Computers & Security 125 (2023) 103053

Contents lists available at ScienceDirect

Computers & Security

journal homepage: www.elsevier.com/locate/cose

A Systematic Security Assessment and Review of Internet of Things in

the Context of Authentication
Manasha Saqib∗, Ayaz Hassan Moon
School of Engineering and Technology, Islamic University of Science & Technology, Kashmir, India

a r t i c l e i n f o a b s t r a c t

Article history: The Internet of Things is emerging globally as an intriguing trend expected to connect 15 billion devices
Received 30 May 2022 by the end of 2022. Its ability to bring intelligence and automation to various application domains pro-
Revised 7 October 2022
vides a plethora of opportunities while posing severe security challenges. Lack of proper authentication
Accepted 4 December 2022
has been attributed to data disclosure’s perils over wireless communication channels. Therefore, authen-
Available online 6 December 2022
tication as an essential security tenet continues to be a highly researched area, especially in resource
Keywords: constraint networks like IoT and IIoT. This paper constructs a comprehensive systematic literature review
Internet of Things (IoT) to identify and synthesize security issues in IoT from the perspective of authentication mechanisms. Ini-
Systematic literature review tially, the prevalent security and privacy issues are identified, followed by the explanation of security
Security threats across various layers of the IoT architecture. Additionally, the countermeasures available for ad-
Authentication dressing security issues are also covered. The highlight of the review is to present a literature review of
various authentication mechanisms and different formal security evaluations holistically required for IoT
authentication. Moreover, a comparative analysis of some of the popular existing authentication mech-
anisms designed for the IoT in terms of various performance parameters like computational, communi-
cation overhead, and energy consumption has also been covered. Finally, the paper discusses the typical
methods for assessing network security and network simulator tools used to evaluate the performance
parameters of authentication schemes. This review paper attempts to assist researchers in identifying the
existing research gaps in various forms of authentication employed in a typical resource constraint net-
work like IoT that would lead them to develop new solutions. The protocol provided by Kitchenham and
Charters has been used to perform this Systematic Literature Review.
© 2022 Elsevier Ltd. All rights reserved.

1. Introduction lion by 2030 (Strategy Analytics 2022). Additionally, the prolifer-

The Internet of Things is defined as a global information in-
frastructure for the digital age in which connected objects, soft-
ware applications, and smart systems collect and process data
from the physical world, providing various services to end-users
(itu.int 2022). IoT is emerging as an important enabling tech-
nology to bring intelligence and automation to different applica-
tion fields. Smart cities, smart health, smart homes, smart manu-
facturing, smart environment, wearable devices, etc., use impact-
ful IoT technology (Zeng et al., 2017,Sosa-Reyna et al., 2018). The
premise of IoT is to enable access to anything by anyone, from
anywhere, at any time. Some key tailwinds identified for this ex-
pansion include maturing technologies like AI, 5 G, Cloud services,
etc. According to Strategy Analytics, more than 38 billion con-
nected objects will be connected by the end of 2025 and 50 bil-
∗
Corresponding author.
E-mail address: manasha.saqib@islamicuniversity.edu.in (M. Saqib).
ation of network-connected devices has considerably contributed
to the alarming security challenges confronting the IoT world. The
perpetual increase in the number of IoT devices creates additional
susceptibilities if these devices are not authenticated before com-
municating perilous data, with the risk of disclosing users’ private
information in a wireless environment. Its ability and ambient in-
telligence provides a plethora of opportunities to achieve Sustain-
ability Goals but pose several security challenges. The most signif-
icant challenges pertaining to the security and privacy of IoT de-
vices (Zhao and Ge, 2013). These devices lack adequate computing
platforms, and their communications are frequently wireless, mak-
ing them vulnerable to several attacks. In addition, the number of
devices that connect to the public network grows over time.
Proper security measures will protect both devices and data,
as the data will be relied upon to make informed decisions.
Inadequate security makes it easy for attackers to gain network
access and thereby compromise the confidentiality, integrity,
availability of both devices and data, and nonrepudiation which
can be life-threatening in some cases (El-Hajj et al., 2019). For

https://doi.org/10.1016/j.cose.2022.103053
0167-4048/© 2022 Elsevier Ltd. All rights reserved.
M. Saqib and A.H. Moon
example, maliciously compromising a node can result in the com-
plete failure of the network. Therefore, security must precede data
management, storage, and processing. Numerous security solutions
have been proposed and developed in recent years. But, due to the
unique nature of the IoT landscape, some of these solutions are
inept, unfeasible, and inapplicable. Authentication is one example
of a critical security tenet. It is necessary to consider the various
layers when addressing the security challenges of IoT. The Internet
of Things comprises 3 layers: perception layer, network layer, and
application layer, each of which presents unique challenges. The
application layer, nearest to users, should appropriately handle
authentication aspects while dealing with the heterogeneity of the
network devices (El-Hajj et al., 2019).
Authentication is considered the standard security measure
(Schiller et al., 2022). Each connected device must be authenticated
to ensure that the correct device has access to the proper resources
in the right location. It is a method for avoiding various common
attacks, including replay attacks, man-in-the-middle attacks, imper-
sonation attacks, and denial of service attacks (Ogonji et al., 2020). If
an authentication algorithm is not implemented correctly in a net-
work, an attacker can steal critical credentials, posing a risk to the
network or user. Thus, authentication is a vital security element for
IoT networks because it enables various devices to communicate
with one another and share data in a trusted manner. The user or
device can be validated in the network based on authentication.
Authentication is the initial and most critical step in establishing
secure communication between various IoT users/devices on a net-
work. IoT authentication validates the device/user’s identity. If the
device’s/identity user is negotiated, the network may become vul-
nerable to various attacks (Saqib et al., 2021).
Several studies have also demonstrated that authenticating de-
vices is challenging owing to the variety of connected devices.
Numerous authentication schemes for IoT devices have been pro-
posed and developed (El-Hajj et al., 2019). This paper presents a
Systematic Literature Review of the Internet of Things, emphasiz-
ing authentication-related issues and solutions. It should serve re-
searchers to know the state-of-art authentication frameworks, an-
alyze them, benchmark them against performance parameters, and
identify the research gaps to design appropriate solutions suitable
for resource constraint networks like IoT.
The layout of this paper consists of the following sections: The
applied research method comprises research questions, searching
strategy, and selection criteria are described in Section 2. The pre-
vailing security and privacy issues in IoT Environment are dis-
cussed in Section 3. The security threats and countermeasures
available to address them in an IoT environment are highlighted
in Section 4. Section 5 presents a literature review of various au-
thentication mechanisms in IoT. Section 6 deals with how IoT au-
thentication is subjected to formal security evaluations. A compar-
ative analysis of some of the popular existing authentication mech-
anisms designed for the IoT in terms of various performance pa-
rameters like computational, communication overhead, and the en-
ergy consumption is presented in Section 7. Section 8 discusses the
typical methods for assessing network security. Network simula-
tor tools used to evaluate the performance parameters of authen-
tication schemes is discussed in Section 9. Section 10 presents key
challenges and future opportunities of IoT. Lastly, Section 11 con-
cludes the paper.
2. Research method
After reviewing the available literature on authentication mech-
anisms in IoT, it was discovered that a systematic literature review
(SLR) is required to accurately assess the amount of work done
on IoT security. As a result, we conducted the same study to fill
a research gap. The protocol provided by Kitchenham and Charters
2
Computers & Security 125 (2023) 103053
(Kitchenham and Charters, 2007) is used to perform this SLR. They
defined systematic literature review as identifying, evaluating, and
interpreting all available research pertaining to a specific research
question, topic area, or phenomenon of interest. We attempted to
follow a logical sequence from planning to execution to reporting
to facilitate the formal assessment of the gathered literature.
2.1. Identification of requirements and research questions
The first step in conducting an SLR is recognizing the need for
the study. In our case, we accomplished this task by identifying
the need to identify gaps and patterns in the IoT security aspects
examined in this study. As a result, some research questions (RQ)
must be identified and addressed using the information gleaned
from the review of relevant studies, which will serve as the pri-
mary studies. The following are the proposed research questions
(RQs) for this study:
• RQ1: What are the most prevailing security and privacy issues
in IoT Environment?
• RQ2: What are the security threats, and what countermeasures
are available to address them in the IoT environment?
• RQ3: Which authentication schemes have been developed for
the IoT environment?
• RQ4: How is IoT authentication subjected to formal security
evaluations?
• RQ5: What are the authentication scheme’s overall computa-
tional, communication overhead, and energy consumption?
• RQ6: How security of the network in IoT is measured?
• RQ7: Which network simulator tools have been used to assess
the performance parameters of authentication schemes?
2.2. Search process
The complete search strategy used to carry out this SLR entails
the following step-by-step procedure:
2.2.1. Selection of databases
This survey included the following digital libraries:
• Springer (https://link.springer.com/)
• MDPI (https://www.mdpi.com/)
• ACM Digital Library (https://dl.acm.org/)
• Google Scholar (https://scholar.google.co.in/)
• Science Direct (https://www.sciencedirect.com)
• IEEE Xplore Digital Library (https://ieeexplore.ieee. org/)
2.2.2. Search terms
The search terms’ primary objective is to include as much liter-
ature as possible in the survey. The keywords focus on IoT security
and several parameters that affect privacy and security. The search
strings incorporated into the paper selection process to adhere to
specifications are (IoT OR Internet of Things) AND (Elliptical curve
cryptography OR Fuzzy) AND (Authentication OR Identity OR Data se-
curity OR lightweight) AND (Threat OR Attack OR Security).
2.2.3. Search procedure
The first step in the search is selecting the literature field using
the previous search string. The second step is to filter out rele-
vant titles and keywords from the literature. The third step entails
choosing the use of abstract selection. Finally, we obtain full-text
articles for review.
2.2.4. Selection criterion
To eliminate ambiguity during the selection process, the basis
for selecting a specific research article that corresponds to the pro-
M. Saqib and A.H. Moon
posed research work must be pre-defined. As a result, the follow-
ing inclusion and exclusion criteria must be followed:
➢ Inclusion criteria:
The following criteria are used to select research arti-
cles/papers:
• Discuss the IoT framework.
• Discuss security and privacy concerns related to the IoT frame-
work.
• Discuss security threats in the IoT environment.
• Discuss authentication schemes that address any security issue.
• Discuss authentication schemes based on Elliptical curve cryp-
tography and fuzzy commitment.
➢ Exclusion criteria:
If one or more of the following conditions are not met, the pa-
pers are rejected:
• The study is unrelated to the Internet of Things.
• The study is irrelevant to IoT security.
• The study does not address IoT authentication schemes
• No abstract is available for the study, or the full text is unavail-
able.
• The study is not written in English, the most frequently used
language in scientific publications.
• There is no proposal for resolving the issue in the study.
3. Security and privacy issues
While IoT offers a plethora of benefits to end-users, it also
raises many security concerns. Because personal data is trans-
mitted across the network for computational analysis and other
purposes, it is susceptible to various attacks. Before achieving
widespread adoption of the Internet of Things, security concerns
must be addressed. The following table summarizes the critical se-
curity issues in the IoT framework, as determined by the primary
studies reviewed, and is shown in Fig. 1.
3.1. Access control
Access control is a security system that enables an administra-
tor to restrict access to specific zones and resources within a given
installation. It protects confidentiality by limiting access to infor-
mation to authorized people and protecting integrity by ensur-
ing that the data is indeed what it appears to be. Recent propos-
als address access control through centralized methods in which
a central entity manages authorization mechanisms and approves
or denies requests from external entities (Hernández-Ramos et al.,
2013). These methods, however, do not ensure complete security
between devices and any Internet host. On the other hand, tra-
ditional access control models do not meet the requirements of
IoT scenarios, resulting in a shortage of flexibility, usability, and
scalability in frameworks with billions of devices. These concerns
can be addressed through a distributed method where "things"
make authorization decisions autonomously from another entity. In
(A.H. Moon et al., 2016), a complete Access Control framework by
leveraging computationally light Hash chains and Elliptical Curve
Cryptography has been proposed.
3.2. Authentication
Authentication is a vital security primitive in any type of
network both at the entity and message level (Moon and Um-
mer, 2016). Authentication is the process of clarifying and assur-
ing an object’s identity. Each object should be able to categorize
and authenticate all other objects in a specific part of the system
3
Computers & Security 125 (2023) 103053
it interacts with through key management systems in an IoT con-
text (Khan and Salah, 2018). Authentication primarily safeguards
the framework’s privacy, respectability, and accessibility. Suppose
an adversary authenticates as an authentic client. In that case, they
can access and modify any client information. They can see (bar-
gaining privacy), alter (compromise the trustworthiness), and delete
or restrict access (bargaining accessibility) in the same way the user
can (Maple, 2017). Client authentication and recognizable proof
remain critical in the Internet of Things. While username/secret
key pairs are the most frequently used structure for authenticat-
ing and distinguishing clients in electronic frameworks, other sys-
tems like shared keys or biometric qualifications can also be used
(Gessner et al., 2012Maple, 2017).
3.3. Authorization
Authorization entails defining access rights to information se-
curity and access control resources, such as healthcare devices.
Humans, services, machines, internal objects (network devices),
or external objects can all be users in the IoT (devices that are
present outside the network). Sensors, for example, should avoid
disclosing data collected to an unauthorised neighbouring node
(Abdmeziem and Tandjaoui, 2014; Aazam et al., 2016). How data
may be managed and controlled in a heterogeneous IoT framework
is another authorization-related challenge. The IoT users must be
aware of the data management mechanisms and the procedure or
administration. They should take steps to protect data throughout
the process (Moosavi et al., 2015).
3.4. Availability
Availability is determined by ensuring that data and resources
are available to authorized users when and where they are needed
(at any time and in any location). The IoT vision is to connect
as many smart devices as possible. Time is a factor that influ-
ences availability, which means making data available without de-
lay. Data is now stored either locally or in the cloud. Attackers
can disrupt availability by launching one of three malicious at-
tacks: a flooding attack, a black hole attack or denial of service
attack. Initially, it is almost certainly used in a situation of avail-
ability. Pirates can either conduct a simple DoS attack or a dis-
tributed DoS attack, which requires the cooperation of multiple
resources. The adversary can flood networks with unwanted mes-
sages to exhaust device resources in a flooding attack. This at-
tack degrades bandwidth, CPU, and memory performance. As a re-
sult, the device may become unavailable or slow communications
(Shah and Venkatesan, 2018).The impact of Route Request flood-
ing attacks on several network performance indicators was investi-
