 100, no. 1, pp. 210–224, Jan. 2012.
[23] T. Zhang, Q. Wu, W. Liu, and L. Chen, “Homomorphism encryption algorithm for elementary operations over real number domain,” in Proc. Int. Conf. Cyber-Enabled Distrib. Comput. Knowl. Discov., pp. 166–169, 2012.
[24] J. C. Mason and D. C. Handscomb, Chebyshev Polynomials. Boca Raton, FL, USA: CRC Press, 2003.
[25] L. Zhang, “Cryptanalysis of the public key encryption based on multiple chaotic systems,” Chaos, Solitons Fractals, vol. 37, no. 3, pp. 669–674, 2008.
[26] M. Burrows, M. Abadi, and R. Needham, “A logic of authentication,” ACM Trans. Comput. Syst., vol. 8, no. 1, pp. 18–36, Feb. 1990.

Huansheng Ning received the BS degree from Anhui University and the PhD degree from Beihang University, in 1996 and 2001, respectively. He is a professor in the School of Computer and Communication Engineering, University of Science and Technology Beijing, China. His current research interests include internet of things, aviation security, electromagnetic sensing, and computing. He has published more than 50 papers in journals, international conferences/workshops. He is a senior member of the IEEE.

Hong Liu is currently working toward the PhD degree from the School of Electronic and Information Engineering, Beihang University, China. She focuses on the security and privacy issues in radio frequency identification, vehicle-to-grid (V2G) networks, and internet of things. Her research interests include authentication protocol design, and security formal modeling and analysis. She is a student member of the IEEE.

Laurence T. Yang received the BE degree in computer science from Tsinghua University, China, and the PhD degree in computer science from the University of Victoria, Canada. He is a professor in the School of Computer Science and Technology at the Huazhong University of Science and Technology, China, and in the Department of Computer Science, St. Francis Xavier University, Canada. His research interests include parallel and distributed computing, and embedded and ubiquitous/pervasive computing. His research is supported by the National Sciences and Engineering Research Council and the Canada Foundation for Innovation. He is a member of the IEEE.
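
The derivations of Theorems 1.1, 1.2 and 2 in Section 4.4 can be replayed mechanically. The Python checker below is an added example, not code from the paper: it forward-chains the rules RM1/RM3, RB4 and RF1 over P1.1, P1.2, P3.2, M1.5 and M2.2. The tuple encoding, the atom spellings (such as `p_jb_aj`), the folding of shared keys and shared secrets into one form, and the restriction of RF1 to composites the entity has received are assumptions made here.

```python
# Forward-chaining checker for the BAN rules applied in Section 4.4 (added example).
# Terms are nested tuples; atoms such as "p_jb" are plain strings (constructed names).
ALIAS = {"C_bj": "C_jb"}  # the proof's identity C_bj = C_jb
def believes(p, x): return ("believes", p, x)
def sees(p, x): return ("sees", p, x)
def said(q, x): return ("said", q, x)
def fresh(x): return ("fresh", x)
def conj(*xs): return ("conj",) + xs                       # (X, Y, ...)
def shared(y, p, q): return ("shared", ALIAS.get(y, y), frozenset((p, q)))
def wrapped(x, y): return ("wrapped", x, ALIAS.get(y, y))  # <X>_Y or {X}_K
def is_op(t, op): return isinstance(t, tuple) and t[0] == op

def step(facts):
    new = set()
    for f in facts:
        # RM1/RM3: P believes Q shares Y with P, P sees X under Y => P believes Q said X
        if is_op(f, "sees") and is_op(f[2], "wrapped"):
            p, (_, x, y) = f[1], f[2]
            for g in facts:
                if (is_op(g, "believes") and g[1] == p and is_op(g[2], "shared")
                        and g[2][1] == y and p in g[2][2]):
                    for q in g[2][2] - {p}:
                        new.add(believes(p, said(q, x)))
        # RB4: P believes Q said (X, Y) => P believes Q said X
        if is_op(f, "believes") and is_op(f[2], "said") and is_op(f[2][2], "conj"):
            for part in f[2][2][1:]:
                new.add(believes(f[1], said(f[2][1], part)))
        # RF1: P believes fresh(X) => P believes fresh((X, Y)) for received composites
        if is_op(f, "believes") and is_op(f[2], "fresh"):
            for g in facts:
                if (is_op(g, "sees") and g[1] == f[1] and is_op(g[2], "conj")
                        and f[2][1] in g[2][1:]):
                    new.add(believes(f[1], fresh(g[2])))
    return new - facts

def closure(facts):
    facts = set(facts)
    while (new := step(facts)):
        facts |= new
    return facts

V_SB = conj("p_jb_aj", "r_Tj", "r_Sb", "gid_Sb", "PID_Tj", "PID_Sb")
FACTS = {
    believes("Tj", shared("C_jb", "Tj", "Sb")),              # P1.1
    believes("Tj", fresh("r_Tj")),                            # part of P1.2
    believes("DCa", shared("k_a", "DCa", "iDC")),            # P3.2
    sees("Tj", wrapped(conj("r_Tj", "p_jb"), "C_bj")),       # M1.5
    sees("Tj", V_SB),                                         # M1.5
    sees("DCa", wrapped(conj("r_DCa", "PID_iDC"), "k_a")),   # M2.2
}
GOALS = {
    "G1.1": believes("Tj", said("Sb", "p_jb")),
    "G1.2": believes("Tj", fresh(V_SB)),
    "G2.1 (PID_iDC part)": believes("DCa", said("iDC", "PID_iDC")),
}
def check(facts):
    known = closure(facts)
    return {name: goal in known for name, goal in GOALS.items()}
```

Calling `check(FACTS)` reports every listed goal as derived; removing P1.1 or the freshness of `r_Tj` from `FACTS` makes G1.1 or G1.2 underivable, which shows which assumption each theorem rests on.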
