Journal of Network and Computer Applications 204 (2022) 103414

Contents lists available at ScienceDirect

Journal of Network and Computer Applications

journal homepage: www.elsevier.com/locate/jnca

Review

A comprehensive survey of authentication methods in Internet-of-Things and

its conjunctions
Ashish Kumar a , Rahul Saha a,b , Mauro Conti b , Gulshan Kumar a,b ,∗, William J. Buchanan c ,
Tai Hoon Kim d
a
School of Computer Science and Engineering, Lovely Professional University, Punjab, India
b Department of Mathematics, University of Padua, 35131 Padua, Italy
c School of Computing, Edinburgh Napier University, Edinburgh, United Kingdom
d Glocal Campus, Konkuk University, 268 Chungwon-daero Chungju-si Chungcheongbuk-do, 27478, South Korea

ARTICLE INFO ABSTRACT

Keywords: Internet of Thing (IoT) is one of the most influential technologies in the present time. People, processes,
Internet-of-Things and things are connected with the Internet through IoT. With the increasing demands of user applications,
Authentication the number of connections is also increasing exponentially. Therefore, security becomes a critical issue in
Security
IoTs. Confidentiality, Integrity, and Availability (CIA) services are important for IoT applications. IoTs must
Cryptography
also ensure proper authentication mechanisms to ensure CIA in the second stage. Various researches in this
Research problems
direction address the authentication issues in IoTs.
In this paper, we survey the authentication aspects in IoTs and their allied domains. We analyze the
potentialities of the existing state-of-the art-approaches and also identify their limitations. We discuss the basics
of authentication and its related attacks for the ease of interpretability of the readers. We show a taxonomical
understanding of the approaches and try to connect the evolution of the solution strategies. These connections,
to the best of our knowledge, are novel as compared to the existing authentication surveys. Besides, the
multidimensional vision of this survey for IoT extensions is an add-on to the benefits. We also provide a
discussion on the future direction of research in this domain. In a nutshell, this survey is a one-stop solution
for academia and industry to understand the status quo of IoT authentication schemes/protocols.

1. Introduction The features on which we must focus while providing security to

Internet-of-Thing (IoT) is defined as a network of physical devices
interconnected with each other to collect, exchange, analyze and con-
trol the data with the help of sensors, biometrics, RFID tags, actuators
and using communication technology such as 5G and ZigBee. IoT helps
to develop a smart process or application such as smart homes, smart
cities, and smart parking system (Ashton et al., 2009; Wang et al., 2013;
Arasteh et al., 2016b). The existing analysis predicts about the existence
of 50 billion device connections in present; it also infers the probability
of 75.44 billion device connections by 2025 (Newgenapps, 2018).
IoTs prevail in all around the world in the form of either business
applications or enterprise applications as processes are connected with
people and things. It provides various advantages by the utilization
of resources efficiently, minimizing the efforts of human intervention,
enhancing the process of data collection, and ease of analysis. However,
on the other side, it fails for efficiency in terms of security, privacy,
complexity, and compatibility with the increasing number of devices
and connections (E27, 2018).
IoT networks include authentication, encryption, access-control, and
availability of the data (Jing et al., 2014). Security must be focused
on the IoT design while the process or application is developed. IoT is
not a single technology; it is a combination of different technologies
connected to provide seamless services. There are many heteroge-
neous devices connected in an IoT-based application. It works with
a backbone architecture. This architecture has a significant role in
providing the overall benefits in IoT infrastructure. From a centralized
server in a private network to the cloud-based distributed networks,
all need authentication (Shah and Venkatesan, 2018). The layers in
the architecture and their functionalities are continuously evolving
with the dynamic demands of the technology trends. It is important
because at every level security is a concern and needs to be addressed
appropriately. Therefore, we need to understand the architecture of
IoT.

∗ Corresponding author at: School of Computer Science and Engineering, Lovely Professional University, Punjab, India.
E-mail address: gulshan3971@gmail.com (G. Kumar).

https://doi.org/10.1016/j.jnca.2022.103414
Received 19 September 2021; Received in revised form 15 March 2022; Accepted 28 April 2022
Available online 13 May 2022
1084-8045/© 2022 Elsevier Ltd. All rights reserved.
A. Kumar et al.
Fig. 1. Evolution of IoT functional layers in architecture.
1.1. IoT architecture
Various authors and researchers have introduced various architec-
tures of IoTs; mainly they emphasize on 3-layer architecture (Frustaci
et al., 2017) and 5-layer architecture (Virat et al., 2018). In general,
the basic architecture of IoT is classified into three layers: application
layer, network layer, and perception layer as shown in Fig. 1 (Frustaci
et al., 2017). This is the most contemporary and popular architecture of
IoT and has been accepted by the research fraternity (Adat and Gupta,
2018). We first show the 3-layered architecture and then discuss about
the extended layers for 5-layered architecture.
• Perception layer: In this layer, heterogeneous devices connect.
These devices include physical devices such as sensors, Radio
Frequency Identification (RFID) and bluetooth and virtual devices
such as barcode, Quick Response (QR) codes, and Global Position-
ing System (GPS). This layer collects data from an end node and
transmits to the network layer. The devices in this layer are often
considered as resource constrained.
• Network layer: It collects the data transmitted by the device/end
node of the perception layer and transfers it to the application
layer. The main responsibility of this layer is to provide the
connectivity to the devices which are added in perception layer.
It uses various technology such as 4G and Wi-Fi. It secures the in-
formation received from the perception layer from various attacks
with the applied security mechanisms.
• Application layer: In this layer, the end-users use the applications.
It provides the service as per the users’ needs; users can interact
with technology based on the end node’s function.
Apart from the 3-layered architecture, we also observe some inter-
mediate architectures; this leads to a 5-layered architecture of IoT (Vi-
rat et al., 2018). These extra layers are oriented to the processing
of data collected from the perception layer and system management
perspectives. We show this transition in Fig. 1. It shows a sequence of
elements important for IoT architectural designs: identification, sens-
ing, communication, computation, services, and semantics. We can
understand that identification is the very first process in IoTs. There-
fore, identification of the devices in perception layer i.e., authentication
and its verification make a significant importance in IoT applications.
1.2. Motivation and contribution
IoT is one of the largest emphasizing dimension in the present world
of technology. It extends its application feasibilities towards industries,
vehicular networks, and medical alliances. Each of these application
2
Journal of Network and Computer Applications 204 (2022) 103414
domain customizes the basic authentication protocols for the respec-
tive domain requirements. As a result, the existing literature shows a
number of developments in the direction of IoT authentication. The
comprehensive summarization based on IoT applications is unavailable
in the literature. This survey is beneficial for IoT architecture designers
to understand the authentication status of IoTs and its allied domains
and select/design an appropriate solution of authentication. It also
provides a pathway to conceptualize the existing research gaps and
thus, moving towards to strengthen the IoT authentication. The major
contribution of this survey are as follows.
• We provide preliminary understanding of authentication in IoT
architectures and security perspectives of IoTs. This is helpful for
the novice readers to connect the methods with the basics of IoT
security.
• We show the evolution of the authentication solutions for IoTs to
understand the scope of the methods in future applications. We
analyze the state-of-the-art authentication schemes based on their
features, pros, and limitations. We consider the medical domains,
industrial applications, vehicular networks as the allied parts of
IoTs and also analyze their authentication methods.
• We derive the open research problems for the future researchers.
This is helpful in defining future research problems and obtaining
the solutions for a stronger IoT applicability.
1.3. Organization
In this present work, we emphasize on the perception layer and
its related authentication problems and solutions. As the perception
layer is the base layer where we add devices, it is more critical to
maintain the device’s security with a huge number of connections. We
classify the remaining part of this survey into the following sections.
Section 2 describes the objectives of IoT security, premium security
attacks in IoTs, and basic security measures. Section 3 reviews the
existing authentication protocols for Wireless Sensor Networks (WSNs)
and the evolution of these solutions. Section 4 shows authentication
protocols designed for Industrial IoTs. Section 5 shows the contem-
porary authentication approaches in IoT-based medical applications.
Section 6 reports the authentication schemes for vehicular ad hoc net-
works. Section 7 shows some significant contributions for generalized
applications of authentication schemes. Section 8 provides an analysis
of the review to summarize the total research works executed in this
domain of authentication and notifies some open research problems for
future researchers. Section 9 concludes the paper. We show the layout
of sections of the paper in Fig. 2.
A. Kumar et al.
Fig. 2. Layout of paper organization.
Fig. 3. Classification of authentication attacks.
2. IoT security perspectives
In networking, security is the property by which the network is
prevented or protected from unauthorized access, misuse, modification
of data or any other form of maliciousness (Brij B. Gupta, 2020).
Security can be a form of the rules, policies or configuration of tech-
nology designed to protect confidentiality, integrity, availability of
network (Singh et al., 2018; Stergiou et al., 2018). For being efficient,
IoTs also follow the security objectives. We discuss about the security
attacks applicable for IoTs and map them with the security objectives
under concern. We try to connect the generalized security features for
IoT authentication (Brij B. Gupta, 2020).
2.1. Security objectives
From an information security perspective, confidentiality–integrity–
availability is jointly known as CIA security model or CIA triad.
Confidentiality. The heterogeneous devices added in perception layer
consist of heterogeneous data. As this data propagates from devices
towards clouds through various layers, IoTs objectify to ensure that no
unauthorized third party gets access to these data.
Integrity. Integrity objectifies to the feature of security that the sender
and receiver having the same data sent and received respectively
without any intermediate unauthorized modification.
3
Journal of Network and Computer Applications 204 (2022) 103414
Availability. It ensures that the authorized devices in an IoT network
must get access to the data intended as per the security principles and
access controls.
From the above definitions, we can observe that in all the three as-
pects of CIA, it is necessary to distinguish authorized and unauthorized
users or nodes or devices. Therefore, we emphasize on authentication
in this survey. Apart from these, some other requirements are also
considered for IoTs: privacy, data separation, authorization and access
control, consistency, and trust; however, these requirements are out
of scope in our survey. Information assurance foundation balances
among these requirements and IoT processes. The overall mechanism
is controlled by security policies and finally, security assessment is
executed on the model.
2.2. Attacks on IoTs
IoT networks depend on heterogeneous devices and their related
connections. There is a prime possibility that these devices have some
inbuilt vulnerabilities which may affect the total network implicitly.
Moreover, using these devices’ data third party attackers are also able
to enter the IoT ecosystem camouflaging the identity or bypassing the
required checks. There are various types of attacks exist which often
affect IoT perception layer (Tewari and Gupta, 2020). Along with the
inherited security vulnerabilities and problems in wireless architecture,
various types of intrinsic and extrinsic security attacks are also possible
in IoT. Fig. 3 shows a categorization of such attacks. The basic two
categories are: active and passive.
A. Kumar et al.
Active attack. (Butani et al., 2014): An active attack is a malicious
act in which attackers alter the content of the information during the
transmission from the sender to the receiver. The examples include
Denial-of-Service (DoS), Man-In-Middle (MiM), brute force, etc.
Passive attack. (Butani et al., 2014): A passive attack is a malicious
act in which the attacker monitors the content of the information
during the communication between the sender and receiver. They
do not alter any data and tries to analyze traffic pattern to create
a specific attack vector in later stage. Passive MiM such as traffic
monitoring, information gathering are the examples of passive attack
in IoT network.
The main objective of an active attack is to modify the data or
the network parameters and disrupting the Quality-of-Service (QoS);
whereas, the passive attacks concentrate on footprinting the network
information and traffic analysis. Therefore, passive attacks are harder
for detection. Some important attacks for IoTs are listed below. We
show the classification of these attacks in Fig. 3.
Denial of Service (DoS) attack. (Liang et al., 2016): The attacker sends
an unwanted number of requests to a target host/server and the server
stops responding to the devices connected to it and all the resources are
exhausted. As a result, services get unavailable. In view of authentica-
tion, an unauthenticated node can attempt to disrupt the authentication
engine by sending the unwanted connection request and eventually
bypassing the security measures.
Impersonation attack. (Katz et al., 1996): Attacker uses the identity at
either end. It can use the identity of an authenticated end-user or the
end node. This identity helps the attackers to enter the network and
breach the security vulnerability further.
Replay attack. (Feng et al., 2017): Attacker creates a delay or repetition
of data transmission due to which source/destination must re-transmit
the packets accordingly. If authentication fails in IoTs, unauthenticated
nodes attempts for such attacks.
Smart-card stolen attack. (Lee, 2013): In this type of attack, when the
attacker gets any user’s lost/stolen smart card it uses that card for the
various unauthorized access in the network. It can launch various other
types of attacks such as offline data guessing attack.
Man-in-the-Middle attack (MiM). (Lin et al., 2017): The attacker puts
itself in the middle of the source and destination; it attempts to change
the message of the communication. Though this is the active version
of MiM, it can be also in the passive form where it only tries to infer
knowledge about the traffic pattern. Generally, a poor authentication
system leads to be vulnerable to this attack.
Eavesdropping and interference. (Lin et al., 2017; Yang et al., 2014): In
IoT, all the communication use wireless connection. So, the attacker
easily monitors the network and are not able to be detected by the
system. This is also a type of passive attacks and connected with MiM.
Key-based attack. (Lin et al., 2017; Yang et al., 2014): Attacker ob-
serves the ciphertext by using a random combination of the key used
for encryption or authentication. At the initial stage of the attack, key
is unknown but the attacker infers mathematical relationship between
the keys. Side Channel Attack (SCA) based on different parameters
such as power consumption, timing, cache, etc, also leads to infer
the statistical relationship between available data and assumed data.
This vulnerable keys further help the attackers for misleading the
authentication systems.
Node capture attack. (Lin et al., 2017; Yang et al., 2014): Attacker
captures the node or attacker replaces the original node with its del-
egated node with falsified authentication credentials. By doing this
attacker gets control on the devices and has access to the confidential
information like cryptographic keys leading to break the security of IoT
infrastructure.
4
Journal of Network and Computer Applications 204 (2022) 103414
Cloning attack. (Tuyls and Batina, 2006): The attacker makes a dupli-
cate/fake node with false identity and tries to get access in the network
as an authorized node with some harmful intention in disguise.
Brute-force attack. (Yang and Hu, 2012): Attacker tries all the possible
combination to get the authentication key, user login information and
any type of data which is helpful to bypass or get access to the authenti-
cation system. This type of attack is very powerful but time-consuming
attack; it can be done online as well as offline mode.
Tracking attack. (Lee et al., 2008): Attacker can trace the node and
execute the reconnaissance of the node’s information. This attack can
be like location tracking, authentication credential tracking and others.
Masquerade attack. (Liao and Hsiao, 2014): In this attack, the attacker
uses fake identity to get unauthorized access to the network using
permissible access identification. Once the access is granted, attacker
exploits the system for further attack generation process.
Message modification attack. (Jahankhani and Hosseinian-far, 2014):
Attacker gains unauthorized access into the network and changes or
modifies the data to affect the integrity of the information available in
the network.
De-synchronization attack. (Dass and Om, 2016): Attacker modifies the
message due to which some of the entities are updated asynchronously.
As a result, authentication in the network is no more valid and the
attacker can exploit the system.
Wormhole attack. (Hu et al., 2006): In this type of attack, many attack-
ers connect with a high-speed off-channel link. They receive several bits
of data at one end in the network and drill them to a different point in
that network and from that point, they replay into the network.
2.3. Security features
The basic problem in network security infrastructure is to gain
unauthorized access to the network resources in disguise directly or
indirectly. Therefore, to avoid the above security problems, strong
authentication mechanisms are required for IoTs. These mechanisms
should possess some basic features for the standard applicability.
Key agreement. (Wu et al., 2009): Sender and receiver use the keys
for signatures. These signatures depend on public-key cryptography.
Therefore, key agreement between sender and receiver must be strong
enough so that an unauthorized user cannot access the keys.
Mutual authentication. (Hammi et al., 2017): It is a two-way authenti-
cation, where both the communication parties authenticate each other
within the network. It helps in non-repudiation and authorized account-
ability.
Backward secrecy. (Quora, 2015): It ensures that a passive attacker
who knows a subset of group keys is unable to infer knowledge about
the preceding group keys. The correlation among the subsets must be
randomized enough that backward secrecy is maintained properly.
Forward secrecy. (Katz et al., 1996): It is a feature of a specific key
agreement protocol. If secrets of session key is compromised, forward
secrecy maintains the security of the overall session keys.
Anonymity. (Eklund, 2006): It is not a compulsory feature for au-
thentication system. However, connected with the nodes’ identities, an
authentication system should not reveal the private information of the
nodes or users. A complete privacy-preserved authentication system
must encourage anonymity of the users. Though there are other forms
of privacy parameters exist too. Mutual authentication, where both the
parties require to prove the individual identities, primarily urges for
anonymity.
When we talk about IoTs, the very first sub-domain that comes
in existence for the applications is Wireless Sensor Networks (WSNs).
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Apart from this, Industrial IoTs (IIoTs) and Vehicular Adhoc Networks
(VANETs) are also the extensions of IoTs and use the generic au-
thentication systems in majority. Internet of Medical Thing (IoMT)
is another addition in the direction of IoT, where medical devices
connect with the Internet and process human health data and calculate
the required parameters and analyze them. In each of the domains
mentioned above, security is an utmost things for its success. All such
domains are previously controlled with manual operations. With the
advent of IoT, manual operations have become ‘‘online’’ and things
become smarter and more efficient. The distributed technologies also
enhance the IoT operations paving the way towards decentralization
with blockhains. This proliferation of IoTs also opens up huge attack
surface. Thus, security concerns increase from pre-IoT to post-IoT time.
In the following sections, we try to analyze all the specific application-
based domains to obtain a clear understanding about the status of the
state-of-the-art approaches. We also discuss about the authentication
measures that are not specific for any application domain, rather those
authentications can be applied for any domain. Fig. 4. Evolution of TESLA.