gated in (A.H. Moon et al., 2016). The Route Request flooding attack
degrades the performance of a wireless sensor network by rapidly
exhausting the network’s limited resources. This analysis will aid
in the development of necessary security procedures to counteract
Route Request flooding attacks.
3.5. Big data management
As connected devices grow exponentially, IoT-based solu-
tions generate an enormous amount of data called Big data
(Manyika et al., 2011) ( John Walker, 2014). The first consideration
for an IoT developer is data extraction, which is collecting data
from the appliances and extracting valuable information from
them. Extracting data can significantly impact such a framework,
particularly as the number of devices exceeds a certain threshold.
Data representation is a critical research area with data extrac-
tion because it enables the exchange of information between IoT
systems and other technologies, like ontology and semantic web
M. Saqib and A.H. Moon
Fig. 1. Security Issues in Internet of Things.
technologies (Das, 2015). To deal with the complex and large
amount of data collected from sensors installed on structures, big
data solutions are introduced in (Tokognon and Gao, 2017). Big
data service architecture is a new service economic model that
uses data as a resource to load and extract data from many data
sources. For service users, this service architecture offers a variety
of customizable data processing methods, data analysis, and visu-
alization capabilities. The general big data service architecture and
the technical processing framework encompassed data collecting
and storage was introduced in (J. Wang et al., 2020). They dis-
cussed big data processing and analysis concerning various service
requirements, which can provide useful data to service users.
3.6. Confidentiality
Confidentiality is confirming that only authorized individuals
have access to information. Wireless communication is the pri-
mary communication between devices and the gateway, which in-
troduces security risks. Eavesdropping, for example, is a significant
issue in WSN’s. Unfortunately, unlike many other WSN’s, like Wi-Fi
networks and cellular, IoT networks struggle to maintain the trans-
mission of data confidentiality owing to the limitations of low-end
devices that comprise the majority of IoT devices (Trappe et al.,
2015). Compared to traditional wired and wireless network de-
vices like smartphones, personal computers, tablets, and routers,
most IoT devices will be active sensors or passive Radio Frequency
Identification tags with extremely limited resources and capabili-
ties. Restraints on an IoT device’s power, storage, computational ca-
pacity, and other characteristics create a significant barrier to data
4
Computers & Security 125 (2023) 103053
confidentiality-related operations like encryption and key manage-
ment.
3.7. Heterogeneity
Data is frequently collected in IoT scenarios from many widely
distributed objects. The data contained in various ways and
through different protocols typically have a variety of formats. As
a result, such data cannot be effectively analyzed, processed, or
stored without a standard format. This lack of standardization also
complicates integrating data from disparate sources. As a result,
development is necessary.
1. Standardization of data encoding for unified data
2. Information-exchange protocols allow effective and continuous
data collection from heterogeneous IoT objects.
3.8. Identity management
Integrating zillions of objects into an IoT environment and
maintaining their details is time-consuming. How these issues are
addressed necessitates the presence of uniqueness, which is an-
other task that must be accomplished. Numerous critical technolo-
gies, including smart cards, tags and pins, are viewed as a means
of addressing IoT devices (Sicari et al., 2015). As a result, provid-
ing identities has become a more critical task in most IoT security
frameworks because they assist institutions and organizations in
detecting fraudulent activities. Thus, identity management ensures
that these intelligent entities in the Internet of Things applications
are who they claim to be (P.N. Mahalle et al., 2013).
M. Saqib and A.H. Moon
3.9. Integrity
Integrity ensures data consistency, precision, and dependability
throughout its life. Concerns about data integrity arise due to the
unattended nature of IoT devices. The majority of these devices
will be self-sufficient once deployed. Data manipulation is signif-
icantly more accessible in a supervised wired network, with little
or no maintenance. Additionally, whether due to natural calibra-
tion loss or deliberate manipulation by an adversary, IoT devices
collect data expected to be of poor quality and may contain en-
vironmental corruption. In short, data from the Internet of Things
can be unreliable and easily fabricated.
3.10. Lightweight solutions
Due to IoT devices’ computational and power limitations,
lightweight solutions are a new security feature. It is not a goal in
and of itself, but rather a constraint that must be considered while
designing and developing protocols for data transmission, encryp-
tion, and device authentication in the Internet of Things. Since
these algorithms are used on limited-capability IoT devices, they
must be compatible with those capabilities.
3.11. Non-Repudiation
Non-repudiation is a security feature that ensures commu-
nication participants can send and receive data in its entirety
(Umadevi et al., 2012). Additionally, it provides unmistakable data
transfer between two IoT objects (Samaila et al., 2018). Non-
repudiation ensures that a source node sends its data and that a
receiving node will authenticate that the data received matches the
source (Airehrour et al., 2016).
3.12. Policy enforcement
Policies and standards must be in place to confirm that data
is managed, protected, and transmitted efficiently. Still, even more
importantly, an enforcement mechanism must be in place to en-
sure that all entities adhere to the standards. Each service must
clearly define its SLAs (Service Level Agreements). Because the In-
ternet of Things is dynamic and heterogeneous, existing computer
and network security policies may be inapplicable. Implementing
such policies will increase public trust in the IoT paradigm, facili-
tating growth and scalability.
3.13. Privacy
The growing number of devices in IoT technology raises privacy
concerns. It is critical to secure data to increase IoT user’s ease of
use and comfort while resolving ownership issues related to data
privacy. As a result, whenever data is gathered, the primary objec-
tive should be to identify who owns it. This ensures that the per-
missions to use the shared data are restricted to the owner. Each
object can enforce its own privacy rules when communicating via
the internet (Whitmore et al., 2014).
3.14. Reliability
The tension that binds the process to the technology ecosys-
tem is "reliability." The reliability aspect is concerned with data
and communication management. The goal of reliability is to en-
sure the availability of information over time by employing effi-
cient methods of managing data repositories. The redundancy pro-
vided by multiple paths ensures the reliability of communication
links.
5
Computers & Security 125 (2023) 103053
3.15. Resource-Constrained nature
The key characteristics of IoT nodes are their processing, mem-
ory, and energy limitations. Any "viable" IoT-based solution should
consider these constraints from the start. This also makes such so-
lutions’ performance and energy consumption analysis critical ele-
ments for their initial acceptability and later deployment.
3.16. Scalability
There is a strong possibility that IoT will face scalability issues.
The rapid growth of IoT devices such as sensors has dramatically
increased data collected (Das, 2015). One strategy for expanding
the IoT environment is to ensure the devices’ longevity and secu-
rity. As a result, addressing scalable issues highly depends on the
network’s number of entities and the information they generate
(P.N. Mahalle et al., 2013).
3.17. Secure middleware
Because different types of devices interact in IoT, various mid-
dleware layers affect the security and integrity of data and devices
used within the same network. Data is provided in IoT by estab-
lishing interactions between machine-to-machine, consumers and
machines, and users. As a result, the design and development of
middleware are critical regarding security concerns.
3.18. Security
Because of the rapid integration of IoT in various aspects of our
daily lives and their use in critical infrastructures, IoT security is
vital, if not necessary, given that insecurity can be life-threatening.
IoT systems are becoming a popular target for attackers, either as
a target or an attacking tool. Owing to the increasing popularity of
IoT systems as a target for hackers looking to create IoT botnets,
the latter is no longer a hypothetical threat model. An IoT bot-
net comprises compromised devices used to execute various tasks
without the knowledge of their legitimate users. As a result, mali-
cious attackers increasingly use IoT networks as attack platforms.
3.19. Standardization and interoperability
Any practical application of the Internet of Things involves
a symbiotic relationship between infrastructure actors, such as
things and users. As a result, the roles of these elements vary
according to application types, such as aggregation or collection.
Their primary contribution to the IoT is their ability to communi-
cate. As a result, standards and interactions are critical for achiev-
ing IoT communication goals. (Sarkar et al., 2015).
3.20. Trust establishment
A considerable trust mechanism is necessary to develop trust
among physical entities and IoT events, for example, intercon-
nected wireless sensor networks, mobile phones, and RFID-based
systems (Akhunzada et al., 2016). The application server’s sensi-
tive user data may be compromised, resulting in the forging of
legitimate user credentials across the network. The network de-
vices have validation mechanisms in place. However, no effective
tool for establishing trust in network application verification ex-
ists. As a result, trust is necessary for proper device interoperabil-
ity. Trust entails the adaptability of user privacy, for example, per-
sonal user data, to the Internet of Things user’s policies and expec-
tations (Jøsang et al., 2007). Due to the portability and mobility of
IoT devices, they are physically transferred from one owner to an-
other; as a result, trust between both parties is required to ensure
that access control and authorization function properly.
M. Saqib and A.H. Moon
4. Security threats and countermeasures
A security threat is an act that exploits a system’s security flaws
and has a detrimental effect on the system by lowering its quality
of service. Each layer of IoT, corresponding to the perception, net-
work, and application layers, is susceptible to security threats and
attacks (M. Saqib et al., 2020). These attacks can be either active
or passive, and they can originate from either external or internal
sources. A passive attack analyses the IoT’s network data without
interfering with its operation, whereas an active assault immedi-
ately disables the service. The following sections detail the security
threats at different levels of IoT architecture.
4.1. Perception layer security threats
Fundamental technologies such as WSN’s, Zigbee, RFID, and
other identification and sensing techniques are used in the per-
ception layers. Because of the impetus offered by the internet of
things and cyber-physical systems, the antenna and sensor com-
munities have seen significant integration of radio frequency iden-
tification tag antennas and sensors in recent years. Because of their
passive, wireless, simple, tiny size, and multimodal nature, such
sensors have potential uses in structural health monitoring, partic-
ularly in large-scale infrastructures throughout their existence. The
massive data generated by these ubiquitous sensors is likely to im-
pact intelligent monitoring (Zhang et al., 2017) significantly. The
processing and storage capabilities of sensors are their main draw-
backs. Data collection involves wireless transmission of the infor-
mation, which makes it susceptible to eavesdropping. Fig. 2 illus-
trates the available countermeasures to the perception layer secu-
rity threats. The following are the primary security threats identi-
fied at the perception layer (Li and Zhang, 2008):
a. Node Capture: The attacker can easily control nodes such as
the gateway node, critical information leakage such as the ra-
dio key, matching key, group communication key, and so on,
endangering the security of the entire network.
b. Malicious Data and Fake Node: The adversary introduces a fake
node and malicious data into the system. They avoid actual data
transmission and keep the energy-constrained node from sleep-
ing. The valuable energy of nodes is consumed, with the poten-
tial to control or destroy the entire system.
c. Replay Attack: The adversary transmits a message that has al-
ready been received by the destination host to undermine sys-
tem trust.
d. Denial of Service Attack: Denial of Service and Distributed De-
nial of Service attacks are dangerous in Wireless Sensor Net-
works and the Internet (Tewari and Gupta, 2020). These attacks
diminish network resources, causing the service to become un-
available. A multi-objective optimization-based feature selec-
tion (FS) method has been presented for detecting distributed
denial of service (DDoS) attacks in an internet of things (IoT)
network (Roopak et al., 2020).
e. Side Channel Attack: A side-channel leakage of information in
the device operating process, such as time and power consump-
tion, or electromagnetic radiation, is used by an attacker to at-
tack encryption devices.
f. Tampering: The adversary can harm the IoT device physically
to result in a denial of service. When used in open and closed
locations, IoT devices are susceptible to physical damage.
g. Social Engineering: In a Social Engineering attack, the at-
tacker exploits an IoT system user to obtain secret and valu-
able information and complete a task using private informa-
tion (Ghafir, 2016). Social Engineering is a physical attack as
the attacker communicates with the IoT network to complete
his task.
6
Computers & Security 125 (2023) 103053
4.2. Network layer security threats
The typical threats at the network layer are summarized below:
a. Traffic Analysis Attack: When using any web browser, the pri-
mary security attack on the network layer is the traffic analy-
sis attack. Due to the wireless nature of RFID technology, the
adversary has access to confidential information and other use-
ful data. The attacker gathers information and data about the
network to which it is connected before launching this attack
(Hossain et al., 2015). This work uses sniffing operations such
as port scanning and packet sniffing applications.
b. Routing attacks: An attacker can modify and distribute routing
information throughout the network to create loops for rout-
ing, advertise bogus routes, drop network traffic, or send error
messages (Wu et al., 2008).
c. Sinkhole Attack: The attacker constructs a sinkhole and lures
all traffic from wireless sensor network nodes into it. The sink-
hole attack jeopardizes data confidentiality and privacy, and by
interrupting packet transmission (Jing et al., 2014) rather than
delivering them to their destination, the network is denied a
resource.
d. Man in the Middle Attack: By controlling, monitoring, and in-
terfering with the network, the adversary can gain access to
confidential data, violate node privacy, and cause communica-
tion between two sensor nodes to fail. Compared to other phys-
ical attacks, the attacker need not be physically close to the
target but must focus on network protocol communication be-
tween nodes in an IoT system at the network layer (Conti et al.,
2016).
e. Wormhole attack: Bits can be redirected away from their origi-
nal network location (Pongle and Chavan, 2015). The relocation
mechanism is carried out from the bits channel with the lowest
latency.
f. Sybil attack: This type of attack occurs when a single malicious
node assumes the identity of several nodes and pretends to be
them. These malicious nodes cause significant damage by de-
laying Wireless Sensor Networks’ election process or dissemi-
nating erroneous routing information (Newsome et al., 2004).
g. Eavesdropping Attack: Information is gathered through sniffing
tools such as packet sniffers.
h. Hello Flood attack: A Hello Flood attack involves the attacker
broadcasting a hello message to the network via a power-
ful transmitting antenna (Karlof and Wagner, 2003). When a
node receives a message via a routing protocol, it considers the
source a neighbor and incorporates it into its routing. However,
the source is beyond a typical node’s radio range. As a result,
the authentic node repeatedly tries to connect to the fake node
and finally dies.
i. Scalability Issues: The IoT is a vast network of connected de-
vices. More devices enter and exit the network, causing security
issues such as congestion, lack of authentication, etc. It depletes
resources as well.
Fig. 3 shows the available countermeasures to the network layer
security threats.
4.3. Application layer security threats
The different application layer security threats are summarized
below. Fig. 4 shows the available countermeasures to the applica-
tion layer security threats.
a. Data Access Permissions: This attack entails the unauthorised
access and manipulation of sensitive data, thus invading user
privacy (Jia et al., 2017; E. Fernandes et al., 2016; E. Fernan-
des et al., 2016). Typically, this attack exploits permissions
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Fig. 2. Attacks and countermeasures at the Perception Layer.

