© Wuhan University 2024

0 Introduction

Cloud computing is a business computing model. It distributes computer tasks to resource pools made up of large numbers of computers, enabling various applications to obtain computing power, storage space, and information services as needed. However, compared with traditional decentralized computing, cloud computing centralizes computing resources, and risks are centralized together. Therefore, cloud computing cannot meet the needs of high mobility, location-aware, and low-latency applications ^[1]. Fog computing was born to eliminate the limitations of cloud computing and is used to be a link between the Internet of Things devices and the cloud ^[1]. In fog computing, fog services are distributed at the margin of the network and close to terminal equipment geographically ^[2], so some data can be processed and stored directly in the fog layer. As a result, fog computing can reduce the pressure on the cloud, improve transmission rates, and reduce latency.

Fog computing can effectively decentralize computational and analytical power and help reduce bandwidth usage. However, fog nodes are often deployed in remote and unprotected places ^[3], and rely on insecure public channels for data transmission between users and fog servers, as well as fog servers and cloud servers. Therefore, secure identity authentication is critical in fog computing.

Many researchers have recently proposed identity authentication schemes in fog computing environments. Lampot first proposed a remote authentication scheme in an insecure environment in 1981^[4]. Then, many two-factor authentication schemes based on Hashes, smart cards, and temporary certificates were proposed^[5-10], but most of them have security issues. Then, lots of three-factor authentication schemes^[1,11-15] based on fog computing were proposed. In 2019, Ma et al^[16] proposed an authenticated key agreement protocol without bilinear pairing and claimed that their scheme achieves mutual authentication, generates a securely agreed session key for secret communication, and supports privacy protection. In 2021, Chen et al ^[17] proposed an authenticated key exchange scheme for fog computing. However, after analysis, Rana et al^[18] found that Chen et al's scheme ^[17] does not provide user anonymity and is also not resistant to tamper-proof device stolen attack, user impersonation attack, fog node impersonation attack, insider attack, and known session key attack. In 2021, Weng et al ^[15] proposed a lightweight anonymous mutual authentication and secure communication scheme and claimed that their scheme only uses one-way Hash functions, and XOR operations and security can be ensured.

In this paper, we point out the shortcomings of Weng et al's ^[15] scheme. Weng et al's scheme cannot resist user traceability attack and user impersonation attack. Therefore, we propose an improved scheme through adding a password, modifying the calculation method of E_i, and adding timestamps. We also compare security features and computation costs between the improved scheme and the other four schemes^{[3, 15-17]}.

The rest of the paper is structured as follows: Section 1 briefly reviews Weng et al's scheme. Section 2 analyses the shortcomings of Weng et al's scheme. In Section 3, an improved scheme is presented. Section 4 provides a security analysis and comparison of the enhanced scheme. Section 5 concludes the paper.

1 Review of Weng et al's Scheme

In Weng et al's scheme ^[15], there are two mutual authentication and key agreement phases: one is the authentication and key agreement phase of edge user EU_i and fog server FS_j, and the other is the authentication and key agreement phase of edge device ED_k and fog server FS_j. Through analysis, we find that the two phases similarly implement mutual authentication and key agreement. So, in this section, we only review the authentication and key agreement phase of edge user EU_i and fog server FS_j. There are three participants in Weng et al's scheme: cloud server, fog servers, and edge users. Fog servers and edge users all register to the cloud server, and then edge users and fog servers authenticate with each other and agree on the same session keys with the help of the cloud server. Weng et al's scheme ^[15] consists of the following steps. The notations used in this article are listed in Table 1.

1.1 System Initialization

The cloud server CS generates a master secret key MK, and two long-term secret keys K_cf and K_cu, and keeps them secret. CS chooses a one-way Hash function h(·).

1.2 Fog Server Registration Phase

Fog server FS_j selects a unique identity ID_j and sends identity ID_j to CS via a secure channel. On receiving ID_j, CS generates a pseudonym TID_j, and computes

$B_j=h(\mathrm{I}{\mathrm{D}}_j||K_{cf}),h(\mathrm{M}\mathrm{K}||K_{cf}).$

Then CS sends {TID_j, B_j, h(MK||K_cf)} to FS_j and maintains {TID_j, ID_j, B_j} in a protected verifier table of FS_j. Finally, FS_j stores TID_j, B_j, and h(MK||K_cf) in its memory.

