Scalable, password-based and threshold authentication for smart homes

Smart homes are a special use-case of the IoT paradigm, which is becoming more and more important in our lives. Although sensors, devices and applications make our daily lives easier, they often collect our sensitive data, which may lead to security problems (e.g., hacked devices, botnets, etc.). In several cases, the appropriate security mechanisms are missing within the devices. Therefore, security measures have become a central topic in the field of IoT. The most essential requirements are secure user-device authentication and confidentiality of transferred sensitive data. Passwords are the most widely used factors in various areas, such as user authentication, key establishment, and also secret sharing. Password-based protocols that are resistant to typical threats, such as offline dictionary, man-in-the-middle and phishing attacks, generate new session keys. The major aim of these solutions is to guarantee high-level security, even if a user applies a single low-entropy human memorable password for all their accounts. We introduce a threshold and password-based, distributed, mutual authenticated key agreement with key confirmation protocol for a smart home environment. The proposed protocol is a scalable and robust scheme, which forces the adversary to corrupt l-1\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$l-1$$\end{document} smart home devices, where l is the threshold, in order to perform an offline dictionary attack. The protocol is designed to achieve password-only setting, and end-to-end security if the chosen IoT devices are also authenticated besides the user. We also provide a security analysis of the protocol in AVISPA. We apply the on-the-fly model checker and the constraint-logic-based attack searcher to perform protocol verification for bounded numbers of sessions. We show that the proposed protocol provides session key secrecy and mutual authentication of the user and the device manager. Since efficiency is a crucial aspect, we implemented our protocol to measure the computation and communication costs and demonstrate that our solution is appropriate and eligible for smart homes.