7
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Fig. 3. Attacks and countermeasures at the Network Layer.

model design flaws (Nan et al., 2015). Attackers have used b. Data storage and recovery: Data storage entails data transmis-
permission model flaws to seize application control in smart sion through various channels to various locations, which in-
homes, resulting in issues such as theft and break-ins (Jia et al., volves user privacy and data integrity. And the subsequent re-
2017). covery of that data on time. Many security threats occur during

8
M. Saqib and A.H. Moon
Fig. 4. Attacks and countermeasures at the Application Layer.
data transmission. As a result, proper data storage and retrieval
should be incorporated at every data transmission stage.
c. Handling large amounts of data: Many network nodes are pro-
cessing large amounts of data, which causes some data loss
during the communication process, affecting the network’s effi-
ciency.
d. Buffer Overflow: This attack uses programming flaws to over-
flow a code or data buffer. Numerous programs store code and
data segments using a pre-defined memory layout. The adver-
sary writes a lengthy data sequence to a specified area, causing
the sequence to overflow beyond its predefined boundary. As
a result, other data may be modified (for instance, when the
sequence encroaches on a data region of another data buffer),
9
Computers & Security 125 (2023) 103053
and malicious code may be executed (for example, when the
sequence encroaches on a segment of code, the program’s con-
trol flow may be destroyed. Common exploits comprise stack
or heap-based buffer overflows, integer errors, format string at-
tacks, and double-free (Mitrokotsa et al., 2010; Zhu et al., 2011;
Simmons et al., 2014). Buffer overflows are a very common at-
tack against software and applications.
e. Code injection: This attack exploits program errors to in-
ject malicious code into the system (Farooq et al., 2015;
Mitrokotsa et al., 2010). Code injection is a technique that can
be used for various purposes, such as data theft, system control,
and worm propagation (Zhang and Qu, 2013; Yampolskiy et al.,
2013). The 2 common attacks are HTML script injection and
M. Saqib and A.H. Moon
shell injection. The code injection attack can result in the sys-
tem losing control, exposing the user’s privacy to an adversary,
or shutting down of system completely.
f. Impersonation Attack: Attackers could pose as a valid reader to
trick tags into revealing sensitive data stored in the tags.
g. Phishing Attack: The phishing attack involves an adversary im-
personating a legitimate user or institution to attain the user’s
sensitive information, such as credit card information and pass-
word (Farooq et al., 2015; Thakur and Chaudhary, 2013). Email
is a common medium for this attack, in which an attacker ob-
tains sensitive information when users open the email.
5. Authentication schemes
Authentication’s primary objective is to classify network users
and devices to confine access to legitimate individuals and non-
manipulated entities and to safeguard user data if user signals are
interrupted or intercepted. Numerous security solutions have been
proposed and developed in recent years. But, due to their unique
nature, some of these solutions are incompetent, infeasible, and in-
applicable in the IoT environment. Authentication is a critical factor
when developing a secure IoT communication system. One of the
most difficult challenges is to provide a lightweight, bulletproof,
and distributed authentication scheme for total security solutions
for IoT applications (P. Mahalle et al., 2013).
According to recent research, devices can enter and exit net-
works without being authenticated. IoT has many heterogeneous
devices connected and ranges in size, shape, storage, compu-
tational power, and battery capacity. With so many network-
connected devices, determining who does what, when, where, and
so on is time-consuming. Several studies have also shown that it
is difficult to authenticate devices due to the range of devices con-
nected. Furthermore, communication can occur between small and
large devices and between small and small devices. As a result, nu-
merous authentication schemes for the IoT environment have been
proposed and developed (El-Hajj et al., 2019). These schemes can
be generally classified into the following categories, as displayed in
Fig. 5.
5.1. Identity-based authentication (Kim and Lee, 2017; wazid et al.,
2018; gope and sikdar, 2019; aman et al., 2018; zhao et al., 2018)
Identity-based authentication requires one party to present in-
formation to another party for authentication. This type of authen-
tication is a straightforward approach to implement. Credentials
such as passwords and key values are stored in device memory to
validate identity.
5.2. Cryptography-based authentication
The cryptographic algorithms used during the authentication
phase can also be used as a classification criterion. Cryptogra-
phy algorithms are divided into 3 types: symmetric, known as
secret-key cryptosystems; asymmetric, known as public-key cryp-
tosystems; and hash functions. Because symmetric algorithms have a
lower overhead than asymmetric algorithms, some authentication
mechanisms rely solely on them. Data Encryption Standard (DES),
Advanced Encryption Standard (AES), and Rivest Cipher 4 are the
three types of symmetric algorithms. Another kind of solution re-
lies solely on asymmetric cryptography during the authentication
phase. It is further subdivided into Rivest, Shamir, Adleman (RSA),
Elliptical Curve Cryptography (ECC), and Digital Signature Algorithm
(DSA). Due to its lightweight nature, hash functions are used in the
third category of solutions. In more complex cryptographic proto-
cols, hash functions are typically used as data integrity primitive.
10
Computers & Security 125 (2023) 103053
5.3. Usage of tokens
a. Token-based authentication (Naveed Aman et al., 2019): This
type of authentication authenticates a user or device using a
server-generated identification token (a piece of data like the
OAuth2 protocol (Chae et al., 2015; Emerson et al., 2015) or
open ID (Blazquez et al., 2015). OAuth2 is an open standard for
authorization and authentication using tokens.
b. Non-Token-based authentication: Requires credentials such as
username and password each time data is exchanged (e.g.,
TLS/DTLS (Shang et al., 2016, ; Kothmayr et al., 2013, ;
Kothmayr et al., 2012).
5.4. Hardware-based authentication
Hardware-based authentication processes the authentication
using the physical characteristics of the hardware. Based on this
criterion, one can differentiate between
a. Implicit hardware-based solutions: These use "existing" hard-
ware during authentication (e.g., Physical Unclonable Func-
tion (PUF) (Marchand et al., 2017) (Bendavid et al., 2018) or
True Random Number Generator (TRNG) (Yang et al., 2017)
(Hussain et al., 2016)).
b. Explicit hardware-based solutions: These require the use
of an additional component dedicated to the operations
(cryptographic or otherwise) performed during authentica-
tion (e.g., Trusted Platform Module (TPM) (Hamadeh et al.,
2017) (Tan et al., 2017), Trusted Execution Environment (TEE)
(Lesjak et al., 2015) (Gomes et al., 2017) (Ayoade et al., 2018).
5.5. Procedure-based authentication
Procedure-based Authentication includes one-way authentica-
tion, two-way authentication (mutual authentication), and three-
way authentication.
a. One-way authentication: When two parties wish to communi-
cate, only one authenticates the other, leaving the other unau-
thenticated.
b. Two-way authentication: This is also known as mutual authen-
tication. In this type of authentication, two entities authenticate
one another.
c. Three-way authentication: In this case, a central authority au-
thenticates both parties and helps them mutually authenticate
themselves.
5.6. Context-based authentication (Wang et al., 2017; Alizai et al.,
2018)
This is the process of reconciling data about the physical con-
text to improve the verification process. The features collected can
be sent to other gadgets, which process them to determine the lo-
cation of the device and the message’s origin time. This informa-
tion can be used to enhance the authentication process. Two types
of context-based authentication exist:
a. Physical: The biometric data that is derived from an individual’s
physical characteristics, for example, fingerprints, hand geome-
try, and retinal scans.
b. Behavioral: A biometric-based on an individual’s behavioral
characteristics, such as keystroke dynamics (the timing and
rhythm pattern generated when a person types), voice ID (voice
authentication using the individual’s voiceprint), gait analysis (a
technique used to assess how we walk/run), and so on.
As a result, we summarize and discuss relevant work on IoT
authentication schemes. Existing authentication schemes based on
M. Saqib and A.H. Moon
Fig. 5. Taxonomy of Authentication Schemes.
different authentication schemes are compared and analyzed in
Table 1 , demonstrating their contributions and limitations by clas-
sifying authentication schemes.
6. Formal security evaluation
To determine whether an authentication scheme is vulnerable,
its security must be evaluated using a variety of security analysis
metrics. The following formal security analysis must be conducted
to ensure the security of scheme:
6.1. Proverif
Proverif is a formal verification tool for cryptographic proto-
cols that verifies their security properties. Bruno Blanchet devised
this. This tool verifies the protocol many times with an infinite
amount of message space. The Proverif tool can attack reconstruc-
tion, which means that if a property is not established, it will con-
struct an execution trace that falsifies the desired property. This
tool accepts data in two formats: Horn clauses and Pi calculus. The
output of the tool is essentially identical in both cases. It is not
necessary to model the attacker explicitly. The attacker’s state can
also be specified as active or passive (Blanchet, 2001). Hash func-
tions, symmetric encryption/decryption, and bit-commitment are
11
Computers & Security 125 (2023) 103053
all examples of cryptographic operations. In general, researchers
use it to determine the reachability of security, establish the se-
crecy of session keys, and authenticate.
6.2. Burrows–Abadi–Needham (BAN) logic
Authentication protocols are the foundation of security in a
wide range of distributed systems, thus they must work properly.
A simple logical calculus based on an agreed-upon set of deduc-
tion rules can be used to model the beliefs and evolution of trust-
worthy parties involved in authentication protocols (Sierra et al.,
2004). BAN logic is a formal protocol verification technique used
to determine whether a protocol is working correctly.
Burrows, Abadi, and Needham created logic to analyze authen-
tication protocols. The logic is known as BAN-logic. The logic for-
malizes all public - and shared key primitives and concepts of a
’fresh message.’ This allows for the formalisation of a challenge-
response protocol. The following questions can be answered using
BAN-logic:
• What are the protocol’s implications?
• What assumptions will be required for this protocol?
• Does the protocol include any unnecessary actions that could
be omitted?
M. Saqib and A.H. Moon
Table 1
Comparison Analysis of Different Authentication Schemes.
Author
(de Meulenaer et al., 2008)
(Hsiang and Shih, 2009)
(Li and Hwang, 2010)
(Yeh et al., 2011)
(Vaidya et al., 2011)
(Xue et al., 2013)
(Chang et al., 2013)
(Gubbi et al., 2013)
(Ndibanje et al., 2014)
Contribution
Proposed an enhancement to
the remote user authentication
scheme based on dynamic ID-
for multi-server environments
Presented a secure remote
user authentication scheme
based on dynamic id
enhancement in a multiserver
environment.
Proposed a biometric-based
remote user authentication
scheme based on smart cards
that are both efficient and
secure.
Designed an authentication
method for remote users
based on elliptical curve
cryptography.
Presented a scheme for a
Smart Energy Home Area
Networks (SE-HAN)
authentication device that
uses a novel authentication
and key formation algorithm
based on the Elliptic Curve
Algorithm.
Presented a lightweight
mutual authentication and key
agreement scheme based on
the user, GWN, and sensor
node’s temporal credentials.
Designed a user authentication
scheme that uses biometrics
for connected health care.
Concentrated on developing a
unified authentication scheme
for the Internet of Things that
works across multiple layers
and terminal nodes.
Presented a secure key
establishment scheme that is
simple and efficient, based on
ECC for the IoT.
Computers & Security 125 (2023) 103053
Result Obtained Drawbacks
• Provide a cost comparison of the Kerberos • It is applicable only in the presence of
key agreement scheme and the Elliptic a trusted third party.
Curve Diffie–Hellman key exchange with • The listening cost raises the
elliptic curve digital signature communication cost.
authentication (ECDH-ECDSA).
• Discovered that Kerberos is approximately
one order of magnitude less expensive
than the ECDH-ECDSA key exchange and
confirms that it should be preferred in
situations involving a trusted third party.
• Improved computation cost. • Susceptible to incorrect password
• Enhanced the authentication scheme’s change, impersonation attack, and
security and efficiency. replay attack.
• Minimized the computation cost • Lack of security enhancement.
• Discards timestamps to eradicate serious
time synchronization problems by using
random numbers.
• Allows users to change their passwords
freely and establishes mutual
authentication between them and the
remote server.
• Provides mutual authentication to protect • Increase in the computational cost.
both internal and external security.
• Improves the security of the
authentication scheme.
• Satisfies some common security • Vulnerable to key-share attacks.
properties.
• Robust and secure.
• The scheme provides a greater number of • Vulnerable to a variety of attacks,
security features including server spoofing and smart
• Offers a high level of security without card theft
significantly increasing communication,
computation, and storage overhead.
• Ensures both anonymity and uniqueness. • Incapable of delivering multiple layers
• Resistant to offline attacks, impersonation of security and secure authentication.
attacks, DoS, and stolen smart card • Inappropriate for distributed systems
attacks. with multiple servers, such as the IoT
• Only the authorized user/patient can framework.
access the remote server, and nobody can
track them using the data transmitted.
• No malicious user can use transmitted
data to track down a specific user as the
transmitted identities are distinct.
• Avoid jamming attacks. • No empirical evidence to claim that
• Provides a secure authentication solution the scheme would improve data
for IoT devices. security.
• The extraction procedure incorporates
some irreversibility properties (which are
relatively light in weight) that help
ensure the security of IoT-connected
devices.
• Improved device authentication. • The IoT sensor nodes had a high
• Enhanced security analysis authentication communication overhead.
and access control for IoT. • No practical experiments were
• Implemented Role-Based Access Control conducted on the proposed security
to accomplish access control policies for valuation.
IoT network applications.
(continued on next page)
12
M. Saqib and A.H. Moon
Table 1 (continued)
Author Contribution
(Turkanović et al., 2014) Designed a new user
authentication and key
negotiation scheme for
heterogeneous ad hoc WSN’s.
(Singh et al., 2015) Suggested a secure variant of
MQTT and MQTT-SN for sensor
networks.
Chen et al., 2015; Devised a user authentication
(Shunmuganathan et al., scheme for WSN’s that is
2015) resistant to smart-card loss
attacks using symmetric key
techniques
Das et al., 2016; Designed a 3-factor
(Chen et al., 2015) multi-gateway user
authentication protocol for
WSNs.
Amin and Biswas et al., Developed a smart card-based
2016 (Das et al., 2016) authentication framework for
a distributed cloud framework.
Result Obtained
• Allows a remote user to securely
exchange a session key with a general
sensor node without personally
connecting to the GWN.
• Enables mutual authentication between
all parties.
• Tailored to the WSN’s
resource-constrained architecture, it only
employs simple hash and XOR
computations.
• Less computationally intensive.
• Provides high security since it is resilient
to session key security, stolen smart card,
smart card breach attacks, stolen verifier
attacks, impersonation attacks, and GWN
bypassing attacks.
• The suggested scheme uses
Attribute-Based Encryption (ABE) based
on a Key Policy (KP-ABE), Cipher Text
Policy (CP-ABE), and ECC.
• Summarizes the threats and security
requirements for 2-factor user
authentication in wireless sensor
networks (WSNs).
• Withstand smart-card loss attacks simply
by using symmetric key techniques.
• Highly secure and efficient.
• Demonstrated that the scheme offers
mutual authentication using the widely
known BAN logic.
• The scheme is secure.
• Resistant to several cryptographic attacks,
including sensor capture and
impersonation attacks.
• Enables registered users to securely
access confidential data stored on all
private cloud servers.
• The scheme offers secure mutual
authentication using the widely accepted
Burrows–Abadi–Needham logic.
• Offers session key agreement property
between the entities involved securely.
• SAFE under the OFMC and CL-AtSe
models.
• Numerous security concerns confirm that
the scheme is adequately safe against
related security attacks.
• Meets all security requirements,
particularly energy efficiency, user
anonymity, and an easy-to-use password
change phase.
• Ensures that the scheme is efficient in
terms of complexities.
13
Computers & Security 125 (2023) 103053
Drawbacks
• Security faults like DOS attacks, replay
attacks, and the capture of sensor
node attacks result in the formation
of a malicious node.
• Ineffective phases of login and
authentication.
• An issue with the calculation of the
hash function.
• Prone to perfect forward secrecy,
offline identity, and password
guessing attack.
• The scheme is inefficient since it
needs nodes to register with the
Broker by transmitting a list of
attributes resulting in unwanted
overhead.
• CP-ABE adds some overhead as well,
and its complexity is higher in terms
of computation and storage.
• Finally, minor ABE problems include
key escrow, key coordination, and key
and attribute revocation.
• Due to their ineffective verification
method, they are prone to smart card
loss attacks and DoS attacks.
• Does not provide user anonymity
during login requests; the user’s
identity is transmitted in plaintext
form.
• Due to the delay in identifying wrong
login credentials, such as passwords,
the scheme wastes both the user’s
and sensor nodes’ resources
concerning communication and
computational overheads.
• Susceptible to attacks based on user
tracking.
• A session key is different for each of
the three participants.
• Vulnerable to sensor capture, session
key disclosure, impersonation,
desynchronization, and offline
guessing attacks.
• Susceptible to attacks based on user
tracking attacks.
• Fails to offer mutual authentication.
(continued on next page)
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Table 1 (continued)

Author Contribution Result Obtained Drawbacks

Farash et al. 2016 Introduced a new and
(Amin and Biswas, 2016) improved user authentication
and key exchange protocol for
diverse WSN’s.
• Offers a high degree of security.
• Provides defense against a wide range of
attacks, e.g., man-in-the-middle attack,
replay attack, stolen verifier attack,
privileged-insider attack, smart card
attack, GWN bypassing attack,
impersonation attack, Password change
attack, and DoS attack.
• Susceptible to stolen smart card
attacks, user impersonation attacks,
offline password guessing, and known
session-specific temporary
information (KSSTI).

Maitra et al., 2016 Designed a 2-factor password
(Farash et al., 2016) authentication scheme for
client-server- IoT applications
built on the hardness
assumption of the elliptic
curve discrete logarithm
problem and one-way hash
functions.
• Aware users easily of incorrect inputs • The scheme is based solely on theory,
during the login and password update with no empirical evidence to back it
phases. up.
• Preserves user anonymity and dynamic
identity, ensuring that no adversary can
identify a specific user based on
communication messages between the
user and the server.
• Immune to all potential security threats
due to the hardness of the Elliptic curve
discrete logarithm problem and the
one-way hash function.
• Resistant against all potential attacks.
• Provides a trade-off between
computational and communication cost,
storage cost, and security requirement.

Chang et al., 2016 Introduced a dynamic user
(Maitra et al., 2016) authentication and key
agreement scheme for
heterogeneous WSN’s using
smart cards.
• Used Dynamic identities to guard against
attacks to users’ privacy.
• Validated that the scheme attains key
exchange and mutual authentication
among user nodes, a base station, and
cluster heads.
• Withstand the majority of potential
attacks
• Increased efficiency
• Suitably adaptable for WSN’s.
• Prone to temporary session and
offline password guessing attacks.
• Susceptible to key session breach
attacks.
• Inefficient during the authentication
and password-changing phases.

Kaul and Awasthi et al., Designed a smart-card-based
2016 (Chang et al., 2016) remote user authentication
and key agreement protocol.
• Offers a small storage capacity and a low • Susceptible to user impersonation
computation and communication cost. attacks.
• Achieves mutual authentication.
• Withstand various security attacks,
making the protocol secure and efficient
for practical use.
• Justified the authentication protocol’s
security against active and passive attacks
using the widely known OFMC and
CL-AtSe back-ends of the AVISPA tool.

Roy et al., 2017 (Kaul and Presented a novel, secure
Awasthi, 2016) 3-factor remote user
authentication protocol using
biometrics, expanded chaotic
map, and fuzzy extractor for
crowdsourcing IoT
• Provides a lightweight and efficient • The chaotic map’s computational
authentication scheme by avoiding complexity is inappropriate for an IoT.
computationally intensive operations such
as elliptic curve point multiplication or
modular exponentiation.
• Demonstrates that the scheme is secure
using the widely used verification tool
Proverif
• Practical for limited battery devices in
healthcare applications due to the
combination of high security and
appreciably low communication and
computational overheads.

Dhillon and Kalra et al., Designed a lightweight, secure
2017 (Roy et al., 2017) multi-factor remote user
authentication and key
agreement protocol for the IoT
framework
• Safe against potential attacks like offline • Prone to user masquerading attacks
password guessing, parallel session, and a stolen verifier attack.
password change, DoS, and • Violates the anonymity and
impersonation. traceability of a user.
• Cost-effective in terms of communication
and computation.
• The simulation, conducted using the
AVISPA web-based tool, verifies the
system’s security in the presence of a
potential intruder.

(continued on next page)

14
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Table 1 (continued)

Author Contribution Result Obtained Drawbacks

Katsikeas et al. 2017 Investigated the security
(Dhillon and Kalra, 2017) implementation of the MQTT
(Message Queue Telemetry
Transport) protocol in the
industrial area utilizing
payload encryption (with AES,
AES-CBC, AES-OCB) and link
layer encryption (with
AES-CCM).
• The authors used a WSN test bed • MQTT insertion payload encryption
(Raspberry Pi) and a simulator to evaluate required extra memory, energy, and a
and compare the secure and lightweight high delay.
MQTT implementation.
• During the assessment process, two nodes
are used: the Publisher to encrypt the
data and simulate IIoT sensors and the
Subscriber to decrypt the data and
emulate IIoT actuators. Latency, energy
consumption, and memory utilization are
all considered for comparison.