1.3 Edge User Registration Phase

Edge user EU_i selects a unique identity ID_i and imprints his/her biometric BIO_i into smart device MD_i. MD_i generates a 160-bit random secret number n_u and computes A_i=h(ID_i||BIO_i||n_u). Then MD_i sends {A_i,ID_i} to CS through a secure channel. After receiving ID_i and A_i, CS generates a pseudonym TID_i, and computes

$B_i=h(\mathrm{I}{\mathrm{D}}_i||\mathrm{M}\mathrm{K}),$

$C_i=h(\mathrm{I}{\mathrm{D}}_i||A_i||h(K_{cu})),$

$D_i=B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus A_i.$

Then CS sends $\left\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,C_i,D_i,h(\cdot ),h(K_{cu})\right\}$ to EU_i via a secure channel and maintains $\left\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,B_i\right\}$ in a protected verifier table of EU_i. Finally, EU_i's smart device stores $\left\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,C_i,D_i,h(\cdot ),h(K_{cu}),n_u\right\}$ in its memory.

1.4 Authentication and Key Agreement Phase

In this phase, an edge user EU_i wants to access a fog server FS_j through a public channel, the cloud server CS can help EU_i and FS_j to authenticate each other and achieve a session key SK_ij. The specific steps are as follows.

Step 1: EU_i first inputs $\mathrm{I}{\mathrm{D}}_i^{\text{'}}$ and $\mathrm{B}\mathrm{I}{\mathrm{O}}_i^{\text{'}}$ into his/her smart device. Then, MD_i retrieves n_u and h(K_cu) to compute

$A_i^{\text{'}}=h(\mathrm{I}{\mathrm{D}}_i^{\text{'}}||\mathrm{B}\mathrm{I}{\mathrm{O}}_i^{\text{'}}||n_u),C_i^{\text{'}}=h(\mathrm{I}{\mathrm{D}}_i^{\text{'}}||A_i^{\text{'}}||h(K_{cu}))$

and checks whether $C_i^{\text{'}}=C_i$. If it is true, it means EU_i is a legal user, then smart device MD_i selects a 128-bit random number r_u and computes

$E_i=D_i\oplus A_i^{}\oplus r_u,F_i=h(h(K_{cu})||\mathrm{I}{\mathrm{D}}_j||r_u).$

Finally, MD_i sends the message $M_{u\mathrm{1}}=\left\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,E_i,F_i\right\}$ to FS_j through a public channel.

Step 2: On receiving M_u1, FS_j selects a 128-bit random number r_f and retrieves TID_j, B_j, and h(MK||K_cf ) to compute

$O_j=B_j\oplus r_f,P_j=h(h(\mathrm{M}\mathrm{K}||K_{cf})||\mathrm{T}\mathrm{I}{\mathrm{D}}_j||r_f).$

Finally, FS_j sends messages M_u1 and M_u2 = {TID_j, O_j, P_j} to CS through a public channel.

Step 3: On receiving M_u1 and M_u2, CS inspects M_u1 and searches the verifier table of EU_i in its database to find entry that match TID_i. If there is no matching entry, CS rejects the request and terminates the session. Otherwise, CS retrieves B_i and h(MK||K_cu) to compute

$r_u^{\text{'}}=E_i\oplus B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu}),F_i^{\text{'}}=h(h(K_{cu})||\mathrm{I}{\mathrm{D}}_j||r_u^{\text{'}}).$

Then CS checks whether $F_i^{\text{'}}=F_i.$ If it is not true, CS terminates the session. Otherwise, the legitimacy of EU_i is authenticated by CS.

Step 4: CS further inspects M_u2 and searches the verifier table of FS_j in its database to find entry that match TID_j. If there is no matching entry, CS rejects the request and terminates the session. Otherwise, CS retrieves B_j and h(MK||K_cf ) to compute

$r_f^{\text{'}}=O_j\oplus B_j,P_j^{\text{'}}=h(h(\mathrm{M}\mathrm{K}||K_{cf})||\mathrm{T}\mathrm{I}{\mathrm{D}}_j||r_f^{\text{'}}).$

Then CS checks whether $P_j^{\text{'}}=P_j$.