3. WSN-based authentication protocols

In this section, we concentrate on the authentication protocols that

majorly contributes in WSN maintaining the WSN objectives. We also
show the evolution of the methods and try to build the connection
among them.

3.1. TESLA

An authentication protocol for WSN called Time Efficient Stream

Loss-Tolerant Authentication (TESLA) is noteworthy here (Perrig et al.,
2000). It is a forward authentication protocol used for WSNs. It uses
a private key cryptographic scheme and the key is based on pseudo-
random function and Message Authentication Code (MAC). Various
features of TESLA include low computation and communication over-
head, no buffering at the sender side and high authenticity. Researchers
extend TESLA to 𝜇TESLA (Perrig et al., 2002). It is more effective
for a resource-constrained network. Due to these limited resources,
generic authentication process with a digital signature (DS) is not used
here. In place of DS at receiver end the comparison is done on unicast
initial key. We observe an advanced version of 𝜇TESLA as multi-level
𝜇TESLA (Liu and Ning, 2004). The motive for this protocol is to in-
crease the authentication of key chaining and decrease the complexity
of key chaining. Regular Predictable TESLA (RPT) is another version
of 𝜇TESLA (Luk et al., 2006). At the receiver end, it uses MAC for
authentication purpose. It fails to protect the network from DoS attacks.
Therefore, a version of 𝜇TESLA protocol is introduced called Long
Duration 𝜇TESLA (Liu et al., 2012). The main purpose of this protocol
is to increase the level of Key-Chaining (KC) in 𝜇TESLA. It replaces
the one-way key-chaining with multi-level key-chaining to overcome
against DoS attack. We show the evolution of TESLA features in Fig. 4.
3.2. Bins and Balls signature (BiBa)
The objective to provide better authentication in WSN has led to the
introduction of a protocol called Bins and Balls signature (BiBa) (Perrig,
2001). It is a one-time signature scheme. It emphasizes on the Birthday
paradox to attain efficiency and security during the authentication
process. The very first step in BiBa tells about the end device that
must generate self-authentication value (SEAL) with the help of the
one-way chain. It uses multiple SEAL for the authentication but has
failed to broadcast authentication. Signature size can be increased to
provide efficiency to the protocol. To overcome this problem a protocol
is introduced called HORS based on BiBa (Reyzin and Reyzin, 2002).
This protocol reduces the signature size, but the size of the public
key becomes large. HORS++ attempts to solve the problems faced in
HORS (Pieprzyk et al., 2003). The problem lies with the increasing
Fig. 5. Evolution of BiBa.
size of the message where HORS++ is unable to provide security to
the signature. To reduce the size of the public key in HORS, HORSIC
protocol has been developed (Lee et al., 2012). It is successful to
reduce the size of the public key but on the other side, computation
cost, signature generation and verification cost increase. Therefore, a
solution based on BiBa is introduced as PORS (Endignoux, 2017). It
follows HORS but eliminates the problems in HORSIC. We show the
evolution of BiBa in Fig. 5.
3.3. LEAP+
We observe a multi-level key management protocol called Localized
Encryption and Authentication protocol (LEAP+) (Zhu et al., 2006).
The calculation of a master key is crucial and considered at the top level
of the system with the utmost security. With the help of this master
key, all the other keys in the communication are computed. After the
node enters the network, LEAP+ removes this key. The main loophole
of LEAP+ is that if the attacker comes to know the master key, then
it can harm the network in every mean. To overcome this problem an
enhancement of LEAP+ is followed as Time-Based LEAP+ (Jang et al.,
2007). According to this protocol whenever a new end node becomes
the part of a network, it is distinguished into separate intervals. Every
interval has a different master key. As a result, if the attacker obtains
the master key, it is not possible to affect the entire network. There is
some advanced extension of LEAP+. Improved LEAP+ and LEAP-Initial
Protection (LEAP-IP) for reducing the computation and communication
overhead are worth mentioning here (Alsoufi et al., 2012; Yang et al.,
2014; Nesteruk and Bezzateev, 2018). LEAP-IP is different from other
LEAP based protocols due to its non-hierarchical nature of key genera-
tion. It decreases the complexity of the generic LEAP+ and makes the

5
A. Kumar et al.
Fig. 6. Evolution of LEAP.
communication simpler among the end nodes. We show the evolution
of LEAP and its variants in Fig. 6.
3.4. Other contributions for WSNs
Apart from the above three major evolution of methods, we have ob-
served some significant contributions of the researchers for authentica-
tion in WSNs. We have analyzed the approaches to identify the advan-
tages and disadvantages from application perspectives. We summarize
the methods in Table 1.
Smart card based protocols for WSNs. A smartcard-based security en-
hancement in WSN is introduced in Song (2010). The five phases of
this protocol includes initial phase, registration phase, login phase,
authentication phase and verification phase. It provides security from
various attacks such as a general online attack, impersonation attack,
replay attack, modification attack and parallel attack. Another such
protocol uses two phases for providing authenticity to WSN (Vaidya
et al., 2010). The protocol is unable to change or modify the password
and there is no mutual authentication among the nodes. Therefore,
various attacks are still possible. To overcome the security issues like
node by-passing attack and privileged-insider attack, a protocol exists
as mentioned in Khan and Alghathbar (2010).
Lightweight protocols for WSNs. The development of lightweight pro-
tocols also enhances the authentication in WSNs. Such a lightweight
mutual authentication protocol uses temporal-credential (Xue et al.,
2013). It has a three-phase authentication process i.e., registration,
login, and authentication along with the agreement of key. It provides
security from insider-attack, masquerade attack, smart-card stolen at-
tack, replay attack, and GWN replacing attack. It also has the feature of
securing the password of the user/client and modification of password.
We have checked another standardized protocol for WSNs (Kalra and
Sood, 2015a). It is a mutual authentication protocol based on dynamic
identity authentication. This protocol is executed in four different
phases: authentication and registration phase, login phase, authenti-
cation, and session key agreement phase and updates with password
change phase. It provides security from impersonation attack, smart-
card stolen attack, DoS attack, online and offline dictionary attack,
replay attack, modification of message attack, and protects the identity
of client/user.
ECC-based protocols for WSNs. Elliptic Curve Cryptography (ECC)-
based authentication protocols are worth mentioning here. Such an
example is Yeh et al. (2011). It works with five phases authentication
phase: registration phase, login phase, verification phase, and password
updating or modification phase. It provides security from insider attack,
masquerade attack, replay attack, forgery attack, change password
securely and brute force attack. The mutual authentication protocol
in Li et al. (2017) is based on ECC and biometric authentication for
6
Journal of Network and Computer Applications 204 (2022) 103414
WSN. It is a 3-phase authentication protocol that includes a registra-
tion phase (sensor registration and user registration), authentication
and agreement of key phase and changing of password phase. It
provides security from device lost attack, end node sensor attack, de-
synchronization attack, impersonation attack and replay attack. It has
some advantageous security features like untraceability of the node,
bi-directional authentication and key security, forward and backward
secrecy. The problem is that it does not provide a bio-metric updating
process. A lightweight mutual authentication protocol uses asymmetric
key cryptography which is commonly used for a different type of adhoc
WSN in IoTs (Turkanović et al., 2014). This scheme works in four way
authentication mode. The user logs in before the authentication of the
node. Once the login of the user is successful then the authentication
of the user is done in the last phase. This scheme provides low
computational cost and have an additional feature of dynamic node
addition. The scheme provides security from password-change attack,
repetition of different users with the same login-ID, stolen-smart card
and smart-card bleach attack, replay attack and MiM attack. Some
security problems in this work are identified as shown in Farash et al.
(2016). It shows an improved version of Turkanović et al. (2014).
In Amin et al. (2016), the authors identify some attacks in Farash
et al. (2016). They also provide a solution using smart-card based user
authentication and session key agreement. In Arasteh et al. (2016a), the
authors have proposed a lightweight mutual authentication protocol
based on Amin et al. (2016). It is a 3-phase authentication protocol
with the registration of sensor node and user, login phase and finally
authentication phase. It not only provides security from replay and DoS
attacks, but also handles traceability attack, impersonation attack (sen-
sor, gateway and node). In an improvement of Arasteh et al. (2016a),
the solution changes the session key agreement and authentication
phases (Fan and Niu, 2017).
4. IIoT authentication protocols
Industrial IoTs (IIoTs) are the extended version of IoT applications
which have revolutionized the industries. Using IoT as backbone, IIoTs
perform tasks with various sensor-based devices and equipment, and
control the operation locally or remotely. In both the cases, IIoTs
require to use proper authentication system to verify the device status;
any malicious device eventually can completely shut down with remote
attacks. Thus, IIoTs may face loss of resources and reputation. There-
fore, in this section we discuss contribution of the researchers towards
the authentication solutions explicitly for IIoTs. We also summarize the
pros and cons of the solutions in Table 2.
4.1. Authentication with three to five phases
The work proposed in Xiong et al. (2020) is a three-phase mutual
authentication protocol. These phases are initialization, registration,
and authentication phase. It provides various security features such as
user anonymity, perfect forward secrecy, non-reputation, and hetero-
geneity. It provides security from modification attack, replay attack,
and impersonation attack. The work done in Gu et al. (2020) is a
Physical Layer Authentication (PLA) mechanism for IIoT-based net-
work. This scheme helps to solve the power allocation problem. This
protocol helps in increasing the system reliability by decreasing the
impact on fading. The protocol provides security from jamming attack.
The protocol proposed in Shen et al. (2020) is based on blockchain
called as the BASA. BASA provides efficient communication but on the
cost of high communication overhead. The protocol proposed in Es-
fahani et al. (2019) is a lightweight two-phase mutual authentication
protocol. The first phase is registration phase and the second phase is
authentication phase. This scheme has low communication as well as
computational overhead. It provides various security features such as
key agreement and confidentiality. It also helps to secure the network
from various attacks such as replay attack, MiM attack, impersonation
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 1
Pros and cons for WSN authentication.
Reference Pros Cons
Song (2010) 5 phases, strong security Complexity high for WSNs
Vaidya et al. (2010) 2 phase, less complex No mutual authentication, no password update, prone
to cryptanalysis
Khan and Alghathbar (2010) Strong security, mutual authentication 2 factor authentication is cryptanalyzed
Xue et al. (2013) 3 phase, use of temporal credential, strong security, Centralized GWN is prone to failure and availability
light weight attacks
Kalra and Sood (2015a) 4 phase, Use of dynamic identity Random oracle must be tested
Yeh et al. (2011) 5 phase, complexity is higher WSNs applicability reduces with increased number of
nodes
Li et al. (2017) Combination of ECC and biometric, high measurement No biometric update, false-rate increases with stale
of security biometric
Turkanović et al. (2014) Lightweight and mutual authentication Storage cost higher
Farash et al. (2016) lightweight, supports dynamic growth of WSNs Storage cost is low
without performance degradation
Amin et al. (2016) Identity change, smart card revocation phase Computation cost and time consumption should be
minimized, replay and DoS attack vulnerability
Arasteh et al. (2016a) Key agreement protocol, more secure than Amin et al. GWN authentication required
(2016)
Fan and Niu (2017) Improvement over Arasteh et al. (2016a) Complexity analysis must be validated properly

Table 2
Pros and cons for IIoT authentication.
Reference Pros Cons
Xiong et al. (2020) Mutual authentication, 3 phase, heterogeneity Less security, no key agreement, high communication
and computational cost
Gu et al. (2020) PLA mechanism, jamming attack, power Less secure, no mutual authentication, no key
authentication problem, system reliability agreement, no security from major attacks
Shen et al. (2020) Mutual authentication, blockchain usage, key Less secure, high communication overhead
agreement, efficient communication
Esfahani et al. (2019) Mutual authentication, 2 phase, lightweight, key High storage overhead
agreement, security from attacks
Rezaeibagha et al. (2019) Lightweight, certificateless signature, chosen-message Less secure
attack, computationally efficient
Castiglione et al. (2021) Edge–fog–cloud architecture, capture dynamic facial No mutual authentication, no key agreement, less
patter, presentation attack secure
Abuhasel and Khan (2020) 4-layer architecture, less energy consumption No mutual authentication, less secure
Paliwal (2019) 3 phase, mutual authentication, key agreement, highly High execution cost, high communication cost
secure
Verma et al. (2020) 7 phase, strong unforgeability, verifiability, strong Less secure, no mutual authentication
identifiability
Li and Wang (2019) Honeywords technique, 6 phase, high security, mutual High communication and computational overhead
authentication, key agreement
Shuai et al. (2020) Rabin cryptosystem, 5 phase, mutual authentication, High computational, High communication overhead
key agreement, anonymity, Untraceability, forward
secrecy, low storage cost
Zhu et al. (2019) PPAG, 7-phases, leakage free, tree, DAG, updatable Probabilistic, inefficient

attack, and modification attack. However, storage overhead is more
as compared to another lightweight authentication scheme. The work
done in Rezaeibagha et al. (2019) is a lightweight CertificateLess Signa-
ture (CLS) scheme which is suitable for IIoT based network. It secures
the network form chosen-message attack. This scheme is computa-
tionally efficient. Another lightweight scheme is available in Paliwal
(2019). It has three phases. The first phase is registration phase, au-
thentication and key agreement phase, and finally, it has password
change phase. It provides security from various attacks such as re-
play attack, DoS attack, impersonation attack, MiM attack, privileged
insider attack, stolen card/device attack. It provides various security
features such as anonymity, unlinkability, and forward secrecy. The
execution cost is low; however, communication cost is high as compare
to other schemes. The authors in Abuhasel and Khan (2020) show
an approach based on SoftMax-DNN (Bridle, 1990) and the RSA im-
proved version. It has 4-layer architecture IIoT sensing layer, gateway
layer, for services layer and finally the cloud layer. Registration is
done at very first layer and authentication is being done at the cloud
layer. This framework helps to reduce the energy consumption. The
work done in Shuai et al. (2020) is a secure authentication scheme
based on the Rabin cryptosystem (Jiang et al., 2017). This scheme
is a five-phase mutual authentication scheme: initialization, registra-
tion, login, and authentication, password change and dynamic node
addition phase. It provides various security features such as key agree-
ment, anonymity and untraceability, and forward secrecy. It provides
security from various network-based attacks such as replay attack,
impersonation attack, stolen device attack, privileged insider attack,
and de-synchronization attack. However, it has higher computational
and communication overhead.