Wazid et al., 2017 Presented a new
(Katsikeas et al., 2017) authentication scheme for
remote users in a smart home
environment.
• The one-way hash function, symmetric
encryptions/decryptions, and the XOR
operation are suitable for
resource-constrained devices.
• Relies on a verification table stored in
the database of the Gateway node,
having disastrous consequences if
stolen by an attacker.
• Since it relies on a timestamp to
resist replay attacks, the scheme was
vulnerable to synchronization attacks.

Moon et al., 2017 Suggested Improved
(M. Wazid et al., 2017) Biometric-Based
Authentication Schemes for
WSN’s with Smart Card
Revocation/Reissue
• Ensures efficiency, anonymity, and • Prone to impersonation attack and
security. Known session key.
• Proved the proposed scheme’s security • The scheme has inefficient login and
via a formal proof based on the random password change phase.
oracle model.
• Eliminated impersonation attacks and
other security flaws.
• Minimized the computational cost.

Nikooghadam et al., 2017 Proposed a lightweight key
(Moon et al., 2017) agreement and authentication
scheme.
• Immune to various security attacks and • Fails to resist insider attacks, replay
provides user anonymity. attacks, and password guessing
• Demonstrate the correctness using BAN attacks.
logic.
• Offers acceptable computation cost
• Suitable for implementation in
resource-constrained environments.

Challa et al., 2017 Presented a new
(Nikooghadam et al., 2017) signature-based scheme for
establishing authenticated
keys in an Internet of Things
environment.
• Mutual authentication is achieved using • Insufficient computation and
the broadly-accepted BAN logic. communication overheads.
• A rigorous simulation using the widely
known NS2 simulator is used to
determine various network parameters.

Koya et al., 2018 Proposed a hybrid scheme
(Challa et al., 2017) based on ECG for anonymous
mutual authentication and key
agreement.
• Incorporates additional security features
to safeguard against hub node
impersonation attacks and the key escrow
issue.
• The correctness of the scheme is
demonstrated using
Burrows-Abadi-Needham (BAN) logic.
• Security is evaluated using the Automated
Validation of Internet Security Protocols
and Applications (AVISPA).
• Susceptible to sensor node capture
and lacks forward secrecy.
• The physiological signal-based
authentication schemes typically
require sensors to monitor specific
physiological signals, such as the
electrocardiogram (ECG), limiting
their universality.

Kang et al., 2018 Proposed a user authentication
(Koya and Deepthi, 2018) and key exchange scheme
using biometrics for an IoT
framework that is both
efficient and secure
• Used a dynamic identity technique to • It cannot withstand privileged insider
conceal the user’s identity attacks or Ephemeral Secret Leakage
• Used biometrics information in attacks.
conjunction with Biohashing to prevent
impersonation attacks and offline
password guessing attacks.
• Discards timestamps to eradicate serious
time synchronization problems by using
nonce numbers to prevent replay attacks.
• Improves security and ensures efficiency.

Shah et al., 2018 Introduced Secure • Offers mutual authentication between IoT • Issue in authentication
(Shah and Authentication of IoT Device servers and IoT devices. • Physical attacks on IoT devices at the
Venkatesan, 2018) and IoT Server through the use • Protects side-channel attacks on IoT perception layer are possible.
of Secure Vault devices and the server.

(continued on next page)

15
M. Saqib and A.H. Moon
Table 1 (continued)
Author
Chandrakar et al., 2018
(Kang et al., 2018)
Alotaibi et al., 2018
(Chandrakar and
Om, 2018)
Amin et al., 2018
(Alotaibi, 2018)
Park et al. 2018
(Amin et al., 2018)
Lu et al., 2019 (Lu et al.,
2019)
(Shuai et al., 2019)
(Zhou et al., 2019)
(Ostad-Sharif et al., 2019)
Garg et al., 2019 (Garg and
Dave, 2019)
Contribution
Introduced a 3-factor
authentication protocol for
TMIS.
Developed an enhanced
anonymous user
authentication and key
exchange protocol using
biometrics and a symmetric
cryptosystem for WSN’s
Proposed a robust,
untraceable, and anonymous
password authentication
scheme for WSNs.
Introduced direct
multicast-Message Queue
Telemetry Transport for huge
IoT communications.
Presented a 3-factor
anonymous key exchange for
WSN’s using ECC.
Designed an anonymous
authentication scheme that is
efficient for smart home
frameworks using Elliptic
Curve Cryptography.
Introduced a
Privacy-Preserving
Authentication and Key
Agreement Scheme with
deniability for the Internet of
Things.
Presented an authentication
and key agreement protocol
that is secure and lightweight
for IoT-based WSN’s.
Proposed OAuth, an open
authorization protocol that
allows users to access
middleware by providing a
username, password, and
token.
Result Obtained
• Presented its security in formal and
informal ways, demonstrating its
resistance to different security attacks.
• Validate the scheme using BAN logic
• Offers a high degree of security with
efficient complexity.
• Preserve the security by primarily using
the formal BAN-logic method to verify the
accuracy of mutual authentication.
• Defensive against various active and
passive attacks, such as
man-in-the-middle attacks, forgery, and
replay attacks.
• The scheme is suitable for WSNs based on
comparing computational efficiency and
security requirements.
• Resistant against known active and
passive attacks.
• Presented a more realistic architecture for
WSNs deployment with low-power sensor
nodes.
• Demonstrated that the proposed protocol
incurs lower computation and
communication costs without
compromising the level of security.
• Reduce network congestion and data
transmission delays in dispersed edge
networks.
• Ensure the mutual authentication
properties using the BAN logic
• Can withstand a variety of attacks using
rigorous security analysis.
• Did not require the storage of the
verification table for authentication
purposes.
• The random number technique protects
against replay attacks and circumvents
the clock synchronization issue.
• Heuristic analysis and rigorous formal
proofs demonstrated that the scheme has
the required security features and can
withstand all possible attacks.
• Strikes a delicate balance between
security and efficiency, making it more
suited to real environments.
• Offers a mutual authentication scheme
that protects user privacy by identifying
the user solely through the getaway node.
• The accuracy of the scheme is established
via BAN logic.
• Security is verified via the ROR model.
• Enhances the efficiency of the scheme
• Maintains perfect forward secrecy with a
high degree of efficiency.
• Minimized communication and
computational overhead.
• Provides enhanced security functionality
and lower storage costs.
• Middleware exposes device information
via a REST API while concealing details
and serves as a link between the user and
sensor data.
16
Computers & Security 125 (2023) 103053
Drawbacks
• Vulnerable to perfect forward secrecy
and replay attack.
• Proves unsuccessful in offering
protection against perfect forward
secrecy, known session key, and smart
card stolen attack.
• Prone to perfect forward secrecy,
impersonation, and known session
key attacks.
• Lack of security solutions like
authentication and authorization.
• Lack of robust session key security
cannot provide three-factor security
due to KSSTI attacks.
• It cannot thwart offline password
guessing attacks, insider attacks,
replay attacks, and gateway bypass
attacks.
• Insecure session key agreement
problem.
• Increase in computational and
communication costs.
• The gateway device can generate a
message indistinguishable from the
message received from the user,
posing a non-repudiation issue.
• Users may deny sending this message,
potentially causing a security problem
if the gateway device is hacked.
• Vulnerable to key compromise
password guessing and key
compromise impersonation attacks.
• The system administrator selects the
master key.
• OAuth protocol at middleware
requires a username, password, and
tokens for authentication.
• The likelihood of a data breach at the
middleware is high.
(continued on next page)
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Table 1 (continued)

Author Contribution Result Obtained Drawbacks

Martinez et al., 2019 Devised an improved
(Martínez-Peláez et al., IoT-based authentication
2019) scheme that is lightweight in
a cloud computing framework.
• Establishes mutual authentication and key • Does not provide mutual
exchange, allowing cloud servers to access authentication
securely. • Susceptible to replay attack,
• Prevents eavesdroppers from learning the impersonation, known session key
user’s identity, secures the session key, smart card stolen, anonymity and
and incorporates a challenge-response trace attacks.
method.
• Incorporates a sub-phase known evidence
connection attempt, demonstrating any
connection attempt among a user node
and a server to the control server.
• Resists impersonation, privileged-insider,
and replay attacks.
• Minimizes computational power

Banerjee et al., 2020 Presented an efficient, robust,
(Banerjee et al., 2020) anonymous authentication
protocol for Smart Home
Environments.
• Resistant to a variety of potential attacks, • Fails to resist anonymity and trace
which is necessary for a smart home attack.
framework
• Demonstrate the proposed scheme’s
superior security and functionality
features
• Provided a practical perspective on the
proposed scheme’s applicability via a
network simulator (NS3) simulation study.

Suresh et al. 2020 Introduced an enhanced
(Sureshkumar et al., 2020) mutual authentication and key
exchange protocol for the
Telecare Medical Information
System using a chaotic map.
• Informally tested against a variety of • The scheme is computationally
security threats. expensive
• Achieves mutual authentication using the • Vulnerable to desynchronization
formal method BAN logic. attacks.
• Highly efficient and secure.

Vinoth et al. 2020 Developed an authenticated
(Vinoth et al., 2020) key agreement protocol that is
secure for Industrial IoT based
on multifactor to enable
legitimate users to access
sensing devices remotely.
• Used Chinese remainder theorem and • Vulnerable to various attacks,
secret-sharing technology to create a including sensor node capture, DoS
group key between authentic sensing attacks, replay attacks in the 4th
devices, which is then used to help in phase, and desynchronization attacks.
exchanging a session key securely among • Consumes a lot of power at the
the user and multiple sensing devices. sensor node and is thus unsuitable for
• Because the scheme uses only symmetric Industrial IoT, especially in the vast
cryptography, XOR, and a hash function, it expanses of IIoT.
is well-suited for resource-constrained
IIoT.
• Minimized communication and
computational costs
• Immune against a wide range of known
attacks.

Deebak et al. 2020 Introduced a scheme for smart
(Deebak, 2020) IoT-assisted systems based on
lightweight authentication and
key management (L-AKM).
• Ensure secure communication between • Increases transmission delay and
computing devices. throughput rate due to the additional
• Accelerates the authentication process by authentication phases.
utilizing continuous user authentication • Fails to resist user anonymity and
sessions. privileged insider attack.
• Uses a token technique to determine the
battery capacity of devices by
continuously sensing their activity.
• Conducts formal and informal analysis to
ascertain the l-security AKM’s robustness
and time consumption.
• Improves security efficiency to withstand
various potential attacks such as forgery,
replay, password guessing, etc.

(Bae and Kwak, 2020) Presented a smart card-based
authentication scheme in a
multi-server environment
• The security of the authentication
protocol is validated using the formal
verification tool AVISPA.
• Immune against user impersonations,
session key leakage attacks, and other
attacks.
• Used in smart card-based applications
such as a key exchange.
• Susceptible to traceability,
impersonation, session key disclosure
attacks, anonymity, and gateway node
spoofing.
• Fails to provide secure mutual
authentication.

(continued on next page)

17
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Table 1 (continued)

Author Contribution Result Obtained Drawbacks

(Yang et al., 2020) Introduced framework for
exchanging authentication
information in WSN for IoT
applications.
• Resist sensor node capture attack • Not immune against forward secrecy,
• Developed a dynamic contacting known session key attack, password
mechanism to prevent attackers from guessing attack, DoS attack, and
guessing the communication period impersonation attack.
between the HGWN and the sensor.
• Validate the scheme using three methods:
security evaluation, BAN logic evaluation,
and performance evaluation,
demonstrating that the authentication
information exchange protocol satisfies
security requirements and objectives.

(Rana et al., 2021) Devised an improved
lightweight authentication
protocol for the next
generation of IoT frameworks
• Ensure secure communication across the • It cannot thwart KSSTI attacks.
entire channel. • Does not provide user anonymity.
• Demonstrated that the scheme is safe
against major security threats.
• Minimized communication, computation,
and storage resources.
• Excellent candidate for deployment in
6 G/IoT infrastructure.

(Kaur and Kumar, 2021) Proposed a 2-factor user
authentication protocol for
smart homes based on an
elliptic curve cryptosystem.
• A formal security analysis of the proposed • Prone to the disclosure of session key
scheme is shown using the random oracle attack and impersonation attack.
model. • Fails to support mutual
• The Proverif tool is used to verify mutual authentication.
authentication and key agreement.
• Effectively resists replay attack, DoS
attack, Password guessing attack, forward
secrecy, and session key attack.
• Highly effective and reliable.

(Yu et al., 2021) Developed a 3-factor
authentication scheme based
on privacy-preserving that is
lightweight and secure for
IoT-enabled smart home
environments to offer secure
home services for legitimate
users.
• Resistant to various security attacks such • Fails to offer mutual authentication
as impersonation attacks and disclosure due to a crucial design fault.
of session key attacks.
• Offers the security functionalities such as
anonymity, mutual authentication, and
privacy.
• Verified the proposed protocol’s formal
security using the AVISPA, which assesses
security against various security attacks.
• Offers better security and efficiency,
making it more appropriate for
IoT-enabled smart home environments.
• Conducted a formal (mathematical)
security analysis using the ROR model to
determine the AKA scheme’s session key
security.

Amoretti et al. 2021 Presented a multi-stage
(Amoretti et al., 2020) broker-based secure and
scalable MQTT communication
system for the Industrial IoT.
• The single trustworthy authentication and
authorization server is in charge of client
authentication and the production of
access tokens to define a client’s right to
subscribe to or publish a topic.
• The 2048-bit RSA asymmetric key is used
to sign the cryptographic access token,
and authentication occurs during the TLS
handshake protocol.
• Heavyweight authentication due to
the high processing requirements of
RSA and TLS makes it unsuitable for
resource-constrained IoT devices.
• Because the central AS cannot keep
up with the exponential expansion of
IoT devices, scaling is prevented,
resulting in a bottleneck or single
point of failure.
• Neither clients nor brokers
authenticate one another.

(Shilpa et al., 2022) Suggested the Secure Reliable
Message Communication
protocol for MQTT.
• The scheme employs a lightweight
encryption technique to transfer data
securely at the transport layer for MQTT.
• The results reveal an enhancement in
packet delivery ratio (PDR) and energy
utilization.
• No security analysis or performance
review of the proposed scheme
• The proposed scheme does not
account for broker bridging, which
occurs when brokers contact one
another to transfer messages between
MQTT clients.