Step 5: After verifying the validity of EU_i and FS_j, CS refreshes pseudonyms for EU_i and FS_j by computing

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u^{\text{'}},\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_j\oplus r_f^{\text{'}}.$

And CS replaces TID_i with $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}$ in the verifier table of EU_i, replaces TID_j with $\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}$ in the verifier table of FS_j. CS further selects a 128-bit random number r_cand computes

$\begin{array}{l}{Q}_j=r_u^{\text{'}}\oplus r_c\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}),\mathrm{S}{\mathrm{K}}_{ij}=h(r_u^{\text{'}}\oplus r_f^{\text{'}}\oplus r_c),\\ R_j=h(B_j\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}),S_j=r_f^{\text{'}}\oplus r_c\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}),\\ T_j=h(B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}).\end{array}$

Finally, CS sends M_u3 = {Q_j, R_j} and M_u4 = {S_j, T_j} to FS_j.

Step 6: On receiving M_u3 and M_u4, FS_j computes

$\begin{array}{l}\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_j\oplus r_f,r_u^{\text{'}}\oplus r_c^{\text{'}}=Q_j\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}),\\ \mathrm{S}{\mathrm{K}}_{ij}=h(r_u^{\text{'}}\oplus r_c^{\text{'}}\oplus r_f),R_j^{\text{'}}=h({\mathrm{B}}_j\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}).\end{array}$

FS_j checks if $R_j^{\text{'}}=R_j$. Finally, FS_j sends M_u4 to EU_i.

Step 7: On receiving M_u4, EU_i computes

$\begin{array}{l}\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u,r_f^{\text{'}}\oplus r_c^{\text{'}}=S_j\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}),\\ \mathrm{S}{\mathrm{K}}_{ij}=h(r_f^{\text{'}}\oplus r_c^{\text{'}}\oplus r_u),\\ T_j^{\text{'}}=h(B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}).\end{array}$

If $T_j^{\text{'}}=T_j$, EU_i believes that CS and FS_j are legal parties and stores the shared session key SK_ij for future secure communication.

2 Attacks on Weng et al's Scheme

This section will show that Weng et al's scheme^[15] is vulnerable to user traceability and impersonation attacks. Further details are provided in the following subsections.

2.1 User Traceability Attack

Weng et al's scheme^[15] cannot resist user traceability attack. The following steps show the process of user traceability attack.

Step 1:In the first authentication, if a user EU_i sends a message M_U1=$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,E_i,F_i\}$ trying to contact a fog server FS_j, one attacker may intercept the message M_U1, and then he/she saves {E_i, TID_i}. At the end of this authentication, the cloud server CS and the user will update the pseudonym by (1). Lastly, the first authentication ends.

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u$(1)

$E_i=D_i\oplus A_i^{}\oplus r_u$(2)

But through (1) and (2), the attacker can know

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=D_i\oplus A_i$(3)

Step 2:In the second authentication, assume that three users EU_A, EU_B, EU_C, and the same user EU_i all send messages trying to contact a fog server FS_g. EU_A sends message M_U1a=$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}},E_a^{\mathrm{n}\mathrm{e}\mathrm{w}},F_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\}$, EU_B sends message M_U1b=$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}},E_b^{\mathrm{n}\mathrm{e}\mathrm{w}},F_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\}$, EU_C sends message M_U1c=$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}},E_c^{\mathrm{n}\mathrm{e}\mathrm{w}},F_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\}$ and EU_i sends message M_U1i=$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}},E_i^{\mathrm{n}\mathrm{e}\mathrm{w}},F_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\}$, the attacker intercepts four messages M_U1a, M_U1b, M_U1c, M_U1i and uses the previous intercepted E_i and TID_i to calculate

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}}=N_a,\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}}=N_b,$(4)

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}}=N_c,\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=N_d.$

The attacker also saves the intercepted messages M_U1a, M_U1b, M_U1c and M_U1i. At the end of the second authentication, the new pseudonym of user EU_i has been updated to $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}$.