7
A. Kumar et al.
4.2. Authentication with more than five phases
The work proposed in Castiglione et al. (2021) is based on edge–
fog–cloud based authentication scheme. It is capturing the dynamic
facial pattern from the edge of the IoT based device. This scheme
helps to improve the robustness of the presentation attack. The work
proposed in Verma et al. (2020) is a certificate based proxy signature
(PFCBPS) has seven phases: parameter generation, key generation,
certification, delegation, DelVerification, ProxySigning, and PSignVeri-
fication. It provides various security features such as strong unforge-
ability, verifiability, strong identifiability, prevention of misuse, and
strong undeniability. Also, it helps to secure the network form MiM
attack. The authentication protocol proposed for IIoT based network
in Li and Wang (2019) is a six-phase authentication scheme: pre-
deployment, registration, login, authentication, password change, and
dynamic node addition phase. It uses honeywords technique for pro-
viding the security. It helps to secure the network from node capture
attack, impersonation attack, replay attack and DoS attack. It helps
to provide various security features such as user anonymity, mutual
authentication, password protection, session key secrecy. High com-
munication and computational overhead are the drawbacks of this
approach. The authentication scheme proposed in Zhu et al. (2019) is
privacy preserving authentication for general directed graphs (PPAG).
It is a seven-phase authentication protocol. It provides security features
such as unforgeability, leakage free. It also uses tree, DAG, directed
cyclic graph data structure and has the property of update.
5. IoMT authentication protocols
Internet-of-Medical Things (IoMTs) and other e-healthcare infras-
tructure use IoT as their baseline. Therefore, it is also necessary to
understand the status of authentication in this domain as IoMTs are
closely connected with IoTs.
5.1. Three-phased authentication schemes
The work in Aghili et al. (2019) shows the use of lightweight
authentication protocol for e-medical system. It consists of three factors
i.e., authentication of user, access control and changing the ownership
and this protocol is called as Light-weight three-factor authentication,
Access Control and Ownership transfer scheme (LACO). The work
done in Ayub et al. (2020) is a three-phase lightweight authentication
protocol. These phases are registration phase, login and authentication
phase, and password modification phase. There is various security
analysis has been done such as informal and formal security analysis. It
provides various security features such as mutual authentication, server
impersonation, user impersonation, no violation of user anonymity,
stolen smart card attack, stolen verifier and privileged insider attack,
and no clock synchronization. It has low storage cost and less compu-
tational cost. However, the method fails to reduce the communication
cost and to provide security features such as key agreement. The work
proposed in Odelu et al. (2019) is a three-phase mutual authentication
protocol. These phases are initialization phase, registration phase, and
finally authentication and key establishment phase. It provides various
security features such as key agreement, credential privacy, anonymity,
forward secrecy, unlinkability and non-traceability, non-repudiation,
and no key escrow. It helps to secure the network from impersonation
attack.
5.2. More than three phases of authentication
The protocol proposed in Deebak and Al-Turjman (2021) is a single
user single sign-in (S-USI) scheme. It is a five-phased mutual au-
thentication protocol and provides various security features such as
key agreement, user anonymity, identity protection, traceability, se-
cret key update, free password selection, and strong forward secrecy.
8
Journal of Network and Computer Applications 204 (2022) 103414
It also helps to protect from various attacks such as replay attack,
DoS attack, privileged-insider attack, eavesdropping attack, masquer-
ade attack, offline password guessing attack, impersonation attack,
server-spoofing attack. It has low communication cost. BAKMP-IoMT is
an eight-phase mutual authentication protocol based on the blockchain
technique (Garg et al., 2020). This scheme helps secures the network
from various attacks such as replay attack, MiM attack, imperson-
ation attack, ephemeral secret leakage attack, privileged insider at-
tack, device capture attack, and data modification attack. It provides
anonymity and untraceability properties. It fails in computational and
communication costs as compare with Deebak and Al-Turjman (2021).
The authors in Fotouhi et al. (2020) proposes a lightweight and two-
factor authentication to meet various security requirements. It is a
4-phase authentication scheme: initialization, registration phase, au-
thentication, and password change phase. It provides various security
features such as mutual authentication, forward secrecy, anonymity
and untraceability. It secures the network from insider attack, offline
guessing attack, user forgery attack, sensor capture attack, gateway
forgery attack, and key disclosure attacks. However, the storage cost
is more for the proposed work. The work done in Soni et al. (2019) is a
wireless sensor based mutual authentication protocol for health care. It
is an eight-phase authentication scheme these phases are initialization
phase, sensor node registration phase, user registration phase, login
phase, authentication phase, user revocation and re-registration phase
and dynamic sensor node addition phase. It provides security from
insider attack, DoS attack, replay attack, MiM attack, offline identity
and password guessing attack, known session temporary information
attack, smartcard stolen attack, node capture attack, message modifica-
tion attack. It ensures forward secrecy and user anonymity. However,
it has high communication cost.
5.3. Other schemes in IoMT
The work in Almogren et al. (2021) is a fuzzy logic-based mutual au-
thentication protocol. The protocol is free from sybil attack. However,
the computation overhead is high. SAMS, a Seamless and Authorised
Multimedia Streaming framework is also noteworth here (Jan et al.,
2019). It is a two-way authentication scheme and helps to secure the
network from various attacks such as replay attack, DoS attack, Sybil
attack, eavesdropping attack and insider attack. However, it has high
communication and computational overhead. Secure Vector Machine
(SVM) authentication protocol proposed in Mawgoud et al. (2019) is
based on machine learning technique. It is a two-phase authentication
scheme such as key generation and the authentication phase. The
computing overhead is better than PUF protocol. However, the crypto-
graphic security is not measured in this protocol. The protocol proposed
in Huang et al. (2019) is a privacy preserving authentication based on
ECG signal. In this scheme, user is able to authenticate using its ECG
signals. It provides reliable authentication and indistinguishability. This
scheme is tested on both online database as well as real time data.
However, it fails to protect the network from various other attacks such
as replay attack, DoS attack, privileged-insider attack, eavesdropping
attack, masquerade attack, offline password guessing attack, imperson-
ation attack, etc. The protocol proposed in Lu et al. (2021), named
as xTSeH, works with three different protocols to achieve integrity,
verification, and inter-SED authentication. These protocols are trusted
booting, remote verification, and node authentication protocol. In node
authentication protocol it uses four different phases such as creating
new request, verification, authentication, and the session key distribu-
tion. The communication cost for the node authentication protocol is
more as compared to Garg et al. (2020) and Deebak and Al-Turjman
(2021). The authentication protocol proposed in Hamadaqa and Adi
(2020) is based on Secret Unknown Cipher (SUC). This protocol helps to
secure the network form various attacks such as eavesdropping attack,
replay attack, impersonation attack, and MiM attack. However, this
protocol fails at various security features such as key agreement and
mutual authentication (see Table 3).
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 3
Pros and cons for IoMT authentication.
Reference Pros Cons
Aghili et al. (2019) Mutual authentication, 5 phase, strong security High communication overhead
Deebak and Al-Turjman (2021) Mutual authentication, 5 phase, strong security, low High computational overhead
communication overhead
Garg et al. (2020) Uses Blockchain technique, 8 phases, strong security High communication and computational overhead,
high storage cost
Almogren et al. (2021) Fuzzy logic, mutual authentication, sybil attack High computational over
Jan et al. (2019) 2-way authentication, multi-media streaming No mutual authentication, no key agreement, high
framework, low storage cost communication and computational overhead
Mawgoud et al. (2019) 2 phase, key agreement, authentication, uses ML No cryptographic security
technique
Huang et al. (2019) ECG signal, authentication and in-distinguish-ability No security from attacks, no key agreement
Lu et al. (2021) Integrity, verification, inter-SED authentication, 4 High communication overhead, no security from
phase attacks
Hamadaqa and Adi (2020) Secure from attacks: eavesdropping, replay, No mutual authentication, no key agreement
impersonation and MiM
Fotouhi et al. (2020) Lightweight, mutual authentication, 4 phase, strong High storage cost, high communication cost
security, forward secrecy, anonymity and
untraceability
Soni et al. (2019) Mutual authentication, 8 phase, strong security, High communication cost
forward secrecy, user anonymity
Ayub et al. (2020) Lightweight, 3 phases, mutual authentication, formal No key agreement, high communication cost
and informal security analyses, low computational
cost, low storage cost
Odelu et al. (2019) Mutual authentication, 3 phase, key agreement, High communication overhead, high storage overhead
credential privacy, anonymity, forward secrecy,
unlikability, non-traceability, non-repudiation, no key
escrow

6. VANET authentication protocols
Vehicular Adhoc Networks (VANETs) are changing the status of
vehicular network and advancing with smart features. VANETs fol-
low the communication process based on IoT backbone. Therefore,
it is necessary to discuss the authentication schemes for VANETs. In
this section, we show the features of some important contribution in
VANET authentication services and also analyze their advantages and
disadvantages.
The protocol proposed in Li et al. (2019) is a privacy preserving
authentication protocol. The has six phases to properly authenticate
the device or the user. These phases are system initialization phase,
user and RSU registration phase, key distribution phase, message gen-
eration phase, message authentication and vehicle password change
phase. It provides various security features such as integrity, privacy-
preservation, conditional privacy, and unlinkability. It provides secu-
rity from various attacks such as replay, forgery, modification. The
work in Alfadhli et al. (2020) is a five-phase authentication scheme.
These phases include vehicle setup phase, vehicle-to-infrastructure mu-
tual authentication phase, beacons exchange phase, vehicle revocation,
and finally the regional key updation phase. It provides various se-
curity features such as mutual authentication and integrity, privacy-
preservation, traceability, unlinkability, non-repudiation, and revoca-
tion. It secures from various attacks such as impersonation attack,
replay attack, and cloning attack. The protocol proposed in Zhou
et al. (2020) is based on MCOS and LSPC. It is lightweight privacy
preservation scheme. There are four different algorithms which work
for the proposed scheme: setup, message generation, message filtering,
and message decryption and verification. The authentication protocol
proposed in Zhang et al. (2019) has five different phases: system setup
phase, join region phase, message broadcast and authentication phase,
and update Group Session Key (GSK) and track real identity. It provides
security from various attacks such as impersonation attack, tracking
attack, Sybil attack, replay attack, and DoS attack. The computation
and communication cost of this method are less than the other schemes
in VANETs.
The authentication protocol proposed in Alshudukhi et al. (2020) is
based on ECC; it uses four different phases. These phases are the ini-
tialization phase, joining phase, signing phase, and verification phase.
It provides various security features such as privacy preservation, mes-
sage integrity, authentication, tractability, revocability, and unlinkabil-
ity. The method helps to reduce the computational cost. However, it
fails to reduce the communication cost. The protocol proposed in Liu
et al. (2020) is a hybrid proxy authentication-based scheme. It has
four phases; these include initialization of the system, the generation of
group keys, the authentication of the system, and the tracking of real
identity. It provides various security features such as BAN logic is used
to provide mutual authentication, privacy preservation, and traceabil-
ity. It also helps to protect the network from replay attack. It provides
efficient communication and computational overhead. The protocol
proposed in Lu et al. (2019) is based on a blockchain called BPPA. The
scheme uses the Chronological Merkle Tree (CMT) and Merkle Patricia
Tree (MPT) to extend the structure of blockchain. It provides security
from various attack models such as MiM attack, replay attack, forgery
attack, identity revealing attack, and authority abuse attack. Moreover,
this scheme features authentication security, privacy, certificate, revo-
cation transparency, scalability, and efficiency. The work done in Tan
and Chung (2020) is classified into two sub-groups i.e., authentication
and key management using the blockchain. The authentication scheme
has two phases i.e., the offline registration phase and the authentica-
tion phase. The key management scheme uses vehicle-to-vehicle group
construction employing CRT, and dynamic key updating. It provides
security from message chosen attack, and replay attack. It provides
various security features such as anonymity, key establishment, iden-
tity privacy preservation, certificateless authentication. The storage
overhead of this scheme is less. However, communication cost and
computational cost for both vehicle and roadside unit are high.
The work proposed in Mundhe et al. (2020) is a Lattice-based Ring
signature scheme for Message Authentication (LRMA). It has three
phases; these are key generation, signature generation, and signature
verification. It provides various security features such as anonymity

9
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 4
Pros and cons for VANETs authentication.
Reference
Li et al. (2019)
Alfadhli et al. (2020)
Zhou et al. (2020)
Zhang et al. (2019)
Alshudukhi et al. (2020)
Liu et al. (2020)
Lu et al. (2019)
Tan and Chung (2020)
Mundhe et al. (2020)
Li et al. (2020)
Cui et al. (2019)
Wang and Liu (2021)
Pros Cons
6 phase, mutual authentication, integrity, No key agreement, less secure
privacy-preservation
Mutual authentication, key agreement, 5 phase, Less secure
privacy-preservation, revocation
Lightweight, 4-algorithm, privacy-preservation Less security, no key agreement, no mutual
authentication
5 phases, GSK, authentication, non-repudiation Less efficient, trustworthiness issue
4 phases, ECC, BAN logic, privacy-preservation, No key agreement, less secure, No analysis on
mutual authentication network attacks
4 phases, mutual authentication, privacy-preservation, Less secure, no key agreement
efficient communication overhead, efficient
computational overhead
authentication security, privacy, certificate, revocation No key agreement, performance could be enhanced
transparency, scalability, efficiency
2 sub protocol, certificateless authentication, key Less secure, high communication cost, high
agreement, privacy-preservation, efficient storage computational cost
overhead
3 phase, anonymity, unforgeability, cost effectiveness Less security features
Lightweight, 4 phases, privacy-preservation, mutual No key agreement, High communication cost
authentication
8 phase, message integrity, non-repudiation, identity No key agreement, less secure from network attack
privacy protection, traceability, revocability, efficient
communication overhead, efficient computational
overhead
4 phase, integrity preservation, trajectory, Less secure, no key agreement
privacy-preservation, traceability, mutual
authentication

and unforgeability. It also secures from various network-based attacks
such as identity revealing attack, impersonation attack, forgery at-
tack, and replay attack. In Li et al. (2020), the authors propose a
lightweight privacy preservation authentication scheme. It has four
different phases: initialization, RSU registration, vehicle registration,
and message authentication. The method ensures anonymity, unlink-
ability, traceability, and mutual authentication. It provides security
from various network-based attacks such as forgery attack, message
modification, modification attack, and replay attack. However, it failed
to give efficient communication costs. The authentication scheme pro-
posed in Cui et al. (2019). It is an eight-phase authentication protocol;
these phases are system initialization, RSU initialization, vehicle ini-
tialization, partial key generation, group key obtaining, key generation,
message signature, message authentication and malicious vehicle revo-
cation, and group key update. It provides security from resist forgery
attack, MiM attack, modification attack, and replay attack. It provides
efficient communication and computational overhead. The authenti-
cation scheme in Wang and Liu (2021) is called Secure and Efficient
Message Authentication (SEMA). It has four phases: initialization, au-
thentication, identity revealing, and revocation. Various security analy-
sis has been performed on this scheme: message integrity preservation,
trajectory, privacy-preservation, and traceability. It also secures the
network from various attacks such as frame attack and replay attack.
We summarize the pros and cons of the authentication methods in
VANETs in Table 4.
7. Other authentication protocols
Apart from the sensor networks and its allied versions, perception
layer in IoTs also deal with various enablers such as RFIDs, tags, smart
cards. Moreover, as an recent extension blockchains also help IoTs in
providing authentication. In this section, we discuss all such authenti-
cation protocols which are not specific for any particular application
domain of WSNs, IIoTs or VANETs rather, these protocols are general
in their configurations and can be applied as required. However, we
need to check their application feasibility.
7.1. Authentication for RFID enablers
RFIDs are one of the perception layer technology enablers. It con-
nects the identities of the devices to the clouds and verifies for its
usage. One such example of RFID application uses ECC-based au-
thentication technique (Cong et al., 2014). It provides a solution for
anti-counterfeiting which is based on RFID tags and Physical Unclon-
able Function (PUF). Using this scheme, it provides security from
active as well as passive attacks during the process of verification of
tags. It is able to work in both online and offline modes. RFID tag
authentication protocol also extends towards a lightweight version (Fu
et al., 2010). This protocol is called as Scalable Pseudo-Random RFID
Private Mutual Authentication (SPRA). It is based on Pseudo-Random
Number Generator (PRNG). In the work (Lee et al., 2008), the authors
have described an Elliptic Curve-based Random Access Control (EC-
RAC) scheme. This scheme fulfills the basic security requirement of
RFID tags i.e., scalability, anticloning, anonymity, and provides security
from tracking attack. A revised version of ECC-based Random Access
Control (EC-RAC) uses public key cryptography (Lee et al., 2009). Two
basic protocols are used: Schnorr and Diffie–Hellman protocol. This
protocol provides server-based authentication to the RFID tags. Another
such example uses offline mode of authentication (Batina et al., 2007).
It provides security from eavesdropping and replay attacks; however, it
fails to provide mutual authentication. There are other vulnerabilities
in this protocol such as the inability to trace the tag and no forward
security. The solution shown in Lee et al. (2010) solves these problems.
It uses ECC-based asymmetric cryptography.
Researchers in Batina et al. (2012) uses ECC and symmetric key
cryptography for authentication of RFID tags. Using this protocol, an
unauthorized verifier is unable to trace the tags, only the trusted
verifier is having permissions to check the recently added tags. It uses
Round Trip Time (RTT) based parameter for processing. The protocol
focuses on prevention from wide–narrow attacks and weak–strong at-
tacks (Vaudenay, 2007). RTT mechanism provides an advantage with
reduced complexity when already scanned tag access is refused for an
adversarial reader. In Yang (2012) authors describe Secure Multiple

