SUACC-IoT: secure unified authentication and access control system based on capability for IoT

With the widespread use of Internet of Things (IoT) in various applications and several security vulnerabilities reported in them, the security requirements have become an integral part of an IoT system. Authentication and access control are the two principal security requirements for ensuring authorized and restricted accesses to limited and essential resources in IoT. The built-in authentication mechanism in IoT devices is not reliable, because several security vulnerabilities are revealed in the firmware implementation of authentication protocols in IoT. On the other hand, the current authentication approaches for IoT that are not firmware are vulnerable to some security attacks prevalent in IoT. Moreover, the recent access control approaches for IoT have limitations in context-awareness, scalability, interoperability, and security. To mitigate these limitations, there is a need for a robust authentication and access control system to safeguard the rapidly growing number of IoT devices. Consequently, in this paper, we propose a new secure unified authentication and access control system for IoT, called SUACC-IoT. The proposed system is based around the notion of capability, where a capability is considered as a token containing the access rights for authorized entities in the network. In the proposed system, the capability token is used to ensure authorized and controlled access to limited resources in IoT. The system uses only lightweight Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), symmetric key encryption/decryption, message authentication code and cryptographic hash primitives. SUACC-IoT is proved to be secure against probabilistic polynomial-time adversaries and various attacks prevalent in IoT. The experimental results demonstrate that the proposed protocol’s maximum CPU usage is 29.35%, maximum memory usage is 2.79% and computational overhead is 744.5 ms which are quite acceptable. 
Additionally, in SUACC-IoT, a reasonable communication cost of 872 bits is incurred for the longest message exchanged.


Introduction
The recent years witnessed the widespread use of the Internet of Things (IoT) paradigm in many applications such as smart home, smart healthcare, smart grid, smart transport, smart logistics, supply chain in industries, and so on. A study reveals that the number of IoT devices worldwide would be more than 75 billion by the year 2025 [1]. Meanwhile, various security attacks are reported in the IoT devices of different applications [2,3]. Thus, security in the field of IoT is an indispensable and crucial requirement. Authentication and access control are the two main security requirements to ensure authorized and restricted accesses to limited and pivotal resources in IoT. In an attempt to partially fulfill these requirements, some IoT device manufacturers made IoT device products with a built-in authentication mechanism. However, several security vulnerabilities are disclosed in the firmware implementation of authentication in IoT, such as weak, guessable, or hardcoded passwords leading to unauthorized access, insecure ecosystem interfaces resulting in lack of authentication/authorization or weak encryption (broken authentication), lack of firmware validation on the device, insecure network services, insecure default settings that may allow the operators to modify the configurations, and so on [4]. Hence, the built-in authentication mechanism in IoT devices is not reliable. On the other hand, the current authentication approaches for IoT [2,3,5-10] which are not firmware are also vulnerable to certain security attacks among the prevalent ones, namely Man-in-the-Middle (MITM), replay, traceability, session-key computation, secret disclosure, impersonation, gateway bypass, Denial-of-Service (DoS), and dictionary attacks in IoT. Moreover, some present access control approaches for IoT [11,12] show limitations in terms of context-awareness, scalability, interoperability, and security. 
Therefore, there is a need for a robust authentication and access control system to safeguard the fast growing number of IoT devices.
In this paper, we propose a secure, unified authentication and access control system based on capability for IoT, called SUACC-IoT. The system is based on the concept of capability token which holds the access rights granted to the entity holding it. In the proposed system, the capability token is generated in the authentication stage. The generated token is used in mutual authentication and access control to ensure authorized and restricted access to limited resources in IoT. The system uses only lightweight Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) performed using a highly performance optimized and fast elliptic curve, symmetric encryption/decryption, message authentication code and cryptographic hash primitives.
The proposed SUACC-IoT can be applied in a cloud-enabled IoT healthcare system, where the health-related information collected from smart IoT devices (wearable devices) is typically outsourced to the cloud in order to facilitate the timely sharing of health information with the healthcare service providers as well as the medical practitioners [13,14]. Data security and privacy are very important in such an environment, as the health-related information is confidential and private. In addition, there are challenges in handling the expensive computational time and energy consumption of the resource-limited IoT wearable devices that are deployed on the patient and doctor side in a smart healthcare system [15]. To handle these issues, we have applied capability tokens that can be used in mutual authentication and access control in order to ensure authorized and restricted access to the limited resources in an IoT-enabled healthcare system.

Research contributions
Various security vulnerabilities are reported in the built-in authentication mechanism in IoT devices, such as weak, guessable, or hardcoded passwords, insecure ecosystem interfaces, lack of firmware validation on the device, insecure network services, insecure default settings, and so forth [4]. Hence, the built-in mechanism is not reliable. For instance, recent IoT smart devices, such as fitness trackers and smartwatches, often rely on ''Bluetooth Low Energy (BLE)'' for transmission of the data. Wang et al. [16] designed the BlueDoor method that can obtain illegal information from IoT smart devices via the BLE vulnerability. Michalevsky et al. [17] suggested some applications for the purpose of cryptographic secret handshakes among mobile devices on top of ''Bluetooth Low-Energy (LE)''. The present authentication approaches for IoT [2,3,5-10] that are not firmware are vulnerable to some security attacks among the prevalent ones, viz., MITM, replay, traceability, session-key computation, secret disclosure, impersonation, gateway bypass, DoS, and dictionary attacks in IoT. Some recent access control approaches for IoT [11,12] show limitations in terms of context-awareness, scalability, interoperability, and security.
The following are the major contributions of this research work:
- We propose a secure unified authentication and access control system based on capability for IoT, called SUACC-IoT, to address the limitations in the current authentication and access control approaches.
- We assess the security strength of the proposed protocol against computationally bounded probabilistic polynomial-time (PPT) adversaries using the universal Real-Or-Random (ROR) model [18].
- We carry out the security analysis of the proposed protocol for various attack vectors predominant in IoT, namely MITM, replay, traceability, session key computation, secret disclosure, device impersonation, gateway impersonation, gateway bypass, offline dictionary, and DoS, using the widely accepted Scyther automated software validation tool [19] and by intuitive reasoning.
- We also evaluate the proposed protocol for key performance parameters, namely CPU usage, memory usage, computational overhead and communication cost, in our IoT testbed involving Raspberry Pi.

Structure of the paper
The remainder of the paper is structured as follows: The closely related authentication and access control schemes are discussed in Sect. 2. The network model of the proposed protocol is presented in Sect. 3. The proposed system, SUACC-IoT, is discussed in detail in Sect. 4. The security strength of the proposed system to PPT adversaries and multiple attack vectors in IoT is demonstrated in Sect. 5. The performance/features of the proposed system are compared with the closely related existing schemes in Sect. 6. Section 7 concludes the paper.

Related work
In this section, the authentication and access control schemes that are closely related to our work are discussed. A ''user authentication scheme for multi-gateway Wireless Sensor Network (WSN)'' was presented by Srinivas et al. [5]. Their scheme offers mutual authentication and key agreement. It is secure against MITM, replay, session key computation, traceability, device impersonation, gateway node impersonation, offline dictionary, and DoS attacks. It also supports anonymity. However, it is vulnerable to secret disclosure, and gateway bypass attacks. Also, it requires offline device registration with a system administrator which introduces some security threats.
Aman et al. [6] designed a ''mutual authentication protocol for IoT using Physical Unclonable Functions (PUF)''. It enables secret key establishment among the IoT devices. Their scheme is resistant to eavesdropping, replay, MITM, tampering, secret disclosure, and cloning attacks. However, it does not analyze anonymity, traceability, session key computation, gateway impersonation and bypass, offline dictionary, and DoS attacks.
Alotaibi [7] devised an ''anonymous user authentication scheme for WSN''. The scheme provides key agreement along with mutual authentication. It supports security features like user anonymity and resistance to replay, MITM, session key computation, user impersonation, gateway impersonation, and DoS attacks. But, traceability, secret disclosure, gateway bypass, and offline dictionary attacks are not examined. Also, the scheme requires additional hardware since biometrics are used in user authentication.
Gope et al. [8] introduced a ''privacy-preserving two-factor authentication scheme'' for IoT devices. The scheme considers PUFs as one of the authentication factors. The scheme provides security features such as support for anonymity and resilience to replay, tampering, traceability, secret disclosure, cloning, and impersonation attacks. But, MITM, session key computation, gateway impersonation and bypass, offline dictionary and DoS attacks are not investigated in the work.
A ''lightweight and secure authentication scheme for IoT'' was presented by Adeel et al. [9]. Their scheme provides mutual authentication and session key agreement. It is resistant to replay, MITM, session key computation, forgery, impersonation, and DoS attacks. However, it is vulnerable to traceability, secret disclosure, gateway impersonation and bypass, and offline dictionary attacks. Also, offline device registration with an authentication server is required in the scheme which poses security threats.
Aghili et al. [2] designed a ''lightweight authentication, access control and access permissions transfer scheme for the e-health systems in IoT''. It supports anonymity and exhibits resilience to MITM, replay, traceability, session key computation, impersonation, offline dictionary, and DoS attacks. But, it is not secure against secret disclosure, and gateway impersonation and bypass attacks. Their scheme's access permission transfer phase lacks scalability.
Feng et al. [20] pointed out that the serial computing mode is the primary concern for ''slow decryption speed of the outsourced decryption'' as well as the ''parallel computing mode of outsourced decryption''. To mitigate these issues, they designed an attribute-based encryption (ABE) model that relies on the parallel outsourced decryption for edge intelligent Internet of Vehicles (IoV) paradigm. Their scheme is suitable for all the ABE schemes with the tree access structures. Yin et al. [21] proposed a method for hybrid privacy preservation which is based on both the ''functional encryption'' and ''Bayesian differential privacy'' techniques. For the federated learning, they suggested a new function that can ensure that the server cannot extract the gradient parameters of each user's local training model as well as the weights of users' datasets. Moreover, they applied a local quantification mechanism for privacy loss in Bayesian differential privacy, that can permit the users to adapt the privacy budget based on the ''data distribution of the datasets''.
Bao et al. [22] suggested an intrusion-resilient server-aided attribute-based signature (ABS) scheme for an industrial IoT environment. In their approach, an adversary cannot forge a legitimate signature of the previous and future time periods even if both the helper device and the server are compromised by the adversary.
Mohajer et al. [23] suggested a reputation-based routing protocol that is based on a Connected Dominating Set (CDS) for mobile ad-hoc networks (MANETs). They also suggested a weight heuristic that can be applied to each node in a MANET in order to choose the CDS based on the reputation value. It helps in achieving the detection of selective forwarders.
Kumar et al. [24] designed an energy efficient smart building architecture using the IoT technology. In their approach, the ''Datagram Transport Layer Protection (DTLS)'' and ''Secure Hash Algorithm (SHA-256)'' are integrated along with the optimizations from the ''Certificate Authority (CA)'' for improving security of their proposed architecture.
A ''user authenticated key establishment protocol for smart home environment'' was introduced by Wazid et al. [3]. Their scheme offers both mutual authentication and key agreement. The scheme provides support for anonymity and security against MITM, replay, traceability, session key computation, user and device impersonation, gateway impersonation, gateway bypass, and offline dictionary attacks. But, it does not investigate secret disclosure and DoS attacks. The scheme assumes the gateway node is fully trusted and compromise of this node would compromise everything. Moreover, the scheme requires the devices to do offline registration with a registration authority which invites further security threats. Kim et al. [10] also designed an ''authentication scheme based on lightweight signcryption protocol for IoT environment''. It is resistant to MITM, replay, session key computation, and impersonation attacks. However, traceability, anonymity, secret disclosure, gateway, offline dictionary, and DoS attacks are not studied in the scheme.
Kurniawan and Kyas [25] proposed a trust-based access control mechanism based on Bayesian decision theory for a large-scale IoT environment. Their mechanism is applied for access control in an uncertain environment where the identities are not known a priori. Imani and Ghoreishi [26] suggested a framework that relies on the combination of a graphical model, ''Bayesian optimization'', and the ''mean objective cost of uncertainty (MOCU)''. Their proposed framework satisfies scalability, fast decision making as well as efficiency.
Xu et al. [11] proposed a ''capability-based access control framework for federated IoT environment''. The framework considers two IoT domains. The framework is lightweight, context-aware, and fine-grained. However, it is not scalable because there is only one coordinator who creates the capability token for all the devices in a particular IoT domain. Besides, interoperability and security are not examined in the framework. An attribute-based access control scheme using blockchain for IoT was presented by Yang et al. [12]. The scheme is context-aware, fine-grained, scalable, and secure. However, interoperability between the different parties in the system model is not examined.
Bao et al. [15] devised a ''secure and lightweight fine-grained searchable data sharing for IoT-oriented and cloud-assisted smart healthcare system''. The scheme realizes fine-grained access control and ciphertext search concurrently. It significantly reduces the computational time of IoT devices on the data user and patient side. The scheme's security is formally analyzed. Other authentication schemes in IoT-related environments have also been suggested in [27,28].
The above discussion demonstrates that many authentication approaches in the literature are vulnerable to some security attacks among the prevalent ones, namely MITM, replay, traceability, session-key computation, secret disclosure, impersonation, gateway bypass, DoS, and dictionary attacks in IoT. The recent access control approaches have limitations in context-awareness, scalability, interoperability, and security. Thus, there is a need for a robust authentication and access control system that safeguards the rapidly growing number of IoT devices. This has motivated us to design a secure unified authentication and access control system that fulfills the aforesaid criteria in this research work.

Network model
The proposed system's network model is depicted in Fig. 1. It presents an IoT environment where a device such as a clinical smartphone wants to access a resource, for instance the file containing the readings of a patient's biological parameter, in a healthcare device such as a glucometer, heart rate monitor, blood pressure monitor or spirometer, in order to present the patient's health status to the physician for necessary action. The communication between the clinical smartphone and the healthcare device happens via the gateway node. The gateway node acts as the protocol bridge to ensure protocol compatibility across the devices. Thus, the gateway node takes the responsibility of ensuring device interoperability. As the major step to achieve the necessary security level, the two devices (clinical smartphone and healthcare device) and the gateway node undergo mutual authentication. Two types of mutual authentication take place: 1) between a device and the gateway node and 2) between the devices. The device (clinical smartphone) requests access to the resource in the healthcare device. The healthcare device then grants or denies access based on the access control rule.

Proposed SUACC-IoT system
In this section, the proposed authentication and access control system based on capability for IoT environment, SUACC-IoT, is presented. The system is based on the concept of capability token which holds the access rights granted to the entity holding it. In the proposed system, the capability token is generated in the authentication stage. The generated token is used in mutual authentication and access control to ensure authorized and restricted access to limited resources in IoT. The system uses only ECDHE performed using a highly performance optimized and fast elliptic curve, symmetric encryption/decryption, message authentication code and cryptographic hash primitives. The proposed protocol is split into three stages: (1) setup, (2) authentication, and (3) access control. Table 1 provides the description for the notations used in the protocol.

Setup phase
In this stage, the device D1 and gateway node GWN agree upon a secret key $dk_1$ using lightweight ECDHE, which they use in the authentication stage. Similarly, the device D2 and GWN agree upon a secret key $dk_2$. In the proposed system, GWN stores several secrets and sensitive information. Hence, GWN is equipped with a tamper-proof device so that all the sensitive information stored in its secure database is protected from the adversary.
- Step 1. The participating entities D1, GWN, and D2 generate their Elliptic Curve Cryptography (ECC) private and public keys $\{prk_{D1}, puk_{D1}\}$, $\{prk_{GWN}, puk_{GWN}\}$, and $\{prk_{D2}, puk_{D2}\}$ using a highly performance-optimized, fast, and safe elliptic curve. These keys are ephemeral keys generated freshly in every key exchange. D1 and GWN exchange their public keys $puk_{D1}$ and $puk_{GWN}$. In the same way, GWN and D2 exchange their public keys $puk_{GWN}$ and $puk_{D2}$. This is the only instance in the proposed protocol where the messages are exchanged through secure channels (established using the Transport Layer Security (TLS) protocol) to prevent possible MITM attacks. This is acceptable because the setup phase is a one-time process. However, the remaining messages in the proposed protocol are exchanged via open channels. In this manner, the proposed protocol makes very limited use of TLS.
- Step 2. D1 and GWN individually compute the shared secret key $s_1$ as $s_1 = prk_{D1} \times puk_{GWN}$ and $s_1 = prk_{GWN} \times puk_{D1}$. In a similar manner, GWN and D2 independently compute the shared secret key $s_2$.
- Step 3. Subsequently, D1 and GWN independently derive another key, $dk_1$, from $s_1$ via $dk_1 = h(s_1, puk_{D1}, puk_{GWN})$. GWN and D2 individually derive the key $dk_2$ from $s_2$ through $dk_2 = h(s_2, puk_{GWN}, puk_{D2})$. The keys $dk_1$ and $dk_2$ are used in the authentication process of D1, GWN, and D2.
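The setup phase as a runnable example, added here and not taken from the paper: each party generates an ephemeral key pair, the device and GWN compute $s_1$ from their own private key and the peer's public key, and both derive $dk_1 = h(s_1, puk_{D1}, puk_{GWN})$. It assumes X25519 as the unnamed "fast and safe" curve and SHA-256 as $h$, and it also shows the check a device must make on the peer's public key (Go's ECDH rejects low-order points).

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Party is one participant (D1, GWN or D2) holding the ephemeral ECC key
// pair {pr_k, pu_k} it generated for this setup run.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair. X25519 is an assumption; the
// paper only describes the curve as highly performance-optimized, fast and safe.
func NewParty(name string) (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

// Public returns the encoded pu_k that is sent to the peer over the TLS channel.
func (p *Party) Public() []byte { return p.priv.PublicKey().Bytes() }

// DeriveDK computes s = pr_k(self) x pu_k(peer) and then
// dk = h(s, pu_k_device, pu_k_gwn), with SHA-256 standing in for h. The two
// public keys are always hashed in the order (device, GWN) so that both sides
// of the exchange hash exactly the same byte string.
func (p *Party) DeriveDK(peerPub, devicePub, gwnPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, fmt.Errorf("%s: bad peer public key: %w", p.Name, err)
	}
	// ECDH fails for low-order points (all-zero shared secret). A device that
	// ignored this error would derive a dk the sender of that point can predict.
	s, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, fmt.Errorf("%s: ECDH failed: %w", p.Name, err)
	}
	h := sha256.New()
	h.Write(s)
	h.Write(devicePub)
	h.Write(gwnPub)
	return h.Sum(nil), nil
}

// SetupPair runs the setup phase between a device and GWN and returns the dk
// each side computed independently; the two values must be equal.
func SetupPair(device, gwn *Party) (dkDevice, dkGWN []byte, err error) {
	dkDevice, err = device.DeriveDK(gwn.Public(), device.Public(), gwn.Public())
	if err != nil {
		return nil, nil, err
	}
	dkGWN, err = gwn.DeriveDK(device.Public(), device.Public(), gwn.Public())
	if err != nil {
		return nil, nil, err
	}
	return dkDevice, dkGWN, nil
}

func main() {
	d1, _ := NewParty("D1")
	gwn, _ := NewParty("GWN")
	d2, _ := NewParty("D2")
	dk1a, dk1b, err := SetupPair(d1, gwn) // dk_1 on D1 and on GWN
	if err != nil {
		panic(err)
	}
	dk2a, dk2b, err := SetupPair(d2, gwn) // dk_2 on D2 and on GWN
	if err != nil {
		panic(err)
	}
	fmt.Printf("dk1 agreed: %v, dk2 agreed: %v, dk1 != dk2: %v\n",
		bytes.Equal(dk1a, dk1b), bytes.Equal(dk2a, dk2b), !bytes.Equal(dk1a, dk2a))
	// Constructed malicious input: the all-zero X25519 point is low order.
	_, err = d1.DeriveDK(make([]byte, 32), d1.Public(), gwn.Public())
	fmt.Println("low-order peer key rejected:", err != nil)
}
```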

Authentication phase
In this stage, D1 and GWN, D2 and GWN, and eventually D1 and D2 are mutually authenticated. Besides, D1 and D2 establish a session key $sk$ at the end of authentication, as outlined in Figs. 2 and 3. Consider that D1 requests access to resource $r$ in D2.
- Step 1. D1 generates its universally unique identifier $uid_{D1}$ and a random, one-time nonce $g_1$. Universally unique identifiers are used to identify the IoT devices, which are large in number, because they are unique, random and collision-resistant. D1 computes the messages $M1 = E(uid_{D1} \| r, dk_1)$ and $M2 = MAC(dk$

Access control phase
The capability token $Cap_{D1}$ generated in the authentication process is used at this stage to control the access of D1 to resource $r$ of D2. Figure 4 presents the steps in the access control process. The sequence charts in this section are drawn using the msc package [29].
- Step 1. D1 sends GWN the generated $g_5$, a randomly chosen message $msg$ and the computed message $M17 = MAC(sk, msg \| g_5)$ along with $Cap_{D1}$ and $r_A$ to prevent a possible replay attack in this communication. If the verification is successful, D2 checks if the current context $== ctxt$ and the requested access $r_A \in AR$. If this verification also succeeds, the requested access to $r$ is granted to D1.
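Step 1 of the access control phase on D2's side, as an added example that is not the paper's code: D2 verifies $M17 = MAC(sk, msg \| g_5)$, rejects a reused $g_5$, checks its current context against ctxt and checks $r_A \in AR$. It assumes HMAC-SHA256 as the MAC and a simplified capability record (holder, AR, ctxt) that D2 keeps from the authentication phase, since the paper's full token format is not reproduced here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// nonceLen fixes the size of g5 so that msg || g5 splits unambiguously.
const nonceLen = 16

// Capability is an assumed, simplified Cap_D1: holder, access rights AR, context ctxt.
type Capability struct {
	Holder string
	AR     map[string]bool
	Ctxt   string
}

// AccessRequest carries the step 1 values sent by D1: msg, g5, M17, Cap_D1, r_A.
type AccessRequest struct {
	Msg []byte
	G5  []byte
	M17 []byte
	Cap Capability
	RA  string
}

// computeM17 evaluates M17 = MAC(sk, msg || g5) with HMAC-SHA256 as the MAC.
func computeM17(sk, msg, g5 []byte) []byte {
	m := hmac.New(sha256.New, sk)
	m.Write(msg)
	m.Write(g5)
	return m.Sum(nil)
}

// BuildRequest is D1's side: draw a fresh one-time g5 and tag msg || g5 with sk.
func BuildRequest(sk []byte, token Capability, rA string, msg []byte) (AccessRequest, error) {
	g5 := make([]byte, nonceLen)
	if _, err := rand.Read(g5); err != nil {
		return AccessRequest{}, err
	}
	return AccessRequest{Msg: msg, G5: g5, M17: computeM17(sk, msg, g5), Cap: token, RA: rA}, nil
}

// Resource is D2's side: shared sk, current context, the tokens D2 issued
// during authentication, and the nonces already accepted (replay check).
type Resource struct {
	sk      []byte
	context string
	issued  map[string]Capability
	seenG5  map[string]bool
}

func NewResource(sk []byte, context string, issued ...Capability) *Resource {
	r := &Resource{sk: sk, context: context, issued: map[string]Capability{}, seenG5: map[string]bool{}}
	for _, c := range issued {
		r.issued[c.Holder] = c
	}
	return r
}

// Decide applies the access control checks in order: MAC on msg || g5, nonce
// freshness, context == ctxt, r_A in AR. It returns the decision and its reason.
func (r *Resource) Decide(req AccessRequest) (granted bool, reason string) {
	if len(req.G5) != nonceLen {
		return false, "malformed nonce"
	}
	// Constant-time compare; the nonce is recorded only after the MAC verifies.
	if !hmac.Equal(req.M17, computeM17(r.sk, req.Msg, req.G5)) {
		return false, "MAC verification failed"
	}
	if r.seenG5[string(req.G5)] {
		return false, "replayed nonce g5"
	}
	r.seenG5[string(req.G5)] = true
	// Rights and context come from D2's own record of the token it issued.
	tok, known := r.issued[req.Cap.Holder]
	if !known {
		return false, "unknown capability holder"
	}
	if tok.Ctxt != r.context {
		return false, "context mismatch"
	}
	if !tok.AR[req.RA] {
		return false, "requested access not in AR"
	}
	return true, "granted"
}

func main() {
	// Constructed sample values, not taken from the paper.
	sk := []byte("constructed 32-byte session key!")
	token := Capability{Holder: "uid-D1", AR: map[string]bool{"read": true}, Ctxt: "ward-3"}
	d2 := NewResource(sk, "ward-3", token)
	req, _ := BuildRequest(sk, token, "read", []byte("GET readings"))
	fmt.Println(d2.Decide(req)) // true granted
	fmt.Println(d2.Decide(req)) // false replayed nonce g5
}
```

The reason string is what the device's audit log should record, so a denied request can be traced to the exact check it failed.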

Security analysis
In this section, we rigorously analyze the SUACC-IoT system in terms of its security. We perform the formal security analysis using the widely-recognized Real-Or-Random (ROR) random oracle model [18] and the formal security verification using the broadly-accepted automated software validation tool known as the Scyther tool [19]. We also carry out security analysis by intuitive reasoning through non-mathematical (heuristic) approaches. Wang et al. [30] in their seminal work stated that the widely-used formal security methods, such as the ''random oracle model'' and ''Burrows-Abadi-Needham (BAN) logic'' [31], cannot always capture some structural mistakes in the analyzed authentication protocols, and thus ensuring the soundness of authentication protocols still remains an open problem. Due to this, we need to analyze the proposed protocol using all the possible security methods (formal analysis, formal security verification and informal analysis) to show that it is robust against various potential attacks with high probability.

Formal security analysis using ROR model
The security strength of the proposed protocol to computationally bounded PPT adversaries is evaluated in this section using the universal ROR model.

ROR model
In the proposed protocol, there are three participants, namely D1, GWN, and D2.
- Instances: Let $P^{w_1}_{D1}$, $P^{w_2}_{GWN}$, and $P^{w_3}_{D2}$ be the instances of D1, GWN, and D2, respectively. $w_1$, $w_2$, and $w_3$ are called oracles.
- Accepted state: An instance $P^{w}$ is said to be accepted if it goes into an accepted state on receiving the last protocol message. All the messages sent and received by $P^{w}$, concatenated in order, form the session identification (s-id) of $P^{w}$ for the ongoing session.
- Partnering: Two instances $P^{w_1}$ and $P^{w_2}$ are said to be partnered if they meet the following three conditions simultaneously: (i) $P^{w_1}$ and $P^{w_2}$ are in the accepted state, (ii) $P^{w_1}$ and $P^{w_2}$ undergo mutual authentication and share an identical s-id, and (iii) $P^{w_1}$ and $P^{w_2}$ are mutual partners.
- Instance freshness: The instance $P^{w_1}_{D1}$ or $P^{w_3}_{D2}$ is considered fresh if the session key between D1 and D2 is not revealed to A via a $Reveal(P^{w})$ query.
- Adversary: The adversary A is a PPT Turing machine which has the ability to read, modify, intercept, delay and delete the protocol messages, and to fabricate new messages and inject them into the network. In addition, it can ask an instance to reveal the session key. These abilities of A are modeled using a predetermined set of oracles. These oracles are accessible to A and all the participants. They are:
  - Enc: This oracle represents the symmetric key encryption $E(\cdot)$ of the proposed protocol.
  - $Execute(P^{w_1}_{D1}, P^{w_2}_{GWN}, P^{w_3}_{D2})$: This query represents a passive eavesdropping attack on the protocol messages. A runs this query to acquire the messages exchanged between D1, GWN and D2.
  - $Send(P^{w}_{E}, message)$: The Send query models active attacks on the protocol. It sends message to an instance $P^{w}_{E}$. On receiving message, $P^{w}_{E}$ advances as per the specifications of the protocol. Any message generated by $P^{w}_{E}$ is regarded as the output and given to A.
  - $Reveal(P^{w}_{E})$: An instance $P^{w}_{E}$, on receiving this query, reveals to A the session key that it has established with its partner.
  - $TestAKE(P^{w}_{E})$: This query represents the indistinguishability-based semantic security of the session key $sk$ between $P^{w}_{E}$ (D1) and its partner (D2). The TestAKE oracle chooses a value for the random bit $b_r$. If $b_r = 1$, the actual session key is returned as the response to the query; otherwise, a random key chosen from the session key sample space is returned.

Cryptographic preliminaries
The following cryptographic preliminaries are used in the security proof in the subsequent section.
(1) Elliptic Curve Computational Diffie-Hellman Problem (ECCDHP): Let $G$ be an elliptic curve group of prime order $q$ and $Q$ be a base point on the elliptic curve $G$. Let $u$ and $v$ be the private keys of the two communicating parties, chosen randomly from $Z^*_q$, where $Z^*_q$ is the set of non-zero integers modulo $q$. The ECCDHP for $G$, when given two elements $(uQ, vQ) \in G^2$, is to compute the shared secret key, viz., $uvQ \in G$. The advantage of adversary A in finding the solution to the ECCDHP for $G$ is given by $Adv^{ECCDHP}_{G}(A) = P[A(G, Q, uQ, vQ) = uvQ]$. The ECCDHP assumption holds in $G$ if, for all PPT adversaries, $Adv^{ECCDHP}_{G}(A)$ is negligible.

Security proof
In this section, we present the formal security proof for the proposed protocol. The main goal of such a proof is to show that the proposed protocol provides session-key (SK) security against PPT adversaries. If A is a PPT adversary running in polynomial time $t_p$ against the proposed protocol and the advantage (success probability) of A in breaking the proposed protocol in time $t_p$ is negligible, we say that the proposed scheme offers SK-security.
Theorem 1 Let A be a PPT adversary running in polynomial time $t_p$ against the proposed protocol $w$ in the random oracle model. The advantage of A in breaking the security of the proposed authenticated key exchange (AKE) protocol $w$ is $Adv^{AKE}_{w}(t_p)$, bounded by the advantage of A in solving ECCDHP for $G$, the advantage of A in finding a hash collision in $h(\cdot)$, the advantage of A in breaking the IND-CPA security of $X$, the number of Send queries, and the advantage of A in violating the EU-CPA of $D$.
Proof In this proof, we consider a sequence of six games, namely $Game_0$ to $Game_5$. $Game_0$ is the basic game. The other games, viz., $Game_1$, $Game_2$, $Game_3$, $Game_4$, and $Game_5$, are built upon their preceding game(s). Let $success_i$ be the event wherein A succeeds in the game $Game_i$ in choosing the random bit $b_r$ correctly. The difference in the success probabilities between the previous and current games is studied every time.
- $Game_0$: A may ask any oracle queries except the following: i) A is not permitted to ask a $TestAKE(P^{w}_{E})$ query if the instance $P^{w}_{E}$ is no longer fresh, and ii) A is not permitted to ask a $Reveal(P^{w}_{E})$ query if $P^{w}_{E}$ or its partner has already been asked a $TestAKE(P^{w}_{E})$ query. As a result, A produces a random output as its guess for the random bit $b_r$. A succeeds if its random output $== b_r$ chosen by the TestAKE oracle. At this point, A's advantage in breaking the AKE security of $w$ is given by
$Adv^{AKE}_{w}(A) = 2 \cdot P_{w,A}[success_0] - 1 \quad (1)$
- $Game_1$: The first modified game $Game_1$ represents a passive eavesdropping attack wherein A can run the $Execute(P^{w_1}_{D1}, P^{w_2}_{GWN}, P^{w_3}_{D2})$ oracle query. A gets all the messages exchanged between the three participants, viz., $M1, M2, g_1, M5, M6, g_2, M9, M10, Cap_{D1}, g_3, M13, M14, Cap_{D1}, g_4$. However, the session key $sk$ cannot be computed by A because $dk_1, dk_2$ are not known to A, and the identities $uid_{D1}$, $id_{GWN}$, and $uid_{D2}$ therefore cannot be extracted from the acquired messages. Thus, A's probability of succeeding in $Game_1$ is not increased. This is given by,
- $Game_2$: In this game, the computations of $puk_{D1}$ and $puk_{GWN}$ are modified as given below:
  - The simulator picks a random point $Y \in G$.
  - For every fresh instance, the simulator chooses the random secrets $r_1, r_2 \in Z^*_q$ and then sets $puk_{D1} = r_1 Y$, $puk_{GWN} = r_2 Y$. The simulator computes $puk_{D1}$ and $puk_{GWN}$ as in $Game_1$ for the other instances. Due to the modification in the computations of $puk_{D1}$ and $puk_{GWN}$, the simulator is not aware of the ephemeral secrets $prk_{D1}$ and $prk_{GWN}$. Hence, it cannot compute the shared secret $s_1$. Therefore, the simulator cannot compute the secret $dk_1$. In the same manner, when the computations of $puk_{D2}$ and $puk_{GWN}$ are modified, the simulator cannot compute the secrets $s_2$ and $dk_2$. Due to this, it cannot obtain $uid_{D1}, id_{GWN}, uid_{D2}$ and simply sets the session key $sk$ to a random $l$-bit string. The difference in the success probabilities of A between $Game_1$ and $Game_2$ is upper bounded by the equation below.
- $Game_3$: $Game_2$ is modified into $Game_3$ by adding the simulation of the $h$ oracle and the Send query. For a query to the $h$ oracle on a string $x$, the simulator first checks if an entry of the form $(x, str)$ is present in the LList, a list that stores the input-output pairs of the $h$ oracle. If present, the simulator responds to the query with the string $str$. If not present, the simulator responds to the query with a random $l$-bit string $str$ and adds $(x, str)$ to the LList. $Game_3$ models an active attack. In this game, the objective of A is to trick a participant into accepting a modified message. A is permitted to use the Send query and to query the $h$ oracle any number of times for this purpose. A queries the $h$ oracle to find hash collisions. The exchanged messages obtained by A in $Game_1$ as a result of the Execute query include $M1, M2, g_1, M5, M6, g_2, M9, M10, Cap_{D1}, g_3, M13, M14, Cap_{D1}, g_4$. In the case of $Cap_{D1}$, tricking the participant requires finding a hash collision, which is very hard. Besides, $Cap_{D1}$ is used in the messages M10 and M14. Therefore, tricking the participant through these messages is computationally infeasible for A. Hence, the difference in the success probabilities between $Game_2$ and $Game_3$ follows the result of the birthday paradox and is given in terms of $q_{Send}$, $q_h$, and $|h|$, the number of Send queries, the number of $h$ oracle queries and the range space of $h$, respectively. Therefore,
$|P_{w,A}[success_2] - P_{w,A}[success_3]| \le q_{Send} \cdot Adv^{HASH}_{h(\cdot)}(t_p) \quad (4)$
- $Game_4$: Let Forge be an event wherein A forwards a query of the type $Send(P^{w}_{E}, E' \| message)$ such that message holds a MAC forgery. In this game, the objective of A is to output a MAC pair $(msg, d)$ such that $Ver_k(msg, d) = 1$ and this $d$ was not previously output by $Gen_k(msg)$. The secrets $dk_1, dk_2$ are used as MAC keys in $w$. Let $k_n$ denote the number of MAC keys used for the forgery attempt. It is very clear that $k_n \le q_{Send}$. 
The oracles $Gen_k$, $Ver_k$ are accessible to all the participants and to $A$. $A$ begins the game by picking a random key $k_i$ from the space of $k_n$ keys. It then accesses the $Gen_{k_i}$ oracle to generate $d$ for $msg$ and sends the MAC pair $(msg, d)$ to an instance. The process is repeated. If the event Forge occurs against an instance holding the key $k_i$, $A$ declares the MAC pair as its forgery. The most crucial thing for $A$ to win this game is to guess the key correctly. However, guessing a key $k_i$ such that $k_i = dk_1$ or $k_i = dk_2$ is very hard because the shared secrets $s_1, s_2$, which are based on ECDHE, are not known to $A$. As a result, the session key $sk$ cannot be computed. The difference in the success probabilities between Game 3 and Game 4 is given by the equation below.

- Game 5: In this game, the objective of $A$ is to identify the correct plaintext in a plaintext pair for a given ciphertext. $A$ has access to all the oracles of Game 4 in addition to the encryption oracle $Enc$. The indistinguishability game is as follows. For each device, $A$ produces the true identity $uid$ and a random identity $uidr$ as its plaintext pair and forwards it to the challenger. The challenger randomly picks one plaintext from the pair and encrypts it using the $Enc$ oracle. Then, the challenger sends the ciphertext to $A$. $A$ tries to identify the correct plaintext, $uid$ or $uidr$, for the ciphertext. It cannot succeed by mere guessing.
In the proposed protocol, for the ciphertext messages $M1, M5, M9, M13$, $A$ has no choice other than guessing the correct plaintext, due to the use of a stateless symmetric cipher for encryption. As a result, it loses the indistinguishability game. $A$ would not know $uid_{D1}$, $id_{GWN}$, $uid_{D2}$ and hence cannot compute the session key $sk$. Therefore, it just guesses the random bit $b_r$ chosen by the TestAKE oracle. The difference in the success probabilities between Game 4 and the indistinguishability game Game 5 is given by the equation below. All six games are simulated. After querying the TestAKE oracle for the session key $sk$, $A$ has no choice other than guessing the random bit $b_r$ to win the game. Hence, Equation (1) is adjusted to obtain the equation below.
According to the triangle inequality,

$$|P_{w,A}[success_1] - P_{w,A}[success_5]| \le |P_{w,A}[success_1] - P_{w,A}[success_2]| + |P_{w,A}[success_2] - P_{w,A}[success_3]| + |P_{w,A}[success_3] - P_{w,A}[success_4]| + |P_{w,A}[success_4] - P_{w,A}[success_5]|$$

Using Eqs. (3) through (6), we obtain the bound on $|P_{w,A}[success_1] - P_{w,A}[success_5]|$ given in Eq. (10). From Eq. (10), it is evident that the advantage of $A$ in breaking the AKE security of $w$ is negligible. Thus, the proposed protocol is secure against PPT adversaries.

Formal security verification: simulation study using Scyther tool
In this section, the proposed protocol's resilience to different attack vectors in IoT is assessed using the widely accepted automated software validation tool known as Scyther. Through the simulation study using Scyther, we show that the proposed scheme is safe against other types of attacks, such as passive secret disclosure, impersonation, traceability and session key computation attacks. Scyther [19] is a security tool which can be used for verification, falsification, and analysis of security protocols. It uses a pattern refinement algorithm to produce an infinite set of traces. The protocol to be verified is provided to the Scyther tool as a protocol description written in the "Security Protocol Description Language (SPDL)". The protocol description comprises a set of roles. Each role consists of a sequence of events. An event can be the sending or receiving of terms (security parameters).
The entities D1, GWN and D2 communicate with one another in the proposed protocol. They are modeled as the roles D1, GWN and D2, as shown in Figs. 5, 6 and 7, respectively. A role begins with the declaration of the sending and receiving terms, then the exchange of those terms, followed by the security claims. The security claims model the protocol's security properties. These claims are a crucial part of the protocol description; without them, Scyther would not know what is to be verified. Fig. 8 confirms that the roles D1, GWN, and D2 are reachable. This ensures that there is no obvious weakness in the protocol description.
Our claims on role D1 include (i) the key $dk_1$ is secret, (ii) $uid_{D2}$ is secret, (iii) $id_{GWN}$ is secret, (iv) the session key $sk$ is secret, (v) aliveness, and (vi) weak agreement. Secondly, our claims on role GWN comprise (i) $dk_1$ is secret, (ii) the key $dk_2$ is secret, (iii) $uid_{D1}$ is secret, (iv) $uid_{D2}$ is secret, (v) $sk$ is secret, (vi) aliveness, and (vii) weak agreement. Thirdly, our claims on role D2 are (i) $dk_2$ is secret, (ii) $uid_{D1}$ is secret, (iii) $id_{GWN}$ is secret, (iv) $sk$ is secret, (v) aliveness, and (vi) weak agreement. From the Scyther verification results in Fig. 9, we have drawn useful insights, which are summarized in Table 2. Firstly, the keys $dk_1, dk_2$ derived from $s_1, s_2$ are secret. As a result, the passive secret disclosure attack is prevented in the system. Secondly, the system is secure against the impersonation attack because the identities $uid_{D1}$, $id_{GWN}$ and $uid_{D2}$ are declared secret. Thirdly, the system is protected from the traceability attack since no attacks are reported on $uid_{D1}$, $uid_{D2}$; in fact, these identities are freshly generated every time. Lastly, the system is resistant to the session key computation attack since the identities required to compute $sk$ are secret.

Informal security analysis
In this section, we show by intuitive reasoning that the proposed protocol is secure against various attack vectors in the IoT environment. It is worth noting that we follow an informal (non-mathematical, heuristic) security analysis to show that the proposed protocol is secure against other attacks not covered so far in Sects. 5.1 and 5.2.
Proposition 1 SUACC-IoT prevents brute-force attack.

Proof The private keys $prk_{D1}$ and $prk_{GWN}$ of D1 and GWN respectively are of at least $k-1$ bits, where $k$ is large. Now, even if $\gcd(prk_{D1}, prk_{GWN}) = prk_{D1}$, $puk_{GWN}$ cannot be expressed in terms of $puk_{D1}$ by a brute-force approach, where $\gcd(x, y)$ represents the greatest common divisor of two numbers $x$ and $y$. In the same manner, considering D2 and GWN, $puk_{GWN}$ cannot be expressed in terms of $puk_{D2}$ either, even with $\gcd(prk_{D2}, prk_{GWN}) = prk_{D2}$. Thus, brute-force attacks based on the key sizes are prevented in the proposed protocol.
Proposition 2 SUACC-IoT is resilient to man-in-the-middle (MITM) and replay attacks.
Proof Suppose an adversary $A$ intercepts the exchanged messages during the communication among the various entities in the network and tries to modify the messages on the fly, so that the recipients are not aware of the modification and are forced to believe that the messages are genuine. In the authentication stage, if $A$ carries out an active MITM attack such as "intercept and modify" on the exchanged parameters $M1, g_1$; $M5, g_2$; $M9, Cap_{D1}, g_3$; $M13, g_4$, he would not succeed, because the integrity of these parameters is guaranteed by the respective message authentication codes $M2 = \ldots (Cap_{D1} \,\|\, g_4)$, and the adversary would need to know the secret credentials. On the other hand, the replay attack is also prevented by the random one-time nonces $g_1, g_2, g_3, g_4$ and the respective message authentication codes. Likewise, in the access control stage, the replay attack is prevented using the random nonces $g_5$ and $g_6$ and the corresponding message authentication codes. As a result, the proposed protocol resists both replay and MITM attacks.

Proposition 3 SUACC-IoT prevents traceability attack.
Proof The traceability attack is prevented in the system by the use of universally unique identifiers for IoT devices and the dynamic messages created by the entities during the communication. The universally unique identifier is a cryptographically strong, random, and unique identifier, which is collision-resistant. To have a collision with probability 0.5, 2.71 quintillion identifiers would have to be generated, which is computationally infeasible. For these reasons, $uid_{D1}$ and $uid_{D2}$ generated in different sessions are different and unique. Consequently, the capability token $Cap_{D1} = h(uid_{D1}, r, ctxt, AR, Rnd)$ and the MACs $M2, M6, M10, M14$ in different sessions are different. Moreover, in each session, the exchanged messages are dynamic and unique due to the use of random nonces. Therefore, traceability is prevented in the proposed SUACC-IoT.

Proposition 4 SUACC-IoT preserves anonymity property.
Proof During the authentication stage of the proposed SUACC-IoT, the identity of a device, whether $uid_{D1}$ or $uid_{D2}$, is protected by symmetric key encryption under the corresponding key, as $M1 = E(uid_{D1}\,\|\,r, dk_1)$ and $M9 = E(uid_{D2}, dk_2)$. In addition, when a device D2 sends $Cap_{D1}$ to another device D1, $uid_{D1}$ is hidden, as in $Cap_{D1} = h(uid_{D1}, r, ctxt, AR, Rnd)$.
Moreover, when MACs such as $M10$ and $M14$ are sent, $Cap_{D1}$ is hidden; thereby, $uid_{D1}$ is also hidden. During the access control stage of SUACC-IoT, D1 submits $Cap_{D1}$ to D2 to be granted the requested access, where $uid_{D1}$ is hidden. In this way, anonymity is preserved in SUACC-IoT. □

Proposition 5 SUACC-IoT prevents session-key computation attack.
Proof In the proposed SUACC-IoT, the identities $uid_{D1}$, $id_{GWN}$ and $uid_{D2}$ required to compute the session key $sk$ are protected by symmetric key encryption under the corresponding keys $dk_1, dk_2$, as in $M1 = E(uid_{D1}\,\|\,r, dk_1)$. Thus, the session key computation is computationally infeasible for an adversary without knowledge of the secret credentials $dk_1$ and $dk_2$. Hence, the session-key computation attack is prevented in the proposed SUACC-IoT. □

Proposition 6 SUACC-IoT protects the system parameters from passive secret disclosure attack.
Proof If an adversary $A$ eavesdrops on or intercepts the messages during the communication to read the parameters $M1, M5, M9, M13, Cap_{D1}$ contained in the exchanged messages, he would not be able to disclose the secrets of the entities in the network, for the following reasons. Firstly, the adversary would need the permanent (long-term) secrets $dk_1$ and $dk_2$, which are derived from the ECDHE-based keys, to disclose the secrets $uid_{D1}, r, id_{GWN}$ and $uid_{D2}$ in $M1, M5, M9$ and $M13$. Secondly, the secrets contained in $Cap_{D1}$, such as $uid_{D1}, r, ctxt$ and $AR$, cannot be disclosed, because $Cap_{D1}$ uses a collision-resistant one-way cryptographic hash function. Thus, the system parameters are protected from the passive secret disclosure attack in SUACC-IoT due to the hardness of the computational ECDLP and the collision-resistance property of the one-way cryptographic hash function. □

Proposition 7 SUACC-IoT is secure against device impersonation attack.
Proof An impersonation attack allows an adversary to attempt to falsify an unauthenticated message to defraud other recipient parties in the IoT network on behalf of a sending party. In such a scenario, the receiver is forced to believe that the message has come from a genuine entity [32]. Suppose an adversary $A$ intercepts the exchanged messages and obtains $M1, M2, M9, M10, Cap_{D1}$. After that, $A$ tries to create valid $M1', M2', M9', M10', Cap'_{D1}$ on behalf of D1 and D2. In that case, $A$ would be unsuccessful for the following reasons. Firstly, in order to compute valid ciphertexts $M1$ and $M9$, he would need the secrets $uid_{D1}, r, uid_{D2}$ and $dk_1, dk_2$, which are not known to him. Secondly, he would require the unknown (long-term) secret credentials $dk_1$ and $dk_2$ to compute valid MACs such as $M2$ and $M10$. Thirdly, to compute a valid capability token $Cap_{D1}$, he would need $uid_{D1}, r, ctxt, AR, Rnd$, which are not known to $A$. From this discussion, it is clear that without the secret credentials, the adversary $A$ cannot create valid messages on behalf of the IoT devices D1 and D2, nor send messages on their behalf. Thus, SUACC-IoT is secure against device impersonation attack. □

Proof When $A$ accesses a particular resource over and over again in the network, DoS can take place. In the proposed SUACC-IoT, a DoS attack using a single identity is prevented because access to a resource is restricted to only one session at a time per identity. Moreover, even if an adversary mounts replay attacks by sending old messages to the recipients, the adversary cannot consume many resources on the recipient side, owing to the lightweight cryptographic primitives used in the proposed SUACC-IoT. Thus, the DoS attack is resisted in the proposed SUACC-IoT. □

Proposition 11 SUACC-IoT is resilient to dictionary attacks.
Proof Suppose an adversary $A$ carries out a dictionary attack to determine the decryption keys $dk_1$ and $dk_2$ so as to decipher the ciphertexts in the system (for example, the parameters $M1, M5, M9$ and $M13$). However, $A$ would not be successful, because the secret keys $dk_1$ and $dk_2$ are derived from the shared secrets $s_1$ and $s_2$ generated using ECDHE. Besides, the stateless Cipher Block Chaining (CBC) mode of the applied symmetric cipher is used for symmetric key encryption operations in the system, as in [3]. Hence, SUACC-IoT is resilient to dictionary attacks due to the hardness of the computational ECDLP and the "indistinguishability under chosen plaintext attack (IND-CPA) security" of the stateless CBC mode of the symmetric cipher. □
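The token, MAC and nonce checks argued in Propositions 2, 3, 4 and 7, as an added example that is not the paper's implementation: SHA-256 realizes $h$, HMAC-SHA256 stands in for the paper's AES CBC-MAC (so a tag is 256 bits rather than 128), a UUID4 is the random universally unique identifier, and the length-prefixed field encoding, the `Verifier` class and every sample value are assumptions.

```python
"""Capability token issue/verify flow (added example, not the paper's code)."""
import hashlib
import hmac
import math
import secrets
import uuid


def encode(*fields: bytes) -> bytes:
    """Length-prefix each field so a||b cannot be re-split as a'||b'."""
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def issue_capability(uid: bytes, r: bytes, ctxt: bytes, ar: bytes, rnd: bytes) -> bytes:
    """Cap_D1 = h(uid_D1, r, ctxt, AR, Rnd): the digest hides uid_D1 (Proposition 4)."""
    return hashlib.sha256(encode(uid, r, ctxt, ar, rnd)).digest()


def mac_message(dk: bytes, cap: bytes, nonce: bytes) -> bytes:
    """Tag in the style of M10/M14 over Cap_D1 || nonce under dk (HMAC stand-in)."""
    return hmac.new(dk, encode(cap, nonce), hashlib.sha256).digest()


class Verifier:
    """Receiving device: MAC integrity (Prop. 2, 7), nonce freshness (Prop. 2),
    and the access decision on a token the device issued itself (assumed design)."""

    def __init__(self, dk: bytes):
        self.dk = dk
        self.seen_nonces = set()
        self.issued = {}  # cap -> (ctxt, set of access rights)

    def issue(self, uid: bytes, r: bytes, ctxt: bytes, rights: set) -> bytes:
        rnd = secrets.token_bytes(16)          # Rnd: fresh per token
        ar = b",".join(sorted(rights))         # AR encoded as a sorted list
        cap = issue_capability(uid, r, ctxt, ar, rnd)
        self.issued[cap] = (ctxt, set(rights))
        return cap

    def accept_message(self, cap: bytes, nonce: bytes, tag: bytes) -> bool:
        if nonce in self.seen_nonces:
            return False                       # replayed nonce
        if not hmac.compare_digest(mac_message(self.dk, cap, nonce), tag):
            return False                       # tampered cap/nonce or forged tag
        self.seen_nonces.add(nonce)
        return True

    def check_access(self, cap: bytes, ctxt: bytes, right: bytes) -> bool:
        rec = self.issued.get(cap)
        return rec is not None and rec[0] == ctxt and right in rec[1]


def uuid_collision_count(p: float = 0.5) -> float:
    """Identifiers needed for collision probability p among 2^122 random UUID4 values."""
    return math.sqrt(2 * 2**122 * math.log(1 / (1 - p)))


def demo() -> dict:
    """Run one genuine exchange plus replay, tampering and access-control cases."""
    dk2 = secrets.token_bytes(32)              # dk_2 comes from ECDHE in the paper; random here
    d2 = Verifier(dk2)
    uid_d1 = uuid.uuid4().bytes                # random universally unique identifier
    cap = d2.issue(uid_d1, secrets.token_bytes(16), b"room-1", {b"read", b"write"})
    g3 = secrets.token_bytes(13)               # 104-bit nonce, matching the size accounting
    tag = mac_message(dk2, cap, g3)
    flipped = bytes([cap[0] ^ 1]) + cap[1:]    # one bit of the token altered in transit
    return {
        "genuine": d2.accept_message(cap, g3, tag),
        "replay": d2.accept_message(cap, g3, tag),
        "tampered": d2.accept_message(flipped, secrets.token_bytes(13), tag),
        "read": d2.check_access(cap, b"room-1", b"read"),
        "delete": d2.check_access(cap, b"room-1", b"delete"),
        "wrong_ctxt": d2.check_access(cap, b"room-2", b"read"),
    }


if __name__ == "__main__":
    print(demo(), f"{uuid_collision_count():.3e} UUIDs for a 50% collision chance")
```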

Testbed results and discussions
In this section, the proposed SUACC-IoT is evaluated for key performance parameters, namely CPU and memory usage, and computational overhead in an IoT testbed setup using Raspberry PI 3 [33]. Besides, the communication cost and security features of the system are assessed. Furthermore, the proposed system is also compared with the existing competing schemes.

Cryptographic standards used in testbed
The proposed system is implemented in Java using the Java Cryptography Architecture [34] and BouncyCastle [35] libraries. The cryptographic standards mentioned in Table 3 are used in the implementation of the proposed system. The reasons for the choice of the cryptographic standards are as follows:
i) Curve25519 [36] is used for secret key generation using ECDHE since it is a highly performance-optimized, fast, and safe elliptic curve;
ii) the Advanced Encryption Standard (AES-256) [37], which has a key length of 256 bits, in stateless CBC cipher mode is used for symmetric encryption/decryption so that the resultant ciphertext is different every time and satisfies IND-CPA security;
iii) the Secure Hash Algorithm (SHA-256) [38], which produces a 256-bit hash output, is used for computing cryptographic hashes so that the generated hash is collision-resistant; and
iv) CBC-MAC based on AES is used for computing message authentication codes so that EU-CPA is fulfilled.

IoT testbed experiments
In this section, we describe the IoT testbed experiments using the Raspberry PI 3 setting [33] for measuring CPU and memory usage as well as computational time, based on the cryptographic standards used in Sect. 6.1.

CPU and memory usage
To the best of our knowledge, the existing schemes did not consider CPU and memory usage parameters in their performance evaluation. We conducted four measurement runs in our IoT testbed to quantify the CPU and memory usage of the proposed system. The experimental results in Fig. 10 indicate that the SUACC-IoT system's maximum CPU usage is 29.35% and maximum memory usage is 2.79% which are quite acceptable.

Computational cost
The third essential parameter we considered in the performance evaluation is computational overhead. We conducted four measurement runs in our IoT testbed. Fig. 11 presents the overhead in the different measurement runs. The average computational overhead computed from the different runs is 744.5 ms, which is fairly acceptable. The theoretical computational overhead of the SUACC-IoT system and of the different authentication approaches under consideration is presented in Table 4. Let $T_H$, $T_{MAC}$, $T_{ENC/DEC}$, $T_{FE}$, $T_{PUF}$, $T_O$, and $T_{K.GEN}$ denote the overhead to execute hash, MAC, symmetric encryption/decryption, fuzzy extractor generation and reproduction, physical unclonable function, addition and multiplication, and key generation using ECDHE computations, respectively. The computational overhead of SUACC-IoT is $2T_H + 1T_{K.GEN} + 4T_{ENC/DEC} + 4T_{MAC}$. The time complexities of hash, key generation, symmetric encryption/decryption and MAC are deemed $O(n)$ for an $n$-bit message. Therefore, the overall time complexity of the proposed system is $O(n)$. The system involves key generation and symmetric encryption/decryption operations, which are avoided in the schemes [2,5,9]. However, this cost is compensated by the security features of the proposed system.

Communication cost
Communication cost is yet another key parameter. Table 5 shows that the number of messages exchanged in SUACC-IoT is 6, which is reasonably acceptable. Besides, the size of the longest message exchanged, $\{M9, M10, Cap_{D1}, g_3\}$ or $\{M13, M14, Cap_{D1}, g_4\}$, in SUACC-IoT is (384 + 128 + 256 + 104) = 872 bits. This size is smaller than those in the schemes [3, 5, 6, 7]. Thus, the communication cost incurred for the longest message exchanged in the proposed system is 872 bits, which is reasonably acceptable.

Table 6 presents the comparison of security features between the different authentication approaches under consideration and SUACC-IoT. From the table, it can be observed that SUACC-IoT has better security features than the other approaches. The proposed system is secure against various attack vectors in IoT, namely MITM, replay, traceability, session key computation, passive secret disclosure, device impersonation, gateway impersonation and bypass, offline dictionary, and DoS attacks. In Table 7, the different access control approaches are compared with the SUACC-IoT system. Five features, namely context-awareness, granularity, scalability, interoperability, and security, are considered for comparison. SUACC-IoT supports all the features considered, while the other approaches do not. In a nutshell, SUACC-IoT performs fairly well and has better security features than the closely related existing schemes.

Conclusion and future works
In this paper, we presented a new secure unified authentication and access control system based on capability for IoT, called SUACC-IoT. SUACC-IoT brings the following advantages to authentication and access control in IoT:
- Security: In the proposed protocol, an IoT device communicates with another device through the gateway node. The two devices and the gateway node are mutually authenticated to one another. Two types of mutual authentication happen: (1) between the device and the gateway node and (2) between the devices. Various attack vectors such as MITM, replay, traceability, session key computation, secret disclosure, device impersonation, gateway impersonation, gateway bypass, offline dictionary and DoS are addressed in the protocol. Security is also ensured during access control.
- Lightweight: The proposed system involves only lightweight cryptographic operations such as ECDHE using a highly performance-optimized and fast elliptic curve, symmetric key encryption/decryption, message authentication code, and hash. Furthermore, the proposed system uses TLS only during the setup stage. Thus, the proposed system is a lightweight system suitable for use in resource-constrained IoT.
- Scalability: The gateway node performs only a limited number of lightweight ECDHE, symmetric key encryption/decryption and message authentication code operations in the protocol. The two communicating devices generate the required parameters on their own. The devices do not overload the gateway node. As a result, the proposed system performs fairly well as the number of devices increases.
- Interoperability: The gateway node acts as a protocol bridge to ensure protocol compatibility across various IoT devices. Thus, the gateway node ensures device interoperability.
SUACC-IoT shows promising results in the key performance parameters, namely CPU and memory usage, computational overhead, and communication cost. The protocol's maximum CPU usage is 29.35%, maximum memory usage is 2.79%, and computational overhead is 744.5 ms, which are quite reasonable. The communication cost incurred for the longest message exchanged in the protocol is 872 bits, which is fairly acceptable. Furthermore, SUACC-IoT has better security features than the closely related existing schemes. These make SUACC-IoT usable in various resource-constrained IoT environments. Some future works are as follows. The first future work is to design a decentralized framework for the system to make it more scalable. Mobility management among the heterogeneous network slices in a 5th generation mobile network (5G) is an important issue [39]. Therefore, a second future work may be the mobility management task in an IoT-enabled 5G environment, where the subscription-based connectivity services for the end users should be granted based on access capability. Recently, privacy-preserving bilateral access control with fine granularity in IoT-enabled healthcare has been suggested, where only authorized counterparts are able to access the health-related information [13]. As a result, another interesting future work may be to integrate privacy-preserving bilateral access control with fine granularity into the proposed protocol.