Step 3: In the third authentication, assume that three users EU_J, EU_K, EU_L and the same user EU_i send messages trying to contact a fog server FS_l. The four users send messages $M_{\mathrm{U}\mathrm{1}j}=\{\mathrm{T}\mathrm{I}{{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}}^{\mathrm{2}},E_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},F_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\},M_{\mathrm{U}\mathrm{1}k}=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},E_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},F_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\},M_{\mathrm{U}\mathrm{1}l}\{\mathrm{T}\mathrm{I}{\mathrm{D}}_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},E_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},$$F_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\},M_{\mathrm{U}\mathrm{1}i}^{\mathrm{n}\mathrm{e}\mathrm{w}}=\left\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\right\}$, respectively. The attacker intercepts all four messages M_U1j, M_U1k, M_U1l, and $M_{\mathrm{U}\mathrm{1}i}^{\mathrm{n}\mathrm{e}\mathrm{w}}$ and according to the second intercepted messages M_U1a, M_U1b, M_U1c and M_U1i to calculate

$\begin{array}{l}\mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{aj},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ak},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{al},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_a^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ai},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{bj},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{bk},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{bl},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_b^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{bi},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{cj},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ck},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{cl},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_c^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ci},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ij},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ik},\\ \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_l^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{il},\end{array}$

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=N_{ii}.$(5)

After calculating (4) and (5), the attacker will find that N_d = N_ii. This is because $\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus E_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=D_i\oplus A_i,$ where A_i and D_i are constant, then the attacker can determine the messages M_U1, M_U1i and $M_{\mathrm{U}\mathrm{1}i}^{\mathrm{n}\mathrm{e}\mathrm{w}}$ are from the same user EU_i. When a user EU_k contacts a fog server FS_n with the new pseudonym $\mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}}$ next time, the attacker can judge whether EU_k is EU_i by calculating $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_k^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}}\stackrel{?}{=}{N}_d=N_{ii}$. Thus, user traceability attack can be successful.

2.2 User Impersonation Attack

Weng et al's scheme^[15] cannot resist user impersonation attack and the attack can be simulated as follows.

Step 1: According to the Section 2.1, the attacker can obtain the value of $A_i\oplus D_i$ of edge user EU_i. Based on user traceability attack, the attacker intercepts the message ${M_{\mathrm{U}\mathrm{1}}^{}}_i=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}},E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}},F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}}\}$ sent by EU_i to the fog server. According to (6), the attacker can calculate the random number $r_u^{\text{'}}$ chosen by edge user EU_i this time; then, the attacker can calculate the new pseudonym updated by the user and cloud server CS at the end of this authentication by (7).

$r_u^{\text{'}}=D_i\oplus A_i\oplus E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}}$(6)

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{3}}\oplus r_u^{\text{'}}$(7)

Step 2: Assume that the attacker is a legitimately registered user, then, based on the analysis in Step 1, the attacker can know $A_i\oplus D_i,$$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}},$h(K_cu). In the login and authentication phase, the attacker selects a fog server FS_j that he/she wants to contact and picks a random number r_A , calculates

$E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}=D_i\oplus A_i\oplus r_A^{},F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}=h(h(K_{cu})||\mathrm{I}{\mathrm{D}}_j||r_A).$

Then, the attacker sends the message $M_{u\mathrm{1}}^{*}=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}},E_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}},F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}\}$ to the fog server FS_j.

Step 4: Upon receiving the message $M_{u\mathrm{1}}^{*}$, FS_j chooses a random number r_f1, and calculates

$O_{j\mathrm{1}}=B_j\oplus r_{f\mathrm{1}},P_{j\mathrm{1}}=h(h(\mathrm{M}\mathrm{K}||K_{cf})||\mathrm{T}\mathrm{I}{\mathrm{D}}_{{}_j}^{\mathrm{n}\mathrm{e}\mathrm{w}}||r_{f\mathrm{1}}).$

FS_j sends the message $M_{\mathrm{U}\mathrm{1}}^{\mathrm{*}},M_{\mathrm{U}\mathrm{2}}^{\mathrm{*}}=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}},O_{j\mathrm{1}},P_{j\mathrm{1}}\}$ to the cloud server CS, where $\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}$ is the fog server FS_j's pseudonym.