10
A. Kumar et al.
Table 5
Pros and cons for RFID authentication.
Reference Pros
Cong et al. (2014) ECC, anti-counterfeiting, PUFs
Fu et al. (2010) Lightweight, PRNG-based, tag anonymity
Lee et al. (2008) Scalability, anti-cloning, anonymity, security from
tracing attacks
Lee et al. (2009) Separated authentication schemes for tags, password
transfer and server-to-tag
Batina et al. (2007) Strong authentication
Batina et al. (2012) Small keysize, privacy-preserving two-party
grouping-proof, scalable
Yang (2012) Support for mobile RFID, cross different authorities,
and assign transfer targets
Gui and Zhang (2013) Lightweight
Lee et al. (2010) A server (or a reader) can efficiently query for a
specific tag without compromising the tag’s privacy
Liao and Hsiao (2014) Small keys, mutual authentication, ID-verifier
protocol, challenge-response protocol for refreshed
communication messages
Wang et al. (2017) Random oracle, based on Lee et al. (2010) and Liao
and Hsiao (2014)
Tewari and Gupta (2018) Lesser computation overhead,
Group Ownership Transfer Protocol (SMGOTP) which is suitable for
mobile-based RFID tags. This protocol transfers the ownership tag from
one authority to another in the network which helps to secure RFID tags
from different types of attacks. It can perform transmission of group
ownership from one-to-many. It provides additional security features
like forward secrecy and backward secrecy and protects the location
of tags from the intruder. In Gui and Zhang (2013), the protocol
provides mutual authentication between RFID tags and the database.
This protocol provides various security features like forward security
as well as backward security and protects from various attacks like
replay attacks and DoS attacks. It also provides an additional feature
to transfer the ownership to tags. Another RFID-based authentication
protocol has been proposed in Cong et al. (2014), it uses ECC and
symmetric key cryptography techniques. This is basically a grouped
RFID authentication protocol introduced for the perception layer. This
protocol increases security when a group of RFID tag enters the net-
work. In Liao and Hsiao (2014), the authors have proposed a mutual
authentication protocol which is based on ECC. This protocol provides
mutual authentication between the tag and the server, and provides
confidentiality, anonymity and availability. Wang et al. (2017) shows
an authentication scheme based on Lee et al. (2010) and Liao and
Hsiao (2014). It uses Random Oracle Model (ROM) and one-sided hash
function makes the process robust against attackers (Bellare and Rog-
away, 1993). The password which is not used in the security protocol
is removed further. The proposed protocol overcomes the problems
caused by replay attack, session key attack; it provides forward secrecy
and better performance in terms of security as shown by Liao and
Hsiao (2014). In Tewari and Gupta (2018), the authors have proposed a
protocol based on various cryptography techniques such as ECC, hash
function, PRNGs, public-key cryptography for encryption/decryption.
It provides mutual authentication to both the server and the RFID tag,
confidentiality to the RFID tag information, inability to trace the tag,
and forward secrecy. This scheme protects the network from DoS attack
but fails to protect from DDoS attack as attackers can intrude the IoT
device to use them as Botnets. We summarize the pros and cons of these
approaches in Table 5.
7.2. Lightweight authentication for RFID enablers
The protocol proposed in Moosavi et al. (2014) is based on ECC and
D-Quark lightweight hashing techniques. It has three authentication
11
Journal of Network and Computer Applications 204 (2022) 103414
Cons
PUFs require obfuscated interfaces, stolen identities
are not preventive
High cost, low scalability
Server-load increases, server failure can lead to
deauthentication of tags
Selection of protocol with increased RFIDs
No mutual authentication
Group inclusion is not authenticated separately
High complexity, group authentication key verification
required
Database search technique may create bottleneck with
increased number of RFIDs
Prone to side-channel analysis
Complexity, compromised reader possibility controlled
by third party
Side-channel analysis, compromised reader possibility
controlled by third party
Prone to DDoS and spamming attacks
phases: authentication, verification and identification. Authentication
and verification id are based on Elliptic Curve Discrete Logarithm
Problem (ECDLP) while verification of tag and identification of tag is
based on Elliptic Curve Digital Signature Algorithm (ECDSA) with the
help of Quark Light. It protects the network from eavesdropping attack,
impersonation attack and replay attack.
In Porambage et al. (2014), the authors show a two-way lightweight
authentication protocol. The first phase is registration phase and other
is the authentication phase. Although the protocol is lightweight it
protects the network from session key attacks but fails against DoS
attacks, insider attacks, impersonation attacks, replay attacks and MiM
attacks. Its features include forward secrecy and mutual authentication.
The authors have proposed a protocol in Chen and Chen (2015) which
is based on Dynamic Token Based Authentication Protocol (DTAP).
It uses three-step mutual authentication: request, token and respond.
In Gope and Hwang (2015), a light-weight RFID mutual authentication
protocol uses a hash function; authentication is done when RFID tag
is moving to different cluster and each cluster authenticates each of
the tags. It is a two-phase authentication process that includes regis-
tration and authentication phase. The main purpose of this solution
is to protect the network from the forgery attack and cloning attack.
Apart from this, the presented protocol secures the network from DoS
attack, replay and tracking of location attack and provides forward
secrecy to the network. In Dass and Om (2016), authors use some
lightweight cryptographic function, PRNGs and hash function. This
protocol focuses on the authentication of RFID tags. Other commu-
nication is assumed to be secure. This protocol helps to secure the
network from replay attack, de-synchronization attack, MiM attack and
DoS attack. It provides mutual authentication; tracing of tag infor-
mation is not possible here. The researchers have proposed another
light-weight RFID authentication protocol based on hash function and
symmetric key encryption technique in Yin et al. (2017). It uses three-
phase authentication technique starting with registration of RFID tags,
authentication of tag while moving in different clusters, authentication
if tags while moving in different networks. It provides security from
various attacks like replay attack, DoS attack and location tracking at-
tack. This protocol is unable to protect the system from a forgery attack
and cloning attack. Cryptanalysis of such lightweight authentication
of RFID tags notifies that there is still scope of improvement in this
direction (Aakanksha Tewari, 2017). Tewari and Gupta (2017) uses
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 6
Pros and cons for RFID lightweight authentication.
Reference
Moosavi et al. (2014)
Porambage et al. (2014)
Chen and Chen (2015)
Gope and Hwang (2015)
Dass and Om (2016)
Yin et al. (2017)
Aakanksha Tewari (2017)
Tewari and Gupta (2017)
Khor and Sidorov (2018)
Fan et al. (2016)
Li et al. (2018)
Pros
Small keysize, lightweight, mutual authentication
Lightweight certificates
Dynamic tokens, anonymous authentication
Anonymous authentication
PRNG, tag information follows CIA
Randomness parameter in the transmitted data
Ultra-lightweight with bitwise operations only, ensures
untraceability
Ultra-lightweight with bitwise operations
Three pass mutual authentication, improvement over
Tewari and Gupta (2017)
Ultra-lightweight
Secret key for each legal reader, improvement over
Fan et al. (2016)
Cons
Computational time optimization required, feasibility
of lightweight techniques must be checked
Implicit certificates for access control, multicast with
scalability issues
Seed value is static leads to cryptanalysis
Storage and computational overhead
Seed value is static leads to cryptanalysis
Cache collision may increase the search time and
eventually the complexity
Bit manipulation and bit masking problems need
validation
Prone to DoS attack at tag and reader
Repudiation of tag transfer between tag and reader is
not validated
It is vulnerable for reader impersonation attack, tag
forgery attack and message eavesdropping attack. It
fails to preserve mutual authentication
Higher computation and database time consumption,
tag impersonation and information disclosure

an ultra-lightweight mutual authentication protocol. It applies only
bitwise operator (XOR) and left rotation operation due to which it
gives an ultra-light-weight solution. It provides security from various
other attacks such as MiM attack, replay attack, de-synchronization
attack, disclosure attack and DDoS attack. It provides confidentiality
and integrity along with authentication. Some security issues have
been noticed in Tewari and Gupta (2017) which are addressed in Khor
and Sidorov (2018). Ultra-lightweight solution for RFID authentication
is also noteworthy (Fan et al., 2016). It uses GNY logic for security
purpose. Researchers show an improvement of this work in Li et al.
(2018). It modifies the former approach with providing the secret keys
for each of the readers. Some security flaws are identified in it and
further improvements are proposed in Yin et al. (2017). It is able to
secure the network from disclosure attack, impersonation attack and
replay attack. We summarize the pros and cons of these methods in
Table 6.
7.3. Authentication protocols for non-RFID applications
Researchers use HTTP cookies for authentication (Kalra and Sood,
2015b). This protocol uses 3-step authentication process with regis-
tration, login and checking the authenticity of the device. It provides
security from many attacks either on the device or on the system
like replay attack, MiM, cookies theft attack, eavesdropping attack,
brute force attack, offline dictionary attack and leak of verifier attack.
However, it fails at two major points; it is unable to provide mutual
authentication and problems exist in session key agreement. The work
in Chang et al. (2017) solves these problems. Authors in Jablon (1996)
show a method of building hybrid two-factor authentication systems.
Independent password-only and key-based methods can survive a single
event of either key theft or password compromise. In Daddala et al.
(2017), the authors show a protocol based on asymmetric crypto-
graphic technique; it is a customized form of AES. It has various
security features such as confidentiality, authentication, integrity and
provides security form MiM attack. The authentication mechanism
in Hao et al. (2018) is based on Multi-Attribute Multi-Observation
(MAMO) technique and PHY-IBC protocol with the enhancement of
two-way asymmetric authentication protocols (Wang et al., 2016).
There are some pre-requirements for this approach, such as the Serial
Number (SN) should have a unique ID of the end device and the device
should be publicly verified and accessible. Another pre-requirement is
the classification of PHY characterization is based on channel and Radio
Frequency (RF). PHY-AIDED is an asymmetric authentication protocol
that uses a one-way digital signature. Authentication time is also re-
duced even if the system is under the presence of attackers. The work
in Choi et al. (2019) has proposed a light-weight mutual authentication
protocol which is based on Single Instruction Multiple Data (SIMD) and
applicable to Advance RISC Machine (ARM) processor. To increase the
processing speed for authentication the authors use MAC algorithm.
It provides security from eavesdropping attack, replay attack and the
modification of message attack. We summarize the discussed methods
in Table 7.
7.4. Lightweight authentication protocols for non-RFID applications
In the work (Hammi et al., 2017), the authors provide a mutual
authentication-based protocol that uses an asynchronous One-Time
Password (OTP). It is a light-weight authentication protocol and there-
fore, it is applicable to any IoT framework. This protocol protects
the network from a replay attack and DoS attack but does not pro-
vide confidentiality of data. A signature-based mutual authentication
protocol uses eight different phases: Starting with the setting up the
system followed by registration of the device (Challa et al., 2017). Then
registration of the user is executed with login phase and authentication
and agreement of key with a bio-metric and password setup. Revocation
of smart-cards are allowed in the phase and finally, a new device is
added in the network. It uses Burrows–Abadi–Needham (BAN) logic
for providing the security to the system. It exhibits security features
like key agreement, forward secrecy and intruder cannot trace the end-
devices. End users have permission to update the password too which
is advantageous from a user perspective. The authentication scheme
in Amin et al. (2018) also uses the BAN logic and security validation is
done by AVISPA tool (Glouche et al., 2006; Armando, 2018). It protects
from various attacks like impersonation attack, replay attack, offline
brute-force attack, insider attack and disclosure of session key attack.
In the work (Dhillon and Kalra, 2017), the authors show a key-
agreement based lightweight authentication protocol; it uses one-way
hash along with perceptual hashing and XOR technique. It has four
phases that starts with user registration followed by login. Then au-
thentication is done and finally, the user has the right to update
the password for better security. Another light-weight authentication
protocol in Lavanya and Natarajan (2017), it uses symmetric key
cryptographic technique for various encryption/decryption; it is based
on IKv2 (Cremers, 2006). In this protocol, the authors use Advanced
Encryption Standard with Cipher Block Chaining (AES-CBC) for encryp-
tion and ECC-based Diffie–Hellman for the generation of key and hash

12
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 7
Summary of authentication protocols for non-specific enablers.
Reference
Kalra and Sood (2015b)
Chang et al. (2017)
Jablon (1996)
Daddala et al. (2017)
Hao et al. (2018)
Choi et al. (2019)
Feature
3 layer of authentication, enhancement of security
against cookie-based authentications
Solution to the problems (Kalra and Sood, 2015b)
Two-factor authentication
Customized AES, less complex keys
Integration of Device-to-device (D2D) PHY
fingerprinting with asymmetric cryptography-based
End-to-End (E2E) IoT
LEA-128-CTR and Chaskey algorithms, high-speed
parallelism, lightweight
Future extension(s)
Redirection of cookies, authenticated cookies
management, session key problem
Collusion attacks validation can be exploited further
on hash exchange and with compromised session keys
Possibility of dictionary attack on password based
must be exploited
Periodic keys update required
Design of an optimal PHY entropy-based
authentication scheme
Heterogeneity of devices must be exploited