18
M. Saqib and A.H. Moon
• Does the protocol encrypt anything that could be sent in plain
text without compromising security?
6.3. Scyther
Scyther tool is used for automatically verifying, falsifying, and
analyzing security protocols (Cremers, 2008). The tool includes a
graphical user interface that aids protocol verification and compre-
hension. It is employed to
• Check the security protocol written in Scyther for correctness.
• Conduct security protocol analysis to identify potential attacks
and vulnerabilities and the ability to detect a variety of attack
types.
• For each attack, create a graph corresponding to the asserted
claim.
Security Protocol Description Language is the protocol writing
language used in Scyther. The Scyther tool can be used in 3 differ-
ent ways:
v To determine whether the protocol description’s security claims
are true or false.
v To develop and validate appropriate security claims for a proto-
col automatically.
v To conduct a complete characterization of the protocol to ana-
lyze it.
The three modes are as follows:
a. Claim Verification: Scyther’s input language supports the se-
curity specification properties concerning claim events; for in-
stance, in a role specification, one can assert that a given value
is confidential or those specified properties maintain for au-
thentication for communication partners. Scyther enables the
verification or falsification of these properties.
b. Automatic Claims: Scyther may generate security claims auto-
matically if the protocol specification does not provide them.
Following each role, authentication claims assert that the ap-
parent communication partners must follow the protocol’s re-
quirements. For all locally produced values (nonces) and vari-
ables, confidentiality claims are added. Scyther then applies the
same analysis to the enhanced protocol description as in the
former scenario. This allows users to easily examine the prop-
erties of a protocol.
c. Characterization: The protocol role is "characterized" for pro-
tocol analysis. Scyther can analyze the protocol and generate a
finite trace representation containing the protocol role’s execu-
tion. This representation typically consists of no more than a
few execution patterns. Manually evaluating these patterns en-
ables rapid identification of potential protocol problems and, if
necessary, protocol modification.
6.4. Automated validation of internet security protocols and
applications (AVISPA)
AVISPA was introduced by Armando et al. (Armando et al.,
2005) as a toolkit for validating and evaluating Internet Secu-
rity Protocols and Applications. The authors assessed the specifi-
cations of numerous standardized industrial-scale security proto-
cols to demonstrate proof of concept (Vigano, 2006). AVISPA is a
role-based programming language where each agent performs a
distinctive function during the execution of the protocol. Through
the High-Level Protocol Specification Language, the AVISPA tool en-
ables the definition and specification of security protocols (HLPSL).
The primary aim of High-Level Protocol Specification Language is
to offer a mechanism for authenticating the security properties
19
Computers & Security 125 (2023) 103053
of agent-to-agent message exchanges, such as authentication and
secrecy of data. The HLPSL specification includes a separate sec-
tion dubbed the goal section that defines the security properties.
Therefore, the security protocol is evaluated to determine whether
it is SAFE or not based on predefined goals. The HLPSL2IF con-
verter automatically transforms HLPSL specifications into the In-
termediate Format, a lower-level language (IF). The fundamental
goal of these translations and the design of the IF language is
to offer and aid with appropriate input to many back-ends of
the AVISPA toolset. The following are some of AVISPA’s back-end
tools:
a. On-the-Fly Model-Checker: The OFMC performs demand-driven
state space exploration by utilizing various symbolic methods
and algebraic properties.
b. Constraint-Logic-based Attack Searcher: The CL-AtSe translates
any security protocol definition expressed in the IF language as
a transition related to a set of constraints that may be used to
effectively determine any protocol attacks.
c. SAT-Based Model Checker: The SATMC creates a propositional
formula from an Intermediate Format specification’s Transi-
tional state. The propositional formula represents any violation
of the security properties to be converted into an attack.
d. Tree Automata Automatic Approximations for the Analysis of
Security Protocol: Using an accurate estimation of the capabili-
ties of intruders, the TA4SP identifies a protocol’s susceptibility
or predicts its accuracy.
6.5. Real-or-Random (ROR) model
The Real-or-Random (Abdalla et al., 2005) model is a function
used to map all possible inputs and outputs randomly. The Real-or-
Random model is a well-known technique for proving a protocol’s
security (Banerjee et al., 2019).
7. Computational, communication overhead, and energy
consumption
The following section compares the overhead of various
lightweight authentication schemes’ computational, communica-
tion, and energy consumption. Tbp , Tecm , Teca , Tf , and Tse denote the
time required to compute "bilinear pairing", "Elliptical curve point
multiplication", "Elliptical curve point addition", "fuzzy extractor oper-
ation for biometric verification", "hashing operations", and "symmetric
encryption/decryption", respectively. Because registration and pass-
word change are not repeated, only the costs related to login and
authentication are considered and compared. Since the exclusive
OR operation takes so little time to execute, it has been excluded
from the computation cost calculation. Table 2 lists each crypto-
graphic operation’s computation time and notations based on ex-
perimental results (Wu et al., 2021).
Table 3 displays the comparison of various authentication
schemes based on computational overhead.
Table 4 summarizes the communications overheads and the
message exchange rates for the different authentication schemes.
For communication cost comparison, ECC point multiplication is
assumed to be 320 bits, a cryptographic hash function of 160 bits,
and an identity of 160 bits. Similarly, random number and times-
tamp output sizes are 160 bits and 32 bits, respectively. Further-
more, the symmetric cryptography block size is 128 bits.
Table 5 shows authentication schemes comparison based on
energy consumption. The battery consumption model is used
from (Shnayder et al., 2004), in which the energy required to
send and receive a bit is assumed to be 4.602 mJ and 2.34 mJ
(Karuppiah et al., 2019).
M. Saqib and A.H. Moon Computers & Security 125 (2023) 103053

Table 2
Time requisite for different cryptographic operations.

Notation Description Computation time (in milliseconds)

Tbp Bilinear pairing 11.43 ms

Tm Elliptic curve scalar point multiplication 8.8 ms
Tf ∼ Th Fuzzy extractor function 0.0058 ms
Th Hash function 0.0058 ms
Tpa Elliptic curve point addition 0.057 ms
Tse Symmetric 18.37 ms

Table 3
Comparative analysis of computations performed during the login and authentication phases.

Elliptical Elliptical Symmetric Fuzzy

Hashing curve point curve point encryption/ extractor Bilinear Total time in
Schemes operations multiplication addition decryption operation pairing Total cost milliseconds

(Xue et al., 2013) 20 – – – – – 20Th 0.116 ms

(Turkanović et al., 2014) 7 – – 6 – – 7Th +6Tse 110.26 ms
(Kalra and Sood, 2015) 9 7 – – – – 9Th +7Tm 61.65 ms
(Porambage et al., 2015) 18 15 4 – – – 18Th +15Tm +4Tpa 132.33 ms
(Choi et al., 2016) 26 4 – 4 1 – 26Th +4Tm +4Tse 108.83 ms
(Challa et al., 2017) 12 14 – – – – 12Th +14Tm 123.26 ms
(M. Wazid et al., 2017) 22 – – 8 1 – 22Th +8Tse +1Tf 147.09 ms
(Li et al., 2017) 19 3 – 8 1 – 19Th +3Tm +8Tse +1Tf 173.47 ms
(Kumari et al., 2018) 7 8 – – – – 7Th +8Tm 70.44 ms
(Das et al., 2018) 30 – – – 1 – 30Th +1Tf 0.179 ms
(Yu and Li, 2019) 26 47 – – – 4 26Th +47Tm +4Tbp 459.47 ms
(Renuka et al., 2019) 27 26 – – – – 27Th +26Tm 228.95 ms
(Naoui et al., 2019) 26 4 – 7 – – 26Th +4Tm +7Tse 163.94 ms
(Ma et al., 2019) 19 17 – – 1 – 19Th +17Tm 149.71 ms
(Banerjee et al., 2020) 26 – – – 1 – 26Th +1Tf 0.156 ms

8. Network security assessment

Table 4
Comparative analysis based on Communicational Overhead.
Schemes
(Xue et al., 2013)
(Turkanović et al., 2014)
(Kalra and Sood, 2015)
(Porambage et al., 2015)
(Challa et al., 2017)
(M. Wazid et al., 2017)
(Li et al., 2017)
(Kumari et al., 2018)
(Das et al., 2018)
(Yu and Li, 2019)
(Ma et al., 2019)
(Karuppiah et al., 2019)
(Fakroon et al., 2020)
(Bhuarya et al., 2021)
Sahoo et al., (Sahoo et al., 2021)
Table 5
Comparative analysis based on energy consumption.
Schemes
(Xue et al., 2013)
Turkanovic et al., (Turkanović et al., 2014)
Kalra et al., (Kalra and Sood, 2015)
Porambage et al., (Porambage et al., 2015)
Challa et al., (Challa et al., 2017)
Wazid et al., (M. Wazid et al., 2017)
Li et al., (Li et al., 2017)
Kumari et al., (Kumari et al., 2018)
Das et al., (Das et al., 2018)
Yu et al., (Yu and Li, 2019)
Ma et al., (Ma et al., 2019)
Karuppiah et al., (Karuppiah et al., 2019)
Fakroon et al., (Fakroon et al., 2020)
Bhuarya et al., (Bhuarya et al., 2021)
Sahoo et al., (Sahoo et al., 2021)
No. of Messages No. of bits
4 1984
4 2720
3 1760
4 2688
3 2528
4 2592
4 2688
3 1760
3 1536
8 8576
4 3200
2 1984
3 2528
3 1280
4 1312
Total Energy Consumption
9.130 mJ
12.517 mJ
8.099 mJ
12.370 mJ
11.633 mJ
11.928 mJ
12.370 mJ
8.099 mJ
7.068 mJ
39.466 mJ
14.726 mJ
9.130 mJ
11.633 mJ
5.890 mJ
6.037 mJ
The following are typical methods for assessing network secu-
rity:
bits
bits 8.1. Vulnerability scanner
bits
bits Using vulnerability scanners is an efficient approach to detect-
bits
ing various devices connected to a network. This might be consid-
bits
bits
ered a beneficial IoT testing tool for improving IoT security. In con-
bits junction with a regular scanning schedule, a vulnerability scanner
bits can detect known flaws in linked devices.
bits
bits 8.2. Penetration testing
bits
bits
bits Penetration testing is a technique for evaluating the security
bits of a system or computer network by simulating an attack. Pen-
etration testing has been shown to help assist with network se-
curity challenges. Penetration testing techniques are not only fo-
cused on applications but can also be applied to networks and op-
erating systems to discover and then exploit flaws discovered in
prior evaluations of particular technologies. The Penetration Test-
ing Methodology Overview for Internet of Things is shown in Fig. 6
(Gupta, 2019).
Penetration testing is classified into three types:
a. Black-Box Penetration testing: Black-Box Penetration testing is
without knowledge of an organization’s systems or networks
b. White-Box Penetration Testing: White-Box Penetration Testing
is based on an organization’s infrastructure information.
c. gray-Boxing Penetration Testing: It is a penetration test that
combines black-box and white-box techniques (Satria et al.,
2018).
8.3. Common vulnerability scoring system (CVSS)
According to (Johnson et al., 2016), the CVSS is a metric-based
vulnerability scoring system that was first proposed by the Na-