Step 5: On receiving messages $M_{\mathrm{U}\mathrm{1}}^{*},M_{\mathrm{U}\mathrm{2}}^{*},$CS first checks the validity of pseudonyms; it is evident that $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}$,$\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}$ is valid, and then CS computes

$r_{{}_A}^{\text{'}}=E_{{}_i}^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}\oplus B_i^{}\oplus h(\mathrm{M}\mathrm{K}||K_{cu}),F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}\text{'}}=h(h(K_{cu})||\mathrm{I}{\mathrm{D}}_j||r_{{}_A}^{\text{'}}),$

$F_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}\text{'}}\stackrel{?}{=}{F}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}.$

This verification can pass, and the attacker can successfully impersonate user EU_i. Then, cloud server CS chooses a random number r_c1,and computes

$\begin{array}{l}\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{5}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}\oplus r_{{}_A}^{\text{'}},\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_{{}_j}^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus r_{f\mathrm{1}}^{\text{'}},\\ Q_{j\mathrm{1}}=r_A^{\text{'}}\oplus r_{c\mathrm{1}}\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}),\mathrm{S}{\mathrm{K}}_{{}_{ij}}^{\text{'}}=h(r_A^{\text{'}}\oplus r_{c\mathrm{1}}^{}\oplus r_{f\mathrm{1}}^{\text{'}}),\\ R_{j\mathrm{1}}=h(B_j\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}})\oplus \mathrm{S}{\mathrm{K}}_{ij}^{\text{'}}),S_{j\mathrm{1}}=r_{f\mathrm{1}}^{\text{'}}\oplus r_{c\mathrm{1}}\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{5}}).\end{array}$

Then, the cloud server CS sends M_U3={Q_j1, R_j1}, M_U4={S_j1,T_j1} to the fog server FS_j.

Step 6: After receiving M_U3 and M_U4 from CS, the fog server FS_j computes

$\begin{array}{l}\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus r_{f\mathrm{1}},r_A^{\text{'}}\oplus r_{c\mathrm{1}}^{\text{'}}=Q_{j\mathrm{1}}\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}}),\\ \mathrm{S}{\mathrm{K}}_{ij}=h(r_A^{\text{'}}\oplus r_{c\mathrm{1}}^{\text{'}}\oplus r_{f\mathrm{1}}).\end{array}$

Step 7: The attacker can also compute the session key by

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{5}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{4}}\oplus r_{{}_A}^{},r_{f\mathrm{1}}^{\text{'}}\oplus r_{c\mathrm{1}}^{\text{'}}=S_{j\mathrm{1}}\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{5}}),$

$\mathrm{S}{\mathrm{K}}_{ij}=h(r_{f\mathrm{1}}^{\text{'}}\oplus r_{c\mathrm{1}}^{\text{'}}\oplus r_A).$

Eventually, the attacker and the fog server FS_j agree on a session key SK_ij with the help of the cloud server CS.

3 The Improved Scheme

To overcome the shortcomings of Weng et al's scheme^[15], we propose an improved scheme in this section. In the registration phase, we add a password to make the improved scheme more complete, and we also avoid sending h(k_cu) and h(MK||K_cf) directly, this can prevent attackers from performing impersonation attack. In the login and authentication phase, to ensure that the improved scheme is resistant to user traceability attack, we also modify the calculation of E_i and add timestamps. The following is a detailed description of the improved scheme.

3.1 Deployment Phase

The cloud server CS generates a master secret key MK and two long-term secret keys K_cf and K_cu and keeps them secret. CS chooses a one-way Hash function h(·).

3.2 Fog Server Registration Phase

Fog server FS_j selects a unique identity ID_j and registers itself with CS by sending identity ID_j to CS via a secure channel. On receiving ID_j, CS generates a pseudonym TID_j and a random secret number n_f and computes $B_j=h(\mathrm{I}{\mathrm{D}}_j||K_{cf})$ and $h(\mathrm{M}\mathrm{K}||K_{cf}||n_f).$ CS publicizes fog server FS_j's identity ID_j. Then CS sends {TID_j,B_j,h(MK||K_cf ||n_f)} to FS_j and maintains {TID_j, ID_j, B_j, n_f} in a protected verifier table. Finally, FS_j stores TID_j, B_j, and h(MK||K_cf ||n_f) in its memory. The fog server registration phase is illustrated in Fig. 1.

