In recent years, the Internet of Things (IoT) has developed rapidly and gained attention both in academia and industry. By connecting sensors, tiny smart devices and everyday physical objects with the Internet, IoT provides a new form of communication for people and devices, which makes the virtual information world integrated seamlessly with the real world. IoT applications may involve environment monitoring, e-health, electric vehicle, and the smart house, in which appliances and services that provide notifications, security, energy-saving, automation, telecommunication, computers and entertainment are integrated into a single ecosystem with a shared user interface. IoT Devices are characterized by limited memory and storage capacity and low computational capability. For example, MSP430 16-bit MCU by Texas Instruments, which is used in many IoT applications such as wearable healthcare monitoring, has central processing unit (CPU) speed of 25 MHz, up to 512 KB flash memory, and 66 KB RAM. These limited resources impose constrains on the operations to be implemented by these devices. As many applications of IoT devices are related to daily life of a user, privacy and security aspects are very important. However, the nature of the complex and heterogeneous structure of IoT makes security issues very challenging. In addition, most nodes are resource-limited, as explained above, and therefore, necessitate lightweight IoT security mechanisms. In this context, lightweight means that the security solution features a much lower number of operations, lower number of communication times between parties, and a lower computation and communication overhead for both parties. These characteristics are particularly important when large number of messages are transmitted/exchanged in a short time interval. An illustrative example is a remote user accessing a particular node of the IoT. It is desirable to authenticate the user and allow the user to gather data from that node and/or send commands to that node.
An authentication mechanism is considered to be a central element in addressing the security issue in the above scenario. Authentication can prevent unauthorized users from gaining access to resources, prevent legitimate users from accessing resources in an unauthorized manner, and enable legitimate users to access resources in an authorized manner. Mutual authentication is also desirable since all parties should be sure of the legitimacies of all the entities involved.
There is a need for a lightweight authentication solution for secure transmission of consecutive messages in IoT. There are several security threats on IoT that the previous authentication solutions do not adequately address. In IoT, the possible communications are device to device, person to device and person to person giving connection between heterogeneous entities or networks.
Four categories of threats include:    T1. Man-in-the-Middle Attack: an active attacker can insert itself between the communicating parties, i.e. message sender (claimer) and message receiver (verifier), to gain access to the authentication protocol messages. Then the attacker can impersonate the verifier to the claimer while concurrently impersonating the claimer to the verifier. This may allow it to authenticate itself to both parties successfully.    T2. Eavesdropping attack: a passive attacker can listen to the communication channel in order to extract useful data from the information flow, i.e. secret keys.    T3. Denial of Service Attack: All the devices in IoT have limited computation and storage resources, thus they are vulnerable to resource exhaustion attack. Attackers can send messages or requests to specific device so as to consume their resources. For IoT, the attacker overwhelms the verifier with authentication requests.    T4. Replay Attack: an active attacker can capture authentication messages exchanged between a legitimate claimer and a verifier, and then replay them at a later time to be falsely authenticated as that claimer.
To establish an authenticated, secure, and continuous (time-bound) channel between two entities in IoT, it is desirable to meet the following security requirements:    S1. Message source authentication: The message receiver (verifier) should be able to authenticate the identity of the message sender (claimer), i.e. ensuring that the message was sent from the expected source. This addresses the Man-in-the-Middle attack T1.    S2. Continuous authentication: A secure transmission channel is to be set between both the communicating entities in a pre-determined time-frame. This allows performing the authentication handshake process conducted between entities only at the beginning of the communication session. Then, sender authentication is performed at any point in time during the communication session in a fast and efficient way, which is appealing in frequent message transmissions.    S3. Integrity of data ensures that the data has not been tampered with or changed while being transmitted over networks and stored by the entities.    S4. Confidentiality of the authentication key, i.e. the secret key S: Transmitting parts of the secret key, i.e. secret shares, should not reveal any information on the secret key itself.    S5. Access control: For this requirement, authentication plays a significant role in order to protect entities and resources against unauthorized access of internal and external entities. Fulfilling this requirement addresses the Denial-of-Service attack T3.    S7. Freshness: is to ensure that the claimer has just sent the message to the verifier for the first time, i.e. it was not replayed. Fulfilling this requirement protects the protocol against the Replay attack T4.
In addition to the security issues listed above, some functional characteristics are desirable to be fulfilled as well, including:    F1. Efficiency: the authentication solution should be lightweight taking into account the computation, storage, and power limitations of many of IoT devices.    F2. Scalability: The increasing number of entities in IoT application should be accommodated in the solution with minimum effort.
Therefore, there is a need in the industry to address one or more of the above mentioned shortcomings.