20
M. Saqib and A.H. Moon
Fig. 6. Penetration Testing Methodology Overview for IoT.
tional Infrastructure Advisory (NIAC) and then built by the Forum
of Incident Response and Security Teams (FIRST). CVSS aims to give
a method for determining the severity of vulnerabilities. Essen-
tially, the CVSS strategy is predicated on these vulnerabilities’ im-
pacts or characteristics. A CVSS is made up of three metrics: base,
temporal, and environmental. According to CVSS V2.0, the base met-
rics are Access Vector, Access Complexity, Authentication, Confidential-
ity, Integrity, and Availability (Rufi, 2006). This gives the vulnera-
bility’s intrinsic characteristics. The Base metric is used to access
vulnerabilities based on their exploitability, impact, and scope, re-
vealing the extent to which a vulnerability can cause change when
attacked. The temporal metric emphasizes the vulnerability’s char-
acteristic as it changes over time, whereas environmental metrics
depict the vulnerability’s characteristics based on how unique they
are to the user environment (Maghrabi et al., 2016).
a Combining CVSS Scores
The method for calculating an aggregate score per device that
can encapsulate the total security risk indicated by a set of CVSS
scores and be used to measure risk reduction efforts.
The strategy would take into account the following realities
(https):
• The device’s risk must directly match its greatest severity find-
ing.
• The greater the number of findings, the higher the overall risk
score should be.
• The severity of ALL findings should be considered and repre-
sented in the overall score.
Riskdevice = F ∗ (H + A )
The total risk of a device is determined by the number and
severity of vulnerabilities connected with it.
Where:
• F denotes the number of findings consolidated into a single
score {0-}
• H is the greatest severity rating of the aggregated findings {0 –
10}
• A is the average severity of the pooled findings {0 – 10}
Due to the infinite number of findings, the resulting value can-
not be normalized and is a non-negative rational number.
a CVSS Scores for the Entire Network
Instead of comparing individual device aggregate scores, it is
more useful to broaden the computation to include multiple de-
vices:
Risknetwork = F ∗ (H + A )/N
A network’s aggregated risk is a ratio of the number and sever-
ity of vulnerabilities connected to the number of network nodes.
As the network grows, this approach dilutes the significance of the
number of discoveries. For example, this reflects the reality that
the risk of ten findings on a single node is greater than the risk of
ten findings in a network of 100 nodes.
21
Computers & Security 125 (2023) 103053
9. Network simulator tools
Based on a decade’s worth of research on IoT security, the most
frequently used tools are Cooja and Network simulator NS3. These
tools are beneficial for assessing the performance of Internet of
Things protocols.
9.1. Cooja
The Contiki Operating System, an embedded operating system
that is network-centric and focuses on Internet of Things sensor
networks, powers Cooja, a network simulator (Romdhani et al.,
2016). It is used to evaluate the performance of applications, net-
works, and protocols connected to the Internet of Things. IoT appli-
cation development and testing are made simpler and faster with
the Cooja network simulator. Contiki is a C-based operating sys-
tem optimized for sensor nodes with limited resources. Cooja is a
graphical user interface-based simulator that enables users to cre-
ate simulation applications easily. The cooja simulator includes the
following windows for interacting with the node:
a Network widow: The Network window displays the network
mote’s layout and can be extensively customized to display var-
ious network traffic and factors.
b Simulation Control window: This window allows viewing the
simulation’s time and speed and starting, pausing and stopping
it. Additionally, this window allows for a complete reload of the
simulation, though other options exist.
c Mote Output window: The Mote Output window displays the
output window for the motes. This is especially useful in more
complex networks requiring finer-grained results analysis. The
mote’s actual source code can be modified at various levels, re-
sulting in the appearance of messages in this window. Addi-
tionally, any print messages used to determine the flow of the
code will be included here.
d Timeline window: The Timeline window displays events over
time.
e Collect view: The collect view can be used to analyze network
performance in terms of Packet Delivery Ratio (PDR), Latency,
Throughput Node Power Consumption, Packet Drop, Received Sig-
nal Strength (RSS), and Link Quality Indicator (LQI). Contiki sup-
ports protocols such as MQTT, 6LoWPAN, Rime, RPL, and CoAP
via packages.
As a result, the cooja simulator is used to test the performance
of real-time applications that interface directly with protocols.
9.2. Network simulator (NS3)
NS-3 is open, extensible networking research and edu-
cation platform employing discrete-event network simulation
(nsnam.org 2018). NS-3 can provide a simulation engine that al-
lows users to efficiently simulate the real system, concentrating
on the Internet protocols and network modeling. When develop-
ing in C++ or Python, NS-3 can be used with external animators,
data analysis, and visualization tools. The NS-3 allows for studying
complex network parameters such as end-to-end delay, network
throughput, packet loss, latency, and packet delivery ratio.
M. Saqib and A.H. Moon
The following modules are used in NS-3: (Selinis, 2014)
a Node: In NS-3, a node is the basic computing device that may
be expanded with numerous functionality. Depending on the
demands of the simulated network, any number of nodes can
be generated and maintained using a NodeContainer.
b Application: In NS-3, an application is a user-written pro-
gram that generates a simulated activity. UdpEchoClientApplica-
tion and UdpEchoServerApplication are two subclasses of Appli-
cations used to implement UDP client and server applications.
c Channeling: A channel is the medium through which data
is transmitted. A CsmaChannel represents a wired network,
whereas a WifiChannel represents a wireless medium. The user
can modify the channel properties, such as bandwidth and
propagation loss.
d Network Device: A Network Interface Card is installed on a
node to enable communication with other nodes and network
connectivity. NetDevices is responsible for managing these pe-
ripheral cards. CsmaNetDevice, WifiNetDevice, and PointToPoint-
NetDevice are all examples of these optimized NetDevices.
e Topology Helpers: Topology Helpers connect the elements that
the user creates, such as Nodes, Channels, and NetDevices. The
Topology Helpers simplify the task of creating NetDevices, at-
taching them to Nodes, connecting them to Channels, and con-
figure protocol stacks on Nodes.
v NodeContainer: NodeContainer offers the user a variety of
node creation and management options. When a node is
created, it is purposeless. To connect the newly constructed
network nodes, the user constructs a topology. A point-to-
point connection between 2 nodes is the simplest type of
network that ns-3 can make.
v PointToPointHelper: In reality, the Channel and NetDevice
objects correspond to a network cable and a peripheral card,
respectively. To configure and connect NS-3 PointToPoint-
NetDevice and PointToPointChannel objects, a single PointTo-
PointHelper object is used. The PointToPointNetDevice has the
attribute "DataRate", whereas the PointToPointChannel has a
"Delay" attribute. Both attributes, in this example, PointTo-
PointHelper, can be defined using the appropriate Topology
Helper. It assists the user with device creation, configuration,
and installation.
v NetDeviceContainer: Like a NodeContainer, a NetDeviceCon-
tainer stores the created NetDevices. Later, procedures such
as Install are used to configure the devices and channels.
Later, the devices and channels are configured using meth-
ods such as Install. After that, devices are programmed to
communicate data at a specified rate over the specified
channel.
v InternetStackHelper: After configuring the nodes and de-
vices, they need to be configured with protocol stacks. Each
node created with this Helper can be configured to use any
Internet Stack, such as Transmission Control Protocol (TCP),
Internet Protocol (IP), or User Datagram Protocol (UDP).
v Ipv4AddressHelper: The established node’s devices must
now be assigned IP addresses. The user’s only input required
to perform this address assignment function is a base Inter-
net Protocol address and a network mask.
10. Key challenges
IoT deployments vary by application, ranging from smart health
to critical cyber-physical systems and their different security con-
cerns need to be addressed in order to overcome the existing IoT
adoption impediments. It is recommended to incorporate security
design principles at an early stage of the design process. The key
challenges are as follows:
22
Computers & Security 125 (2023) 103053
10.1. Interoperability
The major hurdle to organizations adopting this technology is
interoperability, which encompasses syntactic, semantic, and cross-
domain interoperability (Megouache et al., 2020). Businesses must
apply several tactics, including operational, tactical, and strategic
trials and technological trials, which require more time and delay
the product’s early market introduction, to deploy these factors en-
tirely without error and guarantee QoS. Due to the lack of a uni-
form design, each device must select its architecture based on its
requirements, increasing algorithm and device complexity. Provid-
ing intelligence to devices using various current technologies and
intelligent algorithms enables them to detect and respond to other
devices and services automatically. Use semantic web technologies
and related application programming interfaces to prioritize cross-
domain interoperability. Context-adaptive workflow management
is a critical enabler technology for realizing the user-centric vision
(Ahmad et al., 2019). There is no common standard for IoT device
interoperability, and most tasks are either organization-specific or
de facto.
10.2. Security and privacy
Because IoT has become an essential component of the inter-
net’s future with rising usage, it demands the necessity to address
security and trust functions appropriately. Researchers are aware of
the flaws that exist in many IoT devices nowadays. Various threats
and flaws in IoT systems demonstrate the necessity for compre-
hensive security designs that safeguard data and systems from end
to end. Many attacks often use flaws in specific devices to gain
access to their systems and, as a result, make safe devices suscep-
tible (Daia et al., 2018). This security gap further stimulates com-
plete security solutions, which include efficient applied cryptogra-
phy research for data and system security, non-cryptographic secu-
rity techniques, and frameworks that assist developers in develop-
ing secure systems on heterogeneous devices.
10.3. Using emerging naming and addressing for IoT identity
management
Each device requires a unique identifier to communicate over
the network. As a result, a technique for assigning a unique iden-
tifier to each network object is needed (Matharu et al., 2014). In
the early days of the Internet of Things, IPv4 was used to issue a
unique identifier to each network node. As the number of Internet
of Things devices grows, IPv6 addresses are assigned. Named Data
Networking is one of the next-generation network architectures
that can be used for naming and addressing in Internet of Things
applications. IPv4 and IPv6 addresses can be substituted by named
data objects in the Internet of Things. Named Data Networking has
been mentioned by several academics (Datta and Bonnet, 2016) in
IoT architecture. Additional research in this topic can be performed
as the Internet evolves to a more content-centric design.
10.4. Blockchain of things (BCoT): a hybrid of blockchain technology
with the IoT
The Internet contains several unsecure features that make IoT
devices vulnerable to attacks. Researchers develop and optimize
the Internet of Things device network regarding network security
and algorithms, which still lack an effective way of preventing at-
tacks and privacy leaks. Blockchain technology is expected to be a
potential approach to address data security issues in the Internet of
Things (Zhang et al., 2020). Blockchain can record historical data by
constructing a collectively maintained and tamper-resistant public
ledger to assure the security and dependability of data kept in a
M. Saqib and A.H. Moon
distributed network. The blockchain can be thought of as a form
of decentralized distributed database that is not controlled by any
entity or authority (Matharu et al., 2014). It has the potential to
deliver innovative solutions to many industries, including informa-
tion tracing and privacy protection.
IoT and Blockchain, according to Miraz, can mutually reinforce
each other by addressing their fundamental architectural limita-
tions (J. Wang et al., 2020). The inherent security, immutabil-
ity, trust, and transparency of blockchain are the primary rea-
sons for its adoption in nonmonetary applications. These features
are enabled via blockchain’s consensus mechanism and Distributed
Ledger Technologies (DLTs), which rely largely on participating
nodes. As a result of the combination of these two technologies,
Blockchain and the Internet of Things (IoT), a new concept known
as the Blockchain of Things (BCoT) is created, in which blockchain
strengthens IoT by adding an extra layer of security, while IoT
"things" can serve as participating nodes in blockchain ecosystems
(Miraz, 2020). As a result, blockchain-enabled IoT networks will
improve overall security while mutually benefiting.
10.5. Authentication and authorization
Authenticating users can be done in various ways. Alternative
methods include digital signature, access cards, voice recognition,
retina scans, fingerprints, and the traditional login and password.
Authorization can also be accomplished through access control. It
is a security approach that regulates and manages who or what has
access to or uses a system’s resources. Because of the large number
of objects in the network, it has become complex. As a result, tra-
ditional authentication and authorization approaches have failed in
large networks. Because of the one-time registration, multi-server
authentication allows you to access services from different servers
via a trusted agent. Users are generally hesitant to register them-
selves separately with all service providers due to the difficulty
of remembering several passwords. The multi-server authentica-
tion enables speedy access to services through real-time consumer
validation across the public channel (Akram et al., 2020). A new
paradigm for providing authentication and data integrity in a dis-
tributed and interoperable environment that enables identity au-
thentication and interoperability with processes operating on dif-
ferent cloud providers has been suggested (Tang et al., 2008).
10.6. Discovering new internet of things applications in DTN and CCN
The Internet of Things connects physical things by enabling
them to sense, compute, and communicate. Traditional IoT commu-
nication can be enhanced by including delay tolerance, which al-
lows objects to communicate even when connectivity is disrupted.
As a result, designing IoT applications that can withstand delays
is a fascinating field of research. Similarly, as Internet applications
shift toward peer-to-peer (P2P) Content-Centric Network (CCN) ap-
proaches (M. Saqib et al., 2020), academics must consider how IoT
may integrate into such a situation.
11. Conclusion and future opportunities of IoT
This research endeavor demonstrates the Systematic Review
of Literature (SLR) to highlight the importance of authentica-
tion in a typical resource constraint network like IoT from a re-
searcher’s perspective. The protocol provided by Kitchenham and
Charters was employed to carry out the SLR. Various authentica-
tion frameworks developed for IoT were reviewed, analyzed, and
benchmarked against quality performance parameters like compu-
tational, communication overhead, and energy consumption costs.
The paper brings out the prevalent security and privacy concerns,
23
Computers & Security 125 (2023) 103053
security threats, and available countermeasures in an IoT environ-
ment proposed in the form of numerous authentication schemes
distinct from one another and applicable to multiple domains. We
followed a meticulous and systematic process to obtain the stud-
ies for analysis in this paper. The formal verification analysis per-
formed on the authentication schemes by the various verification
tools such as Proverif, BAN logic, Scyther, AVISPA, and ROR model
is also described. Finally, the paper discusses the typical meth-
ods for assessing network security and network simulator tools
used to evaluate the authentication scheme’s performance param-
eters. While these IoT authentication schemes have led to a se-
cure design, they still have flaws that must be addressed in terms
of computational, communication overhead, energy consumption
costs, session key negotiation, resilience to cryptographic attacks,
and mutual authentication between nodes to guarantee greater se-
curity and privacy. As a result, additional research in this area is
necessary, as developing a robust authentication scheme remains
an open question.
11.1. Future opportunities
This part will discuss the future potential for enabling depend-
able IoT applications. We address three critical prospects for im-
proving the reliability of future IoT applications. Machine learning
techniques, blockchain-enabled security and 6 G communications
are among the opportunities.
(a). Machine Learning Methods
Because future IoT applications will produce a significant quan-
tity of data, effective machine learning techniques will be required
to analyze the data and gain meaningful visions to increase IoT re-
liability (Mittal et al., 2021). Many machine learning algorithms ap-
ply to IoT applications. Some of them are as follows:
➢ Regression-based techniques: Many critical metrics in IoT can
be predicted using regression-based algorithms. Regression can
be used to forecast data flow and network load.
➢ Reinforcement learning techniques: These can be used in the
Internet of Things to improve resource allocation and load bal-
ancing. Optimal behaviours like transmission power selection,
job offloading ratios and cache location in fog nodes can be de-
termined using reinforcement learning algorithms.