Fig. 1 Fog server registration

3.3 Edge User Registration Phase

Edge user EU_i selects a unique identity ID_i, PW_i, and imprints his/her biometric BIO_i into a smart device. EU_i's smart device MD_i generates a random secret number n_u and computes

$\mathrm{G}\mathrm{e}\mathrm{n}(\mathrm{B}\mathrm{I}{\mathrm{O}}_i)=({\sigma }_i,{\tau }_i),\mathrm{P}\mathrm{P}{\mathrm{W}}_i=h(\mathrm{P}{\mathrm{W}}_i||n_u),$

$A_i=h(\mathrm{I}{\mathrm{D}}_i||\mathrm{P}\mathrm{P}{\mathrm{W}}_i||{\sigma }_i||n_u).$

Then MD_i sends {A_i, ID_i, PPW_i} to CS through a secure channel. After receiving ID_i, A_iand PPW_i, CS generates a psedonym TID_i and computes

$B_i=h(\mathrm{I}{\mathrm{D}}_i||\mathrm{M}\mathrm{K}),C_i=h(\mathrm{I}{\mathrm{D}}_i||A_i||h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i)),$

$D_i=B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus A_i,H_i=\mathrm{P}\mathrm{P}{\mathrm{W}}_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu}).$

Then CS sends $\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,C_i,D_i,h(\cdot ),h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i)\}$ to EU_i via a secure channel and maintains $\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,B_i,H_i\}$ in a protected verifier table. Finally, MD_i computes

$K=h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i)\oplus h(\mathrm{P}\mathrm{P}{\mathrm{W}}_i||{\sigma }_i),\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\text{'}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus h(\mathrm{I}{\mathrm{D}}_i||{\sigma }_i).$

Then, MD_i stores $\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\text{'}},C_i,D_i,h(\cdot ),K,n_u,\mathrm{R}\mathrm{e}\mathrm{p}(\cdot ),{\tau }_i\}$ in its memory. Edge user registration phase is explained in Fig. 2.

Fig. 2 Edge user registration

3.4 Authentication and Key Agreement Phase

In this phase, if an edge user EU_i wants to access a fog server FS_j through a public channel, EU_i and FS_j authenticate each other with the help of the cloud server CS and establish a session key SK_ij. The detailed steps are as follows and the detailed process is explicated in Fig. 3.

Fig. 3 Authentication and key agreement phase

Step 1: EU_i first inputs $\mathrm{I}{\mathrm{D}}_i^{\text{'}},\mathrm{P}{\mathrm{W}}_i^{\text{'}}$ and imprints $\mathrm{B}\mathrm{I}{\mathrm{O}}_i^{\text{'}}$ into his/her smart device MD_i. Then, MD_i computes

${\sigma }_i^{\text{'}}=\mathrm{R}\mathrm{e}\mathrm{p}(\mathrm{B}\mathrm{I}{\mathrm{O}}_i^{\text{'}},{\tau }_i),\mathrm{P}\mathrm{P}{\mathrm{W}}_i^{\text{'}}=h(\mathrm{P}{\mathrm{W}}_i^{\text{'}}||n_u),$

$A_i^{\text{'}}=h(\mathrm{I}{\mathrm{D}}_i^{\text{'}}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i^{\text{'}}||{\sigma }_i^{\text{'}}||n_u),h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i{)}^{\text{'}}=K\oplus h(\mathrm{P}\mathrm{P}{\mathrm{W}}_i^{\text{'}}||{\sigma }_i^{\text{'}}),$

$C_i^{\text{'}}=h(\mathrm{I}{\mathrm{D}}_i^{\text{'}}||A_i^{\text{'}}||h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i{)}^{\text{'}}),$

checks whether $C_i^{\text{'}}=C_i$. If it does not hold, the smart device MD_i rejects the request and terminates the session. Otherwise, it means that this user is a legitimate smart device holder. Then, user EU_i selects a fog server FS_j that he/she wants to contact, selects a random number r_u, and generates a current timestamp T₁. MD_i computes

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i=\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\text{'}}\oplus h(\mathrm{I}{\mathrm{D}}_i||{\sigma }_i),M_i=r_u\oplus h(D_i\oplus A_i^{}\oplus T_{\mathrm{1}}),$

$V_i=h(h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i)||\mathrm{I}{\mathrm{D}}_j||r_u||T_{\mathrm{1}}).$

Finally, MD_i sends the request message $M_{u\mathrm{1}}=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i,M_i,V_i,T_{\mathrm{1}}\}$ to FS_j through a public channel.