Table 8
Summary of lightweight authentication for non-specific enablers.
Reference Features Extension(s)
Hammi et al. (2017) Mutual authentication, asynchronous OTP, lightweight Confidentiality problem must be exploited after the
MAC sub-layer association and authentication
procedure
Challa et al. (2017) Signature-based, lightweight, BAN logic Delay and scalability correlation should be extended
Amin et al. (2018) Mutual authentication with BAN logic, easy to update Communication cost must be optimized for resource
password and identity from user perspective constrained IoTs
Dhillon and Kalra (2017) Key-agreement based light-weight authentication, Effect of compromised GWN should be experimented
one-way hash along with perceptual hashing, use of
XOR, register through GWN
Lavanya and Natarajan (2017) Advanced Encryption Standard with Cipher Block Collaborative key exchange and TLS-based key
Chaining (AES-CBC) for encryption, ECC based protocols can be compared on the same scheme
Diffie–Hellman for key generation and hash code
generation
Feng et al. (2018) Authentication–attestation, PUFs Collision attack and impersonation attack must be
analyzed on this scheme
Zhou et al. (2019) Lightweight crypto-modules Cryptanalysis of XOR operations, timing attacks,
side-channel analysis can be exploited

code generation. It protects from all the attacks within the bounds.
The lightweight mutual authentication–attestation protocol called as
Attestation and Authentication of Low-Resources Things (AAoT) pro-
tocol uses PUFs (Feng et al., 2018). PUFs fill the memory randomly to
reduce memory resources. It creates a trust zone for every end-node
(device) connected in the system. This trust zone is called PUF-based
Root-of-trust (PUFRoT). A single-way hash function based lightweight
authentication protocol is proposed in Zhou et al. (2019). It uses
three phases: registration phase, user and cloud-server registration,
and authentication phase. It provides mutual authentication and able
to provide security against from offline brute-force attack, insider at-
tack, de-synchronization attack and forgery attack. We summarize the
discussed methods in Table 8 and show some possible extensions for
research problems.
7.5. Authentication protocols for blockchain-based enablers
The newest extension of IoT uses blockchains. There are various
applications emerging everyday that are using blockchains in any form
for IoT applications (Uddin et al., 2021). Therefore, it is necessary
to account such applications and their related authentication meth-
ods. One such solution uses the concept of Bubble of Trust (Hammi
et al., 2018). It provides mutual authentication based on ECC and
asymmetric key cryptographic technique. Each device communicates in
the bubble of trust. Being the blockchain-based application inherited
security features strengthen the authentication. A recent interesting
solution for blockchain-based IoTs uses two types of mutual authen-
tication (Aghili et al., 2021). These authentication methods are ap-
plicable for decentralized closed loop and open loop RFIDs. It uses
BAN-logic to approve the security for the loop-controlled mechanisms.
SCAB-IoTA uses the blockchain and hybrid cryptosystem to enhance
the security of IoT applications (Vishwakarma and Das, 2021). The
hybrid cryptosystem functions with Advanced Encryption Standard
(AES) and ECDSA. Furthermore, it produces a secure cluster of IoT
devices based on Angular Distance (AD). Each devices authenticates
itself before joining the cluster. Another solution in the direction of
blockchain uses the tamper-resistance keys (Fan et al., 2021). Authen-
tication schemes also requires to be privacy preserving. Such a solution
uses blockchain technology and the secret computational model of PUF
model (Patil et al., 2020). The protocol guarantees that IoT devices
and the miner are authenticated in a faster authentication process
compared to current blockchain techniques. The solution ensures data
provenance and data transparency in IoT networks. Following the same
line of research, another privacy preserving PUF-based solution uses
real correlations of challenge-response pairs that are double-encoded
into mapping correlations by a one-time physical identity and the
keyed-hash function (Zhang et al., 2021). In this solution, the used
blockchain stores MCs, synchronize them efficiently, and incorporate
the multi-receiver encryption to share the physical identity securely.
Apart from one time authentication, continuous authentication pro-
cess is stronger. On this, a distributed and scalable continuous authenti-
cation solution, called as CAB-IoT, enables fog nodes layer to tackle the
limitations of IoT resources (Hussain Al-Naji and Zagrouba, 2020). It
utilizes localized processing of heavy continuous authentication-related
tasks for a group of IoT devices. It also adds on a trust module that
depends on the face recognition machine learning model to detect
outliers and abnormal access. Moreover, mutual authentication takes
place between end-users and fog nodes. It is a lightweight proto-
col. Guo et al. (2020b) shows a master–slave blockchain architecture
to support distributed cross-domain authentication in IoT. It proposes

13
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 9
Summary of authentication for blockchain-based enablers.
Reference Features Gaps or Extension(s)
Hammi et al. (2018) Bubble of trust Decentralized trust calculation
Vishwakarma and Das (2021) lightweight authentication, hybrid cryptosystem Angular distance validity, coordinates verification
Aghili et al. (2021) RFID-based closed loop applications, hybrid Energy-optimization
crypto-systems
Fan et al. (2021) ID-based signature authentication Privacy, anonymous authentication
Patil et al. (2020) Blockchain and PUF combination, smart contracts Energy consumption , federation identity
Zhang et al. (2021) Authentication protocol for the multi-server, Energy consumption
cloud–edge IoT systems
Hussain Al-Naji and Zagrouba (2020) localized processing of heavy continuous Scalability, load balance of fog nodes
authentication-related tasks, trust module uses face
recognition machine learning model
Guo et al. (2020b) Master–slave blockchain, distributed cross-domain sybil problem, eclipse attack, double spending on
support, reputation value model, an improved reputation
Byzantine Fault Tolerance algorithm based on
reputation
Wang et al. (2020) Identity security, cross-domain authentication Deep learning methods for adaptive and dynamic
credibility matrix credibility matrix
Dong et al. (2020) Cross-domain authentication, cosmos network model Scalability, privacy
Alzubi (2021) Lamport Merkle Digital Signature Generation Signature size optimization
(LMDSG), hash of records
Tian et al. (2020) Identity authentication Selection of consensus mechanism
Huang et al. (2020) ECC-based key generation, hash of public key works as Complexity optimization, lightweight
identity, accounting input information into the block,
Cui et al. (2020) Local blockchain and public blockchain Conditional blockchain merging
Zhaofeng et al. (2021) Avoidance of single side fault Complex for resource constrained devices
Fayad et al. (2019) Mutual authentication Authorization management, security analysis
Cheng et al. (2021) mutual authentication with blockchain, certificateless Complexity, energy utilization
cryptography, elliptic curve cryptography, and
pseudonym-based cryptography
Guo et al. (2020a) Optimized practical Byzantine fault tolerance (PBFT) Scalability and availability
consensus, dynamic name resolution strategy, caching
strategy based on belief propagation
Khalid et al. (2020) Decentralized authentication and access control, Lightweight consensus, trust-based miners
public blockchain
Yavari et al. (2020) Security access management, anonymity Blockchain-based ownership transfer protocols
Vangala et al. (2021) Persistence and auditability, confidence of using the Oracle data feed to smart contract
correct data
Lin et al. (2020) Traceability, Privacy, group signature Attribute-based cryptography for fine-grained access
control

a reputation value model for slave chain and also designs an improved
Byzantine Fault Tolerance algorithm based on this reputation value
model (RIBFT) to improve efficiency of authentication and minimize
time delay. Another cross-domain based authentication solution for
power terminals in IoTs is researched recently (Wang et al., 2020).
It analyzes the power communication network. It shows three types
of processes: identity, in-domain authentication, and cross-domain au-
thentication for terminals. Various security levels in cross-certification
increases the security. It uses a cross-domain authentication credibility
matrix. The work in Dong et al. (2020) also supports the cross-domain
authentication solution. It uses the cosmos network model to encourage
mobility of the devices and ensures reliability of accessing external
domain networks. In a recent work, the solution uses Lamport Merkle
Digital Signature (LMDS) (Alzubi, 2021). It is applicable for healthcare
IoTs. LMDSG model performs the task of authentication of IoT devices
by constructing a tree in which the leaves symbolize sensitive pa-
tient medical data’s hash function. A Centralized Healthcare Controller
(CHC) performs the task of determining the root of the LMDSG by
using Lamport Merkle Digital Signature Verification (LMDSV). In this
verification process, when the hash of the public key is equal to leaf,
then it is the root of the tree, and it considers the signature to be valid.
Identity authentication is a beneficial option for IoT security. Combin-
ing the blockchain security with this, a decentralized system framework
for IoT identity authentication is much more efficient as compared to
the traditional authentication approaches (Tian et al., 2020). In the
same direction of identity based authentication, terminal connection
based experiments the feasibility of the decentralized authentication in
IoTs (Huang et al., 2020). A recent work of identity authentication in
multi-WSNs is also noteworthy (Cui et al., 2020). The nodes of WSN-IoT
are divided into base stations, cluster head nodes and ordinary nodes.
A hybrid blockchain network is constructed including local chain and
public chain. Local blockchain helps in authenticating ordinary nodes’
identities and public blockchain helps in cluster head nodes’ identity
authentication.
Some other blockchain-based proposals are also contributory. For
example, BlockAuth uses a secure registration and authentication strat-
egy (Zhaofeng et al., 2021). A lightweight version of blockchain-based
authentication solution is shown in Fayad et al. (2019). In a recent
literature, we observe a distributed and trusted authentication sys-
tem based on blockchain and edge computing (Guo et al., 2020a).
This system consists of physical network layer, blockchain edge layer
and blockchain network layer. Through the blockchain network, an
optimized practical Byzantine fault tolerance consensus algorithm is
designed to construct a consortium blockchain for storing authentica-
tion data and logs. In an example of collaborative edge computing,
the researchers use blockchain, certificateless cryptography, elliptic

14
A. Kumar et al.
Fig. 7. Evolution of authentication mechanisms from 2005 to present.
curve cryptography, and pseudonym-based cryptography to enhance
mutual authentication efficiency between edge servers and IoT de-
vices (Cheng et al., 2021). A lightweight extension for blockchain-based
authentication is shown in Khalid et al. (2020). Devices register in
initialization phase and maintains proof-of-concept smart contract for
proper functioning of authentication. Another similar type of approach
is also shown in Yavari et al. (2020). As we have mentioned before,
IoTs are closely connected with smart applications. Perception layer
also deals with the devices from smart homes, smart farming, etc. Two
solutions from literature are well notifying here. The first one shows a
blockchain-based authentication is smart farming Vangala et al. (2021)
and the second one shows a blockchain-based mutual authentication
for smart homes (Lin et al., 2020). We summarize the blockchain-based
authentication in Table 9.
From the above discussion of the existing authentication protocols,
we observe that authentication approaches are important in IoTs and it
has been evolving around with various methods to achieve the lighter
version day by day in terms of computational complexity. We have
summarized the logical evolution of the authentication solutions in
Fig. 7.
7.6. Comparison with existing surveys
In the existing literature, we have observed some surveys connected
with IoT security. Here, we summarize them and also compare the
attribute of the existing surveys and our present survey. We show
the inferred information in Table 10. We observe that our survey is
multidimensional as we cover all the IoT-based domains, its direct and
indirect enablers to create effect on authentication protocols.
8. Open research dimensions
The analysis of the various authentication methods and their en-
ablers, and the comparative study of the existing surveys pop out
some useful research direction in this field of IoT and its security.
The cons of the authentication methods discussed in different sections
also infer that IoTs and its allied domains still require the solutions
for authentication as applications are diversified. Based on the appli-
cation domain, the cons must be addressed by the future researchers.
These cons derive the research problems and need to be addressed for
the maturity and sustainability of IoT security in future. These open
research problems are helpful for algorithm developers, industry and
academia. In the previous sections, we discuss various research gaps or
scope of extensions for each of the existing authentication protocols. In
this section, we discuss a summarized list of directions for future work.
• Architectural aspects: The review of the research works signifies
the fact that the three-layered architecture is the most popular
one. Though other architectures are also available but have not
been researched significantly. Five-layered architecture can be a
candidate for future IoT frameworks. We notice that, with the
increasing number of functionalities, IoT designers come up with
additional layers for IoT for handling operations. These add on
15
Journal of Network and Computer Applications 204 (2022) 103414
layers are, no doubt, provides granularity to the system; how-
ever, the underlying dependencies must be understood clearly
for gathering the security requirements and applying the suitable
methods. Therefore, the merits and demerits need to be under-
stood properly so that well-defined functions can be associated
with the layers for obtaining the architectural advantages.
• Security requirements:Authentication of the sender or the data is
important for a secure communication. Along with these, it is
also necessary to use attestation process for maintaining the in-
tegrity and authentication intact. Foe example, remote attestation
for IIoT related patches and software. Though various remote
authentications are already existing, still there is scope of fur-
ther developments in this direction and using some decentralized
framework.
• Decentralization aspects: Generally authentication is proved with
digital signature. Digital signature uses cryptographic keys. The
key generation process in traditional systems are centralized and
prone to failure. Researchers have already initiated to explore
the distributed key generation process, but still it needs suitable
developments for applicability in resource constrained environ-
ments. Moreover, in blockchain-based authentication schemes,
consensus is a big issues. We need to look for lightweight con-
sensus or proof of X for such authentications.
• Requirement of randomness: The reports from security protocol
developers and NIST requirements have urged the development
of suitable random and pseudo-random number generators. In the
state-of-the-art security protocols random numbers are missing
links and therefore some less complex random number generators
need to be developed. The inclusion of such random numbers
and analyzing the behavior of the existing security algorithms is
another part of the future research aspect.
• Authentication phase aspects: The presented survey clearly shows
that four to eight phases are rarely used for authentication pro-
tocols. Though they have been initially started with efficiency,
multiple drawbacks have create a set back for the phase struc-
tures in the research domain. Therefore, the reasons need to be
identified for these phase structures and algorithms or functions
need to be developed to revive them. We also need to understand
that increasing number of phases of a single operation, such
as authentication, may also increase the complexity and other
resource consumption; this may lead to the failure of the system.
• Authentication type aspects: IoTs and WSNs both have utilized
the generic and standard security protocols for providing au-
thentication services. IIoTs, IoMTs also follow the same line of
developments and also uses customized authentications specifi-
cally for their respective domains. However, with the increasing
sophistication of the devices and limited resource availability
have shifted the demand of security protocols from generic to
lightweight and moreover into ultra-lightweight. The future secu-
rity protocol designers should take care of the aspect of designing
more robust algorithms with lightweight and ultra-lightweight
features.
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Table 10
Summary and comparison of surveys.
Reference
Arasteh et al. (2016b)
Butani et al. (2014)
Lin et al. (2017)
Uddin et al. (2021)
Roy and Kalita (2017)
Hameed and Alomary (2019)
Meneghello et al. (2019)
Sharma et al. (2020)
Al-Garadi et al. (2020)
Albalawi et al. (2019)
Mohammad et al. (2019)
Bastos (2019)
Mohammed et al. (2019)
Jiao and Liu (2019)
Babun et al. (2021)
Present survey
Attributes
Security, privacy, heterogeneity, reliability
Attacks, security features
Architecture, security, privacy, enabling technologies
Digital signature, performance analysis, tools, simulators, challenges
Cyber-attacks, security features
Cyber-attacks, security features
Security requirements, security attacks, encryption mechanism, lightweight
cryptography, secure hardware, security on IoT communication technologies
Protocol security, handover security, framework security, attacks, ideology,
encryption
Supervised approach, un-supervised approach, semi-supervised approach, attack
surfaces, threat detected
Authentication methods, attacks prevented
Attacks, security features
Authentication, authorization, data protocols, encryption in transit, encryption at
rest, cloud service type
Crypto-techniques, authentication techniques, blockchain techniques, data privacy
preservation technique
PUF types, process scale, source of variation, source of authentication
Topology design, programming language, third party support, extended protocol
support, event handling, security, privacy
IoT layers, Security perspectives and attacks, WSN-based authentication, IIoT
authentication, IoMT authentication, VANET authentication, Non-specific applications
of authentication, Lightweight authentication, blockchain-based enablers, open issues

• Attack orientation: The survey in this presented work shows that
IoTs are vulnerable for de-synchronization attacks, message mod-
ification attacks, cloning attacks, masquerading problems, node
compromise problems, wormhole problems, and smart card prob-
lems. However, research works to handle such attacks are not
significantly researched and having ample scope of advancement
in the future.
• Password problem: The whole world is having password problem.
The usability and security dilemma always has affected the secu-
rity of the IoT systems. OTPs also follow the same line and add
on the phishing issues with shared secret habits. Therefore, IoTs
seek for a full-proof authentication system which can address all
these problems.
• Authentication requirements: As per the requirements of the authen-
tication protocols, backward secrecy and anonymity are desired
for providing suitable authentication features. However, these
two properties are less researched and need significant attention
for enhancements. Besides, end-to-end lightweight authentica-
tions are more welcome in IoT systems.
• Oracles: Blockchains are using oracles for data feed in smart con-
tracts. However, authenticity proofs for these oracles are not well
developed. Therefore, it opens up a research direction to analyze
the existing state-of-the-art oracle authentication methods and
developing an efficient approach.
• Authentication overhead: Developing an authentication protocol
is easy but, developing an efficient authentication protocol is
difficult. An efficient authentication must not produce overhead
by exchanging huge number of messages. In IoTs, this number
exponentially increases with the increasing number of devices.
Moreover, the message size should not be large; therefore, the
authentication protocol designers must use limited number of
messages with an efficient size limit for the better productivity
of the authentication system.
• Post-quantum sustainability: One of the biggest problem arises with
the progress of the quantum computing is that the insecurity
of sustainability of the existing cryptosystems. To enable the
robustness of the authentication protocols, the designers must
emphasize the development of quantum-based constructions for
authentication keys or derivatives.
• Hardware-TPM solutions: As we know, the keys for authentications
must be secure, we must use the embedded hardware or Trusted
Platform Module (TPM) for the purpose of key storage. In IIoTs,
IOMTs these options are plenty and therefore, a rigorous research
on these can raise some valuable points to address.
• Privacy-awareness: Privacy is another important part of security.
Even an authenticated entity can breach the privacy of a data.
Therefore, researchers should design an authentication mech-
anism that will handle privacy efficiently; besides, the inter-
dependencies of the privacy parameters should also be in con-
sideration for authentication.
• Authorization integration: We often notice that the legitimate users
are more vulnerable for misusing the authorization process. This
is very hard to detect if a user is authenticated and not authorized
for a specific operation. The majority of the authentication veri-
fies the identity of the nodes or users and leaves the authorization
scope under assumption or as a separated module. However,
it is the best option to integrate an authentication mechanism
that provides authorization features as a coherent process of the
authentication.
• Scalability: In the literature, we observe that the majority of the
authentication schemes claim that they are scalable. However, in
practical scenarios, those claims fail. Therefore, the correlation to
scalability with valid proofs is necessary.
• Load balance: There are various algorithms for authentication
exist using fog layer as for computing heavy tasks for authentica-
tion. We need to keep in mind that with the increasing device con-
nections, the load on those fog layer devices increases; therefore,
it is necessary to check the load balance factor in authentication
for edge–cloud computing.
• Authentication as a service (AaaS): Authentication as a Service
(AaaS) provides various authentication services such as multi-
factor authentication, single sign-on, and password management
in the cloud. Though the clouds provide such authentication,
clouds inherit some intrinsic security loopholes for security breach.