➢ Classification techniques: Classification techniques, such as the
k-nearest neighbor and decision trees, can be used to solve
problems such as anomaly detection for increased security. Ma-
licious nodes can target IoT nodes by sharing misleading data
or blocking signals. As a result, recognizing anomalous traffic is
crucial for ensuring the stability of the IoT network.
(b). Blockchain-Enabled Security
For IoT applications, robust security techniques must be devel-
oped. Some IoT applications, such as health monitoring and data
exchange for vehicle safety, are critical. As a result, attacks on these
applications may raise concerns about human safety. Because of its
distributed record-keeping and proof-of-work method, blockchain
is an efficient technique that may assure safe data transmission
(Jameel et al., 2020). While blockchain technology has many appli-
cations in the Internet of Things, significant difficulties like mining
task computation and consensus algorithm selection require addi-
tional investigation. Furthermore, the amount of energy required to
mine blockchain transactions is a significant hurdle that must be
overcome by developing energy-efficient algorithms. IoT can bene-
fit from blockchain-based smart contracts, which have applications
in supply chain, healthcare, and industrial automation. However,
more research is needed to assess the performance and security
of a blockchain-enabled smart contract (Ngabo et al., 2021).
(c). 6 G Communications and Reconfigurable Intelligent Surfaces
(RISs) for IIoT
M. Saqib and A.H. Moon
6 G communications will be a critical enabler for future IoT
applications. Enhancing communications in terms of feasible data
rate, enhanced MIMO techniques, packet delivery ratio, latency and
jitter can result in reliable data dissemination across IoT nodes.
6 G will dramatically increase end-to-end communications be-
tween multiple IoT-enabled nodes by utilizing terahertz commu-
nications, Reconfigurable Intelligent Surfaces (RISs) and massive
computing. RISs shall strongly emerge as a potential alternative
to large scale phased antenna arrays requiring complex feeding
networks and many high resolution phase shifters especially for
Industrial Internet of Things (IIoT). Further developments in IoT
leveraging RISs, Artificial Intelligence along with harnessing pho-
tovoltaic energy holds lot of promise in developing futuristic ubiq-
uitous intelligent environment to acquire sensory data.
Declaration of Competing Interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in the paper entitled “A Systematic Se-
curity Assessment and Review of Internet of Things in the context
of Authentication”
Data availability
The data that has been used is confidential.
Data Availability Statement
This paper does not require data sharing because no datasets
were generated or analysed during the current study.
References
Aazam, M., St-Hilaire, M., Lung, C.H., Lambadaris, I., 2016. PRE-Fog: ioT trace based
probabilistic resource estimation at Fog. In: 2016 13th IEEE Annual Consumer
Communications & Networking Conference (CCNC). IEEE, pp. 12–17.
Abdalla, M., Fouque, P.A., Pointcheval, D., 2005. Password-based authenticated key
exchange in the three-party setting. In: International Workshop on Public Key
Cryptography. Springer, Berlin, Heidelberg, pp. 65–84.
Abdmeziem, M.R., Tandjaoui, D., 2014. A cooperative end to end key management
scheme for e-health applications in the context of internet of things. In: Inter-
national Conference on Ad-Hoc Networks and Wireless. Springer, Berlin, Heidel-
berg, pp. 35–46.
Ahmad, A., Cuomo, S., Wu, W., Jeon, G., 2019. Intelligent algorithms and standards
for interoperability in Internet of Things. Future Gen. Comp. Syst. 92, 1187–1191.
Airehrour, D., Gutierrez, J., Ray, S.K., 2016. Secure routing for internet of things: a
survey. J. Netw. Comput. Appl. 66, 198–213.
Akhunzada, A., Gani, A., Anuar, N., Abdelaziz, A., Khan, M., Hayat, A., Khan, S., 2016.
Secure and dependable software defined networks. J. Netw. Comput. Appl. 61,
199–221.
Akram, M.A., Ghaffar, Z., Mahmood, K., Kumari, S., Agarwal, K., Chen, C.M., 2020.
An anonymous authenticated key-agreement scheme for multi-server infras-
tructure. Human-centric Comput. Inform. Sci. 10 (1), 1–18.
Alizai, Z.A., Tareen, N.F., Jadoon, I., 2018. Improved IoT device authentication scheme
using device capability and digital signatures. In: 2018 International Conference
on Applied and Engineering Mathematics (ICAEM). IEEE, pp. 1–5.
Alotaibi, M., 2018. An enhanced symmetric cryptosystem and biometric-based
anonymous user authentication and session key establishment scheme for WSN.
IEEE Access 6, 70 072–70 087.
Aman, M.N., Basheer, M.H., Sikdar, B., 2018. Two-factor authentication for IoT with
location information. IEEE Internet Things J 6 (2), 3335–3351.
Amin, R., Biswas, G.P., 2016. A secure light weight scheme for user authentication
and key agreement in multi-gateway based wireless sensor networks. Ad Hoc
Netw 36, 58–80.
Amin, R., Islam, S.H., Kumar, N., Choo, K.K.R., 2018. An untraceable and anonymous
password authentication protocol for heterogeneous wireless sensor networks.
J. Netw. Comput. Appl. 104, 133–144.
Amoretti, M., Pecori, R., Protskaya, Y., Veltri, L., Zanichelli, F., 2020. A scalable and
secure publish/subscribe-based framework for industrial IoT. IEEE Trans. Ind. Inf.
17 (6), 3815–3825.
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuéllar, J.,
Drielsma, P.H., Héam, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S.,
2005. The AVISPA tool for the automated validation of internet security pro-
tocols and applications. In: International conference on computer aided verifi-
cation. Springer, Berlin, Heidelberg, pp. 281–285.
24
Computers & Security 125 (2023) 103053
Ayoade, G., Karande, V., Khan, L., Hamlen, K., 2018. Decentralized IoT data man-
agement using blockchain and trusted execution environment. In: 2018 IEEE
International Conference on Information Reuse and Integration (IRI). IEEE,
pp. 15–22.
Bae, W.I., Kwak, J., 2020. Smart card-based secure authentication protocol in multi-
-server IoT environment. Multimed. Tools Appl. 79 (23), 15793–15811.
Banerjee, S., Odelu, V., Das, A.K., Srinivas, J., Kumar, N., Chattopadhyay, S.,
Choo, K.K.R., 2019. A provably secure and lightweight anonymous user authen-
ticated session key exchange scheme for Internet of Things deployment. IEEE
Internet Things J 6 (5), 8739–8752.
Banerjee, S., Odelu, V., Das, A.K., Chattopadhyay, S., Park, Y., 2020. An efficient,
anonymous and robust authentication scheme for smart home environments.
Sensors 20 (4), 1215.
Bendavid, Y., Bagheri, N., Safkhani, M., Rostampour, S., 2018. IoT device security:
challenging “a lightweight rfid mutual authentication protocol based on physical
Unclonable function. Sensors 18 (12), 4444.
Bhuarya, P., Chandrakar, P., Ali, R., Sharaff, A., 2021. An enhanced authentication
scheme for Internet of Things and cloud based on elliptic curve cryptography.
Int. J. Commun. Syst. 34 (10), e4834.
Blanchet, B., 2001. An efficient cryptographic protocol verifier based on prolog rules.
CSFW 1, 82–96.
Blazquez, A., Tsiatsis, V., Vandikas, K., 2015. Performance evaluation of openid con-
nect for an iot information marketplace. In: 2015 IEEE 81st Vehicular Technol-
ogy Conference (VTC Spring). IEEE, pp. 1–6.
Chae, C., Choi, K., Choi, K., Yae, Y., Shin, Y., 2015. The Extended Authentication Pro-
tocol using E-mail Authentication in OAuth 2.0 Protocol for Secure Granting of
User Access. J. Internet Comput. Serv. 16 (1), 21–28.
Challa, S., Wazid, M., Das, A.K., Kumar, N., Reddy, A.G., Yoon, E.J., Yoo, K.Y., 2017.
Secure signature-based authenticated key establishment scheme for future IoT
applications. IEEE Access 5, 3028–3043.
Chandrakar, P., Om, H., 2018. An extended ECC-based anonymity-preserving 3-fac-
tor remote authentication scheme usable in TMIS. Int. J. Commun. Syst. 31 (8),
e3540.
Chang, Y.-.F., Yu, S.-.H., Shiao, D.-.R., 2013. A Uniqueness-and-Anonymity-Preserving
Remote User Authentication Scheme for Connected Health Care. J. Med. Syst. 37
(2).
Chang, C.C., Hsueh, W.Y., Cheng, T.F., 2016. A dynamic user authentication and key
agreement scheme for heterogeneous wireless sensor networks. Wirel. Pers.
Commun. 89 (2), 447–465.
Chen, L., Wei, F., Ma, C., 2015. A secure user authentication scheme against smart–
card loss attack for wireless sensor networks using symmetric key techniques.
Int. J. Distrib. Sens. Netw. 11 (4), 704502.
Choi, Y., Lee, Y., Won, D., 2016. Security improvement on biometric based authen-
tication scheme for wireless sensor networks using fuzzy extraction. Int. J. Dis-
trib. Sens. Netw. 12 (1), 8572410.
Conti, M., Dragoni, N., Lesyk, V., 2016. A survey of man in the middle attacks. IEEE
Commun. Surv. Tutor. 18 (3), 2027–2051.
Cremers, C.J., 2008. The Scyther Tool: verification, falsification, and analysis of se-
curity protocols. In: International conference on computer aided verification.
Springer, Berlin, Heidelberg, pp. 414–418.
Daia, A.S.A., Ramadan, R.A., Fayek, M.B., AETiC, A., 2018. Sensor networks attacks
classifications and mitigation. Ann. Emerg. Tech. Comput. (AETiC) Print ISSN,
2516-0281.s.
Das, A.K., Sutrala, A.K., Kumari, S., Odelu, V., Wazid, M., Li, X., 2016. An efficient mul-
ti-gateway-based three-factor user authentication and key agreement scheme
in hierarchical wireless sensor networks. Secur. Commun. Netw. 9 (13), 2070–
2092.
Das, A.K., Wazid, M., Kumar, N., Vasilakos, A.V., Rodrigues, J.J., 2018. Biometric-
s-based privacy-preserving user authentication scheme for cloud-based indus-
trial Internet of Things deployment. IEEE Internet Things J 5 (6), 4900–4913.
Das, M.L., 2015. Privacy and security challenges in internet of things. In: Interna-
tional Conference on Distributed Computing and Internet Technology, Cham.
Springer, pp. 33–48.
Datta, S.K., Bonnet, C., 2016. Integrating named data networking in internet of things
architecture. In: 2016 IEEE International Conference on Consumer Electronics–
Taiwan (ICCE-TW). IEEE, pp. 1–2.
de Meulenaer, G., Gosset, F., Standaert, F.-.X., Pereira, O., 2008. On the energy cost of
communication and cryptography in wireless sensor networks. In: Proceedings
of the 2008 IEEE International Conference on Wireless and Mobile Computing,
Networking and Communications. Avignon, France October.
Deebak, B.D., 2020. Lightweight authentication and key management in mobile-sink
for smart IoT-assisted systems. Sustain. Cities Soc. 63, 102416.
Dhillon, P.K., Kalra, S., 2017. Secure multi-factor remote user authentication scheme
for Internet of Things environments. Int. J. Commun. Syst. 30 (16), e3323.
El-Hajj, M., Fadlallah, A., Chamoun, M., Serhrouchni, A., 2019. A survey of internet
of things (IoT) authentication schemes. Sensors 19 (5), 1141.
Emerson, S., Choi, Y.K., Hwang, D.Y., Kim, K.S., Kim, K.H., 2015. An OAuth based
authentication mechanism for IoT networks. In: 2015 International Confer-
ence on Information and Communication Technology Convergence (ICTC). IEEE,
pp. 1072–1074.
Fakroon, M., Alshahrani, M., Gebali, F., Traore, I., 2020. Secure remote anonymous
user authentication scheme for smart home environment. Internet of Things 9,
100158.
Farash, M.S., Turkanović, M., Kumari, S., Hölbl, M., 2016. An efficient user authen-
tication and key agreement scheme for heterogeneous wireless sensor network
tailored for the Internet of Things environment. Ad Hoc Netw 36, 152–176.
M. Saqib and A.H. Moon
Farooq, M.U., Waseem, M., Khairi, A., Mazhar, S., 2015. A Critical Analysis on the
Security Concerns of Internet of Things (IoT). Int. J. Comput. Appl. 111 (7), 1–6.
Fernandes, E., Jung, J., Prakash, A., 2016a. Security analysis of emerging smart
home applications. In: 2016 IEEE symposium on security and privacy (SP). IEEE,
pp. 636–654.
Fernandes, E., Paupore, J., Rahmati, A., Simionato, D., Conti, M., Prakash, A., 2016b.
{FlowFence}: practical Data Protection for Emerging {IoT} Application Frame-
works. In: 25th USENIX security symposium (USENIX Security 16), pp. 531–548.
Garg, H., Dave, M., 2019. Securing User Access at IoT Middleware Using Attribute
Based Access Control. In: 2019 10th International Conference on Computing,
Communication and Networking Technologies (ICCCNT). IEEE, pp. 1–6.
Gessner, D., Olivereau, A., Segura, A.S., Serbanati, A., 2012. Trustworthy infrastruc-
ture services for a secure and privacy-respecting internet of things. In: 2012
IEEE 11th international conference on trust, security and privacy in computing
and communications. IEEE, pp. 998–1003.
Ghafir, I., 2016. Social engineering attack strategies and defense approaches. In: 2016
Proceedings of the IEEE International Conference on Future Internet of Things
and Cloud. IEEE, Vienna, Austria, pp. 1–5.
Gomes, S., Pereira, T., Cabral, J., J, Tavares, A., 2017. IIoTEED: an enhanced, trusted
execution environment for industrial IoT edge devices. IEEE Internet Comput.
21 (1), 40–47.
Gope, P., Sikdar, B., 2019. Lightweight and Privacy-Preserving Two-Factor Authenti-
cation Scheme for IoT Devices. IEEE Internet Things J 6 (1), 580–589.
Gubbi, J., Buyya, R., Marusic, S., Palaniswami, M., 2013. Internet of Things (IoT): a
vision, architectural elements, and future directions. Future Gen. Comp. Syst. 29
(7), 1645–1660.
Gupta, A., 2019. The IoT Hacker’s Handbook. Apress, Berkeley, CA.
Hamadeh, H., Chaudhuri, S., Tyagi, A., 2017. Area, energy, and time assessment for a
distributed TPM for distributed trust in IoT clusters. Integration 58, 267–273.
Hernández-Ramos, J.L., Jara, A.J., Marin, L., Skarmeta, A.F., 2013. Distributed capabili-
ty-based access control for the internet of things. J. Internet Serv. Inform. Secur.
(JISIS) 3 (3/4), 1–16.
Hossain, M.M., Fotouhi, M., Hasan, R., 2015. Towards an analysis of security issues,
challenges, and open problems in the internet of things. In: 2015 ieee world
congress on services. IEEE, pp. 21–28.
Hsiang, H.C., Shih, W.K., 2009. Improvement of the secure dynamic ID based remote
user authentication scheme for multi-server environment. Computer Standards
& Interfaces 31 (6), 1118–1123.
https: //affinity-it-security.com/securing-iot-networks-measuring-network-security/
Hussain, S.U., Majzoobi, M., Koushanfar, F., 2016. A built-in-self-test scheme for on-
line evaluation of physical Unclonable functions and true random number gen-
erators. IEEE Trans. Multi-Scale Comput. Syst. 2 (1), 2–16.
itu.int. 11700 www. (n.d.). Y.2069: Terms and definitions for the Internet of things.
[online] Available at: https://www.itu.int/rec/T- REC- Y.2069 [Accessed 19 Apr.
2022].
Jøsang, A., Ismail, R., Boyd, C., 2007. A survey of trust and reputation systems for
online service provision. Decis. Support Syst. 43 (2), 618–644.
Jameel, F., Javed, M.A., Zeadally, S., Jäntti, R., 2020. Efficient mining cluster selection
for blockchain-based cellular V2X communications. IEEE Trans. Intell. Transp.
Syst. 22 (7), 4064–4072.
Jia, Y.J., Chen, Q.A., Wang, S., Rahmati, A., Fernandes, E., Mao, Z.M., Prakash, A., Un-
viersity, S.J., 2017. February. ContexloT: towards Providing Contextual Integrity
to Appified IoT Platforms. In NDSS 2 (2), 2 VolNo2.
Jing, Q., Vasilakos, A.V., Wan, J., Lu, J., Qiu, D., 2014. Security of the Internet of
Things: perspectives and challenges. Proc. 8th Int. Conf. Transparent Opt. Net-
works, 5th Eur. Symp. Photonic Cryst., 5th Workshop All-Opt. Routing, 3rd
Global Opt. Wireless Networking Semin., 2nd COST 270 Workshop Reliab. Is-
sues Next Gener. Opt. Networks, 2nd Photonic Integr. Compon. Appl. Workshop
20 (8), 2481–2501.
John Walker, S., 2014. Big Data: a Revolution That Will Transform How We Live,
Work, and Think. Int. J. Advert. 33 (1), 181–183.
Johnson, P., Lagerström, R., Ekstedt, M., Franke, U., 2016. Can the common vulnera-
bility scoring system be trusted? a bayesian analysis. IEEE Trans. Depend. Secure
Comput. 15 (6), 1002–1015.
Kalra, S., Sood, S.K., 2015. Secure authentication scheme for IoT and cloud servers.
Pervasive Mob. Comput. 24, 210–223.
Kang, D., Jung, J., Kim, H., Lee, Y., Won, D., 2018. Efficient and secure biomet-
ric-based user authenticated key agreement scheme with anonymity. Secur.
Commun. Netw. 2018.
Karlof, C., Wagner, D., 2003. Secure routing in wireless sensor networks: attacks and
countermeasures. Ad Hoc Netw. 1 (2–3), 293–315.
Karuppiah, M., Das, A.K., Li, X., Kumari, S., Wu, F., Chaudhry, S.A., Niranchana, R.,
2019. Secure remote user mutual authentication scheme with key agreement
for cloud environment. Mob. Netw. Appl. 24 (3), 1046–1062.
Katsikeas, S., Fysarakis, K., Miaoudakis, A., Van Bemten, A., Askoxylakis, I., Papaef-
stathiou, I., Plemenos, A., 2017. Lightweight & secure industrial IoT communi-
cations via the MQ telemetry transport protocol. In: 2017 IEEE Symposium on
Computers and Communications (ISCC). IEEE, pp. 1193–1200.
Kaul, S.D., Awasthi, A.K., 2016. Security enhancement of an improved remote user
authentication scheme with key agreement. Wirel. Pers. Commun. 89 (2),
621–637.
Kaur, D., Kumar, D., 2021. Cryptanalysis and improvement of a two-factor user au-
thentication scheme for smart home. J. Inform. Secur. Appl. 58, 102787.
Khan, M.A., Salah, K., 2018. IoT security: review, blockchain solutions, and open
challenges. Future Gen. Comp. Syst. 82, 395–411.
25
Computers & Security 125 (2023) 103053
Kim, H., Lee, E.A., 2017. Authentication and Authorization for the Internet of Things.
IT Prof 19 (5), 27–33.
Kitchenham, B. and Charters, S., 2007. Guidelines for performing systematic litera-
ture reviews in software engineering.
Kothmayr, T., Schmitt, C., Hu, W., Brünig, M., Carle, G., 2012. A DTLS based end–
to-end security architecture for the Internet of Things with two-way authentica-
tion. In: 37th Annual IEEE Conference on Local Computer Networks-Workshops.
IEEE, pp. 956–963.
Kothmayr, T., Schmitt, C., Hu, W., Brünig, M., Carle, G., 2013. DTLS based security
and two-way authentication for the Internet of Things. Ad Hoc Netw. 11 (8),
2710–2723.
Koya, A.M., Deepthi, P.P., 2018. Anonymous hybrid mutual authentication and key
agreement scheme for wireless body area network. Comput. Netw. Chem. Lab.
Symp. 140, 138–151.
Kumari, S., Karuppiah, M., Das, A.K., Li, X., Wu, F., Kumar, N., 2018. A secure authen-
tication scheme based on elliptic curve cryptography for IoT and cloud servers.
J. Supercomput. 74 (12), 6428–6453.
Lesjak, C., Hein, D., Winter, J., 2015. Hardware-security technologies for industrial
IoT: trustZone and security controller. In: IECON 2015-41st Annual Conference
of the IEEE Industrial Electronics Society. IEEE, pp. 0 02589–0 02595.
Li, C.-.T., Hwang, M.-.S., 2010. An efficient biometrics-based remote user authentica-
tion scheme using smart cards. J. Netw. Comput. Appl. 33 (1), 1–5.
