A secure and efficient AKE scheme for IoT devices using PUF and cancellable biometrics

As the Internet of Things (IoT) continues to grow, there is an increasing need for secure and efficient authentication protocols for IoT devices. The design of IoT authentication schemes requires several essential features such as real two-factor security, Key Compromise Impersonation (KCI) resilience, and Perfect Forward Secrecy (PFS). In this paper, we perform a cryptanalysis of two state-of-the-art PUF-based Authentication and Key Exchange(AKE) schemes and show informally how they fail to achieve real two-factor security, PFS and suffer KCI, user traceability, and database attacks. To address these limitations, we propose an improved two-party AKE scheme between the user-device and the server based on a combination of a physically unclonable function (PUF) and a cancellable biometric (CB). Our proposed scheme provides real two-factor security, KCI resilience, PFS, and user untraceability, achieving all desired properties based on the Computational Diffie–Hellman (CDH) assumption in the random oracle model. To establish the security of our proposed scheme, we utilize formal analysis methods, including the RoR model and ProVerif, and perform an informal security analysis to demonstrate its resilience against potential attacks. Additionally, we analyze the computational and communication performance of our proposed scheme against related PUF-based schemes. Our proposed scheme exhibits a computational and communicational feasible overhead for deployment in the context of the IoT, with a lower magnitude than most previous related PUF-based schemes. Overall, our proposed scheme provides an efficient and secure authentication solution for IoT devices, with improved security and reduced communication overhead compared to previous PUF-based schemes. The combination of formal and informal analysis provides robust evidence of the strength and reliability of our proposed scheme, and its scalability makes it a viable solution for large-scale IoT deployments.