Step 2: On receiving M_u1, FS_j first checks the freshness of the message. Then, FS_j selects a random number r_f and a current timestamp T₂, and retrieves TID_j, B_j, and h(MK||K_cf ||n_f) to compute

$M_j=r_f\oplus h(B_j||T_{\mathrm{2}}),V_j=h(h(\mathrm{M}\mathrm{K}||K_{cf}||n_f)||\mathrm{T}\mathrm{I}{\mathrm{D}}_j||r_f||T_{\mathrm{2}}).$

Finally, FS_j sends messages M_u1 and M_u2 ={TID_j, M_j, V_j, T₂} to CS through a public channel.

Step 3: On receiving M_u1 and M_u2, CS first checks the freshness of the messages. If true, CS retrieves B_i, H_i and B_j, ID_j, n_f according to TID_i and TID_j, respectively. Then CS computes

$\mathrm{P}\mathrm{P}{\mathrm{W}}_{{}_i}^{\text{'}}=H_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu}),r_u^{\text{'}}=M_i\oplus h(B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus T_{\mathrm{1}}),$

$V_i^{\text{'}}=h(h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_{{}_i}^{\text{'}})||\mathrm{I}{\mathrm{D}}_j||r_{{}_u}^{\text{'}}||T_{\mathrm{1}}).$

CS checks whether $V_i^{\text{'}}=V_i$. If it is not true, CS terminates the session. Otherwise, the legitimacy of EU_i is authenticated by CS. CS further computes

$r_f^{\text{'}}=M_j\oplus h(B_j||T_{\mathrm{2}}),V_j^{\text{'}}=h(h(\mathrm{M}\mathrm{K}||K_{cf}||n_f)||\mathrm{T}\mathrm{I}{\mathrm{D}}_j||r_f^{\text{'}}||T_{\mathrm{2}}).$

Then CS checks whether $V_j^{\text{'}}=V_j$.

Step 4: After verifying the validity of EU_i and FS_j, CS refreshes new pseudonyms for EU_i and FS_j by computing

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u^{\text{'}},\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_j\oplus r_f^{\text{'}}$

and replaces TID_i with $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}$ in the verifier table of EU_i, replaces TID_j with $\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}$ in the verifier table of FS_j. CS further selects a random number r_c and a current timestamp T₃ to compute

$\begin{array}{l}{H}_j=r_u^{\text{'}}\oplus r_c\oplus h(I{D}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}}),\mathrm{S}{\mathrm{K}}_{ij}=h(r_u^{\text{'}}\oplus r_f^{\text{'}}\oplus r_c),\\ I_j=h(B_j\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_j^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}\oplus T_{\mathrm{3}}),\\ J_i=r_f^{\text{'}}\oplus r_c\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}),\\ K_i=h(B_i\oplus h(\mathrm{M}\mathrm{K}||K_{cu})\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}\oplus T_{\mathrm{3}}).\end{array}$

Finally, CS sends M_u3 ={H_j, I_j, T₃} and M_u4 ={J_i, K_i, T₃} to FS_j.

Step 5: On receiving M_u3 and M_u4, FS_j computes

$\begin{array}{l}\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{j}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_j\oplus r_f,r_u^{\text{'}}\oplus r_c^{\text{'}}=H_j\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{j}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}),\\ \mathrm{S}{\mathrm{K}}_{ij}=h(r_u^{\text{'}}\oplus r_c^{\text{'}}\oplus r_f),I_j^{\text{'}}=h(B_j\oplus h(\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{j}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}\oplus T_{\mathrm{3}}).\end{array}$

FS_j checks if $I_j^{\text{'}}=I_j$. If it holds, FS_j sends M_u4 to EU_i.