16
A. Kumar et al.
Therefore, efficient AaaS can be developed further maintaining
the cloud security explicitly.
The aforesaid aspects of future research work are the factors for
the sustainable development of IoT environment and therefore must
be addressed significantly to improve the efficiency of the IoT appli-
cations. Future researchers must be considering such problems for the
IoT developments either as a service or as a product.
9. Conclusions
IoT is a demanding and the most promising technology in the
present world of communication. Along with its increasing demands
and developments, IoTs face several security problems. In this pre-
sented work, we have considered the authentication factor as one
of them. We have surveyed various security requirements and objec-
tives for IoTs. The survey of the authentication protocols has been
executed systematically following a multidimensional analysis. This
analysis helps the IoT research fraternity to understand the present
status of the authentication protocols in IoTs. Moreover, the discussed
open research problems are beneficial for the strategic design of the
authentication protocols in the future to output a robust and secure
IoT framework.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Acknowledgments
This work was supported by: ‘‘Fondazione Cassa di Risparmio di
Padova e Rovigo’’ with the project QUASAR funded within the call
“Ricerca Scientifica di Eccellenza and 2018” and also funded by the
European Union’s Horizon 2020 Research and Innovation Program for
the project COLLABS under grant agreement No. 871518.
References
Aakanksha Tewari, B.B.G., 2017. Cryptanalysis of a novel ultra-lightweight mutual
authentication protocol for IoT devices using RFID tags. J. Supercomput. 73,
1085–1102.
Abuhasel, K.A., Khan, M.A., 2020. A secure industrial Internet of Things (IIoT)
framework for resource management in smart manufacturing. IEEE Access 8,
117354–117364. http://dx.doi.org/10.1109/ACCESS.2020.3004711.
Adat, V., Gupta, B., 2018. Security in Internet of Things: issues, challenges, taxonomy,
and architecture. Telecommun. Syst. 67, 423–441.
Aghili, S.F., Mala, H., Schindelhauer, C., Shojafar, M., Tafazolli, R., 2021. Closed-
loop and open-loop authentication protocols for blockchain-based IoT systems. Inf.
Process. Manage. 58 (4), 102568.
Aghili, S.F., Mala, H., Shojafar, M., Peris-Lopez, P., 2019. LACO: Lightweight three-
factor authentication, access control and ownership transfer scheme for e-health
systems in IoT. Future Gener. Comput. Syst. 96, 410–424.
Al-Garadi, M.A., Mohamed, A., Al-Ali, A.K., Du, X., Ali, I., Guizani, M., 2020. A survey
of machine and deep learning methods for Internet of Things (IoT) security. IEEE
Commun. Surv. Tutor. 22 (3), 1646–1685. http://dx.doi.org/10.1109/COMST.2020.
2988293.
Albalawi, A., Almrshed, A., Badhib, A., Alshehri, S., 2019. A survey on authentication
techniques for the Internet of Things. In: 2019 International Conference on
Computer and Information Sciences. ICCIS. pp. 1–5. http://dx.doi.org/10.1109/
ICCISci.2019.8716401.
Alfadhli, S.A., Lu, S., Chen, K., Sebai, M., 2020. MFSPV: A multi-factor secured and
lightweight privacy-preserving authentication scheme for VANETs. IEEE Access 8,
142858–142874. http://dx.doi.org/10.1109/ACCESS.2020.3014038.
Almogren, A., Mohiuddin, I., Din, I.U., Almajed, H., Guizani, N., 2021. FTM-IoMT:
Fuzzy-based trust management for preventing sybil attacks in internet of medical
things. IEEE Internet Things J. 8 (6), 4485–4497. http://dx.doi.org/10.1109/JIOT.
2020.3027440.
Alshudukhi, J.S., Mohammed, B.A., Al-Mekhlafi, Z.G., 2020. Conditional privacy-
preserving authentication scheme without using point multiplication operations
based on elliptic curve cryptography (ECC). IEEE Access 8, 222032–222040. http:
//dx.doi.org/10.1109/ACCESS.2020.3044961.
17
Journal of Network and Computer Applications 204 (2022) 103414
Alsoufi, D., Elleithy, K.M., Abuzaghleh, T., Nassar, A., 2012. Security in wireless sensor
networks-improving the leap protocol. Int. J. Comput. Sci. Eng. Surv.
Alzubi, J.A., 2021. Blockchain-based Lamport Merkle digital signature: Authentication
tool in IoT healthcare. Comput. Commun. 170, 200–208.
Amin, R., Islam, S.H., Biswas, G., Khan, M.K., Leng, L., Kumar, N., 2016. Design of an
anonymity-preserving three-factor authenticated key exchange protocol for wireless
sensor networks. Comput. Netw. 101, 42–62.
Amin, R., Kumar, N., Biswas, G., Iqbal, R., Chang, V., 2018. A light weight authentica-
tion protocol for IoT-enabled devices in distributed cloud computing environment.
Future Gener. Comput. Syst. 78, 1005–1019.
Arasteh, S., Aghili, S.F., Mala, H., 2016a. A new lightweight authentication and key
agreement protocol for Internet of Things. In: 2016 13th International Iranian
Society of Cryptology Conference on Information Security and Cryptology. ISCISC.
IEEE, pp. 52–59.
Arasteh, H., Hosseinnezhad, V., Loia, V., Tommasetti, A., Troisi, O., Shafie-Khah, M.,
Siano, P., 2016b. IoT-based smart cities: a survey. In: 2016 IEEE 16th International
Conference on Environment and Electrical Engineering. EEEIC. IEEE, pp. 1–6.
Armando, A., 2018. AVISPA: Automated Validation of Internet Security Protocols
and Applications. https://www.ercim.eu/publication/Ercim_News/enw64/armando.
html. [Online; accessed 01-Sept-2019].
Ashton, K., et al., 2009. That ‘ Internet of Things’ thing. RFID J. 22 (7), 97–114.
Ayub, M.F., Mahmood, K., Kumari, S., Sangaiah, A.K., et al., 2020. Lightweight
authentication protocol for e-health clouds in IoT based applications through 5G
technology. Digit. Commun. Netw.
Babun, L., Denney, K., Celik, Z.B., McDaniel, P., Uluagac, A.S., 2021. A survey on IoT
platforms: Communication, security, and privacy perspectives. Comput. Netw. 192,
108040.
Bastos, D., 2019. Cloud for IoT – A survey of technologies and security features of
public cloud IoT solutions. In: Living in the Internet of Things (IoT 2019). pp. 1–6.
http://dx.doi.org/10.1049/cp.2019.0168.
Batina, L., Guajardo, J., Kerins, T., Mentens, N., Tuyls, P., Verbauwhede, I., 2007.
Public-key cryptography for RFID-tags. In: Fifth Annual IEEE International Confer-
ence on Pervasive Computing and Communications Workshops. PerComW’07. IEEE,
pp. 217–222.
Batina, L., Lee, Y.K., Seys, S., Singelée, D., Verbauwhede, I., 2012. Extending ECC-based
RFID authentication protocols to privacy-preserving multi-party grouping proofs.
Pers. Ubiquitous Comput. 16 (3), 323–335.
Bellare, M., Rogaway, P., 1993. Random oracles are practical: A paradigm for designing
efficient protocols. In: Proceedings of the 1st ACM Conference on Computer and
Communications Security. ACM, pp. 62–73.
Bridle, J.S., 1990. Probabilistic interpretation of feedforward classification network
outputs, with relationships to statistical pattern recognition. In: Neurocomputing.
Springer, pp. 227–236.
Brij B. Gupta, A.T., 2020. A Beginner’s Guide To Internet of Things Security Attacks,
Applications, Authentication, and Fundamentals. CRC Press.
Butani, B., Shukla, P.K., Silakari, S., 2014. An exhaustive survey on physical node
capture attack in WSN. Int. J. Comput. Appl. 95 (3).
Castiglione, A., Nappi, M., Ricciardi, S., 2021. Trustworthy method for person identifi-
cation in IIoT environments by means of facial dynamics. IEEE Trans. Ind. Inf. 17
(2), 766–774. http://dx.doi.org/10.1109/TII.2020.2977774.
Challa, S., Wazid, M., Das, A.K., Kumar, N., Reddy, A.G., Yoon, E.-J., Yoo, K.-Y.,
2017. Secure signature-based authenticated key establishment scheme for future
IoT applications. IEEE Access 5, 3028–3043.
Chang, C.-C., Wu, H.-L., Sun, C.-Y., 2017. Notes on ‘‘secure authentication scheme for
IoT and cloud servers’’. Pervasive Mob. Comput. 38, 275–278.
Chen, M., Chen, S., 2015. An efficient anonymous authentication protocol for RFID
systems using dynamic tokens. In: 2015 IEEE 35th International Conference on
Distributed Computing Systems. IEEE, pp. 756–757.
Cheng, G., Chen, Y., Deng, S., Gao, H., Yin, J., 2021. A blockchain-based mutual
authentication scheme for collaborative edge computing. IEEE Trans. Comput. Soc.
Syst. 1–13.
Choi, S.-K., Ko, J.-S., Kwak, J., 2019. A study on IoT device authentication protocol
for high speed and lightweight. In: 2019 International Conference on Platform
Technology and Service. PlatCon. IEEE, pp. 1–5.
Cong, G., Zhang, Z.-j., Zhu, L.-h., Tan, Y.-a., Zhen, Y., 2014. A novel secure group RFID
authentication protocol. J. China Univ. Posts Telecommun. 21 (1), 94–103.
Cremers, C.J.F., 2006. Scyther: Semantics and Verification of Security Protocols.
Eindhoven University of Technology Eindhoven, Netherlands.
Cui, J., Wu, D., Zhang, J., Xu, Y., Zhong, H., 2019. An efficient authentication scheme
based on semi-trusted authority in VANETs. IEEE Trans. Veh. Technol. 68 (3),
2972–2986. http://dx.doi.org/10.1109/TVT.2019.2896018.
Cui, Z., XUE, F., Zhang, S., Cai, X., Cao, Y., Zhang, W., Chen, J., 2020. A hybrid
BlockChain-based identity authentication scheme for multi-WSN. IEEE Trans. Serv.
Comput. 13 (2), 241–251.
Daddala, B., Wang, H., Javaid, A.Y., 2017. Design and implementation of a customized
encryption algorithm for authentication and secure communication between de-
vices. In: 2017 IEEE National Aerospace and Electronics Conference. NAECON.
IEEE, pp. 258–262.
Dass, P., Om, H., 2016. A secure authentication scheme for RFID systems. Procedia
Comput. Sci. 78, 100–106.
A. Kumar et al.
Deebak, B., Al-Turjman, F., 2021. Secure-user sign-in authentication for IoT-based
eHealth systems. Complex Intell. Syst. 1–21.
Dhillon, P.K., Kalra, S., 2017. A lightweight biometrics based remote user authentication
scheme for IoT services. J. Inf. Secur. Appl. 34, 255–270.
Dong, S., Yang, H., Yuan, J., Jiao, L., Yu, A., Zhang, J., 2020. Blockchain-based cross-
domain authentication strategy for trusted access to mobile devices in the IoT. In:
2020 International Wireless Communications and Mobile Computing. IWCMC. pp.
1610–1612.
E27, 2018. The advantages and disadvantages of Internet of Things. https:
//e27.co/advantages-disadvantages-internet-things-20160615/. [Online; accessed
01-Sept-2019].
Eklund, E., 2006. Controlling and securing personal privacy and anonymity in the
information society. In: Seminar on Network Security.
Endignoux, G., 2017. Design and Implementation of a Post-Quantum Hash-Based
Cryptographic Signature Scheme (Master’s thesis). École Polytechnique Fédérale
de Lausane.
Esfahani, A., Mantas, G., Matischek, R., Saghezchi, F.B., Rodriguez, J., Bicaku, A., Mak-
suti, S., Tauber, M.G., Schmittner, C., Bastos, J., 2019. A lightweight authentication
mechanism for M2M communications in industrial IoT environment. IEEE Internet
Things J. 6 (1), 288–296. http://dx.doi.org/10.1109/JIOT.2017.2737630.
Fan, Q., Chen, J., Deborah, L.J., Luo, M., 2021. A secure and efficient authentication
and data sharing scheme for Internet of Things based on blockchain. J. Syst. Archit.
117, 102112.
Fan, K., Gong, Y., Liang, C., Li, H., Yang, Y., 2016. Lightweight and ultralightweight
RFID mutual authentication protocol with cache in the reader for IoT in 5G. Secur.
Commun. Netw. 9 (16), 3095–3104.
Fan, X., Niu, B., 2017. Security of a new lightweight authentication and key agreement
protocol for Internet of Things. In: 2017 IEEE 9th International Conference on
Communication Software and Networks. ICCSN. IEEE, pp. 107–111.
Farash, M.S., Turkanović, M., Kumari, S., Hölbl, M., 2016. An efficient user authentica-
tion and key agreement scheme for heterogeneous wireless sensor network tailored
for the Internet of Things environment. Ad Hoc Netw. 36, 152–176.
Fayad, A., Hammi, B., Khatoun, R., Serhrouchni, A., 2019. A blockchain-based
lightweight authentication solution for IoT. In: 2019 3rd Cyber Security in
Networking Conference. CSNet. pp. 28–34.
Feng, W., Qin, Y., Zhao, S., Feng, D., 2018. AAoT: Lightweight attestation and
authentication of low-resource things in IoT and CPS. Comput. Netw. 134, 167–182.
Feng, Y., Wang, W., Weng, Y., Zhang, H., 2017. A replay-attack resistant authentication
scheme for the internet of things. In: 2017 IEEE International Conference on
Computational Science and Engineering (CSE) and IEEE International Conference
on Embedded and Ubiquitous Computing (EUC), vol. 1. IEEE, pp. 541–547.
Fotouhi, M., Bayat, M., Das, A.K., Far, H.A.N., Pournaghi, S.M., Doostari, M., 2020.
A lightweight and secure two-factor authentication scheme for wireless body area
networks in health-care IoT. Comput. Netw. 177, 107333.
Frustaci, M., Pace, P., Aloi, G., Fortino, G., 2017. Evaluating critical security issues
of the IoT world: Present and future challenges. IEEE Internet Things J. 5 (4),
2483–2495.
Fu, J., Wu, C., Chen, X., Fan, R., Ping, L., 2010. Scalable pseudo random RFID
private mutual authentication. In: 2010 2nd International Conference on Computer
Engineering and Technology, vol. 7. IEEE, pp. V7–497.
Garg, N., Wazid, M., Das, A.K., Singh, D.P., Rodrigues, J.J.P.C., Park, Y., 2020. BAKMP-
IoMT: Design of blockchain enabled authenticated key management protocol for
internet of medical things deployment. IEEE Access 8, 95956–95977. http://dx.
doi.org/10.1109/ACCESS.2020.2995917.
Glouche, Y., Genet, T., Heen, O., Courtay, O., 2006. A security protocol animator tool
for AVISPA. In: ARTIST2 Workshop on Security Specification and Verification of
Embedded Systems, Pisa.
Gope, P., Hwang, T., 2015. A realistic lightweight authentication protocol preserving
strong anonymity for securing RFID system. Comput. Secur. 55, 271–280.
Gu, Z., Chen, H., Xu, P., Li, Y., Vucetic, B., 2020. Physical layer authentication for non-
coherent massive SIMO-enabled industrial IoT communications. IEEE Trans. Inf.
Forensics Secur. 15, 3722–3733. http://dx.doi.org/10.1109/TIFS.2020.2998947.
Gui, Y.-Q., Zhang, J., 2013. A new authentication RFID protocol with ownership
transfer. In: 2013 International Conference on ICT Convergence. ICTC. IEEE, pp.
359–364.
Guo, S., Hu, X., Guo, S., Qiu, X., Qi, F., 2020a. Blockchain meets edge computing:
A distributed and trusted authentication system. IEEE Trans. Ind. Inf. 16 (3),
1972–1983.
Guo, S., Wang, F., Zhang, N., Qi, F., Qiu, X., 2020b. Masterslave chain based trusted
cross-domain authentication mechanism in IoT. J. Netw. Comput. Appl. 172,
102812.
Hamadaqa, E., Adi, W., 2020. Clone-resistant authentication for medical operating
environment. In: 2020 Fourth World Conference on Smart Trends in Systems,
Security and Sustainability. WorldS4. pp. 757–762. http://dx.doi.org/10.1109/
WorldS450073.2020.9210306.
Hameed, A., Alomary, A., 2019. Security issues in IoT: A survey. In: 2019 Interna-
tional Conference on Innovation and Intelligence for Informatics, Computing, and
Technologies. 3ICT. pp. 1–5. http://dx.doi.org/10.1109/3ICT.2019.8910320.
Hammi, M.T., Hammi, B., Bellot, P., Serhrouchni, A., 2018. Bubbles of Trust: A
decentralized blockchain-based authentication system for IoT. Comput. Secur. 78,
126–142.
18
Journal of Network and Computer Applications 204 (2022) 103414
Hammi, M.T., Livolant, E., Bellot, P., Serhrouchni, A., Minet, P., 2017. A lightweight
mutual authentication protocol for the IoT. In: International Conference on Mobile
and Wireless Technology. Springer, pp. 3–12.
Hao, P., Wang, X., Shen, W., 2018. A collaborative PHY-aided technique for end-to-end
IoT device authentication. IEEE Access 6, 42279–42293.
Hu, Y.-C., Perrig, A., Johnson, D., 2006. Wormhole attacks in wireless networks. IEEE
J. Sel. Areas Commun. 24 (2), 370–380.
Huang, P., Guo, L., Li, M., Fang, Y., 2019. Practical privacy-preserving ECG-based
