A Provably Secure and Practical PUF-Based End-to-End Mutual Authentication and Key Exchange Protocol for IoT

Abstract

Device authentication and key exchange are essential issues for Internet of Things (IoT) which plays an indispensable role in modern life. Many sensor devices in IoT, with limited resources and poor self-protection capabilities, are deployed in the unattended and open places, making them vulnerable to physical attacks while facing traditional security threats. Despite several researches have been conducted by using the physical unclonable function (PUF) to immune the communication between IoT devices from the security threats above, as per the knowledge of the authors, current solutions rely on the participation of the server to distribute the key parameters, which requires high message overhead and markedly influences the efficiency. To fill this gap, this article proposes an end-to-end mutual authentication and key exchange protocol for IoT by combining PUF with certificateless public key cryptography (CL-PKC) on elliptic curve, which only needs “three handshakes” without the real-time participation of the server. The security analysis shows that the proposed protocol can not only secure the IoT devices from various attacks, but also provide perfect forward secrecy. Moreover, the experimental validation and performance analysis show the proposed protocol outperforms existing related protocols in terms of security features, protocol rounds and communication cost.