Li, Shancang, Zhang, Kewang, 2008. Principle and Application of Wireless Sensor
Network. China Machine Press, M. Beijing, pp. 58–59 Shancang, L., Kewang, Z.,
2008. Principles and applications of wireless sensor networks. Beijing: China
Machine Press.
Li, X., Peng, J., Niu, J., Wu, F., Liao, J., Choo, K.K.R., 2017. A robust and energy efficient
authentication protocol for industrial internet of things. IEEE Internet Things J 5
(3), 1606–1615.
Lu, Y., Xu, G., Li, L., Yang, Y., 2019. Anonymous three-factor authenticated key agree-
ment for wireless sensor networks. Proc. 8th Int. Conf. Transparent Opt. Net-
works, 5th Eur. Symp. Photonic Cryst., 5th Workshop All-Opt. Routing, 3rd
Global Opt. Wireless Networking Semin., 2nd COST 270 Workshop Reliab. Is-
sues Next Gener. Opt. Networks, 2nd Photonic Integr. Compon. Appl. Workshop
25 (4), 1461–1475.
Ma, M., He, D., Wang, H., Kumar, N., Choo, K.K.R., 2019. An efficient and provably se-
cure authenticated key agreement protocol for fog-based vehicular ad-hoc net-
works. IEEE Internet Things J 6 (5), 8065–8075.
Maghrabi, L., Pfluegel, E., Noorji, S.F., 2016. Designing utility functions for game-the-
oretic cloud security assessment: a case for using the common vulnerability
scoring system. In: 2016 International Conference On Cyber Security And Pro-
tection Of Digital Services (Cyber Security). IEEE, pp. 1–6.
Mahalle, P.N., Anggorojati, B., Prasad, N.R., Prasad, R., 2013a. Identity authentication
and capability based access control (iacac) for the internet of things. J. Cyber
Secur. Mobil. 1 (4), 309–348.
Mahalle, P., Anggorojati, B., Prasad, N., Prasad, R., 2013b. Identity Authentication and
Capability Based Access Control (IACAC) for the Internet of Things. J. Cyber Se-
cur. Mobil. 309–348.
Maitra, T., Obaidat, M.S., Islam, S.H., Giri, D., Amin, R., 2016. Security analysis and
design of an efficient ECC-based two-factor password authentication scheme.
In: Secur. Commun. Netw., 9, pp. 4166–4181.
Manyika, J., Chui, M., Brown, B., Bughin, J., Dobbs, R., Roxburgh, C., Hung Byers, A.,
2011. Big data: The next Frontier for innovation, competition, and Productivity.
McKinsey Global Institute.
Maple, C., 2017. Security and privacy in the internet of things. J. Cyber Policy 2 (2),
155–184.
Marchand, C., Bossuet, L., Mureddu, U., Bochard, N., Cherkaoui, A., Fischer, V., 2017.
Implementation and characterization of a physical unclonable function for IoT:
a case study with the TERO-PUF. IEEE Trans. Comput. Aided Des. Integr. Circuits
Syst. 37 (1), 97–109.
Martínez-Peláez, R., Toral-Cruz, H., Parra-Michel, J.R., García, V., Mena, L.J.,
Félix, V.G., Ochoa-Brust, A., 2019. An enhanced lightweight IoT-based authen-
tication scheme in cloud computing circumstances. Sensors 19 (9), 2098.
Matharu, G.S., Upadhyay, P., Chaudhary, L., 2014. The internet of things: challenges
& security issues. In: 2014 International Conference on Emerging Technologies
(ICET). IEEE, pp. 54–59.
Megouache, L., Zitouni, A., Djoudi, M., 2020. Ensuring user authentication and data
integrity in multi-cloud environment. Human-centric Comput. Inform. Sci. 10
(1), 1–20.
Miraz, M.H., 2020. Blockchain of things (BCoT): the fusion of blockchain and IoT
technologies. Adv. Appl. Blockchain Tech. 141–159.
Mitrokotsa, A., Rieback, M.R., Tanenbaum, A.S., 2010. Classification of RFID attacks.
Gen 15693 (14443), 14.
Mittal, M., de Prado, R.P., Kawai, Y., Nakajima, S., Muñoz-Expósito, J.E., 2021. Ma-
chine learning techniques for energy efficiency and anomaly detection in hybrid
wireless sensor networks. Energies 14 (11), 3125.
Moon, A.H., Ummer, K., 2016. Authentication protocols for WSN using ECC and hid-
den generator. Int. J. Comput. Appl. 133 (13), 42–47.
Moon, A.H., Iqbal, U., Bhat, G.M., 2016a. Light weight authentication framework for
WSN. In: 2016 International Conference on Electrical, Electronics, and Optimiza-
tion Techniques (ICEEOT). IEEE, pp. 3099–3105.
Moon, A.H., Iqbal, U., Bhat, G.M., Iqbal, Z., 2016b. Simulating and analyzing RREQ
flooding attack in Wireless Sensor Networks. In: 2016 International Confer-
ence on Electrical, Electronics, and Optimization Techniques (ICEEOT). IEEE,
pp. 3374–3377.
M. Saqib and A.H. Moon
Moon, J., Lee, D., Lee, Y., Won, D., 2017. Improving biometric-based authentication
schemes with smart card revocation/reissue for wireless sensor networks. Sen-
sors 17 (5), 940.
Moosavi, S.R., Gia, T.N., Rahmani, A.M., Nigussie, E., Virtanen, S., Isoaho, J., Ten-
hunen, H., 2015. SEA: a secure and efficient authentication and authorization
architecture for IoT-based healthcare using smart gateways. Procedia Comput.
Sci. 52, 452–459.
Nan, Y., Yang, M., Yang, Z., Zhou, S., Gu, G., Wang, X., 2015. {UIPicker}:{User-Input}
Privacy Identification in Mobile Applications. In: 24th USENIX Security Sympo-
sium (USENIX Security 15), pp. 993–1008.
Naoui, S., Elhdhili, M.H., Saidane, L.A., 2019. Novel Smart Home Authentication Pro-
tocol LRP-SHAP. In: 2019 IEEE Wireless Communications and Networking Con-
ference (WCNC). IEEE, pp. 1–6.
Naveed Aman, M., Taneja, S., Sikdar, B., Chua, K., Alioto, M., 2019. Token-Based Se-
curity for the Internet of Things with Dynamic Energy-Quality Tradeoff. IEEE
Internet Things J 6 (2), 2843–2859.
Ndibanje, B., Lee, H.J., Lee, S.G., 2014. Security analysis and improvements of
authentication and access control in the internet of things. Sensors 14 (8),
14786–14805.
Newsome, J., Shi, E., Song, D., Perrig, A., 2004. The Sybil attack in sensor networks:
analysis & defenses. In: Third international symposium on information process-
ing in sensor networks, 2004. IEEE, pp. 259–268 IPSN 2004.
Ngabo, D., Wang, D., Iwendi, C., Anajemba, J.H., Ajao, L.A., Biamba, C., 2021.
Blockchain-based security mechanism for the medical data at fog computing
architecture of internet of things. Electronics (Basel) 10 (17), 2110.
Nikooghadam, M., Jahantigh, R., Arshad, H., 2017. A lightweight authentication and
key agreement protocol preserving user anonymity. Multimed. Tools Appl. 76
(11), 13401–13423.
nsnam.org. (2018). NS-3.28. [Online]. Available: https://www.nsnam.org
Ogonji, M.M., Okeyo, G., Wafula, J.M., 2020. A survey on privacy and security of
Internet of Things. Comp. Sci. Rev. 38, 100312.
Ostad-Sharif, A., Arshad, H., Nikooghadam, M., Abbasinezhad-Mood, D., 2019.
Three party secure data transmission in IoT networks through design of a
lightweight authenticated key agreement scheme. Future Gen. Comp. Syst. 100,
882–892.
Pongle, P., Chavan, G., 2015. Real time intrusion and wormhole attack detection in
internet of things. Int. J. Comput. Appl. 121 (9).
Porambage, P., Braeken, A., Schmitt, C., Gurtov, A., Ylianttila, M., Stiller, B., 2015.
Group key establishment for enabling secure multicast communication in wire-
less sensor networks deployed for IoT applications. IEEE Access 3, 1503–1511.
Rana, M., Shafiq, A., Altaf, I., Alazab, M., Mahmood, K., Chaudhry, S.A., Zikria, Y.B.,
2021. A secure and lightweight authentication scheme for next generation IoT
infrastructure. Comput. Commun. 165, 85–96.
Renuka, K.M., Kumari, S., Zhao, D., Li, L., 2019. Design of a secure password-based
authentication scheme for M2M networks in IoT enabled cyber-physical sys-
tems. IEEE Access 7, 51014–51027.
Romdhani, I., Qasem, M., Al-Dubai, A.Y., Ghaleb, B., 2016. Cooja simulator manual.
Edinburgh Napier University.
Roopak, M., Tian, G.Y., Chambers, J., 2020. Multi-objective-based feature selection
for DDoS attack detection in IoT networks. Synth. Charact. Theory Polym. Netw.
Gels Proc. Am. Chem. Soc. Div. Polym. Mater. Sci. Eng. Symp. 9 (3), 120–127.
Roy, S., Chatterjee, S., Das, A.K., Chattopadhyay, S., Kumari, S., Jo, M., 2017. Chaotic
map-based anonymous user authentication scheme with user biometrics and
fuzzy extractor for crowdsourcing Internet of Things. IEEE Internet Things J 5
(4), 2884–2895.
Rufi, A.W., 2006. Network security 1 and 2 companion guide. Cisco Systems 10.
Sahoo, S.S., Mohanty, S., Majhi, B., 2021. A secure three factor based authentication
scheme for health care systems using IoT enabled devices. J. Ambient Intell. Hu-
maniz. Comput. 12 (1), 1419–1434.
Samaila, M.G., Neto, M., Fernandes, D.A., Freire, M.M., Inacio, P.R., 2018. Challenges
of securing Internet of Things devices: a survey. Security and Privacy 1 (2), e20.
Saqib, M., Jasra, B., Moon, A.H., 2020a. A Systematized Security and Communica-
tion Protocols Stack Review for Internet of Things. In: 2020 IEEE International
Conference for Innovation in Technology (INOCON). IEEE, pp. 1–9.
Saqib, M., Jasra, B., Moon, A.H., 2020b. Mutual Authentication Protocol for Green
Internet of Things in Content Centric Network. Int. J. Green Nanotechnol. 10,
4896–4909.
Saqib, M., Jasra, B., Moon, A.H., 2021. A lightweight three factor authentication
framework for IoT based critical applications. J. King Saud. Univ.-Comp. Inform.
Sci.
Sarkar, C., Nambi, S.N., A., Prasad, R., Rahim, A., Neisse, R., Baldini, G., 2015. DIAT:
a Scalable Distributed Architecture for IoT. IEEE Internet Things J 2 (3), 230–
239.
Satria, D., Alanda, A., Erianda, A., Prayama, D., 2018. Network security assessment
using internal network penetration testing methodology. JOIV Int. J. Inform. Vi-
sual. 2 (4–2), 360–365.
Schiller, E., Aidoo, A., Fuhrer, J., Stahl, J., Ziörjen, M., Stiller, B., 2022. Landscape of
IoT security. Comp. Sci. Rev. 44, 100467.
Selinis, I., 2014. Performance Study of 802.11 n WLAN and MAC Enhancements in
ns-3. University of Piraeus.
Shah, T., Venkatesan, S., 2018. Authentication of IoT device and IoT server using se-
cure vaults. In: 2018 17th IEEE International Conference on Trust, Security and
Privacy in Computing and Communications/12th IEEE International Conference
on Big Data Science and Engineering (TrustCom/BigDataSE). IEEE, pp. 819–824.
Shang, W., Yu, Y., Droms, R., Zhang, L., 2016. Challenges in IoT networking via TCP/IP
architecture. NDN Project.
26
Computers & Security 125 (2023) 103053
Shilpa, V., Vidya, A., Pattar, S., 2022. MQTT based Secure Transport Layer Commu-
nication for Mutual Authentication in IoT Network. In: Global Transitions Pro-
ceedings.
Shnayder, V., Hempstead, M., Chen, B.R., Allen, G.W., Welsh, M., 2004. Simulating
the power consumption of large-scale sensor network applications. In: Proceed-
ings of the 2nd international conference on Embedded networked sensor sys-
tems, pp. 188–200.
Shuai, M., Yu, N., Wang, H., Xiong, L., 2019. Anonymous authentication scheme
for smart home environment with provable security. Comp. Secur. 86, 132–
146.
Shunmuganathan, S., Saravanan, R.D., Palanichamy, Y., 2015. Secure and efficient
smart-card-based remote user authentication scheme for multiserver environ-
ment. Can. J. Electr. Comput. Eng. 38 (1), 20–30.
Sicari, S., Rizzardi, A., Grieco, L.A., Coen-Porisini, A., 2015. Security, privacy and trust
in Internet of Things: the road ahead. Comput. Netw. Chem. Lab. Symp. 76,
146–164.
Sierra, J.M., Hernández, J.C., Alcaide, A., Torres, J., 2004. Validating the Use of BAN
LOGIC. In: International Conference on Computational Science and Its Applica-
tions. Springer, Berlin, Heidelberg, pp. 851–858.
Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., Wu, Q., 2014. AVOIDIT: a cyber-at-
tack taxonomy. In: 9th Annual Symposium on Information Assurance (ASIA’14),
pp. 2–12.
Singh, M., Rajan, M.A., Shivraj, V.L., Balamuralidhar, P., 2015. Secure mqtt for Inter-
net of things (iot). In: 2015 fifth international conference on communication
systems and network technologies. IEEE, pp. 746–751.
Sosa-Reyna, C.M., Tello-Leal, E., Lara-Alabazares, D., 2018. Methodology for the mod-
el-driven development of service-oriented IoT applications. J. Syst. Archit. 90,
15–22.
Strategy Analytics: Internet of Things Now Numbers 22 Billion Devices But
Where Is The Revenue? [online] Businesswire.com. Available at: https://www.
businesswire.com/news/home/201905160 0570 0/en/Strategy- Analytics- Internet-
Things- Numbers- 22- Billion [Accessed 19 April 2022].
Sureshkumar, V., Amin, R., Obaidat, M.S., Karthikeyan, I., 2020. An enhanced mutual
authentication and key establishment protocol for TMIS using chaotic map. J.
Inform. Secur. Appl. 53, 102539.
Tan, H., Tsudik, G., Jha, S., 2017. MTRA: multiple-tier remote attestation in IoT net-
works. In: 2017 IEEE Conference on Communications and Network Security
(CNS). IEEE, pp. 1–9.
Tang, F., Guo, M., Dong, M., Li, M., Guan, H., 2008. Towards context-aware workflow
management for ubiquitous computing. In: 2008 International Conference on
Embedded Software and Systems. IEEE, pp. 221–228.
Tewari, A., Gupta, B.B., 2020. Security, privacy and trust of different layers in Inter-
net-of-Things (IoTs) framework. Future Gen. Comp. Syst. 108, 909–920.
Thakur, B.S., Chaudhary, S., 2013. Content sniffing attack detection in client and
server side: a survey. Int. J. Adv. Comp. Res. 3 (2), 7.
Tokognon, C.J.A., Gao, B, 2017. Senior Member, IEEE, Gui Yun Tian, Senior Member,
IEEE, and Yan Yan. IEEE Internet Things J. 4 (3).
Trappe, W., Howard, R., Moore, R.S., 2015. Low-energy security: limits and opportu-
nities in the internet of things. IEEE Secur. Priv. 13 (1), 14–21.
Turkanović, M., Brumen, B., Hölbl, M., 2014. A novel user authentication and key
agreement scheme for heterogeneous ad hoc wireless sensor networks, based
on the Internet of Things notion. Ad Hoc Netw 20, 96–112.
Umadevi, V., Chezhian, R., Khan, Z.U., 2012. Security requirements in mobile ad-hoc
networks. Int. J. Adv. Res. Comput. Commun. 1 (2).
Vaidya, B., Makrakis, D., Mouftah, H.T., 2011. Device authentication mechanism for
smart energy home area networks. In: 2011 IEEE international conference on
consumer electronics (ICCE). IEEE, pp. 787–788.
Vigano, L., 2006. Automated security protocol analysis with the AVISPA tool. Elec-
tron. Notes Theor. Comput. Sci. 155, 61–86.
Vinoth, R., Deborah, L.J., Vijayakumar, P., Kumar, N., 2020. Secure multi-factor Au-
thenticated key agreement scheme for industrial IoT. IEEE Internet Things J 8
(5), 3801–3811.
Wang, N., Jiang, T., Lv, S., Xiao, L., 2017. Physical-Layer Authentication Based on Ex-
treme Learning Machine. IEEE Commun. Lett. 21 (7), 1557–1560.
Wang, J., Yang, Y., Wang, T., Sherratt, R.S., Zhang, J., 2020a. Big data service architec-
ture: a survey. J. Internet Tech. 21 (2), 393–405.
Wang, J., Chen, W., Wang, L., Sherratt, R.S., Alfarraj, O., Tolba, A., 2020b. Data secure
storage mechanism of sensor networks based on blockchain. CMC-Comp. Mater.
Continua. 65 (3), 2365–2384.
Wazid, M., Das, A.K., Odelu, V., Kumar, N., Susilo, W., 2017a. Secure remote user
authenticated key establishment protocol for smart home environment. IEEE
Trans. Depend. Secure Comput. 17 (2), 391–406.
Wazid, M., Das, A.K., Odelu, V., Kumar, N., Conti, M., Jo, M., 2017b. Design of secure
user authenticated key management protocol for generic IoT networks. IEEE In-
ternet Things J 5 (1), 269–282.
Wazid, M., Das, A., Odelu, V., Kumar, N., Conti, M., Jo, M., 2018. Design of Secure
User Authenticated Key Management Protocol for Generic IoT Networks. IEEE
Internet Things J 5 (1), 269–282.
Whitmore, A., Agarwal, A., Da Xu, L., 2014. The Internet of Things—A survey of topics
and trends. Inform. Syst. Front. 17 (2), 261–274.
Wu, D., Hu, G., Ni, G., 2008. Research and improve on secure routing protocols in
wireless sensor networks. In: 2008 4th IEEE International Conference on Cir-
cuits and Systems for Communications. IEEE, pp. 853–856.
Wu, T.Y., Wang, T., Lee, Y.Q., Zheng, W., Kumari, S., Kumar, S., 2021. Improved au-
thenticated key agreement scheme for fog-driven IoT healthcare system. Secur.
Commun. Netw. 2021.
M. Saqib and A.H. Moon
Xue, K., Ma, C., Hong, P., Ding, R., 2013. A temporal-credential-based mutual au-
thentication and key agreement scheme for wireless sensor networks. J. Netw.
Comput. Appl. 36 (1), 316–323.
Yampolskiy, M., Horvath, P., Koutsoukos, X.D., Xue, Y., Sztipanovits, J., 2013. Tax-
onomy for description of cross-domain attacks on CPS. In: Proceedings of the
2nd ACM international conference on High confidence networked systems,
pp. 135–142.
Yang, J., Lin, Y., Fu, Y., Xue, X., Chen, B.A., 2017. A small area and low power true
random number generator using write speed variation of oxide based RRAM for
IoT security application. In: 2017 IEEE international symposium on circuits and
systems (ISCAS). IEEE, pp. 1–4.
Yang, S.K., Shiue, Y.M., Su, Z.Y., Liu, I.H., Liu, C.G., 2020. An authentication
information exchange scheme in WSN for IoT applications. IEEE Access 8,
9728–9738.
Yeh, H.L., Chen, T.H., Liu, P.C., Kim, T.H., Wei, H.W., 2011. A secured authentication
protocol for wireless sensor networks using elliptic curves cryptography. Sen-
sors 11 (5), 4767–4779.
Yu, B., Li, H., 2019. Anonymous authentication key agreement scheme with pair-
ing-based cryptography for home-based multi-sensor Internet of Things. Int. J.
Distrib. Sens. Netw. 15 (9), 1550147719879379.
Yu, S., Jho, N., Park, Y., 2021. Lightweight three-factor-based privacy-preserv-
ing authentication scheme for IoT-enabled smart Homes. IEEE Access 9,
126186–126197.
Zeng, X., Garg, S.K., Strazdins, P., Jayaraman, P.P., Georgakopoulos, D., Ranjan, R.,
2017. IOTSim: a simulator for analysing IoT applications. J. Syst. Archit. 72,
93–107.
27
Computers & Security 125 (2023) 103053
Zhang, W., Qu, B., 2013. Security architecture of the Internet of Things oriented to
perceptual layer. Int. J. Comp. Consum. Control (IJ3C) 2 (2), 37–45.
Zhang, J., Tian, G.Y., Marindra, A.M., Sunny, A.I., Zhao, A.B., 2017. A review of passive
RFID tag antenna-based sensors and systems for structural health monitoring
applications. Sensors 17 (2), 265.
Zhang, J., Zhong, S., Wang, T., Chao, H.C., Wang, J., 2020. Blockchain-based systems
and applications: a survey. J. Internet Tech. 21 (1), 1–14.
Zhao, K., Ge, L., 2013. A survey on the internet of things security. In: 2013
Ninth international conference on computational intelligence and security. IEEE,
pp. 663–667.
Zhao, Y., Li, S., Jiang, L., 2018. Secure and Efficient User Authentication Scheme
Based on Password and Smart Card for Multiserver Environment. Secur. Com-
mun. Netw. 1–13 2018.
Zhou, Y., Liu, T., Tang, F., Wang, F., Tinashe, M., 2019. A privacy-preserving authenti-
cation and key agreement scheme with deniability for IoT. Electronics (Basel) 8
(4), 450.
Zhu, B., Joseph, A., Sastry, S., 2011. A taxonomy of cyber-attacks on SCADA sys-
tems. In: 2011 International conference on internet of things and 4th inter-
national conference on cyber, physical and social computing. IEEE, pp. 380–
388.
Manasha Saqib has received her B.E in Computer Science Engineering from Univer-
sity of Kashmir in 2014 and M.Tech from Jamia Hamdard in 2017. She is currently
pursuing her Ph.D from Islamic University of Science Technology. Her research in-
terest includes Internet of Things, Network Security and Cryptography.