authentication for IoT-based healthcare. IEEE Internet Things J. 6 (5), 9200–9210.
http://dx.doi.org/10.1109/JIOT.2019.2929087.
Huang, J.-C., Shu, M.-H., Hsu, B.-M., Hu, C.-M., 2020. Service architecture of IoT
terminal connection based on blockchain identity authentication system. Comput.
Commun. 160, 411–422.
Hussain Al-Naji, F., Zagrouba, R., 2020. CAB-IoT: COntinuous authentication architec-
ture based on blockchain for Internet of Things. J. King Saud Univ. Comput. Inf.
Sci.
Jablon, D.P., 1996. Strong password-only authenticated key exchange. ACM SIGCOMM
Comput. Commun. Rev. 26 (5), 5–26.
Jahankhani, H., Hosseinian-far, A., 2014. Digital forensics education, training and
awareness. In: Cyber Crime and Cyber Terrorism Investigator’s Handbook. Elsevier,
pp. 91–100.
Jan, M.A., Usman, M., He, X., Ur Rehman, A., 2019. SAMS: A seamless and authorized
multimedia streaming framework for WMSN-based IoMT. IEEE Internet Things J.
6 (2), 1576–1583. http://dx.doi.org/10.1109/JIOT.2018.2848284.
Jang, J., Kwon, T., Song, J., 2007. A time-based key management protocol for wireless
sensor networks. In: International Conference on Information Security Practice and
Experience. Springer, pp. 314–328.
Jiang, Q., Zeadally, S., Ma, J., He, D., 2017. Lightweight three-factor authentication
and key agreement protocol for internet-integrated wireless sensor networks. IEEE
Access 5, 3376–3392.
Jiao, S., Liu, R.P., 2019. A survey on physical authentication methods for smart objects
in IoT ecosystem. Internet of Things 6, 100043.
Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D., 2014. Security of the Internet of
Things: perspectives and challenges. Wirel. Netw. 20 (8), 2481–2501.
Kalra, S., Sood, S.K., 2015a. Advanced password based authentication scheme for
wireless sensor networks. J. Inf. Secur. Appl. 20, 37–46.
Kalra, S., Sood, S.K., 2015b. Secure authentication scheme for IoT and cloud servers.
Pervasive Mob. Comput. 24, 210–223.
Katz, J., Menezes, A.J., Van Oorschot, P.C., Vanstone, S.A., 1996. Handbook of Applied
Cryptography. CRC Press.
Khalid, U., Asim, M., Baker, T., Hung, P.C., Tariq, M.A., Rafferty, L., 2020. A decen-
tralized lightweight blockchain-based authentication mechanism for IoT systems.
Cluster Comput. 1–21.
Khan, M.K., Alghathbar, K., 2010. Cryptanalysis and security improvements of
‘two-factor user authentication in wireless sensor networks’. Sensors 10 (3),
2450–2459.
Khor, J.H., Sidorov, M., 2018. Weakness of ultra-lightweight mutual authentication
protocol for IoT devices using RFID tags. In: 2018 Eighth International Conference
on Information Science and Technology. ICIST. IEEE, pp. 91–97.
Lavanya, M., Natarajan, V., 2017. Lightweight key agreement protocol for IoT based
on IKEv2. Comput. Electr. Eng. 64, 580–594.
Lee, Y., 2013. Smart-card-loss-attack and improvement of Hsiang et al.’s authentication
scheme. J. Appl. Res. Technol. 11 (4), 597–603.
Lee, Y.K., Batina, L., Singelee, D., Preneel, B., Verbauwhede, I., 2010. Anti-
counterfeiting, untraceability and other security challenges for RFID systems:
Public-key-based protocols and hardware. In: Towards Hardware-Intrinsic Security.
Springer, pp. 237–257.
Lee, Y.K., Batina, L., Verbauwhede, I., 2008. EC-RAC (ECDLP based randomized access
control): Provably secure RFID authentication protocol. In: 2008 IEEE International
Conference on RFID. IEEE, pp. 97–104.
Lee, Y.K., Batina, L., Verbauwhede, I., 2009. Untraceable RFID authentication protocols:
Revision of EC-RAC. In: 2009 IEEE International Conference on RFID. IEEE, pp.
178–185.
Lee, J., Kim, S., Cho, Y., Chung, Y., Park, Y., 2012. HORSIC: An efficient one-time
signature scheme for wireless sensor networks. Inform. Process. Lett. 112 (20),
783–787.
Li, C.-T., Lee, C.-C., Weng, C.-Y., Chen, C.-M., 2018. Towards secure authenticating of
cache in the reader for RFID-based IoT systems. Peer-To-Peer Netw. Appl. 11 (1),
198–208.
Li, X., Liu, T., Obaidat, M.S., Wu, F., Vijayakumar, P., Kumar, N., 2020. A lightweight
privacy-preserving authentication protocol for VANETs. IEEE Syst. J. 14 (3),
3547–3557. http://dx.doi.org/10.1109/JSYST.2020.2991168.
Li, X., Liu, Y., Yin, X., 2019. An anonymous conditional privacy-preserving au-
thentication scheme for VANETs. In: 2019 IEEE 21st International Conference
on High Performance Computing and Communications; IEEE 17th International
Conference on Smart City; IEEE 5th International Conference on Data Science and
Systems. HPCC/SmartCity/DSS. pp. 1763–1770. http://dx.doi.org/10.1109/HPCC/
SmartCity/DSS.2019.00242.
Li, X., Niu, J., Bhuiyan, M.Z.A., Wu, F., Karuppiah, M., Kumari, S., 2017. A robust ECC-
based provable secure authentication protocol with privacy preserving for industrial
Internet of Things. IEEE Trans. Ind. Inf. 14 (8), 3599–3609.
A. Kumar et al.
Li, W., Wang, P., 2019. Two-factor authentication in industrial Internet-of-Things:
Attacks, evaluation and new construction. Future Gener. Comput. Syst. 101,
694–708.
Liang, L., Zheng, K., Sheng, Q., Huang, X., 2016. A denial of service attack method for
an IoT system. In: 2016 8th International Conference on Information Technology
in Medicine and Education. ITME. IEEE, pp. 360–364.
Liao, Y.-P., Hsiao, C.-M., 2014. A secure ECC-based RFID authentication scheme
integrated with ID-verifier transfer protocol. Ad Hoc Netw. 18, 133–146.
Lin, C., He, D., Kumar, N., Huang, X., Vijayakumar, P., Choo, K.-K.R., 2020. HomeChain:
A blockchain-based secure mutual authentication system for smart homes. IEEE
Internet Things J. 7 (2), 818–829.
Lin, J., Yu, W., Zhang, N., Yang, X., Zhang, H., Zhao, W., 2017. A survey on Internet of
Things: Architecture, enabling technologies, security and privacy, and applications.
IEEE Internet Things J. 4 (5), 1125–1142.
Liu, Y., Li, J., Guo, M., 2012. Long duration broadcast authentication for wireless sensor
networks. In: 2012 IEEE 75th Vehicular Technology Conference. VTC Spring. IEEE,
pp. 1–5.
Liu, D., Ning, P., 2004. Multilevel 𝜇TESLA: Broadcast authentication for distributed
sensor networks. ACM Trans. Embedded Comput. Syst. (TECS) 3 (4), 800–836.
Liu, H., Wang, H., Gu, H., 2020. HPBS: A hybrid proxy based authentication scheme in
VANETs. IEEE Access 8, 161655–161667. http://dx.doi.org/10.1109/ACCESS.2020.
3021408.
Lu, D., Han, R., Shen, Y., Dong, X., Ma, J., Du, X., Guizani, M., 2021. xTSeH: A trusted
platform module sharing scheme towards smart IoT-ehealth devices. IEEE J. Sel.
Areas Commun. 39 (2), 370–383. http://dx.doi.org/10.1109/JSAC.2020.3020658.
Lu, Z., Wang, Q., Qu, G., Zhang, H., Liu, Z., 2019. A blockchain-based privacy-
preserving authentication scheme for VANETs. IEEE Trans. Very Large Scale Integr.
(VLSI) Syst. 27 (12), 2792–2801. http://dx.doi.org/10.1109/TVLSI.2019.2929420.
Luk, M., Perrig, A., Whillock, B., 2006. Seven cardinal properties of sensor network
broadcast authentication. In: Proceedings of the Fourth ACM Workshop on Security
of Ad Hoc and Sensor Networks. ACM, pp. 147–156.
Mawgoud, A.A., Karadawy, A.I., Tawfik, B.S., 2019. A secure authentication technique
in internet of medical things through machine learning. ArXiv preprint arXiv:
1912.12143.
Meneghello, F., Calore, M., Zucchetto, D., Polese, M., Zanella, A., 2019. IoT: Internet
of threats? A survey of practical security vulnerabilities in real IoT devices.
IEEE Internet Things J. 6 (5), 8182–8201. http://dx.doi.org/10.1109/JIOT.2019.
2935189.
Mohammad, Z., Abusukhon, A., Qattam, T.A., 2019. A survey of authenticated key
agreement protocols for securing IoT. In: 2019 IEEE Jordan International Joint
Conference on Electrical Engineering and Information Technology. JEEIT. pp.
425–430. http://dx.doi.org/10.1109/JEEIT.2019.8717529.
Mohammed, R.S., Mohammed, A.H., Abbas, F.N., 2019. Security and privacy in
the Internet of Things (IoT): Survey. In: 2019 2nd International Conference on
Electrical, Communication, Computer, Power and Control Engineering. ICECCPCE.
pp. 204–208. http://dx.doi.org/10.1109/ICECCPCE46549.2019.203774.
Moosavi, S.R., Nigussie, E., Virtanen, S., Isoaho, J., 2014. An elliptic curve-based
mutual authentication scheme for RFID implant systems. Procedia Comput. Sci.
32, 198–206.
Mundhe, P., Yadav, V.K., Verma, S., Venkatesan, S., 2020. Efficient lattice-based ring
signature for message authentication in VANETs. IEEE Syst. J. 14 (4), 5463–5474.
http://dx.doi.org/10.1109/JSYST.2020.2980297.
Nesteruk, S., Bezzateev, S., 2018. Location-based protocol for the pairwise authenti-
cation in the networks without infrastructure. In: 2018 22nd Conference of Open
Innovations Association. FRUCT. IEEE, pp. 190–197.
Newgenapps, 2018. 13 IoT statistics defining the future of Internet of
Things. https://www.newgenapps.com/blog/iot-statistics-internet-of-things-future-
research-data. [Online; accessed 01-Sept-2019].
Odelu, V., Saha, S., Prasath, R., Sadineni, L., Conti, M., Jo, M., 2019. Efficient privacy
preserving device authentication in WBANs for industrial e-health applications.
Comput. Secur. 83, 300–312.
Paliwal, S., 2019. Hash-based conditional privacy preserving authentication and key
exchange protocol suitable for industrial Internet of Things. IEEE Access 7,
136073–136093. http://dx.doi.org/10.1109/ACCESS.2019.2941701.
Patil, A.S., Hamza, R., Hassan, A., Jiang, N., Yan, H., Li, J., 2020. Efficient privacy-
preserving authentication protocol using PUFs with blockchain smart contracts.
Comput. Secur. 97, 101958.
Perrig, A., 2001. The BiBa one-time signature and broadcast authentication protocol.
In: Proceedings of the 8th ACM Conference on Computer and Communications
Security. ACM, pp. 28–37.
Perrig, A., Canetti, R., Tygar, J.D., Song, D., 2000. Efficient authentication and signing
of multicast streams over lossy channels. In: Proceeding 2000 IEEE Symposium on
Security and Privacy. S&P 2000. IEEE, pp. 56–73.
Perrig, A., Szewczyk, R., Tygar, J.D., Wen, V., Culler, D.E., 2002. SPINS: Security
protocols for sensor networks. Wirel. Netw. 8 (5), 521–534.
Pieprzyk, J., Wang, H., Xing, C., 2003. Multiple-time signature schemes against
adaptive chosen message attacks. In: International Workshop on Selected Areas
in Cryptography. Springer, pp. 88–100.
19
Journal of Network and Computer Applications 204 (2022) 103414
Porambage, P., Schmitt, C., Kumar, P., Gurtov, A., Ylianttila, M., 2014. Two-phase
authentication protocol for wireless sensor networks in distributed IoT applications.
In: 2014 IEEE Wireless Communications and Networking Conference. WCNC. IEEE,
pp. 2728–2733.
Quora, 2015. What is exactly backward secrecy property in cryptography,
attribute-based encryption? https://www.quora.com/What-is-exactly-backward-
secrecy-property-in-cryptography-attribute-based-encryption. [Online; accessed
01-Sept-2019].
Reyzin, L., Reyzin, N., 2002. Better than BiBa: Short one-time signatures with fast
signing and verifying. In: Australasian Conference on Information Security and
Privacy. Springer, pp. 144–153.
Rezaeibagha, F., Mu, Y., Huang, X., Yang, W., Huang, K., 2019. Fully secure lightweight
certificateless signature scheme for IIoT. IEEE Access 7, 144433–144443. http:
//dx.doi.org/10.1109/ACCESS.2019.2944631.
Roy, K.S., Kalita, H.K., 2017. A survey on authentication schemes in IoT. In: 2017
International Conference on Information Technology. ICIT. pp. 202–207. http:
//dx.doi.org/10.1109/ICIT.2017.56.
Shah, T., Venkatesan, S., 2018. Authentication of IoT device and IoT server using secure
vaults. In: 2018 17th IEEE International Conference on Trust, Security and Privacy
in Computing and Communications/12th IEEE International Conference on Big Data
Science and Engineering. TrustCom/BigDataSE. IEEE, pp. 819–824.
Sharma, V., You, I., Andersson, K., Palmieri, F., Rehmani, M.H., Lim, J., 2020. Security,
privacy and trust for smart mobile- Internet of Things (M-IoT): A survey. IEEE
Access 8, 167123–167163. http://dx.doi.org/10.1109/ACCESS.2020.3022661.
Shen, M., Liu, H., Zhu, L., Xu, K., Yu, H., Du, X., Guizani, M., 2020. Blockchain-assisted
secure device authentication for cross-domain industrial IoT. IEEE J. Sel. Areas
Commun. 38 (5), 942–954. http://dx.doi.org/10.1109/JSAC.2020.2980916.
Shuai, M., Xiong, L., Wang, C., Yu, N., 2020. A secure authentication scheme with
forward secrecy for industrial Internet of Things using Rabin cryptosystem. Comput.
Commun. 160, 215–227.
Singh, K.P., Rishiwal, V., Kumar, P., 2018. Classification of data to enhance data
security in cloud computing. In: 2018 3rd International Conference on Internet
of Things: Smart Innovation and Usages. IoT-SIU. IEEE, pp. 1–5.
Song, R., 2010. Advanced smart card based password authentication protocol. Comput.
Stand. Interfaces 32 (5–6), 321–325.
Soni, P., Pal, A.K., Islam, S.H., 2019. An improved three-factor authentication scheme
for patient monitoring using WSN in remote health-care system. Comput. Methods
Programs Biomed. 182, 105054.
Stergiou, C., Psannis, K.E., Gupta, B.B., Ishibashi, Y., 2018. Security, privacy &
efficiency of sustainable cloud computing for big data & IoT. Sustain. Comput.:
Inform. Syst. 19, 174–184.
Tan, H., Chung, I., 2020. Secure authentication and key management with blockchain
in VANETs. IEEE Access 8, 2482–2498. http://dx.doi.org/10.1109/ACCESS.2019.
2962387.
Tewari, A., Gupta, B., 2017. Cryptanalysis of a novel ultra-lightweight mutual au-
thentication protocol for IoT devices using RFID tags. J. Supercomput. 73 (3),
1085–1102.
Tewari, A., Gupta, B., 2018. A robust anonymity preserving authentication protocol
for IoT devices. In: 2018 IEEE International Conference on Consumer Electronics.
ICCE. IEEE, pp. 1–5.
Tewari, A., Gupta, B., 2020. Security, privacy and trust of different layers in
Internet-of-Things (IoTs) framework. Future Gener. Comput. Syst. 108, 909–920.
Tian, Z., Yan, B., Guo, Q., Huang, J., Du, Q., 2020. Feasibility of identity authentication
for IoT based on blockchain. Procedia Comput. Sci. 174, 328–332.
Turkanović, M., Brumen, B., Hölbl, M., 2014. A novel user authentication and key
agreement scheme for heterogeneous ad hoc wireless sensor networks, based on
the Internet of Things notion. Ad Hoc Netw. 20, 96–112.
Tuyls, P., Batina, L., 2006. RFID-tags for anti-counterfeiting. In: Cryptographers’ Track
at the RSA Conference. Springer, pp. 115–131.
Uddin, M.A., Stranieri, A., Gondal, I., Balasubramanian, V., 2021. A survey on the
adoption of blockchain in IoT: Challenges and solutions. Blockchain: Res. Appl.
100006.
Vaidya, B., Makrakis, D., Mouftah, H.T., 2010. Improved two-factor user authentication
in wireless sensor networks. In: 2010 IEEE 6th International Conference on Wireless
and Mobile Computing, Networking and Communications. IEEE, pp. 600–606.
Vangala, A., Sutrala, A.K., Das, A.K., Jo, M., 2021. Smart contract-based blockchain-
envisioned authentication scheme for smart farming. IEEE Internet Things J.
1.
Vaudenay, S., 2007. On privacy models for RFID. In: International Conference on
the Theory and Application of Cryptology and Information Security. Springer, pp.
68–87.
Verma, G.K., Singh, B., Kumar, N., Obaidat, M.S., He, D., Singh, H., 2020. An efficient
and provable certificate-based proxy signature scheme for IIoT environment.
Inform. Sci. 518, 142–156.
Virat, M.S., Bindu, S., Aishwarya, B., Dhanush, B., Kounte, M.R., 2018. Security and
privacy challenges in Internet of Things. In: 2018 2nd International Conference on
Trends in Electronics and Informatics. ICOEI. IEEE, pp. 454–460.
Vishwakarma, L., Das, D., 2021. SCAB - IoTA: Secure communication and authentication
for IoT applications using blockchain. J. Parallel Distrib. Comput. 154, 94–105.
A. Kumar et al. Journal of Network and Computer Applications 204 (2022) 103414