Step 6: On receiving M_u4, EU_i computes

$\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{i}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u,r_f^{\text{'}}\oplus r_c^{\text{'}}=J_i\oplus h(\mathrm{I}{\mathrm{D}}_j||\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{i}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}),$

$\mathrm{S}{\mathrm{K}}_{ij}=h(r_f^{\text{'}}\oplus r_c^{\text{'}}\oplus r_u),K_i^{\text{'}}=h(D_i\oplus A_i\oplus h(\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}})\oplus \mathrm{S}{\mathrm{K}}_{ij}\oplus T_{\mathrm{3}}).$

If $K_i^{\text{'}}=K_i$, EU_i believes that CS and FS_j are legal parties and stores the shared session key SK_ij for future secure communication. Then, EU_i computes

$\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{i}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_{\mathrm{i}}^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus h(\mathrm{I}{\mathrm{D}}_i||{\sigma }_i),$

and replaces $\mathrm{T}\mathrm{I}{\mathrm{D}}_{\mathrm{i}}^{\mathrm{\text{'}}}$ with $\mathrm{T}\mathrm{I}{{\mathrm{D}}_{\mathrm{i}}^{\mathrm{\text{'}}}}^{\mathrm{n}\mathrm{e}\mathrm{w}}$ in smart device's memory.

4 Security Analysis and Comparisons

4.1 Security Analysis

This section analyzes security of the improved scheme. We demonstrate the improved scheme's security features and resilience against various attacks.

4.1.1 User anonymity

The improved scheme has strong anonymity. During the authentication and key agreement phase, the edge user's identity is never shared openly or sent over the public channel; instead, the edge user sends his/her pseudonym TID_i. Even if an attacker intercepts the edge user's pseudonym TID_i, he/she cannot know the user's identity ID_i.

4.1.2 Password guessing attack

Assuming that an attacker gets all information $\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\text{'}},C_i,D_i,h(\cdot ),K,n_u,\mathrm{R}\mathrm{e}\mathrm{p}(\cdot ),{\tau }_i\}$ stored in the mobile device, the attacker performs password guessing attack based on $\mathrm{P}\mathrm{P}{\mathrm{W}}_i=h(n_u||\mathrm{P}{\mathrm{W}}_i)$. However, the attacker must know the values of PPW_i and n_u. Although the attacker knows the value of n_u, he/she cannot know the value of PPW_i. So, the attacker cannot guess the password.

4.1.3 Replay attack

An attacker may resend previous messages to cloud server for replay attack. However, this will not succeed because the improved scheme contains timestamp verifications, and the timestamps in past messages are not within an acceptable range. Resending past messages will cause the session to terminate. Even if an attacker can modify the timestamp T₁, the attacker does not know D_i, A_i, and h(K_cu||PPW_i), then the corresponding values M_i and V_i cannot be modified based on the new timestamp. Finally, the value of V_i sent by the attacker differs from $V_i^{\text{'}}$ calculated by the cloud server CS by (8), and verification $V_i^{\text{'}}\stackrel{?}{=}{V}_i$ cannot pass. Therefore, the improved scheme can resist replay attack.

$V_i^{\text{'}}=h(h(K_{cu}||\mathrm{P}\mathrm{P}{\mathrm{W}}_i)||\mathrm{I}{\mathrm{D}}_j||r_u||T_{\mathrm{1}})$(8)

4.1.4 User untraceability

In the mutual authentication and key agreement phase, the user's identity is hidden by sending the pseudonym TID_i, and the user's pseudonym TID_i is updated every time by (9). Due to the inclusion of random number r_u in (9), the user's pseudonym will be different each time. Therefore, the attacker does not know what the user's next pseudonym $\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}$ will be.

$\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}=\mathrm{T}\mathrm{I}{\mathrm{D}}_i\oplus r_u$(9)

When the attacker intercepts EU_i's request message M_u1={TID_i,M_i,V_i,T₁}, and stores {TID_i, M_i} as described in Section 2.1.

In the second authentication, even if the attacker intercepts EU_i's message $M_{u\mathrm{1}}^{\text{'}}=$$\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}},M_i^{\text{'}},V_i^{\text{'}},T_{\mathrm{1}}^{\text{'}}\}$, the attacker computes

$M_i\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}}\oplus \mathrm{T}\mathrm{I}{\mathrm{D}}_i=h(D_i\oplus A_i\oplus T_{\mathrm{1}}).$

In the third authentication, assuming that the attacker intercepts EU_i's request message $M_{u\mathrm{1}}^{\mathrm{2}}=\{\mathrm{T}\mathrm{I}{\mathrm{D}}_i^{\mathrm{n}\mathrm{e}\mathrm{w}\mathrm{2}},$$M_i^{\mathrm{2}},V_i^{\mathrm{2}},T_{\mathrm{1}}^{\mathrm{2}}\}$ once again, the attacker computes