Wang, K.-H., Chen, C.-M., Fang, W., Wu, T.-Y., 2017. A secure authentication scheme Ashish Kumar received his M.Tech degree from Lovely Professional University. His
for Internet of Things. Pervasive Mob. Comput. 42, 15–26. main research areas are Internet of Things, Cyber Physical Systems and Blockchain
Wang, X., Gao, F., Zhang, J., Feng, X., Hu, X., 2020. Cross-domain authentication Technology.
mechanism for power terminals based on blockchain and credibility evaluation.
In: 2020 5th International Conference on Computer and Communication Systems.
ICCCS. pp. 936–940. Rahul Saha is working as a Post Doctoral Researcher at University of Padua and
Wang, X., Hao, P., Hanzo, L., 2016. Physical-layer authentication for wireless security Associate Professor in Lovely Professional University, Punjab India and did his B.Tech
enhancement: current challenges and future developments. IEEE Commun. Mag. 54 from Academy of Technology, West Bengal in Computer Science Engineering, M.Tech
(6), 152–158. and Ph.D. from Lovely Professional University, Punjab India with area of specialization
Wang, P., Liu, Y., 2021. SEMA: Secure and efficient message authentication protocol in Cryptography, Position and Location computation in Wireless Sensor Networks. He
for VANETs. IEEE Syst. J. 15 (1), 846–855. http://dx.doi.org/10.1109/JSYST.2021. has many publications in well renowned International journals and Conferences.
3051435.
Wang, M., Zhang, G., Zhang, C., Zhang, J., Li, C., 2013. An IoT-based appliance control
Mauro Conti received his M.Sc. and his Ph.D. in Computer Science (advisor Prof. Luigi
system for smart homes. In: 2013 Fourth International Conference on Intelligent
V. Mancini) from Sapienza University of Rome, Italy , in 2005 and 2009, respectively.
Control and Information Processing. ICICIP. IEEE, pp. 744–747.
In 2008, he was Visiting Researcher (supervised by Prof. Sushil Jajodia) at the Center
Wu, Q., Mu, Y., Susilo, W., Qin, B., Domingo-Ferrer, J., 2009. Asymmetric group key
for Secure Information Systems (CSIS) at George Mason University, Fairfax, VA, USA .
agreement. In: Annual International Conference on the Theory and Applications of
In 2009 he was selected for the ERCIM (European Research Consortium for Informatics
Cryptographic Techniques. Springer, pp. 153–170.
and Mathematics) ‘‘Alain Bensoussan’’ Fellowship (currently a EU Marie Curie COFUND
Xiong, H., Wu, Y., Jin, C., Kumari, S., 2020. Efficient and privacy-preserving authenti-
action) . From 2009 to 2011 he was Post Doctoral Researcher (supervised by Prof.
cation protocol for heterogeneous systems in IIoT. IEEE Internet Things J. 7 (12),
Andrew S. Tanenbaum and Prof. Bruno Crispo) at Vrije Universiteit Amsterdam, The
11713–11724. http://dx.doi.org/10.1109/JIOT.2020.2999510.
Netherlands . In November 2010, he was visiting researcher at UCLA — University
Xue, K., Ma, C., Hong, P., Ding, R., 2013. A temporal-credential-based mutual
of California, Los Angeles, CA, USA (working with Prof. Mario Gerla). In 2011, he
authentication and key agreement scheme for wireless sensor networks. J. Netw.
joined University of Padua, Italy , (among the best Italian universities) as Assistant
Comput. Appl. 36 (1), 316–323.
Professor (tenured faculty). In the summer of 2012, 2013, and 2014 he was visiting
Yang, M.H., 2012. Secure multiple group ownership transfer protocol for mo-
Assistant Professor at UCI — University of California, Irvine, CA, USA (working with
bile RFID. Electron. Commer. Res. Appl. 11 (4), 361–373, https://doi.org/10.
Prof. Gene Tsudik). From 2012, he is a EU Marie Curie Fellow . In October–November
1016/j.elerap.2012.01.004. URL: https://www.sciencedirect.com/science/article/
2013 he was a DAAD Fellow at the Center for Advance Security Research Darmstadt
pii/S1567422312000142.
(CASED), TU Darmstadt, Germany (working with Prof. Ahmad-Reza Sadeghi). In 2014,
Yang, M.H., Hu, H.Y., 2012. Protocol for ownership transfer across authorities: with
he was elevated to the IEEE Senior Member grade and in 2020 to the ACM Senior
the ability to assign transfer target. Secur. Commun. Netw. 5 (2), 164–177.
Member grade. In 2015 he became Associate Professor, and Full Professor in 2018. He
Yang, X., Shi, P., Tian, B., Zeng, B., Xiao, W., 2014. Trust-e: a trusted embedded
is member of the Blockchain Expert Panel of the Italian Government. In 2021 he was
operating system based on the arm trustzone. In: 2014 IEEE 11th Intl Conf on
nominated Fellow of the Young Academy of Europe (YAE). From 2020, he is Head of
Ubiquitous Intelligence and Computing and 2014 IEEE 11th Intl Conf on Autonomic
Studies of the Master Degree in Cybersecurity at University of Padua.
and Trusted Computing and 2014 IEEE 14th Intl Conf on Scalable Computing and
His research interests are mainly in the area of security and privacy. In this
Communications and Its Associated Workshops. IEEE, pp. 495–501.
area, he published more than 400 papers in topmost international peer-reviewed
Yavari, M., Safkhani, M., Kumari, S., Kumar, S., Chen, C.-M., 2020. An improved
journals and conferences, including IEEE TIFS, IEEE TDSC, ACM TOPS, IEEE TPDS,
blockchain-based authentication protocol for IoT network management. Secur.
ACM TWEB, ACM/IEEE TON, IEEE TSC, IEEE COMST, ACM CCS, IEEE S&P, Usenix
Commun. Netw. 2020.
Security, NDSS, ACM AsiaCCS, ACM WiSec, ACM SACMAT, ACM MobiHoc, ACNS,
Yeh, H.-L., Chen, T.-H., Liu, P.-C., Kim, T.-H., Wei, H.-W., 2011. A secured authen-
IEEE ICDCS, and ESORICS. He is Area Editor in Chief for IEEE COMST- Vehicular and
tication protocol for wireless sensor networks using elliptic curves cryptography.
Sensor Communications, and has been Associate Editor for several journals, including
Sensors 11 (5), 4767–4779.
IEEE COMST, IEEE TIFS, IEEE TNSM, IEEE TDSC and Elsevier Computer Networks,
Yin, Y., Xu, M., Zhang, Q., Chen, J., 2017. Cryptanalysis of a new lightweight
and he served as Program Committee member of several conferences, including ACM
RFID mutual authentication protocol with cache in reader for IoT. In: 2017
AsiaCCS, ACM WiSec, ACM CODASPY, ACM SACMAT, IEEE INFOCOM, IEEE CNS,
IEEE 2nd Information Technology, Networking, Electronic and Automation Control
IEEE PASSAT, IEEE MASS, and ACNS. He was General Chair for several conferences,
Conference. ITNEC. IEEE, pp. 909–913.
including SecureComm 2012, ACM SACMAT 2013 and ACSN 2022, and Program Chair
Zhang, Y., Li, B., Liu, B., Hu, Y., Zheng, H., 2021. A privacy-aware PUFs-based multi-
for several conferences, including ICISS 2016, WiSec 2017, ACNS 2020 and CANS 2021.
server authentication protocol in cloud-edge IoT systems using blockchain. IEEE
Internet Things J. 1.
Zhang, C., Xue, X., Feng, L., Zeng, X., Ma, J., 2019. Group-signature and group session Gulshan Kumar is working as a Post Doctoral Researcher at University of Padua
key combined safety message authentication protocol for VANETs. IEEE Access 7, and Associate Professor in Lovely Professional University, Punjab India and did his
178310–178320. http://dx.doi.org/10.1109/ACCESS.2019.2958356. B.Tech from Amritsar College of Engineering, Amritsar (2009) in Computer Science
Zhaofeng, M., Jialin, M., Jihui, W., Zhiguang, S., 2021. Blockchain-based decentralized Engineering, M.Tech and Ph.D. from Lovely Professional University, Punjab India
authentication modeling scheme in edge and IoT environment. IEEE Internet Things with area of specialization in Position and Location computation in Wireless Sensor
J. 8 (4), 2116–2123. http://dx.doi.org/10.1109/JIOT.2020.3037733. Networks. He has many publications in well renowned International journals and
Zhou, J., Cao, Z., Qin, Z., Dong, X., Ren, K., 2020. LPPA: Lightweight privacy-preserving Conferences.
authentication from efficient multi-key secure outsourced computation for location-
based services in VANETs. IEEE Trans. Inf. Forensics Secur. 15, 420–434. http:
//dx.doi.org/10.1109/TIFS.2019.2923156. William J. Buchanan is currently a Professor of cryptography, and was awarded
Zhou, L., Li, X., Yeh, K.-H., Su, C., Chiu, W., 2019. Lightweight IoT-based authenti- an OBE for his services to Cybersecurity, in 2017. He also leads the Blockpass ID
cation scheme in cloud computing circumstance. Future Gener. Comput. Syst. 91, Lab, Edinburgh Napier University. He has authored 30 academic books and over 250
244–251. research articles. His main research interests include distributed ledger technology,
Zhu, S., Setia, S., Jajodia, S., 2006. LEAP+: Efficient security mechanisms for large-scale identity systems, trust-based infrastructures, and cryptography. Along with this his work
distributed sensor networks. ACM Trans. Sensor Netw. 2 (4), 500–528. has supported the creation of a number of spin-out companies and international patents.
Zhu, F., Wu, W., Zhang, Y., Chen, X., 2019. Privacy-preserving authentication for
general directed graphs in industrial IoT. Inform. Sci. 502, 218–228.
Tai-hoon Kim received B.E., and M.E., degrees from Sungkyunkwan University in Korea
and Ph.D. degrees from University of Bristol in UK and University of Tasmania in
Australia. His main research areas are security engineering for IT products, IT systems,
development processes, and operational environments.

20